01. risk management manual

Upload: ahmed-mahran

Post on 06-Apr-2018


  • 8/3/2019 01. Risk Management Manual

    1/16

    RASHPETCO and BURULLUS Governance System

    Document Title: Risk Management Manual

    Document Number: RPC-COR-MS-RMP-201

    THIS IS A CONTROLLED DOCUMENT NO.

    THIS IS AN UNCONTROLLED DOCUMENT X

    Controlled documents will automatically be re-issued to recipients as and when changes occur. It is the recipient's responsibility to replace and destroy the old version.

    Uncontrolled documents will not automatically be re-issued and users should ensure that they have the latest version. If in doubt, consult Governance department.

    Revision history (Revision, Description, Designation, Name, Signature, Date)

    Revision 2: Accommodate validation checks; update meetings terms of reference; clarity of link to the Partners process; realignment of the responsibility matrix; link to Objectives, Performance Contracts & Business Improvement Plan; and some format changes. A Risk Register template has also been produced and referenced in this manual.

    Approved: Chairman & MD, T El-Attar

    Approved: MD & GM, F Ahrabi

    Checked: Internal Audit GM, M Helmy

    Prepared: Governance Manager, B Williams

    Revision 1: Format and number changes only

    Approved: Chairman & M.D., T El-Attar

    Approved: M.D. & G.M., R. Fox

    Checked: HSE GM, Alaa El Din Shinaishai

    Checked: HSE D/GM, Alan Spicer

    Prepared: Governance, Chris. Thomas


    Date: July 2003

    Revision: 2

    CONTENTS

    PART 1 INTRODUCTION

    1.1 Purpose

    1.2 Scope

    1.3 Definition of Risk

    1.4 Benefits of Risk Management

    PART 2 BUSINESS PROCESS MAPS

    2.1 Risk Management Business Process

    2.2 New Register Preparation Business Process

    PART 3 RISK MANAGEMENT STRUCTURE

    3.1 Process Hierarchy

    3.2 Risk Registers

    3.3 Risk Meetings

    PART 4 BUSINESS PROCESS NOTES NEW REGISTERS

    4.1 Format and Content

    4.2 Ownership of Registers

    4.3 Preparation of new Registers

    4.4 Risk Ratings

    4.5 Elevation of risks

    4.6 Dealing with risks

    4.7 Managing risks

    4.8 Risk Meetings Terms of Reference

    PART 5 RESPONSIBILITY MATRIX

    5.1 Responsibility Matrix

    PART 6 APPENDICES

    6.1 Method of Risk Rating

    6.2 Risk Register Template

    1 INTRODUCTION

    1.1 Purpose

    This document defines the Risk Management process. It covers the ongoing process of Business Risk identification, understanding, measurement and decision making to control and mitigate the identified risks, recognising that a risk may present either an opportunity or threat to the achievement of the COMPANY objectives.

    Risk management is an iterative process and should be used at all levels within the Company and at all stages within the business cycle. All employees have responsibility for managing the risks relevant to their role.

    1.2 Scope

    This guideline outlines a methodology for the management of risk of all COMPANY activities, including all the phases of project lifecycles.

    Note: It is also the COMPANY intention to include the main contractors working on COMPANY Projects in the Risk Management process. The frequency, process and format for gathering the Risk information shall be agreed during the tender processes or kick-off meeting.

    1.3 Definition of Risk

    Within this guideline risk is defined as either:

    the threat that an event or action will adversely affect the COMPANY, and prevent it from achieving its objectives, or

    a missed opportunity for improvement.

    The consequences can affect one or more of the following:

    cost (CAPEX and OPEX)

    schedule

    quality, including plant capacity, flexibility, availability

    health, safety, security and environment

    company image and reputation

    licence to operate

    financial management

    third party relations.

    1.4 Benefits of Risk Management

    The main benefits of a formalised risk management process are that it:

    creates an understanding of the relationship between risks: cost, timescales, image, quality and safety and environment, and brings realism into the consideration of the trade-offs between them

    improves decision making at all levels in the company

    underpins a culture of continuous improvement; encouraging openness and enabling effective, pro-active and timely application of knowledge and expertise

    ensures ownership of risks, so they are effectively monitored and pro-actively managed

    focuses, through rating, on the key risk areas

    makes risks, and actions taken to resolve them, clearly visible to management

    reduces the likelihood of a risk materialising and the impact if it does

    reduces spending on resolution of problems, through addressing them earlier

    improves the quality and accuracy of CAPEX estimates and project schedules

    optimises exploitation of opportunities

    encourages the proper handling of risks rather than the management of crises.

    2 BUSINESS PROCESS

    2.1 New Register Preparation Process

    [Flowchart: New Register Preparation Business Process. Boxes: Business Environment; Objectives, Performance Contracts, Business Improvement Plan; Risk Register Required; Define Risks; Evaluate and Rate Risks; Determine Mitigating Actions; Allocate Risk Owners; Finalise and Issue Risk Register; Department / Project Risk Register; Cascade Risks to Corporate Register; Retain and manage within the department or project; Risk Management Business Process (see 2.2 below); End of Process. Decision (Threshold Ratings 1 and 2): "Are risks higher rated than threshold 1 & 2 as defined by the MDs in discussion with Partners?" (YES / NO).]

    2.2 Risk Management Business Process

    [Flowchart: Risk Management Business Process. Boxes: Initiate Risk Management; New Register Preparation Process (see 2.1 above); Identify new and changes in Risks; Hold Risk Meeting and Re-evaluate Risks; Initiate Mitigating Actions; Validate Risk Register contents through interdepartmental reviews and challenges; Finalise and Issue Risk Register; Department / Project Risk Register; Cascade Risks to Corporate Register; Hold Corporate Risk Meeting and Re-evaluate Risks; Corporate Risk Register; Submit Risks to Managing Partners Risk System; Review Feedback and Update Register; End of Business Process. Decisions: Threshold Rating 1, "Are risks higher rated than threshold 1 i.e. score of 12 and above?" (YES); Threshold Rating 2, "Are risks higher rated than threshold i.e. score of 18 and above?" (YES).]

    3. BUSINESS RISK MANAGEMENT STRUCTURE

    3.1 Process Hierarchy

    The company Business Risk Management system is structured to enable Risks to be rated and prioritised in order to ensure that each risk receives the appropriate management attention. (As shown on the following chart):

    3.2 Risk Registers

    Risk Registers will be prepared and managed as defined in section 2. Current registers will be kept within the Governance Documents suite. Risk Owners are responsible for sending a copy of the current register to the Governance Manager. As a minimum requirement, the COMPANY will maintain the following registers.

    REGISTER                  OWNER                           RISK LEVEL
    Corporate                 Managing Directors              High and Medium
    All Projects              Project General Managers        All Project Risks
    Operations                Operations General Managers     All Department Risks
    Exploration               Exploration General Managers    All Department Risks
    Finance                   Finance General Managers        All Department Risks
    HSE                       HSE General Managers            All Department Risks
    IT                        IT General Manager              All Department Risks
    Contract & Procurement    GM Material and GM Contract     All Department Risks

    However, all departments are expected to routinely review their Business Risks, capture the risks and mitigating actions, preferably through a Risk Register, demonstrate the management of the risks and report any significant changes to the Managing Directors.

    [Chart: RASHPETCO Risk Management Structure (Risk Prioritisation). High level risks: Partner level. Medium level risks: Corporate Register, Corporate Risk Meeting. All risks: Project & Department Registers, Risk Management Meetings.]

    3.3 Risk Meetings

    Risk Meetings are the essential formal elements in managing risk at all risk levels within the COMPANY. There are three levels of risk meetings, which are as follows:

    Partner Risk Meeting

    This meeting is held every quarter and it is owned and shared by BG Egypt (BGE) on behalf of other partners. Rashpetco risks scoring 18 and above are fed into this process by the submission of the Corporate Partner Level Risk Register to BGE in advance of this meeting. In addition, the BGE Managers responsible for the Projects receive and contribute to the Project/Operation Risk Registers routinely. These processes allow adequate review and challenge opportunities ahead of the quarterly meeting. Rashpetco/Burullus will be represented at this meeting by the Governance Manager, and Risk Owners may be invited by BGE should further clarification be required.

    Corporate Risk Meetings

    This meeting is held every quarter and captures all risks scoring 12 and above from the departmental risk registers. These risks are contained in the Corporate General Risk Register. In addition, corporate specific risks are identified, processed and added to the register in advance of this meeting. This meeting will agree the contents of the register and the elevation of risks scoring 18 and above to the Corporate Partner Level Risk Register. An important role of this meeting is to re-evaluate and finalise the risk ratings and in the process identify the risks to be elevated to the Partners. For example, a risk item with a score of 18 and above from a department may end up with a lower score because Rashpetco management considers that the manageability factor should be lower; whilst manageability may be outside the control of the department, it is considered to be within the company's control.

    Department and Project Risk Meetings

    These meetings will identify and evaluate all risks associated with their business objectives. All risks scoring 12 and above, after inter-department validation process, will be elevated to the Corporate Risk Register.

    The terms of reference for the Corporate Risk meeting and the Departmental/Project Risk meetings are contained in Section 4. The terms of reference of the Partner Risk meeting are determined by BGE.

    4 BUSINESS PROCESS NOTES FOR THE PREPARATION OF RISK REGISTERS

    4.1 Format and Content

    Adopting a standardised format for project risk registers facilitates the review and comparison of risks across projects, and the assembly of an asset's risk register from its constituent projects. A suggested format is shown in Appendix 1. If there is a need to depart from this format because it does not fit in with a department/project's established procedures, this should be discussed with the Governance Manager who may use the opportunity to implement an improved format.

    4.2 Ownership of Risk Registers

    Ownership of the overall risk register lies with the General Manager. Maintenance of the register may be delegated to an identified risk co-ordinator within the project/department team, whose role is to ensure that risks are added, updated and closed out on the register in a timely fashion. It is recommended that regular risk reviews are held, at least quarterly, to ensure that the register reflects the true risk status at all times.

    4.3 Preparing New Risk Registers

    To initiate a Risk Register each department or project team should convene a risk identification review at the earliest suitable time.

    In the case of projects, it is recommended that this be at the point where the development concept has been selected but before the definition/FEED stage. At this point, reservoir knowledge, development concept, execution strategy, cost, schedule and commercial framework have been established in sufficient detail to enable meaningful risk assessments to be made.

    The information collation process can either be tasked to individuals or generated by brainstorming by the department or project team. The latter approach is likely to generate a more comprehensive risk register more efficiently and is therefore recommended.

    Regardless of the process, a major objective should be to ensure that:

    the objectives and goals of the projects/departments are clearly understood and are reflected

    the business environment is taken into consideration

    clear team ownership of the risk register and management procedure.

    The risks identified may be grouped under agreed headings or, in the case of projects, using the Work Breakdown Structure (WBS) or functional team set-up.

    Once the risks have been grouped, the risks and the associated control options should be discussed with the objectives of:

    agreeing that the risks or opportunities are realistic, meaningful and comprehensive

    agreeing the risk evaluation rating in accordance with the example in the Appendix. The ratings must reflect the business environment and be objective as far as possible.

    agreeing the control procedure and actions that would mitigate each risk. These should be specific, clearly defined and include a timescale for completion of the mitigating actions, where relevant.

    ensuring an alignment of documented mitigating actions with the contents of the Business Improvement Plan.

    validating the contents of the proposed risk register before the quarterly publication through inter-departmental consultation, review and challenge. This gives more credibility to, and wider acceptance of, the contents of the register ahead of publication.

    4.4 Risk Ratings

    The following method of rating of risks is a mandatory requirement for all Risk Registers.

    Each risk is evaluated in terms of its Impact (I), Probability (P) and its Manageability (M). See Appendix 7.1 for guidance notes. Each of these risk factors has a rating between 1 and 3. The final rating is calculated as shown below:

    FINAL RATING = IMPACT X PROBABILITY X MANAGEABILITY

    Using this method the minimum risk rating is 1 and the maximum is 27.

    4.5 Elevation of Risks

    The main business risks will be elevated into the Corporate Risk Register, and potentially into the Partners Risk Management system. Proposed criteria for deciding which risks need to be elevated will be based on the following rating levels:

    1-11 - Projects/Department

    12-17 - Rashpetco/Burullus level

    18+ - Partner Level.

    4.6 Dealing with Risks

    Central to risk management is selection of the most appropriate mitigation or control strategies.

    These may:

    Avoid the risk by suggesting alternative courses of action

    Eliminate the cause(s) of the risk

    Reduce the likelihood of the risk occurring

    Reduce the direct consequence of the risk

    Minimise its impact in business terms

    Transfer the risk (e.g. Insurance)

    Instigate investigation to gather further information before a final decision is made

    Accept the risks as unavoidable.

    The appropriate mitigation or control method is very context specific and there is no universally right or wrong approach. The above generic approaches can be used for guidance, but ultimately the decisions will be based on the knowledge, experience and judgment of the management team.

    4.7 Managing Risk

    Risks will normally be identified during individual, dedicated sessions or on request prior to Risk Meetings, but all COMPANY employees and PMT members are responsible for being risk aware at all times. Any risk identified during a review process, or at any other time, that threatens the successful achievement of COMPANY business objectives should be brought to the attention of the relevant Department or Project Manager for inclusion, if appropriate, within the appropriate risk register.

    Risk is managed using a series of structured meetings, which are described in 3.3 and in the terms of reference in 4.8.

    All nominated personnel will attend each Risk Management meeting.

    The purpose of the meeting is to brief the attendees of all the risks (particularly those scoring medium and high ranking), discuss/rank new perceived risks and review/agree mitigating actions and actionees.

    Prior to the risk meeting, each member of the meeting will be responsible for forwarding a list of revised current ratings or new perceived risks, which will be processed by the nominated Risk Register Co-ordinator who will update the Risk Register prior to each meeting. All new Ratings or Risks will be evaluated during the meeting and the rating modified as appropriate.

    4.8 Risk Meetings Terms of Reference

    The relevant terms of reference are stated below.

    Terms of Reference - Corporate Risk Management Meeting

    Frequency / Time: Quarterly / 1 hour

    Chair / Owner: MDs

    Action Log Owner: Governance Manager

    Attendees

    Chairman & MD

    General Manager & MD

    All General and Deputy General Managers

    All Project Managers

    Governance Manager

    Objectives

    To promote a comprehensive Risk Management Process within the COMPANY

    To maintain Corporate Risk Register

    To establish and agree a common understanding of specific mitigation actions

    To align Risk mitigation actions with BIPs

    To agree the Partner Level Risks.

    To evaluate the progress of outstanding audit actions.

    Agenda

    Minutes and action from the previous meeting

    Review of Corporate and Partner Level Risk Registers

    BIPS

    Review of Audit Log and outstanding items

    Inputs

    Action log from prior meeting

    Departmental and Corporate Risk Registers

    Business Improvement Plans

    Audit Action Logs and Tracking Registers

    Outputs

    Agreed Corporate Risk Registers

    Agreed Shareholder Risk Register

    Revised Business Improvement Plans.

    Revised Audit Action logs and Tracking Registers

    Comments:

    This meeting will be scheduled to align with Partners Risk Management meeting and Business Control meeting.

    Terms of Reference - PROJECT & DEPARTMENT RISK MEETINGS

    Frequency / Time: Quarterly / 1 hour

    Chair / Owner: GMs

    Action Log Owner: As designated.

    Attendees

    GMs

    Key Managers

    Objectives:

    To support the COMPANY Risk Management Manual requirements

    Maintain Department / Project Risk Register

    Co-ordinate Audit Activities and Reporting

    Develop Mitigating Action Lists

    Maintain the departmental Business Improvement Plan

    Agenda:

    Minutes from previous meeting

    Review Register

    Agree Risks that will cascade to the Corporate Risk Register

    Review Audit Log

    Review BIP

    Inputs:

    Action log from previous meeting

    Departmental Risk Register

    Corporate Risk Register

    Feedback from other departments & GMs

    Audit Reports and Action Logs

    BIP

    Outputs:

    Updated Risk register

    Agreed Corporate levels risks

    Updated Action log and Audit findings

    Revised BIP

    Comments:

    5. RESPONSIBILITY MATRIX

    RISK MANAGEMENT - RACI MATRIX

    R = Responsibility, A = Accountable, C = Consulted, I = Informed

    Columns: Managing Partner; Managing Directors; Governance Manager; Project/Department Managers; Project/Department Risk Co-ordinator

    1 Approval of this Manual I R A I

    2 Maintenance of this Manual R A I

    3 Participation in Managing Partners Risk Process I R A C

    4 Updating and Issuing of the Corporate Risk Registers I R A I

    5 Approval of the Corporate Risk Registers R A C

    6 Elevating of risks to the Corporate Risk Registers C A R I

    7 Updating and Issuing of Department / Project Risk Register I R/I A

    8 Approval of Department / Project Risk Registers I I/C R/I A

    9 Preparation of the Department / Project Risk Register R I/C R A

    6 APPENDICES

    6.1 Guidelines for Risk Rating

    The following guidelines are general and may not be appropriate to all circumstances.

    IMPACT

    Factor                  1 (Low impact)                   2 (Medium impact)                3 (High impact)
    Schedule                < 7 days >7days, 1 month
    Cost                    $150k, $6mm
    Quality                 Acceptable with minor actions    Acceptable with major actions    Not acceptable
    Safety & environment    Tolerable with minor actions     Tolerable with major actions     Not acceptable
    RASHPETCO image         Acceptable with minor actions    Acceptable with major actions    Not acceptable
    Stakeholders image      Acceptable with minor actions    Acceptable with major actions    Not acceptable

    PROBABILITY

    1 (Low): Less than once in 5 years, very unlikely to occur

    2 (Medium): Once in 5 years, quite likely to occur

    3 (High): Once a year, very likely to occur

    MANAGEABILITY

    1 (Low): Relatively easy to manage with normal management resources.

    2 (Medium): Needs special attention and possibly enhanced management procedures

    3 (High): Difficult to manage and may need outside assistance.

    RISK RATING = IMPACT X PROBABILITY X MANAGEABILITY

    6.2 RISK REGISTER TEMPLATE

    The template can be found in the Governance Shared Drive, under Risk Management.

    The document is self-explanatory and can be completed using the process detailed in section 4 above. Where you need to have an input in terms of the Register format, appropriate comments have been inserted in the register template to guide you. These are identified by the yellow marks. Just put your pointer over it to read the comment. Then highlight and type the required information over it.