3 May 2023 PAGE 1

Risk Reporting and

Management

Agenda

• Risk in a business context

• Why is risk reporting important?

• Risk Management Process

3 May 2023 PAGE 2

Risk – From a business perspective

3 May 2023 PAGE 3

• Google’s early days: A startup taking on established, deep pocketed players

• Difficulty to source local content

• Algeria implemented an additional tax on oil production

A B

C

Risk – E&P Operations

3 May 2023 PAGE 4

Risk – E&P Operations

3 May 2023 PAGE 5

A Balanced View – Risk vs Rewards

• A business case needs to look at more than the strategic fit, profitability (NPV) etc.

• It needs to carefully consider and report key risks associated with the proposed investment.

3 May 2023 PAGE 6

Why is Risk reporting important?

• Decision makers may not be aware of all the project details

Furthermore:• Decision makers can take a portfolio view of risks

– Exposure to particular risk across different projects can be viewed together

• They can look at mitigation plans

3 May 2023 PAGE 7

Risk Management is a 3 step process

1.Risk identification – what are the risks?

2.Risk assessment – To understand their likelihood

and potential impact

• Qualitative and quantitative

3.Risk response – how can we reduce the risk

likelihood and impact?

3 May 2023 PAGE 8

Risk Identification

3 May 2023 PAGE 9

Risk IdentificationPEST Framework

• Political - war, crisis, political instability, legislation local and international, contractual provisions, arbitration and jurisdiction provision, tax implications

• Economic and Financial Risks general economic climate, financial markets, funding, interest, inflation, oil and commodity prices.

• Social and Environmental Risk-pollution, laws/regulation, unions, oil spill

• Technical Risks - production/reserves, i.e. a risk analysis must show the consequences of expectation and low estimates.

3 May 2023 PAGE 10

Risk IdentificationAdditional Risks

• Business Continuity- Document retention, succession.

• Management and Organizational and HR Risks- human resources, personal injury/death of personnel, communication systems/infrastructure, data integrity and processing, corporate structure, accounting systems, right strategies, growth, change readiness, subcultures.

• Commercial and Operational Risks - Change of Competitive structure, risk related to non-performance of contractual obligations by suppliers, buyers, debtors or creditors, lack of project control, cost overruns and delays,

• Communication, IT Processes - safeguarding the A.P. Møller -Maersk name and image, standardization.

3 May 2023 PAGE 11

Risk Identification - Only important risks

Laundry list of all possible risks is not an answer!

• Do not list all conceivable risks in the world – it does not help anyone!

• Internal: Ask experienced colleagues/team members/steering committee

• External: Interviews, data providers, Economist Intelligence Unit

Focus only on key risks.

3 May 2023 PAGE 12

Risk Assessment

3 May 2023 PAGE 13

Risk assessment – Quantitative

• Scenarios:• Sensitivity modelling:• Monte Carlo simulation:

3 May 2023 PAGE 14

Risk Assessment - Qualitative

Catastrophic (5)

Major (4)

Moderate (3)

Minor (2)

Insignificant (1)

Rar

e (1

) U

nlik

ely

(2)

Poss

ible

(3)

Prob

able

(4)

Alm

ost C

erta

in (5

)

Impact

Risk Levels

Very high

High

Medium

Low Lik

elih

ood

The position of the risk levels in the heat map is to be finally determined by senior management.

3 May 2023 PAGE 15

Impact

Low

Medium

High

Low

Medium

High

Like

lihoo

d

Political risk

Tax exposure

Delay/ Cost overrun

Personnel for operation

FSO accident with another vessel or platform

Well Performance during

operation

MOG’s risk assessment model

Level Descriptor Relative impact on objectives

Explanation

1 Insignificant <1% Day to day mishaps. Low short term and no long term impact. Unlikely to damage objectives. (E.g. infrequent schedule delays).

2 Minor 1-5% Low short and low long term impact. Only negligible damage to objectives. (E.g. loss of area key client or repetitive document / service failures).

3 Moderate 6-25% High short term and low long term impact. Noticeably affect to objectives. (E.g. loss of global key client or short term production loss).

4 Major 26-80% Major single event with high short term impact and some long term consequences. Harm or impediment to objectives. (E.g. breach of platform security, oil spill, or lack of expertise).

5 Catastrophic 81-100% Event which could wipe out our continued business in a particular segment. Destruction of objectives.

Level Descriptor Likelihood of occurrence within (e.g.) one year

Explanation

1 Rare < 2% The risk may occur in exceptional circumstances.

2 Unlikely 2-10% The risk is uncommon to occur, but may do so under certain conditions.

3 Possible 11-25% The risk may occur.

4 Probable 26-70% The risk is likely to occur once.

5 Almost Certain >70% The risk is very likely to occur once or more frequently.

3 May 2023 PAGE 16

Risk response

How do we mitigate risk impact?

• Avoidance: Exit activity• Reduction: Action to reduce likelihood or impact• Sharing: Reducing impact by transferring risk – normally at a

cost (insurance, hedging, partnership, outsourcing)

• Acceptance: If risk is within our risk appetite, we live with it.

Any examples?

3 May 2023 PAGE 17

In a nutshell…

3 May 2023 PAGE 18