
Enterprise Risk Management Framework

Business Process Standard

Function: Commercial and Risk
Process owner: Zimi Meka

Version: 1
Date: 27 February 2014


Table of Contents
1 Introduction
1.1 Enterprise Risk Management Objectives
1.2 Scope and Application
2 Accountabilities and Responsibilities
2.1 The Board
2.2 Chief Executive Officer
2.3 Ausenco Leadership Team
2.4 Management Personnel
2.5 All Employees
2.6 Audit and Risk Committee
2.7 Commercial and Risk Management Team
2.8 Internal Audit
3 Risk Appetite
4 The Structure of Risk Management within Ausenco
5 Risk Management Process
5.1 Plan
5.2 Identify
5.3 Assess
5.4 Manage
5.5 Monitor and Review
5.6 Communicate
5.7 Govern
6 Active Risk Manager
7 Risk Management Glossary of Terminology

A Message from the Chief Executive Officer
Risk is inherent in all of our activities, but it is the effective and innovative way that Ausenco manages risk
which sets us aside from our competitors. Ensuring that robust and regular risk management is
undertaken is critical to our success as well as in reducing the potential for harm to our people, the
community and our clients.

We are committed to the identification, measurement and monitoring of threats and opportunities
wherever they may impact, either negatively or positively, our business objectives.

Ausenco has developed and implemented a common, simple and proactive approach to risk
management which applies across all of Ausenco's activities and operations. It is the responsibility of
everyone to manage risk in accordance with this framework and to utilise the resources and tools
available, including Ausenco's enterprise risk management tool, Active Risk Manager.

This framework has been produced to explain the mandated Ausenco Enterprise Risk Management
approach, methodology and requirements.

I expect all elements of the Ausenco Business to comply with this framework and ensure that it is
supported proactively within our business.

Zimi Meka
Chief Executive Officer

Commercial and Risk Ausenco 2014. All rights reserved. 1 of 19


Enterprise Risk Management Framework Document uncontrolled when downloaded/printed
Version: 1 Issue Date: 27-February-2014
1 Introduction
To support risk management activities Ausenco has developed a common enterprise approach
and language for risk management.

It should be noted Risk Management at Ausenco encompasses three key elements:

1. Risks
2. Issues
3. Opportunities.

This framework and corresponding process defined in this document reflect the minimum
requirements for the compliance with the Ausenco Risk Management Policy. This framework is
also designed to meet our internal and external obligations including:

- Australian Stock Market (ASX) Corporate Governance Requirements
- Internal and External Audit Requirements
- Legislation
- Ausenco Risk and Audit Committee Requirements.

This framework is applicable to all Ausenco activities and its application is mandatory. It is
therefore expected that all Functions and Business Lines implement and undertake proactive
risk, issue and opportunity management in line with the minimum requirements defined within
this framework.

The core process defined in this framework reflects AS/NZS ISO 31000:2008 Risk
Management Principles and Guidelines and industry best practice. The process is aligned to
the language and maturity of the business, and encompasses our Enterprise Risk
Management (ERM) objectives.

1.1 Enterprise Risk Management Objectives

The Enterprise Risk Management Objectives are to:

- Identify and assess risk in all our activities.
- Apply a robust, coordinated and integrated approach to risk management.
- Break down silos and improve performance.
- Enable the business to retain and harness knowledge.
- Develop and continually improve risk management practices based on established
  international standards and industry best practice.
- Promote risk awareness in every activity and with all of our people.
- Adopt risk management strategies which promote confidence in the achievement of
  optimal business outcomes.

- Extend our risk management capabilities to our clients to enhance management of their
  project risks, or use our clients' policies and procedures if they are considered suitable.
- Ensure that our approach to risk management reflects our commitment to the Core
  Values of our business.

1.2 Scope and Application

This framework as well as the Ausenco Risk Management Policy will act as overarching
requirements for the management of risks, opportunities and issues across the business. These
documents are complemented by the Business Risk Management Plan and Project Delivery
Standards and Guidelines.

The structure of this documentation is depicted in Figure 1 below.

Figure 1 Ausenco Risk Management Document Structure

2 Accountabilities and Responsibilities


2.1 The Board

The Ausenco Board is ultimately responsible for risk management across our business and for
communicating the business requirements of the Risk Management Policy.

2.2 Chief Executive Officer

The Chief Executive Officer is responsible for the leadership, direction and coordination of risk
management throughout Ausenco.

2.3 Ausenco Leadership Team

The Ausenco Leadership Team is responsible for monitoring those risks which pose the
greatest threat to the achievement of corporate business objectives. Each Business Line
President or Functional Chief will carry responsibility for managing risks within their own
business line or function and will also ensure that risk management responsibilities are
developed and assigned within their business line or function.

2.4 Management Personnel

All Management Personnel will carry responsibility for managing risks within their own area.

2.5 All Employees

All employees are responsible for engaging in and supporting the risk management process and
ensuring identified risks, issues or opportunities are raised, reported and where appropriate,
managed accordingly.

2.6 Audit and Risk Committee

The Audit and Risk Management Committee, in conjunction with the Ausenco Leadership
Team, are responsible for the development of the risk strategy and its implementation, ongoing
monitoring and continuous improvement.

2.7 Commercial and Risk Management Team

The Commercial and Risk Management Team will disseminate risk management strategies,
tools and techniques, and will facilitate risk awareness and risk management best practice.

2.8 Internal Audit

The internal audit function will support Ausenco risk management by providing advice and
support on risk management, and through an annual independent review of risk management
practices and procedures to provide guidance on their efficiency and relevance to the
committee.

3 Risk Appetite
Throughout this Framework reference is made to the acceptance of risk where acceptance
thereof is necessary to realise opportunities considered beneficial to Ausenco.

Being risk averse can stifle progress and result in stagnation; however, acceptance of certain
risks can result in irreparable harm to the organisation.

When realising opportunity involves the need for the voluntary assumption of significant levels
of risk the following principles need to be considered:

- The potential benefits must clearly outweigh the assumption of the risks involved.
- A balance needs to be established and all risks accepted need to be identified and
  treated to minimise the likelihood of harm to Ausenco.
- Irrespective of the perceived benefits, the integrity of Ausenco's Enterprise Risk
  Management must not be compromised.

- The principles contained in Ausenco's risk appetite criteria overleaf are to be carefully
  considered and applied in all instances.

Table 1 below depicts Ausenco's risk appetite in terms of financial, legal, environment, health
and safety, reputation and strategy impacts.

Table 1 Risk Appetite

| Type | Appetite |
|---|---|
| Financial | There will be no acceptance of decisions that have a significant negative impact on Ausenco's long term financial stability. |
| Legal | There will be no acceptance of any non-compliance with legal, professional and regulatory requirements. |
| Environmental | There will be no acceptance of decisions that cause environmental harm, especially those that are likely to result in DERM intervention. |
| Health and Safety | There will be no acceptance for compromising personnel or public safety and welfare. |
| Reputation | There will be no acceptance of the failure to conduct business honestly and ethically. There will be no acceptance for damage to the reputation of Ausenco. No justifiable adverse media coverage is acceptable. |
| Strategy | There is acceptance for Ausenco to respond to the changing environment and seize opportunities where necessary. |

4 The Structure of Risk Management within Ausenco


There are two distinct areas of risk management within Ausenco: Project Delivery and Business
Risk Management. Figure 2 below shows the hierarchy of these levels of risk management.

Figure 2 Business Risk/Opportunity Register Structure

1. Project Risk Management (no impact to Ausenco):
   a) Project Delivery Risk/Opportunity Registers - Risks or opportunities managed at a
      project level surrounding project delivery. These risks or opportunities do not
      impact Ausenco as a business. This level of registers is owned by individual
      Project Managers. It should be noted that risks from this section can be escalated
      to Project Level Risks in Section 2 should they be so extreme that the impact will
      affect Ausenco.
2. Business Risk Management (Reputation, Legal, Strategy or Cost impacts to Ausenco):
   a) Operations Risk/Opportunity Registers - Risks that impact all business lines, or
      that have been escalated from the Business Line Registers as they require an
      additional level of management. This register is owned by the Chief Operating
      Officer who is also ultimately accountable for the registers below.
      i) Business Line Risks/Opportunities - Risks or opportunities that affect the
         Business Line's ability to deliver as planned. Ownership of these risks and
         the registers lies with the Business Line Presidents.
      ii) Regional Level Risks/Opportunities - Risks that occur at a regional level that
         may impact Ausenco as a business. Risks within this area may be owned by
         Regional Managers or General Managers but the registers are owned by the
         Business Line Presidents.
      iii) Project Level Risks/Opportunities - Risks or opportunities that occur at a
         project level that may impact Ausenco as a business. Risks within this area
         may be owned by General Managers or Project Directors/Managers but the
         registers are owned by the Business Line Presidents.

      Note: Registers may also be split into locations. Register ownership will lie
      with the Business Line Presidents.

   b) Functional Level Risks/Opportunities - Risks or opportunities that impact the ability
      of the corporate functions to deliver as planned. This level of registers should be
      owned by the Functional Chiefs.
      i) Regional Level Risks/Opportunities - Risks that occur at a regional level that
         may impact Ausenco as a business. Risks within this area may be owned by
         Regional Managers or General Managers, but ultimate ownership lies with
         the Functional Chiefs.

      Note: Registers may also be split into locations. Ultimate ownership will lie
      with the Functional Chiefs.

   c) Ausenco Risks/Opportunities - Risks or opportunities that impact the business's
      ability to deliver as planned. This level of register should be owned by the CEO
      and/or Ausenco Board.

5 Risk Management Process
Figure 3 below is the process for Risk Management at Ausenco.

Figure 3 Ausenco Risk Management Process

5.1 Plan

Risk Management must be aligned to the objectives and scope of the operation and its
activities. The planning phase involves defining the scope, definitions, organisation,
responsibilities and procedures. The output of the Plan step will be the Risk Management Plan.
This document will define the following:

- the scope of the activity and the objectives potentially at risk
- those to be involved in the process, and their roles and responsibilities
- the likelihood and consequence assessment criteria (should be tailored to reflect local
  tolerances)
- the risk reporting and escalation criteria
- the review process and timescales.

5.2 Identify

The identify step involves identifying the risks, opportunities and issues that have the potential
to impact objectives. When identifying risks, opportunities or issues, it is important that these
are understandable and articulate the cause and effects clearly.

The information to be recorded should include:


- a clear title of the risk, issue or impact
- the cause and effect of that item
- the nature of the risk/issue/opportunity, utilising the Ausenco standard categories
- an accountable owner.

Risks, issues and opportunities may be captured in:

- structured reviews, including relevant stakeholders
- documentation reviews
- historical information and lessons learnt
- business and strategic plan reviews
- SWOT (Strengths, Weaknesses, Opportunities, Threats) analyses.

Detailed guidance on these identification techniques should be sourced from the Risk
Management Team, details for which can be found on the Commercial and Risk page of the
Ausenco Hub.

5.3 Assess

The assessment step enables a consistent and formalised assessment of the identified
items, which then provides a prioritisation of the potential outcomes faced. This helps
management focus their attention on the critical risks, opportunities or issues.

Identified risks, issues and opportunities will be assessed based on their Likelihood and Impact
using the assessment criteria, and then scored using the Probability and Impact Diagram (PID)
or Heatmap. Figure 4 below is the Ausenco Core Reference Risk and Opportunity Matrix.

Figure 4 Core Reference Risk and Opportunity Matrix

With the definitions selected, a risk score and severity rating will be assigned to each item in the
register per the Heatmap in Figure 5.

Figure 5 Core Reference and Opportunity Heatmap

5.4 Manage

The manage step involves preparing detailed response plans and implementing them.
Management responses are required for all risks, issues and opportunities. Management
responses should be SMART:

- Specific to the item being addressed
- Measurable in terms of a perceived goal
- Achievable and realistic delivering tangible results
- Resourced accordingly and providing accountability for the response
- Timely in that they have a defined due date which can be monitored and reported
  against.

Risks rating above a score of 11 must have a Fallback Plan detailed to articulate an alternative
or recovery approach which can be implemented should the risk occur or develop into an issue.
Responses should be reviewed regularly to ensure risks, issues and opportunities are being
addressed. The key management steps are therefore as follows:

- develop and implement management plans for risks, issues and opportunities. Mandatory
  for all identified items
- develop Fallback plans for items with a score above 11
- ensure plans have clear timescales, context and accountability
- create SMART responses (controls, actions and fallbacks).

5.5 Monitor and Review

The review step provides a formal opportunity to examine and discuss the overall risk
management status. This includes agreeing follow-up actions that will move the business
forward towards meeting its objectives. Key activities include:

- review of the current risks, their applicability (status) and severity
- add new risks, issues or opportunities
- review responses (status and due date)
- add additional responses
- review risk management process efficiency and effectiveness
- escalate critical items.

5.6 Communicate

The results of the Identification, Assessment, Management and Review steps must be
communicated and reported to the key stakeholders. The output of this process at the
operational level will be the risk register which will document the identified risks, issues and
opportunities, together with their assessment and agreed management responses.

Reports will contain an overview of the top most significant risks, issues and opportunities,
new and closed items, trending and analysis and register/process health.

The following reports will be generated for Business Risk (or including business risk
information); however, reports are not limited to those in Table 2 and further reports may be
requested.

Table 2 Ausenco Business Risk and Opportunity Reports

| Report | Frequency | Audience | Contents |
|---|---|---|---|
| Board Report | Before each Board Meeting | Ausenco Board | Top Risks and Opportunities. |
| Business Risk/Opportunity Report | Bi-Monthly | CEO | Top Risks and Opportunities; Trending; Analysis; Register/Process Health. |
| Operations Issues Report | Monthly | COO | Issues; Trending; Analysis; Register/Process Health. |
| ALT Monthly Reports | Monthly | CEO | Issues impacting functions of business lines. |

5.7 Govern

The risk management process is a continuous process and risks must be updated based on
operational progress, and changes in the working environment. The governance stage ensures
that the process and risks remain valid, resourced and supported. The key governance activities
include:

- including risk reviews in meeting agendas
- regularly assessing the risk management implementation progress
- setting risk management KPIs for personnel.

Issues or inefficiencies identified with either the application of the process, or the process itself
should also be reported to the Commercial and Risk group to enable continuous improvement
of the risk management process.

6 Active Risk Manager


Active Risk Manager (ARM) is the chosen Enterprise Risk Management tool. All business risk
management is to be conducted within ARM.

ARM access and training can be requested via the Commercial and Risk Management Group.

7 Risk Management Glossary of Terminology

Term Description

Action: A response task taken to prevent risk or maximise opportunity.

Approval Date: The date on which a risk/opportunity is marked as active (approved) and becomes
valid.

ARM (Active Risk Manager): Ausenco mandated system for risk management. Ausenco has selected
Active Risk Manager (ARM) as the tool for enterprise risk management across the business.
ARM is a web based application and is available for projects, alliances and joint
ventures. ARM access can also be provided by projects to clients, partners and
other internal/external stakeholders as part of our joint working approach. ARM
reflects industry and risk management best practice and fully supports
ISO 31000:2009.

Assess: Identify the impact of the risk based on probability (Likelihood) and consequence
(Impact).

Assessment Criteria: Refer Core Reference Risk and Opportunity Matrix.

Assessment Rationale: The reasons and justification behind the impact of risk or opportunity, and
verification of the quantitative impacts.


Category (Risk and Opportunity): The type or nature of risk/opportunity faced by the
business/project, based on the Ausenco corporate categorisation. Can be considered a source or
prevailing condition which would lead to the materialisation of a risk or opportunity. One or
more categories should be identified for each risk or opportunity:

1. Budget - Risks and opportunities associated with the project budget (timing,
   constraints etc.).

2. Client - Risks and opportunities associated with the client.

3. Commercial - Risks and opportunities associated with commercial
   conditions, i.e. contractual requirements, subcontractor arrangements.

4. Communications - Risks and opportunities associated with ICT, this could
   include risk to the physical infrastructure, the IS architecture or any other
   aspect of ICT, e.g. security or the provision of, or reliance on, ICT to support
   business/project activities. The category also includes communication issues
   between Ausenco, the Client or Contractors.

5. Community - Risks and opportunities associated with the dealings with and
   influence of internal and external stakeholders, including issues relating to
   the immediate surrounding community, such as interaction,
   benefits/concerns to, and social culture.

6. Compliance and Legal - Risks and opportunities relating to compliance with
   legislative, legal and other requirements.

7. Construction - Risk pertaining to the construction of the project. Can
   include risks and opportunities relating to the use, reliability, availability,
   suitability or dependency on physical plant and equipment to support
   activities.

8. Economic - Risks and opportunities associated with economic conditions
   (global or regional).

9. Engineering - Risks and opportunities relating to the use of technology or
   technological working environment. Typically inclusive of issues associated
   with design, and can also cover items that have little or no previous history of
   use within the group.

10. Environmental - Risks and opportunities associated with existing physical
    environment; impacts to the physical environment and/or relating to the
    physical working environment. Involves issues associated with changes to
    the environment such as discharge of water, pollution, dust, noise, visual
    impact, etc. Can also relate to the context in which the endeavour or
    enterprise operates; the boundaries that constrain it, and any externalities
    that may influence it.

11. Finance - Risks and opportunities associated with finance aspects of the
    project or operation, this can include the ability to find or have sufficient
    funding in place, fraud issues, and the effect of foreign exchange, economic
    condition, escalation rates or cash flow (positive or negative) i.e. ROI
    uncertainty.

12. General Infrastructure - Risks and opportunities associated with water,
    power, accommodation etc.

13. Health and Safety - Risks and opportunities associated with the safety and
    health of all parties that we have a duty of care towards when executing our
    works.


14. Industrial Relations - Risks and opportunities relating to the relationship
    between employers and employees, and their dealings with each other. Can
    include the influence of unions/policies and wages or other employee issues
    such as working locations and training.

15. Insurance - Uncertainties with Project Works, Professional Indemnity,
    Workers Compensation, Contractors Plant and all other minor insurances.
    Can include issues relating to the level of cover and likely claims and excess
    costs, or ability to gain the necessary policies.

16. Market - Risks and opportunities associated with market conditions. Can
    include competition, clients, entry into new markets or countries.

17. Operations - Risks and opportunities associated with the operation of the
    project.

18. Permits and Approvals - Risks and opportunities associated with
    preparing, lodging and obtaining permits and approvals associated with the
    project or endeavour.

19. Political - Risks and opportunities relating to political decisions and political
    events which may introduce a change in policy, e.g. changes in defence
    policies, government industrial and environmental policies, foreign policies.

20. Procurement - Risks and opportunities associated with procurement of
    materials and equipment.

21. Project Management - Risks and opportunities associated with compliant
    implementation and application of Ausenco Project Delivery Systems
    (PRISM/AusDB/ERP/Project Controls etc.), or any other project
    management area e.g. strategy.

22. Quality - Risks and opportunities associated with the defined characteristics
    of any of our products or in the ability to achieve required levels of quality.

23. Reputation - Risks and opportunities with potential to impact or enhance
    Ausenco's reputation either locally, regionally or in a market sector.

24. Resources - Risks or opportunities relating to the ability to identify, recruit and
    retain resources with the necessary skills/experience to be able to carry out
    the required business activities.

25. Schedule - Risks and opportunities associated with project delivery or
    operational schedule such as timescales including complexity,
    internal/external pressures or dependencies.

26. Site Conditions - Risks associated with site conditions including geotech
    issues, topography, pre-existing site conditions (e.g. pollution); surface
    conditions, mine conditions.

27. Strategic - Risks and opportunities associated with the corporate structure
    of Ausenco, internal management interfaces and Ausenco business
    processes.

28. Tax - Risks and opportunities associated with tax payments, structures and
    billing entities.

29. Transport and Logistics - Risks and opportunities relating to the transport
    and logistics of the project.

Cause: The underlying driver/trigger of a risk/opportunity occurring. For example, if the risk
is Bridge Collapse, the cause might be Poor Maintenance, Design Flaw, Traffic
Growth, etc.


Comments (Risk or Opportunity): Background or further information to explain the context of the
risk or opportunity.

Control: A control is a type of response which takes place on an ongoing basis to contain a
risk to an acceptable level, rather than a one-off action. An example of a control
would be the employment of a safety inspector or quality control officer. This would
have an ongoing effect to mitigate risk (and an ongoing cost).

The standard set of criteria Ausenco assess


Ausenco Core risks
Reference Riskand
Matrixopportunities by:
LIKELIHOOD CONSEQUENCE
Operations Strategy
Probability of Occurrence Financial Schedule Environment Health and Safety Reputation Legal
Interruption
Almost Expected to occur in most Critical >$20M AUD Exceptional delays. Significant, extensive Multiple fatalities or Negative international publicity. Significant prosecution / Plant shutdown. Material impact on
Certain circumstances. (5) Late achievement of damage long term or permanent disability Reputation severely tarnished. fines. > 1 day achieving Strategic
(5) 85% - 99% OR critical milestone irreversible impact. to multiple people. Share price affected. Contract Very serious litigation Plan. Complete
Occurs more than once per year. > 3 months termination by global Client. including class action. inconsistency with
Core Values
Likely Will probably occur at some time. Major $10M - $20M Substantial delays. Wide spread medium to Single fatality or Direct criticism within industry Major breach of Temporary plant Key dimension/s of
(4) 65% - 84% OR (4) AUD Late achievement of long term damage to valued severe trauma to media. Negative national publicity. regulation. shutdown. Strategic Plan will not
The event has occurred several critical milestone area. multiple people. Reputation tarnished. Loss of Major litigation. < 1 day be achieved. Values
times or more in your career. 1 - 3 months credibility with global Client. compromised &
unacceptable.

RISK
RISK

Possible Could occur at some time. Serious $2.5M - Marginal delays. Localised medium term Serious injury or Negative publicity within industry Serious breach of Delays resulting in Requires internal
(3) 35% - 64% OR (3) $10M AUD Late achievement of damage to an area of local impairment to one media. regulation with reduced throughput restatement of
The event or similar has occurred key milestone value. or more people. Negative regional publicity. Client prosecution or moderate due to changes to strategic objectives.
elsewhere. 8 - 30 days review of Ausenco engagement. fine possible. existing practices. Impact on Values
requires management.
Unlikely May occur in exceptional Moderate $400K - Minor delays. Localised short to medium Medical treatment Negative publicity from local media. Minor legal issues. Sustained minor Minor impact on
(2) circumstances. (2) $2.5M AUD Late achievement of term damage to an area of injury. Client formal notice of non- Moderate non- change to existing Strategic Plan and
15% - 34% OR target date minor local significance. performance. compliances and practices. Values. Adjustments
May occur once in your career 1 - 7 days breaches of regulations. to Strategic Plan

Core Reference Rare Not expected to occur in most


circumstances.
Minor
(1)
<$400,000
AUD
Minimal delays.
< 1 day
Limited damage to a
localised area.
Low level symptoms
requiring first aid
Local public concern / complaints.
Client complaint.
Minor non-compliances
and breaches of
Temporary minimal
change to existing
unnecessary.
No impact on Strategic
Plan. Values not
(1)
Risk Matrix 1% - 14% OR
Have not heard of this happening.
No lasting effects. treatment only. regulations. practices. compromised.

OPPORTUNITY

Likelihood: Rare (1)
Probability of Occurrence: Not expected to occur in most circumstances. 1% - 14% OR Have not heard of this happening.
Consequence: Minor (1)
Financial: <$400,000 AUD
Schedule: Minimal benefit < 1 day
Environment: Limited enhancement to a localised area. No lasting effects.
Health and Safety: Prevention of low level symptoms requiring first aid treatment only.
Reputation: Local public praise. Positive feedback from Client.
Legal: Prevention of minor non-compliances and breaches of regulations.
Operations Interruption: Temporary minimal improvement to existing practices.
Strategy: Positive alignment with Plan.

Likelihood: Unlikely (2)
Probability of Occurrence: May occur in exceptional circumstances. 15% - 34% OR May occur once in your career.
Consequence: Moderate (2)
Financial: $400K - $2.5M AUD
Schedule: Minor benefit. Early achievement of target date 1 - 7 days
Environment: Localised short to medium term enhancement to an area of minor local significance.
Health and Safety: Prevention of medical treatment injury.
Reputation: Positive publicity and attention from local media. Client positive feedback at senior management level.
Legal: Prevention of minor legal issues or moderate non-compliances and breaches of regulations.
Operations Interruption: Sustained minor improvement to existing practices.
Strategy: Potential activity to include in strategic plan

Likelihood: Possible (3)
Probability of Occurrence: Could occur at some time. 35% - 64% OR The event or similar has occurred elsewhere.
Consequence: Serious (3)
Financial: $2.5M - $10M AUD
Schedule: Marginal benefit. Early achievement of key milestone 8 - 30 days
Environment: Localised medium term enhancement to an area of local value.
Health and Safety: Prevention of serious injury or impairment to one or more people.
Reputation: Attention from media. Positive regional publicity. Client interest in standing services contract.
Legal: Prevention of serious breach of regulation with prosecution or moderate fine possible.
Operations Interruption: Schedule gain results in increased throughput due to improvements to existing practices.
Strategy: Enhances existing strategic objectives

Likelihood: Likely (4)
Probability of Occurrence: Will probably occur at some time. 65% - 84% OR The event has occurred several times or more in your career.
Consequence: Major (4)
Financial: $10M - $20M AUD
Schedule: Substantial benefit. Early achievement of critical path item 1 - 3 months
Environment: Wide spread long to medium term enhancement to valued area.
Health and Safety: Prevention of single fatality or severe permanent impact to multiple people.
Reputation: Significant positive attention. National publicity. Reputation greatly improved. Praise from global client.
Legal: Prevention of major breach of regulation or major litigation.
Operations Interruption: Prevention of a temporary plant shutdown. < 1 day
Strategy: Demonstrates alignment with business strategy and core values

Likelihood: Almost Certain (5)
Probability of Occurrence: Expected to occur in most circumstances. 85% - 99% OR Occurs more than once per year.
Consequence: Critical (5)
Financial: >$20M AUD
Schedule: Exceptional benefit. Early achievement of major milestone > 3 months
Environment: Significant, extensive detrimental long term enhancement.
Health and Safety: Prevention of multiple fatalities or permanent disability to multiple people.
Reputation: Positive international publicity. Reputation greatly enhanced. Share price may be affected. Global industry recognition.
Legal: Prevention of significant prosecution / fines or very serious litigation including class action.
Operations Interruption: Prevention of a plant shutdown. > 1 day
Strategy: Enhances commitment to strategy and core values

Financial Impact The potential financial impact of a risk or opportunity on the business objectives.

Crisis Event A crisis or emergency is an out of the ordinary event, announcement, disclosure or set of circumstances which threatens the safety or well-being of employees and other stakeholders, the environment and/or the integrity, performance, reputation or survival of the company.

Current Assessment Assessment of the risk based on how likely the risk is to occur and the impact of that risk if it does, taking into consideration current controls.

Current Distribution The mathematical distribution used to reflect the range of possible impacts defined by the quantitative values.

Current Severity Evaluated level of risk or opportunity (i.e. Extreme, High, Medium, Low) taking into consideration current controls.

Date Raised Date on which the risk/opportunity was identified/entered into the risk and opportunity system.

Description Outline of the risk or opportunity, its context including why and how the risk would occur and its consequence. (Use of a CAUSE, RISK, EFFECT statement is recommended).

Effect A description of the overall consequences the risk or opportunity may have should it occur or objectives affected.

Endeavour A project, operation, or business function/activity performed by the business.

Environmental Impact Potential impact of risk or opportunity on the local environment.

Exposure Cost Estimated cost should the risk or opportunity occur. Includes money spent on completed treatment and expected impact.

Commercial and Risk Ausenco 2014. All rights reserved. 14 of 19


Enterprise Risk Management Framework Document uncontrolled when downloaded/printed
Version: 1 Issue Date: 27-February-2014
Term Description

Fallback Plan Description Task or set of tasks to be taken after a risk or opportunity event has occurred in order to reduce or address the effect of the risk, or provide an alternative solution if an opportunity was missed.

Funding Status For those projects and operations which have a contingency or provision release process, funding status denotes the stage in the funding allocation process at which the response resides:

Requires Funding: Response requires the release of funding, pending confirmation review.

Funding Requested: Response has requested drawdown of funds to support the management activities.

Funding Approved: Response has had funding approved and it is in place to support activities.

Govern The activities associated with managing and policing the risk and opportunity management process.

Hazard A source/cause of risk or opportunity (safety specific).

Heat Map Also Probability and Impact Diagram (PID) Matrix. A diagram of the risks and opportunities likelihood vs. impact, reflecting the Ausenco scoring and severity criteria.

ID (Risk or Opportunity) Automatically generated number corresponding to the individually raised risk or opportunity.

Identify The process step responsibly used for the identification and capture of risks and opportunities faced by an endeavour.

Impact End The date in which the risk/opportunity is no longer valid and will no longer occur.

Impact Start Earliest date the risk/opportunity would occur.

Incident Situation or event which has occurred and exposed the business to loss.

Interested Parties Key stakeholders or business leads with an interest or other who could be impacted by the consequence of the risk/opportunity.

Issue A risk that has occurred, or definitely will occur in the future (refer definition of risk).

Loss An incurred negative consequence of adverse effect.

Manage The process steps responsible for ensuring the treatment of risks and opportunities is adequately defined, applied, and that sufficient support or attention is provided to ensure successful management of the risk/opportunity faced.

Next Review Date Date the risk/opportunity should be formally reviewed and updated.

Opportunity The effect of uncertainty which would lead to a positive set of circumstances or consequences, on a project/business objective if it occurs. A subset of risk covering positive outcomes, circumstances, or set of events.

Owner (Risk or Opportunity) Individual responsible and accountable for providing updates and reviews of captured risks and opportunities.

Per cent Complete The progress of treatment task.

Plan The process stage responsible for developing the treatment strategy that targets key areas or drivers in order to reduce the severity of the risk/opportunity impact and/or the probability of occurrence.

Plan Strategy The management approach to be undertaken to address the risks and opportunities faced by the business:

Risks (Threats):

Avoid: Seek to avoid the risk by eliminating the cause or source of uncertainty.

Transfer: Seek to transfer the risk and place the liability on to a third party. (NB: The only effective transference approach is to seek to transfer the risk back to the client if they are the source of risk).

Accept: Accept that the risk is unavoidable or unmanageable and include the consequences in the cost estimate.

Mitigate: Seek to reduce the likelihood or consequence of the risk by addressing the drivers or uncertainties.

Opportunities:

Exploit: Seek to increase the benefit of the opportunities by addressing the drivers or uncertainties.

Enhance: Seek to increase the likelihood of the opportunities by addressing the drivers or uncertainties.

Share: Seek to use the benefits of the opportunity as incentives with third parties to help realise the benefit.

Ignore: Do not act on the opportunity. Opportunity is either below a level of interest or at an acceptable level but should be watched and reviewed periodically to identify any change in circumstances.

Plan Owner The person responsible/accountable for managing the plan and co-ordinating response tasks.

Plan Overview Also Current Controls/Plan Overview. The process of developing options and actions to enhance opportunities and to reduce risks.


Probability An estimate of the likelihood that a particular event will occur, usually expressed on a scale of 0 to 100%. Estimates of probability are often subjective, as the combination of tasks, people and other circumstances are usually unique. In a controlled, repeatable environment, such as a factory or laboratory, it may be possible to derive objective probabilities such as fault rates.

Raised By Individual who identified/raised risk or opportunity.

Reputation Potential impact of risk or opportunity on company reputation and brand.

Response An action/control/fallback task necessary to manage a risk or opportunity.

Response Baseline Due Original due date for an action.

Response Comments Used to record and note information concerning the response, such as progress to date.

Response Completion Date response was completed.

Response Description Strategy/Narrative of the task to be performed (action/control/fallback) and how it will be managed. What must be done.

Response Due When the response is due to be completed.

Response Owner The person responsible and accountable for performing the response task.

Response Start Date Date the response should be commenced.

Response Status The lifecycle of the response, identifying the stage in the management process in which it currently resides. The following lifecycle statuses are currently used and have the following definitions:

In Progress: Response has been identified as valid and is in progress.

Complete: Response has been completed and the risk or opportunity requires update to reflect the outcome of the response.

Proposed: Candidate response has been identified and requires review and approval.

Abandoned: Response has been abandoned as it is no longer appropriate or the risk/opportunity is now no longer valid or has been realised.

Not Yet Started: Response has been identified as valid but has not yet begun.

Response Title A clear and concise indication/summary of the action, control or fallback.

Review The process of tracking identified risks/opportunities, monitoring residual risks, identifying new risks/opportunities, executing handling plans, and evaluating their effectiveness throughout the endeavour lifecycle.

Review (Response) Date a fallback or control should be revisited to assess validity.

Risk The effect of uncertainty which would lead to a negative set of circumstances or consequences, on a project/business objective if it occurs.

Risk and Opportunity Management The process whereby risk and opportunities are identified, assessed and management responses formulated to address the issues faced.

Risk and Opportunity Management Framework Set of components that provide the foundations and organisational arrangements of designing, implementing, monitoring, reviewing and continually improving risk and management processes throughout the organisation.

Risk and Opportunity Management Plan A document defining how Risk and Opportunity Management is to be implemented in the context of the particular project/business concerned.

Risk and Opportunity Management Policy Document outlining the detailed requirements and minimum levels of achievement necessary for successful implementation of risk and opportunity management in line with the Ausenco risk and opportunity management process.

Risk and Opportunity Register A list of all risks and opportunities identified by the risk and opportunity process, including full descriptive detail and cross-references.

Safety Impact Potential impact of risk or opportunity on health and safety of workers, members of the public and other stakeholders.

Scoring Scheme Quantitative and Qualitative definitions for the levels of risk and opportunity exposure to determine scoring/assessment (refer Core Reference Risk and Opportunity Matrix).

Source Anything which alone or in combination has the intrinsic potential to give rise to a risk or opportunity.

Status (Risk and Opportunity) Current position of risk prevention or opportunity exploitation:

Unapproved: Risk or Opportunity has been entered but requires approval by Risk Owner and Project/Business Manager.

Active: Risk or Opportunity has been created and approved as a valid risk by the Risk Owner and Project/Business Manager.

Closed - Treated: Risk or Opportunity has been managed and can no longer impact the project or business.

Closed - Occurred: Risk or Opportunity has impacted on the project or business and cannot occur again.

Closed - Expired: Risk or Opportunity did not occur and can no longer impact the project (not due to management but rather time).

Transferred: Risk or Opportunity has been transferred (Insurance is not a method of transfer and transference to a contractor must still be managed by the Project and included in contracts).

Rejected: Risk or Opportunity was created but not approved by the Risk Owner or Project/Business Manager (this status is similar to the delete function).

Target Assessment Consider the likelihood of the impact assuming successful completion of the Treatment Plan.

Target Severity Level of risk or opportunity which should remain if management is successful.

Title (Risk or Opportunity) Brief summary of the risk or opportunity identified.

Time Potential impact of risk or opportunity on project or operational schedules.


Treatment Cost Total cost of response tasks required to manage the risk or opportunity.

Fallback Plan Description Strategy/narrative on the recovery plan should the risk or opportunity occur.

Treatment Title This is an administrative field. Can be used to contain the statement of intent to manage the risk or using a template Treatment Plan - Risk Title.

Vulnerability A weakness or susceptibility to a source of risk.
