CP 131


Petroleum Development Oman L.L.C.

Risk and Opportunity Management

Document ID CP-131

Document Type Code of Practice

Security Restricted

Discipline Finance

Owner FD

Next Revision Date September 2023

Version 5.0

Keywords: This document is the property of Petroleum Development Oman, LLC. Neither the whole nor any part of this
document may be disclosed to others or reproduced, stored in a retrieval system, or transmitted in any form by any
means (electronic, mechanical, reprographic recording or otherwise) without prior written consent of the owner.
Revision: 5.0
Petroleum Development Oman LLC Effective Date: Sep 20


Page 2 CP-131 Printed 20/09/20


The controlled version of this CMF Document resides online in Livelink®. Printed copies are UNCONTROLLED.

i Document Authorisation

Authorised for use (FD): KHAIFI,HAIFA FD. Date: 09-01-2019 12:00 AM
Document Custodian (FFCN): Harthi, Saif FFCN. Date: 22-01-2019 8:04 AM
Document Controller (FFCC): Rana, Muhammad FFCC. Date: 22-01-2019 8:02 AM

This document was approved electronically and approval emails are saved


ii Revision History
The following is a brief summary of the revisions to this document. Details of all revisions prior to these are
held on file by the issuing department.

Version # | Date | Author | Scope / Remarks
5.0 | September 2020 | FFCC | Provided additional guidance in practices to be followed section and annexures on Risk Assessment Matrix and Corporate Risk Consolidation
4.0 | December 2018 | FFCC | CoP has been rationalised to maintain key practices and principles. A separate procedure on Risk and Opportunity management PR-2349 has been published which includes details of the Risk assessment and consolidation process adopted in PDO
3.0 | September 2006 | FCC | Update to align with RDS Statement on Risk Management and associated procedures & templates
2.0 | December 2002 | FSB | Update to align with Risk Policy & Guidelines
1.0 | September 1998 | CBM/3 | Original issue, supporting the Risk Policy


iii Related Corporate Management System (CMS) Documents


The following documents specifically relate to this Code of Practice. The related CMS Documents can be
retrieved from the Corporate Business Control Documentation Register.

Business Control | Description | Document ID
Policy | Risk and Internal Control | PL-03
Code of Practice | Risk and Opportunity Management | CP-131
Procedure | Risk and Opportunity Management | PR-2349
Code of Practice | Health, Safety, and Environment | CP-122
Guideline | Capital Risk Management Guideline | GU-717


TABLE OF CONTENTS
i Document Authorisation
ii Revision History
iii Related Corporate Management System (CMS) Documents
1 Introduction
1.1 Background
1.2 Review
1.3 Terminology
2 Scope & Fundamentals of the Code of Practice
2.1 Scope
2.2 Fundamentals
3 Practices to be followed
4 Roles and Responsibilities
5 Step-Out & Approvals
6 Annexure


1 Introduction

1.1 Background
This Code of Practice relates to the PDO policy on Risk and Internal Controls (PL-03), which states that
business risks shall be identified and business controls established to eliminate or reduce the Company’s
risks and exposures to an acceptable level. PDO’s Statement on Risk Management is one of the
foundation level components of PDO Control Framework (PCF). The objective of this Code of Practice
is to articulate PDO’s “Statement on Risk Management” that describes the need for on-going risk based
assessments of the control framework, and the mandatory elements of the process to be followed to
conduct risk assessments.

The key objectives of the risk management process in PDO are to:

• Increase the likelihood of achieving objectives
• Protect our staff, contractors, assets and reputation
• Support better decision making across the board
• Improve performance consistent with our values
• Apply our resources more effectively

1.2 Review

A review of this document will be carried out when the business process changes significantly. However, a
general review will be conducted every three years.


1.3 Terminology

For the uniform application of the risk management process, the following definitions of risk management
will be followed:

Risk can be described as the probability of suffering loss or harm to our business objectives. Uncertainty
is something that all businesses face and manage on a daily basis, and uncertainty gives rise to risks. Every
decision taken has associated risks.

Inherent (“gross”) risk is an assessment without any responses being applied and assuming no
controls are in place (or failure of existing ones).

Residual (“net”) risk is an assessment of the risk taking into account the quality and effectiveness of the
controls in place, after responses have been applied. The potential difference between inherent and residual
risk gives an indication of the quality and effectiveness of the controls in place.

Opportunities are those factors, which could influence the achievement of business objectives having
a potential positive consequence. The opportunity can be assessed in terms of its probability of success
and upside potential.

As Low As Reasonably Practicable (ALARP) can be demonstrated if alternatives have been
considered and it is concluded that further risk reductions are impracticable or costs thereof are grossly
disproportionate to the improvement made.


2 Scope & Fundamentals of the Code of Practice

2.1 Scope
In accordance with the Risk & Internal Control Policy, this Code of Practice covers all activities that
PDO undertakes in the pursuit of its mandated business. This Code of Practice prescribes how the
Risk Management process shall be applied in PDO’s day to day business. It defines the requirements
to ensure that the objectives of the Risk & Internal Control Policy are being met.

This Code of Practice is applicable to all PDO business activities, including those activities
undertaken by contractors on behalf of PDO. Most practices are suitable for everyday use. Therefore,
all PDO staff must follow this Code of Practice and related relevant procedures and guidelines, which
in turn are based on this Code of Practice. Any deviation from this Code of Practice should be fully
justifiable in the event of an audit.

2.2 Fundamentals

The guiding principle upon which this Code of Practice is developed is that the systematic
identification, evaluation and assessment of risks to achieving the business objectives, and for the
evaluation of upside potential of opportunities, are essential to a sound business control framework.

Risk management in PDO shall be entrenched within strategy setting, planning and business
processes to safeguard business performance and sustainability. The management of risks at each
organisational level shall provide cost effective responses to create an appropriate balance between
risk and reward.

The fundamentals of PDO’s risk management process are to:

• Support the achievement of the business objectives
• Create a risk-aware culture where managers and staff actively identify and respond to risks
  and opportunities using a common methodology and language
• Integrate a consistent risk management methodology into key business processes
• Enable the development of risk management competencies
• Promote compliance with legal, regulatory, ethical and policy requirements


3 Practices to be followed

This Code of Practice requires every Asset and Function of the company to:

• Establish clear business objectives
• Review their business environment (internal and external)
• Identify risks to the achievement of business objectives
• Evaluate the impact and likelihood of the risks materialising
• Incorporate and apply effective responses that are designed to:
  o achieve business objectives
  o facilitate economic, effective, efficient and safe operations
  o safeguard company assets from inappropriate use, loss or fraud
  o ensure reliable reporting
  o enable compliance with applicable laws, regulations, PDO’s Business Principles
    and standards that relate to specific types of risk
• Monitor and communicate significant risks, potential and actual control failures, and the
  effectiveness of the risk and internal control management
• Provide to shareholders annual assurance of compliance with the Risk & Internal Control
  Policy and PDO’s associated standards

Risk Management Process

• Each Asset/Function shall maintain its Directorate risk profile, supported by a risk response register
  and/or risk assessment summaries. These shall be reviewed by the leadership teams on a quarterly
  basis and shall provide the basis for bi-annual corporate risk consolidation.

• Assets and Functions shall adopt both a top-down and a bottom-up approach for risk identification
  (linking risk dialogue to objectives/strategy elements) and assessment of risks through workshops,
  interviews, market research and intelligence, control self-assessments, etc., ensuring:
  o Data driven risk assessments with supporting quantification data (leading or lagging risk
    indicators, measures of success, etc.) for risk evaluations and assumptions
  o Forward looking approach, focussing on risk prevention (rather than issue management)
  o Dynamic and integrated view of risks, considering how various risks may impact/reshape
    each other (risk connectivity and aggregation)

• In order to make the risk management process workable it is recommended that at the Directorate
  or Departmental level there shall be no more than 10-15 (key) risks.

• For risks escalated to PDO’s Corporate Risk Profile (CRP), detailed risk information sheets shall be
  compiled by respective risk focal points, reviewed/approved by risk owners/directors and published
  as corporate risk booklet by GRA on a bi-annual basis.

• Risk Coordinator (Head of GRA) shall distribute the risk methodology, templates and tools for the
  Corporate and Directorate risk assessments by the business units.

• Appropriate Risk Assessment Matrix (RAM) structure shall be used (e.g. a 3x3 or a 5x5 zone matrix),
  as a tool to identify, analyse and prioritise risks. The criteria used to measure risks may depend
  upon unique circumstances of the business area.

• Corporate Risk Assessment Matrix – is structured on a 3x3 zone matrix, with assessments of both
  likelihood and impact being rated as either High, Medium or Low with representation of trend (in
  controls & risk environment) and acceptability of risk responses (measure of residual value of risk
  that management is willing to accept).

• HSE risk assessments shall follow the risk matrix and standard process outlined in HSE procedures
  to assess risks in terms of absolute severity and relative importance.

• Projects risk management process shall follow the practices outlined in the Capital Project Risk
  Management Guideline (GU-717).

• Procedures for monitoring the appropriateness and effectiveness of the identified risk responses
  and (timely/quality) closure of mitigation actions (with clear ownership) shall be embedded within
  the normal operations of the Assets and Functions.

• On a bi-annual basis, GRA (FFCC) shall compile and present Corporate Risk Profile (CRP) to the
  Internal Assurance Committee (IAC) and Board Audit Committee (BAC) for approval (Annexure,
  Corporate Risk Review and Consolidation Process).


4 Roles and Responsibilities

Below is the summary matrix of the roles and related responsibilities that are required to both
manage and implement this Code of Practice.

Role: Shareholders’ Board Audit Committee (BAC)
Related Responsibilities:
• Set the structure and approach for supporting and embedding the risk strategy and accountability
• Review the effectiveness of internal control and risk management systems
• Approve the corporate risk profile on bi-annual basis

Role: Internal Assurance Committee (IAC)
Related Responsibilities:
• Ensure that the risk and related standards are appropriate and understood across the organisation
• Ensure that risks and risk response plans are identified for the organisation and in respect of all
  business activities
• Set priorities and monitor the progress against response plans
• Ensure that all risks are reviewed to reflect results of the assurance process and to reflect
  changing business circumstances

Role: Risk Sponsor (Owner)
Related Responsibilities:
• Define and assess risk and opportunities
• Ensure that appropriate risk responses are effectively implemented to reduce risk to an acceptable level
• Continuously monitor the risk (likelihood and impact) and performance of the risk responses
• Evaluate and report on the status of risks during quarterly risk assessments

Role: Risk Coordinator (Head of GRA)
Related Responsibilities:
• Distribute risk methodology and drive assessment process
• Provide advice, templates, and tools for business units
• Constantly refine process based on decisions and experiences
• Consolidate Corporate Risk Register
• Present corporate risk profile (and summaries of risk changes) to Internal Assurance Committee and
  shareholders on a bi-annual basis


5 Step-Out & Approvals


Any proposal to deviate from this Code of Practice for whatever reason must be submitted to the
Finance Controller and Finance Director for review and formal approval.


6 Annexure

Corporate Risk Review & Consolidation Process
