At Tullow, we recognise that effectively managing risks and opportunities is essential to our long-term success. Our ability to identify, assess and successfully manage current and emerging risks is critical in ensuring we achieve our strategic objectives and protect shareholder value.

Risk oversight and governance

A risk-focused culture and a consistent risk management framework are embedded across all levels at Tullow and are driven by the Board. The Board is responsible for overseeing the risk identification, assessment and mitigation process. To this end, the Board undertakes a bi-annual assessment of the risks facing the Company, including those risks that could threaten our business strategy, operating model, performance, solvency and liquidity. Emerging risks are discussed by the Board and the Senior Leadership Team periodically throughout the year.

The Board is responsible for ensuring Tullow maintains an effective risk management and internal control system and works closely with Tullow’s Senior Leadership Team to ensure this is in place. The Senior Leadership Team is collectively responsible and accountable for the risk management process in place across the organisation, with individual members taking ownership for risks that fall in their business area.

Tullow recognises that risk cannot be fully eliminated and that there are certain risks the Board and/or the Senior Leadership Team accept when pursuing strategic business opportunities. Acceptance of risk is made at an appropriate authority level and within Tullow’s defined risk appetite and tolerance levels.

Tullow’s risk governance framework is illustrated below:

Every layer of the organisation is responsible for identifying key risks and managing them in line with our risk appetite (as set by the Board).

Board
  • Oversees identification and assessment of, and response to, principal risks
  • Sets risk appetite
  • Monitors effectiveness of the risk management process
Senior Leadership Team
  • Sets the tone for an effective risk management culture
  • Identifies and assesses principal and enterprise-wide risks
  • Monitors effectiveness of risk management actions for those risks and decides the focus of effort
  • Decides which risks require periodic Board review
  • Provides oversight, support and challenge to the Extended Leadership Team and business functions
Business functions
  • Identifies and assesses business delivery risks and raises these to the leadership team
  • Identifies and assesses respective project risks
  • Ensures effective risk mitigation actions are planned and implemented
  • Monitors effectiveness of risk mitigation and response plans

Principal risks

The Company risk profile has been closely monitored throughout the year, with consideration given to the risks to delivering the Business Plan, as well as whether external factors such as the war in Ukraine, inflationary pressures and oil price volatility have resulted in any new risks or changes to existing risks. The impact of these factors has been considered and managed across all principal risks. The following table represents the Company’s current principal risks.


| No. | Risk category | Risk description |
|---|---|---|
| 1 | Commercial & financial risk | Failure to deliver production targets |
| 2 | Commercial and EHS or security risk | Risk of an asset integrity breach |
| 3 | EHS or security risk | Risk of a major accident event |
| 4 | Stakeholder, commercial and financial risk | Failure to unlock value |
| 5 | Stakeholder and financial risk | Failure to manage geopolitical risks |
| 6 | Climate risk | Failure to manage climate change risks |
| 7 | Financial risk | Risk of insufficient liquidity and funding capacity to sustain and grow the business or failure to deliver a highly cash-generative business |
| 8 | People risk | Failure to develop, retain and attract capability |
| 9 | Ethics and conduct risk | Risk of a compliance or regulatory breach |
| 10 | Cyber risk | Risk of major cyber-attack |