
GLD.017
RISK MANAGEMENT

Brief description
Performance requirements for the identification, assessment, control and monitoring of material risk issues
that could threaten the Corporate Objective and business plans.

Key contact
Annette McIlroy, Risk Manager Processes

Version: 2.0 (27 April 2010)


Revalidation date: 30 April 2011
BHP Billiton Group Level Document (printed copies are uncontrolled)

1. Risk assessment scope and resources

The potential for impacts on the achievement of the Corporate Objective and business plans must be identified
through risk assessments using approved materiality and tolerability criteria. Risk assessments must be
supported by clear accountabilities and leadership, and adequate risk resources.

• Incorporate risk assessments in key decision-making and business planning processes (Appendix 2).
• Identify material risk issues by applying the mandated materiality and tolerability criteria for BHP
  Billiton, Customer Sector Groups (CSGs), and Group Functions (GFs) (Appendix 2).
• Develop, authorise and apply materiality and tolerability criteria for Assets, projects, Marketing and
  Minerals Exploration (Appendix 2). Materiality criteria must include financial and non-financial severity level,
  maximum foreseeable loss (MFL), and residual risk rating (RRR).
• Implement risk management plans to assess, control and monitor material risk issues.
• Authorise the risk profile before submission to the Business Group Risk and Audit Committee (RAC)
  (Appendix 1).
• Appoint adequate risk management resources, ensuring roles and responsibilities are documented and
  obligations understood and training provided.

2. Risk assessment

A risk assessment (risk identification, risk analysis and risk evaluation) must be conducted for all material risk
issues to understand the nature and tolerance of the material risk issues related to the Corporate Objective
and business plans and decisions.

• Conduct and document a risk assessment for all material risk issues (Appendix 2) and record material
  risk issue assessments in a Risk Register.
• Apply the risk rating methodology, including MFL, RRR and severity factors (Appendix 3).
• Perform a risk analysis or Bow Tie Analysis for the material risk issues. Determine and document the
  relationship between the following elements: risk event, risk owner, cause, impact, existing preventative
  controls, existing mitigating controls, improvement tasks.
• Identify critical controls for material risk issues.
• Conduct a tolerance assessment for BHP Billiton, CSGs, Assets, GFs, projects, Marketing and Mineral
  Exploration to ensure material risk issues are maintained within tolerability criteria (Appendix 2).
• Incorporate a formal review of the risk profile into the regular management agenda and update the risk
  profile based on the Risk Register at least annually, identifying new risk issues or changes to existing ones.


3. Risk control

Risk controls must be designed, implemented, operating and assessed to produce a residual risk which is
tolerable.

• Establish minimum performance standards (a benchmark, target, reference level or operating parameter
  against which performance may be tracked) for each critical control. Design and operating performance
  standard criteria must be considered for all critical controls for material risk issues.
• Design, document, implement, operate and monitor critical controls for material risk issues.
• Conduct and document self-assessment of critical control design adequacy, implementation and
  operation against the established minimum performance standards at least annually.
• Rate the effectiveness of critical controls (applying the control ratings, Appendix 4) at least annually, to
  determine risk profile tolerance.
• Record, monitor and complete improvement tasks to address weaknesses in control effectiveness to
  ensure a tolerable risk profile.
• Document, implement, and where practicable test and maintain current business continuity management
  plans for material risk issues that interrupt business.
• Report risk profiles and critical control assessments to leadership teams and the Business Group RAC.


Appendix 1. Authorities

Endorse Approve Inform

10.8.1 BHP Billiton risk profile including continued tolerance of material risks
  Vice President Risk Management and Assurance
  GMC
  Board RAC

10.8.2 CSG risk profile including continued tolerance of material risk issues
  CSG President
  GMC Owner (with line accountability)
  Business Group RAC

10.8.3 Asset risk profile including continued tolerance of material risk issues
  Asset Leader
  CSG President

10.8.5 Marketing risk profile including continued tolerance of material risk issues
  President Marketing
  GMC Owner (with line accountability)

10.8.6 Mineral Exploration risk profile including continued tolerance of material risk issues
  President Mineral Exploration
  GMC Owner (with line accountability)

10.8.7 Asset materiality and tolerability criteria
  Asset Leader
  CSG President

10.8.8 Marketing materiality and tolerability criteria
  President Marketing

10.8.9 Mineral Exploration materiality and tolerability criteria
  President Mineral Exploration


Appendix 2. Materiality and tolerance criteria

Materiality criteria

Risk materiality criteria must consider non-financial impacts (Appendix 3 Severity Table). Risk issues are
considered material if they meet either of the MFL or RRR criteria (Appendix 3).

Mandatory materiality criteria

BHP Billiton
  Maximum foreseeable loss: US$2.5 billion or more, or non-financial impacts equal to, or greater than, Level 5 on the Severity Table.
  Residual risk rating: 300 and above

CSG or GF
  Maximum foreseeable loss: US$250 million or more, or non-financial impacts equal to, or greater than, Level 5 on the Severity Table.
  Residual risk rating: 90 and above

Assets, projects, Marketing, Minerals Exploration
  Maximum foreseeable loss: Develop, authorise and apply MFL materiality criteria which must include financial and non-financial severity level.
  Residual risk rating: Develop, authorise and apply RRR materiality criteria

Tolerability criteria

Business: BHP Billiton
  Tolerability criteria: 300 residual risk rating (RRR) and “well controlled” control rating. If ≥ 300 RRR and controls require some improvement then a management action plan to reduce the residual risk or improve the controls is required.

Business: CSG or GF
  Tolerability criteria: 90 residual risk rating (RRR) and “well controlled” control rating. If ≥ 90 RRR and controls require some improvement then a management action plan to reduce the residual risk or improve the controls is required.

Business: Assets, projects, Marketing, Minerals Exploration
  Tolerability criteria: Develop, authorise and apply tolerability criteria.


Appendix 3. Risk assessment – risk rating

Risk rating methodology

The BHP Billiton risk rating and ranking methodology:

• permits the consistent and repeatable evaluation and ranking of risk issues – so that material risk issues
  can be identified and the quantum of residual risk estimated with sufficient accuracy for an assessment of
  tolerability;
• facilitates comparison on a consistent basis across BHP Billiton risk issues of various types.

The methodology involves the calculation of two parameters – MFL and RRR. The MFL and RRR need to be
determined for all material risk events within the risk issue. Risk issue ratings must be defined by the highest MFL
and the highest RRR from the risk events contained within the risk issue. The MFL and the RRR can derive from
different risk events related to the one risk issue.

Maximum foreseeable loss (MFL)

In addition to MFL as defined, the plausible worst foreseeable consequence can be expressed in non-financial
impacts in the Severity Table, and can be applied to all risk issues and loss scenarios – not just to those involving
damage to operational facilities. In a plausible worst case scenario all active risk controls – including insurance
and hedging contracts – are assumed to be ineffective. Record the basis and assumptions used in calculating the
MFL in a Risk Register.

Residual Risk Rating

Residual Risk Rating (RRR) = severity factor x likelihood factor


Severity is calculated from the defined material risk event and assumes reasonable effectiveness of existing and
tested mitigating controls. The likelihood is assessed assuming reasonable effectiveness of existing and tested
preventative controls.

Selecting the severity factor

1. Identify risk events with potentially material consequences associated with the risk issue.
2. For each material risk event, calculate and document the expected maximum harm assuming reasonable
effectiveness of existing and tested mitigating controls. This is the “severity” of the risk event and is the
basis for selecting the severity factor. The basis and assumptions used in calculating the severity must
be documented in the Risk Register.
3. Select from the Severity Table the severity factor description best fitting the expected degree of gain, harm,
injury or loss from the material risk event being assessed. Interpolation between the levels is not permitted.
4. In proposals for future work and projects where there are no “existing” controls in place, the mitigating
controls planned and budgeted for must be assumed when selecting the “expected” degree of gain,
harm, injury or loss.
5. Where there is the potential for more than one impact type associated with a single risk event (for
example safety impacts and financial impacts), the severity factor must be the highest numerical rating
amongst those individual “expected degrees of gain, harm, injury or loss”.
6. Where the “financial” impact is expected to be a one-off amount, it must be calculated as the resultant
change in the Earnings Before Interest and Tax (EBIT) in that year.
7. Where the “financial” impact is expected to be an ongoing annual reduction in EBIT, it must be calculated
as the Net Present Value (NPV) of those future reductions in EBIT.
8. For joint ventures where BHP Billiton has less than 100 per cent financial interest, the severity factor for
financial consequences only, must be adjusted to reflect BHP Billiton’s interest.

Severity factor: Considering the risk event being analysed, choose a description that best fits the expected degree of gain, harm, injury, or loss from the most severe impact associated with
that risk event, assuming reasonable effectiveness of existing and tested mitigating controls. Where there is more than one impact type possible, look across the table and choose the
highest level and corresponding severity factor.

Impact types by severity level

Severity level 7 (severity factor 1000)
  Health and safety: >50 fatalities. Very serious irreversible injury to >500 persons.
  Environment: Unplanned permanent environmental impact over extensive area. Permanent loss of ecosystem or extinction of species.
  Social and cultural: Complete breakdown of social order. Widespread desecration of items of global cultural significance. Company directly responsible or complicit in severe, and widespread long term impacts on human rights.
  Reputation: Prolonged (>2 months) international multi-NGO and media condemnation.
  Legal: Hostile takeover, public shareholder discontent resulting in loss of Chairman/CEO/Board, bankruptcy, closure of operations on multiple sites or BHP Billiton.
  Financial: >US$2.5 billion

Severity level 6 (severity factor 300)
  Health and safety: >20 fatalities. Very serious irreversible injury to >100 persons.
  Environment: Unplanned severe impact (>20 years) on ecosystem or Threatened Species.
  Social and cultural: A breakdown of social order. Widespread damage to items of global cultural significance. Highly offensive infringements of cultural heritage. Company directly responsible or complicit in severe, long-term impacts on human rights.
  Reputation: International multi-NGO and media condemnation. BHPB direct action (includes partner/contractor action) results in reputation issue. Large violent protest (>100 people) resulting in fatal injuries.
  Legal: Lack of valid operating title, forced closure of an operation, Anti-trust or Foreign Corrupt Practices inquiry.
  Financial: US$250 million – US$2.5 billion

Severity level 5 (severity factor 100)
  Health and safety: 2-20 fatalities. Short or long term health exposures leading to significant irreversible human health effects to >50 persons.
  Environment: Unplanned serious or extensive impact (<20 years) on ecosystem or Threatened Species.
  Social and cultural: Extensive long-term social impacts. Widespread damage to structures/items/locations of national cultural significance. Serious infringements of cultural heritage. Company directly responsible or complicit in multiple aggravated impacts on human rights.
  Reputation: Serious public or national media outcry (international coverage). Damaging NGO campaign. BHP Billiton reputation severely tarnished. Third party actions (where BHPB is one of many in a group) result in reputation impact. Large protest (>100 people) with significant violence & serious, multiple injuries.
  Legal: Fines and prosecutions relating to criminal breaches including jail terms and being the subject of a royal commission.
  Financial: US$50 million – US$250 million

Severity level 4 (severity factor 30)
  Health and safety: Single fatality. Severe irreversible disability or impairment (>30% of body) to one or more persons.
  Environment: Unplanned major impact (<5 years) on ecosystem or Threatened Species.
  Social and cultural: Major long-term social impacts or on-going social issues. Damage to structures/items of national cultural significance. Major infringement and disregard of cultural heritage. Company directly responsible or complicit in major human rights impacts.
  Reputation: Major adverse national media/public/NGO attention. 20-100 people protest, people restrained with force, arrests and injuries. Asset/CSG reputation majorly impacted.
  Legal: Major civil litigation including class actions.
  Financial: US$5 million – US$50 million

Severity level 3 (severity factor 10)
  Health and safety: Moderate irreversible disability or impairment (<30% of body) to one or more persons. Days lost due to injury.
  Environment: Unplanned moderate impact (< 1 year) to ecosystem or non-threatened species.
  Social and cultural: Moderate medium-term social impacts or frequent social issues. Moderate damage to structures/items of local cultural significance. Moderate infringement of cultural heritage/sacred locations. Moderate, temporary human rights impacts.
  Reputation: Attention from regional media and/or heightened concern by local community. Criticism by community, NGOs or activists. Asset reputation adversely affected.
  Legal: Breach of regulation, Lack of valid exploration title.
  Financial: US$500,000 – US$5 million

Severity level 2 (severity factor 3)
  Health and safety: Objective but reversible disability/impairment. Medical treatment injury.
  Environment: Unplanned minor impact (< 3 months) to non-threatened species or their habitat.
  Social and cultural: Minor medium-term social impacts on small number of people. Minor repairable damage or disturbance to property, structures, or items. Minor infringement of cultural heritage. Minor, temporary human rights impacts.
  Reputation: Adverse local public or media attention and complaints. Heightened scrutiny from regulator. Asset reputation is adversely affected with a small number of people.
  Legal: Minor legal issues, non-compliances and breaches of regulation.
  Financial: US$50,000 – US$500,000

Severity level 1 (severity factor 1)
  Health and safety: Low level short-term subjective inconvenience or symptoms. No medical treatment.
  Environment: Unplanned low level environmental impact.
  Social and cultural: Low-level social impacts. Low-level infringement of cultural heritage or minimal disturbance to heritage structures. Minimal impact on human rights.
  Reputation: Public concern restricted to local complaints. Low level interest from local media and/or regulator.
  Legal: Low-level legal issue.
  Financial: <US$50,000


Likelihood factors table

Columns: Operations | Uncertainty description | Projects | Likelihood factor

Operations wording: Given the site, BHP Billiton and industry experience, it:
Projects wording: Based on BHP Billiton and industry experience with similar studies or projects, the risk event:

Almost certain (likelihood factor 10)
  Operations: could be incurred more than once in a year
  Projects: could be expected to occur more than once during the study or project delivery

Likely (likelihood factor 3)
  Operations: could be incurred over a one to two year budget period
  Projects: could easily be incurred and has generally occurred in similar studies or projects

Possible (likelihood factor 1)
  Operations: could be incurred within a five year strategic planning period
  Projects: incurred in a minority of similar studies or projects

Unlikely (likelihood factor 0.3)
  Operations: could be incurred within a five to ten year time frame
  Projects: known to happen, but only rarely

Rare (likelihood factor 0.1)
  Operations: could be incurred in a 20 to 30 year timeframe
  Projects: Has not occurred in similar studies or projects, but could

Very rare (likelihood factor 0.03)
  Operations: For a system failure: This consequence has not happened in the industry in the last 50 years. For a natural hazard: The predicted return period for a risk event of this strength/magnitude is one in 100 years or longer.
  Projects: conceivable, but only in extreme circumstances


Appendix 4. Risk monitoring and control

Group Audit Services ratings and their explanation

Well controlled
  Controls, processes and performance requirements evaluated are adequate,
  appropriate and effective to provide reasonable assurance that risks are being
  managed and business and functional effectiveness objectives should be met.

Requires some improvement
  A few specific control or performance requirement weaknesses were noted;
  generally however, controls and performance requirements evaluated are
  adequate, appropriate and effective to provide reasonable assurance that risks are
  being managed and objectives should be met. Certain controls or performance
  requirements may require improvement to ensure that the overall environment will
  continue to operate effectively.

Requires significant improvement
  Numerous specific controls or functional priority performance requirement
  weaknesses were noted. Controls or performance requirements evaluated are
  unlikely to provide reasonable assurance that risks are being managed and
  business and functional effectiveness objectives should be met. The control
  framework needs improvement to achieve a satisfactory level of risk mitigation.

Uncontrolled
  Controls and performance requirements evaluated are not adequate, appropriate or
  effective to provide reasonable assurance that risks are being managed and
  objectives should be met. There is an urgent need for management to improve the
  control framework to achieve a satisfactory level of risk mitigation.
