Risk Management Manual

RASHPETCO and BURULLUS Governance System
Document Title: Document Number:
Risk Management Manual RPC-COR-MS-RMP-201
THIS IS A CONTROLLED DOCUMENT NO. THIS IS AN UNCONTROLLED DOCUMENT X
Controlled documents will automatically be re-issued to recipients as and when changes occur. It is the recipients responsibility to replace and destroy the old version. Uncontrolled documents will not automatically be re-issued and users should ensure that they have the latest version. If in doubt, consult Governance department.
Accommodate validation checks; update meetings terms of reference; clarity of link to the Partners process; realignment of the responsibility matrix; link to Objectives, Performance Contracts & Business Improvement Plan; and some format changes. A Risk Register template has also been produced and referenced in this manual.
Approved Approved Checked
Chairman & MD
T El-Attar
MD & GM Internal Audit GM Governance Manager Chairman & M.D. M. D. & G. M. HSE GM HSE D/GM Governance Designation
F Ahrabi M Helmy
Prepared
B Williams T El-Attar R. Fox Alaa El Din Shinaishai Alan Spicer Chris. Thomas Name Signature Date
Approved Approved 1 Format and number changes only Checked Checked Prepared Revision Description Description
Page 2 of 2 Date: July 2003
Document Title: Risk Management Manual
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
CONTENTS PART 1 1.1 1.2 1.3 1.4 Purpose Scope Definition of Risk Benefits of Risk Management PART 2 BUSINESS PROCESS MAPS 2.1 2.2 Risk Management Business Process New Register Preparation Business Process PART 3 RISK MANAGEMENT STRUCTURE 3.1 3.2 3.3 Process Hierarchy Risk Registers Risk Meetings PART 4 BUSINESS PROCESS NOTES NEW REGISTERS 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 Format and Content Ownership of Registers Preparation of new Registers Risk Ratings Elevation of risks Dealing with risks Managing risks Risk Meetings Terms of Reference PART 5 5.1 Responsibility Matrix PART 6 6.1 6.2 Method of Risk Rating Risk Register Template APPENDICES RESPONSIBILITY MATRIX INTRODUCTION
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
1 1.1
INTRODUCTION Purpose This document defines the Risk Management process. It covers the ongoing process of Business Risk identification, understanding, measurement and decision making to control and mitigate the identified risks, recognising that a risk may present e ither an opportunity or threat to the achievement of the COMPANY objectives. Risk management is an iterative process and should be used at all levels within the Company and at all stages within the business cycle. All employees have responsibility for managing the risks relevant to their role.
1.2
Scope This guideline outlines a methodology for the management of risk of all COMPANY activities, including all the phases of project lifecycles. Note: It is also the COMPANY intention to include the main contractors working on COMPANY Projects in the Risk Management process. The frequency, process and format for gathering the Risk information shall be agreed during the tender processes or kick-off meeting.
1.3
Definition of Risk Within this guideline risk is defined as either:

the threat that an event or action will adversely affect the COMPANY, and prevent it from achieving its objectives, or a missed opportunity for improvement.
The consequences can affect one or more of the following:

cost (CAPEX and OPEX) schedule quality, including plant capacity, flexibility, availability health, safety, security and environment company image and reputation licence to operate financial management third party relations.
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
1.4
Benefits of Risk Management The main benefits of a formalised risk management process are that it:

creates an understanding of the relationship between risks: cost, timescales, image, quality and safety and environment, and brings realism into the consideration of the trade-offs between them improves decision making at all levels in the company underpins a culture of continuous improvement; encouraging openness and enabling effective, pro-active and timely application of knowledge and expertise ensures ownership of risks, so they are effectively monitored and pro-actively managed focuses, through rating, on the key risk areas makes risks, and actions taken to resolve them, clearly visible to management reduces the likelihood of a risk materialising and the impact if it does reduces spending on resolution of problems, through addressing them earlier improves the quality and accuracy of CAPEX estimates and project schedules optimises exploitation of opportunities encourages the proper handling of risks rather than the management of crises.
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
2 2.1
BUSINESS PROCESS New Register Preparation Process
New Register Preparation Business Process
Risk Register Required
Objectives. Performance Contracts.

Define Risks
Evaluate and Rate Risks
Business Environment
Determine Mitigating Actions
Business Improvement Plan
Allocate Risk Owners
Department / Project Risk Register
Finalise and Issue Risk Register
Are risks higher rated than threshold 1 & 2 as defined by the MDs in discussion with Partners?
Cascade Risks to Corporate Register
YES
Threshold Ratings 1 and 2 Risk Management Business Process ((see 2.2 below)
NO
Retain and manage within the department or project
End of Process
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
2.2
Risk Management Business Process
Risk Management Business Process
Initiate Risk Management
New Register Preparation Process (see 2.1 above)
Initiate Mitigating Actions
Identify new and changes in Risks
Review Feedback and Update Register
Validate Risk Register contents through inter departmental reviews and challenges.
Hold Risk Meeting and Re-evaluate Risks Are risks higher rated than threshold 1 i.e. score of 12 and above? Department / Project Risk Register Finalise and Issue Risk Register
YES Cascade Risks to Corporate Register
Threshold Rating 1 Are risks higher rated than threshold i.e. score of 18 and above?
Corporate Risk Register
Hold Corporate Risk Meeting and Re-evaluate Risks
Submit Risks to Managing Partners Risk System
YES
Threshold Rating 2
End of Business Process
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
3. 3.1
BUSINESS RISK MANAGEMENT STRUCTURE Process Hierarchy The company Business Risk Management system is structured to enable Risks to be rated and prioritised in order to ensure that each risk receives the appropriate management attention. (As shown on the following chart):
HIGH LEVEL RISKS PARTNER LEVEL
Risk Prioritisation
MEDIUM LEVEL RISKS CORPORATE REGISTER CORPORATE RISK MEETING
ALL RISKS PROJECT & DEPARTMENT REGISTERS RISK MANAGEMENT MEETINGS
RASHPETCO RISK MANAGEMENT STRUCTURE 3.2 Risk Registers Risk Registers will be prepared and managed as defined in section 2 . Current registers will be kept within the Governance Documents suite. Risk Owners are responsible for sending a copy of the current register to the Governance Manager. As a minimum requirement, the COMPANY will maintain the following registers. REGISTER Corporate All Projects Operations Exploration Finance HSE IT Contract & Procurement OWNER Managing Directors Project General Managers Operations General Managers Exploration General Managers Finance General Managers HSE General Managers IT General Manager GM Material and GM Contract RISK LEVEL High and Medium All Project Risks All Department Risks All Department Risks All Department Risks All Department Risks All Department Risks All Department Risks
However, all departments are expected to routinely review their Business Risks, capture the risks and mitigating actions, preferably through a Risk Register, demonstrate the management of the risks and report any significant changes to the Managing Directors.
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
3.3
Risk Meetings Risk Meetings are the essential formal elements in managing risk at all risk levels within the COMPANY. There are three levels of risk meetings, which are as follows:
Partner Risk Meeting This meeting is held every quarter and it is owned and shared by BG Egypt (BGE) on behalf of other partners. Rashpetco risks scoring 18 and above are fed into this process by the submission of the Corporate Partner Level Risk Register to BGE in advance of this meeting. In addition, the BGE Managers responsible for the Projects receive and contribute to the Project/Operation Risk Registers routinely. These processes allow adequate review and challenge opportunities ahead of the quarterly meeting. Rashpetco/Burullus will be represented at this meeting by the Governance Manager, and Risk Owners may be invited by BGE should further clarification be required.
Corporate Risk Meetings This meeting is held every quarter and captures all risks scoring 12 and above from the departmental risk registers. These risks are contained in the Corporate General Risk Register. In addition, corporate specific risks are identified, processed and added to the register in advance of this meeting. This meeting will agree the contents of the register and the elevation of risks scoring 18 and above to the Corporate Partner Level Risk Register. An important role of this meeting is to re-evaluate and finalise the risk ratings and in the process identify the risks to be elevated to the Partners. For example, a risk item with a score of 18 and above from a department may end up with a lower score because Rashpetco management considers that the manageability factor should be lower; whilst manageability may be outside the control of the department, it is considered to be within the companys control.
Department and Project Risk Meetings These meetings will identify and evaluate all risks associated with their business objectives. All risks scoring 12 and above, after inter-department validation process, will be elevated to the Corporate Risk Register.
The terms of reference for the Corporate Risk meeting and the Departmental/Project Risk meetings are contained in Section 4. The terms of reference of the Partner Risk meeting are determined by BGE.
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
4 4.1
BUSINESS PROCESS NOTES FOR THE PREPARATION OF RISK REGISTERS Format and Content Adopting a standardised format for project risk registers facilitates the review and comparison of risks across projects, and the assembly of an assets risk register from its constituent projects. A suggested format is shown in Appendix 1. If there is a need to depart from this format because it does not fit in with a department/projects established procedures, this should be discussed with the Governance Manager who may use the opportunity to implement an improved format.
4.2
Ownership of Risk Registers Ownership of the overall risk register lies with the General Manager. Maintenance of the register may be delegated to an identified risk co-ordinator within the project/department team, whose role is to ensure that risks are added, updated and closed out on the register in a timely fashion. It is recommended that regular risk reviews are held, at least quarterly, to ensure that the register reflects the true risk status at all times.
4.3
Preparing New Risk Registers To initiate a Risk Register each department or project team should convene a risk identification review at the earliest suitable time. In the case of projects, it is recommended that this be at the point where the development concept has been selected but before the definition/FEED stage. At this point, reservoir knowledge, development concept, execution strategy, cost, schedule and commercial framework have been established in sufficient detail to enable meaningful risk assessments to be made. The information collation process can either be tasked to individuals or generated by brainstorming by the department or project team. The latter approach is likely to generate a more comprehensive risk register more efficiently and is therefore recommended. Regardless of the process, a major objective should be to ensure that:

the objectives and goals of the projects/departments are clearly understood and are reflected the business environment is taking into consideration clear team ownership of the risk register and management procedure.
The risks identified may be grouped under agreed headings or, in the case of project, using the Work Breakdown Structure (WBS) or functional team set-up. Once the risks have been grouped, the risks and the associated control options should be discussed with the objectives of:

agreeing that the risks or opportunities are realistic, meaningful and comprehensive agreeing the risk evaluation rating in accordance with example in the Appendix. The ratings must reflect the business environment and be objective as far as possible. agreeing the control procedure and actions that would mitigate each risk. These should be specific, clearly defined and include a timescale for completion of the mitigating actions, where relevant.

Document Number:
RPC-COR-MS-RMP-201
Revision: 2
ensuring an alignment of documented mitigated actions with the contents Business Improvement Plan. validating the contents of the proposed risk register before the quarterly publication through interdepartmental consultation, review and challenge. This gives more credibility to, and wider acceptance of the contents of the register ahead of publication.
4.4
Risk Ratings The following method of rating of risks is a mandatory requirement for all Risk Registers. Each risk is evaluated in terms of its Impact (I), Probability (P) and its Manageability (M). See Appendix 7.1 for guidance notes. Each of these risk factors has a rating between 1 and 3. The final rating is calculated as shown below: FINAL RATING = IMPACT X PROBABILITY X MANAGEABILITY Using this method the minimum risk rating is 1 and the maximum is 27.
4.5
Elevation of Risks The main business risks will be elevated into the Corporate Risk Register, and potentially into the Partners Risk Management system. Proposed criteria for deciding which risks need to be elevated will be based on the following rating levels: 1 11 12-17 18+ Projects/Department Rashpetco/Burullus level Partner Level.
4.6
Dealing with Risks Central to risk management is selection of the most appropriate mitigation or control strategies. These may:

Avoid the risk by suggesting alternative courses of action Eliminate the cause(s) of the risk Reduce the likelihood of the risk occurring Reduce the direct consequence of the risk Minimise its impact in business terms Transfer the risk (e.g. Insurance) Instigate investigation to gather further information before a final decision is made Accept the risks as unavoidable.
The appropriate mitigation or control method is very context specific and there is no universally right or wrong approach. The above generic approaches can be used for guidance, but ultimately the decisions will be based on the knowledge, experience and judgment of the management team.
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
4.7
Managing Risk Risks will normally be identified during individual, dedicated sessions or on request prior to Risk Meetings, but all COMPANY employees and PMT members are responsible for being risk aware at all times. Any risk identified during a review process, or at any other time, that threatens the successful achievement of COMPANY business objectives should be brought to the attention of the relevant Department or Project Manager for inclusion, if appropriate, within the appropriate risk register. Risk is managed using a series of structured meetings, which are described in 3.3 and in the terms of reference in 4.8. All nominated personnel will attend each Risk Management meeting. The purpose of the meeting is to brief the attendees of all the risks (particularly those scoring medium and high ranking), discuss/rank new perceived risks and review/agree mitigating actions and actionees. Prior to the risk meeting, each member of the meeting will be responsible for forwarding a list of revised current ratings or new perceived risks, which will be processed by the nominated Risk Register Co-ordinator who will update the Risk Register prior to each meeting. All new Ratings or Risks will be evaluated during the meeting and the rating modified as appropriate.
4.8
Risk Meetings Terms of Reference The relevant terms of reference are stated below.
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
Terms of Reference - Corporate Risk Management Meeting Frequency / Time: Chair / Owner Quarterly / 1 hour MDs Agenda Minutes and action from the previous meeting Review of Corporate and Partner Level Risk Registers BIPS Review of Audit Log and outstanding items Chairman & MD General Manager & MD All General and Deputy General Managers All Project Managers Governance Manager Attendees
Action Log Owner
Governance Manager
Objectives To promote a comprehensive Risk Management Process within the COMPANY To maintain Corporate Risk Register To establish and agree a common understanding of specific mitigation actions To align Risk mitigations actions with BIPs To agree the Partner Level Risks. To evaluate the progress of outstanding audit actions.
Inputs Action log from prior meeting Departmental and Corporate Risk Registers Business Improvement Plans Audit Action Logs and Tracking Registers
Outputs Agreed Corporate Risk Registers Agreed Shareholder Risk Register Revised Business Improvement Plans. Revised Audit Action logs and Tracking Registers
Comments:
This meeting will be scheduled to align with Partners Risk Management meeting and Business Control meeting.
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
Terms of Reference - PROJECT & DEPARTMENT RISK MEETINGS Frequency / Time: Chair / Owner Action Log Owner Quarterly / 1 hour GMs As designated. GMS Key Managers Attendees
Objectives: To support the COMPANY Risk Management Manual requirements Maintain Department / Project Risk Register Co-ordinate Audit Activities and Reporting Develop Mitigating Action Lists Maintain the departmental Business Improvement Plan
Agenda: Minutes from previous meeting Review Register Agree Risks that will cascade to the Corporate Risk Register Review Audit Log Review BIP
Inputs: Action log from previous meeting Departmental Risk Register Corporate Risk Register Feedback from other departments & GMs Audit Reports and Action Logs BIP
Outputs: Updated Risk register Agreed Corporate levels risks Updated Action log and Audit findings Revised BIP
Comments:
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
5.
RESPONSIBILITY MATRIX
Governance Manager
Managing Directors
RISK MANAGEMENT - RACI MATRIX R A C I = Responsibility = Accountable = Consulted = Informed
Approval of this Manual
Maintenance of this Manual
Participation in Managing Partners Risk Process
Updating and Issuing of the Corporate Risk Registers
Approval of the Corporate Risk Registers
Elevating of risks to the Corporate Risk Registers
Updating and Issuing of Department / Project Risk Register
R/I
Approval of Department / Project Risk Registers
I/C
R/I
Preparation of the Department / Project Risk Register
I/C
Project/Department Risk Co-ordinator I A A A
Project/Department Managers
Managing Partner
Page 15 of 15 Date: July 2003 6 6.1 APPENDICES
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
Guidelines for Risk Rating The following guidelines are general and may not be appropriate to all circumstances. IMPACT Factor Schedule Cost Quality Safety & environment RASHPETCO image Stakeholders image 1 (Low impact) < 7 days <$150k Acceptable with minor actions Tolerable with minor actions Acceptable with minor actions Acceptable with minor actions 2 (Medium impact) >7days, <1 month >$150k, <$6m Acceptable with major actions Tolerable with major actions Acceptable with major actions Acceptable with major actions 3 (High impact) >1 month >$6mm Not acceptable Not acceptable Not acceptable Not acceptable
PROBABILITY 1 (Low ) Less than once in 5 years very unlikely to occur 2 (Medium) Once in 5 years quite likely to occur 3 (High) Once a year very likely to occur
MANAGEABILITY 1 (Low ) Relatively easy to manage with normal management resources. 2 (Medium) Needs special attention and possibly enhanced management procedures 3 (High) Difficult to manage and may need outside assistance.
RISK RATING = IMPACT X PROBABILITY X MANAGEABILITY
Page 16 of 16 Date: July 2003 6.2
Document Number:
RPC-COR-MS-RMP-201
Revision: 2
RISK REGISTER TEMPLATE The template can be found in the Governance Shared Drive, Under Risk Management. The document is self-explanatory and can be completed using the process detailed in section 4 above. Where you need to have an input in terms of the Register format, appropriate comments have been inserted in the register template to guide you. These are identified by the yellow marks. Just put your pointer over it to read the comment. Then highlight and type the required information over it.

Risk Management Manual

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Risk Management Manual

Diunggah oleh

Hak Cipta:

Format Tersedia

RASHPETCO and BURULLUS Governance System

Document Title: Document Number: