Critical Risk Management Standard FSM-MSD-SUS-15-EN

Critical Risk Management Standard

Document Category Corporate Standard Area Sustainability
Code FSM-MSD-SUS-15-EN Date Approved 30/08/2022
Version 1.0
Elaborated by Edson Covic Director of HSSE LATAM
Paul Criddle COO West Africa
Reviewed by
Cesar Velasco COO LATAM
Approved by Julien Baudrand SVP Sustainability

Table of Contents
1. Objective 2
2. Scope 2
3. Definitions 2
4. Requirements 2
4.1. Critical Risks assessment 2
4.2. Critical Controls identification 3
4.3. Fatal Risk Control Protocols (FRCP) 4
4.4. Critical Control Check List (CCCL) 4
4.5. Audit, Inspection and Verification process 4
4.6. Communication and training 5
5. Roles and Responsibility 6
6. Reference material 7
7. Related documents 8
8. Change control 8

Fortuna Silver Mines Inc. Page 1 of 9

 Critical Risk Management Standard FSM-MSD-SUS-15-EN

1. Objective

Establish the requirements for critical risks management through the identification of critical controls,
the assignment of accountability for their implementation and the verification of their effectiveness,
in order to prevent events with potential major or severe consequences according to the Company’s
Enterprise Risk Management process, including event that can cause fatalities.

2. Scope

Applies to all areas and subsidiaries of Fortuna Silver Mines.

3. Definitions

• Critical Risk Management (CRM): a process that involves a systematic approach to ensure
that Critical Controls are in place and effective in order to control Critical Risks.

• Critical Risk: A risk that has the potential to cause an event with potential major or severe
consequences according to the Company’s Enterprise Risk Management (ERM) process,
including event that can cause fatalities.

• Critical Control: A control that is crucial to avoid a potential event with potential major or
severe consequences or mitigate its consequences when an undesired event occurs. The
absence or failure of a Critical Control would significantly increase the risk, despite the
existence of other controls.

• Defense (non-critical control): Control identified to prevent or mitigate a risk, however, it

is not considered a critical control.

• Bowtie Analysis (BTA): An analytical method for identifying and reviewing the controls
intended to prevent or mitigate a specific unwanted event.

• Inherent risk: Represents the level of risk before any risk mitigation actions and controls
haven been taken into account.

• Residual risk: Residual risk is the level of risk that remains after controls are accounted for.

• Fatal Risk Control Protocols (FRCP): Documents that establish the minimum critical
controls required to manage the critical risks identified by the company.

4. Requirements

The following sections contains the minimum requirements for the implementation of the Critical Risk
Management at operational and corporate levels. Note that each subsidiary may develop one or
more additional specific tools and documents (e.g., procedure, guidelines, checklist, etc.) to meet
these requirements.

4.1. Critical Risks assessment

All the subsidiaries, operations, projects, exploration and other operational activities must maintain
a Risk Register of their activities and processes well updated.

The risk level of each event must be assessed considering the FSM ERM Risk Matrix.

Specific responsibilities in risk management must be assigned as required by the sites, considering
the particularities of each site's organizational structure.

Fortuna Silver Mines Inc. Page 2 of 9

 Critical Risk Management Standard FSM-MSD-SUS-15-EN

Based on the mining and other activities ongoing at operational level, but also on the learnings from
historical incidents at site and/or in the industry, foreseeable events and/or other information of
interest, hazard identification and risk assessment have to be conducted for all ongoing and expected
activities.

For each subsidiary and for the exploration activities, the identification and assessment of risks must
be documented into a risk register according to the risks assessment processes in place, such as
ISO management system and Fortuna Enterprise Risk Management (ERM) procedure and risk
matrix. If the local legislation demands a risk analysis based on a different risk matrix to assess the
risk profile, the manager in charge of the HS department must contact the Regional Director in charge
of Health and Safety to evaluate the situation.

The team participating in the risk assessment should be formed at least by the area manager,
specialists (operational inputs, coordinators, supervisors and/or operators), along with a
representative of the HS department.

These risk registers should clearly identify the Critical Risks based on the results of the identified
inherent risk assessment.

In order to ensure an efficient and consistent management of Critical Risks, all the Critical Risks
identified during a risks assessment process must be communicated to:

• the subsidiary’s manager in charge of the Health and Safety department;

• the subsidiary’s manager in charge of the department concerned by the activity;
• the subsidiary’s manager or Country Head;
• the Regional Director in charge of Health and Safety.

4.2. Critical Controls identification

After the identification of the critical risks, a Bowtie Analysis (BTA) process should be carried out for
each critical risk identified in order to determine the critical Controls to be implemented to
eliminate/mitigate the risk and its consequences.

It is important to consider identifying all controls, both existing and new, before identifying which
controls are critical.

To determine and confirm if they are Critical Controls, all the controls reflected in the Bowtie Analysis
must be evaluated. The criteria for evaluating whether a control is critical or not will be determined
by the decision tree methodology.

The Bowtie Analysis should be carried out with support from specialists and it can be handled
according to each subsidiary or exploration team decision, aligned with the subsidiary’s manager in
charge of the Health and Safety department. If necessary, support from the corporate/region can be
requested. This support will be provided in alignment with company strategy.

The BTA results as well as the Critical Controls must be communicated to:

• the subsidiary’s manager in charge of the Health and Safety department;

• the subsidiary’s manager in charge of the department concerned by the activity;
• the subsidiary’s manager or Country Head;
• the Regional Director in charge of Health and Safety.

Fortuna Silver Mines Inc. Page 3 of 9

 Critical Risk Management Standard FSM-MSD-SUS-15-EN

4.3. Fatal Risk Control Protocols (FRCP)

Elaborated based on the BTA, a Fatal Risk Control Protocols (FRCP) is a Corporate document that
identifies the critical controls or defenses that are required to be implemented at operational level for
all the subsidiaries and operations. This constitutes the minimum critical controls to be implemented
everywhere in order to manage critical risks.

If the subsidiary considered that a critical control presented in the FRCP is not applicable, a formal
exception process must be carried out, signed off by the Country Head (or Head of exploration),
COO, and SVP Sustainability, with a specific risk assessment to ensure that the critical risk is still
mitigated adequately considering the other critical controls or defenses implemented.

If the FRCP are under revision, pending corporate validation, the subsidiaries and exploration teams
must carry on with the effectiveness monitoring of the critical controls that were raised through the
BTA or in alignment with corporate strategy.

4.4. Critical Control Check List (CCCL)

All the critical controls identified in the BTA at subsidiary and operations level, and those included in
the FRCP will be mentioned in a documented check list, called Critical Control Check List (CCCL). If
the subsidiaries have specific critical controls or defenses, according to their own BTA and
characteristics, these must be added to this CCCL.

At subsidiary level, a specific CCCL must be developed for each Critical Risk Identified.

The CCCL results and progress must be communicated every month to the regional manager in
charge of Health and Safety.

This CCCL is to be used to conduct inspections that will monitor the effectiveness of critical controls
in the field.

4.5. Audit, Inspection and Verification process

Each subsidiary and exploration team must have in place a Critical Control effectiveness process, in
order to ensure that the critical controls that were identified and required are implemented and
working on the field according to design and intent.

If a critical control is not in place, the activity must be stopped by anyone. The situation must
be reported and assessed. A managerial decision must be taken with a documented sign-off
regarding the way to continue the activity.

This process is organized in three level as follow:

a) FRCP Compliance Audit

Each subsidiary must have in place and execute a periodic and documented Audit Program that
considers all the aspects of the Fatal Risk Control Protocols (FRCP). The Audit Program must be
validated by Corporate.

These audits will provide a percentage of compliance to the FRCP and the gaps between the FRCP
and the reality on the field. All non-compliance must be recorded. Following the audit, an action plan
(corrective actions) must be elaborated and implemented to reach full compliance (100%) in the best
and more reasonable way possible.

The results of each audit and action plan must be presented to Corporate on the 15 days following
the audit execution.

Fortuna Silver Mines Inc. Page 4 of 9

 Critical Risk Management Standard FSM-MSD-SUS-15-EN

The results of the audits must be presented in the subsidiary monthly report according to the reporting
framework developed by Corporate.

Corporate will provide a form that will support the audit, the reporting framework, the action plan and
a system to record the information.

The responsible for this FRCP Compliance Audit process is the subsidiary’s manager in charge of
the Health and Safety department.

The person accountable for the level of compliance to the Fatal Risk Control Protocols (FRCP) is the
Country Head.

b) Critical Control Inspection

Each subsidiary must have in place and execute a periodic and documented Inspection Program
that considers all the aspects of the Critical Control Check List (CCCL).

The Inspection Program must be validated by the Regional Director in charge of Health and Safety.

These inspections will provide a percentage of compliance to the CCCL and the gaps between the
CCCL and the reality on the field. All non-compliance must be recorded. Following the inspection, an
action plan (corrective actions) must be elaborated and implemented to improve the level of
compliance.

The results of the inspections must be recorded into FSM HSEC Management System (Intelex) and
presented in the subsidiary monthly report according to the reporting framework developed by
Corporate.

The responsible for this Inspection Program is the subsidiary’s manager in charge of the Health and
Safety department.

c) Routine verification

The subsidiary shall implement a tool to be used during routine verification that must be executed by
all employee, based on the 4 Key Behavior mentioned below or other task risk assessment process.

4 Key Behavior:

 Recognize the Risk

 Stop and Assess
 Process, evaluate if the critical controls are in place, and also other controls that can be
important to continue with the task in a safe manner
 Report Unsafe Condition, if the critical controls are not in place and the task cannot be
executed with safety, do not execute or do not let other to execute – report to the supervisor

4.6. Communication and training

All Fortuna operations must ensure that all employees and contractors are aware of the critical risks
they face and are fully aware of critical controls. For that the subsidiary must communicate the critical
risks and critical controls such as by signaling risks where they apply, toolbox talks/meetings, safety
shares, onboarding training and awareness, etc.

A specific awareness and training program must be implemented according to the Health and Safety
Awareness and Training Standard.

Fortuna Silver Mines Inc. Page 5 of 9

 Critical Risk Management Standard FSM-MSD-SUS-15-EN

5. Roles and Responsibility

a) Country Head

• Ensure the CRM process implementation in all operations of the country

• Provide the necessary resources for the implementation of this process in the subsidiaries
and operations under his responsibility
• Provide the necessary resources to implement and maintain the FRCP critical controls and
defenses defined through the bow ties
• Ensure 100% of level of compliance of the FRCP Audits

b) Operational Manager

• Ensure the implementation of CRM as well as its continuous improvement. It shall all be
documented
• Ensure that appropriate and sufficient professionals are mobilized for all Bow Tie Analyses
• Formally validate the defenses and critical controls that were identified in all Bow Tie
Analyses, as well as ensure that the necessary revisions are made to keep the analyses
valid
• Ensure the necessary resources (financial, human and material) to provide effective
management of the Critical Risks, critical controls and defenses identified in the operational
areas – including making available adequate information, instruction and training for
employees and contractors, and ensuring the competence of the personnel involved
• Manage all the corrective actions raised through the critical control effectiveness process
and audits
• Ensure the implementation plan for the FRCP in the operations under their responsibility
• Ensure the implementation of the Critical Control Check List in the areas under their
responsibility

c) Area Manager

• Formally validate the controls and critical controls that were identified in all Bow Tie Analyses
• Appoint area representatives to participate in the Bow Tie multidisciplinary working groups
• Elaborate, together with representatives of the multidisciplinary team, an action plan to meet
the recommendations (improvements or new controls) originated in the Bow Ties and FRCP
– and monitor its implementation
• Keep the workforce trained in the critical risks and critical controls and aware of the
significance and prioritization in the operational activities
• Promote the workforce's awareness of the risks associated with their activities
• Ensure the existence of standards establishing the obligation to comply with the FRCP and
Critical Controls
• Define the person(s) responsible for conducting CCCL inspections/monitoring and
implement actions resulting from the three levels of the effectiveness verification process
• Bring the team together, to present and discuss the proposed techniques, establish the
operating rules, responsibilities and roles of each member, according to the CRM
• Responsible for planning and implement changes in the workplace and operational
processes necessary to be compliant with the CRM, Critical Controls and Defenses
• Ensure proper communication and signaling/signage in their area of responsibility according
to the CRM
• Evaluate, by sampling, the quality of the Critical Control Inspection and whether your team
is working on activities in accordance with all the planned controls
• Reinforce to the team members the attitude of not proceeding with the execution of a certain
activity if the critical control is not in place

d) Subsidiary’s manager in charge of the Health and Safety department

• Keep professionals trained and updated in all CRM process

Fortuna Silver Mines Inc. Page 6 of 9

 Critical Risk Management Standard FSM-MSD-SUS-15-EN

• Audit CRM compliance

• Conduct periodic inspections to evaluate the quality of the critical control effectiveness
monitoring
• Support area managers in the implementation CRM in the areas under their responsibility,
under the terms of this document
• Make available members of their team to guide and participate in risk assessments to ensure
the quality of the same with regards to HS requirements
• Design the plan for CRM implementation

e) Supervisor

• Ensure that all tasks performed in their area of responsibility are assessed according to CRM
• Ensure that critical control and defense measures are implemented to reduce the level of
risk
• Refuse or redefine the activity if it is deemed unacceptable (not compliant with critical control)
• Communicate the details of the Bow Tie Results and FRCP to the work team, allocating
individual responsibilities for work tasks and critical control measures
• Ensure that before work begins, all members of the work team agree to the key behavior
according with the critical controls
• Use the CCCL during their inspection of the area and use it as a way to communicate critical
risks and their controls
• Reinforce to team members the attitude of not proceeding with the execution of a certain
activity if the critical control is not in place
• Permanently reinforce to their team the Right of Refusal, i.e. the duty to work at an
acceptable level of risk, and how the worker should act when faced with an uncontrolled
hazard in their activity
• Ensure that the team under their responsibility that will perform a certain task is trained,
qualified and empowered with the specific Operating Procedures of the relevant areas,
complying with all the considerations contained therein
• Communicate to employees, through Toolbox and Safety Shares, HiPo events that occurred
at other sites or in external areas, which serve as learning to avoid the occurrence or
repetition of similar incidents

f) Regional Director in charge of Health and Safety

• Support the elaboration of the Fatal Risk Control Protocols (FRCP)

• Evaluate the situation when the Local HSE Directors inform conflicts between the FSM ERM
Risk Matrix and the local regulation
• Control that the standard is implemented as prescribed at subsidiary level
• Report the subsidiary level CRM performance to the Senior Vice-President of Sustainability

g) Senior Vice-President of Sustainability

• Keep this Standard updated

• Validate the FRCP and maintain them updated according to the BTAs raised from the
subsidiaries according to the concept of High Leadership Validation
• Define corporate KPI’s and also timing for Critical Controls implementation
• Facilitate Software tools for critical control inspections
• Report the performance of this program to HSSEC Corporate Committee and the
Sustainability Committee

6. Reference material

● FSMCS-2022-03 Health and Safety Employees Awareness and Training Standard

● Fortuna Enterprise Risk Management (ERM) Risk Matrix
● ICMM Health and safety critical control management, Good practice guide

Fortuna Silver Mines Inc. Page 7 of 9

 Critical Risk Management Standard FSM-MSD-SUS-15-EN

● ICMM Critical Control Management, Implementation Guide

7. Related documents

● Critical Control Verification Form

● Critical Control Audit Form

8. Change control

Version Date Modified by Reason for change

1.0 30/06/2022 Edson Covic New standard

Fortuna Silver Mines Inc. Page 8 of 9

 Critical Risk Management Standard FSM-MSD-SUS-15-EN

Annex Critical Controls Decision Tree

Fortuna Silver Mines Inc. Page 9 of 9