NNPCL GRC_28-44.pdf

Full Transcript

NNPC Limited ERM Processes and Procedures

Limited. The Board oversees risk management through the Board Audit
Committee.
2. Board Audit Committee (BAC)
The Committee shall:
a) Assist the Board in setting an overall risk culture and appetite at the
top;
b) Assist the Board in overseeing the effectiveness of risk management
and controls through the review of periodic risk management
reports;
c) Discuss risk management philosophy and risk appetite
d) Review the framework for managing risks and recommend to the
Board for approval;
e) Review the propositions of Senior Management to identify potential
risk exposures and direct appropriate actions to be taken by Senior
Management; and
f) Empower the ERM Function

to enable it to discharge its

responsibilities effectively.

3. Management Risk Committee
The Committee shall:
a) Implement an effective risk management system and instil the right
culture throughout NNPC Limited and its subsidiaries for effective
risk governance;
b) Ensure that the internal and external risks relevant to the
organisation have been effectively identified and assessed;
Page 27 of 347

NNPC Limited ERM Processes and Procedures

c) Develop and implement a sound system of internal controls and
mitigating strategies to bring risks within acceptable levels and
threshold limits;
d) Review and validate key risk indicators & threshold limits for
recommendation to the BAC for approval;
e) Evaluate strategic initiatives and management decisions to ensure
that they are within the approved risk appetite;
f) Appoint risk owners for the key risks of the organisation; and
g) Ensure that risk management policies are integrated into NNPC
Limited’s culture
4. Functional Heads
All functional heads will be responsible for the day-to-day identification,
mitigation, management and monitoring of risks within their respective
departments. Specifically, they shall:
a) Adhere to NNPC Limited’s process for identifying and managing
risks to which they are exposed;
b) Identify and report risk events to RM function;
c) Report on associated risk profile and status of risk mitigating
strategies to the ERM Function;
d) Continuously identify, mitigate and monitor risks within their
respective business areas;
e) Implement policies and procedures developed to manage risks; and
f) Manage day-to-day risk exposures by complying with standard
operating policies and procedures.

Page 28 of 347

NNPC Limited ERM Processes and Procedures

Functional Heads as Risk Champions: Functional Heads shall serve as
functional risk champions or appoint champions within their function
who shall perform the following risk management activities:
a) Act as a communication channel between the ERM Function and
risk owners;
b) Educate members of their team on the use of the control selfassessment questionnaires;
c) Drive the implementation of risk mitigation plans within the risk
register for the departments;
d) Conduct risk awareness sessions at departmental meetings;
e) Manage the team’s risk event database and communicate identified
risks to the ERM Function ; and
f) Escalate challenges with risk management efforts within their
departments.

Second Line of Defence – Risk Oversight
The ERM Function s at NNPC Limited and its subsidiaries perform the
following risk management activities:
a) Perform periodic scans of the operating environment for emerging
risks;
b) Develop and implement the necessary tools and templates to embed
ERM across NNPC Limited and its subsidiaries;
c) Maintain and monitor (changes in) NNPC Limited’s risk inventory by
engaging all process owners to identify risks and obtain an enterprisewide view of risks;
d) Foster a corporate risk culture through adequate training and serving
as an internal ambassador and resource centre for ERM;
Page 29 of 347

NNPC Limited ERM Processes and Procedures

e) Facilitate risk assessment and prioritization by management;
f) Coordinate, review and challenge (where necessary) the input received
from risk owners in identifying risks and developing comprehensive risk
registers;
g) Consult with process owners to identify and propose key risk indicators,
threshold limits and mitigating strategies, to the Management Risk
Committees for validation;
h) Periodically facilitate and validate risk and control self-assessments
performed by risk owners, to monitor the operational risk profile and
strengthen the control environment;
i) Periodically monitor and report on risk management to the BAC and
Management Risk Committees. (See Appendix B for details of the Risk
Reporting Framework); and
j) Assist stakeholders in risk management matters and provide periodic
risk advisory services to the business as may be required.

Third Line of Defence – Assurance
1. Audit Function
The Audit function (AF) shall provide independent assurance on the
adequacy and effectiveness of controls in place for managing risks as
well as compliance with policies and procedures.
An external assessment of the ERM function shall be conducted by an
independent third party, as part of the quality assurance review of the
overall GRC function. This should be performed at least once every
three (3) years. Upon separation of the IA Function from GRC, the IA
Function shall conduct independent assurance reviews of the ERM
Function as part of its internal audit plan.
Page 30 of 347

NNPC Limited ERM Processes and Procedures

2. External Audit
The External Audit Function is statutorily responsible to shareholders to
provide an

independent

opinion

on

NNPC

Limited’s

financial

statements. The function shall also report on the adequacy of the NNPC
Limited’s risk management systems.
3. Regulators
Regulators sometimes set and monitor the implementation of specific
requirements

aimed

management

practices

at
for

strengthening
increased

Company-wide

assurance

of

risk

building

a

sustainable enterprise.

5. Risk Management and Stakeholder Relationships
The relationship between the RM and other stakeholders is depicted in the
diagram below:
Board Audit Committee

Rating
Agencies

Reporting
& Analysis

Risk Report

Directives

Business
Information &
Data

Risk report
Internal
Auditors
Enquiries/Au
dit Report
Risk report
External
Auditors
Enquiries/Au
dit Report

Enterprise Risk
Management
Function

Departments

Risk Report &
Risk Analysis

Business
Information &
Data

Ad-hoc
Committees

Page 31 of 347

NNPC Limited ERM Processes and Procedures

4.2 Objectives
To identify the interrelationships that exist between the divisions,
departments and functions that are relevant in the governance of
enterprise risks and its accompanying roles and responsibilities.

4.3 Policies
Policies
S/N
1.

Description
NNPC Limited’s risk governance structure shall be based on the
“three lines of defense” model, which ensures that risk is properly
managed throughout NNPC Limited and its subsidiaries.

2.

The Subsidiary Boards, Management and Subsidiary GRC
function shall replicate the roles and responsibilities defined for
NNPC Limited within their entities

3.

ERM Organisational Structure:
a) The Chief Compliance Officer shall double as the Chief Risk

Officer for NNPC Limited.
b) The Chief Compliance Officer shall report directly to the GCEO

and have direct access to BAC on risk management activities.
c) The Head of Risk Management shall primarily oversee the risk

management activities of the risk management teams at the
Headquarters & subsidiaries, and report directly to the NNPC
Limited Chief Compliance Officer.

Page 32 of 347

NNPC Limited ERM Processes and Procedures

Policies
S/N

Description
d) There shall be GRC function at each subsidiary, headed by a

Subsidiary Executive Director of the GRC. The function shall
report functionally to the NNPC Limited GRC through the Head
of Risk Management on risk management matters. The
Subsidiary Executive Director of the GRC shall also have direct
access to the MD of the subsidiary and the subsidiary Board
through the BAC, in line with leading practices.

Page 33 of 347

NNPC Limited ERM Processes and Procedures

5.0 Enterprise Risk Management Process
5.1

Introduction
This section describes the detailed steps to be adopted in managing
business risks within NNPC Limited and its subsidiaries. The objectives of
the risk management process described in this chapter are:
a) To establish a standard for identifying, assessing, mitigating and
reporting risks across NNPC Limited and its subsidiaries; and
b) To ensure effective and holistic integration of leading risk management
practices across NNPC Limited and its subsidiaries.
NNPC Limited’s ERM process will address four major components as
depicted below.

Risk Management
Process

Page 34 of 347

NNPC Limited ERM Processes and Procedures

5.2

Risk Identification
The aim of risk identification is to generate a comprehensive list of all the
relevant risks that could influence the achievement of its business and
strategic objectives. Regular risk identification is imperative to the success
of the risk management process as it ensures the inclusion of emerging
risks for consideration.

Objectives
To identify all key risks and opportunities that could potentially have an
impact on the organisation’s objectives.

Policies
S/N
1.

Description
Management shall put systems in place to ensure that enterprise risks
are reviewed at least annually and on a continuous basis.

2.

The risk identification activities shall consider existing and emerging
risks to ensure adequate coverage of all risks that may impact our
strategic objectives and operations.

3.

The ERM Function shall validate all identified risks with Management
to ensure accuracy and completeness

4.

All identified risks shall be documented and such documentation shall
include key information including at a minimum, the nature of the risk,

Page 35 of 347

NNPC Limited ERM Processes and Procedures

Policies
S/N

Description
the source of identification, the root causes, and historical or potential
ways the risks impact NNPC limited

Procedures
S/N

Responsibl
e Party

1.

ERM

For projects: Gather and review
information on project risks through
the review of:

Function/
Heads

of

Departmen
ts

Description

a) Quality and Risk management plan
b) Cost management plan
c) Schedule management plan
d) Scope baseline

 Proactive
feedback from
process owners
on identified
risks.
 Documentatio
n Reviews

f) Stakeholder register

 Brainstorming

h) Project charter
i) Feasibility study, etc.
ERM
Function

 Administering
questionnaires
and surveys.

e) Activity cost and duration estimates

g) Procurement document

2.

Job Aid

 SWOT Analysis
 Workshops
 Risk
Questionnaires

Develop and agree objectives for the risk  Email
identification process.
 Office Tools

Page 36 of 347

NNPC Limited ERM Processes and Procedures

Procedures
S/N

Responsibl
e Party

Description

Job Aid

3.

ERM

Gather and review information on



Function

existing and emerging risks. The process

with the

will involve performing any of the

support of

following activities:

the process

interview
sessions.


/Workshop.

owners
scanning/market 

intelligence analysis.
c. Review

of

process

Administerin
g

maps

questionnaire

and/or

s and surveys.

process documents.

d. Analysis of internal and external audit

Proactive
feedback

reports.

from process
owners on

e. Review of risk event reports.

identified

f. Benchmarking against industry
leading practices.

Focus group
discussions

a. Review of industry trends and data.
b. Environmental

One-on-One

risks.


Documentati
on Reviews



Brainstormin
g



SWOT
Analysis



Workshops

Page 37 of 347

NNPC Limited ERM Processes and Procedures

Procedures
S/N

Responsibl
e Party

Description

Job Aid


Risk
Questionnair
es

4.

ERM
Function

For projects: Gather and review
information on project risks through
the review of:
a. Quality and Risk management plan



on Reviews


d. Scope baseline





i.

Feasibility study, etc.

Interviews/W
orkshops



Risk
Questionnair
es



Root Cause
Analysis

g. Procurement document
h. Project charter

SWOT
Analysis

e. Activity cost and duration estimates
f. Stakeholder register

Brainstormin
g

b. Cost management plan
c. Schedule management plan

Documentati



Checklist
Analysis



Assumption
Analysis



Expert
Opinion

5.

ERM

Review, analyse and aggregate risks  Brainstorming

Function

identified from various risk identification
Page 38 of 347

NNPC Limited ERM Processes and Procedures

Procedures
S/N

Responsibl
e Party

Description

with

activities. This will involve streamlining

support of

duplicated risks and categorising risks

the risk/

appropriately.

process
owner

Job Aid

The following categories can be used for
categorisation:
Category

Definition

External

Risks

that

events

arise

from

outside

the

Company’s control that
can impact the business.
Risks in this area include
policy

and

regulatory

uncertainty

risk,

and

equipment

loss

and

vandalism risk
Strategic

Internal risks associated
with

the

Company’s

business
corporate

model,
strategy and

long-term planning. Risks
in this area include weak
governance

and

corporate culture risk and
Page 39 of 347

NNPC Limited ERM Processes and Procedures

Procedures
S/N

Responsibl
e Party

Description

Job Aid
ineffective

alliance

&

partnership risk
Operation
al

Risks derived from the
Company’s core business
practices

and

support

processes, which rely on
systems,

practices,

and

people. Within this risk
domain are technical loss
risk,

network

infrastructure

risk

and

business continuity and
disaster recovery risk
Financial

Risks associated with the
Company’s ability to raise
capital, maintain access
to

capital,

contracting

issues, cost of risk and
evaluating

vendor

support. Risks in this area
include credit/ collection
loss

risk,

funding

and

liquidity risk

Page 40 of 347

NNPC Limited ERM Processes and Procedures

Procedures
S/N

Responsibl
e Party

Description

6.

ERM

Populate the risk register and map the  Documentatio

Function

risks to the relevant business process.

ERM

Validate the risks with the process  Interviews

Function

owners and other key stakeholders.

7.

Job Aid

n

with
support of
the risk/
process
owner
8.

ERM

Consolidate the risks identified across  Documentatio

Function

NNPC Limited and its subsidiaries on the

n

risk register.

Input & Output Documents
S/N

Document
Description

Type

Frequen
cy

Source

Recipient

Input

As
required

Process
owners

ERM Function

1.

Process
documents
strategy

Output

As
required

ERM
Function

ERM Function

2.

BUD

and

Page 41 of 347

NNPC Limited ERM Processes and Procedures

Input & Output Documents
S/N

3.

Document
Description

Risk Universe

Type

Output

Frequen
cy

Source

Recipient

As
required

ERM
Function

ERM Function
and Process
Owners

Key Performance Indicators
S/
N
1.

2.

Performance
Measure

Basis
Measurement

of

Frequency of
enterprise risk
identification

Number
enterprise
identification

Frequency of
functional risk
identification

% of functional risk
identifications
conducted

of
risk

Timeframe

Target

Annually

Minimum of one

Annually

TBD

Page 42 of 347

NNPC Limited ERM Processes and Procedures

Page 43 of 347