At Tullow, we recognise that effectively managing risks and opportunities is essential to our long-term success. Our ability to identify, assess and successfully manage current and emerging risks is critical in ensuring we achieve our strategic objectives and protect shareholder value.

Risk oversight and governance

A risk-focused culture and a consistent risk management framework are embedded across Tullow at all levels and are driven by the Board. The Board is responsible for ensuring we maintain an effective risk management and internal control system, and it works closely with the Senior Leadership Team (SLT) to ensure this is in place. The Board also oversees the processes we operate to identify, assess and mitigate the risks that could affect our business, including those risks that could threaten our strategy, operating model, performance, solvency and liquidity.

The Audit Committee is responsible for overseeing the process to identify principal and emerging risks and ensuring that they are managed effectively. The Audit Committee is also responsible for overseeing our internal audit programme and, with the support of the SLT, undertakes an annual review of the effectiveness of the internal controls we implement. The latest review was undertaken in February 2024 and reported to the Audit Committee and the Board on 28 and 29 February, respectively.

The SLT is collectively responsible and accountable for the risk management processes that operate across Tullow, with individual members taking ownership for risks that fall in their business area.

Tullow’s risk governance framework is illustrated below.

Risk management framework

Our risk management framework takes a ‘top-down, bottom-up’ approach and is embedded throughout Tullow. This structure ensures ownership and responsibility for identification, assessment and management of key risks and opportunities at all levels of the Company. Our risk governance framework is set out below.


Board

  • Sets risk appetite.
  • Oversees identification, assessment of and response to principal risks.
  • Monitors effectiveness of risk management process.

Audit Committee

  • Oversight of risk management and internal control processes.
  • Oversees independent, objective and competent internal audit function.
  • Oversight of compliance with legal, ethical and regulatory expectations.

Senior Leadership Team

  • Sets tone for an effective risk management culture.
  • Identifies and assesses principal risks.
  • Determines principal risk mitigation actions and monitors their effectiveness.
  • Oversees and supports business leadership’s risk identification processes and challenges their risk assessments.

Business management

  • Identifies risks.
  • Implements controls to manage and mitigate risks.

First line of defence
(ownership and management)

Business leadership

  • Sets framework and embeds effective risk management practices.
  • Challenges business management on risks identified and their management.
  • Monitors compliance with fundamental standards.
  • Undertakes regular reviews.

Second line of defence
(risk management oversight)

Internal audit

  • Undertakes risk-based internal audit reviews of governance and internal controls across all levels of the Group.
  • Identifies areas for improvement and monitors implementation of actions to address them.

Third line of defence
(independent assurance)

Our principal risks

During the year, the Company’s risk profile has been closely monitored. The external economic and political landscape, including the war in Ukraine, inflationary pressures and oil price volatility, has not resulted in any new risks or material changes to existing risks.

Our assessment of the likelihood of our principal risks occurring and the potential impact after taking into account the risk management processes and mitigation actions we implement is summarised below.

1. Business plan not delivered
  Category: Strategy
2. Asset integrity breach
  Category: Health & safety and security
3. Value not unlocked
  Category: Strategy
4. Geopolitical risk
  Category: Stakeholder and Financial
5. Climate change
  Category: Stakeholder
6. Major accident event
  Category: EHS
7. Insufficient liquidity and funding capacity to sustain business
  Category: Financial
8. Capability cannot be attracted, developed or retained
  Category: Organisation
9. Compliance or regulatory breach
  Category: Conduct
10. Major cyber-disruption
  Category: Cyber