Académique Documents
Professionnel Documents
Culture Documents
Framework
We are committed to the identification, measurement and monitoring of threats and opportunities
wherever they may impact, either negatively or positively, our business objectives.
Ausenco has developed and implemented a common, simple and proactive approach to risk
management which applies across all of Ausencos activities and operations. It is the responsibility of
everyone to manage risk in accordance with this framework and to utilise the resources and tools
available, including Ausencos enterprise risk management tool, Active Risk Manager.
This framework has been produced to explain the mandated Ausenco Enterprise Risk Management
approach, methodology and requirements.
I expect all elements of the Ausenco Business to comply with this framework and ensure that it is
supported proactively within our business.
Zimi Meka
Chief Executive Officer
1. Risks
2. Issues
3. Opportunities.
This framework and corresponding process defined in this document reflect the minimum
requirements for the compliance with the Ausenco Risk Management Policy. This framework is
also designed to meet our internal and external obligations including:
This framework is applicable to all Ausenco activities and its application is mandatory. It is
therefore expected that all Functions and Business Lines implement and undertake proactive
risk, issue and opportunity management in line with the minimum requirements defined within
this framework.
The core process defined in this framework reflects AS/NZS ISO 31000:2008 Risk
Management Principles and Guidelines and industry best practice. The process is aligned to
the language and maturity of the business, and encompasses our Enterprise Risk
Management (ERM) objectives.
This framework as well as the Ausenco Risk Management Policy will act as overarching
requirements for the management of risks, opportunities and issues across the business. These
documents are complemented by the Business Risk Management Plan and Project Delivery
Standards and Guidelines.
The Ausenco Board is ultimately responsible for risk management across our business and for
communicating the business requirements of the Risk Management Policy.
The Chief Executive Officer is responsible for the leadership, direction and coordination of risk
management throughout Ausenco.
The Ausenco Leadership Team is responsible for monitoring those risks which pose the
greatest threat to the achievement of corporate business objectives. Each Business Line
President of Functional Chief will carry responsibility for managing risks within their own
business line or function and will also ensure that risk management responsibilities are
developed and assigned within their business line or function.
All Management Personnel will carry responsibility for managing risks within their own area.
All employees are responsible for engaging in and supporting the risk management process and
ensuring identified risks, issues or opportunities are raised, reported and where appropriate,
managed accordingly.
The Audit and Risk Management Committee, in conjunction with the Ausenco Leadership
Team, are responsible for the development of the risk strategy and its implementation, ongoing
monitoring and continuous improvement.
The Commercial and Risk Management Team will disseminate risk management strategies,
tools and techniques, and will facilitate risk awareness and risk management best practice.
The internal audit function will support Ausenco risk management by providing advice and
support on risk management, and through an annual independent review of risk management
practices and procedures to provide guidance on their efficiency and relevance to the
committee.
3 Risk Appetite
Throughout this Framework reference is made to the acceptance of risk where acceptance
thereof is necessary to realise opportunities considered beneficial to Ausenco.
To be risk adverse can stifle progress and stagnation can result, however acceptance of certain
risks can result in irreparable harm to the organisation.
When realising opportunity involves the need for the voluntary assumption of significant levels
of risk the following principles need to be considered:
The potential benefits must clearly outweigh the assumption of the risks involved.
A balance needs to be established and all risks accepted need to be identified and
treated to minimise the likelihood of harm to Ausenco.
Irrespective of the perceived benefits, the integrity of Ausencos Enterprise Risk
Management must not be compromised.
Type Appetite
Note: Registers may also be split into locations. Register ownership will lie
with the Business Line Presidents.
Note: Registers may also be split into locations. Ultimate ownership will lie
with the Functional Chiefs.
5.1 Plan
Risk Management must be aligned to the objectives and scope of the operation and its
activities. The planning phase involves defining the scope, definitions, organisation,
responsibilities and procedures. The output of the Plan step will be the Risk Management Plan.
This document will define the following:
The identify step involves identifying the risks, opportunities and issues that have the potential
to impact objectives. When identifying risks, opportunities or issues, it is important that these
are understandable and articulate the cause and effects clearly.
Detailed guidance on these identification techniques should be sourced from the Risk
Management Team, details for which can be found on the Commercial and Risk page of the
Ausenco Hub.
5.3 Assess
The assessment step is used to enable a consistent and formalised assessment of the identified
items, which will then provide a prioritisation of the potential outcomes faced. This will assist to
enable management to focus their attention on the critical risks, opportunities or issues.
Identified risks, issues and opportunities will be assessed based on their Likelihood and Impact
using the assessment criteria, and then scored using the Probability and Impact Diagram (PID)
or Heatmap. Figure 4 below is the Ausenco Core Reference Risk and Opportunity Matrix.
5.4 Manage
The manage step involves preparing detailed response plans and implementing them.
Management responses are required for all risks, issues and opportunities. Management
responses should be SMART:
Risks rating above a score of 11 must have a Fallback Plan detailed to articulate an alternative
or recovery approach which can be implemented should the risk occur or develop into an issue.
Responses should be reviewed regularly to ensure risks, issues and opportunities are being
addressed. The key management steps are therefore as follows:
develop and implement management plans for risks, issues and opportunities. Mandatory
for all identified items
develop Fallback plans for items with a score above 11
ensure plans have clear timescales, context and accountability
create SMART responses (controls, actions and fallbacks).
The review step provides a formal opportunity to examine and discuss the overall risk
management status. This includes agreeing follow-up actions that will move the business
forward towards meeting its objectives. Key activities include:
5.6 Communicate
The results of the Identification, Assessment, Management and Review steps must be
communicated and reported to the key stakeholders. The output of this process at the
operational level will be the risk register which will document the identified risks, issues and
opportunities, together with their assessment and agreed management responses.
Reports will continue an overview of the top most significant risks, issues and opportunities,
new and closed items, trending and analysis and register/process health.
The following reports will be generated for Business Risk (or including business risk
information), however reports are not limited as per Table 2 and further reports may be
requested.
The risk management process is a continuous process and risks must be updated based on
operational progress, and changes in the working environment. The governance stage ensures
that the process and risks remain valid, resourced and supported. The key governance activities
include:
Issues or inefficiencies identified with either the application of the process, or the process itself
should also be reported to the Commercial and Risk group to enable continuous improvement
of the risk management process.
ARM access and training can be requested via the Commercial and Risk Management Group.
Term Description
Ausenco mandated system for risk management. Ausenco has selected Active Risk
Manager (ARM) as the tool for enterprise risk management across the business.
ARM is a web based application and is available for projects, alliances and joint
ARM (Active
ventures. ARM access can also be provided by projects to clients, partners and
Risk Manager)
other and internal/external stakeholders as part of our joint working approach. ARM
reflects industry and risk management best practice and fully supports
ISO 31000:2009.
Identify the impact of the risk based on probability (Likelihood) and consequence
Assess
(Impact)
Assessment
Refer Core Reference Risk and Opportunity Matrix
Criteria
Assessment The reasons and justification behind the impact of risk or opportunity, and
Rationale verification of the quantitative impacts
1. Budget - Risks and opportunities associated with the project budget (timing,
constraints etc.).
5. Community - Risks and opportunities associated with the dealings with and
influence of internal and external stakeholders, including issues relating to
the immediate surrounding community, such as interaction,
benefits/concerns to, and social culture.
11. Finance - Risks and opportunity associated with finance aspects of the
project or operation, this can include the ability the find or have sufficient
funding in place, Fraud issues, and the effect of foreign exchange, economic
condition, escalation rates or cash flow (positive or negative) i.e. ROI
uncertainty.
13. Health and Safety - Risks and opportunities associated with the safety and
health of all parties that we have a duty of care towards when executing our
works.
16. Market - Risks and opportunities associated with market conditions. Can
include competition, clients, entry into new markets or countries.
17. Operations - Risks and opportunities associated with the operation of the
project.
19. Political - Risks and opportunities relating to political decisions and political
events which may introduce a change in policy, e.g. changes in defence
policies, government industrial and environmental policies, foreign policies.
22. Quality - Risks and opportunities associated with the defined characteristics
of any of our products or in the ability to achieve required levels of quality.
24. Resources - Risk or opportunities relating to the ability to identify recruit and
retain resources with the necessary skills/experience to be able to carry out
the required business activities.
26. Site Conditions - Risks associated with site conditions including geotech
issues, topography, pre-existing site conditions (e.g. pollution); surface
conditions, mine conditions
27. Strategic - Risks and Opportunities associated with the corporate structure
of Ausenco, internal management interfaces and Ausenco business
processes.
28. Tax - Risks and opportunities associated with tax payments, structures and
billing entities.
29. Transport and Logistics - Risks and opportunities relating to the transport
and logistics of the project.
Comments (Risk
Background or further information to explain the context of the risk or opportunity.
or Opportunity)
RISK
RISK
Possible Could occur at some time. Serious $2.5M - Marginal delays. Localised medium term Serious injury or Negative publicity within industry Serious breach of Delays resulting in Requires internal
(3) 35% - 64% OR (3) $10M AUD Late achievement of damage to an area of local impairment to one media. regulation with reduced throughput restatement of
The event or similar has occurred key milestone value. or more people. Negative regional publicity. Client prosecution or moderate due to changes to strategic objectives.
elsewhere. 8 - 30 days review of Ausenco engagement. fine possible. existing practices. Impact on Values
requires management.
Unlikely May occur in exceptional Moderate $400K - Minor delays. Localised short to medium Medical treatment Negative publicity from local media. Minor legal issues. Sustained minor Minor impact on
(2) circumstances. (2) $2.5M AUD Late achievement of term damage to an area of injury. Client formal notice of non- Moderate non- change to existing Strategic Plan and
15% - 34% OR target date minor local significance. performance. compliances and practices. Values. Adjustments
May occur once in your career 1 - 7 days breaches of regulations. to Strategic Plan
LIKELIHOOD CONSEQUENCE
Operations Strategy
Probability of Occurrence Financial Schedule Environment Health and Safety Reputation Legal
Interruption
Rare Not expected to occur in most Minor <$400,000 Minimal benefit Limited enhancement to a Prevention of low Local public praise. Prevention of minor non- Temporary minimal Positive alignment with
(1) circumstances. (1) AUD < 1 day localised area. level symptoms Positive feedback from Client. compliances and improvement to Plan.
1% - 14% OR No lasting effects. requiring first aid breaches of regulations. existing practices.
Have not heard of this happening. treatment only.
Unlikely May occur in exceptional Moderate $400K - Minor benefit. Localised short to medium Prevention of Positive publicity and attention Prevention of minor legal Sustained minor Potential activity to
(2) circumstances. (2) $2.5M AUD Early achievement of term enhancement to an medical treatment from local media. Client positive issues or moderate non- improvement to include in strategic
15% - 34% OR target date area of minor local injury. feedback at senior management compliances and existing practices. plan
May occur once in your career. 1 - 7 days significance. level. breaches of regulations.
OPPORTUNITY
OPPORTUNITY
Possible Could occur at some time. Serious $2.5M - Marginal benefit. Localised medium term Prevention of serious Attention from media. Prevention of serious Schedule gain results in Enhances existing
(3) 35% - 64% OR (3) $10M AUD Early achievement of enhancement to an area of injury or impairment Positive regional publicity. Client breach of regulation with increased throughput strategic objectives
The event or similar has occurred key milestone local value. to one or more interest in standing services prosecution or moderate due to improvements
elsewhere. 8 - 30 days people. contract. fine possible. to existing practices.
Likely Will probably occur at some time. Major $10M - $20M Substantial benefit. Wide spread long to Prevention of single Significant positive attention. Prevention of major Prevention of a Demonstrates
(4) 65% - 84% OR (4) AUD Early achievement of medium term enhancement fatality or severe National publicity. Reputation breach of regulation or temporary plant alignment with
The event has occurred several critical path item to valued area. permanent impact to greatly improved. Praise from global major litigation. shutdown. < 1 day business strategy and
times or more in your career. 1 - 3 months multiple people. client. core values
Almost Expected to occur in most Critical >$20M AUD Exceptional benefit. Significant, extensive Prevention of Positive international publicity. Prevention of significant Prevention of a plant Enhances commitment
Certain circumstances. (5) Early achievement of detrimental long term multiple fatalities or Reputation greatly enhanced. Share prosecution / fines or shutdown. to strategy and core
(5) 85% - 99% OR major milestone enhancement. permanent disability price may be affected. Global very serious litigation > 1 day values
Occurs more than once per year. > 3 months to multiple people. industry recognition. including class action.
Financial Impact The potential financial impact of a risk or opportunity on the business objectives.
Current Assessment of the risk based on how likely the risk is to occur and the impact of
Assessment that risk if it does, taking into consideration current controls.
Current The mathematical distribution used to reflect the range of possible impacts defined
Distribution by the quantitative values.
Evaluated level of risk or opportunity (i.e. Extreme, High, Medium, Low) taking into
Current Severity
consideration current controls.
Date which the risk/opportunity was identified/entered into the risk and opportunity
Date Raised
system.
Outline of the risk or opportunity, its context including why and how the risk would
Description occur and its consequence. (Use of a CAUSE, RISK, EFFECT statement is
recommended).
A description of the overall consequences the risk or opportunity may have should it
Effect
occur or objectives effected.
Environmental
Potential impact of risk or opportunity on the local environment.
Impact
Estimated cost should the risk or opportunity occur. Includes money spent on
Exposure Cost
completed treatment and expected impact.
Task or set of tasks to be taken after a risk or opportunity event has occurred in
Fallback Plan
order to reduce or address the effect of the risk, or provide an alternative solution if
Description
an opportunity was missed
Funding status denotes that for those projects and operations which have a
contingency or provision release process the stage in the funding allocation process
the response resides:
The activities associated with managing and policing the risk and opportunity
Govern
management process.
Also Probability and Impact Diagram (PID) Matrix. A diagram of the risks and
opportunities likelihood vs. impact, reflecting the Ausenco scoring and severity
criteria:
Heat Map
The process step responsibly used for the identification and capture of risks and
Identify
opportunities faced by an endeavour.
Impact End The date in which the risk/opportunity is no longer valid and will no longer occur.
Incident Situation or event which has occurred and exposed the business to loss.
Interested Key stakeholders or business leads with an interest or other who could be impacted
Parties by the consequence of the risk/opportunity.
Issue A risk that has occurred, or definitely will occur in the future (refer definition of risk).
Commercial and Risk Ausenco 2014. All rights reserved. 15 of 19
Enterprise Risk Management Framework Document uncontrolled when downloaded/printed
Version: 1 Issue Date: 27-February-2014
Term Description
The process steps responsible for ensuring the treatment of risks and opportunities
Manage is adequately defined, applied, and that sufficient support or attention is provided to
ensure successful management of the risk/opportunity faced.
Next Review
Date the risk/opportunity should be formally reviewed and updated.
Date
Owner (Risk or Individual responsible and accountable for providing updates and reviews of
Opportunity) captured risks and opportunities.
Per cent
The progress of treatment task.
Complete
The process stage responsible for developing the treatment strategy that targets
Plan key areas or drivers in order to reduce the severity of the risk/opportunity impact
and/or the probability of occurrence.
Risks (Threats):
Transfer: Seek to transfer the risk and place the liability on to a third party.
(NB: The only effected transference approach is to seek to transfer the risk
back to the client if they are the source of risk).
Opportunities:
Share: Seek to use the benefits of the opportunity as incentives with third
parties help realise the benefit.
An estimate of the likelihood that a particular event will occur, usually expressed on
a scale of 0 to 100%. Estimates of probability are often subjective, as the
Probability combination of tasks, people and other circumstances are usually unique. In a
controlled, repeatable environment, such as a factory or laboratory, it may be
possible to derive objective probabilities such as fault rates.
Response
Original due date for an action.
Baseline Due
Response Used to record and note information concerning the response, such as progress to
Comments date.
Response
Date response was completed.
Completion
Response Owner The person responsible and accountable for performing the response task.
Response Start
Date the response should be commenced.
Date
The lifecycle of the response and identifies the stage in the management process
for which it currently resides. The following lifecycle statuses are currently used and
have the following definitions:
Not Yet Started: Response has been identified as valid but has not yet
begun.
Response Title A clear and concise indication/summary of the action, control or fallback.
Review
Date a fallback or control should be revisited to assess validity.
(Response)
Risk and
The process whereby risk and opportunities are identified assessed and
Opportunity
management responses formulated to address the issues faced.
Management
Commercial and Risk Ausenco 2014. All rights reserved. 17 of 19
Enterprise Risk Management Framework Document uncontrolled when downloaded/printed
Version: 1 Issue Date: 27-February-2014
Term Description
Risk and
Set of components that provide the foundations and organisational arrangements of
Opportunity
designing, implementing, monitoring, reviewing and continually improving risk and
Management
management processes throughout the organisation.
Framework
Risk and
Opportunity A document defining how Risk and Opportunity Management is to be implemented
Management in the context of the particular project/business concerned.
Plan
Risk and
Document outlining the detailed requirements and minimum levels of achievement
Opportunity
necessary for successful implementation of risk and opportunity management in line
Management
with the Ausenco risk and opportunity management process.
Policy
Risk and
A list of all risks and opportunities identified by the risk and opportunity process,
Opportunity
including full descriptive detail and cross-references.
Register
Quantitative and Qualitative definitions for the levels of risk and opportunity
Scoring Scheme exposure to determine scoring/assessment (refer Core Reference Risk and
Opportunity Matrix).
Anything which alone or in combination has the intrinsic potential to give rise to a
Source
risk or opportunity.
Active: Risk or Opportunity has been created and approved as a valid risk
by the Risk Owner and Project/Business Manager.
Status (Risk and Closed - Occurred: Risk or Opportunity has impacted on the project or
Opportunity) business and cannot occur again.
Closed - Expired: Risk or Opportunity did not occur and can no longer
impact the project (not due to management but rather time).
Rejected: Risk or Opportunity was created but not approved by the Risk
Owner or Project/Business Manager (this status is similar to the delete
function).
Target Consider the likelihood of the impact assuming successful completing of the
Assessment Treatment Plan.
Target Severity Level of risk or opportunity which should remain if management is successful.
Title (Risk or
Brief summary of the risk or opportunity identified.
Opportunity)
Treatment Cost Total cost of response tasks required to manage the risk or opportunity.
Fallback Plan
Strategy/narrative on the recovery plan should the risk or opportunity occur.
Description