3.7.2Design and Effectiveness of the Internal Risk Management and Control System

management approach

SBM Offshore is continuously exposed to a number of factors that could potentially affect its operational and financial performance. The primary duty of the Risk Management function is to ensure that those risk factors are properly identified, evaluated and managed in order for the Company to achieve its strategic goals and objectives.

SBM Offshore recognizes the importance of internal control and risk management systems. The effectiveness of SBM Offshore’s risk management and control framework is periodically assessed and amended to ensure stakeholders’ value protection.

The framework’s effectiveness, as well as significant changes and improvements, are regularly reported to, and discussed with, external auditors and SBM Offshore’s Audit and Finance Committee; the latter reports on these subjects to the Supervisory Board on a yearly basis.

The identification, assessment and management of risk are considered management’s responsibility and are carried out with the support of dedicated resources integrated into the Company’s main business areas. Under the leadership of the Group Risk and Compliance Director, the business area risk and compliance officers bring the necessary skills in challenging and advising the business on identifying and properly managing risks associated with businesses operations and core processes. The Risk Assurance Committee (RAC) reviews the most significant risks faced by the company and the relevant control measures to mitigate them on a quarterly basis.

2017 performance

To comply with duties in the area of internal risk management and control systems with respect to financial reporting risks, SBM Offshore continues to use various measures among which:

• Quarterly Management Operational Review meetings of the Management Board with Regional Center senior management on financial performance and realization of operational objectives and responses to emerging issues;
• Quarterly financial reporting to the Management Board and senior management;
• Letters of representation signed by key senior Management members on a quarterly basis in which they confirm that for their responsible area, the financial reports fairly present the position and results of the Company;
• Internal Control Over Financial Reporting (ICOFR) assessed within the framework; the risk bearing financial processes are identified and the associated risks and controls listed in the ICOFR Risk and Control matrices. A periodic review of the matrices is performed to assess the effectiveness of the risk coverage amongst different geographical locations including a 1^st level review by the Finance Function and a 2^nd level review performed by Internal Audit;
• Internal Control Over Systems & IT (ICOSIT) - the IT function together with Group Internal Audit review the effectiveness of Control Matrices based on the international COBIT (Control Objectives for Information & related Technology) framework;
• Discussions on management letters and audit reports provided by the Company’s internal and external auditors within SBM Offshore Management Board, Audit and Finance Committee and Supervisory Board;
• The RAC reviews the most sigificant risks facing the company and provides a consolidated quarterly risk report to the Management Board.

Key Achievements

Reinforcing and consolidating the performances of the Company’s risk management and control framework by:

• Further strengthening of the integrated Risk and Compliance department to ensure cross-company consistency.
• The role of the RAC has been further defined by internal publication of a formal written charter as per latest COSO ERM Framework to strengthen guidance to the RAC on objectives, roles and responsibilities. The Committee includes the group directors of all 2^nd line of defense functions, plus Group Internal Audit, representing the 3^rd line of defense. The RAC has during 2017 reviewed its integrated risk management methodology, approach and framework towards assurance across the different assurance functions. The plan for integrated audits has been further refined to optimize assurance activities carried out by 2^nd and 3^rd lines of defense, to minimize business disruption.
• The Company’s Risk Appetite Key Risk Indicators (KRIs) were revised during 2017 in agreement with the Supervisory Board and the Management Board. The aim was to achieve a more focused approach on fewer reported KRIs, to enable concentrated focus on higher impact risk areas.

Future

• Improve efficiency of reporting by more in-depth benchmarking of internal risk reports versus business risks and Company strategy
• Continue to strengthen risk culture and associated behaviors via communication campaigns and training.