Assessing, Understanding
and Managing Our Risks
Strong ESG performance requires a strong risk-identification and mitigation process. Through our comprehensive Enterprise Risk Management (ERM) program, Chesapeake takes an orderly approach to identifying, assessing and managing ESG-related risks.
Risk Management Process
1
Identification
2
Assessment
3
Evaluation
4
Mitigation or Treatment
5
Monitor and Report
We use the Three Lines of Defense as our framework for risk management, helping to ensure all employees play a role in risk identification and mitigation.
The Three Lines of Defense Model
Business Plans and Strategy
1st Line of Defense
Operational and Service Groups
2nd Line of Defense
Internal Controls Group
3rd Line of Defense
Internal Audit, reports to the Board’s Audit Committee
- The first line of defense begins at the department and business unit level to identify and control risks at the front lines of the organization. Internal risk owners — senior managers and subject matter experts from across the company — regularly review and assess the company’s risks as part of our ERM process. We also host an annual risk survey during which we ask employees throughout the organization to review existing risk drivers and identify emerging risks.
- The second line of defense, our Internal Controls group, provides impartial enterprise risk and compliance analyses.
- The third line of defense is our Internal Audit Department, an independent and objective assurance group that reports directly to the Board’s Audit Committee. The department uses a standardized, objective process to identify risk-based audits of department and business unit controls and processes.
On a quarterly basis, members of our Internal Audit and Internal Controls teams and risk owners review all identified enterprise-level risks according to our four risk-measurement characteristics.
Risk-Measurement Characteristics
When identifying enterprise-wide risks, we measure risk severity based on a set of characteristics:
- Impact: The expected effects of a risk on an organization
- Likelihood: The potential for a risk to occur in various scenarios
- Velocity: The speed at which a risk could impact an organization
- Response Maturity: An evaluation of the controls and response plans already in place to mitigate a risk
Enterprise risks are also regularly evaluated by our executive team and Board. We provide quarterly ERM updates to our Board Audit Committee and ESG-related risks are shared with the Board’s ESG Committee. This comprehensive reporting allows Board committees to analyze the company’s material risks and direct business strategies accordingly.
Risk Mitigation
If it’s determined that a risk requires mitigation, management develops and executes specific plans to reduce the risk to an acceptable level. Mitigation options include adopting or enhancing corporate policies and procedures, contingency plans, insurance policies, technologies or hedging strategies.
Business Continuity
Our business continuity and disaster recovery programs are examples of Chesapeake’s enterprise-level, risk-mitigation controls. Through these programs, a cross-functional task force assesses the business impacts of certain risks and develops response and recovery plans to reduce potential interruptions.
The objective of our business continuity program is to protect employees and maintain operations during sustained incidents such as natural disasters, pandemics and other disruptive events. Our current business continuity strategies cover 38 critical business processes.
We have standing, multidisciplinary Business Continuity and Emergency Response teams. Emergency Response regularly conducts drills and exercises to assess material risks and our response capabilities. Additionally, Continuity of Operations plans have been implemented for all field operations. We also work with emergency responders, governmental agencies and other key stakeholders to ensure our preparedness, tailoring plans to each of our operating areas.
