3.7.2 Design and Effectiveness of the Internal Risk Management and Control System

Management approach

The identification, assessment and management of risk are Management’s responsibility and are carried out with the support of dedicated Risk Management resources integrated into the Company’s main business pillars. Under the leadership of the Group Risk and Compliance Director (GRCD), the business risk and compliance officers bring the necessary skills in monitoring, challenging and advising the business on identifying and properly managing risks associated with business operations and core processes.

The Risk Assurance Committee (RAC), chaired by the GRCD, reviews the most significant risks faced by the Company and the relevant control measures. The RAC meets regularly and includes the group directors of all assurance functions, such as HSSE, Quality assurance, Finance and Risk and Compliance, as well as Internal Audit, representing the third line of defense. The RAC ensures an integrated risk management approach across the assurance functions.

The primary duty of the Risk Management function is to ensure that risk factors are properly identified, evaluated and managed in order for the Company to achieve its strategic goals and objectives. The Risk Management function periodically assesses the effectiveness of SBM Offshore’s risk management, control framework and the Risk Appetite Statement. At least once every year, the Risk framework’s effectiveness is assessed and discussed with the Supervisory Board.

Every quarter, the Risk Management function draws up a risk report that contains information on the most significant risks and incidents. These reports are discussed with the Management Board, the Audit and Finance Committee and the entire Supervisory Board, whereby the Risk Appetite Statement is taken into account. The reports are built on information from the Company’s risk registers maintained by the Company business pillars, interviews with key stakeholders and information from the Company’s Integrity Line. Reported risks and incidents seldom come as a surprise to Management, as the GRCD monitors those on a daily basis, and severe and urgent matters are brought to the attention of the Group Governance and Compliance Officer and the full Management Board immediately if the situation so warrants.

2018 performance

SBM Offshore applied various measures, amongst which:

  • Quarterly Management Operational Review meetings of the Management Board with senior business leadership on financial performance and realization of operational objectives and responses to emerging issues;
  • Quarterly financial reporting to the Management Board and Senior Management;
  • Letters of representation signed by key Senior Management members on a quarterly basis in which they confirm that, for their area of responsibility, the financial reports fairly present the position and results of the Company;
  • Internal Control Over Financial Reporting (ICOFR) assessed by reference to an internationally recognized framework, within which the risk-bearing financial processes are identified and the associated risks and controls are listed in the ICOFR Risk and Control matrices. A periodic review of the matrices is performed to assess the effectiveness of the risk coverage amongst different geographical locations, including a first level review by the Finance function and a second level review performed by Internal Audit;
  • Internal Control Over Systems & IT (ICOSIT) − the IT function, together with Group Internal Audit, reviews the effectiveness of Control Matrices based on the international Control Objectives for Information & related Technology (COBIT) framework;
  • Discussions on management letters and audit reports provided by the Company’s internal and external auditors during SBM Offshore Management Board, Audit and Finance Committee and Supervisory Board meetings;
  • The Risk and Compliance function facilitates a quarterly review by business pillar leadership and the RAC of the most significant risks and provides a consolidated quarterly risk report to the Management Board and the Audit and Finance Committee and the Supervisory Board.

Key Achievements

Strengthening risk management by:

  • Further expanding the integrated Risk Management and Compliance function to ensure cross-Company consistency.
  • The delivery of an integrated risk report from the RAC to the Management Board on a quarterly basis.
  • The Company’s Risk Appetite Statement was reviewed and updated during 2018 in agreement with the Management Board and Supervisory Board.

Future

  • Continue to enhance the quality and practical impact of the risk and control framework via increased efficiency of risk and control reporting.
  • Continue to strengthen risk culture and associated behaviors via communication campaigns and training.