
Purpose

This procedure specifies the organization’s requirements to identify and assess risks and opportunities as
specified by ISO 9001:2015.

The main benefits associated with the implementation of this procedure are:
• to ensure appropriate control measures are deployed to reduce risks and seize opportunities
• to ensure one common methodology is used in the organization

Local legislation must be complied with as a minimum. Where this procedure, local legislation and client
requirements differ, the more stringent requirements must be complied with. This procedure applies to
all Business Units of Construction Kaiser Limited and M&E Kaiser Limited. Compliance is mandatory for
all.

Scope
This procedure applies to all employees and contract staff of Construction Kaiser Limited and M&E Kaiser
Limited. As such, all employees must comply with this procedure regarding risks and opportunities and
implement it.

References
ISO 9001:2015 Quality Management Systems - Requirements

ISO 31000:2018 Risk Management – Principles and Guidelines

Definitions
Threat: A threat is a factor that could lead to a risk occurring - that is it will be the cause of a risk
Consequence: Outcome of an event affecting objectives
Issues: An issue is a concern that cannot be avoided. It may be: a risk that has materialised that needs to be managed; a required change to a project; a problem affecting a project
Risks: Effect of uncertainties on objectives
Likelihood: Chance of something happening
Opportunity: A time or a set of circumstances which makes it possible to do something
Event: Occurrence or a change in a particular set of circumstances

Responsibilities

Corporate Risk Officer

The corporate risk officer is responsible for identifying, assessing and managing the risks and
opportunities.
He/She shall establish and maintain a register which contains all identified risks and opportunities,
assessment results and control measures.
The Corporate Risk Officer can delegate these responsibilities to a competent person, team or
organization. This delegation must be documented.

Process Owners

Process owners are responsible for supporting the Corporate Risk Officer in identifying the risks and
opportunities based on their expertise in their own fields.

Employees and Contract Staff

Employees and contract staff are responsible for informing process owners when they detect a non-
identified risk.

Process Steps

1. To identify and assess risks and opportunities, the following steps are to be completed:

• To obtain the internal and external issues relevant to the strategic direction of the
organization (A PESTLE and SWOT analysis could be performed by a committee). When
considering the opportunities and threats aspect of a SWOT, opportunities may emanate
from the PESTLE. Risks can be identified from the threats that can exploit the vulnerability of
the organization
• List all potential interested parties, identify their needs and expectations and determine
risks and opportunities that need to be addressed
• Process owners are to identify risks associated with their process objectives
• Project Managers are to identify risks associated with the project objectives
2. Analyse the Risk – This involves consideration of the causes and sources of risk, their positive and
negative consequences, and the likelihood that those consequences can occur. Risk is analysed by
determining the consequences and the likelihood.
3. Evaluate the Organization's Risks – The purpose of risk evaluation is to assist in making decisions,
based on the outcomes of risk analysis, about which risks need treatment and priority for treatment
implementation. Risk evaluation involves comparing the level of risk found during the analysis
process with the risk criteria.
4. Selection of Risk Treatment: The options for risk treatment include the following:
• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the
risk
• Taking or increasing the risk in order to pursue an opportunity
• Removing the risk source
• Changing the likelihood
• Changing the consequences
• Sharing the risk with another party or parties
• Retaining the risk by informed decision
Selecting the most appropriate risk treatment option involves balancing the costs and efforts of
implementation against the benefit derived, with regard to legal, regulatory, and other
requirements such as social responsibility and the protection of the natural environment.
5. Preparing and Implementing risk treatment or opportunity plan: The purpose of risk treatment plans
is to document how the chosen treatment options will be implemented. The information provided in
treatment plans should include:
• The reasons for selection of treatment options, including expected benefits to be gained
• Those who are accountable for approving the plan and those responsible for implementing
the plan
• Proposed actions
• Resources requirements including contingencies
• Performance measures and constraints
• Reporting and monitoring requirements; and
• Timing and schedule
Decision makers and other stakeholders should be aware of the nature and extent of the residual
risks after risk treatment. The residual risk should be documented and subjected to monitoring,
review and where appropriate, further treatment.

6. Monitoring and review – Both monitoring and review should be a planned part of the risk
management process and involve regular periodic checking and surveillance. The Corporate Risk
Officer is responsible for monitoring and review. The organization's monitoring and review process
involves all aspects of the risk management process for the purpose of:
• Ensuring that controls are effective and efficient in both design and operation;
• Obtaining further information to improve risk assessment;
• Analysing and learning lessons from events (including near-misses), changes, trends,
successes and failures;
• Detecting changes in the external and internal context, including changes in risk criteria and
the risk itself which can require revision of risk treatments and priorities; and
• Identifying emerging risks
Progress in implementing risk treatment plans provides a performance measure. The results of
monitoring and review should be recorded and externally and internally reported as appropriate
and should be used as an input into the risk management framework.

Risk Criteria

The risk criteria of the organization are as shown below in Figure 1.

Figure 1. CKL and MEK Risk Criteria
