Example of Enterprise Risk Management Policy

1. Foreword

Enterprise risk management (ERM) is described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes-Oxley Act, data protection and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny of the risk management processes of companies.

For this reason, ERM aggregates and manages risks at a portfolio level, providing a comprehensive perspective of risk throughout the enterprise, and aligning risk management to the corporate strategy. This helps the company to make informed decisions, to set priorities, and to optimize the balance between risk and return.

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances related to the organization’s objectives (threats and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ABCD’s value chain businesses by nature manage risks and have a variety of existing departments or functions (“risk functions”) that identify and manage particular risks. However, each risk function varies in capability and how it coordinates with other risk functions. A central goal and challenge of ERM is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization’s ability to manage the risks effectively.

This document focuses on highlighting the standards of Enterprise Risk Management with the definition of risk, risk management and the enterprise risk management applicable to ABCD. A comprehensive gap analysis has been conducted in order to find out the definitions as well as international standards and frameworks that are published and used by present-day decision makers in the risk management arena.

After a gap analysis conducted between the leading international standards COSO and ISO, we found that ISO 31000:2018 provides more strategic direction compared to its previous version as well as COSO, and places more emphasis on the involvement of senior management in risk management and on the integration of risk management into the firm’s decision-making process.

To evaluate the ERM standards applicable to ABCD, ISO 31000, COSO and a recognized format are necessary. The GROUP COMPANY published a highly regarded guide to the format for management system standards. Overall, GROUP COMPANY ERM provides detailed guidelines on the plan, implement, measure and learn features of a risk management system, but less explicit information on the context, leadership and support features required of a management system standard.

2. Introduction

ABCD’s ERM Policy is based upon and is in line with GROUP COMPANY’s Enterprise Risk Management guidelines, and elements from both frameworks have been incorporated into this policy. The policy is consistent with ABCD’s strategic objectives and business environment, as well as aligned with GROUP COMPANY’s ERM requirements. Managing risk is iterative and assists ABCD in setting strategy, achieving objectives and making informed decisions.

Managing risk is part of governance and leadership, and is fundamental to how ABCD is managed at all levels. It contributes to the improvement of management systems.

Managing risk is part of all activities associated with GROUP COMPANY and Sister Companies and includes interaction with stakeholders.

Managing risk considers the external and internal context of ABCD, including human behavior and cultural factors.

Managing risk is based on the principles, framework and process outlined in this document, as illustrated in Figure 1. These components might already exist in full or in part within ABCD; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent. The importance of adequate risk management draws the need for periodic review and updates of this policy. The ERM Policy is reviewed annually and updated based on any possible changes in the standard.

3. Scope

This Enterprise Risk Management (ERM) Policy defines all key elements of ABCD’s ERM practices at a high level and these elements include, as a minimum, context and objectives; strategies through its risk statements; processes; and, governance structure via a high-level description of roles and responsibilities. This document provides standards and guidelines on managing risk faced by ABCD. The application of these guidelines can be customized to any ABCD and its context. This document provides a common approach to managing any type of risk specific to ABCD. This document can be used throughout the life of ABCD and can be applied to any activity, including decision-making at all levels.

4. Strategy

As part of GROUP COMPANY ERM Strategy, ABCD works with GROUP COMPANY and Sister Companies to implement risk management best practices in all activities related to GROUP COMPANY businesses. The GROUP COMPANY ERM Strategic Initiatives are:

  • Enhance corporate-wide risk culture, awareness, and know-how of risk management.
  • Demonstrate management commitment by effectively enforcing risk management in the decision-making process throughout GROUP COMPANY and maximize its integration.
  • Develop a highly skilled and motivated ERM workforce.
  • Enhance and support the ERM eminence building program and promote the global presence of GROUP COMPANY as a leader in ERM.

5. Definitions

For the purposes of this document, the following terms and definitions apply.

  • Consequence – outcome of an event affecting objectives. A consequence can be certain or uncertain and can have positive or negative direct or indirect effects on objectives. Consequences can be expressed qualitatively or quantitatively. Any consequence can escalate through cascading and cumulative effects.
  • Control – measure that maintains and/or modifies risk. Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain or modify risk. Controls may not always exert the intended or assumed modifying effect.
  • Enterprise Risk Management (ERM) – a structured and disciplined risk management approach integrated with strategy, process, people, technology, and knowledge with the purpose of continually evaluating and managing risks to business strategies and objectives on an enterprise-wide basis.
  • ERM Program – the processes, framework, roles and responsibilities used by ABCD for the management of enterprise risk.
  • Event – occurrence or change of a particular set of circumstances. An event can have one or more occurrences, and can have several causes and several consequences. An event can also be something that is expected which does not happen, or something that is not expected which does happen. An event can be a risk source.
  • Key Group Risks – the risks that ABCD as a whole considers to be above ABCD’s tolerance threshold (very high risks). These key group risks are to be monitored on a company level. It is expected that these risks will change over time. Key Group Risks are documented in the Risk Register.
  • ABCD Business Unit – a corporate function within ABCD, such as Internal Audit, Corporate Finance, Legal, etc.
  • GROUP COMPANY Subsidiary – a subsidiary company of GROUP COMPANY, such as Sub 1, Sub 2, etc.
  • Likelihood – chance of something happening. “Likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
  • Opportunity – the possibility that an event will occur and positively affect the achievement of objectives.
  • Risk – the possibility that an event will occur and adversely affect the achievement of objectives, especially as relates to ABCD’s ability to achieve its business objectives as defined by the 2040 Plan. Risk is described in terms of its likelihood of occurrence and potential impact or magnitude. Categories of risk are defined in the Risk Definitions section of this document.
  • Risk Aggregation – quantitative approach to risk where a firm looks to measure multiple types or sources of risk collectively.
  • Risk Appetite – Articulation of choice and breadth of risks ABCD is willing to accept in pursuit of value for the company. ABCD and Business Units’ Risk Appetite guides resource allocation within the corporation and each Business Unit. ABCD management allocates resources across Business Units with consideration of the entity’s Risk Appetite and Business Units’ strategy for generating a desired return on ABCD and its Business Units’ investments.
  • Risk Assessment – the process by which ABCD and its subsidiaries consider how potential events and resultant risks might affect the achievement of its company objectives. ABCD assesses events from the perspectives of likelihood and impact. Risk assessment includes identification of three risk elements: risk factors (root causes), risk events, and the consequences of the risk event.
  • Risk Capacity – amount of aggregated risk the company is able to take while meeting obligations to its stakeholders (or without causing financial distress) whilst ensuring long-term stability.
  • Risk Governance – the risk-related roles and responsibilities among various constituent groups such as stakeholders, board members, management and employees, and the rules and procedures for making risk-related decisions. ABCD’s stakeholders and influential parties have a number of risk-related roles and responsibilities that will evolve from year to year.
  • Risk Mitigation/Risk Treatment – actions or decisions by management that will change the status of a risk. Management alternatives include retaining the risk (either completely or partially), avoiding the risk (by withdrawing from or ceasing the activity), reducing the likelihood (by designing and implementing controls), reducing the impact (by emergency or crisis response), and/or transferring the risk (by outsourcing, insurance, etc.).
  • Risk Profile – the results of any Risk Assessment, assembled into a consolidated view of the significant strategic, regulatory, financial and operational risks inherent in a project, line of business or across the corporation.
  • Risk Register – the systematic listing of risks for each Subsidiary and Business Unit of ABCD, as well as the risks common across the corporation. This includes the individual risks for each Subsidiary and Business Unit as well as the Key Group Risks.
  • Risk Tolerance – the acceptable level of variation relative to the achievement of ABCD’s Strategic Directions and is the set of quantitative parameters derived from the risk capacity and appetite, and focusing on selected areas, to serve as guidelines on corporate decision-making.

6. ABCD Risk Appetite & Risk Tolerance

ABCD was established to ………………………. Considering the nature of ABCD’s business environment, ERM plays an important role in supporting ABCD in achieving its strategic goals and objectives.

ERM will help ABCD to manage the challenges and threats that could affect these objectives, and to better exploit opportunities in pursuit of the company’s strategic objectives. This is in alignment with GROUP COMPANY’s ERM mission, “to embed enterprise risk management into GROUP COMPANY’s & subsidiaries’ business and influence ERM practice with our business partners to ensure the optimal balance of risk and reward whilst pursuing our objectives.”

ERM at ABCD adopts a structured approach to managing risk through defined risk capacity, risk appetite and risk tolerance statements which help ABCD achieve its objectives. The relationship between risk capacity, risk appetite and risk tolerance is illustrated in the diagram below:

Risk Capacity

Risk capacity is the amount of risk that ABCD is able to bear without financial or other distress (consequence of its financial situation and other commitments). ABCD assesses its capacity to bear risks both in terms of its crude and gas production; and, financial performance (cash flow). ABCD’s financial relationship is such that all operating and capital costs are reimbursed as incurred, which is expected to continue for the foreseeable future. Nevertheless, ABCD shall use the value created in its business activities to determine its risk bearing capacity as defined herewith:

  • Production levels (and hence production capacity and reliability) in a normal operating environment:
    • can with certainty (100% confidence) meet its share of the oil sector obligation to meet the internal energy demand
    • can deliver with 95% confidence the forecast production of the 5-year plan
  • Financial risk is assessed using the cash flow at risk methodology (complemented by stress testing to assess impact of rare events, i.e., tail events). It will operate so as to maintain a high level of confidence that it can:
    • meet its agreed share of the value contribution to GROUP COMPANY and the State
    • ensure the value creation is sufficient to service the on-going investment after meeting State’s requirements
    • service its financial obligations as they become due (i.e., meet cash calls)

In this context, ‘high level of confidence’ means with 95% probability over any rolling 5-year period. Exceptional variations may only occur under specific circumstances (in any case not more than once in 20 years).

Evaluation of risk capacity for extreme events (e.g., war, significant global economic disruptions) will follow the same pattern (i.e., production capacity, financial terms) but will be assessed based on stress testing and scenario analysis.

Risk Appetite

ABCD risk appetite will be the amount of risk the company is willing to accept in pursuit of value for the company. Risk appetite is an essential component of ERM, as it provides the high level target for the amount of risk that the company should take.

Company activities should be conducted in accordance with the company’s risk appetite, so that the amount of residual risk is in line with expectations. ABCD’s risk appetite aligns to GROUP COMPANY’s risk appetite classification.

The following is ABCD’s Risk Appetite Statement:

  1. Unacceptable Risks: Risks that ABCD is not distinctively advantaged to manage or finds it unethical to be exposed to and hence bears no appetite for these risks. Typical actions ABCD will take for these risks are to avoid being involved in activities bearing such risks, or mitigate these risks to the extent reasonable, when they cannot be avoided.
    • Political and stakeholder risk: ABCD seeks to avoid any reputational risk that could affect either itself or GROUP COMPANY.
    • Operational risk: ABCD actively seeks to avoid liability and HSSE (Health, Safety, Security & Environment) risks, and invests to avoid these risks whether or not it gains financially by doing so. ABCD closely monitors the FAR (Fatal Accident Rate) and the LTI (Lost Time Injury) rates and compares them to industry averages.
  2. Acceptable risks within defined tolerance limits: Risks integral to ABCD’s business model that ABCD is advantaged to manage, and is willing to be exposed to provided they remain within set tolerance limits. ABCD will manage these risks to remain within set tolerance limits. ABCD will reduce or cap relevant business activity if risks cannot be managed adequately.
    • Project risk: Designing and executing projects is a core part of ABCD’s business; however, ABCD will actively manage project risk to minimize delays and cost overruns.
    • Market risks: ABCD accepts to be exposed to most market risks inherent in the oil and gas business, in particular crude and gas prices, to the extent they remain within set tolerance limits.
    • Operational risk: ABCD seeks to optimize operational efficiency (e.g., minimize downtime and outages).
  3. Risks taken but no tolerance limit defined: Risks integral to ABCD’s business model which are difficult to control. As a consequence, ABCD has no set tolerance limits for these risks; however, it will engage with and influence stakeholders to manage these risks as relevant and may seek relief from GROUP COMPANY to the extent risk limits its ability to manage the business (e.g. capital funding):
    • Market/Financial Risk: ABCD has not set tolerance limits on risks such as correlation of crude and gas prices and KD/USD exchange rate.
    • Counterparty Risk: ABCD has not set tolerance limits on risks related to its partners.
    • Extreme events: ABCD has to accept that it is exposed to extreme events. For such events ABCD will develop stress scenarios to define its appetite.

A table depicting ABCD’s aggregated risks according to its risk appetite classification is appended below.

Risk Tolerance

Risk Tolerance refers to the ability of an organization to accept or withstand risk from a given source or event. It represents a threshold or measurement and it is defined as the economic and operating sensitivity the organization has to risk. ABCD’s risk tolerance is the acceptable level of variation relative to the achievement of the company’s strategic objectives. It is the choice of overall level of acceptable risk-taking for ABCD in pursuit of its objectives and never more than its risk bearing capacity. ABCD’s risk tolerance statement is derived based upon its risk bearing capacity and risk appetite.

The following is ABCD’s Risk Tolerance Statement:

  • Limits on individual risks: ABCD will set risk tolerance limits for all risks which require such limits, as defined in the risk appetite section. ABCD will continuously monitor these risks against the set limits and ABCD’s cash flow, and intervene as needed.
    • ABCD will limit the impact of project delays. For domestic political influence risk (approval delay), the cash flow tolerance limit is set at 10%; and, for execution delay risk, it is at 5%.
    • ABCD delegates monitoring of crude and gas price volatility to GROUP COMPANY International Marketing. At the same time, ABCD monitors its production costs based on the volatility of the crude and gas price. The crude and gas price volatility risk tolerance limit is set at 25%.
    • ABCD will limit the impact of operational risk and the tolerance limit is set at 2%.
    • ABCD will limit the impact of technology risk and the tolerance limit is set at 0.5%.
  • Extreme events: ABCD assesses its cash flow and production capacity against extreme event scenarios and develops mitigation plans to reduce these risks to levels as low as reasonably possible.

Risk Taxonomy

ABCD establishes a common language for risk to promote effective communication. A risk taxonomy is a common structure for describing the categories and subcategories of risks, as well as the tools, metrics, and strategies for risk management.

  • A taxonomy is useful for breaking the universe of risk down into manageable components that can then be aggregated for exposure measurement and reporting purposes.
  • The development of a taxonomy is not a one-off process. It should be iterative and reflect the dynamic and changing nature of the business.
  • The process of creating a risk framework specific to ABCD’s risk profile generally starts with a generic template which can then be further refined.
  • The categories are likely to decrease in number as some are eliminated or combined with others after the identification phase. Once defined, the risk framework can serve as the primary organizing principle for data collection and subsequent analysis.

Risk Categories

  • Credit – risk arising from inability of a counterparty to meet a payment or delivery commitment
  • Environmental – risk arising from noncompliance with local, regional, or federal environmental laws or regulations
  • Financial – risk arising from deviation of business financing costs from original estimates
  • Health and Safety – risk arising from lack of or noncompliance with health and safety regulations, policies, or procedures
  • Human Resources – risk arising from inadequate human resources or inappropriate use of available resources
  • Information Systems – risk arising from inadequate information technology resources or inappropriate use of available resources
  • Legal – risk arising from contracts or other arrangements that are not enforceable through available means
  • Market – risk arising from unexpected changes in market supply, demand, or price
  • Model & Validation – risk arising from incorrect assumptions or data, or the inappropriate application of a model
  • Operational (Asset Failure) – risk arising from inadequate physical infrastructure
  • Operational (Process Failure) – risk arising from inadequate risk control or failure of risk infrastructure
  • Political – risk arising from the actions of local, regional, or federal governments or special interest groups
  • Reputation – risk arising from changes in public opinion that impact earnings or access to capital
  • Strategic – risk arising from ABCD’s inability to formulate and/or execute a successful business strategy
  • Technology – risk arising from ABCD’s inability to implement or manage new technology
  • Regulatory – risk arising from unexpected changes to local, regional, or federal law or regulatory policy

7. ERM Process

ABCD recognizes that an effective ERM entails a systematic process and thorough approach to its implementation. Implementing an integrated risk management approach requires a management decision and sustained commitment, and is designed to contribute to the realization of organizational objectives.

Appended below is an overview of ABCD’s risk management process:

Establish the Context

Establishing internal and external context helps ABCD to articulate its objectives and define the external and internal parameters to be taken into account when managing risk, and sets the scope and the risk criteria for the remaining process. This phase is about understanding the internal and external environment; activities and processes; company’s business model and objectives; governance structure; supply chain; etc. and relating it to the subsequent risk management process.

Risk Identification

ABCD shall identify sources of risk, areas of impact, events (including changes in circumstances) and their causes and their potential consequences. This can facilitate identifying events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis. Best practice to identify risk would start from acknowledging our objectives and identifying elements that could affect these objectives either positively (upside) or negatively (downside). Accordingly, the key risk indicators or risk triggers are also identified at this stage. Key risk indicators serve as an early warning to ABCD that a risk could potentially materialise and, therefore, that further actions such as a contingency plan must be activated.

Risk Analysis

This provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk analysis can also provide an input into making decisions when choices must be made and the options involve different types and levels of risk. Risk analysis involves consideration of the causes and sources of risk (root causes), their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihoods should be identified accurately. Risk is analysed by determining consequences (impact) and their likelihood, and other attributes of risk. An event can have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness should also be taken into account.

Risk Evaluation

Risk evaluation seeks to establish the risk rating of a risk based on the probability of each risk occurring and the severity of that risk’s impact. Once risks have been identified, an analysis of possible impact and probability of occurrence will be made using consistent parameters that will enable the development of a corporate risk profile. A numerical measurement is given to rate the probability of occurrence of a risk and its impact (monetary and non-monetary). Risk severity is derived as follows: Likelihood x Impact = Severity.

ABCD’s Likelihood Scale (Probability of Occurrence)

ABCD’s Impact Scale

ABCD has 2 impact scales: one is based on financial values and the other on non-financial impact.

Based on the likelihood and impact scales, ABCD’s risk heat map is presented below:

Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered. In some circumstances, the risk evaluation can lead to a decision to undertake further analysis. The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls. This decision will be influenced by ABCD’s risk attitude and the risk criteria that have been established.

Risk Mitigation and Risk Treatment

Risk mitigation and risk treatment are actions taken by risk owners that will change the status of a risk. Management alternatives include the following possibilities:

  • retaining the risk either completely or partially,
  • avoiding the risk by withdrawing from or ceasing the activity,
  • reducing its likelihood of occurrence by designing and implementing controls,
  • reducing the impact by emergency or crisis response, and/or
  • transferring the risk by outsourcing or utilizing insurance schemes.

Monitoring and Review

To ensure that ERM is effective and continues to support organizational performance, ABCD shall:

  1. Measure risk management performance against indicators, which are periodically reviewed for appropriateness;
  2. Periodically measure progress against, and deviation from, the risk management plan;
  3. Periodically review whether the risk management framework, policy and plan are still appropriate, given the external and internal context;
  4. Report on risk, progress with the risk management plan and how well the risk management policy is being followed; and,
  5. Review the effectiveness of the risk management framework.

Communication and Consultation

Communication and consultation with external and internal stakeholders shall take place during all stages of the risk management process. This is especially important as they make judgements about risk based on their perceptions of risk. These perceptions can vary due to difference in values, needs, assumptions, concepts and concerns of stakeholders. Communication and consultation should facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidential and personal integrity aspects.

Risk Index

ABCD focuses on the risk mitigation of its key group risks, which consist of ‘High & Very High’ risk severity. A number of these key group risks are selected by ABCD’s management annually and the risk mitigation is monitored on a monthly basis. These selected key group risks are known as the Risk Index.

8. Framework

The purpose of the risk management framework is to assist ABCD in integrating risk management into significant activities and functions. The effectiveness of risk management will depend on its integration into the governance of ABCD, including decision-making. This requires support from stakeholders, particularly ABCD leadership and top management. Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across ABCD. Figure 9 illustrates the components of a framework.

ABCD evaluates its existing risk management practices and processes, evaluates any gaps and addresses those gaps within the framework. The components of the framework and the way in which they work together should be customized to the needs of ABCD.

Leadership and commitment

ABCD Top Management and the Risk Oversight Committee ensure that risk management is integrated into all ABCD activities and demonstrate leadership and commitment by:

  • customizing and implementing all components of the framework;
  • issuing a statement or policy that establishes a risk management approach, plan or course of action;
  • ensuring that the necessary resources are allocated to managing risk;
  • assigning authority, responsibility and accountability at appropriate levels within ABCD.

Design

Understanding ABCD and its context

When designing the framework for managing risk, ABCD examines and understands its external and internal context. Examining ABCD’s external context may include, but is not limited to:

  • The social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
  • External stakeholders’ relationships, perceptions, values, needs and expectations;
  • Contractual relationships and commitments.

Examining ABCD’s internal context may include, but is not limited to:

  • Vision, mission and values;
  • Governance, ABCD structure, roles and accountabilities;
  • Strategy, objectives and policies;
  • ABCD risk culture;
  • Standards, guidelines and models adopted by the GROUP COMPANY as well as ABCD;
  • Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
  • Data, information systems and information flows;
  • Relationships with internal stakeholders, taking into account their perceptions and values;
  • Contractual relationships and commitments.

Allocating resources

Top Management and the Risk Oversight Committee, where applicable, ensure allocation of appropriate resources for risk management, which can include, but are not limited to:

  • people, skills, experience and competence;
  • ABCD’s processes, methods and tools to be used for managing risk;
  • documented processes and procedures;
  • information and knowledge management systems;
  • professional development and training needs.

ABCD considers the capabilities of, and constraints on, existing resources.

Improvement

ABCD continually improves the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated. ABCD develops and enhances its human capital skills and competency on ERM-related subjects. This encompasses ABCD’s risk practitioners; risk owners; risk coordinators; and, senior and top management. At the same time, other employees are also encouraged to learn and understand the basic concepts of ERM. The knowledge gained from these activities would be beneficial and value-adding to ABCD as it shall support the development of a robust ERM culture for ABCD.

ERM Roles and Responsibilities

An effective risk governance structure, clearly assigning authority and responsibility for risk management in the company, is an essential component of ERM. The ERM Governance in ABCD is illustrated as below:

1) Board of Directors (BODs):

Responsibility

  • Maintain an awareness and understanding of the principal risks in all aspects of the business.
  • ERM Strategy Setting and ERM Decision Making

Role

  • Approve the Enterprise Risk Management Policy.
  • Approve limits of risk taking (Capacity, Appetite & Tolerance) for the company.
  • Approve designation of Key Group Risks.
  • Approve 5YR Risk Report.
  • Monitor the Management of Key Group Risks.

2) Audit & Risk Committee:

Responsibility

• Provide assurance that the organization is compliant to prevailing regulations and guidelines.

Role

• Ensure the effective operation of the ERM Framework.
• Determine consistency with stated GROUP COMPANY Risk Appetite and Risk Tolerance.
• Monitor Business Unit risk management practices for consistency and conformance to the Policy.

Chief Executive Officer (CEO) and Leadership Committee:

Responsibility

  • The owner of the ABCD’s ERM Policy.
  • The ultimate accountability for the management of the corporation’s risks, including issuing directives for their management.

Role

  • Ensure that there is a proper balance between risks and potential returns at the organization/Business Unit level.
  • Ensure that there are policies and systems to effectively manage and monitor risks, with a view to the achievement of ABCD’s and hence GROUP COMPANY’s Strategic Directives.
  • Ensure that appropriate processes and risk management capabilities are in place to identify, assess, measure, manage, monitor, and report risks within the Organization/Business Unit.
  • Endorse Risk Limits (Capacity, Tolerance and Appetite) for the Organization after consultation with the BOD and Risk Management Group as necessary.
  • Communicate the level and status of risk within the Organization Unit to the BOD.
  • Initiate, wherever necessary, processes to improve the assessment, measuring, management, monitoring, and reporting of risk.
  • Report to the BOD on risks and opportunities in the Organization.
  • Ensure the Organization’s risk reports are submitted to CRMD for monitoring purposes.

3) Risk Oversight Committee

Responsibility

The ROC is a permanent committee within KGOC, established by its Chief Executive Officer (CEO), with advice from the Risk Management Team. Its members have an overall knowledge of KGOC business and are responsible for tactical risk governance.

The ROC Chairman chairs ROC meetings and, in the event he/she is not available, the Deputy Chairman shall preside over the meeting. In decision-making where no consensus can be reached, the Chairman’s vote shall be the deciding vote. The ROC Chairman also represents ABCD in GROUP COMPANY’s ROC as a committee member. The ROC Chairman also represents ABCD in the GROUP COMPANY HSSE steering committee.

Role

  • advises the CEO and LC on all matters related to ERM;
  • monitors the effectiveness of ERM at ABCD and recommends actions to maintain and increase the effectiveness of ABCD’s ERM;
  • continuously monitors and assesses the Key Group Risks (KGR) and their treatment plans;
  • selects and oversees Risk Index target achievement;
  • assesses ABCD’s risk tolerance thresholds on a periodic basis and recommends revisions, if necessary;
  • secures and develops ERM resources and capabilities;
  • reviews ERM Policy on a periodic basis.

ABCD’s ROC composition is as below:

  • ROC Chairman – Deputy CEO of Technical & Commercial Affairs
  • ROC Deputy Chairman – Risk Management Group Manager
  • ROC Secretary – Sr. Risk Analyst
  • ROC Members – ABCD Head Office Group Managers + Team Leader, Risk Management + Team Leader, HSSE

The scope of the ROC is described in the ROC Charter, a separate document.

Risk Management Team

Responsibility

The Risk Management Team is responsible for ongoing ERM activities.

Role

  • coordinates and facilitates Risk Management processes;
  • supports ABCD Teams in the management of their risks;
  • coordinates implementation of Risk Management procedures throughout ABCD by facilitating meetings and discussions with RCs;
  • provides periodic reports to the ROC and implements the guidelines provided by the ROC;
  • provides a monthly report to the top management about the Risk Management process;
  • maintains communication with the GROUP COMPANY Corporate Risk Management Department (and, if required, with the GROUP COMPANY Internal Audit team for the GROUP COMPANY Audit and Risk Committee);
  • aggregates, analyses and reports the company’s overall risk portfolio;
  • supports ERM Integration of Head Office with Joint Operations; and,
  • increases over time the capabilities of ABCD ERM and ensures that ERM continuously reflects the best fit for ABCD as the art and science of ERM improves over time.

Managers and Team Leaders

Managers and Team Leaders manage risks within the scope of their authority and accountability; make business decisions in accordance with GROUP COMPANY and ABCD risk policies and guidelines; implement risk management processes within their Team or Group, in collaboration with the Risk Management Team; ensure that employees have the information and skills required to manage risks; and are aware of the interrelationships between risks faced by their Team and other Teams.

Risk Coordinators (RC)

RCs are selected and appointed by a Team Leader or Group Manager. An RC represents the Team/Group on matters pertaining to risk management. It is expected that each team should have at least one RC, and a Group Manager may appoint an RC to represent his/her group. The principal basis for appointing an RC:

  • adequate knowledge and experience level on the team’s objectives and functions;
  • provides risk mitigation updates and status to Risk Management Team;
  • coordinates and organizes risk assessment activities within his/her Team/Group by actively engaging respective colleagues to obtain the required information; and,
  • obtains approval from the Team Leader/Group Manager prior to adding and/or removing risks from the risk register.

There may be instances where an RC is appointed by higher management-level authority, within managerial or team leader level, to assist in ABCD’s ERM process such as addressing risks at the portfolio level (ABCD-wide risks). The group of ABCD’s RCs are known as the Risk Management Work Group.

In general, ABCD’s employees and contractors should understand the basic principles of ERM and their own accountability for specific risks, and contribute and actively participate in the continuous improvement of risk management in ABCD, according to the principle that ‘risk management is everybody’s business.’ This is vital for the evolution and maturity of ABCD’s risk culture and, in this regard, the Risk Management Team shall conduct continuous learning sessions (i.e., awareness programs, ERM-related presentations and activities, etc.). Employees and contractors are encouraged to continuously communicate to the Team Leader of the Risk Management Team about risks related to the company.

Enterprise Risk Management Policy Statement

ABCD has formulated the following Enterprise Risk Management (ERM) Policy Statement. It will be communicated to all relevant stakeholders by ABCD’s Chief Executive Officer.

To: All ABCD Employees and Contractors;

ABCD’s vision is to achieve a leading global position in Upstream Oil & Gas as an integrated and value-driven enterprise. This is to be achieved by maximising the strategic value from oil; realising the potential of gas; growing reserves for a sustainable future; being an employer of choice; optimising value from technology; strengthening commitment to HSSE; striving for excellence in performance; and contributing to the enterprise and State of Kuwait.

To achieve this vision, we need to protect ourselves against the uncertainties that threaten our company objectives, and at the same time identify and capture the opportunities that would help us achieve our goals. ERM is the systematic approach that ABCD uses to manage all risks in the company, both threats and opportunities. It gives ABCD a better understanding of how internal and external factors affect company objectives, provides better support for decisions, reduces unwelcome surprises and improves opportunities. ERM helps ABCD to secure and achieve its strategic objectives and is aligned with our overall strategy.

ERM involves open discussion of risks, based on a common language and framework. Risks are managed as a portfolio, considering the relationships between them; every risk has an ‘owner’ who is accountable for managing it.

Effective risk management relies on a corporate culture where ‘risk management is everybody’s business.’ All ABCD employees and contractors are expected to:

  • Understand the general principles of ERM;
  • Identify the threats and opportunities that might affect company objectives;
  • Report, discuss and analyse these risks frankly and openly;
  • Understand their own accountability for specific risks, and participate in risk monitoring and treatment; and,
  • Participate actively in the continuous improvement of risk management in ABCD.

ABCD management is committed to fostering a work environment where risks are discussed openly, and encourages employees and contractors to grow their risk management skills and apply them to their everyday work. For this purpose, ABCD’s ERM Policy shall be used as a guiding principle.
