1. INTRODUCTION
1.1 Purpose
1.2 Scope
2. DEFINITIONS
3. DETAILS
3.1 Overview
3.2 Compliance Risk Assessment Workshops
3.2.1 Stage 1 - Preparation for Risk Assessment Workshops
3.2.2 Stage 2 - Running Workshops
3.2.3 Stage 3 - Post Workshop Follow-up
3.3 Risk Acceptance Level
3.4 Records from the Compliance Risk Workshop
4. RELATED DOCUMENTS
APPENDIX 1 – RISK PROMPTS
APPENDIX 2 – RESOURCE REQUIREMENTS & ACCOUNTABILITIES
APPENDIX 3 – RISK ASSESSMENT SCOPING DOCUMENT
APPENDIX 5 – RISK TABLES & MATRIX
APPENDIX 6 – EXISTING CONTROL EFFECTIVENESS
1.1 PURPOSE
The purpose of this Procedure is to describe the process used by Rio Tinto Compliance to facilitate compliance risk assessments. It details the process for conducting systematic risk assessments of major compliance hazards that can then be used to develop detailed control management or risk reduction plans. These risk assessments are conducted as part of an effective way to manage the major risks encountered in day-to-day operations.

The key objectives of this Procedure are therefore to ensure that:
1. Risk assessments are conducted in a transparent, systematic way by appropriately trained and experienced persons using an appropriate process;
2. The assessments capture all relevant and material compliance risks;
3. Risk assessments are undertaken to a consistent quality; and
4. The results of risk assessments are used as intended.

This Procedure is consistent with the Rio Tinto Risk Analysis and Management Guidance (RAMG) and with international standards on Risk Management.
1.2 SCOPE
This procedure covers the risk assessment of compliance risk as outlined in the Rio Tinto Compliance Guidance.
2. DEFINITIONS
Current Risk: The risk level with the current controls and current control efficiency.

Inherent Risk: The risk as originally identified before actions or controls have been implemented. (Rio Tinto RAMG 2005)

Material Impact:
- For financial: Any event that could lead to a loss equal to or greater than x% of annual turnover.
- For reputation: Any event that, should it be made public, would put the company and its shareholders in disrepute.
- For business objectives: Any event that would prevent the company from meeting plan targets (whether measured in terms of production, costs, revenue or otherwise) by x% or more.

Residual Risk: The risk remaining after agreed actions and controls have been implemented. (Rio Tinto RAMG 2005)

Risk Acceptance Threshold: A measure of the level of risk exposure above which action must be taken to proactively manage threats and maximise opportunities, and below which risks may be accepted. (Rio Tinto RAMG 2005)

Risk Analysis: The overall process of risk identification and risk evaluation. (Rio Tinto RAMG 2005)

Risk Assessment: The overall process of risk analysis and risk evaluation. (AS/NZS 4360:1999 Risk Management)

Risk Assessment Workshop: A forum for conducting risk analysis and risk assessment activities.

Risk Reduction Measure: For compliance risk, the potential risk response. The selective application of appropriate techniques and management principles to reduce either the likelihood of an occurrence or its consequences, or both. (AS/NZS 4360:1999 Risk Management)

Zero Tolerance Risks: Those strategic risks that the organisation needs to ‘get right’ if it is to achieve its strategic objectives. ‘Zero tolerance’ refers to the risk acceptance level of that organisation and may mean that ‘risk management’ means ‘risk elimination’ to the maximum extent that it is feasible to do this. Zero tolerance risks are above the risk acceptance threshold.
3. DETAILS
3.1 OVERVIEW
This procedure was developed by Rio Tinto Compliance and Rio Tinto Technical Services with input from Rio Tinto Group Risk Management and Rio Tinto Group Internal Control to ensure a transparent, standardised process for identifying and ranking compliance risk.

This procedure provides a methodology to assist Business Units to address the Rio Tinto Compliance Guidance requirement to identify compliance risk on a systemic and ongoing basis.

The likelihood and potential consequences of unwanted events associated with the major compliance hazards are determined by a team of appropriate personnel, and the level of risk is calculated using a risk matrix. For risks that exceed an acceptable level, new controls may be required (e.g. obtaining professional advice, re-designing or modifying a task or process, or introducing training) to eliminate or reduce the level of risk to an acceptable level.

The entire suite of documents that support this process is available via the Head of Compliance or via the Compliance Community on the Rio Tinto portal.

Those Business Units that have their own sound method of identifying compliance risk, in accordance with the Rio Tinto Risk Analysis and Management Guidance (RAMG), are not required to follow this process.
• Identifies any ‘zero tolerance’ compliance risks for that Business Unit.
• Identifies potential risk reduction measures that could be adopted to reduce the risk.

Summary information from the approved version of the final risk report will be collated by the Head of Compliance and communicated back to Product Group heads.
• Use of a trained and experienced Facilitator. The Facilitator should be familiar with the scope of the risk analysis and skilled in the risk process, and should be drawn from outside the team directly working on the area being analysed;
Figure: Risk assessment process flow – Identify Hazards → Identify Existing Controls → Assess Likelihood of Occurrence → Assess Consequences of Occurrence → Determine Risk Level → Risk Acceptance Criteria: Acceptable? If NO, Risk Treatment Actions (and reassess); if YES, Residual Risk Level.
The designated person accountable for Compliance at the Business Unit will provide the following information to the Head of Compliance, at least two weeks before the scheduled Compliance Risk workshop date:
• Organisational context:
  § Financial condition
  § Reputation
• Strategic context

The duration of each workshop will depend upon the size and complexity of the Business Unit.

The Business Unit Team Leader is responsible for the distribution of agreed information to Team Members. The information set will be confirmed between the Head of Compliance and the Team Leader and will be included on the Risk Workshop Scoping Document (see Appendix 3).
- Sample agendas for this process are available from the Head of Compliance.
Part 1:
i) Hazard Identification
The process by which hazards are identified relies heavily on "expert judgement". In this context, expert judgement is provided by the workshop attendees who participate in the assessment, and it may or may not be backed up by tangible evidence.

Although tangible evidence may not always exist for some of the risks identified, this does not devalue the identification in any way. It is the subsequent likelihood and consequence assessments that indicate how seriously the individual risks should be taken when devising risk assessment strategies.
Consequence
In the event that the Business Unit does not have its own proprietary method of determining consequence, the classification system in Appendix 5, Tables 2 and 3 can be used.

Compliance risk consequences are, in the main, assessed in terms of:
• Imposed penalties

With reference to the Rio Tinto Risk Analysis and Management Guidance (RAMG), Capex, Schedule and Production Volume consequences have been considered and assessed as not relevant to compliance risks.
1. In many cases, the frequency of exposure and the number of times the task or activity is undertaken. The following aspects should be considered when making this decision:
• Whether the likelihood arises from a judgement rather than a task.
2. The probability that the unwanted event or omission (maximum reasonable consequence) will occur as a result of the hazard, based on what has happened in the past here or elsewhere in similar situations (i.e. have incidents occurred previously, how often have they occurred, etc.).

In the evaluation process, the workshop participants must consider the "most credible scenario" and attempt to keep a balance between the assessed likelihood and consequences.

In the event that the Business Unit does not have its own proprietary method of determining likelihood, the classification system in Appendix 5, Table 1 can be used.
Risk is the combination of the chance of an event happening and the severity of the consequences when it does. In a qualitative analysis, the risk is determined from the relationship between the assessed likelihood and consequences, using a risk ranking matrix (refer to the example in Appendix 5, Table 4).
• Makes sufficient notes to ensure that the scribe's notes can be confirmed prior to the compilation of the final report.
• Approval of all risk ratings assigned to each hazard from each workshop.
• Ensuring that all new risk ratings are consistent across the business.
• Ensuring that adequate risk reduction measures are identified for all significant and highly significant risks.
• Ensuring the report of the risk identification process and risk reduction measures is retained in accordance with the requirements in the Rio Tinto Compliance Guidance.
Any hazards with an assessed current risk ranking between Level 4 and Level 7 (using the scale in Appendix 5, Table 4) are considered to be significant and require appropriate risk reduction measures to be identified and available for adoption or implementation. Level 6 and Level 7 are termed highly significant and will require immediate action by the Business Unit.

This does not preclude risk reduction measures from being determined and actioned for hazards with a lower risk rating.

At the conclusion of the Compliance Risk identification process, a report will be generated by the workshop facilitator. The Business Unit should retain the report in accordance with the requirements of the Rio Tinto Compliance Guidance and local regulatory guidelines. Information from the report should be integrated with other risk data managed within that Business Unit.
4. RELATED DOCUMENTS
• HB 158:2002 “A guide to using AS/NZS 4360 Risk management within the internal audit process” (Standards Australia)
APPENDIX 1 – RISK PROMPTS

A (1) Legislative and Regulatory (civil and criminal)
Risk associated with non-compliance, including criminal prosecution and civil claims based on non-compliance brought by regulators or private parties.
• Actions brought by Env/Safety regulators;
• Private actions based on violations of HSE regulations or licence conditions;
• Regulatory or private actions based on violations of Competition Law;
• Regulatory actions for violation of Import/Export laws;
• Gov’t actions for violation of OECD Bribery and Corruption laws / US Foreign Corrupt Practices;
• Violation of Employment / Industrial Relations laws;
• Actions brought by mining authorities;
• Material misrepresentation or omission in public announcement or SEC or Exchange filing leads to legal/regulatory action;
• Breach of Directors’/Officers’ duties;
• Changing legislation or new legislation is missed;
• Insider dealings;
• Intellectual Property;
• Legacy issues – closed or abandoned sites;
• Licences – operating without one;
• Mining laws;
• Non-compliance with accounting standards;
• Non-compliance with tax legislation;
• Other health laws (eg running of mine camps (pools, food, etc));
• Privacy;
• Tenement management issues / loss of tenement;
• Workers Compensation – criminal & civil proceedings.

B (2) Contractual
Risk associated with defending or containing claims based on alleged breach of contract, including claims as to existence of unwritten contract.
• Failure to respond to complaint brought by customer for breaching quality specifications in supply contract, leading to default and cancellation;
• Repeated failure to meet quantity requirements without declaring force majeure, leading to default and cancellation;
• We breach supply agreement (disaster / shortfall / not to spec);
• Employment contract breach;
• Project / joint ventures;
• Procurement processes in general, including disclosure of conflicts of interest, adherence to protocols etc.

C (3) Common law or its civil code equivalent
Risk associated with defending or containing common law claims (eg negligence, libel, slander, trespass etc).
• Failure to maintain safe premises results in injury to visitor and personal injury action;
• Imprudent remarks made about a supplier/customer after commercial dispute leads to libel action;
• Failure to monitor own mining activities relative to boundary lines leads to trespass action;
• Improper and deceitful negotiating practices lead to fraud action;
• Bribery and corruption;
• International protocols or conventions affect operations/reputations;
• Misappropriation of company funds;
• Traditional law (eg aboriginal law) issues;
• Theft of product or company assets.

Rio Tinto Policy (+ associated Standards and Guidelines)
Risk associated with non-compliance ‘beyond the legal’ with Rio Tinto policies, including reputation damage, trade embargos, ostracism from international voluntary schemes.
• The way we work:
  o Communities Policy
  o Employment Policy
  o Environment Policy
  o Human Rights Policy
  o Land Access Policy
  o Occupational Health Policy
  o Political Involvement Policy
  o Safety Policy
  o Sustainable Development Policy
• Rio Tinto Controllers Manual
• Rio Tinto Information Security Management Policy
• Rio Tinto Group Data Protection Policy
• Rio Tinto Data Protection in Australia
• Rio Tinto Group Treasury Policies
• Rio Tinto Internet and Email Policy
• Rio Tinto Patch Management Policy
APPENDIX 2 – RESOURCE REQUIREMENTS & ACCOUNTABILITIES

All of the below roles should be clearly explained by the Facilitator at the start of the risk assessment.

Role of the Team Leader is to:
• Act as the Client liaison;
• Provide support to the Facilitator;
• Make any logistical arrangements;
• Help resolve any conflicts within the Team;
• Ensure a formal report of the risk assessment is completed;
• Assist the Client in the review of the risk assessment results (i.e. can provide additional detail not contained within the final Report).

Role of a Team Member is to:
• Input skills and experience into the risk assessment exercise;
• Understand the issue under review and the potential and actual hazards that arise from these issues;
• Have some understanding of what current controls are in place to prevent the unwanted incidents and how effective they are; and
• Actively contribute their knowledge to achieve a successful outcome.

Role of the Facilitator is to:
• Set up the exercise based on the original scoping document;
• Introduce the team to the scope and risk assessment methodology;
• Keep the process on track throughout the exercise;
• Promote creative thinking in determining applicable controls;
• Guide the team through the exercise;
• Resolve any conflicts within the team;
• Help reach consensus, where required;
• Ensure the team’s objectives are achieved within the specified time.
APPENDIX 3 – RISK ASSESSMENT SCOPING DOCUMENT

Focusing on risk types such as those indicated on the attached table (as per Attachment 1).

Mandate:
The Team should examine the risks systematically, scoring each risk factor it identifies according to the risk rating method agreed.

Risk rank scores <insert score ranges> are to be considered as “unacceptable” risks, and the Team will need to further examine these risks to determine the adequacy of existing controls and the level of residual risk.

A “Risk Reduction Plan” is to be developed for all risks with a score of <insert score ranges> and is required by <insert date>.

The team will be allotted <insert number of days> days, from <insert start date> to <insert end date>, to undertake the assessment.

The venue for the risk assessment will be <insert venue name/location>.
Illustrative example

Ref | Hazard | Measure | Type | L | C | L* | C* | Risk Level | Control | Risk Reduction Measures | Risk Ownership
A | ACCOUNTING, TAXATION, FINANCE | | | | | | | | | |
A1 | Fraud or misappropriation of funds due to control weaknesses. | Time (E) | React | VU | M | L3 | C4 | | | Review control effectiveness |
 | | Time (E) | Opcost | VU | VL | | | | | |
 | | Time (N) | Reputation | VU | M | | | | | |
A2 | Failure to disclose material information to the market | Descriptive (E) | React | VU | H | L4 | C3 | | | Need to review formal controls |
 | | Descriptive (N) | Reputation | VU | H | | | | | |
 | | Descriptive (N) | Penalties | VU | L | | | | | |
B | HUMAN RESOURCES, EMPLOYMENT | | | | | | | | | |
B1 | Equal employment opportunity or harassment claims. | Descriptive (E) | React | U | VL | L3 | C3 | | | Training and education on EEO and harassment. |
APPENDIX 5 – RISK TABLES & MATRIX

Likelihood | Very Unlikely | Unlikely | Likely | Highly Probable
Descriptive | Almost Impossible | Possible Sometime | Isolated Incidents | Repeated Incidents
Time | < 1/year | 1/year to 1/month | 1/month to 1/week | > 1/week
Probability | < 0.1% | 0.1% – 1% | 1% – 10% | > 10%
Table 1 – Likelihood Classification
(Figures in blue – replace with calculated values for that BU using the Assumptions above)
Non-Economic Consequences | Very Low | Low | Moderate | High
Rio Tinto or BU Reputation | Negligible | Slight (Manager Level) | Moderate (BU Level) | Severe (Board or RT Level)
Health Impact | None | Short-term Minor | Long-term Minor | Long-term Serious
Personnel Safety | No Injuries | Minor Injuries (Dressings) | Serious Injuries (LTIs) | Fatalities
Environmental Impact | Localised Degradation | Widespread Degradation | Severe Degradation | Catastrophic Degradation
Community Impact | Negligible | Slight | Moderate | Severe
Penalties | Non-financial Censure | Fines | Official Prosecution | Business Closure
Loss of Corp’te Knowledge | Negligible | Minimal Business Impact | Significant Business Impact | Severe Business Impact
Table 3 – Non-economic Consequence Classification
In general terms, the action levels appropriate for the risk levels in Table 4 can be summarised as follows:
APPENDIX 6 – EXISTING CONTROL EFFECTIVENESS

The scheme is based on the principles in AS4360 – Risk management, with the internal audit process (HB158 – Standards Australia), except that a four-fold scheme is used for consistency with the likelihood and consequence scheme, and the definition is expanded slightly to include both a control quality element and a time element.

Definitions:
Current risk: the risk level with the current controls and current control efficiency.
Residual risk: the level of risk when all controls are applied to the maximum reasonable extent.
Key control: a control that reduces a high risk to an acceptable level and is, therefore, critical to the effective management of that risk.

The four-fold system to assess the effectiveness of controls at the present time is:
The “hierarchy of control”, often used for HSE purposes, is described below:
(1) Eliminate the hazard altogether to avoid the risk (eg stop using a dangerous substance if it is not necessary, use a safer method of mining etc).
(2) Substitute. Change the activity or process to one that is less risky.
(3) Engineering. Redesign the system or process or workflow.
(4) Administrative Controls. Provide written procedural controls, adequate supervision, training, rules, checkpoints in work processes etc.
(5) Protect people by providing appropriate Personal Protective Equipment (this should be the last resort).

The Facilitator should provide an overview of the “Hierarchy of Controls” to assist the Team in determining what effective controls are required. Lateral thinking may be required to look beyond the usual “procedural” controls!

The result of this analysis should then be recorded on the “Risk Assessment Record form” (Appendix 3).

If any “highly significant” risks have been identified which have ineffective controls and are considered to pose an immediate threat to personnel, it may be necessary to immediately notify the legal department so that they are made aware of the situation.