Assistant Director
Division of Corporation Finance
Securities and Exchange Commission
Washington
DC 20549
USA
Privileged and confidential
By Hand
Dear Mr Schwall
I refer to your letter of 19 July and your recent conversations with our counsel Kathryn Campbell of Sullivan & Cromwell. As you are aware we are currently in the process of putting together our response to the Staff’s letter, which we expect to submit on August 13, 2010. However, in the interim you have asked for copies of the report from our General Auditor which contributed to the Board’s annual review of the company’s system of internal control, as referred to in Comment 1 of your letter.
In accordance with what we understand to be the Staff’s policy with respect to requests for confidential treatment of responses to the Staff’s comment letters, we are submitting two separate letters in response to the Staff’s comments. This letter contains confidential information of BP and is submitted to the Staff on a confidential basis. Concurrent with the submission to you of this letter, confidential treatment is being requested under the Commission’s rules. Accordingly, this response letter is being filed by hand and not via EDGAR. The other letter being submitted does not contain confidential information of BP and therefore is not submitted on a confidential basis.
2
6 August 2010
Mr H Roger Schwall
I am enclosing for the confidential information of the Staff, the following documents which were considered by the members of the Audit Committee (MBAC) and the Safety, Ethics and Environment Assurance Committee (SEEAC) in January 2010 in connection with the Board’s annual review of the effectiveness of the Group’s system of internal control: (i) The 2009 Annual Report on BP’s System of Internal Control (the “Internal Control Report”); and (ii) a note, “The Board’s Process for Reviewing the Effectiveness of Internal Control.
These documents were prepared for internal use and are presented in a format which is well understood by management and the directors. However, we appreciate that these documents may not be that easily understood by persons outside the company. We would be happy to discuss with you either by telephone or in person, the structure of these documents and how they relate to the Board’s overall consideration of risk and to the disclosure of risks in our Annual Report on Form 20-F.
Set out below is our response to Comments 1 and 2 of your letter.
1. We note your disclosure on page 70 that in January 2010, a joint meeting of the audit and the safety, ethics and environment assurance committees of the board reviewed reports from a general auditor as part of the board’s annual review of the company’s system of internal control. The reports described the significant risks identified across the group and highlighted remedial actions taken by management in response to significant failings and weaknesses identified. Please provide copies of such reports to us. In addition, please tell us what consideration you gave to identifying such risks in your annual report on Form 20-F for the fiscal year ended December 31, 2009.
Response:
Combined Annual Report and Form 20-F
BP prepares a combined UK Annual Report and Report on Form 20-F. Our Form 20-F therefore includes various disclosures required to be included in our UK Annual Report. A summary of the process conducted by the Board for its annual review of the effectiveness of the system of internal control is required by the UK Combined Code on Corporate Governance (the “UK
3
6 August 2010
Mr H Roger Schwall
Combined Code”) and is included on page 70 of the Form 20-F. The review of the Internal Control Report at the joint meeting of the MBAC and SEEAC is part of this process1. The disclosures on page 70 are intended to describe how the Board discharges its responsibility for reviewing the effectiveness of the company’s system of internal control (as required by the UK Combined Code), rather than to disclose specific risks. In relation to the disclosure of the significant risks facing the group, these are described in the section on Risk Factors in the Form 20-F (from page 14 of the Form 20-F).
The Board’s overall consideration of risk
In its overall consideration of risk, the Board (and its committees) review and challenge to their satisfaction the identification and evaluation of significant group risks and the company’s responses to them in reviewing reports from management throughout the year. Material group risks are described within three main categories namely: strategic risks, operational risks and compliance and control risks. Within these three main risk categories, management utilises 12 group risk categories to manage and report the company’s significant risks which are then disclosed as 20-F Risk Factors. For example, the risks related to the Risk Factors, “process safety” and, “personal safety” in operational risks are managed and reported within the group risk
category, “Material safety or environmental incident”.
Purpose of the Internal Control Report
The purpose of the Internal Control Report is to contribute to the process conducted by the Board for its annual review of the effectiveness of the system of internal control. This Report utilises the same 12 group risk categories within the same three main risk categories to summarise the results of internal audit work performed on aspects of the system of internal control and management’s actions to remedy any gaps identified in that work. Disclosure about management’s action to remedy “significant weaknesses and failings” is required by the UK Combined Code.
1 The UK Combined Code disclosure requirements on internal controls and how the Internal Control Report fits in to the Board process for compliance with these requirements, are described in greater detail in the attached note, “The Board’s Process for Reviewing the Effectiveness of Internal Control”.
4
6 August 2010
Mr H Roger Schwall
When considering how the Internal Control Report content might contribute to the Risk Factor disclosures, it is important to note that the purpose of the Internal Control Report is not to identify or document significant risks, but to report on audit work performed on the system of internal control (which system includes the management of significant risks). It is only one of a number of reports that might contribute to the disclosures on internal control.
All the work undertaken during the year by the MBAC and SEEAC in engaging with management, the General Auditor and other monitoring and assurance providers (such as the Group Compliance & Ethics Function, the Safety & Operations Function, the Safety & Operations Audit Function and the Group Control testing function) contributes to the Board’s review of the effectiveness of the system of internal control.
Risk Factors and their relationship to the Internal Control Report
All the gaps identified in the Internal Control Report relate to the management of risks covered by the disclosed Risk Factors and are organised by the same three main risk categories and the 12 group risk categories.
It should be noted that since the Internal Control Report provides a “snapshot” of the gaps identified in the system of internal control (typically as a result of recent internal audit work) that have not yet been addressed by management (and those addressed by management but not yet reviewed by internal audit for closure) as at the year end, it does not identify all significant risks of the company, or highlight gaps that have been closed by the year end.
2. We also note your disclosure on page 70 that you have in place a system of internal controls for managing risks, including environmental risks. In light of the Deepwater Horizon accident, please expand your disclosure to describe such internal controls.
Response:
The disclosure on page 70 of the Form 20-F states: “[This process enables the board and its committees to consider] the system of internal controls
5
6 August 2010
Mr H Roger Schwall
being operated for managing significant risks, including social, environmental, safety, ethical and compliance risks, throughout the year”. In your letter you ask that we expand on our disclosure relating to the company’s internal controls for managing risk, including environmental risks, in light of the Deepwater Horizon accident.
The company’s system of internal control is described on page 16 of the Form 20-F in the section titled “Our systems of control”. Our response to Comment 2 is intended to highlight those aspects of the disclosures on page 16, which we believe may be most relevant to the Staff’s comment, along with additional information.
BP maintains a comprehensive system of internal control. This comprises our management systems, organizational structures, processes, standards and behaviours that are employed to conduct our business and deliver returns for shareholders. The system is designed to meet the expectations of internal control of the Combined Code in the UK and of COSO (committee of the sponsoring organizations for the Treadway Commission) in the US. It addresses risks and how we should respond to them as well as the overall control environment. Each component of the system has been designed to respond to a particular type or collection of risks.
The three key elements of our system of internal control are: the control environment; the management of risk and operational performance (including in relation to financial reporting); and the management of people and individual performance. Controls include the BP code of conduct, our leadership framework and our principles for delegation of authority, which are designed to make sure employees understand what is expected of them.
As part of the control system, the Group Chief Executive’s senior team – known as the executive team – is supported by sub-committees that are responsible for and monitor specific group risks. These include the group operations risk committee (GORC), the group financial risk committee (GFRC), the group people committee (GPC), and the group disclosures committee (GDC), which reviews the controls and procedures over reporting.
6
6 August 2010
Mr H Roger Schwall
Operations are conducted in accordance with (and associated risks are thereby managed through) the set of standards and processes known as the Operating Management System (“OMS”). OMS provides a common framework for all operations as it is designed to achieve consistency and continuous improvement in safety and operations. It includes mandatory practices, such as integrity management, control of work and incident investigation, which are designed to address particular risks. OMS (Version 2.0) was issued in November 2008 and all operations are expected to be operating under it by the end of 2010. Most operations already are and the remaining minority are currently completing their transition.
Underpinning OMS is a set of Group Defined Practices, Group Recommended Practices and Engineering Technical Practices that cover all areas of operations consistently across the group. They include mandatory procedures around the identification, prioritisation, management, monitoring and improvement of Health, Safety and Environment risks at all operations. They also cover various requirements and recommendations over the management of specific risk areas and risks in specific operational environments and particular operational activities.
A number of these requirements and recommendations refer to or cover environmental risks. The Practices and procedures referring to or covering environmental risks are distributed throughout the system, as the organisation of OMS is by operational element rather than risk type. Section 3.6 of OMS entitled, “Environment”, sets out the Group Essentials (required operating standards) responding to the principle, “BP entities identify and systematically manage the impact of all their activities on the environment and integrate environmental requirements into the local Operating Management System.”
Each business is required to comply with these Practices and procedures, which include environmental risks, as relevant to their operations.
Following the Deepwater Horizon accident, the most relevant of these operational procedures and associated technical practices have been re-considered and re-emphasised at relevant sites – along with the requirements to re-confirm compliance and to re-perform certain explicit testing procedures.
7
6 August 2010
Mr H Roger Schwall
We will review the recommendations and lessons learned from the various investigations into the accident and, where appropriate, we will incorporate these into OMS. We would expect to include a discussion of any such significant changes in our 2010 Form 20-F.
We hereby request confidential treatment of the information identified as confidential bearing Bates-stamp numbers BP-01 through BP-39 (the “Confidential Material”). We make this confidential treatment request under the Freedom of Information Act (the “FOIA”) pursuant to Title 17 C.F.R. §200.83. It is our understanding that, pursuant to the FOIA regulations, (i) no determination as to the merits of our request for confidential treatment will be made at this time and (ii) if the Staff receives a request for any of the information subject to this request for confidential treatment, we will be notified and provided with the opportunity to substantiate
our request for confidential treatment. If you have any questions relating to this request for confidential treatment, please feel free to call Kathryn A. Campbell at +44 207 959 8580. She may also be reached by facsimile at +44 20 3350 2080 and by email at campbellk@sullcrom.com.
We acknowledge that BP is responsible for the adequacy and accuracy of the disclosure in its Form 20-F, that Staff comments or changes to disclosure in response to Staff comments do not foreclose the Commission from taking any action with respect to BP’s Form 20-F, and that BP may not assert Staff comments as a defense in any proceeding initiated by the Commission or any person under the federal securities laws of the United States.
We are available to discuss the foregoing with you at your convenience.
Yours sincerely
cc Kathryn A Campbell
(Sullivan & Cromwell LLP)
