RASHPETCO and BURULLUS Governance System
Document Title: Risk Management Manual
Document Number: RPC-COR-MS-RMP-201
THIS IS A CONTROLLED DOCUMENT NO.
THIS IS AN UNCONTROLLED DOCUMENT X
Controlled documents will automatically be re-issued to recipients as and when changes occur. It is the recipient's responsibility to replace and destroy the old version.
Uncontrolled documents will not automatically be re-issued and users should ensure that they have the latest version. If in doubt, consult Governance department.
Revision 2
Description: Accommodate validation checks; update meetings terms of reference; clarity of link to the Partners process; realignment of the responsibility matrix; link to Objectives, Performance Contracts & Business Improvement Plan; and some format changes. A Risk Register template has also been produced and referenced in this manual.
Prepared: Governance Manager, B Williams
Checked: Internal Audit GM, M Helmy
Approved: MD & GM, F Ahrabi
Approved: Chairman & MD, T El-Attar

Revision 1
Description: Format and number changes only
Prepared: Governance, Chris. Thomas
Checked: HSE D/GM, Alan Spicer
Checked: HSE GM, Alaa El Din Shinaishai
Approved: M.D. & G.M., R. Fox
Approved: Chairman & M.D., T El-Attar
Date: July 2003
Revision: 2
CONTENTS
PART 1 INTRODUCTION
1.1 Purpose
1.2 Scope
1.3 Definition of Risk
1.4 Benefits of Risk Management
PART 2 BUSINESS PROCESS MAPS
2.1 Risk Management Business Process
2.2 New Register Preparation Business Process
PART 3 RISK MANAGEMENT STRUCTURE
3.1 Process Hierarchy
3.2 Risk Registers
3.3 Risk Meetings
PART 4 BUSINESS PROCESS NOTES NEW REGISTERS
4.1 Format and Content
4.2 Ownership of Registers
4.3 Preparation of new Registers
4.4 Risk Ratings
4.5 Elevation of risks
4.6 Dealing with risks
4.7 Managing risks
4.8 Risk Meetings Terms of Reference
PART 5 RESPONSIBILITY MATRIX
5.1 Responsibility Matrix
PART 6 APPENDICES
6.1 Method of Risk Rating
6.2 Risk Register Template
1 INTRODUCTION
1.1 Purpose
This document defines the Risk Management process. It covers the ongoing process of Business Risk identification, understanding, measurement and decision making to control and mitigate the identified risks, recognising that a risk may present either an opportunity or threat to the achievement of the COMPANY objectives.
Risk management is an iterative process and should be used at all levels within the Company and at all stages within the business cycle. All employees have responsibility for managing the risks relevant to their role.
1.2 Scope
This guideline outlines a methodology for the management of risk of all COMPANY activities, including all the phases of project lifecycles.
Note: It is also the COMPANY intention to include the main contractors working on COMPANY Projects in the Risk Management process. The frequency, process and format for gathering the Risk information shall be agreed during the tender processes or kick-off meeting.
1.3 Definition of Risk
Within this guideline risk is defined as either:
the threat that an event or action will adversely affect the COMPANY, and prevent it from achieving its objectives, or
a missed opportunity for improvement.
The consequences can affect one or more of the following:
cost (CAPEX and OPEX)
schedule
quality, including plant capacity, flexibility, availability
health, safety, security and environment
company image and reputation
licence to operate
financial management
third party relations.
1.4 Benefits of Risk Management
The main benefits of a formalised risk management process are that it:
creates an understanding of the relationship between risks: cost, timescales, image, quality and safety and environment, and brings realism into the consideration of the trade-offs between them
improves decision making at all levels in the company
underpins a culture of continuous improvement; encouraging openness and enabling effective, pro-active and timely application of knowledge and expertise
ensures ownership of risks, so they are effectively monitored and pro-actively managed
focuses, through rating, on the key risk areas
makes risks, and actions taken to resolve them, clearly visible to management
reduces the likelihood of a risk materialising and the impact if it does
reduces spending on resolution of problems, through addressing them earlier
improves the quality and accuracy of CAPEX estimates and project schedules
optimises exploitation of opportunities
encourages the proper handling of risks rather than the management of crises.
2 BUSINESS PROCESS
2.1 New Register Preparation Process
[Flowchart: New Register Preparation Business Process. Inputs: Business Environment; Objectives, Performance Contracts, Business Improvement Plan. Boxes: Risk Register Required; Define Risks; Evaluate and Rate Risks; Determine Mitigating Actions; Allocate Risk Owners; Finalise and Issue Risk Register; Department / Project Risk Register. Decision (YES / NO): Are risks higher rated than threshold 1 & 2 as defined by the MDs in discussion with Partners? Outcomes: Cascade Risks to Corporate Register and Risk Management Business Process (see 2.2 below); Retain and manage within the department or project; End of Process. Label: Threshold Ratings 1 and 2.]
2.2 Risk Management Business Process
[Flowchart: Risk Management Business Process. Boxes: Initiate Risk Management; Identify new and changes in Risks; Hold Risk Meeting and Re-evaluate Risks; Validate Risk Register contents through interdepartmental reviews and challenges; Finalise and Issue Risk Register; Department / Project Risk Register; Cascade Risks to Corporate Register; Corporate Risk Register; Hold Corporate Risk Meeting and Re-evaluate Risks; Submit Risks to Managing Partners Risk System; Review Feedback and Update Register; Initiate Mitigating Actions; End of Business Process. Decisions (YES): Threshold Rating 1: Are risks higher rated than threshold 1 i.e. score of 12 and above? Threshold Rating 2: Are risks higher rated than threshold i.e. score of 18 and above? Link: New Register Preparation Process (see 2.1 above).]
3. BUSINESS RISK MANAGEMENT STRUCTURE
3.1 Process Hierarchy
The company Business Risk Management system is structured to enable Risks to be rated and prioritised in order to ensure that each risk receives the appropriate management attention. (As shown on the following chart):
3.2 Risk Registers
Risk Registers will be prepared and managed as defined in section 2. Current registers will be kept within the Governance Documents suite. Risk Owners are responsible for sending a copy of the current register to the Governance Manager. As a minimum requirement, the COMPANY will maintain the following registers.
REGISTER | OWNER | RISK LEVEL
Corporate | Managing Directors | High and Medium
All Projects | Project General Managers | All Project Risks
Operations | Operations General Managers | All Department Risks
Exploration | Exploration General Managers | All Department Risks
Finance | Finance General Managers | All Department Risks
HSE | HSE General Managers | All Department Risks
IT | IT General Manager | All Department Risks
Contract & Procurement | GM Material and GM Contract | All Department Risks
However, all departments are expected to routinely review their Business Risks, capture the risks and mitigating actions, preferably through a Risk Register, demonstrate the management of the risks and report any significant changes to the Managing Directors.
[Chart: RASHPETCO Risk Management Structure (Risk Prioritisation). High level risks: Partner level. Medium level risks: Corporate Register, Corporate Risk Meeting. All risks: Project & Department Registers, Risk Management Meetings.]
3.3 Risk Meetings
Risk Meetings are the essential formal elements in managing risk at all risk levels within the COMPANY. There are three levels of risk meetings, which are as follows:
Partner Risk Meeting
This meeting is held every quarter and it is owned and shared by BG Egypt (BGE) on behalf of other partners. Rashpetco risks scoring 18 and above are fed into this process by the submission of the Corporate Partner Level Risk Register to BGE in advance of this meeting. In addition, the BGE Managers responsible for the Projects receive and contribute to the Project/Operation Risk Registers routinely. These processes allow adequate review and challenge opportunities ahead of the quarterly meeting. Rashpetco/Burullus will be represented at this meeting by the Governance Manager, and Risk Owners may be invited by BGE should further clarification be required.
Corporate Risk Meetings
This meeting is held every quarter and captures all risks scoring 12 and above from the departmental risk registers. These risks are contained in the Corporate General Risk Register. In addition, corporate specific risks are identified, processed and added to the register in advance of this meeting. This meeting will agree the contents of the register and the elevation of risks scoring 18 and above to the Corporate Partner Level Risk Register. An important role of this meeting is to re-evaluate and finalise the risk ratings and in the process identify the risks to be elevated to the Partners. For example, a risk item with a score of 18 and above from a department may end up with a lower score because Rashpetco management considers that the manageability factor should be lower; whilst manageability may be outside the control of the department, it is considered to be within the company's control.
Department and Project Risk Meetings
These meetings will identify and evaluate all risks associated with their business objectives. All risks scoring 12 and above, after inter-department validation process, will be elevated to the Corporate Risk Register.
The terms of reference for the Corporate Risk meeting and the Departmental/Project Risk meetings are contained in Section 4. The terms of reference of the Partner Risk meeting are determined by BGE.
4 BUSINESS PROCESS NOTES FOR THE PREPARATION OF RISK REGISTERS
4.1 Format and Content
Adopting a standardised format for project risk registers facilitates the review and comparison of risks across projects, and the assembly of an asset's risk register from its constituent projects. A suggested format is shown in Appendix 1. If there is a need to depart from this format because it does not fit in with a department/project's established procedures, this should be discussed with the Governance Manager who may use the opportunity to implement an improved format.
4.2 Ownership of Risk Registers
Ownership of the overall risk register lies with the General Manager. Maintenance of the register may be delegated to an identified risk co-ordinator within the project/department team, whose role is to ensure that risks are added, updated and closed out on the register in a timely fashion. It is recommended that regular risk reviews are held, at least quarterly, to ensure that the register reflects the true risk status at all times.
4.3 Preparing New Risk Registers
To initiate a Risk Register each department or project team should convene a risk identification review at the earliest suitable time.
In the case of projects, it is recommended that this be at the point where the development concept has been selected but before the definition/FEED stage. At this point, reservoir knowledge, development concept, execution strategy, cost, schedule and commercial framework have been established in sufficient detail to enable meaningful risk assessments to be made.
The information collation process can either be tasked to individuals or generated by brainstorming by the department or project team. The latter approach is likely to generate a more comprehensive risk register more efficiently and is therefore recommended.
Regardless of the process, a major objective should be to ensure that:
the objectives and goals of the projects/departments are clearly understood and are reflected
the business environment is taken into consideration
clear team ownership of the risk register and management procedure.
The risks identified may be grouped under agreed headings or, in the case of a project, using the Work Breakdown Structure (WBS) or functional team set-up.
Once the risks have been grouped, the risks and the associated control options should be discussed with the objectives of:
agreeing that the risks or opportunities are realistic, meaningful and comprehensive
agreeing the risk evaluation rating in accordance with the example in the Appendix. The ratings must reflect the business environment and be objective as far as possible.
agreeing the control procedure and actions that would mitigate each risk. These should be specific, clearly defined and include a timescale for completion of the mitigating actions, where relevant.
ensuring an alignment of documented mitigating actions with the contents of the Business Improvement Plan.
validating the contents of the proposed risk register before the quarterly publication through inter-departmental consultation, review and challenge. This gives more credibility to, and wider acceptance of, the contents of the register ahead of publication.
4.4 Risk Ratings
The following method of rating of risks is a mandatory requirement for all Risk Registers.
Each risk is evaluated in terms of its Impact (I), Probability (P) and its Manageability (M). See Appendix 7.1 for guidance notes. Each of these risk factors has a rating between 1 and 3. The final rating is calculated as shown below:
FINAL RATING = IMPACT X PROBABILITY X MANAGEABILITY
Using this method the minimum risk rating is 1 and the maximum is 27.
4.5 Elevation of Risks
The main business risks will be elevated into the Corporate Risk Register, and potentially into the Partners Risk Management system. Proposed criteria for deciding which risks need to be elevated will be based on the following rating levels:
1-11 - Projects/Department
12-17 - Rashpetco/Burullus level
18+ - Partner Level.
4.6 Dealing with Risks
Central to risk management is selection of the most appropriate mitigation or control strategies.
These may:
Avoid the risk by suggesting alternative courses of action
Eliminate the cause(s) of the risk
Reduce the likelihood of the risk occurring
Reduce the direct consequence of the risk
Minimise its impact in business terms
Transfer the risk (e.g. Insurance)
Instigate investigation to gather further information before a final decision is made
Accept the risks as unavoidable.
The appropriate mitigation or control method is very context specific and there is no universally right or wrong approach. The above generic approaches can be used for guidance, but ultimately the decisions will be based on the knowledge, experience and judgment of the management team.
4.7 Managing Risk
Risks will normally be identified during individual, dedicated sessions or on request prior to Risk Meetings, but all COMPANY employees and PMT members are responsible for being risk aware at all times. Any risk identified during a review process, or at any other time, that threatens the successful achievement of COMPANY business objectives should be brought to the attention of the relevant Department or Project Manager for inclusion, if appropriate, within the appropriate risk register.
Risk is managed using a series of structured meetings, which are described in 3.3 and in the terms of reference in 4.8.
All nominated personnel will attend each Risk Management meeting.
The purpose of the meeting is to brief the attendees of all the risks (particularly those scoring medium and high ranking), discuss/rank new perceived risks and review/agree mitigating actions and actionees.
Prior to the risk meeting, each member of the meeting will be responsible for forwarding a list of revised current ratings or new perceived risks, which will be processed by the nominated Risk Register Co-ordinator who will update the Risk Register prior to each meeting. All new Ratings or Risks will be evaluated during the meeting and the rating modified as appropriate.
4.8 Risk Meetings Terms of Reference
The relevant terms of reference are stated below.
Terms of Reference - Corporate Risk Management Meeting
Frequency / Time: Quarterly / 1 hour
Chair / Owner: MDs
Action Log Owner: Governance Manager
Attendees
Chairman & MD
General Manager & MD
All General and Deputy General Managers
All Project Managers
Governance Manager
Objectives
To promote a comprehensive Risk Management Process within the COMPANY
To maintain Corporate Risk Register
To establish and agree a common understanding of specific mitigation actions
To align Risk mitigation actions with BIPs
To agree the Partner Level Risks.
To evaluate the progress of outstanding audit actions.
Agenda
Minutes and action from the previous meeting
Review of Corporate and Partner Level Risk Registers
BIPs
Review of Audit Log and outstanding items
Inputs
Action log from prior meeting
Departmental and Corporate Risk Registers
Business Improvement Plans
Audit Action Logs and Tracking Registers
Outputs
Agreed Corporate Risk Registers
Agreed Shareholder Risk Register
Revised Business Improvement Plans.
Revised Audit Action logs and Tracking Registers
Comments:
This meeting will be scheduled to align with Partners Risk Management meeting and Business Control meeting.
Terms of Reference - PROJECT & DEPARTMENT RISK MEETINGS
Frequency / Time: Quarterly / 1 hour
Chair / Owner: GMs
Action Log Owner: As designated.
Attendees:
GMs
Key Managers
Objectives:
To support the COMPANY Risk Management Manual requirements
Maintain Department / Project Risk Register
Co-ordinate Audit Activities and Reporting
Develop Mitigating Action Lists
Maintain the departmental Business Improvement Plan
Agenda:
Minutes from previous meeting
Review Register
Agree Risks that will cascade to the Corporate Risk Register
Review Audit Log
Review BIP
Inputs:
Action log from previous meeting
Departmental Risk Register
Corporate Risk Register
Feedback from other departments & GMs
Audit Reports and Action Logs
BIP
Outputs:
Updated Risk register
Agreed Corporate level risks
Updated Action log and Audit findings
Revised BIP
Comments:
5. RESPONSIBILITY MATRIX
RISK MANAGEMENT - RACI MATRIX
R = Responsibility
A = Accountable
C = Consulted
I = Informed
Columns: Managing Partner; Managing Directors; Governance Manager; Project/Department Managers; Project/Department Risk Co-ordinator
1 Approval of this Manual I R A I
2 Maintenance of this Manual R A I
3 Participation in Managing Partners Risk Process I R A C
4 Updating and Issuing of the Corporate Risk Registers I R A I
5 Approval of the Corporate Risk Registers R A C
6 Elevating of risks to the Corporate Risk Registers C A R I
7 Updating and Issuing of Department / Project Risk Register I R/I A
8 Approval of Department / Project Risk Registers I I/C R/I A
9 Preparation of the Department / Project Risk Register R I/C R A
6 APPENDICES
6.1 Guidelines for Risk Rating
The following guidelines are general and may not be appropriate to all circumstances.
IMPACT
Factor 1 (Low impact) 2 (Medium impact) 3 (High impact)
Schedule < 7 days >7days, 1 month
Cost $150k, $6mm
Quality: 1 = Acceptable with minor actions; 2 = Acceptable with major actions; 3 = Not acceptable
Safety & environment: 1 = Tolerable with minor actions; 2 = Tolerable with major actions; 3 = Not acceptable
RASHPETCO image: 1 = Acceptable with minor actions; 2 = Acceptable with major actions; 3 = Not acceptable
Stakeholders image: 1 = Acceptable with minor actions; 2 = Acceptable with major actions; 3 = Not acceptable
PROBABILITY
1 (Low): Less than once in 5 years, very unlikely to occur
2 (Medium): Once in 5 years, quite likely to occur
3 (High): Once a year, very likely to occur
MANAGEABILITY
1 (Low): Relatively easy to manage with normal management resources.
2 (Medium): Needs special attention and possibly enhanced management procedures
3 (High): Difficult to manage and may need outside assistance.
RISK RATING = IMPACT X PROBABILITY X MANAGEABILITY
6.2 RISK REGISTER TEMPLATE
The template can be found in the Governance Shared Drive, under Risk Management.
The document is self-explanatory and can be completed using the process detailed in section 4 above. Where you need to have an input in terms of the Register format, appropriate comments have been inserted in the register template to guide you. These are identified by the yellow marks. Just put your pointer over it to read the comment. Then highlight and type the required information over it.