3.6.2 Design and Effectiveness of the Internal Risk Management and Control System

Management approach

SBM Offshore is continuously exposed to a number of factors that could potentially affect its operational and financial performance. The primary duty of the Risk Management function is to ensure that those risk factors are properly identified, evaluated and managed in order to achieve the Company’s strategic goals and objectives.

SBM Offshore acknowledges the importance of internal control and risk management systems. Therefore, a framework has been established and implemented to properly manage Internal Controls Over Financial Reporting (ICOFR), which is based on the Committee of Sponsoring Organizations of the Treadway Commission (‘COSO’) model and in line with ISO 31000. The effectiveness of SBM Offshore’s risk management and control framework is periodically assessed and strengthened to ensure stakeholders’ value protection.

The framework’s effectiveness, as well as significant changes and improvements, are regularly reported to and discussed with external auditors and SBM Offshore’s Audit Committee; the latter reports on these subjects to the Supervisory Board on a yearly basis.

The identification, assessment and management of risk are considered management’s responsibility and are carried out with the support of dedicated resources integrated into the Company’s main business areas. Under the leadership of the Group Risk and Compliance Director, the allocated officers bring the necessary skills to challenge and advise the business in identifying and properly managing risks associated with business operations and core processes.

2016 performance

To comply with its duties in the area of internal risk management and control systems with respect to financial reporting risks, SBM Offshore continues to use various measures, including:

  • Bi-quarterly Management Operational Review meetings of the Board of Management with Regional Centers senior management on financial performance and realization of operational objectives and responses to emerging issues;
  • Quarterly financial reporting to the Board of Management and senior management;
  • Letters of representation signed by key senior Management members on a quarterly basis in which they confirm that, for their area of responsibility, the financial reports fairly present the position and results of the Company;
  • ICOFR assessed within the framework; the risk-bearing financial processes are identified and the associated risks and controls listed in the ICOFR Risk and Control matrices. A periodic review of the matrices is performed to assess the effectiveness of the risk coverage amongst different geographical locations, including a 1st level review by the Finance Function and a 2nd level review performed by Internal Audit;
  • Discussions on management letters and audit reports provided by the Company’s internal and external auditors within SBM Offshore Board of Management, Audit Committee and Supervisory Board;
  • Internal Guidelines on Ethical Business Conduct.

Key Achievements

Reinforcing and consolidating the performance of the Company’s risk management and control framework by:

  • Amalgamation of the Risk and Compliance departments
  • Establishment of the Risk Assurance Committee (RAC). The Committee includes the group directors of all 2nd line of defense functions, notably HSSE, Risk and Compliance, Internal Control and the Group Execution Office functions, represented by Quality Assurance, Product Regulatory Management and Asset Integrity. Group Internal Audit, representing the 3rd line of defense, is a standing invitee to the RAC. The RAC has developed an integrated risk management methodology, approach and framework towards assurance across the different assurance functions. A plan for integrated audits has been developed to streamline assurance activities carried out by 2nd and 3rd Lines of Defense, while minimizing business disruption and costs.

Future

  • Further grow the maturity of the Company’s enterprise risk management by development and deployment of an Integrated Assurance Framework across the Company’s assurance functions
  • Update of Governance, Risk and Compliance Charter accordingly, as per latest applicable COSO ERM Framework to strengthen guidance to the RAC on objectives, roles and responsibilities
  • Improve efficiency of reporting by more in-depth benchmarking of internal risk reports versus business risks and Company strategy
  • Continue to strengthen risk culture and behaviors by means of a communication campaign and training.