Risk Management

MMG STANDARD

Purpose
Defines the requirements for the identification, reporting, analysis and control of risks and significant
events at MMG Limited and its subsidiaries (MMG).

Scope
This standard applies to all MMG People and all business activities controlled by MMG.

Owner
General Counsel

__________________________________________________________________________________________
Document Number: 229874 Release: 11
Document Owner: HEAD OFFICE General Counsel Released: 30 Jul 2020
Area: Business Management and Compliance > Hazard - Risk Management Page 1 of 8
CONTROLLED DOCUMENT: Printed copies must be checked for release currency prior to use.
Risk Management Standard
1. Management of Risk
An annual systematic method to identify and manage Level 6 Material Risks that can impact the achievement of
MMG’s Strategy and business plans.

1.1 Identify Level 6 Material Risks as risks where the Maximum Foreseeable Loss (MFL) has a Level 6 impact or
the Risk Level (RL) is Very High for each site, development project and function, as defined in Appendix A, and:

• Assign a Risk Owner for each Level 6 Material Risk;
• Update each Level 6 Material Risk in Governance and Risk Compliance (GRC) at least annually or when there are known changes to the Level 6 Material Risk profile;
• Authorise each Level 6 Material Risk as defined in Appendix B.

1.2 Develop, implement and maintain a site-specific procedure for managing non-Level 6 Material Risks.

1.3 Analyse each Level 6 Material Risk using the Bow-Tie Template to determine:

• The context and assumptions of the risk (the event);
• How the risk may occur (causes);
• The potential consequences if the event did occur (impacts); and
• How the risk likelihood is reduced with existing preventative critical controls and consequence reduced through the application of mitigating controls,
and store in the MMG Library and add a link to the bow-tie in GRC.

1.4 Develop and document the Critical Controls for each Level 6 Material Risk, using the Critical Control Design
(CCD) Template, and include:

• The control name and control objective, including insurance if a mitigating control;
• The key design elements of the control;
• The activities associated with the execution of the control (Critical Control Execution (CCE)); and
• The tasks and evidence required to verify the controls are being executed as planned (Critical Control Verification (CCV)),
and store in the MMG Library and add a link to the CCD in GRC.

1.5 Conduct a Control Self-Assessment (CSA), through the Control Owner, to rate the control’s effectiveness as
defined in Appendix A.4, and record the outcome in GRC at least annually.

1.6 Evaluate each Level 6 Material Risk at least annually, through the Risk Owner, to determine their overall Risk
Control Effectiveness (RCE) as defined in A.5, and record the outcome in GRC.

2. Significant Events Reporting and Investigation


Significant Events are reported, investigated and actions taken to prevent recurrence.

2.1 Develop, implement and maintain a site-specific Significant Event Investigation Procedure that ensures control
failures are identified, reported and addressed.

2.2 Conduct and complete an investigation of all Significant Events and ensure learnings are shared with all of
MMG.
2.3 Record and report all Significant Events using Incident and Event Management (IEM), within 48 hours of the
event occurring.

2.4 Report all incidents with the potential to cause a loss equivalent to a Level 6 Material Risk consequence, to the
Head of Assurance, Risk and Audit, within seven days of the event.

Appendix A: Risk Rating Tables
A.1 Consequence Criteria
Maximum Foreseeable Loss (MFL) is the total plausible maximum impact on MMG considering the consequences that could arise if all existing controls were ineffective or missing.

Consequence level rating should be chosen based on the expected or most likely impact on MMG taking into account current mitigating controls and their effectiveness.

Rating 6
Direct and/or Consequential Financial Loss (USD millions): >100
Planned production throughput (Days): >28
Fraud or theft (USD millions): >10
Safety and People:
• >2 Fatalities
• International NGO or National Government intervention in response to multiple community fatalities resulting from mining related activities or disputes
Environment:
• Regional, offsite environmental impact requiring long-term recovery (years) with irreversible residual damage
• Species extinction or permanent impairment of ecosystem function or biodiversity value within site
• Irreversible loss/damage to site or item of significant cultural heritage value
Legal Compliance:
• Regulatory or operating licence non-compliance, or any incident or circumstance with a probable fine of > USD 30 million
• Civil claim with damages of >100 million
• Imprisonment of company executive
• Failure to deliver on community agreements or accords with maximum potential compensation cost of > USD 30 million

Rating 5
Direct and/or Consequential Financial Loss (USD millions): >50 – 100
Planned production throughput (Days): >14 - 28
Fraud or theft (USD millions): >5 - 10
Safety and People:
• 1 – 2 Fatalities
• 1 or more Community Fatalities resulting from mining related activities or disputes
Environment:
• Prolonged or severe, offsite environmental impact requiring long-term clean-up (years)
• Extensive unconfined, on lease impact requiring long-term clean-up (months-years) leaving residual damage
• Change to ecosystem function or biodiversity value within site
• Irreversible damage to site or item of significant cultural heritage value
Legal Compliance:
• Regulatory or operating licence non-compliance, or any incident or circumstance with a probable fine of USD 15-30 million or potential trigger for loss of licence.
• Civil claim with damages of more than USD 50-100 million
• Failure to deliver on community agreements or accords with maximum potential compensation cost of USD 15-30 million

Rating 4
Direct and/or Consequential Financial Loss (USD millions): >10 – 50
Planned production throughput (Days): >7 - 14
Fraud or theft (USD millions): >3 – 5
Safety and People:
• Permanent disabling injury or illness
• Multiple Lost Time Injuries
• Multiple Community Medical Treatment Injuries resulting from mining related activities or disputes
Environment:
• Major, offsite, environmental impact requiring medium-term clean-up (months).
• Onsite confined impact requiring significant clean-up effort (years)
• Temporary impairment of an ecosystem function or any kill/loss of a listed or protected species
• Repairable damage to site or item of significant cultural heritage value
Legal Compliance:
• Regulatory or operating licence non-compliance with a maximum potential fine of USD 10-<15 million
• Failure to deliver on community agreements or accords with maximum potential compensation cost of USD 10-<15 million

Rating 3
Direct and/or Consequential Financial Loss (USD millions): >5 – 10
Planned production throughput (Days): >3 - 7
Fraud or theft (USD millions): >1 – 3
Safety and People:
• Single Lost Time Injury / Illness
• Reversible disability / disabling illness(es)
• Single Community Medical Treatment Injury resulting from mining related activities or disputes
Environment:
• Reversible offsite environmental impact, requiring short-term clean-up (weeks)
• Onsite, confined, reversible environmental impact, requiring medium term (weeks-months) clean-up
Legal Compliance:
• Regulatory or operating licence non-compliance with a maximum potential fine of USD 5 - <10 million
• Failure to deliver on community agreements or accords with maximum potential compensation cost of USD 5-<10 million

Rating 2
Direct and/or Consequential Financial Loss (USD millions): 1-5
Planned production throughput (Days): 1-3
Fraud or theft (USD millions): 0.5 - 1
Safety and People:
• Medical Treatment Injury / Illness(es)
• Restricted Work Injury(ies)
Environment:
• Low, confined, reversible environmental impact
• Short term (less than a week) clean-up
Legal Compliance:
• Regulatory or operating licence non-compliance with a maximum potential fine of less than USD 5 million
• Failure to deliver on community agreements or accords with maximum potential compensation cost of < USD 5 million

Rating 1
Direct and/or Consequential Financial Loss (USD millions): <1
Planned production throughput (Days): <1
Fraud or theft (USD millions): < 0.5
Safety and People:
• First aid treatment within operations
Environment:
• Very low, reversible environmental impact confined to a small area
• Prompt (within a shift) clean-up
Legal Compliance:
• Breach of site standard or direction.
• Breach of community agreement or accord

1. “Significant events” are shaded.
2. The materiality thresholds set out in the above table are for the purposes of assessment pursuant to the Risk Management Standard only and do not imply that the events described necessarily have a material impact on the price of the securities
of the Company.
3. Financial Loss: Permanent loss of money (profit and/or cash flow) or unplanned decrease in financial carrying value.

A.2 Likelihood Criteria

Use this table to determine the likelihood of the event occurring resulting in the severity which is being used in the
calculation of Risk Level, taking into account current preventative controls and their effectiveness.

Each likelihood is listed with its Likelihood Category, followed by the criteria for the two contexts:
Business: Based on MMG and industry experience and expected conditions, the risk event
Projects: Based on MMG and industry experience and expected conditions, with similar studies or projects, the risk event

Almost Certain (Likelihood Category F)
Business: Could be incurred more than once in a year
Projects: Could be expected to occur more than once during the study or project delivery

Likely (Likelihood Category E)
Business: Could be incurred over a 1 – 2 year period
Projects: Could easily be incurred and has generally occurred in similar studies or projects

Possible (Likelihood Category D)
Business: Could be incurred within a 5 year period
Projects: Has been incurred in a minority of similar studies or projects

Unlikely (Likelihood Category C)
Business: Could be incurred within a 5 – 20 year period
Projects: Has been known to happen, but only rarely

Rare (Likelihood Category B)
Business: Could be incurred within a 20 – 50 year period
Projects: Has not occurred in similar studies or projects but could

Very Rare (Likelihood Category A)
Business: Could be incurred in a period > 50 years
Projects: Conceivable, but only in extreme circumstances

A.3 Risk Level

Rows: Likelihood Rating. Columns: Consequence Criteria Rating.

     1        2        3        4          5          6
F    Medium   Medium   High     Very High  Very High  Very High
E    Low      Medium   High     High       Very High  Very High
D    Low      Medium   Medium   High       High       Very High
C    Low      Low      Medium   Medium     High       High
B    Low      Low      Low      Medium     Medium     High
A    Low      Low      Low      Low        Medium     Medium

A.4 Control Effectiveness

Each Critical Control must be assessed against its Critical Control Design to determine effectiveness using the Table
below. The Control Self-Assessment considers adequacy of Control Design standards, data from Control Execution
and Control verification activities and control failures.

Control Self-Assessment Rating and Control Effectiveness Guide:

Effective: Control Design requirements are being met and have been assessed as adequate, effectively operated and require no further improvement. There has been no evidence of control failure.

Partially Effective: Control Design requirements are largely being met however there have been instances of isolated control failure and/or areas for improvement have been identified.

Not Effective: There are systemic issues with the Control Design requirements and/or repeatable execution of the control. Improvements are required to enable the control to operate in a consistent, sustainable way.

A.5 Overall Risk Evaluation (Risk Control Effectiveness)

Each Material Risk must be evaluated to determine the overall effectiveness of the control environment. The Overall
Risk Evaluation (Risk Control Effectiveness) must consider the Control Self-Assessment ratings of each of the Critical
Controls, control failures, significant incidents, near misses, Internal Audit findings and other applicable learnings from
across the organization or external industry experience.

Overall Risk Control Effectiveness Rating and Control Effectiveness Guide:

Fully effective: Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, address the root causes and Management believes that they are effective and reliable at all times.

Substantially effective: Most controls are designed correctly and are in place and effective. Some more work to be done to improve operating effectiveness or Management has doubts about operational effectiveness and reliability.

Partially effective: While the design of controls may be largely correct in that they treat most of the root causes of the risk, they are not consistently executed.
or
Some of the controls do not seem correctly designed in that they do not treat root causes, those that are correctly designed are operating effectively.

Largely ineffective: Significant control gaps. Either controls do not treat root cause/s or they do not operate at all effectively.

None or totally ineffective: Virtually no credible control. Management has no confidence that any degree of control is being achieved due to poor control design and/or very limited operational effectiveness.

Appendix B: Authorities

Approve
Endorse
(Owner)

List and framing of Site, Project or Function Level 6 Material Risk

General Manager – Operations and Technical Excellence (for operational risks) ✓

Accountable Level 4 Manager (or Level 3 Head of Function where Level 4 does not exist) ✓

Appendix C: Glossary

Term Definition

Control Owner: Control Owner of a critical control at a region, site, project or function. Control Owner is minimum Level 2 organisational level.

Control Self-Assessment (CSA): An assessment of the effectiveness of the Control considering control failures, design and operational effectiveness.

Critical Control Design (CCD): A document which outlines the performance expectations for a critical control. This includes design basis, execution and verification tasks, and information to be considered when rating the control effectiveness through Control Self-Assessment questions. Each critical control must have a Critical Control Design.

Critical Control Execution (CCE): Execution strategy that is developed and documented by the Control Owner as part of the design of the Critical Control and recorded in the Critical Control Design.

Critical Control Verification (CCV): Critical Control Verifications are designed and implemented by the Control Owner as part of the design of the critical control and recorded in the Critical Control Design ensuring they are executed as designed.

Governance Risk Compliance (GRC): Risk Management module in SAP.

Level 6 Material Risk: Risks having:
• Potential Exposure/Maximum Foreseeable Loss (MFL) is Level 6 on MMG’s Consequence Criteria; or
• Risk Level of Very High.
Level 6 Material Risks are described in terms of events, and they have the potential to impact the delivery of MMG’s strategy and business plans.

Non-Level 6 Material Risk: Risks having:
• Potential Exposure/Maximum Foreseeable Loss (MFL) is ≤ Level 5 on MMG’s Consequence Criteria.
Non-Level 6 Material risks are described in terms of events.

Risk Control Effectiveness (RCE): Overall Risk Control Effectiveness is an assessment performed by the Risk Owner as to the overall level of understanding of the risk and the current effectiveness of the control environment. The rating considers effectiveness of each critical control as determined through CSAs, incidents and near misses, audit and assurance findings and any other relevant information.

Risk Level: The residual level of risk considering the impact of mitigating and preventative controls. Risk Level is determined by considering consequence x likelihood and rated as per the Risk Level Table as outlined in the Risk Management Procedure.

Risk Owner: Risk Owner is accountable for a material risk at a region, site, project or function. Risk Owner is minimum Level 3 organisational level.

Significant Event: Any event that resulted in, or had the potential to result in, consequences which are equal to or greater than Level 4 in MMG’s Consequence Criteria.

Three Lines of Defence: The three lines of defence is an approach that provides three levels of assurance across the organisation. Line management assures their own structure, systems, processes and capable people (first line of defence). The second line provides management with assurance based on their functional expertise across MMG wide processes and cannot be performed by people executing delivery of the first line. The third line, consisting of internal audit, provides independent assurance to Senior Management and the Audit and Risk Management Committee.
