CP 131
Document ID CP-131
Security Restricted
Discipline Finance
Owner FD
Version 5.0
This document is the property of Petroleum Development Oman, LLC. Neither the whole nor any part of this
document may be disclosed to others or reproduced, stored in a retrieval system, or transmitted in any form by any
means (electronic, mechanical, reprographic recording or otherwise) without prior written consent of the owner.
Revision: 5.0
Petroleum Development Oman LLC Effective Date: Sep 20
i Document Authorisation
This document was approved electronically and approval emails are saved
ii Revision History
The following is a brief summary of the revisions to this document. Details of all revisions prior to these are
held on file by the issuing department.
TABLE OF CONTENTS
i Document Authorisation
ii Revision History
iii Related Corporate Management System (CMS) Documents
1 Introduction
1.1 Background
1.2 Review
1.3 Terminology
2 Scope & Fundamentals of the Code of Practice
2.1 Scope
2.2 Fundamentals
3 Practices to be followed
4 Roles and Responsibilities
5 Step-Out & Approvals
6 Annexure
1 Introduction
1.1 Background
This Code of Practice relates to the PDO policy on Risk and Internal Controls (PL-03), which states that
business risks shall be identified and business controls established to eliminate or reduce the Company’s
risks and exposures to an acceptable level. PDO’s Statement on Risk Management is one of the
foundation-level components of the PDO Control Framework (PCF). The objective of this Code of Practice
is to articulate PDO’s “Statement on Risk Management”, which describes the need for on-going risk-based
assessments of the control framework and the mandatory elements of the process to be followed when
conducting risk assessments.
1.2 Review
A review of this document will be carried out whenever a business process changes significantly. In addition, a
general review will be conducted every three years.
1.3 Terminology
For the uniform application of the risk management process, the following risk management definitions
will be followed:
Risk can be described as the probability of suffering loss or harm to our business objectives. Uncertainty
is something that all businesses face and manage on a daily basis, and uncertainty gives rise to risks. Every
decision taken has associated risks.
Inherent (“gross”) risk is an assessment of the risk without any responses being applied and assuming no
controls are in place (or failure of the existing ones).
Residual (“net”) risk is an assessment of the risk that takes into account the quality and effectiveness of the
controls in place, after responses have been applied. The difference between inherent and residual
risk gives an indication of the quality and effectiveness of the controls in place.
Opportunities are those factors which could influence the achievement of business objectives and have
a potential positive consequence. An opportunity can be assessed in terms of its probability of success
and upside potential.
2 Scope & Fundamentals of the Code of Practice
2.1 Scope
In accordance with the Risk & Internal Control Policy, this Code of Practice covers all activities that
PDO undertakes in the pursuit of its mandated business. This Code of Practice prescribes how the
Risk Management process shall be applied in PDO’s day to day business. It defines the requirements
to ensure that the objectives of the Risk & Internal Control Policy are being met.
This Code of Practice is applicable to all PDO business activities, including those activities
undertaken by contractors on behalf of PDO. Most practices are suitable for everyday use; therefore
all PDO staff must follow this Code of Practice and the related procedures and guidelines, which
in turn are based on this Code of Practice. Any deviation from this Code of Practice should be fully
justifiable in the event of an audit.
2.2 Fundamentals
The guiding principle upon which this Code of Practice is developed is that the systematic
identification, evaluation and assessment of risks to achieving the business objectives, and for the
evaluation of upside potential of opportunities, are essential to a sound business control framework.
Risk management in PDO shall be entrenched within strategy setting, planning and business
processes to safeguard business performance and sustainability. The management of risks at each
organisational level shall provide cost effective responses to create an appropriate balance between
risk and reward.
3 Practices to be followed
This Code of Practice requires every Asset and Function of the company to:
Establish clear business objectives
Review their business environment (internal and external)
Identify risks to the achievement of business objectives
Evaluate the impact and likelihood of the risks materialising
Incorporate and apply effective responses that are designed to:
o achieve business objectives
o facilitate economic, effective, efficient and safe operations
o safeguard company assets from inappropriate use, loss or fraud
o ensure reliable reporting
o enable compliance with applicable laws, regulations, PDO’s Business Principles
and standards that relate to specific types of risk
Monitor and communicate significant risks, potential and actual control failures, and the
effectiveness of the risk and internal control management
Provide to shareholders annual assurance of compliance with the Risk & Internal Control
Policy and PDO’s associated standards
Each Asset/Function shall maintain its Directorate risk profile, supported by a risk response register
and/or risk assessment summaries. These shall be reviewed by the leadership teams on a quarterly
basis and shall provide the basis for the bi-annual corporate risk consolidation.
Assets and Functions shall adopt both a top-down and a bottom-up approach to risk identification
(linking the risk dialogue to objectives/strategy elements) and to the assessment of risks through workshops,
interviews, market research and intelligence, control self-assessments, etc., ensuring:
Data-driven risk assessments with supporting quantification data (leading or lagging risk
indicators, measures of success, etc.) for risk evaluations and assumptions
A forward-looking approach, focussing on risk prevention (rather than issue management)
A dynamic and integrated view of risks, considering how various risks may impact or reshape
each other (risk connectivity and aggregation)
In order to keep the risk management process workable, it is recommended that at the Directorate
or Departmental level there be no more than 10-15 (key) risks.
For risks escalated to PDO’s Corporate Risk Profile (CRP), detailed risk information sheets shall be
compiled by the respective risk focal points, reviewed/approved by the risk owners/directors and published
as a corporate risk booklet by GRA on a bi-annual basis.
Risk Coordinator (Head of GRA) shall distribute the risk methodology, templates and tools for the
Corporate and Directorate risk assessments by the business units.
An appropriate Risk Assessment Matrix (RAM) structure shall be used (e.g. a 3x3 or a 5x5 zone matrix)
as a tool to identify, analyse and prioritise risks. The criteria used to measure risks may depend
upon the unique circumstances of the business area.
The Corporate Risk Assessment Matrix is structured as a 3x3 zone matrix, with assessments of both
likelihood and impact being rated as High, Medium or Low, together with a representation of the trend (in
controls and the risk environment) and the acceptability of the risk responses (a measure of the residual value of the risk
that management is willing to accept).
HSE risk assessments shall follow the risk matrix and standard process outlined in HSE procedures
to assess risks in terms of absolute severity and relative importance.
Projects risk management process shall follow the practices outlined in the Capital Project Risk
Management Guideline (GU-717).
Procedures for monitoring the appropriateness and effectiveness of the identified risk responses
and the (timely, quality) closure of mitigation actions (with clear ownership) shall be embedded within
the normal operations of the Assets and Functions.
On a bi-annual basis, GRA (FFCC) shall compile and present the Corporate Risk Profile (CRP) to the
Internal Assurance Committee (IAC) and the Board Audit Committee (BAC) for approval (see Annexure,
Corporate Risk Review and Consolidation Process).
4 Roles and Responsibilities
Shareholders’ Board Audit Committee (BAC)
- Set the structure and approach for supporting and embedding the risk strategy and accountability
- Review the effectiveness of internal control and risk management systems
- Approve the corporate risk profile on a bi-annual basis
- Ensure that the risk and related standards are appropriate and understood across the organisation
- Ensure that risks and risk response plans are identified for the organisation and in respect of all business activities
Internal Assurance Committee (IAC)
- Set priorities and monitor the progress against response plans
- Ensure that all risks are reviewed to reflect the results of the assurance process and to reflect changing business circumstances
6 Annexure