RISK

Risk Context: Business operations related to production functions Risk type

RANKING
Date: 28112014 Safety

Risk events associated with Mining - night haulage Environment Almost certain

LIKELIHOOD
Health Likely

Community Possible
Financial Unlikely

Admin Rare
All
Risk Identification & Control Strategy Type and Accountability
Accountable for
KRA Risk Event Cause Preventative Controls Impact Mitigating Controls Risk Type
current controls

Potential outcome as a result of Existing controls relevant to the recognised Safety, Env, Organisational position
Source of risk Loss of control Potential causes of control loss Existing controls relevant to the recognised cause
the loss of control impact Business or All accountable for control

Damage to plant & HSE-PLN-002 Emergency Response

Uncontrolled movement Brake hose failure
Failure to apply park brake
Ground conditions - uneven, soft,
Mobile plant - Haul trucks
not stable
MS-PRO-007 Loading Mobile Equipment Procedure Financial AM Mining
equipment Plan
HSE-PLN-006 Medical Services
MS-PRO-002 Digging/Loading Materials Procedure Injury
Management Plan
Service truck operation Management
HSE-PRO-003.03 Job Hazard Analysis (Risk Ranked)
SOP
MNT-STD-010 PM Maintenance Tasks OEM supply agreements
MS-PRO-017 Loading Trucks Procedure Seat belts fitted
MS-PRO-004 Dumping Loads Procedure

Collision with Mobile

MS-PRO-008 Mining, Pit Conditions and Haul Road Traffic Damage to plant & HSE-PLN-002 Emergency Response
Equipment/LV, fixed structure Component failure All AM Mining
Procedure equipment Plan
or people

Injury - cuts, contusions, HSE-PLN-006 Medical Services

Unauthorised operators TRG-PKG-001 General Induction
broken bones Management Plan

Failure to follow procedures MS-PRO-010 Safe Travelling and Hauling Procedure Rollover - Fatality Seat belts fitted

Environmental conditions - slippery

Pre-start Loss of production OEM design
road, raining

Less than adequate road design and Ballast tank rupture - WCP
Mobile plant - Haul trucks MS-PRO-012 Windrow Construction Procedure
construct - Load shift rollover

Cognitive impairment - fatigue, drugs

HSE-STD-006 Fitness for Work s4.2
or alcohol

Road maintenance MS-PRO-017 Loading Trucks Procedure

Human factors - Lack of positive

HSE-PRO-020 Communication
communication
Less than adequate segregation of
Advanced driver training
mobile plant
Poor visibility MS-PRO-004 Dumping Loads Procedure
Interaction at public road crossing MNT-STD-010 PM Maintenance Tasks

Bogging vehicles Poor equipment selection MS-PRO-010 Safe Travelling and Hauling Procedure Loss of production Financial AM Mining

Mobile plant - Haul trucks

 Damage to plant &
Less than competent persons Competent personnel
equipment
Mobile plant - Haul trucks Failure to identify hazards Advanced driver training
Failure to follow procedures TRG-PKG-001 General Induction
Environmental conditions - slippery
road, raining
HSE-PLN-002 Emergency Response
Tyre blow out/Stud sheer Poor road design / maintenance MS-PRO-016 Grader Operation Procedure Loss of production Safety AM Mining
Plan
Damage to plant & HSE-PLN-006 Medical Services
Load shift HSE-PRO-021 Loading and unloading of materials at site
equipment Management Plan
Mobile plant - Haul trucks
Incorrect tyre inflation HSE-PRO-021.01 Load Assessment template Roll over - Fatality OEM supply agreements
Injury - cuts, contusions,
Less than adequate tyres used MNT-STD-010 PM Maintenance Tasks
broken bones
Overheating Pre-start - inspection
Damage to plant & HSE-PLN-002 Emergency Response
Ignition/combustion Smoking No smoking policy - TRG-PKG-001 General Induction Financial AM Mining
equipment Plan
HSE-PLN-006 Medical Services
Mobile plant - Haul trucks Electrical defect Flame arrestor Loss of production
Management Plan
Hydraulic hose burst Pre-start Injury Fire hoses/extinguishers
 CONSEQUENCE

Low Minor Moderate Major Critical

H11 H16 E20 E23 E25

M7 H12 H17 E21 E24

L4 M8 H13 E18 E22

L2 L5 M9 H14 E19

L1 L3 M6 M10 H15

Risk Evaluation Action Register

Current Risk Further Actions Accountable for
Like. Cons.
Rating Required Control Action

Over what Maximum With controls in Organisational position

Description
time foreseeable place accountable for action

Unlikely Moderate M9

Erect speed humps at

Likely Major E21 Haul road/Diogo-
Lampor intersection

Install two-way radios in

all haul trucks

Excavate rise on
Lampor side of haul
road to improve
visibility

Install rear lighting on

all mobile equipment

Consider installing
traffic lights at Diogo-
Lampor intersection

Employ 24hr guardians

for Diogo-Lampor
crossing

Issue appropriate Hi-

Vis vests and light
sabres for night duty
personnel

Rare Minor L3
 Rare Major M10

Possible Major E18

 Guidance to CSA Tool

CSA Template
Guidance in responding to the evaluation questions:
Risk Control Analysis

1. Has the risk assessment process considered causes, impacts, preventative and mitigating controls?
Prior to analysing the effectiveness of individual controls, it is essential that there is confidence that the risk issue is sufficiently understood so that there is
confidence that the "right" controls are in place. The CSA process encourages appropriate understanding of targeted controls - those which are providing the main
prevention/mitigation to those causes or impacts which are key to the risk issue. To do this, an appropriate risk assessment methodology should be employed
when analysing a risk to ensure that risk issues are identified, analysed and ranked in a consistent and appropriate manner. The risk assessment process should
ensure that all causes which may result in the event occurring and the impacts that may arise from that event are sufficiently understood. The preventative
controls (controls which reduce the likelihood of the event occurring) that are in place, as well as the mitigating controls (controls which reduce the impact of the
event), should also be identified and understood.
The method used to obtain this understanding will vary depending on the risk issue and may range from a facilitated risk assessment workshop to a desktop
review. Generally speaking, a workshop will facilitate exploration of the risk issue and allow the abovementioned elements to be discussed and a greater
understanding captured. In instances where the risk issue is in the process of being explored -for example: where a detailed independent review of impacts which
may arise from the risk issue materialising is still being finalised - a detailed understanding cannot be claimed.

2. Were all relevant personnel engaged in the risk assessment process?

Risk assessments should involve people with relevant knowledge and experience, and include managers, functional and technical experts and other stakeholders
as appropriate. Considering the risk from a variety of disciplines and experiences provides greater confidence that the assessment represents a holistic view of
the potential causes, impacts and controls. Where a risk has been profiled in isolation of key stakeholders, assurance that all causes, impacts and controls were
identified cannot be given. For instance, greater understanding of the control environment may be gained from including Control Operators and not just Control
Owners in the risk profiling process as it Operators who are often closer to the operation of the control.

3. Have all causes been linked to preventative controls?

The Risk Owner should ensure that each Cause has been linked to a Preventative Control. Where a Cause cannot be linked to a Control, the Risk Owner should
endeavour to further explore their understanding of the preventative controls which are relied upon to prevent the cause from producing an unwanted event. The
risk profiling process may identify controls that are required to be established and whilst the assessment presents an opportunity to identify controls which are
required to be established or refer to controls which are currently being improved, they are not controls which can be relied on to prevent the event from
eventuating at this present point in time. The control self assessment refers to controls which are in place and not those that are aspirational. Where most Causes
cannot be linked to preventative controls in place, there is a significant increase in the likelihood that an unwanted event may occur and immediate action should
be taken. The purpose of the CSA tool is to ensure that the risk is well controlled, hence if a control gap is detected, the CSA rating for that risk issue will be
reduced - a control gap.

4. Have all impacts been linked to possible mitigating controls?

Mitigating controls are aimed at reducing the impact of the event should it occur. In some instances, mitigating controls, such as insurance, may significantly
reduce the impact of the risk. However, the level of mitigation will be variable depending on the nature of the event and the impact. The greater the reliance on
the mitigation control, the more important the design and operating effectiveness of that control. For example, some mitigating controls may only guard against
10% of the impact whereas in rare circumstances, the control may mitigate the entire impact, such as maybe in the case with insurance. It should be
acknowledged that not all impacts are capable of being mitigated and therefore responses to this questions should be cognisant as to whether mitigation is
possible or not. Focus should be placed on preventing an unwanted event from occurring, rather than solely mitigating the impacts once the event has occurred.
In some instances however, some causes of an event may not be able to be controlled (for example an earthquake), hence focus should then be on reducing the
impact should the event occur.

August 2007 5 of 8 BHP Billiton CSA Tool

 Guidance to CSA Tool

Design Effectiveness

1 Is the control design appropriate given potential consequences?

In order to assess whether control design is appropriate, the Control Owner should consider the design type of the control given the potential severity of the event,
whether the control is utilising known and proven technology/methods and the cost effectiveness of the control versus other control options. To determine if design
selection provides adequate control reliability, the Control Matrix should be referred to. This tool conceptually outlines the relative reliability between People,
Systems and Engineering-based controls. The type of control selected will afford a potentially different level of control reliability and therefore confidence. This
analysis should be coupled with an analysis of cost effectiveness of potential controls as well as the experience and expertise engaged in those involved in its
design. This question asks the Control Owner to consider the robustness of the control design given known constraints.

2 Is there an accountable owner for the control?

The Control Owner should consider whether there is clarity of the accountability for the control. The Control Owner should consider the nature and quality of
documentation and other evidence that is in place which is aimed at ensuring that ownership of controls is clear and sustainable ie. whether ownership of the
control is clearly stated in a position description and whether review of the management of the control forms part of the Control Owner's performance review.
Where ownership and responsibility for the controls is not clearly understood and communicated or ownership of the control is inferred, the control is at risk of
being overlooked, becoming inoperable or inactive. Where an accountable owner cannot be identified, immediate action should be taken to clarify single point
responsibility for the operation of the control.

3 Are the control's objective, process and limits documented?

Documentation of the design of the control provides the foundation for appropriate communication concerning responsibilities for performing the control and
ensures that the control is not reliant on an individual increasing the sustainability of the control over time. Comprehensive documentation of the control should
include an understanding of what the control is attempting to achieve, any relevant limits, process steps as well as monitoring and review processes. The
documentation of the control should form part of the entity's management system which is accessible to all and be integrated with other relevant documents.
Formal periodic review of the document should be performed and material changes to the control environment reflected in the document on a timely basis.

4 Is there a management process to track and measure control performance?

Where the design of a control includes processes to ensure the control is operating effectively and there is appropriate management follow up of non-performance,
there can be greater certainty that the control is operating as intended. Monitoring processes to detect non-performance of the control should be built into an
effective control environment with formal and regularity of review more highly regarded. Performance measures for the control should be established and
operation of the control may be monitored through reporting of exception outcomes, review of control documentation or other review activity. The control owner
must assess the extent to which operation of the control is reinforced through monitoring procedures and active follow-up.

August 2007 6 of 8 BHP Billiton CSA Tool

 Guidance to CSA Tool
Operating Effectiveness

1 Are the control & its objective understood by the Control Owner and operator(s)?
It is imperative that those executing a control understand what the control is attempting to achieve. Where the purpose and operation of the control is not
understood, there is less likelihood that the control will be effective. Where the Control Owner is responsible for executing the control, the Control Owner should
assess their own level of knowledge regarding the purpose and operation of the control. Where others execute the control activity under the Control Owner’s
supervision, the Control Owner should assess their level of knowledge regarding the purpose and operation of the control.

2 Is the control operated as designed?

Whilst the design of the control environment may be effective, the control may not be operated as intended or designed. This may occur for a number of reasons
such as where there is no accountability for the control, the control is not adequately documented or where there is no tracking of the performance of the control
with appropriate follow up. When the control is being operated other than designed, either the design is incorrect or the implementation of the control has been
less than optimal. Monitoring compliance of operation compared with design will identify either of these issues so that the cause can be identified and remedied.

3 Has the control failed since the last CSA?

A control failure results in greater exposure to the risk. Control failure may result from either poor design or inadequate execution of the control. The nature of
the failure of the control should be understood by the Control Owner in order to determine whether the failure arose from an isolated incidence or whether the
failure was systemic in nature. Where the failure was determined to be systemic in nature, this may suggest that the control environment is inadequate and should
be addressed. Isolated failures may be tolerated from a cost effectiveness perspective. Procedures that provide evidence that such controls are in fact "in
service" provide a valuable design feature. Where detection of failure of the control is not possible, the intent of the control may be compromised.

4 Are Control Owners/Operators competent to operate the control?

The operating effectiveness of a control is largely dependent on whether the person performing or maintaining the control possesses the necessary knowledge,
skills and experience. Lack of adequate training and supervision may compromise the knowledge and capability necessary to achieve adequate operating
effectiveness of the control. This evaluation attribute requires the Control Owner to consider matters such as the experience, training and supervision of the
person responsible for operating the controls, relative to the complexity of the control. Where the Control Owner is directly responsible for execution or
maintenance of the control, the Control Owner should make the assessment of themselves. Where the control activity is executed by others under the Control
Owner’s supervision, the Control Owner should assess their level of training and supervision. A formal process should also be maintained to assess the Control
Operator's competence which may vary from regular testing to annual performance reviews. Formal review processes will ensure that the Operator maintains their
competence.

5 Is there an independent assurance process for this control?

An independent assurance process provides an independent assessment that the control is being operated as designed. The assurance provider must be
independent to the Control Owner and Operator but need not be independent of the asset. The assurance process will not provide an assessment of design
adequacy - that is the role of management. Management should source functional expertise to assist in review design adequacy.

August 2007 7 of 8 BHP Billiton CSA Tool

 Control Self Assessment - Calculation Overview
Causes Preventative Controls Mitigating Controls Impacts
Cause 1
Control 1
Owner: Control 2
Owner:
Impacts

Risk Control Analysis

Risk Issue
Cause 2 Control 2 Impacts:
CSG/Asset/GSF: Control 5 Control 6
Owner: Date:
Owner: Owner:
Risk Issue Description:
Strategic Driver:
Control 3
Participants:
Control 4 Owner:
Cause 3 Owner:
Risk Control
Analysis

Risk Control Analysis Question Score

Ranking 2 1 0 NA
1 Has the risk assessment considered causes, impacts, preventative & mitigating controls? 4 1 2 3 -
2 Were all relevant personnel engaged in the risk assessment? 1 1 2 3 -
3 Have all causes been linked to preventative controls? 2 1 2 3 4
4 Are mitigating controls in place with respect to all impacts? 1 1 2 3 4
In summary, has the risk analysis identified a Control Gap? x%
Risk
Result
Control
(Score 1 x Ranking 1) + (Score 2 x Ranking 2) + (Score 3 x Ranking 3) + (Score 4 x Ranking 4)
Risk Control = No Gap > 90%
---------------------------------------------------------------------------------------------------------------------------------------------------
CSA Score

Analysis (Highest possible score1 x Rank1) + (Highest possible score2 x Rank2) No Major Gap > 80%
+ (Highest possible score3 x Rank3) + (Highest possible score4 x Rank4) Improve Control Gap > 65%
Not Adequate =<65%
Note: NA answers not included in calculation
+

Average Control Score

Control____________________________________________
Score 1 + Control Score 2 + Control Score n
Ave Control
Ave Control

Score = n
Score

Average Control Score

Control Score
= (Design Effectiveness + Operating Effectiveness)
(per control)
___________________________________________
2

Control Design Effectiveness Question Score Control Operating Effectiveness Question Score
Ranking 2 1 0 NA Ranking 2 1 0 NA
1. Is the control design appropriate considering potential consequences? 6 1 2 3 - 1. Are the control & its objective understood by the Control Owner & operator(s)? 3 1 2 3 -
=

2. Is there an accountable owner for the control? 3 1 2 3 - 2. Is the control operated as designed? 3 1 2 3 -
3. Are the control's objective, process and limits documented? 2 1 2 3 - 3. Has the control failed since the last CSA? 3 1 2 3 -
4. Is there a management process to track and measure control performance? 2 1 2 3 - 4. Are Control Owners/Operators competent to operate the control? 2 1 2 3 -
5. Is there an independent assurance process for this control? 2 1 2 3 4

Risk
Control Operating Effectiveness = Result
Control Design Effectiveness = Risk Control
Result
Control Adequate > 80%
(Score 1 x Ranking 1) + (Score 2 x Ranking 2) + (Score 3 x Ranking 3) + (Score 4 x Ranking 4) (Score 1 x Ranking 1) + (Score 2 x Ranking 2) + (Score 3 x Ranking 3) + (Score 4 x Ranking 4)
________________________________________________________________________________ Adequate > 80% Need to improve
--------------------------------------------------------------------------------------------------------------------------------------------------- > 65%
(Highest possible score 1 x Rank 1) + (Highest possible score 2 x Rank 2) Need to improve > 65% (Highest possible score 1 x Rank 1) + (Highest possible score 2 x Rank 2) Not Adequate £ 65%
Average + (Highest possible score 3 x Rank 3) + (Highest possible score 4 x Rank 4) Not Adequate £ 65% + (Highest possible score 3 x Rank 3) + (Highest possible score 4 x Rank 4) + (Highest posible score x Rank 5)
Risk Control
Control
Analysis
Score Note: NA answers not included in calculation Note: NA answers not included in calculation
Excellent > 90% > 90%
Well controlled >80% >80%
Requires some Improvement >65% >65%
Requires significant improvement ³ 50% ³ 50%
Uncontrolled < 50% < 50%