NNPCL GRC_Risk Monitoring.pdf

Full Transcript

NNPC Limited ERM Processes and Procedures

5.5

Risk Monitoring and Reporting
Introduction
Risk monitoring involves the re-evaluation of all risks recorded on the risk
treatment plan to ensure that the current assessment remains valid.

Objective


To keep track of the risks that occur and the effectiveness of the
responses which are implemented by an organization.



The objective is to enable decision-makers to regularly evaluate risk
management performance.

Policies
S/N
1.

Description
Risk monitoring and review shall form part of NNPC Limited and its
subsidiary normal management reviews and shall be performed
either daily, weekly, monthly, quarterly, half-yearly or

yearly

depending on the type and nature of the risks.
2.

The following aspects of risk management shall be monitored:

1. Status of mitigation plans
The status of implementation of mitigation strategies agreed to
prevent risks or lower them to acceptable limits shall be monitored
periodically.

2. Key risk indicators (KRIs)

Page 66 of 347

NNPC Limited ERM Processes and Procedures

Policies
S/N

Description
Key risk indicators are metrics to be used in providing early signals
of increasing risk exposures in various areas of NNPC Limited and
its subsidiaries. A threshold limit shall be defined for each KRI. The
KRIs shall be periodically monitored against their threshold limits.

3. Risk and control self-assessment (RCSA)
The RCSA is a repository of applicable controls designed to address
operational risks within the business. The process owners shall be
required to periodically attest to compliance with the controls and
the result shall be validated by the RM function.

4. Risk register review
The risk register is a comprehensive record of all risks within NNPC
Limited. The document shall be maintained by the Risk
Management Division. The risk register may be maintained in MS
Excel or in applicable risk management software/ERP system.
Regardless of the form taken, the risk register would at a minimum
capture the following information:

a) Description of risk;
b) Type of risk;
c) Likelihood and impact of risk on NNPC Limited and its
subsidiaries;

d) Level of risk;
e) Mitigating controls; and

Page 67 of 347

NNPC Limited ERM Processes and Procedures

Policies
S/N

Description

f) Risk owners.
5. External risk review
There shall be periodic examination of the environment for
emerging risks within the NNPC Limited’s sphere of operation. This
shall be done by performing a thorough scan and analysing all
relevant risk factors that may directly or indirectly impact NNPC
Limited’s objectives.

6. Risk events
This is a review of the risk incidents that have occurred within the
various business units within NNPC Limited and its subsidiaries.
The risk event documentation shall in the minimum contain
description of event, root cause, severity of impact and summary of
action plan.
3.

A reporting framework shall be developed and maintained by the
ERM Function, detailing the risk reports to be generated, the
frequency and the recipients.
(Please see Appendix B for a reporting framework which can be
periodically updated to reflect changes in the business or additional
information required by the management of NNPC Limited).

4.

Risk progress reports shall be generated by the ERM Function to
assess the adequacy and completeness of the risk management
process.
Page 68 of 347

NNPC Limited ERM Processes and Procedures

Policies
S/N
5.

Description
Every support unit of the Company shall conduct a detailed risk and
control self-assessment for all its processes on an annual basis.

Procedures
Responsibl
e Party

Description

Job Aid

1.

ERM
Function
and Risk
Owner

Determine qualitative and quantitative
risk information to be monitored and
reported.

Office tools

2.

ERM
Function
and Risk
Owner

Establish indicators, triggers and
standards for tracking, capturing and
monitoring risk information.

Office tools

3.

ERM
Function

Establish a centralised risk management NA
system to identify, value, and capture
risk information.

4.

ERM
Function

Establish and agree risk monitoring and

ERM
Function

Establish and agree risk escalation NA
procedures including the following:

S/N

5.

Office Tools

reporting responsibilities.



Frequency and format for reporting.



Triggers to prompt management

Page 69 of 347

NNPC Limited ERM Processes and Procedures

Procedures
S/N

Responsibl
e Party

Description

Job Aid

actions.
6.

ERM
Function

Establish process for continuous risk NA
monitoring.

7.

ERM
Function
and Risk
Process
Owner

Define key risk indicators and assign NA
accountability and responsibility for the
risks.

Input & Output Documents
S/N

1.

Document
Description

Type

Frequen
cy

Risk
Tool

Input

Quarterly ERM
Function

ERM
Function &
Risk Owner

Output

Quarterly ERM
Function

Board
&
Executive
Manageme
nt

Monitoring

Risk Report
2.

Source

Recipient

Key Performance Indicators
S/
N

Performance
Measure

Basis
Measurement

of

Timeframe

Target

Page 70 of 347

NNPC Limited ERM Processes and Procedures

Key Performance Indicators
1.

2.

Timeliness
Board
reporting

Accuracy
reporting

of

of

Circulation
quarterly
papers

of
board

Number of material
errors,
omissions,
and
misrepresentations
in the report.

Quarterly

At least one
week before
Board
meeting

Quarterly

TBD

Page 71 of 347

NNPC Limited ERM Processes and Procedures

Page 72 of 347