.N OIL. COMPANY.
POLICY STATEMENT
ENTERPRISE RISK MANAGEMENT
This Enterprise Risk Management (ERM) Policy Statement describes the Company's expectations
with regard to the formal management of risk across the Company. It applies to all organizations and
activities, including subsidiaries and operated joint ventures,
Risk is the effect of uncertainty on the achievement of objectives. Risk is inherent in doing any
business and taking risk within the Company's risk tolerance, without compromising the health,
safety and environment standards, is a necessary and accepted part of doing business. Enterprise
Risk Management (ERM) is the system of policies, processes and tools by which risks are identified,
understood and responded to across the entire Company in a deliberate, proactive and coordinated
manner.
The effective management of risk creates and protects stakeholder value by helping the Company
achieve its objectives, embed corporate values and protect its reputation. All organizations must
apply risk management processes, methodologies and tools to all key activities and decisions in a
manner consistent with this Policy and other policies, procedures and instructions that collectively
comprise the ERM framework.
The Company, through the corporate ERM Group, will ensure that the various functions established
to support the management of risk are incorporated into the ERM framework and properiy aligned
with one another through common risk language, assessment criteria, understanding of appetite
and reporting systems to enable the efficient escalation of risks for appropriate resolution
The President & CEO, assisted by the Head of Risk, is responsible for ensuring that the Company
has an effective ERM framework and the capabilities and resources to apply it consistently
throughout the Company. He is also supported by the Management Committee, which approves risk
management policies, sets the risk appetite, and monitors application
All organizations will formally document and manage risks to their strategies and objectives,
including all submissions for approvals put before the Management Committee. Risks identified as
Top Corporate Risks will be allocated to Risk Champions, who will assess them, recommend
responses, and present their reports periodically to the Management Committee and Board Audit
Committee.
pare: 2/1 8 [15~ vate: 2 /S/ 20) x
he Z
RECOMMENDED: Ae APPROVED: Zt
Secretary President &
Management Committee Chief Executive Officer