.N OIL. COMPANY. POLICY STATEMENT ENTERPRISE RISK MANAGEMENT This Enterprise Risk Management (ERM) Policy Statement describes the Company's expectations with regard to the formal management of risk across the Company. It applies to all organizations and activities, including subsidiaries and operated joint ventures, Risk is the effect of uncertainty on the achievement of objectives. Risk is inherent in doing any business and taking risk within the Company's risk tolerance, without compromising the health, safety and environment standards, is a necessary and accepted part of doing business. Enterprise Risk Management (ERM) is the system of policies, processes and tools by which risks are identified, understood and responded to across the entire Company in a deliberate, proactive and coordinated manner. The effective management of risk creates and protects stakeholder value by helping the Company achieve its objectives, embed corporate values and protect its reputation. All organizations must apply risk management processes, methodologies and tools to all key activities and decisions in a manner consistent with this Policy and other policies, procedures and instructions that collectively comprise the ERM framework. The Company, through the corporate ERM Group, will ensure that the various functions established to support the management of risk are incorporated into the ERM framework and properiy aligned with one another through common risk language, assessment criteria, understanding of appetite and reporting systems to enable the efficient escalation of risks for appropriate resolution The President & CEO, assisted by the Head of Risk, is responsible for ensuring that the Company has an effective ERM framework and the capabilities and resources to apply it consistently throughout the Company. He is also supported by the Management Committee, which approves risk management policies, sets the risk appetite, and monitors application All organizations will formally document and manage risks to their strategies and objectives, including all submissions for approvals put before the Management Committee. Risks identified as Top Corporate Risks will be allocated to Risk Champions, who will assess them, recommend responses, and present their reports periodically to the Management Committee and Board Audit Committee. pare: 2/1 8 [15~ vate: 2 /S/ 20) x he Z RECOMMENDED: Ae APPROVED: Zt Secretary President & Management Committee Chief Executive Officer