Risk Management Guideline


Risk Management Guideline [Selected Pages] Version 1.1 (August 2012)

1 Objective

This Guideline outlines the processes used at Panoramic Resources Limited (Panoramic) to identify and manage risk and opportunities. It is recognised that implementation of this guideline may require additional project specific training, procedures, plans, guidelines, forms, checklists and/or registers to ensure compliance with specific statutory, legal or other requirements. It is expected that it will be the responsibility of the General Managers, Department and Operational Managers, under the direction and supervision of the Chief Financial Officer (CFO), to ensure that, where required, these additional documents are developed to meet and/or exceed the requirements set within this guideline. Deviation from the requirements of this Guideline is to be managed in accordance with the management of change process as described in the Panoramic Resources Change Management Guideline [PR-HS-PO-GL-8-96].

2 Scope

This Guideline applies to all activities and processes undertaken at Panoramic and over which Panoramic has control and influence.

3 Responsibilities

Job Title: Board; Environment, Safety and Risk Committee (Committee) (noting that as at the date of this Guideline all directors are also members of the Committee)

Responsibilities:
- To approve and authorise the Panoramic Risk Management Guideline.
- To approve and authorise the Panoramic Risk Management Policy.
- To review and approve the Panoramic Risk Appetite Statements.
- To authorise the proceeding of all corporate risk conditions, which are determined to be above established risk tolerances.
- To supervise Panoramic's Risk Management Guideline and Policy.
- To annually review the Panoramic Risk Management Guideline and propose amendments as required.
- To annually review the Panoramic Risk Management Policy and propose amendments as required.
- To review Panoramic's Risk Appetite Statements.
- To annually review the Senior Management Risk Appetite Questionnaire / results and propose amendments as required.
- To review all corporate risk conditions, which are determined to be above established risk tolerances, and report to the Board as required.

Job Title: Managing Director (MD); Chief Financial Officer (CFO); Senior Management (including Operations Managers)

Responsibilities:
- To provide applicable resources to ensure that risk management activities are undertaken with Panoramic.
- To provide to the Board a risk and control annual written certification statement with the CFO (Section 295A of the Corporations Act 2001).
- To review and authorise all operational risk conditions, which are determined using established risk tolerances.
- To complete the annual Senior Management Risk Appetite Questionnaire.
- Using the results of the Senior Management Risk Appetite Questionnaire(s), on a biannual basis, together with the CFO, review and amend if required the Panoramic Risk Appetite Statement for presentation to the Committee and the Board.
- To ensure that Panoramic's enterprise wide risk & opportunity profiles are conducted and maintained annually across the Panoramic Group.
- To supervise the undertaking of annual risk assessments across the Panoramic Group and the maintenance of risk registers and to be responsible for the maintenance and update of the Guideline and for the presentation of the Guideline for review and approval to the MD, the Committee and Board at periodic intervals.
- To provide to the Board a risk and control annual written certification statement with the MD (Section 295A of the Corporations Act 2001).
- To complete the annual Senior Management Risk Appetite Questionnaire.
- To tabulate the results of the Senior Management Risk Appetite Questionnaire.
- Using the results of the Senior Management Risk Appetite Questionnaire(s), on a biannual basis, together with the MD, review and amend if required the Panoramic Risk Appetite Statement for presentation to the Committee and the Board.
- To complete the annual Senior Management Risk Appetite Questionnaire.
- Conduct a Level 2 risk assessment and produce the associated Risk Register reflecting their applicable risks.
- Monitor associated risk profiles and update as required.
- Review Department/Operations Risk Registers annually and determine if any changes to the risk profile are required.
- Develop and manage associated risk action plans to reduce risks to an acceptable level.
- Manage the level of risk within their areas of authority.
- Report all risks that have been determined to be unacceptable to the CFO and MD.
- Conduct a risk assessment on determined department/operations objectives (business plans).

Job Title: Group OHS Manager; Human Resources Manager; Business Development Manager; Exploration Manager; Risk Owner; Risk Work Team; All Employees

Responsibilities:
- Conduct an annual Compliance Review of core work processes conducted within their area of accountability to determine level of compliance with applicable legislation and contract requirements.
- Provide a Compliance report either to the General Manager - Nickel Operations and the General Manager Project Development and the CFO outlining legal specifics of compliance and any corrective actions if required.
- If applicable, comply with additional requirements and disclosure specific to individual role as further detailed below.
- Coordinate the maintenance of risk & opportunity procedures and supporting tools (risk matrix, forms and registers).
- Manage risk & opportunity information storage processes.
- Coordinate risk and opportunity support (training and facilitation) as required.
- Coordinate periodic risk audits with results to be communicated to the CFO, MD, and the Board.
- Coordinate the development, maintenance and communication of the Panoramic Code of Conduct.
- Conduct risk & opportunity assessments for all new business ventures with which Panoramic may be associated.
- Report level of risks and opportunities to the MD, CFO and Board.
- Conduct risk & opportunity assessments for all new ventures with which Panoramic may be associated.
- Report level of risks and opportunities to the MD, CFO and Board.
- Coordinate the risk assessment process in accordance with Panoramic's requirements.
- To participate in the risk assessment process in accordance with Panoramic's requirements.
- Ensure that Panoramic's Risk Management tools are utilised as required.

4 Guideline

4.1 Risk Management

Corporate governance can be defined as the system by which organisations are directed and controlled. It is concerned with improving the performance of companies for the benefit of stakeholders. Risk & opportunity management contributes to good corporate governance by providing reasonable assurance to boards, managers and employees that the organisational objectives will be achieved within a tolerable degree of residual risk.

Risk & opportunity management is a comprehensive process, supported by appropriate strategies, frameworks and processes that are designed to identify, analyse, evaluate, treat, monitor and communicate those risks that could prevent a Department, Project or Work Group from achieving its objectives. It covers strategic as well as operational, economic and non-economic risks. Panoramic's risk & opportunity management is about supporting effective management decisions that lead to project and program success.

4.2 Risk Management Framework

In order to implement an integrated approach to risk management and ensure a high-quality and uniform risk management process, Panoramic has implemented an enterprise-wide Risk Management Framework (RMF).

[Figure 1: Panoramic RMF. Diagram labels include Risk Leadership, Risk Assessment, and Risk Response and Management.]

5 RMF Components

The Panoramic RMF consists of eleven interrelated components that are grouped into three core processes. These components are:

- Risk Leadership
  o Internal Environment
  o Risk Culture
- Risk Assessment
  o Risk Methodology
  o Assessment Tools
  o Risk Data (Repository)
  o Risk Analysis and Evaluation
- Risk Response & Risk Management
  o Respond to Events
  o Report and Review
  o Manage Activities
  o Risk Recording
  o Communicate Risk

6 Risk Leadership

6.1 Internal Environment

The internal risk environment encompasses the tone of Panoramic, influencing the risk consciousness of its people, and is the basis for all other components of the Panoramic Risk Management Framework (RMF), providing discipline and structure. Panoramic's internal risk environment and philosophy are outlined within the following structures:

- Risk Management Guideline;
- Risk Management Policy;
- Risk Appetite Statements;
- Senior Management Risk Appetite Questionnaire;
- MD & CFO Annual Statement to the Board on risk and control compliance;
- Oversight by the Board;
- The integrity, ethical values, and competence of the Panoramic employees (Panoramic's Code of Conduct); and
- The way management assigns authority, responsibility and organizes and develops its people.

6.1.1 Risk Management Philosophy

Panoramic's risk management philosophy is articulated through the Panoramic Risk Management Policy (Attachment A). The Panoramic Risk Management Policy shall be reviewed by the Environment, Safety and Risk Committee (Committee) and authorised by the Board. The policy shall be reviewed on an annual basis and amended if required. The Risk Policy shall be communicated to all employees via Panoramic's internal intranet services and displayed in prominent areas throughout the organisation and on the Panoramic Web Site (

Risk Appetite

Risk appetite can be broadly defined as the amount of risk that Panoramic is willing to take in the pursuit of its goals. Risk appetite is a key component of an effective RMF as it sets the boundaries within which management are expected to operate as they seek to deliver Panoramic's strategic and operational objectives. A clearly understood and clearly articulated statement of risk appetite can assist in unlocking value by better aligning decision-making and risk taking between the Board and management. An organisation's risk appetite is at the heart of how it goes about its business and represents to all stakeholders how it wishes to be perceived internally and externally.

Panoramic's corporate risk appetite is detailed in the Board approved Risk Appetite Statements (Attachment C). Each of Panoramic's Senior Management team completes, at least on an annual basis, a Risk Appetite Questionnaire. Based on a tabulation of the questionnaire results (Attachment C), a standardised level of risk the Company is willing to accept, for each risk type, is reviewed by the MD and CFO.

On a bi-annual basis, Panoramic's Risk Appetite Statements are amended after consideration of the questionnaire results by the MD and CFO and are presented for review, discussion and approval by the Committee and / or the Board [noting that all directors of the Panoramic Board are currently also members of the Committee and as such the review and approval process can be done simultaneously at the one meeting of directors].

Panoramic's corporate risk appetite is further defined within Panoramic's Qualitative Risk Matrix. To calculate the level of risk, Panoramic has established a hierarchy of operational risk levels. These are outlined in detail in section Risk levels.

Risk Tolerances

Risk tolerance is the tolerable deviation from the level set by the Company's risk appetite and business objectives.

Panoramic promotes agility and innovation to exploit new business opportunities, while focusing on adequately managing unacceptable risks as required. The Business Development Manager and Exploration Manager shall include a risk component for new initiatives/projects, so that senior management and the Board can have the discretion to pursue new opportunities up to the specified level of risk appetite.

Panoramic generally has zero risk tolerance when complying with situations that require specific legal, regulatory or industry requirements. Department and Operations Managers shall review their core work processes annually and provide an overview on the level of compliance with applicable legislation and internal standards to the General Manager - Nickel Operations, the General Manager Special Projects (whichever is applicable) and the CFO. Corrective action plans shall be developed for any identified non-compliances and nonconformances, as outlined in Panoramic's Compliance Management Guideline [GP-OP-GL-8-146].

At the operational level, exceptions can be tolerated (or different thresholds defined) so long as at that level, the overall exposure does not exceed the set risk appetite.

Panoramic recognises that there may be circumstances where the cost/business impact of risk mitigation options exceeds Panoramic's capabilities/resources, thereby leading to higher tolerance levels in these particular risk conditions. Where possible, when the cost/business impact of risk mitigation can be identified with a high degree of certainty, those circumstances where risk conditions exceed defined risk tolerance levels shall be reviewed and authorised by the Committee and/or Board prior to proceeding with the risk mitigation option(s).

In those circumstances where the level of risk exceeds Panoramic's tolerance levels, but the opportunity versus risk ratio significantly favours value accretion, the Board decision to proceed shall be documented in detail in Board minutes, outlining justifications for proceeding. All operational risk conditions that exceed defined risk tolerances shall be reviewed and authorised by the MD before proceeding.

Risk tolerance levels shall be defined for operational purposes through the use of Panoramic's Risk Matrix and Consequence Definitions and as outlined in Panoramic's Strategic, Department and Project Plans. Risk Tolerances Indicators shall be identified and regularly monitored and reported by the respective Manager.

MD & CFO Annual Written Statement to the Board on Risk Management

Principle 7 ("Recognise and Manage Risk") of the Australian Stock Exchange (ASX) Corporate Governance Council June 2010 amendments to the August 2007 Corporate Governance Principles and Recommendations (Second Edition) requires listed entities to include in their Annual Governance Statement a statement disclosing the extent to which they have followed recommendations on having in place a risk management framework in identifying risks and the appropriate risk management internal controls, systems and response procedures to mitigate their impact on strategic, operational and financial performance.

Included in Principle 7 and in accordance with Section 295A of the Corporations Act, 2001, the MD and the CFO are also required to provide to the Board on an annual basis, a written certification certifying that the Company's financial reports are based on a sound system of risk management and internal control and that the system is operating effectively.

Oversight by the Panoramic Board

In order to achieve an effective oversight of the Panoramic RMF, the Board shall:

- Understand, review and authorise the Panoramic Risk Management Policy, the Panoramic Risk Appetite Statement and the Panoramic Risk Management Guideline;
- Periodically challenge Senior Management to demonstrate the effectiveness of risk processes in identifying, assessing and managing Panoramic's most significant enterprise-wide risk exposures;
- Annually review Panoramic's risk exposures and consider the current risk exposures against the established risk appetite statements; and
- Request regular updates by Senior Management of key risk indicators of the key risk exposures.

The Panoramic Code of Conduct

The effectiveness of risk management is a function of the integrity and ethical values of those who create, lead, administer and monitor organisational activities. Integrity and ethical values are essential elements of Panoramic's internal risk environment, affecting the design, administration and monitoring of the RMF. In order to support a strong foundation of integrity and ethics, Panoramic has developed and implemented a formal Code of Conduct, which addresses integrity, ethics, acceptable behaviours and conflicts of interest inside and outside the work place.

6.2 Risk Culture

A strong risk culture characteristically offers a setting in which components of risk are discussed openly, and acceptable levels of risk are understood and maintained. Risk Culture consists of three core components, which drive behaviours within an organisation. These components include:

- Behaviour towards taking risk: How much risk does Panoramic feel it can absorb and which risks is it willing to take?
- Behaviour towards following policy: An element of risk culture is the extent to which people will, or will not, embrace and/or comply with a policy.
- Behaviour towards negative outcomes: How does Panoramic deal with expected or unexpected adverse outcomes? For example, material loss events and missed value accretive opportunities.

A strong risk culture begins at the top, with the Board and Senior Management who together set the direction backed-up with policy, communicate on processes under the RMF, acknowledge and, if appropriate, reward effective risk management behaviours.

In order to promote a strong risk culture, Panoramic shall promote the importance of a culture of collaboration throughout the Company to foster a climate of mutual trust in which personnel adopt a team approach to solving problems and to preventing the recurrence of serious incidents. To improve the inherent risk culture, Panoramic shall implement processes to appropriately investigate material loss events and missed value accretive opportunities, identifying the major causes and recording potential learning from these incidents.

7 Risk & Opportunity Assessment

Risk and opportunity assessment allows Panoramic to consider the extent to which potential events have an impact on the achievement of its organisational objectives. Risk and opportunity assessment activities shall be conducted in four key business areas:

1. Planning - Risk assessments on strategic and operational objectives.
2. Processes - Risk assessment on core work processes.
3. New Projects / Initiatives / Suppliers - Risk and opportunity assessments on new ventures, implementation of major projects and the use of new contractors or suppliers.
4. Ongoing Operations - Risk assessments conducted on work tasks.

Panoramic utilises two levels of risk assessments.

Level 1 risk assessments include operational tools such as Job Hazard Analysis, Take 5 and Prestart Checks / Inspections, Planned Task Observation, Hazard Reports and Audits. Operation Managers shall provide appropriate resources to implement the use of Level 1 risk assessment tools on site. Level 1 risk assessments are designed to take between 5 and 30 minutes to complete. They are to be conducted individually, or as a group to determine if the environment and equipment are fit for purpose and if effective ways to complete individual work tasks are established prior to initiating the work activity. Level 1 risk assessments are outlined in greater detail in Panoramic Resources JHA [GP-OP-HSE-PRO-001] and Take 5 [GP-OP-HSE-PRO-002] procedures.

Level 2 risk assessments are tools that are used to assess risks and opportunities associated with organisational objectives. They are high-level processes that are designed to identify and analyse events that can have adverse or positive impacts on achieving economic and non-economic objectives of a group, department or project. Level 2 risk assessments include activities such as Hazid workshops, feasibility studies, business impact analysis and prequalification reviews. Once completed, risk assessment information is collected and stored in Risk Repositories such as Risk Registers, Plans, Feasibility Studies and Reports to assist managers in making ongoing decisions relating to projects, programs, suppliers, contractors and work processes. Level 2 risk assessments can be conducted individually (Risk Owner) or as a group (Risk Work Team) and are owned by the applicable managers. A summary of the types of Level 2 Risk Assessment implemented within Panoramic is outlined in Table 1.

Table 1: Level 2 Risk Assessment Overview.

Columns: Risk Area; Type; When Conducted; When Reviewed / Amended; By Whom; Type of Tool Used; Information Stored

Planning Panoramic Strategic Plan 3-5 Years Annually Managing Director Plan Risk Assessment Corporate Strategic Plan
Planning Department & Project Annual Plans Annually Annually Department & Project Improvement Plans Plan Risk Assessment Department and Project Business Plans
Planning Project Life of Mine Plan Annually Annually Mine Planner / Stakeholder Operations Manager LOM Risk Assessment LOM Plans / Annual Report
Project / New Initiative Feasibility Studies, New Projects As required Business Development Manager BD Opportunity and Risk Assessment. Feasibility Reports
Project / New Initiative Commissioning and Construction Studies New Projects As required Major Project Manager L2 Risk Workshops Project Construction / Plant Risk Registers
Process Department and Project Work Processes Annually Annually Department Managers & Operational Managers L2 Risk Workshops Department & Project Risk Registers
Process Department & Project Business Impact Analysis Annually Annually Department Managers Business Impact Analysis Department and Project Business Continuity Plans
Operational Prequalification Reviews As required Biannually Department and Operational Managers Prequalification Review Contractor Management System
Operational Reports to the Board As required Not Required Senior Management Report Risk Indicator Board Report

7.1 Risk Assessment Methodology

Panoramic risk assessment methodology conforms to AS/NZS ISO 31000:2009 Risk Management - Principles and guidelines and the COSO Model. It consists of 3 core stages.

1. Establishing context
2. Risk identification, analysis and evaluation
3. Risk response and management.

The individual steps and the relationships between each stage are shown in Figure 2.

[Figure 2: Panoramic Resources Risk Methodology Stages. Stages labelled in the diagram: Establishing Context; Threat Identification, Analysis and Evaluation; Threat Response and Management.]

7.2 Establishing Context

[Figure 3: Establishing Context Steps.]

By establishing the context or the environment in which an organisation seeks to achieve its objectives, an organisation can articulate the objective and identify potential events to be taken into account when assessing a specific risk or threat. The context of the risk management process will vary according to the type of risk assessment and the needs of the Risk Owner. When establishing a context of the risk assessment process, the Risk Owner shall consider but not be limited to the following:

- Defining the specific objectives to be risk assessed;
- Defining responsibilities for and within the risk management process;
- Defining scope, as well as the depth and breadth of the risk assessment activities to be carried out, including specific inclusions and exclusions;
  o Defining process, project, activity, task, function or asset in terms of time and location;
  o Defining the relationship between a particular project, process, activity and other projects, processes or activities of Panoramic;
  o Defining the risk assessment methodology and tool to be utilised; and
  o Identifying and specifying the decisions that have been made.

The Risk Context information shall be recorded within the applicable Panoramic Risk Assessment Tool.

Event Identification

An event is defined as an incident or occurrence from internal or external factors or drivers that affect business objectives. Events can have a negative impact, a positive impact, or both. Events with negative impacts represent risks while events with positive impacts may offset negative impacts and/or present opportunities. Events are identified firstly from identifying internal and external factors.

A myriad of external and internal factors drive events that affect business objectives. External factors that should be considered when identifying events, along with examples and implications are described in Table 3.

External Factor | Events - Example
Economic | Events include commodity, currency and interest rate price movements, capital availability (equity and debt), barriers to competitive entry.
Natural Environment | Events include flood, fire, or earthquake that result in damage to plant or buildings, restricted access to raw materials, or loss of human capital.
Political / Legal | Events include the election of a new government with different political agendas, new laws, taxes and a changing regulatory landscape.
Social | Events include changing demographics, social morals, family structures, and work/life priorities, terrorism activity that result in a change in the supply and demand of goods and services.
Technological | Events include new electronic methods for facilitating commerce that result in expanded availability of data, reductions in hardware and software costs, and increased levels of demand for technology-based services.

Table 3: Examples of External Factors and Events

Events are also influenced by internal factors as an organisation's capability and capacity reflect previous choices, influence future events and drive management decisions. Internal factors, along with examples of related events and their implications are described in Table 4.

Internal Factor | Events - Example
Infrastructure, Plant & Equipment | Events include increased capital cost, unscheduled maintenance, equipment availability / downtime, and increased operating costs.
Personnel | Events include personnel and/or skills shortage, workplace accidents, fraudulent activities, expiration of labour agreements, strike or union action.
Materials | Events include supplier going out of business, shortage of critical materials, material price increases.
Process | Events include process modification without adequate change management protocols, process execution errors, lost time, waste.
Information Technology | Events include volume volatility, system downtime, and security breaches.
Work Environment | Events include excessive heat, cyclones activity, floods etc.

Table 4: Examples of Internal Factors and Events

The identification of external and internal factors or drivers that influence events is necessary in order to choose the appropriate risk management technique and once the major contributing factors are identified, management can consider their significance and focus on events that can affect the achievement of objectives.

Panoramic's Risk Owners shall select techniques that fit the risk assessment's need, size and scope and ensure that the involved personnel have the applicable event identification capabilities and the supporting tools in place before commencing event identification.

7.2.1 Event Identification Techniques

Panoramic uses a combination of techniques that consider both past and future events. Panoramic's Event Identification Techniques also vary in terms of where they are used in the Company. Some techniques focus on detailed data analysis and create a bottom-up view of events, while other techniques have a top-down focus. The key types of event techniques currently used by Panoramic are included in Table 5.

Technique | Description
Risk Workshops and Interviews (HAZID) | These techniques identify events by drawing on accumulated knowledge and the experience of management and other internal and external stakeholders through structured discussions.
Process Analysis & Business Impact Analysis | This technique analyses the inputs, tasks, responsibilities and outputs that form a process. By reviewing the internal and external factors that affect the elements within a process, events can be identified that could affect process outcomes and objectives.
Leading Event Indicators | By monitoring output data correlated to events, the Risk Owner can identify the existence of conditions that could give rise to an event.
Loss event data registers (Incident Analysis) | The collection and storage of historical data on loss events in registers are a useful source of information for identifying similar trends and causes. Once a cause(s) of an incident has been identified and retained, management can recall the learning from previous incidents to more effectively assess and treat a new event.
Event Inventories (Risk Registers) | These are detailed registers of potential events common within a particular project or department, or to a particular process or activity common across the Company.
Internal Analysis | This may be done as part of a routine business planning cycle process, typically via regular scheduled meetings. If applicable, internal analysis can utilise information from other stakeholders (customers, suppliers, other departments) or from external advice.
Escalation and Threshold Triggers | These triggers alert management to potential hazards or events with predefined criteria and/or thresholds. Once triggered, an event may require further assessment or an immediate response.

Table 5: Panoramic Resources Event Identification Techniques

7.2.2 Interdependencies

Historically, one event can trigger another, and events can occur concurrently. In event identification, Work Teams and/or Risk Owners shall assess relationships between other events and risks to determine if events relate to each other and what components of risk management are best suited. Overall, event identification needs to be robust, as it forms the basis for the risk assessment and risk response components.

Threats (Causes)

Events may be caused by any number of threats. In order to implement specific risk treatment options, Risk Owners need to identify specific threats (causes) of that particular event. Threat (Cause) identification provides the Risk Owner with a greater understanding of the likelihood of the event occurring again and the impact. Threats also provide the basis for identifying applicable preventative and mitigating controls. The Risk Owner shall endeavour to identify as many related events and associated threats as is reasonably possible.

7.3 Risk Analysis & Evaluation

Risk analysis and evaluation involves developing an understanding of the level of risk, the quantity of the risk (or opportunity) and what controls can be used to mitigate and lower the threat or risk (residual risk). Risk analysis enables decisions to be made on whether risks need to be treated or controlled, and the most appropriate risk management techniques to be used. Risk analysis and evaluation also provides inputs into the different types and levels of risk. The process and steps to undertake risk analysis and evaluation are outlined in Figure

Distinguishing Between Opportunities and Risks

Events have a negative or positive impact, or both. Events with a negative impact represent risks which require management's assessment, response and treatment. Operational events that have a positive impact represent opportunities to channel back positive learning to the applicable business plans (objective-setting processes).

Business Development and Exploration events, which present both opportunities and risks, shall be analysed and evaluated for both risks and opportunities, with a report providing a balanced viewpoint to be provided to the MD in the first instance.

7.3.2 Qualitative Risk Analysis

Panoramic uses a qualitative risk analysis methodology, which captures participants' views on the potential likelihood and consequence of future events, using a descriptive scale outlined in the Panoramic Resources Risk Assessment Matrix and Definitions Scales (Attachment D). The likelihood and impact of each identified risk shall be assessed using Panoramic's Risk Assessment Matrix and Definitions Scales. Each risk shall be classified and prioritised using the agreed risk acceptance threshold levels.

Inherent Risk is the level of risk assuming that no risk management mitigation controls are in place. Residual Risk is the level of risk assuming that identified risk management mitigation controls are in place and are effective. A Risk Owner shall determine both Inherent Risk and Residual Risk when conducting a Level 2 Risk Assessment pursuant to the Panoramic Resources Level 2 Risk Assessment Procedure [GP-OP-HSE-PRO-02].

The impacts / consequences arising from the occurrence of Level 2 Risk Assessments can be either Economic or Non-economic. Economic consequences shall be scaled when determining the level of risk acceptance according to sensitivity. The Economic consequences to be considered depend on the context of the risk analysis, particularly whether it relates to a finance and treasury transaction or a capital investment project.

All Risk Owners when undertaking a Risk Analysis must consider, as a minimum, the following three types of economic risk/opportunity:

Production - What could disrupt the delivery of products?
Quality - What could impact on the quality of products?
Loss or Damage - What could cause financial loss or damage?

Non-economic consequences are harder to scale. As a minimum, all Risk Owners when undertaking a Risk Analysis must consider the following three types of Non-economic consequences:

Health, Safety, Environment & Community - What could harm people, the environment or the community in conducting this activity?
Legal - What could cause enforcement or prosecution in conducting this activity?
Reputation - What could cause a loss of reputation in relation to conducting this activity?

7.3.3 Risk Evaluation

Risk Evaluation shall be undertaken by Risk Owners with relevant experience and expertise, who have an overall knowledge of the area being analysed. The Risk Owner shall be able to judge the likelihood and consequence in the business and operational context, and consensus shall be sought. Where it is considered necessary, the views of external experts shall be obtained to assist in the evaluation of particular risks.

Special attention shall be given to any risks assessed as having a very high negative consequence and very low likelihood. These are major risks where consequences can include multiple fatalities or major plant or mine / project failure resulting in a severe business interruption event. Consideration shall also be given to aggregation risks arising from a number of related causes. Where such risks are identified, they must be noted in the applicable risk register as special cases and each risk mitigated immediately.

The results of the Risk Evaluation shall be recorded in the applicable Risk Registers, Plans and Reports.

Panoramic has established four Residual Risk Levels. These include:

Critical - Risks that significantly exceed the risk acceptance threshold and need urgent and immediate attention. These risks are reported to Operational Managers and the relevant General Manager.
High - Risks that exceed the risk acceptance threshold and require proactive risk management. Includes those risks for which proactive actions have been taken, but further risk reduction is impossible or impracticable. However, active monitoring is required and the latter requires the sign-off from Operational Managers or Department Managers.
Moderate - Risks that lie on the risk acceptance threshold and require active monitoring. The implementation of additional measures could be used to mitigate and control the risk further.
Low - Risks that are below the risk acceptance threshold and do not require active risk management. Certain risks could in time require active monitoring.

The Risk Owner shall allocate a risk level to the risk relating to each event. Where risks are determined to be High or Critical, the Risk Owner shall identify and take immediate action to initiate mitigation controls (if available).

8 Risk Management and Response

Within the RMF, Panoramic shall manage risk in three core ways:

1. Risks with negative consequences / impacts shall be avoided, transferred or minimised.
2. Risks with positive consequences / impacts shall be exploited, shared or enhanced as an opportunity.
3. In those cases where active risk responses are not possible, Residual Risks must be reduced to an acceptable risk threshold level after approval from the required Authority Level.

8.1 Risk Treatments Options / Management Controls

Risk Treatments / Controls are any process, policy, device, practice or other measure that is intended to minimise risk. Risk treatments / controls are the key to Risk Management as they reduce or eliminate the level of risk the event will face in the achievement of the identified business objective. Treatments and/or Controls and their associated actions are shown in Figure 2.

Panoramic uses two types of risk treatments / controls, namely preventative treatments / controls and mitigative controls. Preventative controls reduce the level of risk by preventing the event from occurring in the first place and thereby modify the likelihood. Mitigating controls are initiated after the event has occurred. They include controls such as fire extinguishers, seatbelts, insurance, legal advice, and hedging. Mitigating treatments / controls decrease the level of risk by reducing the consequence / impact.

Risk treatments / controls are graded in accordance with their effectiveness in controlling the risk. Panoramic uses a hierarchy of treatments / controls. These include:

Elimination - Complete removal of the Factor / Hazard.
Substitution - Replacement with a more effective control alternative.
Engineering Controls - Isolation, Segregation, Containment or Limitation. All these controls involve physical separation.
Administration Controls - Establishing appropriate policies and guidelines to control exposure to events.
Personal Protective Equipment (PPE).

Risk treatment involves identifying the range of options for treating risks, assessing those options, preparing risk treatment plans and implementing these plans as soon as practical. Risk treatment shall always consider the effectiveness hierarchy of controls and optimise the level of risk exposure to as low as is reasonably practicable (the ALARP Principle).

When significant risks have been determined and prioritised, risk treatment / controls identification shall be undertaken to determine what control measures are required and what actions are to be taken to eliminate or minimise the impacts.

As a minimum, the Risk Owner shall ensure that the appropriate action to reduce the identified risk to an acceptable level, for those activities and processes that have or may have significant impacts, is undertaken as soon as practical. Project, program, process or other work activities must not commence until appropriate treatments / controls have been implemented, monitored and deemed effective by the relevant Authority Level.

8.2 Risk Reporting

The results of Risk Analysis processes shall be documented and reported to the key stakeholders as outlined earlier in this Guideline. Where applicable, all Risk Analysis information on future planned projects shall be entered into the Project Plans. Each Project Plan shall be reviewed and authorised as outlined in the Panoramic Planning Guideline [CORP-PO-GL-8-144].

All process risk analysis information shall be entered into the appropriate level Risk Register, Bowtie XP Risk Database. Information shall include identified risks with their evaluations and agreed responses. The Risk Register shall retain information on all closed risks to provide an audit trail and to assist in learning for any future Risk Analysis.

All Level 1 Operational Risk Assessments shall be recorded on applicable forms and filed in accordance with Panoramic's Project Document and Record Management Procedures. However, other risk report formats may be developed for specific purposes. All actions relating to implementing Responses shall be recorded in the appropriate action register, and monitored.

8.3 Risk Review and Updates

All Risk Analysis shall be updated in accordance with changing circumstances or developments. The update shall reflect the results of Risk Responses that have been previously implemented, and must identify and record additional risks that have emerged since the last update.

Department and Operational Managers shall review Department and Project Risk Registers on an annual basis. All risks in the Risk Register shall be reviewed to ensure that risks have not developed a higher risk profile. A Risk Summary Report outlining significant risks for each Department and Project shall be developed by the Department and Operational Managers and provided to the appropriate General Manager for review on an annual basis.

A Panoramic Risk Audit shall be conducted by the CFO or delegate on an annual basis to determine the conformance to this Guideline. Audit Results shall be presented at the next applicable Panoramic Board meeting.

8.4 Risk Assessment Software

Panoramic uses the Bowtie XP Risk Assessment Software to conduct and record Level 2 process risk assessments.

8.5 Training and Awareness

Risk Management Awareness and Training Programs will be identified, developed and implemented as outlined in the Table below.

Training Program / Area / Proposed Attendees
Board Risk Awareness Board Directors
Management Risk Awareness Operations Managers
Risk Management (Level 2 Risk Assessments) Operations Managers, Supervisors, OHS And Environmental Coordinators
Risk Management Awareness Corporate Induction Operations All personnel
Bowtie XP Operations As requested
JHA Operations All personnel
Take 5 Operations All Personnel

Table 6: Panoramic Resources Risk Training Requirements

Definitions and Abbreviations

Definitions

ALARP ("As low as reasonably practicable"): Risk that is tolerable on the basis that the risk is acceptably low and cannot be further reduced effectively considering the cost, time and resources involved.

Aspect: An element of an organisation's activities, products or services that can interact with the environment. For environmental risk purposes, aspect is a synonym for hazard.

Consequence: The impact of an event expressed qualitatively or quantitatively, being a loss, harm, disadvantage or gain.

Communication and Consultation: Continual and iterative processes that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders.

Contractor: A person or organization providing services to Panoramic Resources at a Panoramic Resources workplace in accordance with agreed specifications, terms and conditions.

Control: Any process, policy, device, practice or other measure that is intended to minimise risk.

Event: An event is defined as an incident or occurrence from internal or external sources that affects achievement of objectives.

External Context: External environment in which the organisation seeks to achieve its objectives.

Hazard: A source of potential harm or a situation with the potential to cause actual or perceived loss or damage to people, the environment, plant, equipment, customer expectation or product quality.

Hazard Identification: The process of identifying threats (risks with a negative consequence) or enhancement measures for opportunities (risks with potential positive consequences).

Impact: The harm that has or could occur if the controls are absent or fail.

Internal Context: Internal environment in which an organisation seeks to achieve its objectives.

Inherent Risk: The risk remaining if no controls are put in place / implemented.

Likelihood: The most realistic or credible chance that a particular event will occur, resulting in the maximum reasonable consequence, expressed as a qualitative or quantitative description of probability or frequency.

Maximum Reasonable Consequence (MRC): The largest realistic or credible consequence from an event, considering the location of and population encountering the event as well as the credible failure of current controls.

Monitoring: Continually checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.

Maximum Reasonable Outcome (MRO): The outcome for an incident or risk, based on its maximum potential consequence and the likelihood of that consequence occurring, applying the Panoramic Resources HSEQ Qualitative Risk Assessment Matrix. The Maximum Reasonable Outcome is classified as Low, Moderate, High or Critical.

Opportunity: Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.

Predicted Risk: The predicted risk remaining if proposed controls are implemented.

Qualitative Risk Assessment: Qualitative assessments assess the maximum reasonable consequence of a hazard / aspect or opportunity against its expected likelihood using predefined consequence and likelihood descriptors in the Panoramic Resources HSEQ Qualitative Risk Assessment Matrix.

Residual Risk: Risk remaining after risk treatments have been implemented. If controls are implemented, it reflects current risk. If controls have not yet been implemented, it reflects predicted risk levels.

Risk: An uncertain event or condition that, if it occurs, will affect the achievement of one or more objectives. It is measured in terms of the likelihood of occurrence and its potential consequences, and assigned an overall risk classification.

Risk Appetite: An organisation's approach to assess and eventually pursue, retain or turn away from risk.

Risk Acceptance Threshold: A measure (or criteria) of the level of risk above which proactive actions must be taken to manage threats and maximise opportunities and below which risks may be accepted.

Risk Analysis: The overall process of risk identification and risk assessment.

Risk Assessment: The method of evaluating the consequence and likelihood of identified hazards, aspects or opportunities and comparing these against a defined risk acceptance threshold relevant to the level of assessment.

Risk Capacity: The overall maximum level of risk that Panoramic Resources can bear and the types of risk Panoramic Resources desires or is prepared to accept in order to achieve its strategic, operational and financial objectives in both the short and long term.

Risk Management: The process of making informed decisions and implementing appropriate actions, based on a hierarchy of controls, in response to risk analysis results.

Risk Management Framework: The set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.

Risk Management Process: Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Risk Owner: Person accountable for the overall management of a hazard and contributing risk scenarios within the work area. This person is also accountable for ensuring controls are in place and effective and that the risks are reviewed appropriately.

Risk Profile: Description of any set of risks.

Risk Management Policy: Statement of the overall intentions and direction of an organisation related to risk management.

Risk Treatment: Process to modify risk.

Risk Tolerances: The quantum or degree of risk that Panoramic Resources is prepared to accept for each category of risk (operating within its overall risk capacity), where possible expressed in terms of the degree of confidence required so that specific objectives will not be compromised or tolerances thresholds will not be breached.

Risk Rating: The classification of risk based on its likelihood of occurrence and potential consequence(s). Risks undergoing Level 2 assessments are rated in the descriptive terms: Critical, High, Moderate and Low.

Risk Scenario: A description of how the hazard / aspect could potentially result in an impact.

Risk Scenario Owner: Person responsible for the management of an individual risk scenario. This person shall ensure that individual risk scenarios are appropriately assessed and documented and that controls are identified and appropriate actions raised accordingly.

Significant Risk: Risks with a risk rating of High or Critical.

Stakeholder: Person or organisation that can affect, be affected by, or perceives themselves to be affected by a decision or activity.

Standard Operating Procedure (SOP): A procedure written at the task level, clearly describing the sequential steps that result in the best known way to complete a task. It does not contain complex decision making.

Work Area: Part of a hierarchical structure that represents the physical location where work is conducted. The hierarchy breaks sites down further, into logical physical sections.

Abbreviations

HSEQ: Health, Safety, Environment and Quality
JHA: Job Hazard Analysis
RMF: Risk Management Framework


An Introductory Presentation for ECU Staff Risk Management at ECU An Introductory Presentation for ECU Staff Phillip Draber Manager, Risk and Assurance Outcomes By the end of this session you should: Be able to complete and document risk management

More information

There are many definitions of risk and risk management.

There are many definitions of risk and risk management. Definition of risk There are many definitions of risk and risk management. The definition set out in ISO Guide 73 is that risk is the effect of uncertainty on objectives. In order to assist with the application

More information

GRINDROD SOUTH AFRICA//Policy Risk and opportunity governance framework

GRINDROD SOUTH AFRICA//Policy Risk and opportunity governance framework Document number GP24 Revision number 02 Issue date 23 May 2017 Author name Andrew Davies Approval Risk Committee 02 CONTENTS 1 Purpose 04 2 Objective 04 3 Risk and opportunity governance policy 04 4 Governance

More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Guidance Paper No. 2.2.x INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS GUIDANCE PAPER ON ENTERPRISE RISK MANAGEMENT FOR CAPITAL ADEQUACY AND SOLVENCY PURPOSES DRAFT, MARCH 2008 This document was prepared

More information

Risk Management. Policy No. 14. Document uncontrolled when printed DOCUMENT CONTROL. SSAA Vic

Risk Management. Policy No. 14. Document uncontrolled when printed DOCUMENT CONTROL. SSAA Vic Document uncontrolled when printed Policy No. 14 Risk Management DOCUMENT CONTROL Version: Date approved by Board: On behalf of Board: Jack Wegman 17 March 2015 26 March 2015 Denis Moroney President Next

More information

Approved by: Diocesan Council 17 December 2015

Approved by: Diocesan Council 17 December 2015 DIOCESAN COUNCIL POLICY 39 Risk Management Approved by: Diocesan Council 17 December 2015 1 PREAMBLE The Perth Diocesan Trustees under the authority of the Diocesan Trustees Statute 1952 have the responsibility

More information

Risk Management Policy (v7.0)

Risk Management Policy (v7.0) Risk Management Policy (v7.0) VERSION HISTORY Rev No. Date Revision Description Approval 0 19 November 1998 Risk Management Policy Prepared by: Manager Internal Audit 1.0 March 2007 Risk Management Policy

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT FRAMEWORK 1. INTRODUCTION (Company) acknowledges that risk is inherent in its business. The Company faces a broad range of risks as a listed entertainment organisation. The Company s risk

More information

Topic RISK MANAGEMENT Procedure Category Risk Management Updated 07/2011

Topic RISK MANAGEMENT Procedure Category Risk Management Updated 07/2011 Topic RISK MANAGEMENT Procedure 07.01 Category Risk Management Updated 07/2011 RELATED POLICIES, PROCEDURES AND FORMS Policies Procedures Forms Risk Management Policy Code of Conduct Public Interest Disclosure

More information

Auckland Transport HS03-01 Risk and Hazard Management

Auckland Transport HS03-01 Risk and Hazard Management Auckland Transport HS03-01 Risk and Hazard Management (Procedure uncontrolled when printing) Relating to Standard: HS03 Risk and Hazard Management Standard December 2016 Health and Safety-Procedure-HS03-01

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK Risk Management Framework RISK MANAGEMENT FRAMEWORK Purpose This Risk Management Framework introduces St. Michael s College s approach to risk management. It includes a definition of risk, a summary of

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT FRAMEWORK 1 RISK MANAGEMENT FRAMEWORK... 1 INTRODUCTION... 3 AN EFFECTIVE ENTERPRISE RISK MANAGEMENT SYSTEM... 4 Guiding Principles... 4 RISK GOVERNANCE... 5 Mandate and Commitment... 5

More information

RISK MANAGEMENT POLICY AND STRATEGY

RISK MANAGEMENT POLICY AND STRATEGY 1 RISK MANAGEMENT POLICY AND STRATEGY Version No: Reason for Update Date of Update Updated By 1 Review Timeframe September 2014 2 Review June 2017 Governance Manager Governance Manager 3 4 5 6 7 8 Introduction

More information

UNITED NATIONS JOINT STAFF PENSION FUND. Enterprise-wide Risk Management Policy

UNITED NATIONS JOINT STAFF PENSION FUND. Enterprise-wide Risk Management Policy UNITED NATIONS JOINT STAFF PENSION FUND Enterprise-wide Risk Management Policy 15 April 2016 Page 1 Table of Contents Page Preface I. Introduction 3 II. Definition 4 III. UNSJFP Enterprise-wide Risk Management

More information

Scouting Ireland Risk Management Framework

Scouting Ireland Risk Management Framework No. SID 124A/15 Gasóga na héireann/scouting Ireland Issued Amended 20 th June 2015 Deleted Source: National Management Committee Scouting Ireland Risk Management Framework Revision Date Description # 20/06/2015

More information

ENTERPRISE RISK MANAGEMENT (ERM) GOVERNANCE POLICY PEDERNALES ELECTRIC COOPERATIVE, INC.

ENTERPRISE RISK MANAGEMENT (ERM) GOVERNANCE POLICY PEDERNALES ELECTRIC COOPERATIVE, INC. 1. Purpose: 1.1. Pedernales Electric Cooperative ( PEC ) is committed to delivering low-cost, reliable and safe energy solutions for the benefit of our members. In order to improve the likelihood of achieving

More information

Risk Management Strategy Draft Copy

Risk Management Strategy Draft Copy Risk Management Strategy 2017 Draft Copy FOREWORD Welcome to the Council s Strategic & Operational Risk Management Strategy, refreshed in May 2017. The aim of the Strategy is to improve strategic and operational

More information

Nagement. Revenue Scotland. Risk Management Framework

Nagement. Revenue Scotland. Risk Management Framework Nagement Revenue Scotland Risk Management Framework Table of Contents 1. Introduction... 2 1.2 Overview of risk management... 2 2. Policy statement... 3 3. Risk management approach... 4 3.1 Risk management

More information

Risk Management Policy

Risk Management Policy Risk Management Policy 1 Purpose and scope of this Policy 1.1 CSG Limited (CSG) is committed to managing its risks in a consistent and practical manner. Effective risk management is directly focussed on

More information

West Coast District Municipality. Risk Management Policy

West Coast District Municipality. Risk Management Policy West Coast District Municipality Risk Management Policy TABLE OF CONTENTS Page No. RISK MANAGEMENT POLICY 5 1. OVERVIEW 6 1.1. Policy Objective 6 1.2. Policy Statement 6 1.3. Risk Management Approach 6

More information

ENTERPRISE RISK MANAGEMENT Framework

ENTERPRISE RISK MANAGEMENT Framework STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES ENTERPRISE RISK MANAGEMENT Framework January 2018 Ce document est également disponible en français. Notice This document is intended as a reference tool

More information

ENTERPRISE RISK MANAGEMENT (ERM) POLICY Republic Glass Holdings Corporation. Purpose. Goals

ENTERPRISE RISK MANAGEMENT (ERM) POLICY Republic Glass Holdings Corporation. Purpose. Goals Purpose This Enterprise Risk Management Policy (the ERM policy) provides the framework for managing risks across ( RGHC or the Company ). It contains the policies to guide employees, management and the

More information

Version: th November 2010 RISK MANAGEMENT POLICY

Version: th November 2010 RISK MANAGEMENT POLICY Version: 1.2-25th November 2010 RISK MANAGEMENT POLICY Document History Document Location To be completed. Revision History Date of this revision: 17/09/2010 Date of next revision: N/A Revision Number

More information

GOV : Enterprise Risk Management Policy

GOV : Enterprise Risk Management Policy Name: Responsibility: Complements: Enterprise Risk Management Framework Coordinator, Enterprise Risk Management GOV-080-005: Enterprise Risk Management Policy Draft Date: November 2006; January 2012 Revised

More information

Risk Management Policy

Risk Management Policy Risk Management Policy October 2014 Risks 1. Risks can be identified under four principal headings a. Financial risks b. Strategic Risks c. Operational Risks, and d. Hazard Risks 2. These are either externally

More information

Hazard Identification, Risk Assessment and Control Procedure

Hazard Identification, Risk Assessment and Control Procedure Hazard Identification, Risk Assessment and Control Procedure 1. Purpose To ensure that there is a formal process for hazard identification, risk assessment and control to effectively manage workplace and

More information

CMP for Special Regs and Safety Issues. 1. INTRODUCTION Purpose Scope Submissions to Australian Sailing:...

CMP for Special Regs and Safety Issues. 1. INTRODUCTION Purpose Scope Submissions to Australian Sailing:... CMP Policy - AS i Australian Sailing CMP for Special Regs and Safety Issues 1. INTRODUCTION... 1 1.1. Purpose... 1 1.2. Scope... 1 1.3. Submissions to Australian Sailing:... 1 2. CHANGE MANAGEMENT PROCEDURE

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Introduction The outgoing Corporate Strategy 2013-18 and incoming University Strategy 2018-23 continues on a trajectory towards Vision 2025 in an increasingly competitive Higher

More information

Risk Management Framework Policy (incorporating the Risk Management Policy and Strategy)

Risk Management Framework Policy (incorporating the Risk Management Policy and Strategy) Corporate Risk Management Framework Policy (incorporating the Risk Management Policy and Strategy) Document Control Summary Status: Version: Replacement. Replaces: Management of the Assurance Plan and

More information

Identifying and taking opportunities to improve performance as well as taking action to avoid or reduce the chances of something going wrong

Identifying and taking opportunities to improve performance as well as taking action to avoid or reduce the chances of something going wrong Risk Management Policy PREAMBLE: Risk management is an approach to decision-making and accountability. Risk management comprises the culture, processes and structures that are directed towards the effective

More information

ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK

ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK ANNEXURE A ENTERPRISE RISK MANAGEMENT POLICY FRAMEWORK CONTENTS 1. Enterprise Risk Management Policy Commitment 3 2. Introduction 4 3. Reporting requirements 5 3.1 Internal reporting processes for risk

More information

The Australian National University Fraud Control Framework. Corporate Governance & Risk Office

The Australian National University Fraud Control Framework. Corporate Governance & Risk Office The Australian National University Fraud Control Framework 2017 2018 Corporate Governance & Risk Office Corporate Governance and Risk Office 21 July 2017 The Australian National University Canberra ACT

More information

Risk Management Policy & Procedures. Premier Ltd.

Risk Management Policy & Procedures. Premier Ltd. Risk Management Policy & Procedures Premier Ltd. [1] Risk management is attempting to identify and then manage threats that could severely impact the organization. Generally, this involves reviewing operations

More information

POLICY. Policy Title: Integrated Risk Management. Director, Strategic and Governance Services Centre

POLICY. Policy Title: Integrated Risk Management. Director, Strategic and Governance Services Centre POLICY Policy Title: Integrated Risk Management Policy Owner: Keywords: Policy Code: Director, Strategic and Governance Services Centre Risk Management PL201 [rm001] Intent Organisational Scope Definitions

More information

UNIVERSITY OF ABERDEEN RISK MANAGEMENT FRAMEWORK

UNIVERSITY OF ABERDEEN RISK MANAGEMENT FRAMEWORK UNIVERSITY OF ABERDEEN RISK MANAGEMENT FRAMEWORK 1 TABLE OF CONTENTS FIGURES AND TABLES... 3 1. INTRODUCTION... 4 2. KEY TERMS AND DEFINITIONS... 5 2.1 Risk... 5 2.2 Risk Management... 5 2.3 Risk Management

More information

RISK MANAGEMENT POLICY

RISK MANAGEMENT POLICY RISK MANAGEMENT POLICY Approved by Governing Authority February 2016 1. BACKGROUND 1.1 The focus on governance in corporate and public bodies continues to increase. It resulted in an expansion from the

More information

Risk Management: Principles, Methodologies and Techniques. Peter Getugi Internal Audit Manager ILRI

Risk Management: Principles, Methodologies and Techniques. Peter Getugi Internal Audit Manager ILRI Risk Management: Principles, Methodologies and Techniques Peter Getugi Internal Audit Manager ILRI NAIROBI 22 JUNE, 2010 Session Objectives What is Risk Management? Why is Risk Management importance rising?

More information

Common Safety Methods CSM

Common Safety Methods CSM Common Safety Methods CSM A common safety method on risk evaluation and assessment Directive 2004/49/EC, Article 6(3)(a) Presented by: matti.katajala@safetyadvisor.fi / www.safetyadvisor.fi Motivation

More information

Risk Management Policy

Risk Management Policy Risk Management Policy Contents Executive summary... 3 Aim & introduction... 3 Definitions... 3 Consequence... 3 Event... 3 Likelihood... 3 Risk... 4 Risk Appetite... 4 Risk Management... 4 Risk Management

More information

Risk Management Strategy

Risk Management Strategy Risk Management Strategy Document Reference MLCSU CA_WL_V3 Version 3 Authors: Donna Bamber, Midlands & Lancashire Commissioning Support Unit Senior Risk Officer Smita Shetty, Service Redesign Manager,

More information

IT Risk in Credit Unions - Thematic Review Findings

IT Risk in Credit Unions - Thematic Review Findings IT Risk in Credit Unions - Thematic Review Findings January 2018 Central Bank of Ireland Findings from IT Thematic Review in Credit Unions Page 2 Table of Contents 1. Executive Summary... 3 1.1 Purpose...

More information

DRAFT SAINT LUCIA NATIONAL STANDARD DNS/ISO 31000: 2009 RISK MANAGEMENT PRINCIPLES AND GUIDELINES (ISO 31000: 2009, IDT) Stage 40 Enquiry Stage

DRAFT SAINT LUCIA NATIONAL STANDARD DNS/ISO 31000: 2009 RISK MANAGEMENT PRINCIPLES AND GUIDELINES (ISO 31000: 2009, IDT) Stage 40 Enquiry Stage DRAFT SAINT LUCIA NATIONAL STANDARD DNS/ISO 31000: 2009 RISK MANAGEMENT PRINCIPLES AND GUIDELINES (ISO 31000: 2009, IDT) Stage 40 Enquiry Stage DECEMBER 2017 Copyright SLBS Saint Lucia Bureau of Standards,

More information

Section Defining Risk Management. 11. Principles of Risk Management

Section Defining Risk Management. 11. Principles of Risk Management Section 2 10. Defining Risk Management Enterprise risk management is the process, affected by an entity's board of directors, management and other personnel, applied in strategy setting and across the

More information

Risk Management Strategy Highland Council Pension Fund

Risk Management Strategy Highland Council Pension Fund Risk Management Strategy Highland Council Pension Fund Approved Pensions Committee 9 August 2018 3 1. Introduction 1.1 Risk management is a key element of Corporate Governance and the Highland Council

More information

Risk Management Policy and Strategy

Risk Management Policy and Strategy Risk Management Policy and Strategy Version: 2.1 Bodies consulted: Approved by: Directors and Managers responsible for risk Board of Directors Date Approved: 28 March 2017 Lead Manager: Lead Director:

More information

Integrated Risk Management Framework Sept Page 1 of 17

Integrated Risk Management Framework Sept Page 1 of 17 Integrated Risk Management Framework 2017-2018 Sept 2017 Page 1 of 17 Reference: Title: Author/Nominated Lead: Approval Date: Approving Committee: Review Date: Target Audience: Circulation List: Cross

More information

JCU Risk Management Framework and Plan

JCU Risk Management Framework and Plan JCU Risk Management Framework and Plan Document Contact: Chief of Staff Approved by Council (5/17) 07 September 2017 1. RISK MANAGEMENT FRAMEWORK... 3 1.1 General... 3 1.2 What is Risk?... 3 1.3 Why Should

More information

Risk Management Policy

Risk Management Policy DYNAMIC ARCHISTRUCTURES LIMITED Risk Management Policy DYNAMIC ARCHISTRUCTURES LIMITED Regd. Address: 409, Swaika Centre, 4A Pollock Street, Kolkata - 700001 (West Bengal) CONTENTS Sr. Particulars Page

More information

Risk Management at ANZ

Risk Management at ANZ Risk Management at ANZ Vision and Strategy ANZ has established a comprehensive risk and compliance management framework. The Board is principally responsible for establishing risk tolerance, approving

More information

RISK MANAGEMENT MANUAL

RISK MANAGEMENT MANUAL ABN 70 074 661 457 RISK MAGEMENT MANUAL QUALITY ASSURANCE - ISO 9001 ENVIRONMENTAL MAGEMENT - ISO 14001 OCCUPATIOL HEALTH AND SAFETY - AS 4801 This is a Controlled Document if stamped CONTROLLED in RED.

More information