MMG STANDARD
Purpose
Defines the requirements for the identification, reporting, analysis and control of risks and significant
events at MMG Limited and its subsidiaries (MMG).
Scope
This standard applies to all MMG People and all business activities controlled by MMG.
Owner
General Counsel
__________________________________________________________________________________________
Document Number: 229874 Release: 11
Document Owner: HEAD OFFICE General Counsel Released: 30 Jul 2020
Area: Business Management and Compliance > Hazard - Risk Management Page 1 of 8
CONTROLLED DOCUMENT: Printed copies must be checked for release currency prior to use.
Risk Management Standard
1. Management of Risk
An annual systematic method to identify and manage Level 6 Material Risks that can impact the achievement of
MMG’s Strategy and business plans.
1.1 Identify Level 6 Material Risks as risks where the Maximum Foreseeable Loss (MFL) has a Level 6 impact or
the Risk Level (RL) is Very High for each site, development project and function, as defined in Appendix A, and:
1.2 Develop, implement and maintain a site-specific procedure for managing non-Level 6 Material Risks.
1.3 Analyse each Level 6 Material Risk using the Bow-Tie Template to determine:
1.4 Develop and document the Critical Controls for each Level 6 Material Risk, using the Critical Control Design
(CCD) Template, and include:
The control name and control objective, including insurance if a mitigating control;
The key design elements of the control;
The activities associated with the execution of the control (Critical Control Execution (CCE)); and
The tasks and evidence required to verify the controls are being executed as planned (Critical Control
Verification (CCV)),
and store in the MMG Library and add a link to the CCD in GRC.
1.5 Conduct a Control Self-Assessment (CSA), through the Control Owner, to rate the control’s effectiveness as
defined in Appendix A.4, and record the outcome in GRC at least annually.
1.6 Evaluate each Level 6 Material Risk at least annually, through the Risk Owner, to determine its overall Risk
Control Effectiveness (RCE) as defined in A.5, and record the outcome in GRC.
2.1 Develop, implement and maintain a site-specific Significant Event Investigation Procedure that ensures control
failures are identified, reported and addressed.
2.2 Conduct and complete an investigation of all Significant Events and ensure learnings are shared with all of
MMG.
2.3 Record and report all Significant Events using Incident and Event Management (IEM), within 48 hours of the
event occurring.
2.4 Report all incidents with the potential to cause a loss equivalent to a Level 6 Material Risk consequence, to the
Head of Assurance, Risk and Audit, within seven days of the event.
Appendix A: Risk Rating Tables
A.1 Consequence Criteria
Maximum Foreseeable Loss (MFL) is the total plausible maximum impact on MMG considering the consequences that could arise if all existing controls were ineffective or missing.
The Consequence level rating should be chosen based on the expected or most likely impact on MMG, taking into account current mitigating controls and their effectiveness.
A.2 Likelihood Criteria
Use this table to determine the likelihood of the event occurring with the severity used in the calculation of the
Risk Level, taking into account current preventative controls and their effectiveness.
Likelihood | Business | Projects | Rating
Unlikely | Could be incurred within a 5 – 20 year period | Has been known to happen, but only rarely | C
Very Rare | Could be incurred in a period > 50 years | Conceivable, but only in extreme circumstances | A
A.4 Control Effectiveness
Each Critical Control must be assessed against its Critical Control Design to determine effectiveness using the Table
below. The Control Self-Assessment considers adequacy of Control Design standards, data from Control Execution
and Control verification activities and control failures.
Rating | Description
Effective | Control Design requirements are being met and have been assessed as adequate, effectively operated and require no further improvement. There has been no evidence of control failure.
Partially Effective | Control Design requirements are largely being met; however, there have been instances of isolated control failure and/or areas for improvement have been identified.
Not Effective | There are systemic issues with the Control Design requirements and/or repeatable execution of the control. Improvements are required to enable the control to operate in a consistent, sustainable way.
Each Material Risk must be evaluated to determine the overall effectiveness of the control environment. The Overall
Risk Evaluation (Risk Control Effectiveness) must consider the Control Self-Assessment ratings of each of the Critical
Controls, control failures, significant incidents, near misses, Internal Audit findings and other applicable learnings from
across the organization or external industry experience.
Rating | Description
Fully effective | Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, address the root causes and Management believes that they are effective and reliable at all times.
Substantially effective | Most controls are designed correctly and are in place and effective. Some more work to be done to improve operating effectiveness, or Management has doubts about operational effectiveness and reliability.
Partially effective | While the design of controls may be largely correct in that they treat most of the root causes of the risk, they are not consistently executed; or some of the controls do not seem correctly designed in that they do not treat root causes, while those that are correctly designed are operating effectively.
Largely ineffective | Significant control gaps. Either controls do not treat root cause/s or they do not operate at all effectively.
None or totally ineffective | Virtually no credible control. Management has no confidence that any degree of control is being achieved due to poor control design and/or very limited operational effectiveness.
Appendix B: Authorities
Approve
Endorse
(Owner)
Accountable | Level 4 Manager (or Level 3 Head of Function where Level 4 does not exist)
Appendix C: Glossary
Term | Definition
Control Owner | Owner of a critical control at a region, site, project or function. The Control Owner is at minimum Level 2 organisational level.
Control Self-Assessment (CSA) | An assessment of the effectiveness of the Control considering control failures, design and operational effectiveness.
Critical Control Design (CCD) | A document which outlines the performance expectations for a critical control. This includes design basis, execution and verification tasks, and information to be considered when rating the control effectiveness through Control Self-Assessment questions. Each critical control must have a Critical Control Design.
Critical Control Execution (CCE) | Execution strategy that is developed and documented by the Control Owner as part of the design of the Critical Control and recorded in the Critical Control Design.
Critical Control Verification (CCV) | Critical Control Verifications are designed and implemented by the Control Owner as part of the design of the critical control and recorded in the Critical Control Design, ensuring controls are executed as designed.
Governance Risk Compliance (GRC) | Risk Management module in SAP.
Level 6 Material Risk | Risks having: Potential Exposure/Maximum Foreseeable Loss (MFL) of Level 6 on MMG’s Consequence Criteria; or a Risk Level of Very High. Level 6 Material Risks are described in terms of events, and they have the potential to impact the delivery of MMG’s strategy and business plans.
Non-Level 6 Material Risk | Risks having: Potential Exposure/Maximum Foreseeable Loss (MFL) of ≤ Level 5 on MMG’s Consequence Criteria. Non-Level 6 Material Risks are described in terms of events.
Risk Control Effectiveness (RCE) | Overall Risk Control Effectiveness is an assessment performed by the Risk Owner as to the overall level of understanding of the risk and the current effectiveness of the control environment. The rating considers the effectiveness of each critical control as determined through CSAs, incidents and near misses, audit and assurance findings and any other relevant information.
Risk Level | The residual level of risk considering the impact of mitigating and preventative controls. Risk Level is determined by considering consequence x likelihood and rated as per the Risk Level Table as outlined in the Risk Management Procedure.
Risk Owner | The Risk Owner is accountable for a material risk at a region, site, project or function. The Risk Owner is at minimum Level 3 organisational level.
Significant Event | Any event that resulted in, or had the potential to result in, consequences which are equal to or greater than Level 4 in MMG’s Consequence Criteria.
Three Lines of Defence | The three lines of defence is an approach that provides three levels of assurance across the organisation. Line management assures their own structure, systems, processes and capable people (first line of defence). The second line provides management with assurance based on their functional expertise across MMG-wide processes and cannot be performed by people executing delivery of the first line. The third line, consisting of internal audit, provides independent assurance to Senior Management and the Audit and Risk Management Committee.