Introducing Enterprise Risk Management (ERM) - The KOC Experience

1. Introducing Enterprise Risk Management (ERM) - The KOC Experience November 2012 Khaled Al-Awadhi Risk Management Team Kuwait Oil Company

2. Index Introduction Why we are doing it? Doing the same thing Behavioral aspects in ERM Risk - key definitions Implementation journey Risk policy Enterprise Risk Management (ERM) Manual ERM Pilot ERM Rollout Way forward

3. Introduction Global demand for improved visible governance Examples of risks facing large companies ( both major and complete collapse …. Rawdatain Gas Well incident (KOC) Bank failures Why we are doing it?

4. KOC adopted it because of KPC directives and because of its benefits Benefits: Demonstrate improved governance to all stake holders No surprises / Improved preparedness Risk reduction/treatment Improved confidence in decision making reduce risk to company objectives Continue…..

5. Are you really doing the same thing? The scenario changes! The person doing it changes!! The objectives change!!! Unknown unknown !!!! Continue….. Doing the same thing • Can you do the same thing again and again and expect the same result?

6. Can personality types affect risk perception? Can past experience affect risk perception? Can laws affect risk perception? What else? Continue….. Behavioral aspects of ERM

7. KOC KOC’s Risk Exposure Global Oil Market KPC Operational Risk Exposure Barriers Global/ Domestic Products Market Sister Companies 7

8. Macro to Micro (and back again) Leaders Leaders need firm information on which to base decision making and objective setting. Risk profiling does this. Risk Profile Macro Risk Workforce Micro Risk Work force needs strategic information to make right detailed operational planning. Activity Strategic Tactical

9. Continue….. Risk - key definitions

10. Continue….. Risk – framework (AS/NZ 4360: 2004) Standard

11. Implementation Journey KOC Risk Policy ERM Procedure ERM Pilot ERM Rollout Way forward

12. Implementation Journey … KOC Risk Policy

13. Implementation Journey … KOC Risk Policy • Consistent with international best practice • Recognizes that risk is inherent in our business • Risk Management is fundamental to achieving our objectives • Visibility will help to monitor actions • Improve decision making

14. ERM Framework Stakeholders ERM Policy Organisation & Capability ERM Process Enterprise Risk Management System Assurance Operational Functions Acceptance & Appetite Communication Risk Register

16. Implementation Journey … Risk Matrix Consequence Consequence Consequence Consequence Consequence Consequence What are the worst case What are the worst case What are the worst case credible credible credible What are the worst case What are the worst case What are the worst case credible credible credible n n n n n n scenarios for each category of scenarios for each category of scenarios for each category of scenarios for each category of scenarios for each category of scenarios for each category of consequence (target)? consequence (target)? consequence (target)? consequence (target)? consequence (target)? consequence (target)? Probability Probability Probability Probability Probability Probability How likely is it to occur / reoccur? How likely is it to occur / reoccur? How likely is it to occur / reoccur? How likely is it to occur / reoccur? How likely is it to occur / reoccur? How likely is it to occur / reoccur? n n n n n n How effective are the controls we How effective are the controls we How effective are the controls we How effective are the controls we How effective are the controls we How effective are the controls we n n n n n n have in place? have in place? have in place? have in place? have in place? have in place? RISK CONSEQUENCE Cost of Event Profit Reduction Health and Safety Natural Environment Social or Cultural Heritage Community, Government, Reputation, Media Legal

17. Risk Hierarchy Risk register allows “drill down” from corporate level risks to detailed exposures www.kockw.com

18. Areas of Exposure & Control E&PD Directorate West Kuwait Directorate General Management North Kuwait Directorate Administration Technical Services South & East Kuwait Directorate Directorate Directorate Corporate Financial Risk Profile Operational 60 Areas of Risk 50 Human Resources Critical 40 Intolerable 30 Broadly Tolerable Health, Safety & Environmental 20 Acceptable 10 Governance, Reputation & 0 1st Qtr 2nd Qtr 3rd Qtr 4th Qtr Compliance Risk Profile The risk hierarchy allows senior managers to understand the current level of exposure and the trend over time. From this they can set improvement objectives for the following period. Planning & Gas Directorate

19. Implementation Journey … ERM Pilot • Workshops held in two Groups • Risks Identified • Risks Analyzed • Actions Identified • Responsibility assigned • Risk Register prepared

20. Implementation Journey … ERM Roll out • Implementation of ERM in all groups in KOC. • Risk Review workshop for LC • KOC Risk Register • Training of • Risk Management for Managers • General Awareness • Super Users • RM Team capability building • Because of the unique case of Ahmadi Hospital, building the Risk Register was done alone not with the company roll out.

21. Embed ERM in KOC Continuous updated vision of Risks facing KOC is available to leadership to support risk aware decision making. Compile and analyze risk profile LC Risk review Communicate risk profile to stakeholders Support KPC Enterprise Risk Management Project. Modeling of key risks Proactive support to Auditors as partners, to find opportunities for improvement We are now linking the internal audit report with Risk Register. This year we will include London Office Risks to the Risk Register. ERM Way forward

22. ERM Profile in KOC KPM : Risk Index (Treated) is linked to SMAIP Basis : Annual Update Basis : Work Shops Basis : Survey & Audits