NNPC Ltd Enterprise Risk Management Processes And Procedures PDF

ENTERPRISE RISK MANAGEMENT PROCESSES AND PROCEDURES NNPC Limited January 2023 Page 0 of 347 NNPC Limited ERM Processes and Procedures Document Review, Check, Endorsement & Approval Issue 1 Signature Name Position Date Issue, Modification PIA Implementati on Team CCO SLT SMT 19/01/2023 19/01/2023 19/01/2023 19/01/2023 Prepared Checked Endorsed Approved Page 1 of 347 NNPC Limited ERM Processes and Procedures Table of Contents 1.0 Introduction................................................................................ 4 2.0 Risk Strategy & Appetite........................................................ 11 3.0 Risk Culture.............................................................................. 16 4.0 Risk Governance...................................................................... 18 5.0 Enterprise Risk Management Process................................ 34 6.0 Appendix................................................................................... 73 Appendix A – Training and Awareness Policy........................... 73 Appendix B – Risk Reporting Framework.................................. 75 Page 2 of 347 NNPC Limited ERM Processes and Procedures Glossary of Terms Term/ Abbreviation Meaning ACCA Association of Chartered Certified Accountants AF Audit Function BAC Board Audit Committee Board Board of Directors of NNPC Limited GCEO Group Chief Executive Officer Head of GRC (BU) Head of GRC of a Subsidiary ERM Enterprise Risk Management ERP Enterprise Resource Planning GRC Governance, Risk and Compliance HR Human Resources ICAN Institute of Chartered Accountants of Nigeria IIA Institute of Internal Auditors ISACA Information System Audit and Control Association Management Deputy Manager and above MD Managing Director of a subsidiary NNPC NNPC Limited Page 3 of 347 NNPC Limited ERM Processes and Procedures 1.0 Introduction 1.1 Background Risk is the probability that the occurrence of an event may positively or negatively impact the achievement of the organization’s objectives. This definition applies to each subsidiary, division and process within NNPC Limited (“NNPC” or “the Company”) and it is the Company’s philosophy that the management of risk is the responsibility of everyone. NNPC Limited is committed to proactively ensuring that all risks that may prevent the achievement of its strategic objectives are effectively managed and potential opportunities are explored to optimize value. Risk management shall be an integral part of strategic and operational planning, performance management and governance across NNPC Limited and its subsidiaries. Consequently, NNPC Limited has adopted an Enterprise Risk Management (ERM) approach to improving its risk management practices. The ERM model is effected by an entity’s Board of directors, Management and other personnel, applied in strategic planning and designed to identify potential events that may affect the achievement of the Company’s objectives. The following are the four (4) key elements of NNPC Limited’s ERM model: a) Risk strategy and appetite; b) Risk culture; c) Risk governance; and d) Risk management process. The risk management process involves risk identification, assessment, mitigation and monitoring, and managing risk to be within NNPC’s risk Page 4 of 347 NNPC Limited ERM Processes and Procedures appetite, to provide reasonable assurance regarding the achievement of entity objectives. The purpose of this manual therefore, is to set out the Enterprise Risk Management (ERM) policies and procedures for NNPC Limited. The manual describes the policies, guidelines and practices to be adopted in managing risks and carrying out ERM processes. It is a summary of the applicable standards, practices, procedures, tools and templates to be utilised by NNPC Limited’s ERM Function (“ERM” or “ERM Function”) to: a) Provide guidance in the management of the risks faced by NNPC Limited; b) Adopt an enterprise-wide approach to the management of risks; c) Identify and prioritise risks that could impact NNPC Limited’s strategic and operational objectives; d) Develop and implement mitigating strategies to avoid or reduce risk exposures; e) Monitor and report on NNPC Limited’s risk profile; and f) Support NNPC Limited, subsidiaries and operations to successfully embed ERM in employee behaviour and daily activities at all levels in the organisation, through both existing and new processes. Specifically, the manual defines a process for identifying, assessing, monitoring and controlling business risks that could impact NNPC Limited’s objectives. It also defines roles and responsibilities for those managing risks. NNPC Limited’s commitment to meeting high standards of corporate governance and accountability is reflected in this manual. Specific processes and procedures contained in this manual are tailored to enable a step-by-step implementation of internal guidelines (e.g., Page 5 of 347 NNPC Limited ERM Processes and Procedures Delegation of Authority) and external regulations (e.g., Nigerian Code of Corporate Governance 2018). 1.2 Structure of this Manual The manual contains a high-level Mandate, the SIPOC (Supplier-InputProcesses-Output-Customers) Model, and Relationship Map for the ERM Function. This is followed by four (4) core chapters (encompassing a total of seven (7) areas in which policies and procedures have been defined) each of which is organised in line with the following structure:  Introduction: Gives an overview and scope of the process and sets out the key sub-processes covered.  Objectives: States the main purposes that the process intends to accomplish.  Policies: Outlines the main operating policies guiding the execution of various activities and tasks.  Procedures: Provides a detailed breakdown of the main activities in the process, including tasks, responsibilities and job aids/tools.  Input and Output Documents: Outlines the documents that serve as inputs into the process, the outputs and key reports generated.  Key Performances Indicators: Sets the performance measures used to determine the efficiency and effectiveness of the processes.  Process Flow Map: Provides a pictorial summary of the outlined procedures. a 1.3 Compliance Compliance with this manual is mandatory for all users. Any significant act of non-compliance may be considered an act of misconduct. Page 6 of 347 NNPC Limited ERM Processes and Procedures However, there may be exceptional circumstances, where it is impracticable to comply with a specific policy or procedure. In such instances, a prior written waiver will be required from the Head of the Function. The IA function will review compliance with the provisions of this manual as part of their audit plan and procedures. Where the need arises, the GCEO is authorized to grant exceptions to the application of this policy, and thereafter seek ratification from the NNPC Limited Board. 1.4 Users This manual applies to all sub-functional areas in the ERM Function. It also applies to all business units as reflected in the Relationship Map. 1.5 Review of this Manual It is intended that this manual will be updated every two years, unless there is a specific requirement for an immediate revision in line with changes in NNPC Limited’s business. Such updates will be duly communicated to all relevant departments and units. It is instructive to note that the scope of processes addressed in this manual covers the important areas selected by NNPC management. Accordingly, it is anticipated that additional policies and procedures may be identified and incorporated in the future. Page 7 of 347 NNPC Limited ERM Policies and Procedures Page 8 of 347 NNPC Limited ERM Policies and Procedures Page 9 of 347 NNPC Limited ERM Policies and Procedures Page 10 of 347 NNPC Limited ERM Processes and Procedures 2.0 Risk Strategy & Appetite 2.1 Introduction NNPC Limited’s strategy for managing risk is to establish and sustain a robust ERM model that is proactive and embedded in all processes to ensure that responses to risks are effective and dynamic. The model will help structure and coordinate all risk management activities within NNPC Limited and ensure risks are managed within the risk appetite. Risk Appetite Risk appetite is the amount of risk NNPC Limited is willing to accept in order to be in alignment with its strategic objectives. The risk appetite would serve as:  A guide to determine how much risk is acceptable;  A benchmark for key risk indicators; and  A guide during the strategy and goal setting process. A risk averse Company will set conservative goals while a high-risk appetite company will set aggressive goals. The nature of NNPC Limited’s business, the risks inherent in it, the business objectives and strategies will guide the determination of its risk appetite. 2.2 Objectives The key objectives of risk management within NNPC Limited is to develop and implement effective strategies that will: a) Reduce operational surprises and losses; b) Integrate risk management into the decision-making process; Page 11 of 347 NNPC Limited ERM Processes and Procedures c) Develop a risk culture that encourages staff to identify risks and associated opportunities and to respond to them with cost effective actions; d) Enable the Board and Senior Management team confidently make informed decisions; and e) Improve stakeholders' confidence and trust. 2.3 Policies Policies S/N 1. Description ERM shall be an integral part of strategic and operational planning, performance management and governance across the Company. Consequently, we shall perform a detailed identification and assessment of risks as well as proposed mitigating action plans when we develop our strategies and annual plans. 2. NNPC Limited shall adopt a top-down approach to defining the Company’s risk appetite, by ensuring that its risk appetite will cascade from the Board. 3. The risk appetite shall be described using qualitative and quantitative measures and shall always be set at a level that minimizes erosion of earnings or losses from frauds and operational inefficiencies. Page 12 of 347 NNPC Limited ERM Processes and Procedures Policies S/N 4. Description Annually, we shall define acceptable limits of risks the Company is willing to accept to enable it meet its strategic, operational, reporting and compliance objectives. 5. It shall be the responsibility of the Head of Risk Management to develop and review the risk appetite statements, in consultation with Senior Management Committee. The Senior Management Team shall endorse it and the Board shall approve through the BAC. 6. Once the entity-wide risk appetite has been formulated and approved by the Board, the risk appetite for each Subsidiary shall be determined and derived from it, during their annual strategy/goal setting processes. 7. The following parameters can be considered when determining the risk appetite for NNPC Limited and its subsidiaries: a) Risk-return profile: Will we rather pursue a high-risk/highreturn businesses or a more conservative predictable business? b) Budget: How much of our budget can we subject to potential loss? c) Oil price: How much oil price volatility are we able to withstand? Page 13 of 347 NNPC Limited ERM Processes and Procedures Policies S/N Description d) Safety: What is our willingness to experience operational hazards? e) Community: To what extent do we want to limit business shutdown arising from community issues.? f) Operational downtime: To what extent can we tolerate operational losses? g) Are there specific risks we are not willing to accept? 8. It is the responsibility of the Company’s Senior Management Team to communicate NNPC Limited’s risk appetite to all staff within NNPC Limited, its Subsidiaries and key stakeholders (as deemed necessary). However, the ERM Function primary responsibility for ensuring such shall have information is communicated and that staff are aware of the Company’s risk appetite. The Function shall also ensure risks are mitigated with consideration for the Company’s risk appetite. 9. Definition of the risk appetite NNPC Limited would state its risk appetite based on the following broad corporate objectives: Strategic objectives Operational objectives Compliance objectives Reporting objectives Page 14 of 347 NNPC Limited ERM Processes and Procedures Policies S/N 10. Description Re-evaluation of the risk appetite NNPC Limited’s risk appetite will need to be re-evaluated: a) As part of Its strategy planning cycle and goal-setting process; b) When significant changes are made to NNPC Limited’s organisational structure; c) When changes are made to Its overall strategy and goals; and d) When there are changes in the expectations and risk preferences of key stakeholders. The following considerations shall be made in the course of the review:  Changes to the Company’s strategic objectives and risk preferences  Changes in prevailing market realities and economic conditions  The output shall be the revised risk appetite statements and key risk indicators. Page 15 of 347 NNPC Limited ERM Processes and Procedures 3.0 Risk Culture Introduction NNPC’s risk culture encompasses the shared knowledge, understanding, values, beliefs, attitudes of Management and staff towards risks. A strong risk culture leads to effective management of risks while a weak risk culture. Objectives To ensure the development of a strong risk culture, alignment of vision and values in the management of risks across NNPC Limited. Policies Policies S/N 1. Description Management and staff of NNPC Limited shall be committed to the optimal management of risk in order to achieve the Company’s mission and vision, as well as protect Its core values. 2. Management shall ensure periodic training and awareness on risks are provided to all stakeholders within NNPC Limited 3. NNPC Limited shall proactively identify future uncertainties and adequately plan for them without inhibiting growth and value creation. Page 16 of 347 NNPC Limited ERM Processes and Procedures Policies S/N 4. Description Employees are expected to proactively manage risks in their operations and will be recognised for their good risk management practices in our performance evaluation process. 5. NNPC Limited and its subsidiaries shall adhere to the following four (4) key pillars: a) Leadership – The Board and Senior Management shall set the tone at the top by establishing and promoting a strong culture of adherence to risk limits and boundaries. b) Ownership – Every employee shall proactively manage risks in their day-to-day activities i.e. risk management is a shared responsibility. Every staff shall be trained to integrate risk management in their respective day to day operations. See Appendix A for the training policy. c) Transparency – There shall be open, clear and honest communication information of shall risks be within NNPC communicated Limited. to Risk relevant stakeholders periodically, to aid decision making. d) Compliance – There shall be low risk tolerance for breach of laws, regulations and organizational policies. The Governance, Risk and Compliance Function shall be empowered to monitor compliance. Where the need arises, the GCEO is authorized to grant exceptions to the application of this policy, and thereafter Page 17 of 347 NNPC Limited ERM Processes and Procedures Policies S/N Description seek ratification from the NNPC Limited Board. 4.0 Risk Governance 4.1 Introduction Risk governance refers to the structure for managing risks within NNPC Limited and its subsidiaries. It also presents a comprehensive detail of the responsibilities for monitoring and reporting business risks within NNPC Limited and its subsidiaries. The risk governance structure comprises: 1) The risk governance structure; 2) The ERM organizational structure; 3) The risk reporting structure; 4) The ERM roles and responsibilities; and 5) The ERM stakeholder relationships. These are further detailed below: 1. Risk Governance Structure NNPC Limited’s risk governance structure is based on the “three lines of defense” model, which ensures that risk is properly managed throughout NNPC Limited and its subsidiaries. Page 18 of 347 NNPC Limited ERM Processes and Procedures The model also provides a clear allocation of responsibilities for the ownership and management of risk, to avoid overlaps and/or gaps in risk governance as shown below: Board Audit Committee 1st Line: Primary 2nd Line: Risk Risk Oversight 3rd Line: Assurance Management Page 19 of 347 NNPC Limited ERM Processes and Procedures Board Audit Committee a) Operational a) The Risk a) The Assurance management Management units in Functions within NNPC the provide Limited and its and its subsidiaries independent subsidiaries shall reviews of controls at have the management NNPC Limited and primary support by reviewing its subsidiaries. responsibility for and reporting on key identifying, risks managing designated and reporting risks. b) They shall NNPC Limited provide to Committees the at the Board and Management manage their with risks by responsibilities implementing risk. and risk level oversight for b) They shall collaborate maintaining with effective management internal develop and monitor procedures processes daily. shall operational to and controls to mitigate identified risks c) They risk shall facilitate assessment sessions, develop risk management Page 20 of 347 NNPC Limited ERM Processes and Procedures Board Audit Committee programs and alert management to emerging issues and changing risk scenarios d) They shall also provide support by training and providing counsel to business units relation to in risk management. e) The specialized risk functions (i.e. ETD, HSE, insurance) shall provide risk oversight on their risk areas respectively. However, they shall periodically report on the status of their risk profile to the ERM Function. Notes: In line with the policy: Page 21 of 347 NNPC Limited ERM Processes and Procedures a) The Level 1 and 2 Committees at NNPC Limited double as the risk management committees for the Company. b) The Level 1 committee at each subsidiary double as the risk management committee for the subsidiary. c) The Heads of Risk management at NNPC Limited and the Subsidiaries shall serve as members of the Committees. 2. ERM Organisational Structure The organisational structure for the ERM Function is depicted below: Board of Directors Board Audit Committee GCEO Chief Compliance Officer MD/Head of BU Head, Governance & Risk Management ERM Manager Head of GRC (BU) Page 22 of 347 NNPC Limited ERM Processes and Procedures Notes a) The Chief Compliance Officer shall double as the Chief Risk Officer for NNPC Limited. b) The Chief Compliance Officer shall report directly to the Managing Director and have direct access to BAC on risk management activities. c) The Head of Risk Management would primarily oversee the risk management activities of the risk management teams at the Headquarters & Subsidiary and report directly to the NNPC Limited Chief Compliance Officer. d) There shall be GRC function at each subsidiary, headed by the Head of GRC (BU). The Subsidiary GRC Unit shall report functionally to the NNPC Limited’s GRC through the Head of Risk Management on risk management matters. The ED shall also have direct access to the MD of the subsidiary and the subsidiary Board through the BAC in line with leading practices. 3. Risk Reporting Structure NNPC Limited’s risk reporting structure is depicted in the diagram below: Page 23 of 347 NNPC Limited ERM Processes and Procedures Board of Directors Board Audit Committee GCEO Level 1 and 2 Committees Chief Compliance Head, Governance and Risk Management ERM Manager Subsidiary Board Risk Management Personnel at CHQ Board Audit Committee Subsidiary Companies Subsidiary MD GCEO’s Office Corporate Services Finance and Accounts GCEO’s Office Risk Champion s Corporate Services Risk Champion Finance & Accounts Risk Champion Executive Director of GRC Level 1 Committee Subsidiary Risk Management Team Subsidiary Risk Champion Page 24 of 347 NNPC Limited ERM Processes and Procedures 4. ERM Roles and Responsibilities Summary of Roles and Responsibilities A. The following actions relating to this section shall be defined as follows: Action Definition I – Initiate To commence a risk management process. C – Consult R – Recommend To seek the views and opinions before taking risk management decisions. To propose a risk management decision for endorsement or approval. To pre-approve a risk management decision before E – Endorse it is presented to a higher authority for final approval. A – Approve IMP – Implement INF – Inform To officially accept a risk management decision. To implement the risk management decisions taken. To be notified of an outcome of a risk management process or decision B. Below is a summary of the roles and responsibilities of stakeholders for ERM and its key elements: Page 25 of 347 NNPC Limited ERM Processes and Procedures Element of Risk Managemen t Manual NNPC Ltd Board BAC Managem ent Committe e HODs/Proc ess Owners/Pr oject Managers Risk and Control Function ERM policies and procedures A R R INF/IMP I/C Risk appetite A E R IMP I/C Risk identificatio n and assessment - INF A I/C I/C Risk mitigation and control A INF/R A IMP I/R Risk monitoring and reporting INF INF INF I/C I/C Legend: I – Initiate; C – Consult; R – Recommend; E – Endorse; A – Approve; IMP – Implement; INF – Inform First Line of Defence – Risk Management 1. Board of Directors The Board sets the overall risk appetite, approves the risk management strategy and is ultimately responsible for the effectiveness of the risk management process and system of internal control within NNPC Page 26 of 347 NNPC Limited ERM Processes and Procedures Limited. The Board oversees risk management through the Board Audit Committee. 2. Board Audit Committee (BAC) The Committee shall: a) Assist the Board in setting an overall risk culture and appetite at the top; b) Assist the Board in overseeing the effectiveness of risk management and controls through the review of periodic risk management reports; c) Discuss risk management philosophy and risk appetite d) Review the framework for managing risks and recommend to the Board for approval; e) Review the propositions of Senior Management to identify potential risk exposures and direct appropriate actions to be taken by Senior Management; and f) Empower the ERM Function to enable it to discharge its responsibilities effectively. 3. Management Risk Committee The Committee shall: a) Implement an effective risk management system and instil the right culture throughout NNPC Limited and its subsidiaries for effective risk governance; b) Ensure that the internal and external risks relevant to the organisation have been effectively identified and assessed; Page 27 of 347 NNPC Limited ERM Processes and Procedures c) Develop and implement a sound system of internal controls and mitigating strategies to bring risks within acceptable levels and threshold limits; d) Review and validate key risk indicators & threshold limits for recommendation to the BAC for approval; e) Evaluate strategic initiatives and management decisions to ensure that they are within the approved risk appetite; f) Appoint risk owners for the key risks of the organisation; and g) Ensure that risk management policies are integrated into NNPC Limited’s culture 4. Functional Heads All functional heads will be responsible for the day-to-day identification, mitigation, management and monitoring of risks within their respective departments. Specifically, they shall: a) Adhere to NNPC Limited’s process for identifying and managing risks to which they are exposed; b) Identify and report risk events to RM function; c) Report on associated risk profile and status of risk mitigating strategies to the ERM Function; d) Continuously identify, mitigate and monitor risks within their respective business areas; e) Implement policies and procedures developed to manage risks; and f) Manage day-to-day risk exposures by complying with standard operating policies and procedures. Page 28 of 347 NNPC Limited ERM Processes and Procedures Functional Heads as Risk Champions: Functional Heads shall serve as functional risk champions or appoint champions within their function who shall perform the following risk management activities: a) Act as a communication channel between the ERM Function and risk owners; b) Educate members of their team on the use of the control selfassessment questionnaires; c) Drive the implementation of risk mitigation plans within the risk register for the departments; d) Conduct risk awareness sessions at departmental meetings; e) Manage the team’s risk event database and communicate identified risks to the ERM Function ; and f) Escalate challenges with risk management efforts within their departments. Second Line of Defence – Risk Oversight The ERM Function s at NNPC Limited and its subsidiaries perform the following risk management activities: a) Perform periodic scans of the operating environment for emerging risks; b) Develop and implement the necessary tools and templates to embed ERM across NNPC Limited and its subsidiaries; c) Maintain and monitor (changes in) NNPC Limited’s risk inventory by engaging all process owners to identify risks and obtain an enterprisewide view of risks; d) Foster a corporate risk culture through adequate training and serving as an internal ambassador and resource centre for ERM; Page 29 of 347 NNPC Limited ERM Processes and Procedures e) Facilitate risk assessment and prioritization by management; f) Coordinate, review and challenge (where necessary) the input received from risk owners in identifying risks and developing comprehensive risk registers; g) Consult with process owners to identify and propose key risk indicators, threshold limits and mitigating strategies, to the Management Risk Committees for validation; h) Periodically facilitate and validate risk and control self-assessments performed by risk owners, to monitor the operational risk profile and strengthen the control environment; i) Periodically monitor and report on risk management to the BAC and Management Risk Committees. (See Appendix B for details of the Risk Reporting Framework); and j) Assist stakeholders in risk management matters and provide periodic risk advisory services to the business as may be required. Third Line of Defence – Assurance 1. Audit Function The Audit function (AF) shall provide independent assurance on the adequacy and effectiveness of controls in place for managing risks as well as compliance with policies and procedures. An external assessment of the ERM function shall be conducted by an independent third party, as part of the quality assurance review of the overall GRC function. This should be performed at least once every three (3) years. Upon separation of the IA Function from GRC, the IA Function shall conduct independent assurance reviews of the ERM Function as part of its internal audit plan. Page 30 of 347 NNPC Limited ERM Processes and Procedures 2. External Audit The External Audit Function is statutorily responsible to shareholders to provide an independent opinion on NNPC Limited’s financial statements. The function shall also report on the adequacy of the NNPC Limited’s risk management systems. 3. Regulators Regulators sometimes set and monitor the implementation of specific requirements aimed management practices at for strengthening increased Company-wide assurance of risk building a sustainable enterprise. 5. Risk Management and Stakeholder Relationships The relationship between the RM and other stakeholders is depicted in the diagram below: Board Audit Committee Rating Agencies Reporting & Analysis Risk Report Directives Business Information & Data Risk report Internal Auditors Enquiries/Au dit Report Risk report External Auditors Enquiries/Au dit Report Enterprise Risk Management Function Departments Risk Report & Risk Analysis Business Information & Data Ad-hoc Committees Page 31 of 347 NNPC Limited ERM Processes and Procedures 4.2 Objectives To identify the interrelationships that exist between the divisions, departments and functions that are relevant in the governance of enterprise risks and its accompanying roles and responsibilities. 4.3 Policies Policies S/N 1. Description NNPC Limited’s risk governance structure shall be based on the “three lines of defense” model, which ensures that risk is properly managed throughout NNPC Limited and its subsidiaries. 2. The Subsidiary Boards, Management and Subsidiary GRC function shall replicate the roles and responsibilities defined for NNPC Limited within their entities 3. ERM Organisational Structure: a) The Chief Compliance Officer shall double as the Chief Risk Officer for NNPC Limited. b) The Chief Compliance Officer shall report directly to the GCEO and have direct access to BAC on risk management activities. c) The Head of Risk Management shall primarily oversee the risk management activities of the risk management teams at the Headquarters & subsidiaries, and report directly to the NNPC Limited Chief Compliance Officer. Page 32 of 347 NNPC Limited ERM Processes and Procedures Policies S/N Description d) There shall be GRC function at each subsidiary, headed by a Subsidiary Executive Director of the GRC. The function shall report functionally to the NNPC Limited GRC through the Head of Risk Management on risk management matters. The Subsidiary Executive Director of the GRC shall also have direct access to the MD of the subsidiary and the subsidiary Board through the BAC, in line with leading practices. Page 33 of 347 NNPC Limited ERM Processes and Procedures 5.0 Enterprise Risk Management Process 5.1 Introduction This section describes the detailed steps to be adopted in managing business risks within NNPC Limited and its subsidiaries. The objectives of the risk management process described in this chapter are: a) To establish a standard for identifying, assessing, mitigating and reporting risks across NNPC Limited and its subsidiaries; and b) To ensure effective and holistic integration of leading risk management practices across NNPC Limited and its subsidiaries. NNPC Limited’s ERM process will address four major components as depicted below. Risk Management Process Page 34 of 347 NNPC Limited ERM Processes and Procedures 5.2 Risk Identification The aim of risk identification is to generate a comprehensive list of all the relevant risks that could influence the achievement of its business and strategic objectives. Regular risk identification is imperative to the success of the risk management process as it ensures the inclusion of emerging risks for consideration. Objectives To identify all key risks and opportunities that could potentially have an impact on the organisation’s objectives. Policies S/N 1. Description Management shall put systems in place to ensure that enterprise risks are reviewed at least annually and on a continuous basis. 2. The risk identification activities shall consider existing and emerging risks to ensure adequate coverage of all risks that may impact our strategic objectives and operations. 3. The ERM Function shall validate all identified risks with Management to ensure accuracy and completeness 4. All identified risks shall be documented and such documentation shall include key information including at a minimum, the nature of the risk, Page 35 of 347 NNPC Limited ERM Processes and Procedures Policies S/N Description the source of identification, the root causes, and historical or potential ways the risks impact NNPC limited Procedures S/N Responsibl e Party 1. ERM For projects: Gather and review information on project risks through the review of: Function/ Heads of Departmen ts Description a) Quality and Risk management plan b) Cost management plan c) Schedule management plan d) Scope baseline  Proactive feedback from process owners on identified risks.  Documentatio n Reviews f) Stakeholder register  Brainstorming h) Project charter i) Feasibility study, etc. ERM Function  Administering questionnaires and surveys. e) Activity cost and duration estimates g) Procurement document 2. Job Aid  SWOT Analysis  Workshops  Risk Questionnaires Develop and agree objectives for the risk  Email identification process.  Office Tools Page 36 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N Responsibl e Party Description Job Aid 3. ERM Gather and review information on  Function existing and emerging risks. The process with the will involve performing any of the support of following activities: the process interview sessions.  /Workshop. owners scanning/market  intelligence analysis. c. Review of process Administerin g maps questionnaire and/or s and surveys. process documents.  d. Analysis of internal and external audit Proactive feedback reports. from process owners on e. Review of risk event reports. identified f. Benchmarking against industry leading practices. Focus group discussions a. Review of industry trends and data. b. Environmental One-on-One risks.  Documentati on Reviews  Brainstormin g  SWOT Analysis  Workshops Page 37 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N Responsibl e Party Description Job Aid  Risk Questionnair es 4. ERM Function For projects: Gather and review information on project risks through the review of: a. Quality and Risk management plan  on Reviews  d. Scope baseline   i. Feasibility study, etc. Interviews/W orkshops  Risk Questionnair es  Root Cause Analysis g. Procurement document h. Project charter SWOT Analysis e. Activity cost and duration estimates f. Stakeholder register Brainstormin g b. Cost management plan c. Schedule management plan Documentati  Checklist Analysis  Assumption Analysis  Expert Opinion 5. ERM Review, analyse and aggregate risks  Brainstorming Function identified from various risk identification Page 38 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N Responsibl e Party Description with activities. This will involve streamlining support of duplicated risks and categorising risks the risk/ appropriately. process owner Job Aid The following categories can be used for categorisation: Category Definition External Risks that events arise from outside the Company’s control that can impact the business. Risks in this area include policy and regulatory uncertainty risk, and equipment loss and vandalism risk Strategic Internal risks associated with the Company’s business corporate model, strategy and long-term planning. Risks in this area include weak governance and corporate culture risk and Page 39 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N Responsibl e Party Description Job Aid ineffective alliance & partnership risk Operation al Risks derived from the Company’s core business practices and support processes, which rely on systems, practices, and people. Within this risk domain are technical loss risk, network infrastructure risk and business continuity and disaster recovery risk Financial Risks associated with the Company’s ability to raise capital, maintain access to capital, contracting issues, cost of risk and evaluating vendor support. Risks in this area include credit/ collection loss risk, funding and liquidity risk Page 40 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N Responsibl e Party Description 6. ERM Populate the risk register and map the  Documentatio Function risks to the relevant business process. ERM Validate the risks with the process  Interviews Function owners and other key stakeholders. 7. Job Aid n with support of the risk/ process owner 8. ERM Consolidate the risks identified across  Documentatio Function NNPC Limited and its subsidiaries on the n risk register. Input & Output Documents S/N Document Description Type Frequen cy Source Recipient Input As required Process owners ERM Function 1. Process documents strategy Output As required ERM Function ERM Function 2. BUD and Page 41 of 347 NNPC Limited ERM Processes and Procedures Input & Output Documents S/N 3. Document Description Risk Universe Type Output Frequen cy Source Recipient As required ERM Function ERM Function and Process Owners Key Performance Indicators S/ N 1. 2. Performance Measure Basis Measurement of Frequency of enterprise risk identification Number enterprise identification Frequency of functional risk identification % of functional risk identifications conducted of risk Timeframe Target Annually Minimum of one Annually TBD Page 42 of 347 NNPC Limited ERM Processes and Procedures Page 43 of 347 NNPC Limited ERM Processes and Procedures 5.3 Risk Assessment Introduction NNPC Limited’s risk assessment approach aims at measuring the level of identified risks relating to its business processes. Basically, this would involve a careful examination of risks, their causes, their mitigating controls, their likelihood of occurrence and their impact if they crystallise. In assessing/ranking identified risks, NNPC considers the following factors: The likelihood that the risks will occur, considering the effectiveness of – controls in place; and The magnitude of the impact of the risks if they occur, considering the – effectiveness of controls in place A. Risk Ranking Criteria: Likelihood This is a measure of the probability that a risk may occur in the near future. The likelihood ranking criteria for NNPC Limited and its subsidiaries as at the time this manual was developed is given below: Scale Likelihood Factor Frequency Indicator (3 years) Event is most likely to 5 Almost Certain occur in circumstances most at 90 - 100% least once in every 3 years 4 Likely More than an even chance of occurring 65 - 89% Page 44 of 347 NNPC Limited ERM Processes and Procedures Scale Likelihood Factor Frequency Indicator (3 years) at least once in every 3 years An even chance of 3 Possible occurring at least 40 - 64% once in every 3 years Small likelihood but 2 Unlikely could happen at least 20 – 39% once in every 3 years Not 1 Rare expected to happen – event would 1 – 19% be a surprise B. Risk Ranking Criteria: Impact 1. Non-Financial Impact This is the potential non-financial consequence of an event/risk occurring if a risk were to crystallise. The impact criteria for NNPC Limited is as follows: Page 45 of 347 NNPC Limited ERM Processes and Procedures 1 2 (Minor) 3 (Moderate) 4 (Major) 5 (Extreme) (Insignificant) Event will have Event will Event no noticeable have impact on:  Strategy/bu siness   will extreme impact on:  minimal moderate significant impact on: impact on: impact on: Strategy/business model Market share model business siness Regulatory Market model model   Market  Market ness model Regulatory share share compliance  Regulato  Regulatory (e.g.fines, ry compliance litigations) complian Retention ce of fines, senior/expe litigation rienced s) senior/exper Key alliances Retentio ienced staff and  (e.g.  d staff  Key alliances and senior/experi  Continuity ence d staff business Key senior/ex alliances and perience and partnership d staff partnership Key s alliances  Continuity of senior/experience fines, litigations) Retention Retention alliances and (e.g.  partnerships n of  compliance (e.g. fines, litigations) Retention of Key s compliance litigations) of   Market share Regulatory (e.g. fines, have have Strategy/bu Strategy/busi  staff  have will Event Strategy/  share  will Event operations  HSE matters partnerships Continuity of business operations HSE matters of Page 46 of 347 of NNPC Limited ERM Processes and Procedures 1 2 (Minor) 3 (Moderate) 4 (Major) 5 (Extreme) (Insignificant)  Continuity partners business of business hips operations Continuit  HSE matters operations   HSE y of matters business operatio ns  HSE matters Require the Require the Require attention of lower management attention of Require Heads of the involvement attention of Department Senior within the Management of the Top Require the specific Managemen intervention of the t Committee shareholders and Board Business Units Minimal or no media attention expected Prominent Short-term Short-term national or Sustained local media national media international international media attention attention media attention attention 2. Risk Ranking Criteria: Financial Impact Page 47 of 347 NNPC Limited ERM Processes and Procedures This is the potential financial consequence of an event/risk occurring if a risk were to crystallise. The impact criteria for NNPC Limited is as follows: Scale Financial 1 2 3 4 Minor Moderat Major 5 paramet er Insignifi cant Extreme e Financial Impact Total Less Between Between Between Greater Asset (N) than xx% xx% impact xx% and xx% than xx% and xx% xx% and xx% impact impact impact impact C. Risk Prioritisation and Ranking The level of risk is a combination of the likelihood of occurrence and the magnitude of impact. The combination of these criteria produces the risk map, which is an illustration of the level of risk. These levels are either high, medium or low as earlier described. See the diagram below: Page 48 of 347 NNPC Limited ERM Processes and Procedures Extreme 5 M M H H H M H M M H M M M M D Impact Major 4 Moderate 3 Minor 2 Insignificant 1 M M L M E L L M LF L L Unlikely 2 Possible 3 Rare Key: High B 1 Medium Low A H C Likely 4 Almost Certain5 Likelihood Risk Example Notes: a) High risks, in the areas marked “H” on the risk map, are risks that may materially influence the achievement of NNPC Limited’s business and strategic objectives. These risks require the active attention and involvement of the Board and Senior Management to ensure that it’s properly mitigated or exploited. The source of these risks must be identified, understood and positive actions executed to treat or remove them. b) Medium risks, in the areas marked “M” on the risk map, are risks that may influence the achievement of NNPC Limited’s short-term business and strategic objectives. Depending on the objective they affect, these risks may require the attention of the Board or Senior Management. Page 49 of 347 NNPC Limited ERM Processes and Procedures Generally, middle management staff can mitigate or exploit them. c) Low risks, in the areas marked “L” on the risk map, occur in the normal course of business. They usually have negligible influence on the achievement of NNPC Limited’s business and strategic objectives. Middle level management can generally mitigate or exploit these risks. d) A, B, C, D, E and F are risks plotted on the heat map based on the assessed likelihood and impact. D. Control Assessment a) Where the level of inherent or gross risk is evaluated (i.e. assessing risks without considering controls), NNPC Limited may assess the effectiveness of controls in place by conducting a control assessment to enable us determine the level of residual risk. b) The aim of a control assessment is to assess and validate the effectiveness of the controls designed by management to mitigate the identified risks. These controls need to be identified clearly and their effectiveness assessed, as risks not subject to effective controls may result in catastrophic consequences. c) Each participant in the control assessment session shall consider the following questions as it relates to each inherent risk under consideration. 1. Are all appropriate controls present? 2. Does the control address the risk effectively? 3. Is the control officially documented and communicated? 4. Is the control reviewed by anyone independent of the person Page 50 of 347 NNPC Limited ERM Processes and Procedures performing the control procedure? 5. How reliable are the reports from the process? 6. How competent are the personnel managing the risk? 7. How effective and reliable are the resources used? d) A description of control effectiveness is given below: Control Rating Description Poor The control measures in place are ineffective Fair There is room for some improvement Good Majority of risk exposure is effectively controlled and managed Very Good Risk exposure is effectively controlled and managed Objective Risk assessment is conducted to undertake risk evaluation so as to make decisions about the significance of risks to organization and whether specific risks identified should be accepted or treated. Policies S/N 1. Description Risk Assessment Page 51 of 347 NNPC Limited ERM Processes and Procedures Policies S/N Description Desktop-based assessment – this involves identifying key risk indicators (KRIs) for each risk, setting thresholds for these KRIs and monitoring them on a (daily, weekly, monthly etc.) basis. Business process owners and the Risk Management Division would use this approach for assessing risks within their line of sight. 1. Facilitated workshops – this involves holding facilitated workshops with process owners to discuss and evaluate the likelihood and impact of the occurrence of the identified risks. 2. Structured interviews – this involves holding one-on-one discussions with relevant personnel to obtain their opinion on its risk exposures. This approach would be adopted where it is difficult to convene a workshop. 3. Questionnaires – this involves developing and administering a structured manual/electronic questionnaire to key personnel to obtain their opinion on the likelihood and impact of a risk. This approach would be adopted where the people required are in diverse locations and there is limited time available for the exercise. 2. The ERM Function in collaboration with business and risk owners, shall define the criteria for assessing risks at the individual subsidiary. Page 52 of 347 NNPC Limited ERM Processes and Procedures Policies S/N 3. Description The parameters for risk assessment criteria shall be reviewed on an annual basis for continued relevance e.g. due to changes in the Company’s risk appetite or change in financial profile. Procedures S/N Responsibl e Party Description Job Aid 1. ERM Establish and agree the criteria for  Interview Function assessing risks.  Feedback from Risk owner ERM Determine and agree the  Interview Function appropriate risk assessment with the approach to adopt. and Risk owner 2. support of Risk owner 3. ERM Determine, invite and provide Function instructions to the participants on and Risk the risk assessment approach. owner  Risk assessment briefing presentatio n/pack Page 53 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N Responsibl e Party Description Job Aid 4. ERM Obtain consensus on the identified Function risks and the assessment criteria and Risk with the participants.  Risk assessment workshop owner 5. ERM Conduct risk assessment: Function a) Assess the impact and likelihood and Risk owner  Risk assessment workshop of identified risks; b) Identify key controls and mitigation activities associated with the identified risks; c) Evaluate the effectiveness of identified key controls and mitigation activities; d) Rank the residual risks from high to low; and e) Develop a risk map. Input & Output Documents S/N Document Description 1. Risk assessment pack Type Input Frequen cy Source Recipie nt As Required ERM Function Risk Owners Page 54 of 347 NNPC Limited ERM Processes and Procedures Input & Output Documents S/N 2. Document Description Type Risk heat map Output Frequen cy As Required Source ERM Function Recipie nt Board & Executi ve Manag ement Key Performance Indicators S/ N 1. Performance Measure Basis Measurement Accuracy assessment reports Number of material errors, omissions, and misrepresentations in the assessment reports. of of Timeframe Target As required TBD Page 55 of 347 NNPC Limited ERM Processes and Procedures Page 56 of 347 NNPC Limited ERM Processes and Procedures 5.4 Risk Mitigation and Control Introduction Risk mitigation is a process of putting controls in place to reduce the level of occurrence or magnitude of impact of risks. When risks have been identified and assessed, the next step is to carefully decide on the best approach to mitigate the risks. NNPC Limited and its subsidiaries shall adopt any of the four (4) risk treatment approaches below. The risk mitigation strategies would differ based on the severity of the risk. S/ Mitigation Description Manageme Example Applicab N Alternativ nt Action le Risk e 1 Tolerate In using this approach, Accept the No (Acceptan NNPC will accept the stated risk incrementa ce) risks inherent in the exposure l treatment  Low risk Corporation’s or transactions i.e. the mitigation consequences of the risk is will be absorbed. This employed approach will either be adopted in instances where the magnitude of impact of these risks is low/minimal or where the cost of managing the risk far outweighs the loss to be incurred Page 57 of 347 NNPC Limited ERM Processes and Procedures S/ Mitigation Description Manageme Example Applicab N Alternativ nt Action le Risk e should the risk occur. 2 Treat  (Reduce) Under this approach, Employ one Policies NNPC will accept the or more risk and risk and adopt mitigation  High risk procedures  measures to reduce the strategies to , defining probability of its reduce all or authority occurrence and the partial limits, severity should it exposure obtaining crystallise. Processes expert and procedures advice Mediu m risk  Low risk standardisation, policy formulation, continuous education, regular defining training program, defining authority limits, obtaining expert advice are some of the risk reduction measures NNPC will deploy. 3 Transfer (Share)  Under this approach, Shift risk to Purchase  High NNPC will transfer the a third party insurance  Mediu Page 58 of 347 NNPC Limited ERM Processes and Procedures S/ Mitigation Description Manageme Example Applicab N Alternativ nt Action le Risk e consequences of the Outsourcin Corporation’s risks to g m other sources. Some common practices involved in risk sharing include purchasing various forms of insurance and finding external sources to perform activities of undesired risk levels also known as outsourcing. NNPC will transfer its risks to independent counterparties by utilising contracts, insurance arrangements, outsourcing arrangements and hedging instruments. 4 Terminate  These risks will include Discontinue (Avoidanc risks outside the all or partial e) Corporation’s risk activities appetite or risks whose  Obtain executive orders to High risk actions that specify Page 59 of 347 NNPC Limited ERM Processes and Procedures S/ Mitigation Description Manageme Example Applicab N Alternativ nt Action le Risk e rewards are not contributin mandate remain commensurate with the g to or  risks undertaken. creating risk Specifically, NNPC will exposure Discontin tably ue specific discontinue activities activity that generate these from risks, where possible. which The Corporation would the risk utilise this approach for unaccep arises high-risk actions that high even after controls have been applied. remain unacceptably high even after controls have been applied. The risk map below illustrates the effects of an implemented mitigation plan on the inherent/gross risk. The implemented plan should have the effect of moving the gross risks towards the bottom left hand corner of the grid, resulting in residual risk. An illustration of this effect is graphically depicted as follows: 8 4 5 9 7 Major Impact 1 7 Extreme 8 Moderate 13 Minor 1 1 1 4 9 17 14 5 Page 60 of 347 1 NNPC Limited ERM Processes and Procedures Objectives To reduce and eliminate the impact that risk has on the strategic objective of the organisation. Policies S/N Description 1. All identified and prioritised risks shall have documented mitigation strategies 2. The Risk Management Team shall identify the existing controls and ascertain their effectiveness. 3. The RMF shall ensure the relevant risk mitigation approach for the level of risk is considered by Management before decisions are made 4. The mitigation plan shall clearly identify the individuals responsible for implementing the plan Procedures S/N 1. Responsible Party Description Job Aid ERM Function Review risk identification and risk Office tools assessment reports to identify areas of significant exposure Page 61 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N 2. Responsible Party ERM Function Description Job Aid Revalidate the control assessment Office tools performed during the risk assessment phase. The revalidation will involve reviewing the internal and external audit reports, focusing on the following: a) Independent on assurance the effectiveness of identified controls and mitigation activities. b) Control gaps noted and recommendations to address noted gaps. c) Significant and recurring control issues and failures. 3. 4. ERM Function and Risk Process Owner Identify and select appropriate risk ERM Function and Risk Assist process and risk owners with the Office tools mitigation approach and strategy. design and implementation of controls Office tools Email Page 62 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N Responsible Party Description Process Owner to address Job Aid deficiencies and weaknesses noted. Input & Output Documents S/N 1. 2. Document Description Type Frequen cy Source Recipient Risk Ranking Input As required ERM Function Risk Owners Annually ERM Function Risk and Control Register Output ERM Function and Executive Management Key Performance Indicators S/N 1. Performance Measure Basis Measurement of Completeness of risk mitigation plans Number of risks without risk mitigation plans Timeframe Target As required TBD Page 63 of 347 NNPC Limited ERM Processes and Procedures Page 64 of 347 NNPC Limited ERM Processes and Procedures Page 65 of 347 NNPC Limited ERM Processes and Procedures 5.5 Risk Monitoring and Reporting Introduction Risk monitoring involves the re-evaluation of all risks recorded on the risk treatment plan to ensure that the current assessment remains valid. Objective  To keep track of the risks that occur and the effectiveness of the responses which are implemented by an organization.  The objective is to enable decision-makers to regularly evaluate risk management performance. Policies S/N 1. Description Risk monitoring and review shall form part of NNPC Limited and its subsidiary normal management reviews and shall be performed either daily, weekly, monthly, quarterly, half-yearly or yearly depending on the type and nature of the risks. 2. The following aspects of risk management shall be monitored: 1. Status of mitigation plans The status of implementation of mitigation strategies agreed to prevent risks or lower them to acceptable limits shall be monitored periodically. 2. Key risk indicators (KRIs) Page 66 of 347 NNPC Limited ERM Processes and Procedures Policies S/N Description Key risk indicators are metrics to be used in providing early signals of increasing risk exposures in various areas of NNPC Limited and its subsidiaries. A threshold limit shall be defined for each KRI. The KRIs shall be periodically monitored against their threshold limits. 3. Risk and control self-assessment (RCSA) The RCSA is a repository of applicable controls designed to address operational risks within the business. The process owners shall be required to periodically attest to compliance with the controls and the result shall be validated by the RM function. 4. Risk register review The risk register is a comprehensive record of all risks within NNPC Limited. The document shall be maintained by the Risk Management Division. The risk register may be maintained in MS Excel or in applicable risk management software/ERP system. Regardless of the form taken, the risk register would at a minimum capture the following information: a) Description of risk; b) Type of risk; c) Likelihood and impact of risk on NNPC Limited and its subsidiaries; d) Level of risk; e) Mitigating controls; and Page 67 of 347 NNPC Limited ERM Processes and Procedures Policies S/N Description f) Risk owners. 5. External risk review There shall be periodic examination of the environment for emerging risks within the NNPC Limited’s sphere of operation. This shall be done by performing a thorough scan and analysing all relevant risk factors that may directly or indirectly impact NNPC Limited’s objectives. 6. Risk events This is a review of the risk incidents that have occurred within the various business units within NNPC Limited and its subsidiaries. The risk event documentation shall in the minimum contain description of event, root cause, severity of impact and summary of action plan. 3. A reporting framework shall be developed and maintained by the ERM Function, detailing the risk reports to be generated, the frequency and the recipients. (Please see Appendix B for a reporting framework which can be periodically updated to reflect changes in the business or additional information required by the management of NNPC Limited). 4. Risk progress reports shall be generated by the ERM Function to assess the adequacy and completeness of the risk management process. Page 68 of 347 NNPC Limited ERM Processes and Procedures Policies S/N 5. Description Every support unit of the Company shall conduct a detailed risk and control self-assessment for all its processes on an annual basis. Procedures Responsibl e Party Description Job Aid 1. ERM Function and Risk Owner Determine qualitative and quantitative risk information to be monitored and reported. Office tools 2. ERM Function and Risk Owner Establish indicators, triggers and standards for tracking, capturing and monitoring risk information. Office tools 3. ERM Function Establish a centralised risk management NA system to identify, value, and capture risk information. 4. ERM Function Establish and agree risk monitoring and ERM Function Establish and agree risk escalation NA procedures including the following: S/N 5. Office Tools reporting responsibilities.  Frequency and format for reporting.  Triggers to prompt management Page 69 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N Responsibl e Party Description Job Aid actions. 6. ERM Function Establish process for continuous risk NA monitoring. 7. ERM Function and Risk Process Owner Define key risk indicators and assign NA accountability and responsibility for the risks. Input & Output Documents S/N 1. Document Description Type Frequen cy Risk Tool Input Quarterly ERM Function ERM Function & Risk Owner Output Quarterly ERM Function Board & Executive Manageme nt Monitoring Risk Report 2. Source Recipient Key Performance Indicators S/ N Performance Measure Basis Measurement of Timeframe Target Page 70 of 347 NNPC Limited ERM Processes and Procedures Key Performance Indicators 1. 2. Timeliness Board reporting Accuracy reporting of of Circulation quarterly papers of board Number of material errors, omissions, and misrepresentations in the report. Quarterly At least one week before Board meeting Quarterly TBD Page 71 of 347 NNPC Limited ERM Processes and Procedures Page 72 of 347 NNPC Limited ERM Processes and Procedures 6.0 Appendix Appendix A – Training and Awareness Policy This section of the manual outlines the risk management training and awareness policy that shall guide the training of staff to enable them to understand NNPC Limited’s risk management philosophy, principles, culture, appetite, measurement, methodologies, process and procedures. The Head of Risk Management shall develop a comprehensive training and awareness plan on an annual basis. This plan shall form part of NNPC Limited’s annual training calendar. The risk training and awareness plan shall include courses that: a) Provide Board of Directors and staff with specific training and awareness on NNPC Limited’s risk management policies and procedures covering all the key risks; b) Discuss trends and industry practices in enterprise risk management; c) Teach the fundamentals of risk management and ERM concepts and approaches; d) Assist participants to understand and implement risk management policies and procedures; e) Provide an efficient methodology for evaluating risks in the business environment; f) Assist participants to understand the use of the information technology systems put in place to manage risks; g) Give practical insights into the relationship between ERM and other organisational systems relating to corporate governance, knowledge management and quality management; h) Provide understanding of important quantitative techniques used in risk Page 73 of 347 NNPC Limited ERM Processes and Procedures management; i) Provide understanding of how ERM can be used to gain a competitive edge; and j) Provide an understanding of the Risk Management decision process. Risk Management Awareness A risk awareness program shall be established by the Head of Risk Management to ensure that all staff are continually educated on recent developments and findings in risk management. This will help to raise staff awareness of the risk management policy and processes, their role in it and to provide education on basics of risk management. The awareness process shall be designed in a way that personnel can readily learn with minimum disruptions to their duties. Options for this type of training include: a) Induction manuals for new hires; b) Short presentations (facilitated internally or externally) during normal office meetings; c) Meetings/interviews or facilitating of regular departmental/unit chat or discussion on ERM; d) Workshops; e) Special briefings; and f) Newsletters or Publication of quarterly bulletin highlighting ERM event within NNPC Limited and its subsidiaries. Page 74 of 347 NNPC Limited ERM Processes and Procedures Appendix B – Risk Reporting Framework To enable RM fulfill its mandate, some of the risk reports to be prepared and issued by RM are itemized in the table below: S/ Report Descriptio N Generator n RM Team Risk 1 Recipient  assessmen t report Relevant Frequen Purpose cy  Risk  At least Chief prioritisati annuall Compliance on y Officer  Relevant MD/GCEO  Relevant BAC 2 RM Team Key risk  indicator report  Relevant  Risk  Monthl Chief monitorin Compliance g Officer mitigatio Relevant n y and MD/GCEO 3 RM Team Status of  mitigation plan  Relevant  Risk  Monthl Chief monitorin Compliance g Officer mitigatio Relevant n y and MD/GCEO Page 75 of 347 NNPC Limited ERM Processes and Procedures 4 RM Team Market  outlook and emerging risks  Relevant  Risk  Monthl Chief monitorin Compliance g Officer mitigatio Relevant n y and MD/GCEO 4 RM Team Risk event  reports and internal control exceptions  Relevant  Risk  Monthl Chief monitorin Compliance g Officer mitigatio Relevant n y and MD/GCEO 3 RM Team RCSA  Relevant  Risk Heads report of  Quarter monitorin Department g within assurance the ly and Business Units  Relevant Chief Compliance Officer  Relevant MD/GCEO  Relevant BAC Page 76 of 347 NNPC Limited ERM Processes and Procedures 4 RM Team Company-  Risk  ent report comprising  rs   Risk incident s identificat NNPC ion Limited prioritisati Head of RM on and Relevant of Relevant Internal Audit of on plans  Risk Division  Status mitigati  Quarter ly Officer Heads  Key risk indicato e Compliance Divisional :  Assuranc Chief wide or managem Relevant Function  Relevant MD/GCEO  Relevant BAC  Internal control exceptio ns  Internal followup results on Page 77 of 347 NNPC Limited ERM Processes and Procedures implem entation of recomm endatio ns by other assuran ce provider s  Market outlook and emergin g risks 6 NNPC Consolidat Limited’s ed report Risk on risk  Manageme reviews nt Team  NNPC  Quarte Limited  Consolidat rly Chief ed Risk Compliance reporting NNPC Limited Limited GCEO its subsidiarie s  Assurance Officer across and NNPC  NNPC Limited BAC Page 78 of 347 NNPC Limited ERM Processes and Procedures  NNPC Limited Head of Internal Audit Appendix C – Sample Risk Appetite Statements COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives Strategic  We shall seek Production and Restoration of reserve growth energy production to sustain long to peak levels, and term growing the by production mix and an energy mix portfolio of oil and growth achieving that gas reserves. meets current and future needs of our stakeholders  We shall seek to deliver over XX% of domestic energy requirements. Page 79 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Objectives Classificatio Classification Risk Appetite n Objectives Alliance Partnership and Implementation of  We shall not IJVs across board for engage in any alliances and strategic partnerships. alliance on any project or investment that does not meet PSAP requirements.  We shall not partner with any entity that fails to meet our minimum due diligence requirements.  We shall seek to meet all our responsibilities as detailed in our partnership agreements and shall not tolerate any unresolved Page 80 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives default from our partners. People Sufficient staff  We shall attract, capacity of excellent develop professionalism and retain capability. skilled and highly employees.  We shall seek to ensure that each Senior Management Staff has at least one (1) subordinate not lower than two (2) from ranks the incumbent’s position.  We shall seek to ensure smooth job by transitions notifying Page 81 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives potential successors at least (6) six months prior to the exit planned of any Senior Management Staff.  We shall seek to achieve seamless successions through a minimum XX% of positive job evaluations following succession Investment Investment in  We shall not profitable businesses approve that create value or project support without a clear efficient management of business any case and Page 82 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives NNPC Limited’s commercial resources Operating Model viability. Operation lean of a Our staff strength at Corporate the NNPC Limited Headquarters and shall not be more autonomous than XX% of total business units that staff capacity. are core to NNPC Limited's operations. Reputation Strengthen our  We shall seek to reputation and avoid brand amongst all businesses, stakeholders. situations, actions could or that have a negative impact on our reputation and brand. that have Actions would negative impact on our Page 83 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives reputation shall not be more than XX instance(s) in a year.  We will not tolerate negative media exposure beyond XX days. Community  relations  Maintain cordial our relationship with cordial Corporate a and sensitive to our Social responsibility core in manner that is communities. Make business activities host  We shall conduct part communities. of business strategy implementation and performance scorecard host a  We shall tolerate not more than 1 week of disruption annum per arising Page 84 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives from Communal Issues  We shall seek to achieve all financial and non-financial obligations to stakeholders in any financial year. Operational Security Security of our core We shall put in place asset and people. measures to security exposure and limit asset destruction to less than XX instances in a year. HSE  Health and safety  of lives and our We shall not tolerate any loss environment of life arising from our operations.  We shall also not tolerate any Page 85 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives occupational incidence or rate accident frequency rate (AFR) exceeding XX%.  We shall not tolerate environmental damage or wastage that leads to costs for stakeholders excess of in $xx annually  We shall limit asset destruction and vandalization to $XX per year  We shall not take on any activity for which we have determined that our staff or Page 86 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives facilities are exposed to security threats of our  Our assets shall Capacity Operation optimisation assets at optimum not capacity to achieve below profitability. capacity operate XX% utilization.  We shall seek to achieve a minimal return of XX% on our assets Staff Welfare Build staff capability We shall not score of commercial- below xx % oriented with mindset internal from staff promotion satisfaction surveys based on that performance. shall be deployed from time to time. Product Quality Delivery of products We shall not in accordance to accept beyond XX specification. instances of Page 87 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Objectives Classificatio Classification Risk Appetite n Objectives negative deviation from specified requirements any in given operation or project per year. Reporting Financial and Transparent  We shall not Operational reporting of financial accept Information and operational significant information. misstatement of any financial or operational information i.e. beyond XX audit adjustments at any given period or audit adjustments beyond XX% on any balance sheet or P&L account.  We shall also Page 88 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives not tolerate the finalization of audited financial statements later than months xx after the end of each financial year. Compliance Regulatory, Compliance with Legal and internal policies, tolerate internal Policy laws and or Compliance regulation. audits  We shall not regulatory with compliance ratings below XX%.  We shall have xx tolerance for financial crime and non- compliance to regulatory standards Page 89 of 347 NNPC Limited ERM Processes and Procedures COSO’s Sub- Classificatio Classification Objectives Risk Appetite n Objectives  We shall not tolerate exposure to fines due to late submission of regulatory reports  We shall ensure required approvals from regulatory bodies are received before commenceme nt of projects  We shall not tolerate unethical behaviors by staff Page 90 of 347 NNPC Limited Quality Assurance Processes and Procedures QUALITY ASSURANCE PROCESSES AND PROCEDURES NNPC Limited January 2023 NNPC Limited Quality Assurance Processes and Procedures Document Review, Check, Endorsement & Approval Issue 1 Signature Name Position Date Issue, Modificatio n PIA Implementati on Team CCO SLT SMT 19/01/2023 19/01/2023 19/01/2023 19/01/2023 Prepared Checked Endorsed Approved Page 92 of 347 NNPC Limited Quality Assurance Processes and Procedures Table of Contents 1.0 Introduction..................................................................................................................................................... 2 2.0 Governance of the Quality Assurance and Monitoring Function................................. 0 3.0 Quality Assurance Improvement Program................................................................................ 0 4.0 Reporting Framework.............................................................................................................................. 0 5.0 Performance Management.................................................................................................................. 0 5.1 Appendix - Quality Assurance Review Tool................................................................................. 3 NNPC Limited Quality Assurance Processes and Procedures Glossary of Terms Term/ Abbreviation Meaning GRC GRC Function ERM Enterprise Risk Management IIA Institute of GRCors IPPF International Professional Practices Framework NNPC Nigerian National Petroleum Company Limited QAIP Quality Assurance and Improvement Program QA Quality Assurance Function RM Risk Management SBU Strategic Business Unit Page 1 of 347 NNPC Limited Quality Assurance Processes and Procedures 1.0 Introduction 1.1 Background NNPC Limited understands that there is a need to obtain assurance that its GRC processes are:  Credible and standardized across NNPC Limited and its subsidiaries.  In line with the frameworks that have been developed to guide GRC and each of its sub-units.  In line with leading practice requirements including the International Professional Practices Framework (IPPF). One of the critical success factors to meeting these expectations is a comprehensive Quality Assurance and Improvement Program (QAIP) that includes ongoing assessment and monitoring of GRC’s performance and effectiveness. Considering the above, the Quality Assurance (QA) unit has been established within the GRC Function, to provide continuous monitoring, evaluation and improvements to the activities of the GRC Function within NNPC Limited and its subsidiaries. 1.2 Objectives The objective of the Quality Assurance Policies and procedures is to enable the QA unit to: a. Provide internal assurance over the effectiveness of the GRC Function b. Ascertain that the GRC processes are being conducted in accordance with the guiding frameworks in line with the GRC Charter and Manual. Page 2 of 347 NNPC Limited Quality Assurance Processes and Procedures The aim of the Quality Assurance Policies and procedures is to cover all the main aspects of quality assurance and the key measures aimed at ensuring that the Company’s GRC practices are in line with leading standards. To operate at this level, GRC staff need a higher level of credibility with their stakeholders. The policies highlight the role of the Quality Assurance and Monitoring Function within the GRC Function of NNPC Limited and its subsidiaries. 1.3 Structure of the Policy The policy contains a high-level Mandate, the SIPOC (Supplier-InputProcesses-Output-Customers) Model, and Relationship Map for the GRC Function. This is followed by 2 core chapters (processes), each of which is organised in line with the following structure:  Introduction: Gives an overview and scope of the process and sets out the key sub-processes covered.  Objectives: States the main purposes that the process intends to accomplish.  Policies: Outlines the main operating policies guiding the execution of various activities and tasks.  Procedures: Provides a detailed breakdown of the main activities in the process, including tasks, responsibilities and job aids/tools.  Input and Output Documents: Outlines the documents that serve as inputs into the process, the outputs and key reports generated.  Key Performances Indicators: Sets the performance measures used to determine the efficiency and effectiveness of the processes. Page 3 of 347 NNPC Limited Quality Assurance Processes and Procedures  Process Flow Map: Provides a pictorial summary of the outlined procedures 1.4 Compliance Compliance with this Policy is mandatory for the GRC Function. However, there may be exceptional circumstances, where it is impracticable to comply with a particular policy or procedure. In such instances, a prior written waiver will be required from the approving authority The Policy and Procedure has been designed as an adaptation of the IPPF* to meet the requirements and characteristics of a quality GRC Function. Where the need arises, the GCEO is authorized to grant exceptions to the application of this policy, and thereafter seek ratification from the NNPC Limited Board. *N.B: The IPPF consists of the Mandatory and the Recommended guidance, and broadly comprise four (4) elements: Core Principles, Definition of Internal Audit , Code of Ethics and Standards. 1.5 Users This policy applies to the Quality Assurance and Monitoring unit 1.6 Updates to the Policy It is intended that this policy will be updated every two years unless there is a specific requirement for an immediate revision in line with changes in NNPC Limited’s business. Such updates will be duly communicated to all relevant departments Page 4 of 347 NNPC Limited Quality Assurance Processes and Procedures NNPC Limited Quality Assurance Processes and Procedures Page 1 of 347 NNPC Limited Quality Assurance Processes and Procedures Page 2 of 347 NNPC Limited Quality Assurance Processes and Procedures 2.0 Governance of the Quality Assurance and Monitoring Function 2.1 Introduction 2.1.1. Vision “To be regarded as a reliable business advisor to NNPC Limited and its subsidiaries through the institutionalization of best practices within the GRC Function.” 2.1.2. Mission “To provide the Board and Management of NNPC Limited and its subsidiaries with the added assurance that all GRC activities have been conducted in accordance with standard practices across NNPC Limited and its subsidiaries.” 2.1.3. Scope of the QA Unit The QA Unit shall support the management of the GRC Function to coordinate quality assurance activities for the GRC. Its services shall cover NNPC Limited and its subsidiaries. 2.1.4. Structure* NNPC Limited Quality Assurance Processes and Procedures The Quality Assurance and Monitoring Function within NNPC Limited reports to the Head of Global Compliance and ultimately to the Chief Compliance Officer. The Quality Assurance Manager is saddled with the following responsibilities: a. To implement and monitor compliance with the internal quality management system for enhancing the value of GRC services provided by GRC to business units. b. To set and monitor strategy and policy within GRC Function. c. To ensure maintenance of an up-to-date database system for the GRC Function. d. To manage corporate performance, including maintaining a database of information for reporting on the Key Performance Indicators for the GRC Function. 2.2 Objective The objective is to consolidate and standardize the tasks, and responsibilities to ensure effect execution of QA reviews in line with the standards and stakeholder expectation 2.3 Policy Policies S/N Description Page 1 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies 1. Overall Responsibilities of the QA Unit The overall responsibilities of the QA Unit shall be to: a) Standardize GRC activities by ensuring that the policies and procedures are adequate and aligned with leading best practices. b) Establish and manage appropriate mechanisms for obtaining feedback from stakeholders on the effectiveness of the GRC Function. c) Review compliance with the GRC’s policies and procedures and proffer recommendations for possible gaps noted. d) Facilitate the performance of periodic external assessments (if any) of the GRC Function in line with regulatory and professional standards as well as leading practices. e) Facilitate capacity development by coordinating training and periodic knowledge sharing sessions among staff and personnel of the GRC. f) Facilitate setting and monitoring of strategy within GRC Function and coordinate performance assessment of staff. g) Serve as primary point of contact for external service providers including independent consultants. h) Facilitate the preparation and reporting of the Division’s Key performance Indicators. i) Strengthen the management of internal control system, to minimize operational surprises and losses. Page 2 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies j) Instil a risk-aware culture that engenders proactive identification and management of risks and opportunities. k) Ensure effective allocation and utilization of resources through a coordinated, and structured approach for risk management. Specific Roles and Responsibilities of the Sub-units under QA Quality Assurance a) Implement quality management systems for improved assurance advisory services and increased customer satisfaction with the GRC Function. b) Identify advisory service areas that do not meet best practice standards and drive improvement of such. c) Carry out continuous monitoring and periodic internal assessment on the level of effectiveness of the activities of the GRC Function, utilizing agreed metrics. d) Deploy periodic surveys, customer satisfaction questionnaires or structured performance feedback meetings with GRC internal customers, to elicit their views on the effectiveness of the GRC Function at least annually. e) Conduct quality assurance review of GRC reviews. Systems and Strategy Page 3 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies a) Ensure the existence and adequacy of policies, standards and procedures covering the activities of GRC and all other processes along NNPC Limited value chain b) Maintain an up-to-date database system for the GRC Function c) Coordinate the development an annual plan highlighting the various activities to be conducted by the department. d) Provide periodic reports to the GRC Function on the status of implementation of the annual plan. e) Coordinate budgeting and financial administrative activities such as training within the GRC Function. f) Oversee the resourcing of staff with the Function, including job rotation and management development programs. g) Develop SMART performance metrics to drive and improve the effectiveness and efficiency of the Function. h) Coordinate the development of standardized policies, procedures, manuals, work programmes and reporting templates to be utilized by the Function in delivering consistent services across NNPC Limited and its subsidiaries. In addition, coordinate periodic reviews of these documents and propose recommendations for process improvement, where required. i) Oversee the staff development, including administration of the performance evaluation and job rotation processes in the Function. j) Recommend relevant training for GRC staff (to HR Division through the Group Head of GRC) to address identified skill gaps and enhance their ability to carry out their functional responsibilities. Page 4 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies k) Oversee the consolidation and preparation of periodic reports to be issued by the Function to senior management, management committees and the Board Audit committee. l) Assist the GRC Function in keeping current on changes and emerging best practices of the profession; undertake research into other emerging issues and opportunities. m) Collaborate with an external assessor (to be decided upon by the Chief Compliance Officer) once every three (3) years to assess the GRC Function within NNPC, in line with the IIA Standards and Nigerian Code of Corporate Governance. 2. Monitoring of GRC Function’s Key Performance Indicators (KPI) The QA Unit shall be responsible for monitoring the KPIs for the GRC. The same shall be reported to GRC leadership annually. The key performance indicators are: People This covers satisfaction, retention, and quality of development of the GRC staff. The KPIs in this section include, but not limited to: a) Staff turnover (relative to other divisions) b) Percentage of certified staff c) Training cost as a % of GRC budget d) Minimum training hours per GRC staff e) Minimum number of GRC staff rotated into the business in one year Page 5 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies f) Minimum number of process owners rotated into GRC in one year g) Minimum number of process owners rotated into GRC in one year Processes This covers the effectiveness of GRC processes in fulfilling its mandate and expectations of its stakeholders. The KPIs in this area include but not limited to: a) % implementation of recommendations that have fallen due b) % implementation of recommendations from external quality assurance (if any) that have fallen due in the quarter c) % of processes within the process universe that are data & analytics enabled d) % of reviews with cycle time from kick-off meeting to issuance of draft report within the threshold of the approved timeline e) % of reviews with cycle time from close-out meeting to issuance of final report within two (2) weeks f) Circulation of quarterly board papers at least one week before Board meeting Plan (Efficiency) This covers the efficiency of GRC processes in achieving the GRC plan within its approved budget. The KPIs in this area include but not limited to: a) % completion of GRC plan Page 6 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies b) Controlled GRC cost per budget Stakeholder Management This covers the ability of GRC to meet the expectations of its stakeholders. Feedback from the Business units should be obtained at least annually via a Customer Satisfaction Survey. The objective of the questionnaire is to obtain feedback from the Business units on the execution of GRC audit/review projects. The survey will be distributed, collected, and analysed by the Quality Assurance and Monitoring Function. The KPIs in this area include: a) Average customer satisfaction score for all processes reviewed during the year b) Board Audit Committee Chairman’s appraisal rating/score of GRC effectiveness (after taking feedback from the GCEO and other members of Board into consideration). Page 7 of 347 NNPC Limited Quality Assurance Processes and Procedures 3.0 Quality Assurance Improvement Program 3.1 Introduction Quality Assurance Improvement Program (QAIP) enables an evaluation of the GRC activity’s conformance with the Definition of Auditing and the International Standards for the Professional Practice of Auditing (Standards) and an evaluation of whether GRC staff apply the code of Ethics 3.2 Objectives The objective of the QAIP process is to ensure: a. The effectiveness of the GRC activity, including consulting engagements, as found in the mandatory elements of the IPPF are continually monitored b. ongoing and periodic internal assessments as well as external assessments by a qualified independent assessment team, are conducted 3.3 The QA Framework The three major elements of the Quality Assurance and Improvement Program are highlighted in the schematic below: 1 Internal Assessment 2 External Assessment 3 Knowledge Sharing and Communication NNPC Limited Quality Assurance Processes and Procedures 3.4 Policy Policies S/N 1. Description Internal Assessment Internal Assessments are quality assurance assessments which shall be conducted by the Internal Quality Assurance team. Internal Assessments may involve one of the following: In-flight (on-going) assessment Post-mortem assessment 1.1 Inflight Assessment: An In-flight assessment refers to internal quality assessments which are conducted during or immediately after GRC assignments. The Quality Assurance team shall conduct internal quality assessment of select GRC assignments according to the annual QA plan or immediately a scheduled review is completed. The main aim of the ongoing assessment is to ensure quality and identify areas for capacity development 1.2 Annual Internal Quality Assurance Review (Post-Mortem) The QA Unit shall conduct an annual self-assessment of NNPC GRC Function to appraise its overall effectiveness and conformance with the IIA Standards at the end of every year. Page 1 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies S/N Description The internal annual self-assessment shall seek to check that: The GRC Function is efficient and effective, taking into consideration compliance with its charter, board and management expectations. The GRC Function is in conformance with the IIA Standards. The QA Unit will take the following into consideration in conducting the annual self-assessment: The outcome of the ongoing internal assessments in line with the annual QA plan The outcome of an annual customer satisfaction survey to be conducted by the QA Team using any suitable platform and deployed to management personnel (Managers and above) across NNPC Limited and its subsidiaries. Alternatively, the results of the Business unit satisfaction survey conducted at end of the audit/reviews contained in the QA plan can be consolidated and used to evaluate the satisfaction of GRC’s stakeholders. Note: The QA team shall consolidate report(s) from ongoing internal assessment of GRC and present the result at the quarterly GRC performance review meetings. 2. QA Planning and Resourcing Strategy Planning Page 2 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies S/N Description The QA Unit shall develop an annual plan for the ongoing internal assessments to be performed within a calendar year and the plan shall define the approximate resources and strategy necessary to accomplish the scope. In developing the QA plan: The QA Unit should seek to ensure that at least one (1) GRC engagement review from each subsidiary and one (1) GRC engagement within each division at the NNPC Limited is selected for quality assurance in each calendar year. The input of GRC management must be considered in this process The afore-mentioned plan is dependent on the activation of the resourcing strategy (contained in the subsequent section) such that there are sufficient personnel to execute the plan. Where this is yet to be activated, one review from each subsidiary and each division at NNPC Limited will be reviewed by QA annually The selection of GRC reviews for purpose of quality assurance shall be risk based. Consequently, high risk processes will constitute majority of the processes to be selected in the QA plan The QA Unit shall draft the annual QA plan during the period for developing the annual GRC plan and consolidated with Page 3 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies S/N Description the overall GRC plan to be presented to the Audit Committee for approval Similar to other elements of the GRC plan, the actual performance of the QA plan against the expected outcome per quarter shall be reviewed and communicated to the Audit Committee in GRC’s quarterly report to the Committee. Resourcing Strategy In resourcing talents for the execution of the QA plan and positioning the QA Unit as a centre of excellence within GRC, the Function shall adopt either of the models below or a combination of both as follows: In-sourcing: In this model, the QA Manager will work in conjunction with the GRC Leadership Team to develop and implement a resourcing strategy that will enable the Group Head of GRC to rotate staff in and out of the QA Unit. The QA staff will be responsible for conducting the quality assurance reviews and implementing the QA plan for the year. Peer-to-peer Review: In this model, an GRC staff will be assigned to the QA review of an GRC assignment executed by another team. This is a Page 4 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies S/N Description temporary arrangement as this does not make the staff a permanent staff of the QA Unit. In safeguarding the objectivity of the appointed QA reviewer, the QA Unit shall give preference to reviewers without conflict of interest in either fact or appearance. This will include a preference for reviewers that have not worked with the team or subsidiary to be reviewed in the last three (3) years. The peer-to-peer model will ultimately enable QA to: bridge any manning gaps serve as a training ground for future leaders within the GRC Function and enlighten them of the quality expected from GRC assignments 3. facilitate knowledge transfer among GRC staff External Assessment The IIA and the Nigerian Code of Corporate Governance require that an external assessment is carried out once every three (3) years for the Audit Function and not the GRC Function. Consequently, the GRC Function may choose to appoint a qualified external assessor to assess and report on its effectiveness every three (3) years or any suitable period of its choosing. Consequently, the external assessment team must demonstrate competence in two areas: the professional practice of Auditing and the external assessment process. Page 5 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies S/N Description For avoidance of doubt, the Internal Assessment components of the Quality Assurance framework shall be carried out continuously between external assessments and its results could be considered by the external assessors based on their discretion. 4. Knowledge Sharing and Communications GRC Performance Review Meetings (Quarterly): Every quarter, members of the QA Unit shall organise a Knowledge Sharing Session (KSS) as a standing agenda item at the GRC performance review meetings. At this meeting, the result of QA reviews conducted within the quarter shall be presented. The QA Unit shall perform root cause analysis into most frequent issues noted from the review of assurance engagements in the Quality Assurance Review tool. The QA Unit shall present recommendations on managing prevalent issues/exceptions documented to prevent External Knowledge Sharing Session: On annual basis, the QA Unit shall also seek an extended KSS with the all staff of the GRC Function. During the extended KSS, the QA Unit will present the trends observed across the QA reviews that have been conducted during the year and recommended improvements. In addition, the QA Unit shall nominate any of the GRC review teams with outstanding quality assurance results, to present an Page 6 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies S/N Description end-to-end view of a completed GRC review. This shall be aimed at the transfer of applicable information to other staff in the GRC Function Capacity Building The QA Unit shall assist in developing the annual training plan for GRC staff. In developing the specific plan (without prejudice to the general Human Resources plan), the Function will consider the: The prevalent issues noted by the QA Unit during the year The skill gaps of GRC staff as contained in their appraisal The competence gaps between the current and target competence requirements to build an GRC Function of the future Input received from GRC Heads overseeing GRC Functions of subsidiaries. The QA Unit shall monitor execution of the approved training plan to ensure that specific trainings are provided to GRC staff to enhance overall quality and effectiveness 3.5 Procedures (Ongoing Assessment) Page 7 of 347 NNPC Limited Quality Assurance Processes and Procedures Procedures S/N Responsible Party Description Job Aid 1. QA Unit QA Checklist Office tools Using the completed QA checklist, fill out and attach all relevant documents which were either prepared or reviewed during the assurance work The Client Satisfaction Survey shall also be considered. 2. QA Unit Quality Assurance Review The NNPC Quality Assurance Review  Office tools tool (see appendix 1) is the key tool designed to aid these checks on the quality assurance. – Results of this variance analysis or check shall be documented in the Quality Assurance Checklist with the next steps for each of the GRC team involved in the reviews. Note: a. The Manager, QA is expected to make inputs into the evaluation of all teams who conducted the various GRC engagements Page 8 of 347 NNPC Limited Quality Assurance Processes and Procedures 3.6Output Input & Output Documents S/N Document Description Completed 1. QA Type Frequen cy Source Recipient Input As QA Team QA required Lead Lead/Mana Checklist QA Team ger Checklist Input Variance Analysis As QA required Manager GRC – The checklist will 2. highlight the gaps noted in ongoing the review and the next steps Quality Assurance Output Quarterly QA Team GRC Report - A report 3. outlining the objectives, scope, approach, conclusions, all Page 9 of 347 NNPC Limited Quality Assurance Processes and Procedures Input & Output Documents S/N Document Description findings Type Frequen cy Source Recipient Output Annually QA Team GRC and recommendation s identified during the performance of the field work and next steps for the GRC team Executive 4. 3.7 Summary KPIs Key Performance Indicators S/N 1. Performance Measure Timeliness execution Basis Measurement of of % of ongoing QA reviews in line with the approved timeline Timeframe Target Per review TBD Page 10 of 347 NNPC Limited Quality Assurance Processes and Procedures NNPC Limited Quality Assurance Processes and Procedures 4.0 5.0 Reporting Framework Introduction Quality Assurance Reporting occurs through formal documentation and the respective meetings with the GRC Function 5.1 Objectives The objectives of QA reporting are: a. to document the outcome of the reviews of the GRC activity b. to effectively communicate the opinion on the quality of review assignment c. to agree action plans to resolve gaps noted during the reviews 5.2 Policy Policies S/N 1. Description Consolidation of In-Flight (Ongoing) Assessments Every quarter, the QA Unit shall present a consolidated report from QA reviews performed within the quarter. The report shall highlight assessment score for each category within the review for each subsidiary as well as a consolidated view of all subsidiaries reviewed within the quarter. In addition, the report shall highlight areas where prevalent issues were noted. The Quality Assurance Review tool shall provide the means for the consolidation. 2. Interpretation of Ongoing Internal Assessment Result NNPC Limited Quality Assurance Processes and Procedures Policies S/N Description At the end of each of the quality assessment conducted by the internal QA Unit, the QA Unit shall arrive at an opinion on the quality of a review assignment The Quality Assurance Review tool will provide a quantitative and standardised approach for assessing the adequacy of the documentation and the quality of the deliverables. A set of criteria has been set out in the tool to enable the QA reviewers arrive at an opinion on the quality of risk and/or compliance review; Below is the opinion for each category of score arrived at: Rating 3. Quantitative Definition Overall Definition Level 1 0-49% Unsatisfactory Level 2 50-74% Major improvement required Level 3 75-94% Minor improvement required Level 4 95-100% Satisfactory Corrective Action Plans Improvement is the aim of every quality assurance review. The entire goal of each review is to arrive at a point where area for improvements are identified to further enhance the effectiveness of the QA Unit. Hence, recommendations are expected to be included in the reviewed Quality Assurance checklist which must Page 1 of 347 NNPC Limited Quality Assurance Processes and Procedures Policies S/N Description have been completed by the GRC team members who carried out the reviews. A date shall be stated in the plan to indicate the timeline within which the agreed action points have been implemented. There is also a high-level – next step indicated in the Quality Assurance Review tool to indicate at a glance, the expectation of the stakeholders, given the result of the assessment. Rating Level 1 Level 2 Level 3 Level 4 Overall Definiti

NNPC Ltd Enterprise Risk Management Processes And Procedures PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue