Summary

This document details the risk assessment approach used by NNPC Limited. It outlines the criteria for assessing risk likelihood and impact, and describes the risk ranking process.

Full Transcript

NNPC Limited ERM Processes and Procedures 5.3 Risk Assessment Introduction NNPC Limited’s risk assessment approach aims at measuring the level of identified risks relating to its business processes. Basically, this would involve a careful examination of risks, their causes, their mitigating contro...

NNPC Limited ERM Processes and Procedures 5.3 Risk Assessment Introduction NNPC Limited’s risk assessment approach aims at measuring the level of identified risks relating to its business processes. Basically, this would involve a careful examination of risks, their causes, their mitigating controls, their likelihood of occurrence and their impact if they crystallise. In assessing/ranking identified risks, NNPC considers the following factors: The likelihood that the risks will occur, considering the effectiveness of – controls in place; and The magnitude of the impact of the risks if they occur, considering the – effectiveness of controls in place A. Risk Ranking Criteria: Likelihood This is a measure of the probability that a risk may occur in the near future. The likelihood ranking criteria for NNPC Limited and its subsidiaries as at the time this manual was developed is given below: Scale Likelihood Factor Frequency Indicator (3 years) Event is most likely to 5 Almost Certain occur in circumstances most at 90 - 100% least once in every 3 years 4 Likely More than an even chance of occurring 65 - 89% Page 44 of 347 NNPC Limited ERM Processes and Procedures Scale Likelihood Factor Frequency Indicator (3 years) at least once in every 3 years An even chance of 3 Possible occurring at least 40 - 64% once in every 3 years Small likelihood but 2 Unlikely could happen at least 20 – 39% once in every 3 years Not 1 Rare expected to happen – event would 1 – 19% be a surprise B. Risk Ranking Criteria: Impact 1. Non-Financial Impact This is the potential non-financial consequence of an event/risk occurring if a risk were to crystallise. The impact criteria for NNPC Limited is as follows: Page 45 of 347 NNPC Limited ERM Processes and Procedures 1 2 (Minor) 3 (Moderate) 4 (Major) 5 (Extreme) (Insignificant) Event will have Event will Event no noticeable have impact on:  Strategy/bu siness   will extreme impact on:  minimal moderate significant impact on: impact on: impact on: Strategy/business model Market share model business siness Regulatory Market model model   Market  Market ness model Regulatory share share compliance  Regulato  Regulatory (e.g.fines, ry compliance litigations) complian Retention ce of fines, senior/expe litigation rienced s) senior/exper Key alliances Retentio ienced staff and  (e.g.  d staff  Key alliances and senior/experi  Continuity ence d staff business Key senior/ex alliances and perience and partnership d staff partnership Key s alliances  Continuity of senior/experience fines, litigations) Retention Retention alliances and (e.g.  partnerships n of  compliance (e.g. fines, litigations) Retention of Key s compliance litigations) of   Market share Regulatory (e.g. fines, have have Strategy/bu Strategy/busi  staff  have will Event Strategy/  share  will Event operations  HSE matters partnerships Continuity of business operations HSE matters of Page 46 of 347 of NNPC Limited ERM Processes and Procedures 1 2 (Minor) 3 (Moderate) 4 (Major) 5 (Extreme) (Insignificant)  Continuity partners business of business hips operations Continuit  HSE matters operations   HSE y of matters business operatio ns  HSE matters Require the Require the Require attention of lower management attention of Require Heads of the involvement attention of Department Senior within the Management of the Top Require the specific Managemen intervention of the t Committee shareholders and Board Business Units Minimal or no media attention expected Prominent Short-term Short-term national or Sustained local media national media international international media attention attention media attention attention 2. Risk Ranking Criteria: Financial Impact Page 47 of 347 NNPC Limited ERM Processes and Procedures This is the potential financial consequence of an event/risk occurring if a risk were to crystallise. The impact criteria for NNPC Limited is as follows: Scale Financial 1 2 3 4 Minor Moderat Major 5 paramet er Insignifi cant Extreme e Financial Impact Total Less Between Between Between Greater Asset (N) than xx% xx% impact xx% and xx% than xx% and xx% xx% and xx% impact impact impact impact C. Risk Prioritisation and Ranking The level of risk is a combination of the likelihood of occurrence and the magnitude of impact. The combination of these criteria produces the risk map, which is an illustration of the level of risk. These levels are either high, medium or low as earlier described. See the diagram below: Page 48 of 347 NNPC Limited ERM Processes and Procedures Extreme 5 M M H H H M H M M H M M M M D Impact Major 4 Moderate 3 Minor 2 Insignificant 1 M M L M E L L M LF L L Unlikely 2 Possible 3 Rare Key: High B 1 Medium Low A H C Likely 4 Almost Certain5 Likelihood Risk Example Notes: a) High risks, in the areas marked “H” on the risk map, are risks that may materially influence the achievement of NNPC Limited’s business and strategic objectives. These risks require the active attention and involvement of the Board and Senior Management to ensure that it’s properly mitigated or exploited. The source of these risks must be identified, understood and positive actions executed to treat or remove them. b) Medium risks, in the areas marked “M” on the risk map, are risks that may influence the achievement of NNPC Limited’s short-term business and strategic objectives. Depending on the objective they affect, these risks may require the attention of the Board or Senior Management. Page 49 of 347 NNPC Limited ERM Processes and Procedures Generally, middle management staff can mitigate or exploit them. c) Low risks, in the areas marked “L” on the risk map, occur in the normal course of business. They usually have negligible influence on the achievement of NNPC Limited’s business and strategic objectives. Middle level management can generally mitigate or exploit these risks. d) A, B, C, D, E and F are risks plotted on the heat map based on the assessed likelihood and impact. D. Control Assessment a) Where the level of inherent or gross risk is evaluated (i.e. assessing risks without considering controls), NNPC Limited may assess the effectiveness of controls in place by conducting a control assessment to enable us determine the level of residual risk. b) The aim of a control assessment is to assess and validate the effectiveness of the controls designed by management to mitigate the identified risks. These controls need to be identified clearly and their effectiveness assessed, as risks not subject to effective controls may result in catastrophic consequences. c) Each participant in the control assessment session shall consider the following questions as it relates to each inherent risk under consideration. 1. Are all appropriate controls present? 2. Does the control address the risk effectively? 3. Is the control officially documented and communicated? 4. Is the control reviewed by anyone independent of the person Page 50 of 347 NNPC Limited ERM Processes and Procedures performing the control procedure? 5. How reliable are the reports from the process? 6. How competent are the personnel managing the risk? 7. How effective and reliable are the resources used? d) A description of control effectiveness is given below: Control Rating Description Poor The control measures in place are ineffective Fair There is room for some improvement Good Majority of risk exposure is effectively controlled and managed Very Good Risk exposure is effectively controlled and managed Objective Risk assessment is conducted to undertake risk evaluation so as to make decisions about the significance of risks to organization and whether specific risks identified should be accepted or treated. Policies S/N 1. Description Risk Assessment Page 51 of 347 NNPC Limited ERM Processes and Procedures Policies S/N Description Desktop-based assessment – this involves identifying key risk indicators (KRIs) for each risk, setting thresholds for these KRIs and monitoring them on a (daily, weekly, monthly etc.) basis. Business process owners and the Risk Management Division would use this approach for assessing risks within their line of sight. 1. Facilitated workshops – this involves holding facilitated workshops with process owners to discuss and evaluate the likelihood and impact of the occurrence of the identified risks. 2. Structured interviews – this involves holding one-on-one discussions with relevant personnel to obtain their opinion on its risk exposures. This approach would be adopted where it is difficult to convene a workshop. 3. Questionnaires – this involves developing and administering a structured manual/electronic questionnaire to key personnel to obtain their opinion on the likelihood and impact of a risk. This approach would be adopted where the people required are in diverse locations and there is limited time available for the exercise. 2. The ERM Function in collaboration with business and risk owners, shall define the criteria for assessing risks at the individual subsidiary. Page 52 of 347 NNPC Limited ERM Processes and Procedures Policies S/N 3. Description The parameters for risk assessment criteria shall be reviewed on an annual basis for continued relevance e.g. due to changes in the Company’s risk appetite or change in financial profile. Procedures S/N Responsibl e Party Description Job Aid 1. ERM Establish and agree the criteria for  Interview Function assessing risks.  Feedback from Risk owner ERM Determine and agree the  Interview Function appropriate risk assessment with the approach to adopt. and Risk owner 2. support of Risk owner 3. ERM Determine, invite and provide Function instructions to the participants on and Risk the risk assessment approach. owner  Risk assessment briefing presentatio n/pack Page 53 of 347 NNPC Limited ERM Processes and Procedures Procedures S/N Responsibl e Party Description Job Aid 4. ERM Obtain consensus on the identified Function risks and the assessment criteria and Risk with the participants.  Risk assessment workshop owner 5. ERM Conduct risk assessment: Function a) Assess the impact and likelihood and Risk owner  Risk assessment workshop of identified risks; b) Identify key controls and mitigation activities associated with the identified risks; c) Evaluate the effectiveness of identified key controls and mitigation activities; d) Rank the residual risks from high to low; and e) Develop a risk map. Input & Output Documents S/N Document Description 1. Risk assessment pack Type Input Frequen cy Source Recipie nt As Required ERM Function Risk Owners Page 54 of 347 NNPC Limited ERM Processes and Procedures Input & Output Documents S/N 2. Document Description Type Risk heat map Output Frequen cy As Required Source ERM Function Recipie nt Board & Executi ve Manag ement Key Performance Indicators S/ N 1. Performance Measure Basis Measurement Accuracy assessment reports Number of material errors, omissions, and misrepresentations in the assessment reports. of of Timeframe Target As required TBD Page 55 of 347 NNPC Limited ERM Processes and Procedures Page 56 of 347

Use Quizgecko on...
Browser
Browser