Together, our organisational structures, processes, standards, values and behaviours form a robust integrated internal control system that helps proactively manage our key risks.

Risk oversight and governance

The Board is responsible for providing strategic oversight of the Company and ensuring Tullow maintains an effective risk management and internal control system. As part of that system, the Board sets the tone for risk management: it agrees our principal risks and annually determines our risk appetite and mitigation strategies for each key risk. It is then the responsibility of Tullow’s leadership teams to oversee and manage the risks that fall under their remit.

Tullow’s governance framework is illustrated below:


Board

  • Oversees identification, assessment and response to principal risks (annual planning)
  • Determines risk appetite
  • Monitors effectiveness of risk management process (delegated to Audit Committee)

Management team

  • Identifies and assesses enterprise risks and principal risks
  • Monitors effectiveness of risk reduction actions for those risks
  • Monitors risk portfolio with a deep-dive into selected key risks (quarterly)
  • Decides which enterprise risks, in addition to principal risks, require the Board to periodically review in detail

Business leadership

  • Ensures compliance with standards set by Heads of functions
  • Identifies and assesses their respective business delivery risks (at least annually)
  • Ensures effective risk mitigation actions are planned
  • Monitors effectiveness of risk mitigation and response plans (quarterly)

Heads of functions

  • Set standards for managing risks in their respective functional areas
  • Identify and assess their respective corporate risks (at least annually)
  • Ensure effective risk mitigation actions are planned
  • Monitor effectiveness of functional risk mitigation and response plans (quarterly)

Principal risks

A summary of Tullow’s principal risks is set out below. Detailed risk descriptions, including their potential mitigations, can be found in our 2019 Annual Report & Accounts. Internally, the Group monitors and mitigates a more substantive list of risks; those listed below are the risks that, at the time of publishing our 2019 Annual Report, were considered the most important of those that could threaten our business strategy, operating model, future performance, solvency and liquidity. Our principal risks and risk reduction actions are monitored and assessed on an ongoing basis.

Risk description

Strategy risk

  1. Inability to make new significant oil discoveries and replenish exploration and subsurface portfolio
  2. Failure to deliver commercially attractive and timely development projects

Stakeholder risk

  3. Disruption to business due to political / regulatory influence in Ghana

Climate change risk

  4. Impact on business and strategy resulting from climate change

EHS or security risk

  5. Major process safety, EHS incident or production failure on FPSOs

Financial risk

  6. Insufficient liquidity and funding capacity

Organisation risk

  7. Organisation model, people strategy and culture do not support strategy

Conduct risk

  8. Major breach of business conduct standards

Cyber risk

  9. Major cyber or information security incident