lunedì 3 dicembre 201826 October 2018

THE RISK MANAGEMENT APPROACH IN SAIPEM

226 October 2018

TABLE OF CONTENTS

1 Enterprise Risk Management

2 Industrial Risk Management

326 October 2018

ENTERPRISERISK MANAGEMENT

INDUSTRIAL RISK MONITORING AND REPORTING

RISK MANAGEMENTAND BUSINESS INTEGRITY

CEO

Enterprise Risk

Management

Industrial Risk Management

ENTERPRISE RISK MANAGEMENT

TOP-DOWN approach

FOCUS on Strategic, External, Operational Group Risks

PROJECT RISK MANAGEMENT BOTTOM-UP approach

FOCUS on Project Risks

RISK MANAGEMENT

ENTERPRISE

Risk assessment aimed at identifying, evaluating, and managing the risk at Group level(Corporate and 5 Divisions)

Monitoring of top risks identified in the assessment phase and measurement oftreatment actions undertaken

Risk assessment finalised to identify, evaluate and manage the Top Risks of mainsubsidiaries

INDUSTRIAL

Risk Assessment on projects, either in commercial or execution phase, guaranteeing acorrect assessment of risks/opportunities and contributing to the identification ofactions for their optimal management

Development and updating of Risk and Opportunity Breakdown Structure and GoldenRules and Silver Guidelines

Enhancing the Knowledge Capitalisation on project risks

RMBI

DRILLING OFFSHORE RISK MANAGEMENT

E&C ONSHORERISK MANAGEMENT

DRILLING ONSHORE RISK MANAGEMENT

E&C OFFSHORE RISK MANAGEMENT

XSIGHTRISK MANAGEMENT

RISK MANAGEMENTOrganisation and focus areas

426 October 2018

ENTERPRISE RISK MANAGEMENTTable of Contents

1

2 Risk Assessment

3 Top Risk Monitoring

4 Subsidiary Risk Assessments

Saipem Enterprise Risk Management Model

526 October 2018

SAIPEM ENTERPRISE RISK MANAGEMENT MODELProcess

The Enterprise Risk Management process is characterised by a ‘top-down’ and ‘risk-based’ approach. According to the process, the risks areidentified, assessed, and analysed by the management in relation to their ability to affect the achievement of management and strategicobjectives and, therefore, to influence corporate value

Subsidiary Risk Assessments performed on 21 subsidiaries via workshops with the local Top Management teams Subsidiary Risk Assessments are approved

twice a year by each Subsidiary’s Board of Directors

At Division level: Analysis of Division’s top risks Identification of risk treatment plan Proposal of strategic initiatives to mitigate

risks

The Board of Directors approves Saipem’s Strategic Plan

Identification of scope and depth of the Risk Assessment activities Identification and evaluation of the main

events and factors that could affect the organisation and the achievement of its strategic objectives Definition of a Risk map for Each Division Top Risk map approved twice a year by the

Saipem Board of Directors

3a

1

2c

2a

Division Managers in proposing their new strategies to the Saipem Board of Directors highlight the risks such new strategies are mitigating

3b

Enterprise Risk

Management

Monitoring: the top risks the implementation of risk treatment plan the emerging risks

2b

33

11

22

Saipem Strategic Plan

Risk Assessment

&Monitoring

New Strategy definition

626 October 2018

Scope and activities at Group levelENTERPRISE RISK ASSESSMENT

BoDBoD

Audit & Risk Committee

Audit & Risk Committee

Board of Statutory Auditors

Board of Statutory Auditors

CEOCEO

Advisory CommitteeAdvisory Committee

Heads of Division. CFO, Corporate DirectorsHeads of Division. CFO, Corporate Directors

Key ManagersKey Managers

Risk AssessmentMeetings ReportingScope Definition

Group Risk Assessment

Phas

es

Identification, assessment and management of risks, their causes, consequences, and treatment activities

Analysis and consolidation of Top Risks

Analysis of Top Risks

Analysis and approval of Top Risks and Risk Management Strategy

ScopeDefinition

Internalenvironment

analyses

External environment

analyses

Analysis of Strategic Plan and

Technology Development

Plan

Risk Clustering

Approval of risks by Head of Division, CFO and Corporate Directors

2018 Goal Model

726 October 2018

• The risk event(1), defined as any potential event that may adversely affect the achievement of strategic objectives and managementobjectives, is identified by mapping relevant causes, consequences, and treatment activities

• Risks are assessed in terms of likelihood and impact and their combination generates the level of risk (or scoring)(2)

• Risks are classified in 3 tiers on the basis of the scoring and position on the Likelihood-Impact Matrix

• Assessments on likelihood and impact are performed at inherent level (not considering the treatment actions already in place), atresidual ‘AS IS’ level (considering the treatment actions in place) and, only for Top Risks, at residual ‘TO BE’ level (considering thetreatment actions proposed by management)

ENTERPRISE RISK ASSESSMENTRisk Assessment methodology (1/2)

(1) Risk’s nature can be: strategic, operative and external(2) Likelihood and impact are assessed on a scale of 1 to 5; risk scoring is determined on the basis of the result of the multiplication between likelihood and impact (scale

from 1 to 25): Risks in the squares ‘Rare – Extreme’ (1X5), ‘Unlikely – Extreme (2x5)’ and ‘Rare – Very Relevant (1x4)’ are included in the most relevant tier through a multiplicative factor respectively of 2.4 , 1.4 and 1.75

LIKELIHOOD

(1) Rare (2) Unlikely (3) Moderate (4) Likely (5) More than likely

IMPA

CT

Negligible (1)

Significant (2)

Relevant (3)

Very Relevant (4)

Extreme (5)

Likelihood x Impact Matrix The orange areas of the matrixidentify the more relevant areas,renamed respectively areas of tier 1and tier 2

Positioning of the inherent risk into the matrix(the example shows a risk evaluated at inherent level as likelihood ‘5 - more than likely’ and impact ‘4 - very relevant’: risk scoring: 20)

Positioning of the residual ‘AS IS’ risk into the matrix (the example shows a risk evaluated at residual ‘AS IS’ level as likelihood ‘3. moderate’ and impact ‘3. relevant’: risk scoring: 9)

Tier 1

Tier 2

Tier 3

Positioning of the residual ‘TO BE’ risk into the matrix (the example shows a risk evaluated at residual ‘TO BE’ level as likelihood ‘2 – unlikely’ and impact ‘1 – negligible’: risk scoring: 2)

826 October 2018

• Each Key Manager / Risk Owner assesses the risk event identified in terms of likelihood and impact (using at least one of the drivers)

• Each impact driver is discussed and shared with the relevant Saipem functions before Annual Risk Assessment

Image and Reputation

1. Impact on clients / partners2. Impact on financial stakeholders 3. Public opinion and mass media concern4. Impact on web and social networks

Descriptive / qualitative

1. Management commitment 2. Review of strategies

Security

Environment 1. Polluting effects

Health & Safety1. Effects on health 2. Injuries and fatalities

Economic - EBITDA 1.EBITDA decrease(tailored for the Group and Divisions)

Impact drivers

Likelihooddrivers

Event occurrence in the last 3 years

Event occurrence in the next 3 years

Event occurrence frequency

Social Impacts

1. Local employment, economy, and development2. Human and labour rights, culture and identity of

a local community3. Political-institutional framework and local

community structure4. Occupation of land5. Access to critical infrastructures and essential

services

Likelihood x Impact Matrix (1)

1. Impact on employees inside and outside sites2. Impact on assets and sites

(1) Rare (2) Unlikely (3) Moderate (4) Likely (5) More than likely

Negligible (1)

Significant (2)

Relevant (3)

Very Relevant (4)

Extreme (5)

Financial - Cash Flow 1.Cash flow decrease(tailored for the Group and Divisions)

ENTERPRISE RISK ASSESSMENTRisk Assessment methodology (2/2)

(1) Likelihood and impact are assessed on a scale from 1 to 5. Risk scoring is determined on the basis of the result of the multiplication between likelihood and impact (scale from 1 to 25). Risks in the square 'Rare – Extreme' (1X5), 'Unlikely – Extreme’ (2x5) and 'Rare – Very Relevant’ (1x4) are included in the most relevant tier trough a multiplicative factor respectively of 2.4 , 1.4 and 1.75.

926 October 2018

TOP RISKS MONITORINGScope and activities

MONITORING CYCLE PLAYERS

Enterprise Risk Management team advises on indicators and analyses the results of indicators

Detection Owners ensure timely data to update the indicators

Risk Owners review and analyze the monitoring results

OUTPUT

Top Risks Monitoring Report issued on a

quarterly basis for the Top

Management, Committees and Board of

Directors

2. Identification of Key Risk

Indicators and Key Control Indicators

3. Data Collection:

Indicators and progress of

treatment actions

1. Identification of Top Risks, as

arisen during Risk Assessment at Corporate and Division level

4. Risk Owner’s approval and

quarterly issue of Top Risks Monitoring

Report

1

4

2

3Enterprise

Risk Management

teamRisk

Owners

DetectionOwners

1026 October 2018

Positive NegativeNeutral

Trend RatingThe rating is assessed according to the thresholds identifiedwith risk owner or other considerations (such as budget)

The combination of trend and rating generates the indicator status, which is associated to a scoring

For each risk all indicators are weighted according to their relevance and this generates the arrow’s position (i.e. status) in the risk status tachymeter

The trend is assessed on the basis of former survey

Status

TOP RISKS MONITORINGMethodology

Risk monitoring status tachymeter

Actual risk monitoring status

Former riskmonitoring status

Improving WorseningStable

1126 October 2018

Scope and activitiesSUBSIDIARIES RISK ASSESSMENT

The strategically relevant subsidiaries in the 2018/19 EnterpriseRisk Management scope are 21, which have been identified onthe basis of quantitative parameters (i.e. revenues, purchases,fixed assets, debts and workforce) or qualitative parameters(i.e. on the basis of indications from the management)

SCOPE MAIN ACTIVITIES

1226 October 2018

INDUSTRIAL RISK MANAGEMENTTable of Contents

1 Overview

2 Risk Appetite Framework (RAF)

3 Bid Complexity Index (BCI)

4 Golden rules and silver guidelines (GR&SG)

5 Project Risk Management (PRM)

6 Corporate monitoring and Reporting

7 Why is it so important?

1326 October 2018

Bid Complexity Index (BCI)Scoring Model based on Evaluation Criteria and thresholds that trigger processes/actions

Golden Rules and Silver Guidelines (GR&SG)

Set of rules collecting and summarizing the multi-year experience of Saipem as an international Oil & Gas contractor in order to manage and address contractual issues.

Risk Appetite Framework (RAF)The amount of risk, on a broad level, Saipem is willing to accept in pursuit of value.

Project Risk Management (PRM)Management of Project risk, defined as "an uncertain event or condition that, if occurring, may have a positive or negative effect on a project’s objectives”.

In Saipem IRM is based on four pillars

IRM Pillars

INDUSTRIAL RISK MANAGEMENTAn overview

1426 October 2018

Risk Appetite

Risk Tolerance

Risk Capacity

Risk Appetite:The amount of risk, on abroad level, an entity iswilling to accept in pursuitof value.

Risk Tolerance:The amount of risk, on abroad level, an entity isunwilling to exceed.

Risk Capacity:Maximum level of risk anentity is able to address.Market Environment

Off-strategy risks¹ On-strategy risks²1 Off-strategy risks are risks the Board and Management have no appetite to assume2 On-strategy risks are risks the Board and Management are willing to accept

Investments Board Approval required

ContractualDiscipline

Golden Rules framework and deviation authority

FinanceAs detailed in Golden Rules (Company Payments and Client Credit

Worthiness)

Contract Duration Maximum Contract Duration

Expected Marginality

Yearly target marginality set for each BU

Portfolio Balanced portfolio in terms of Country and Client

It acts on:

RISK APPETITE FRAMEWORK (RAF)

1526 October 2018

A + B + C + D + E = 220!! Complex Project!

It acts on:

COMMERCIAL PHASE

EXECUTION PHASE

BCI ≥ X1 PEER TO PEER MEETING (1)

BEFORE THE FORMAL SUBMISSION OF THE

PROPOSAL

BCI ≥ X3 CHECK & BALANCE (2)

QUARTERLY, BEFORE RISK REGISTER TRANSMITTAL TO PROJECT CONTROL

BCI ≥ X2 BID EVALUATION COMMITTEE

PROJECT MANAGER(Supported by the RISK MANAGER)

AWARD

PROPOSAL MANAGER(«Bid Manager»)

(1) Peer-to-peer meeting aimed at consolidating the risk register and related project risk profile; attended by representatives of Commercial and Execution departments

(2) Check and Balance meeting aimed at controlling the implementation of Industrial Risk Management Activities and validation of the Risk Register

BID COMPLEXITY INDEX (BCI)

1626 October 2018

Best Practices transferred into essential rules whose waiver could jeopardize Saipem’s interests and

goals.

Specific Procedure to be followed in order to derogate.

RULE CODE GENERAL AREA

SPECIFIC ISSUE GUIDELINE NOTES / SUGGESTED WORDING DEVIATION BY

ON C G 07 04 Execution Risks

Site Avoid responsibility fordelays and extra costsdue to archaeologicalfindings / artificialphysical obstructions.

“If during the execution of the Workthe Contractor shall encounterarchaeological findings / artificialphysical obstructions differing fromthose set forth in the Contract, theContractor shall forthwith givewritten notice thereof to theCompany and the Company shall issuea Variation Order to properly takeinto account the relevant impact incost and/or schedule caused to theContractor by reason of such differingconditions”.

UNWAIVABLE

CEO (Bid EvalutationCommittee)BCI ≥ X1

DIVISION MANAGER

PRODUCT LINE MANAGER

PROPOSAL MANAGER

GOLDEN RULES

SILVER GUIDELINES

MANDATORY

STRONG RECCOMENDATION

…the more useful, the more the commercial process is decentralized

For Commercial phase and partnership, Saipem has identified:Golden Rules with exceptions formally authorized by the Top Management.

It acts on:• COMMERCIAL PHASE• PARTNERSHIP ON

PROJECTS

GOLDEN RULES & SILVER GUIDELINES (GR&SG)

1726 October 2018

The continuous process of identifying, analysing and

responding to project risks.

RISK MANAGEMENT

MANAGEMENT OF RISKS, NO elimination of risks, as this would eliminate the reward

Project risk is an uncertain event or condition that, if occurring, may have a positive or negative effect on one or more project objectives such as scope, schedule, cost, and

quality.

RISK: Uncertainty that Matters

(PMI, PMBOK 5th Edition)

RISKS ≠ ISSUES

It acts on:

Commercial phase• Definition of a complete and transparent risk register including all risks identified during

commercial phase, both for commercial and execution phase.• Evaluation of each risk,• Launch of the Monte Carlo Simulation in order to identify a minimum level of contingencies

to be taken into consideration in the final price before the offer submission.

Cumulated Probability

Expected Cost due to Occurred Risks

0%

20%

40%

60%

80%

100%

0 50 100 150 200 250 300

Pxx

YYMln€

P100

Cumulated Probability of theoverall Project R&O

Execution phase

• Updating the risk register with new risks identified during the execution of the project.• Comparing the level of contingencies with the Monte Carlo curve in order to identify the

Risk Coverage and the Value at risk of the project.

PROJECT RISK MANAGEMENT (PRM)

1826 October 2018

Controlling the Process Monitoring the Risk Profile

Providing Management Tools

Other analyses

Controlling the processthrough high level indicators:

Are we covering ourbacklog?

Is the information up-to-date, Complete and/orreliable?

Are we following theapplicable procedures?

Monitoring the risk profile interms of:

Is the portfolio balanced? How is the risk profile

moving? Do we have enough

contingencies?

RISK COVERAGE (RC): Risk Coverage (RC) is the confidence level that Contingencies will be enough to cover the impacts of all the risks occurring on the Project/Portfolio, or, in other words, the probabilityfor the Project/Portfolio to meet the current Margin forecast.RISK EXPOSURE (RE): Risk Exposure (RE) is equal to 1-RC and represents the probability for the Project/Portfolio not to meet the Current Gross Margin ForecastValue At Risk (VAR): Value at Risk (VAR) is theresidual (i.e. not covered by Contingencies) risks impact that the Project/Portfolio could face within a confidence level of xx%.

What are the types of riskmostly impacting theProject/Business Unit?

Are they incidental orsystemic?

Who has the levers tohelp my project?

Are there any biases affecting our evaluations?

CORPORATE MONITORING AND REPORTING

1926 October 2018

• Projects are presented with their economic and financial elements (revenues, costs, contingencies, k, cash flow)

• To complete the PICTURE, risks and opportunities are needed to define:• the GROSS MARGIN CONFIDENCE LEVEL which

represents the probability to meet the margin forecast

• The VALUE at RISK

To COMPLETE the Project Framework• The market scenario is increasingly challenging (few projects to

focus on, with competition that is now up to Saipem’s standards)• Projects are remunerated for the underlying risk profile• Risk management, both in the commercial and in the execution

phase, is of FUNDAMENTAL importance in the market in which Saipem operates• to take the projects at best - Commercial phase• to protect the margin during the whole Execution Phase

To Help DERISK the BUSINESS MODEL

+ Revenues- costs- contingencies= margin

risk

s

oppo

rtun

itie

s

WHY IS IT SO IMPORTANT?