
PROCEDURE for COMPLIANCE RISK ASSESSMENT

Compliance Risk Assessment Workshop Page 1 of 24


TABLE OF CONTENTS

1. INTRODUCTION 3
1.1 Purpose 3
1.2 Scope 3
2. DEFINITIONS 4
3. DETAILS 5
3.1 Overview 5
3.2 Compliance Risk Assessment Workshops 5
3.2.1 Stage 1 - Preparation for Risk Assessment Workshops 8
3.2.2 Stage 2 - Running Workshops 10
3.2.3 Stage 3 - Post Workshop Follow-up 13
3.3 Risk Acceptance Level 14
3.4 Records from the Compliance Risk Workshop 14
4. RELATED DOCUMENTS 14
APPENDIX 1 – RISK PROMPTS 15
APPENDIX 2 – RESOURCE REQUIREMENTS & ACCOUNTABILITIES 18
APPENDIX 3 – RISK ASSESSMENT SCOPING DOCUMENT 20
APPENDIX 4 – RISK ASSESSMENT RECORD FORM 21
APPENDIX 5 - RISK TABLES & MATRIX 22
APPENDIX 6 – EXISTING CONTROL EFFECTIVENESS 24



1. INTRODUCTION

1.1 PURPOSE

The purpose of this Procedure is to describe the process used by Rio Tinto Compliance to facilitate
compliance risk assessments. It details the process for conducting systematic risk assessments of
major compliance hazards that can then be used to develop detailed control management or risk
reduction plans. These risk assessments are conducted as part of an effective way to manage the
major risks encountered in day-to-day operations.
The key objectives of this Procedure are therefore to ensure:
1. Risk assessments are conducted in a transparent, systematic way by appropriately trained
and experienced persons using an appropriate process;
2. Assessments capture all relevant and material compliance risks;
3. Risk assessments are undertaken to a consistent quality; and
4. The results of risk assessments are used as intended.
This Procedure is consistent with the Rio Tinto Risk Analysis and Management Guidance (RAMG)
and with international standards on Risk Management.

1.2 SCOPE

This procedure covers the risk assessment of compliance risk as outlined in the Rio Tinto
Compliance Guidance.

Compliance risk assessment deals fundamentally in downside risk.



2. DEFINITIONS
Compliance Risk Hazards arising from those laws, regulations, policies codes and
standards, which if contravened, could give rise to a material
impact on the Business Unit or Rio Tinto’s financial condition,
reputation or ability to achieve business objectives. (Rio Tinto
Compliance Guidance, 2003)

Current Risk The risk level with the current controls and current control efficiency.

Hazard A source of potential harm or a situation with a potential to cause
loss. (AS/NZS 4360:1999 Risk Management). In this document, it is
used in the context of compliance hazards.

Inherent Risk The risk as originally identified before actions or controls have been
implemented. (Rio Tinto RAMG 2005)

Material Impact For financial: Any event that could lead to a loss equal to or greater
than x% of annual turnover

For reputation: Any event that, should it be made public, would put
the company and its shareholders in disrepute

For business objectives: Any event that would prevent the company
from meeting plan targets (whether measured in terms of
production, costs, revenue or otherwise) by x% or more.

Residual Risk The risk remaining after agreed actions and controls have been
implemented. (Rio Tinto RAMG 2005)

Risk An uncertain event or condition that, if it occurs, will affect the
achievement of one or more objectives. (Rio Tinto RAMG 2005)

Risk Acceptance Threshold A measure of the level of risk exposure above which action must be
taken to proactively manage threats and maximise opportunities,
and below which risks may be accepted. (Rio Tinto RAMG 2005)

Risk Analysis The overall process of risk identification and risk evaluation. (Rio
Tinto RAMG 2005)

Risk Assessment The overall process of risk analysis and risk evaluation. (AS/NZS
4360:1999 Risk Management)

Risk Assessment Workshop A forum for conducting risk analysis and risk assessment activities.

Risk Reduction Measure For compliance risk, the potential risk response. The selective
application of appropriate techniques and management principles
to reduce either likelihood of an occurrence or its consequences, or
both. (AS/NZS 4360:1999 Risk Management)

Zero Tolerance Risks Refers to those strategic risks that the organisation needs to ‘get
right’ if it is to achieve its strategic objectives. ‘Zero tolerance’ refers
to the risk acceptance level of that organisation and may mean
that ‘risk management’ means ‘risk elimination’ to the maximum
extent that it is feasible to do this. Zero tolerance risks are above
the risk acceptance threshold.



3. DETAILS
3.1 OVERVIEW

This procedure was developed by Rio Tinto Compliance and Rio Tinto Technical Services
with input from Rio Tinto Group Risk Management and Rio Tinto Group Internal Control to
ensure a transparent, standardised process of identifying and ranking of compliance risk.
This procedure provides a methodology to assist Business Units to address the Rio Tinto
Compliance Guidance requirement to identify compliance risk on a systemic and ongoing
basis.

The likelihood and potential consequences of unwanted events associated with the major
compliance hazards are determined using a team of appropriate personnel, and the
level of risk calculated using a risk matrix. For risks that exceed an acceptable level, new
controls may be required (eg obtaining professional advice, re-designing or modifying
a task or process, or introducing training) to eliminate or reduce the level of risk to an
acceptable level.

These team-based risk assessments must be undertaken by a team of “knowledgeable”
persons who have a good understanding of the issues involved, including the activities or
tasks, the various hazards and unwanted events, and the controls required to minimise risk.

The entire suite of documents that supports this process is available via the Head of
Compliance or via the Compliance Community on the Rio Tinto portal.

Those Business Units that have their own sound method of identifying compliance risk, in
accordance with the Rio Tinto Risk Analysis and Management Guidance (RAMG), are not
required to follow this process.

The head of Compliance is the custodian of this procedure.

3.2 COMPLIANCE RISK ASSESSMENT WORKSHOPS

The compliance risk assessment process:

• Identifies and documents a comprehensive set of compliance hazards.

• Identifies any ‘zero tolerance’ compliance risks for that Business Unit.

• Assesses the likelihood of each hazard arising based on a predetermined
classification system, in line with the Business Unit’s existing methodology if any
and as applicable, to ensure data can be integrated with other risk sources.

• Assesses the expected severity of each consequence using a predetermined
classification system, in line with the Business Unit’s existing methodology, to
ensure data can be integrated with other risk sources.

• Identifies potential risk reduction measures that could be adopted to reduce the
risk.

Compliance risk should be reviewed at an appropriate frequency to capture changes in
business, business processes, senior staff, regulation, and Rio Tinto policy.

Summary information from the approved version of the final risk report will be collated by the
head of Compliance and communicated back to Product Group heads.



Key success factors are:

• Use of a trained and experienced Facilitator. The Facilitator should be familiar with
the scope of the risk analysis and skilled in the risk process and should be drawn
from outside the team directly working on the area being analysed;

• Use of a team with the relevant knowledge, experience and motivation;

• Appointment of an appropriately qualified and competent Team Leader;

• Proper scoping (see Appendix 3) of the risk assessment, including:
o Definition and distribution of appropriate context setting materials;
o Definition of the level of “acceptable” and “unacceptable” risk;
o Consideration of likely outcomes;

• No perceived pressure on the Team to come up with a pre-determined outcome
(eg a clean slate to look good), i.e. it must be, and must be seen as, objective and
done with integrity;

• Use of a detailed and systematic approach for hazard/ risk identification;

• Proper documentation and reporting of the assessment;

• Adequate review of the assessment results by senior Management and in-house
legal advisors; and

• Feedback by Management to the organisation on subsequent implementation
requirements for actions for reducing compliance risk.

Risk Assessment workshops involve three stages. These are:

• Stage One - Preparation for risk assessment workshops

• Stage Two - Running the workshops

• Stage Three - Post workshop follow-up

The process for the workshops is outlined in Figure 1.



Figure 1: Risk identification and risk evaluation process

[Flowchart. Process boxes: Identify Hazards; Identify Existing Controls; Assess Likelihood of
Occurrence; Assess Consequences of Occurrence; Determine Risk Level. Decision: “Risk
Acceptable?” against the Risk Acceptance Criteria. NO leads to Risk Treatment Actions;
YES leads to Residual Risk Level.]



3.2.1 Stage 1 - Preparation for Risk Assessment Workshops

i) Establishing the Context

The designated person accountable for Compliance at the Business Unit will
provide the following information to the head of Compliance, at least two weeks
before the scheduled Compliance Risk workshop date:

• Organisational Context.

o Summary information on the nature of risk assessment work
already done within the Business Unit.

o Likelihood, consequence and risk scoring methodology already
used within the Business Unit.

o How risk information is currently captured (eg Risk Register, Excel
Spreadsheets, Access database or other).

o Names and roles of proposed workshop team members.

o What technical expertise is available to that Business Unit in
defining the risk tolerance levels.

o What technical expertise is available to that Business Unit in
defining any ‘zero tolerance’ risks.

o What types of legal actions, or threatened legal actions, have
occurred in the past five years at this Business Unit? (This can be
expressed as $ spent on categories of legal matters, numbers
of items by matter category or any other quantifiable measure,
including exposure.)

o Any matters currently under advice, previously under legal advice,
or that could foreseeably be under future legal advice, that could lead
to issues of legal professional privilege being compromised.

o Number and type of internal issues that could have progressed to
legal action (eg unfair treatment, harassment, golden handcuffs,
etc).

o Number and nature of Speak-OUT issues raised at that Business
Unit.

o High-level organisational chart.



The head of Compliance provides the following information to the Business Unit
Team Leader:

• Compliance Risk assessment context

o The objective of the compliance risk assessment is to identify the
laws, regulations, Group policies, codes and standards, which, if
contravened, could give rise to a material impact on their own or
Rio Tinto’s

§ Financial condition

§ Reputation

§ Ability to achieve its business objectives

o Up to date lists of Rio Tinto Group policies, standards and
guidelines can be found via the Rio Tinto Portal Compliance page.

o A list of risk prompts will be used during the workshop process.
The list includes details of the Rio Tinto Group policies, standards
and guidelines. A copy of this is at Appendix 1. This will be sent
by the head of Compliance to the BU compliance representative
prior to the workshop, for that person to distribute to the
compliance risk assessment team members.

o A check sheet outlining the resources required for the workshop
and accountability for those resources (Appendix 2).

• Define the Risk evaluation criteria

o Agreement on the evaluation criteria for consequence and
likelihood (BU own or Rio Tinto)

o Determine any risk acceptability / risk tolerance levels (although it
must be noted that a BU shall not ‘accept’ an exposure of critical
or significant nature)

ii) Scheduling Workshops

Scheduling of workshops shall be by consultation with the Business Unit
representative and the head of Compliance.

The duration of each workshop will depend upon the size and complexity of the
Business Unit.

iii) Information and Data Provision

For the workshops to be effective, a range of supporting information must be
made available to the participants.

The Business Unit Team Leader is responsible for the distribution of agreed
information to Team Members. The information set will be confirmed between
the head of Compliance and the Team Leader and will be included on the Risk
Workshop Scoping Document (see Appendix 3).



3.2.2 Stage 2 - Running Workshops

At the commencement of the workshop, the facilitator is to:

• Confirm the agreed scope of the workshop

• Confirm the roles of the participants in the workshop

• Confirm the strategic context

• Confirm the process to be used for the workshop

• Part 1: Identification of risk

• Part 2: Determination of likelihood and consequences

- Sample agendas for this process are available from the head of Compliance.

The head of Compliance, in conjunction with the designated person accountable
for Compliance at the Business Unit, will discuss and document the strategic
context with the workshop participants at the commencement of a Compliance
Risk workshop:

• Strategic context

o In which country or countries does this Business Unit operate?

§ Which jurisdictional authorities prevail?

§ Is the legislative landscape applicable to the Business
Unit changing or stable?

§ What is the culture of the country?

§ Who are the major stakeholders for this Business Unit?

§ What are the areas of emerging compliance risk (eg new
areas of compliance, new rules) for that region?

The purpose of risk workshops is to:

Part 1:

• Review previously identified compliance risks in the significant category
(i.e. from the Client’s existing risk identification data such as HSE risk,
Group Risk Reviews, etc)

• Identify compliance hazards not previously documented, using the Risk
Prompt sheets as a guide. (refer Appendix 1)

Part 2:

• Assess the likelihood(s) and consequence(s) associated with updated
risk(s) and new hazard(s), using risk measures with controls in place, that
is, assess the current risk level and the control effectiveness.

• Identify potential candidates to address new hazards

• Determine a list of possible risk reduction measures.

i) Hazard Identification

The process by which hazards are identified relies heavily on "expert judgement".
In this context, expert judgement is provided by the workshop attendees who
participate in the assessment, and which may or may not be backed up by
tangible evidence.

A list of risk prompts is provided at Appendix 1.

Although tangible evidence may not always exist for some of the risks identified,
this does not devalue the identification in any way. It is the subsequent likelihood
and consequence assessments that indicate how seriously the individual risks
should be taken when devising risk assessment strategies.

Information about each hazard, including the history of similar incidents, should be
recorded. In the event that the Business Unit does not have its own methodology,
the forms at Appendix 4 can be used.

ii) Assessment of Consequence(s) and Likelihood(s)

Consequence

For each hazard identified, the maximum reasonable consequence must
be determined to identify the risk. This is the outcome that could occur in a
reasonable “worst case” scenario with consideration of any controls that might be
in place to minimise the consequences.

In the event that the Business Unit does not have their own proprietary method of
determining consequence, the classification system in Appendix 5, Tables 2 and 3
can be used.

Compliance risk consequences are, for the main, assessed in terms of:

• Reputational damage to the Business Unit or to Rio Tinto

• Imposed penalties

• Time and money in defending an action

With reference to the Rio Tinto Risk Analysis and Management Guidance
(RAMG), Capex, Schedule and Production Volume consequences have been
considered and assessed as not relevant to compliance risks.



Likelihood

The likelihood of an unwanted event occurring is dependent on two factors:

1. In many cases, the frequency of exposure and the number of times the task or
activity is undertaken. The following aspects should be considered when making
this decision:

• The number of times tasks/ cycles/ situations occur;

• The number of people performing the tasks;

• Whether the likelihood arises from a judgement rather than a task;

• Frequency of an omission (eg failure to enforce contractual rights, leading
to the right to seek performance being waived).

2. The probability that the unwanted event or omission (maximum reasonable
consequence) will occur as a result of the hazard, based on what has happened
in the past here or elsewhere in similar situations (i.e. have incidents occurred
previously, how often have they occurred, etc).

In the evaluation process, the workshop participants must consider the "most
credible scenario" and attempt to keep a balance between the assessed likelihood
and consequences.

In the event that the Business Unit does not have their own proprietary method
of determining likelihood, the classification system in Appendix 5, Table 1 can be
used.

iii) Risk Determination and Ranking

Risk is the combination of the chance of an event happening and the severity of
the consequences when it does. In a qualitative analysis, the risk is determined
from the relationship between the assessed likelihood and consequences, using a
risk ranking matrix (refer example at Appendix 5, Table 4).

iv) Identification of Risk Reduction Measures

During the process of identifying hazards, attempts will be made to identify
measures that can be taken to reduce or manage the risks. Risk reduction
measures are devised to reduce the likelihood that the risk will develop, or to
mitigate the consequences should the risk occur.

Consideration of the ‘hierarchy of controls’ should be made. Refer Appendix 6.



v) Recording Information

All information must be recorded accurately and in a clear, consistent manner.
This requires the services of an experienced scribe who must prepare the
necessary blank forms or provide an alternative system to gather the information.
Photocopies of the white board or the flip chart sheets should be retained.

The Workshop Facilitator:

• Checks with participants during the workshops to confirm information and
clarify decisions

• Makes sufficient notes to ensure that the scribe's notes can be confirmed
prior to the compilation of the final report.

3.2.3 Stage 3 - Post Workshop Follow-up

The Workshop Facilitator:

• Follows up any additional gaps in information from the workshops

• Utilising the services of Rio Tinto Group Internal Control, organises an
independent session with the appointed internal auditors.

• Ensures a report of information generated from the workshops is provided
to the Business Unit head (eg risk profiles, hazard descriptions, existing
controls) for review and approval.

• Ensures risk information is transferred back to the Team Leader for
integration into the Business Unit's own risk register system.

• Ensures risk information and the summary report are forwarded to the head of
Compliance for collation at a Group level.

The Business Unit head is responsible for:

• Approval of all risk ratings assigned to each hazard from each workshop.

• Ensuring that all new risk ratings are consistent across the business.

• Ensuring that adequate risk reduction measures are identified for all
significant and highly significant risks.

• Ensuring that suitable risk reduction measures are implemented to manage
the risk under consideration, and to reduce the risk level to an acceptable
level.

• Ensuring the report of the risk identification process and risk reduction
measures is retained in accordance with the requirements in the Rio
Tinto Compliance Guidance.



3.3 RISK ACCEPTANCE LEVEL

Any hazards with an assessed current risk ranking between Level 4 and Level 7 (using the
scale on Appendix 5 table 4) are considered to be significant and require appropriate risk
reduction measures to be identified and available for adoption or implementation.

Level 6 and Level 7 are termed highly significant and will require immediate action by the
Business Unit.

This does not preclude risk reduction measures from being determined and actioned for
hazards with a lower risk rating.

3.4 RECORDS FROM THE COMPLIANCE RISK WORKSHOP

At the conclusion of the Compliance Risk identification process, a report will be generated
by the workshop facilitator. The Business Unit in accordance with the requirements of the
Rio Tinto Compliance Guidance and local regulatory guidelines should retain the report.
Information from the report should be integrated with other risk data managed within that
Business Unit.

4. RELATED DOCUMENTS

• AS/NZS 4360: 1999 “Risk management” (Standards Australia)

• HB 142-199 “A basic introduction to managing risk using the Australian Risk
Management Standard AS 4360:1999” (Standards Australia)

• HB 158: 2002 “A guide to using AS/NZS4360 Risk management within the internal
audit process” (Standards Australia)



APPENDIX 1 – RISK PROMPTS

This list is designed to provide a number of Risk Prompts, to assist Business Units in the identification of sources of compliance risk.

A (1) Legislative and Regulatory (civil and criminal)
Risk associated with non-compliance, including criminal prosecution and civil claims based on non-compliance brought by regulators or private parties.
• Actions brought by Env /Safety regulators;
• Private actions based on violations of HSE regulations or license conditions;
• Regulatory or private actions based on violations of Competition Law;
• Regulatory actions for violation of Import / Export laws;
• Gov’t actions for violation of OECD Bribery and Corruption laws / US Foreign Corrupt Practice;
• Violation of Employment / Industrial Relations laws;
• Actions brought by mining authorities;
• Material misrepresentation or omission in public announcement or SEC or Exchange filing leads to legal / regulatory action
• Breach of Directors / Officer’s duties
• Changing legislation or new legislation is missed
• Insider dealings
• Intellectual Property
• Legacy issues - closed or abandoned sites
• Licenses – operating without one
• Mining laws
• Non-compliance with accounting standards
• Non-compliance with tax legislation
• Other health laws (eg running of mine camps (pools, food, etc))
• Privacy
• Tenement management issues / loss of tenement
• Workers Compensation – criminal & civil proceedings

B (2) Contractual
Risk associated with defending or containing claims based on alleged breach of contract; including claims as to existence of unwritten contract.
• Failure to respond to complaint brought by customer for breaching quality specifications in supply contract, leading to default and cancellation;
• Repeated failure to meet quantity requirements without declaring force majeure, leading to default and cancellation
• We breach supply agreement (disaster / shortfall / not to spec)
• Employment contract breach
• Project / joint ventures
• Procurement processes in general, including disclosure of conflict of interests; adherence to protocols etc

C (3) Common law or its civil code equivalent
Risk associated with defending or containing common law claims (eg negligence, libel, slander, trespass etc).
• Failure to maintain safe premises results in injury to visitor and personal injury action;
• Imprudent remarks made about a supplier / customer after commercial dispute leads to libel action;
• Failure to monitor own mining activities relative to boundary lines leads to trespass action;
• Improper and deceitful negotiating practices leads to fraud action.
• Bribery and corruption
• International protocols or conventions affect operations/reputations
• Misappropriation of company funds
• Traditional law (eg aboriginal law) issues
• Theft of product or company assets

Rio Tinto Policy (+ assoc Standards and Guidelines)
Risk associated with non-compliance ‘beyond the legal’ with Rio Tinto policies, including reputation damage, trade embargos, ostracism from international voluntary schemes.
• The way we work:
o Communities Policy
o Employment Policy
o Environment Policy
o Human Rights Policy
o Land Access Policy
o Occupational Health Policy
o Political Involvement Policy
o Safety Policy
o Sustainable Development Policy
• Rio Tinto Controllers Manual
• Rio Tinto Information Security Management Policy
• Rio Tinto Group Data Protection Policy
• Rio Tinto Data Protection in Australia
• Rio Tinto Group Treasury Policies
• Rio Tinto Internet and Email Policy
• Rio Tinto Patch Management Policy

D (5) Third party non-compliance
Risk associated with a third party’s non-compliance (as above) that puts Group assets, financial health or reputation at risk.
• Agent’s action that violates OECD Bribery and Corruption laws giving rise to liability of Rio Tinto;
• Release of contaminants by third party onto company property, leading to Rio Tinto liability;
• Conspiracy amongst competitors that violates Competition Law and prejudices Rio Tinto’s market position / profitability;
• Contractor fails to follow building codes, leading to operability problems at a new facility.

E (4) Failure to enforce contractual rights
Risk associated with failing to invoke/enforce contractual rights against third parties.
• Failure in not enforcing quality / quantity terms in suppliers contract, resulting in eg inability to meet production targets;
• Failure to give notice of missed deadline in EPCM contract, leading to waiver of rights / inability to take advantage of contractual reduction in fees.
• Our contractor breaches supply agreement
• Project / joint ventures

F (6) Failure to prosecute common law claims
Risk associated with failing to invoke/ prosecute common law claims (as above).
• Failure to monitor activities near property boundary leads to ongoing trespass, with third party acquiring title by adverse possession;
• Failure to adequately refute adverse public statements by supplier / customer following commercial dispute leads to loss of reputation.

Trading in non-compliance with Rio Tinto policy
Risk associated with Rio Tinto actively trading with a third party in non-compliance with Rio Tinto policy or voluntary schemes.



APPENDIX 2 – RESOURCE REQUIREMENTS & ACCOUNTABILITIES

SELECTING THE WORKSHOP TEAM

The Risk Assessment Team should be a blend of the following:
• Senior Management personnel;
• Technical (eg in-house lawyers or external legal advisor, HSE) personnel; and
• Management (eg manager/ superintendent of specialist areas).
Team members should have both knowledge and experience of the hazards associated with the
process, system, plant/ equipment, operation or work area that is the subject of the assessment.
In general, the Team should comprise not less than 6 or more than 15 persons.
A trained facilitator will be used to guide the Team through the compliance risk assessment
process. One member of the Team should be nominated as Team Leader. This person will act
as the liaison between the Client and the Team and be responsible for ensuring the final report is
provided on time.
All Team Members should be given appropriate notification to allow adequate preparation before
the risk assessment. The Team Leader will be responsible for providing the notification to the
Team Members.

All of the below roles should be clearly explained by the Facilitator at the start of the risk
assessment.

Role of the Team Leader is to:
• Act as the Client liaison;
• Provide support to the Facilitator;
• Make any logistical arrangements;
• Help resolve any conflicts within the Team;
• Ensure a formal report of the risk assessment is completed;
• Assist the Client in the review of the risk assessment results (i.e. can provide additional
detail not contained within final Report).

Role of a Team Member is to:
• Input skills and experience into the risk assessment exercise;
• Understand the issue under review and the potential and actual hazards that arise from
these issues;
• Have some understanding of what current controls are in place to prevent the unwanted
incidents and how effective they are; and
• Actively contribute their knowledge to achieve a successful outcome.

Role of the Facilitator is to:
• Set up the exercise based on the original scoping document;
• Introduce the team to the scope and risk assessment methodology;
• Keep the process on track throughout the exercise;
• Promote creative thinking in determining applicable controls;
• Guide the team through the exercise;
• Resolve any conflicts within the team;
• Help reach consensus, where required;
• Ensure the team’s objectives are achieved within specified time.



Business unit checklist (columns: Item / Accountability / Completed; the Accountability and
Completed columns are blank in the template):
• Determine accountable person at the Business Unit to act as Team Leader. Advise the head of
Compliance. This person will act as Client liaison.
• Book venue and equipment for agreed date; arrange any refreshments required.
• Book relevant internal personnel (MD, GM’s, Managers, in-house counsel, legal advisors,
including those from remote locations).
• Provide hazard capture templates and risk rating criteria to be used (i.e. so the data can go into
their own form of risk register) if already existing in the business unit.
• Identify legislation, regulation that applies to their operation (available from – or to be developed
by – regional Rio Tinto Legal Services).
• Provide list of major contracts (as supplier or as customer).
• Provide details on legal matters under action for past 5 years.
• Alert head of Compliance to any issues currently under advice, discussion of which could
compromise legal professional privilege.
• Provide last 6-monthly HSE report.
• Provide information from the Speak-OUT program.
• Provide any details currently captured on compliance-related risk.
• Distribute appropriate information to Team Members.
• Ensure a formal report of the compliance risk assessment is completed.

RTHQ Compliance checklist (columns: Item / Accountability / Completed; the Accountability and
Completed columns are blank in the template):
• Source Risk Workshop facilitator.
• For BU’s without in-house legal counsel, provide Rio Tinto legal expert.
• Collate context-setting materials as defined at 3.2.1 and risk prompts. Send to Business Unit
Team Leader for distribution to Business Unit Team Members.



APPENDIX 3 – RISK ASSESSMENT SCOPING DOCUMENT

RISK ASSESSMENT SCOPING DOCUMENT


Title: Compliance Risk
Site:
Client:
Process to Use: Workshop

Objective:
The objective of the risk assessment is to review risks related to non-compliance with laws,
regulation, Rio Tinto Policies, Rio Tinto Standards and Rio Tinto Guidelines, that could have a
material impact on the Business Unit or Rio Tinto’s financial condition, reputation or ability to
achieve its business objectives.

Focusing on risk types such as those indicated on the attached table (as per Attachment 1).

Mandate:
The Team should examine the risks systematically, scoring each risk factor it identifies according
to the risk rating method agreed.

Risk rank scores <insert score ranges> are to be considered as “unacceptable” risks and the
Team will need to further examine these risks to determine the adequacy of existing controls and
the level of residual risk.

A “Risk Reduction Plan” is to be developed for all risks with a score of <insert score ranges> and
is required by <insert date>.

The team will be allotted <insert number of days> days, from <insert start date> to <insert end
date>, to undertake the assessment.

The venue for the risk assessment will be <insert venue name/location>.

The Final Report will be required by <insert report due date>.

The team members are:

Documents to be distributed to Team Members are:
• This scoping document

The Facilitator is:

The Team Leader is:

Feed-back to the Team will be arranged as follows:

Client’s Signature                                Date



APPENDIX 4 – RISK ASSESSMENT RECORD FORM

Illustrative example

Ref  Hazard                                               L Measure        C Type      L*  C*  Risk Level  Control  Risk Reduction Measures                        Risk Ownership
A    ACCOUNTING, TAXATION, FINANCE
A1   Fraud or misappropriation of funds due to            Time (E)         React       VU  M   L3          C4       Review control effectiveness
     control weaknesses.                                  Time (E)         Opcost      VU  VL
                                                          Time (N)         Reputation  VU  M
A2   Failure to disclose material information to the      Descriptive (E)  React       VU  H   L4          C3       Need to review formal controls
     market.                                              Descriptive (N)  Reputation  VU  H
                                                          Descriptive (N)  Penalties   VU  L
B    HUMAN RESOURCES, EMPLOYMENT
B1   Equal employment opportunity or harassment claims.   Descriptive (E)  React       U   VL  L3          C3       Training and education on EEO and harassment.

* L = Likelihood: VU = very unlikely; U = unlikely; P = probable; HL = highly likely
* C = Consequence: VL = very low; L = low; M = moderate; H = high


APPENDIX 5 - RISK TABLES & MATRIX


Assumptions:

1. Annual production of <………..> tonnes,
2. Revenue of US$<……..> per tonne of product (approx US$<…..> pa),
3. Operating costs of US$<………> per tonne (approx US$<…….> pa)

Likelihood       Very Unlikely        Unlikely             Probable             Highly Likely
Descriptive      Almost Impossible    Possible Sometime    Isolated Incidents   Repeated Incidents
Time             < 1/year             1/year to 1/month    1/month to 1/week    > 1/week
Probability      < 0.1%               0.1% – 1%            1% – 10%             > 10%
Table 1 – Likelihood Classification

(Figures in blue – replace with calculated values for that BU using Assumptions above)

Economic Consequences (annual)

                                Very Low       Low                    Moderate               High
Costs to React or Defend        < US$0.15M     US$0.15M to US$0.5M    US$0.5M to US$1M       > US$1M
Revenue Impact of Loss          < 1%           1% to 3.5%             3.5% to 7%             > 7%
Operating Cost Impact of Loss   < 2.25%        2.25% to 7.5%          7.5% to 15%            > 15%
Table 2 – Economic Consequence Classification

Non-Economic Consequences

                             Very Low                Low                          Moderate                      High
Rio Tinto or BU Reputation   Negligible              Slight (Manager Level)       Moderate (BU Level)           Severe (Board or RT Level)
Health Impact                None                    Short-term Minor             Long-term Minor               Long-term Serious
Personnel Safety             No Injuries             Minor Injuries (Dressings)   Serious Injuries (LTIs)       Fatalities
Environmental Impact         Localised Degradation   Widespread Degradation       Severe Degradation            Catastrophic Degradation
Community Impact             Negligible              Slight                       Moderate                      Severe
Non-financial Penalties      Official Censure        Fines                        Prosecution                   Business Closure
Loss of Corp'te Knowledge    Negligible              Minimal Business Impact      Significant Business Impact   Severe Business Impact
Table 3 – Non-economic Consequence Classification


                 Most Serious Consequence
Likelihood       Very Low     Low          Moderate     High
Very Unlikely    Level 1      Level 2      Level 3      Level 4
Unlikely         Level 2      Level 3      Level 4      Level 6
Probable         Level 2      Level 3      Level 5      Level 6
Highly Likely    Level 3      Level 5      Level 6      Level 7
Table 4 – Risk Determination Matrix

In general terms, the action levels appropriate for the risk levels in Table 4 can be summarised as follows:

RMAG Class *   Risk Level      Significance and Response
Class 1        Levels 1 & 2    Risks that are below the risk acceptance threshold and do not require active management
Class 2        Level 3         Risks that lie on the risk acceptance threshold and require active monitoring
Class 3        Levels 4 & 5    Risks that exceed the risk acceptance threshold and require proactive management
Class 4        Levels 6 & 7    Risks that significantly exceed the risk acceptance threshold and need urgent and immediate attention

* Refer to the Rio Tinto Risk Analysis and Management Guidance, 2005
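The following Python is an added example, not part of the procedure: it implements the scoring in Tables 1, 2 and 4 and the RMAG class mapping, taking the most serious of several consequence ratings for one hazard as the record form in Appendix 4 does. The only assumption is how a value that falls exactly on a band boundary (e.g. exactly 0.1%) is classified, which the tables leave open.

```python
# Added example (not part of the procedure): scoring per Tables 1, 2 and 4 and
# the RMAG class table. Column order follows the tables.
LIKELIHOODS = ["Very Unlikely", "Unlikely", "Probable", "Highly Likely"]
CONSEQUENCES = ["Very Low", "Low", "Moderate", "High"]

# Table 4 - Risk Determination Matrix: row = likelihood, column = most serious consequence.
RISK_MATRIX = [
    [1, 2, 3, 4],  # Very Unlikely
    [2, 3, 4, 6],  # Unlikely
    [2, 3, 5, 6],  # Probable
    [3, 5, 6, 7],  # Highly Likely
]

def band(value, upper_bounds):
    """Index of the first band `value` falls below; the fourth band is open-ended.
    Assumption: a value on a boundary (e.g. exactly 0.1%) belongs to the higher band."""
    for i, bound in enumerate(upper_bounds):
        if value < bound:
            return i
    return len(upper_bounds)

def likelihood_from_probability(p):
    """Table 1, Probability row: < 0.1%, 0.1%-1%, 1%-10%, > 10% (p is a fraction)."""
    return LIKELIHOODS[band(p, [0.001, 0.01, 0.10])]

def consequence_from_react_cost(usd):
    """Table 2, Costs to React or Defend: < 0.15M, 0.15M-0.5M, 0.5M-1M, > 1M (US$)."""
    return CONSEQUENCES[band(usd, [0.15e6, 0.5e6, 1e6])]

def consequence_from_revenue_impact(fraction):
    """Table 2, Revenue Impact of Loss: < 1%, 1%-3.5%, 3.5%-7%, > 7%."""
    return CONSEQUENCES[band(fraction, [0.01, 0.035, 0.07])]

def rmag_class(level):
    """Action levels: Levels 1-2 -> Class 1, 3 -> Class 2, 4-5 -> Class 3, 6-7 -> Class 4."""
    return {1: 1, 2: 1, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}[level]

def rate_hazard(likelihood, consequences):
    """Combine a likelihood with the most serious of several consequence ratings
    (one per consequence type, as on the record form) using Table 4."""
    worst = max(consequences, key=CONSEQUENCES.index)
    level = RISK_MATRIX[LIKELIHOODS.index(likelihood)][CONSEQUENCES.index(worst)]
    return level, rmag_class(level)

if __name__ == "__main__":
    # Record form entry A1: Very Unlikely; React = M, Opcost = VL, Reputation = M.
    print(rate_hazard("Very Unlikely", ["Moderate", "Very Low", "Moderate"]))  # (3, 2)
```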


APPENDIX 6 – EXISTING CONTROL EFFECTIVENESS

Corporate Compliance Risk Analysis


Control Effectiveness Tables
This scheme is designed to assess the effectiveness of the controls that are taken into account in the
determination of the current risk level.

The scheme is based on the principles in AS4360 (Risk management), together with the internal audit process in
HB158 (Standards Australia), except that a four-fold scheme is used for consistency with the likelihood and
consequence schemes, and the definitions are expanded slightly to include a control quality element as well as a
time element.

Definitions:

Inherent risk    The risk without any controls in place.
Current risk     The risk level with the current controls and current control efficiency.
Residual risk    The level of risk when all controls are applied to the maximum reasonable extent.
Key control      A control that reduces a high risk to an acceptable level and is, therefore, critical to the
                 effective management of that risk.

The four-fold system to assess the effectiveness of controls at the present time is:

Control Rank   Description
C1             Ineffective on all occasions
C2             Partially effective on some occasions
C3             Effective on most occasions
C4             Highly effective on almost all occasions

The "hierarchy of control", often used for HSE purposes, is described below:
(1) Eliminate the hazard altogether to avoid the risk (e.g. stop using a dangerous
substance if it is not necessary, use a safer method of mining, etc.).
(2) Substitute. Change the activity or process to one that is less risky.
(3) Engineering. Redesign the system, process or workflow.
(4) Administrative Controls. Provide written procedural controls, adequate
supervision, training, rules, checkpoints in work processes, etc.
(5) Protect people by providing appropriate Personal Protective Equipment (this
should be the last resort).
The Facilitator should provide an overview of the "Hierarchy of Controls" to assist the Team in determining what
effective controls are required. Lateral thinking may be required to look beyond the usual "procedural" controls.
The result of this analysis should then be recorded on the "Risk Assessment Record form" (Appendix 3).
If any "highly significant" risks have been identified which have ineffective controls and are considered to pose
an immediate threat to personnel, it may be necessary to notify the legal department immediately so that they are
made aware of the situation.
