Procedure for Risk Assessment v1 by qkc15888



Compliance Risk Assessment Workshop                                                                          Page 1 of 23

1.         INTRODUCTION ..........................................................................................................................3
           1.1         Purpose ...........................................................................................................................3
           1.2         Scope ..............................................................................................................................3
2.         DEFINITIONS...............................................................................................................................4
3.         DETAILS ......................................................................................................................................5
           3.1         Overview ..........................................................................................................................5
           3.2         Compliance Risk Assessment Workshops ........................................................................5
                       3.2.1       Stage 1 - Preparation for Risk Assessment Workshops...................................8
                       3.2.2       Stage 2 - Running Workshops .........................................................................10
                       3.2.3       Stage 3 - Post Workshop Follow-up .................................................................13
           3.3         Risk Acceptance Level ...................................................................................................14
           3.4         Records from the Compliance Risk Workshop ................................................................14
4.         RELATED DOCUMENTS ...........................................................................................................14
APPENDIX 1 – RISK PROMPTS ...........................................................................................................15
APPENDIX 2 – RESOURCE REQUIREMENTS & ACCOUNTABILITIES ...............................................17
APPENDIX 3 – RISK ASSESSMENT SCOPING DOCUMENT ................................................................19
APPENDIX 5 - RISK TABLES & MATRIX................................................................................................21
APPENDIX 6 – EXISTING CONTROL EFFECTIVENESS .......................................................................23

1.         INTRODUCTION

1.1        PURPOSE

           The purpose of this Procedure is to describe the process used by Rio Tinto Compliance to facilitate
           compliance risk assessments. It details the process for conducting systematic risk assessments of
           major compliance hazards that can then be used to develop detailed control management or risk
           reduction plans. These risk assessments are conducted as part of an effective way to manage the
           major risks encountered in day-to-day operations.
           The key objectives of this Procedure are therefore to ensure:
            1. Risk assessments are conducted in a transparent, systematic way by appropriately trained
               and experienced persons using an appropriate process;
            2. The assessments capture all relevant and material compliance risks;
            3. Risk assessments are undertaken to a consistent quality; and
            4. The results of risk assessments are used as intended.
           This Procedure is consistent with the Rio Tinto Risk Analysis and Management Guidance (RAMG)
           and with international standards on Risk Management.

1.2        SCOPE

           This procedure covers the risk assessment of compliance risk as outlined in the Rio Tinto
           Compliance Guidance.

           Compliance risk assessment deals fundamentally in downside risk.

2.         DEFINITIONS
Compliance Risk: Hazards arising from those laws, regulations, policies, codes and standards which, if
           contravened, could give rise to a material impact on the Business Unit's or Rio Tinto's financial
           condition, reputation or ability to achieve business objectives. (Rio Tinto Compliance Guidance, 2003)

Current Risk: The risk level with the current controls and current control efficiency.

Hazard: A source of potential harm or a situation with a potential to cause loss. (AS/NZS 4360:1999 Risk
           Management) In this document, it is used in the context of compliance hazards.

Inherent Risk: The risk as originally identified before actions or controls have been implemented. (Rio
           Tinto RAMG 2005)

Material Impact:
           For financial: Any event that could lead to a loss equal to or greater than x% of annual turnover.
           For reputation: Any event that, should it be made public, would put the company and its
           shareholders in disrepute.
           For business objectives: Any event that would prevent the company from meeting plan targets
           (whether measured in terms of production, costs, revenue or otherwise) by x% or more.

Residual Risk: The risk remaining after agreed actions and controls have been implemented. (Rio Tinto
           RAMG 2005)

Risk: An uncertain event or condition that, if it occurs, will affect the achievement of one or more
           objectives. (Rio Tinto RAMG 2005)

Risk Acceptance Threshold: A measure of the level of risk exposure above which action must be taken to
           proactively manage threats and maximise opportunities, and below which risks may be accepted.
           (Rio Tinto RAMG 2005)

Risk Analysis: The overall process of risk identification and risk evaluation. (Rio Tinto RAMG 2005)

Risk Assessment: The overall process of risk analysis and risk evaluation. (AS/NZS 4360:1999 Risk
           Management)

Risk Assessment Workshop: A forum for conducting risk analysis and risk assessment activities.

Risk Reduction Measure: For compliance risk, the potential risk response. The selective application of
           appropriate techniques and management principles to reduce either the likelihood of an
           occurrence or its consequences, or both. (AS/NZS 4360:1999 Risk Management)

Zero Tolerance Risks: Refers to those strategic risks that the organisation needs to 'get right' if it is to
           achieve its strategic objectives. 'Zero tolerance' refers to the risk acceptance level of that
           organisation and may mean that 'risk management' means 'risk elimination' to the maximum
           extent that it is feasible to do this. Zero tolerance risks are above the risk acceptance threshold.

3.         DETAILS
3.1        OVERVIEW

           This procedure was developed by Rio Tinto Compliance and Rio Tinto Technical Services
           with input from Rio Tinto Group Risk Management and Rio Tinto Group Internal Control to
           ensure a transparent, standardised process for identifying and ranking compliance risk.
           This procedure provides a methodology to assist Business Units to address the Rio Tinto
           Compliance Guidance requirement to identify compliance risk on a systemic and ongoing

           The likelihood and potential consequences of unwanted events associated with the major
           compliance hazards are determined using a team of appropriate personnel, and the level
           of risk calculated using a risk matrix. For risks that exceed an acceptable level, new
           controls may be required (eg obtaining professional advice, re-designing or modifying a
           task or process, or introducing training) to eliminate or reduce the level of risk to an
           acceptable level.

           These team-based risk assessments must be undertaken by a team of "knowledgeable"
           persons who have a good understanding of the issues involved, including the activities or
           tasks, the various hazards and unwanted events, and the controls required to minimise risk.

           The entire suite of documents that support this process are available via the Head of
           Compliance or via the Compliance Community on the Rio Tinto portal.

           Those Business Units that have their own sound method of identifying compliance risk, in
           accordance with the Rio Tinto Risk Analysis and Management Guidance (RAMG), are not
           required to follow this process.

           The head of Compliance is the custodian of this procedure.


           The compliance risk assessment process:

           - Identifies and documents a comprehensive set of compliance hazards.

           - Identifies any 'zero tolerance' compliance risks for that Business Unit.

           - Assesses the likelihood of each hazard arising based on a predetermined
             classification system, in line with the Business Unit's existing methodology if any
             and as applicable, to ensure data can be integrated with other risk sources.

           - Assesses the expected severity of each consequence using a predetermined
             classification system, in line with the Business Unit's existing methodology, to
             ensure data can be integrated with other risk sources.

           - Identifies potential risk reduction measures that could be adopted to reduce the

           Compliance risk should be reviewed at an appropriate frequency to capture changes in
           business, business processes, senior staff, regulation, and Rio Tinto policy.

           Summary information from the approved version of the final risk report will be collated by the
           head of Compliance and communicated back to Product Group heads.

           Key success factors are:

           - Use of a trained and experienced Facilitator. The Facilitator should be familiar with
             the scope of the risk analysis and skilled in the risk process and should be drawn
             from outside the team directly working on the area being analysed;

           - Use of a team with the relevant knowledge, experience and motivation;

           - Appointment of an appropriately qualified and competent Team Leader;

           - Proper scoping (see Appendix 3) of the risk assessment, including:
                 o    Definition and distribution of appropriate context setting materials;
                 o    Definition of the level of "acceptable" and "unacceptable" risk;
                 o    Consideration of likely outcomes;

           - No perceived pressure on the Team to come up with a pre-determined outcome
             (eg a clean slate to look good), i.e. it must be and must be seen as objective and
             done with integrity;

           - Use of a detailed and systematic approach for hazard/ risk identification;

           - Proper documentation and reporting of the assessment;

           - Adequate review of the assessment results by senior Management and in-house
             legal advisors; and

           - Feedback by Management to the organisation on subsequent implementation
             requirements for actions for reducing compliance risk.

           Risk Assessment workshops involve three stages. These are:

           - Stage One - Preparation for risk assessment workshops

           - Stage Two - Running the workshops

           - Stage Three - Post workshop follow-up

           The process for the workshops is outlined in Figure 1.

           Figure 1: Risk identification and risk evaluation process

           [Flowchart not reproduced in text. Box labels recovered from the figure: Identify Hazards;
           Identify Existing ...; Likelihood of Occurrence; Risk Level; Risk Treatment.]

           3.2.1       Stage 1 - Preparation for Risk Assessment Workshops

           i)          Establishing the Context

                       The designated person accountable for Compliance at the Business Unit will
                       provide the following information to the head of Compliance, at least two weeks
                       before the scheduled Compliance Risk workshop date:

                            Organisational Context.

                                          o     Summary information on the nature of risk assessment work
                                                already done within the Business Unit.

                                          o     Likelihood, consequence and risk scoring methodology already
                                                used within the Business Unit.

                                          o     How risk information is currently captured (eg Risk Register, Excel
                                                Spreadsheets, Access database or other)?

                                          o     Names and roles of proposed workshop team members.

                                          o     What technical expertise is available to that Business Unit in
                                                defining the risk tolerance levels.

                                          o     What technical expertise is available to that Business Unit in
                                                defining any „zero tolerance‟ risks.

                                          o     What types of legal actions, or threatened legal actions, have
                                                occurred in the past five years at this Business Unit? (This can be
                                                expressed as $ spent on categories of legal matters, numbers of
                                                items by matter category or any other quantifiable measure,
                                                including exposure.)

                                          o     Any matters currently under advice, previously under legal advice,
                                                or that could foreseeably be under future legal advice, that could
                                                lead to issues of legal professional privilege being compromised.

                                          o     Number and type of internal issues that could have progressed to
                                                legal action (eg unfair treatment, harassment, golden handcuffs,

                                          o     Number and nature of Speak-OUT issues raised at that Business

                                          o     High-level organisational chart.

                       The head of Compliance provides the following information to the Business Unit
                       Team Leader:

                                   - Compliance Risk assessment context

                                          o     The objective of the compliance risk assessment is to identify the
                                                laws, regulations, Group policies, codes and standards, which, if
                                                contravened, could give rise to a material impact on their own or
                                                Rio Tinto's

                                                     - Financial condition

                                                     - Reputation

                                                     - Ability to achieve its business objective

                                          o     Up to date lists of Rio Tinto Group policies, standards and
                                                guidelines can be found via the Rio Tinto Portal Compliance page.

                                          o     A list of risk prompts will be used during the workshop process.
                                                The list includes details of the Rio Tinto Group policies, standards
                                                and guidelines. A copy of this is at Appendix 1. This will be sent
                                                by the head of Compliance to the BU compliance representative
                                                prior to the workshop, for that person to distribute to the
                                                compliance risk assessment team members.

                                          o     A check sheet outlining the resources required for the workshop
                                                and accountability for those resources (Appendix 2).

                                   - Define the Risk evaluation criteria

                                          o     Agreement on the evaluation criteria for consequence and
                                                likelihood (BU own or Rio Tinto)

                                          o     Determine any risk acceptability / risk tolerance levels (although it
                                                must be noted that a BU shall not 'accept' an exposure of critical
                                                or significant nature)

           ii)         Scheduling Workshops

                       Scheduling of workshops shall be by consultation with the Business Unit
                       representative and the head of Compliance.

                       The duration of each workshop will depend upon the size and complexity of the
                       Business Unit.

           iii)        Information and Data Provision

                       For the workshops to be effective, a range of supporting information must be
                       made available to the participants.

                       The Business Unit Team Leader is responsible for the distribution of agreed
                       information to Team Members. The information set will be confirmed between the
                       head of Compliance and the Team Leader and will be included on the Risk
                       Workshop Scoping Document (see Appendix 3).

           3.2.2       Stage 2 - Running Workshops

                       At the commencement of the workshop, the facilitator is to:

                                   - Confirm the agreed scope of the workshop

                                   - Confirm the roles of the participants in the workshop

                                   - Confirm the strategic context

                                   - Confirm the process to be used for the workshop

                                                Part 1: Identification of risk

                                                Part 2: Determination of likelihood and consequences

                       - Sample agendas for this process are available from the head of Compliance.

                       The head of Compliance, in conjunction with the designated person accountable
                       for Compliance at the Business Unit will discuss and document the strategic
                       context with the workshop participants, at the commencement of a Compliance
                       Risk workshop:

                            - Strategic context

                                          o     In which country or countries does this Business Unit operate?

                                                     - Which jurisdictional authorities prevail?

                                                     - Is the legislative landscape applicable to the Business
                                                       Unit changing or stable?

                                                     - What is the culture of the country?

                                                     - Who are the major stakeholders for this Business Unit?

                                                     - What are the areas of emerging compliance risk (eg new
                                                       areas of compliance, new rules) for that region?

                       The purpose of risk workshops is to:

                       Part 1:

                                   - Review previously identified compliance risks in the significant category
                                     (i.e. from the Client's existing risk identification data such as HSE risk,
                                     Group Risk Reviews, etc)

                                   - Identify compliance hazards not previously documented, using the Risk
                                     Prompt sheets as a guide. (refer Appendix 1)

                       Part 2:

                                   - Assess the likelihood(s) and consequence(s) associated with updated
                                     risk(s) and new hazard(s), using risk measures with controls in place, that
                                     is, assess the current risk level and the control effectiveness.

                                   - Identify potential candidates to address new hazards

                                   - Determine a list of possible risk reduction measures.

           i)          Hazard Identification

                       The process by which hazards are identified relies heavily on "expert judgement".
                       In this context, expert judgement is provided by the workshop attendees who
                       participate in the assessment, and which may or may not be backed up by
                       tangible evidence.

                       A list of risk prompts is provided at Appendix 1.

                       Although tangible evidence may not always exist for some of the risks identified,
                       this does not devalue the identification in any way. It is the subsequent likelihood
                       and consequence assessments that indicate how seriously the individual risks
                       should be taken when devising risk assessment strategies.

                       Information about each hazard, including the history of similar incidents, should be
                       recorded. In the event that the Business Unit does not have its own methodology,
                       the forms at Appendix 4 can be used.

           ii)         Assessment of Consequence(s) and Likelihood(s)


                       For each hazard identified, the maximum reasonable consequence must be
                       determined to identify the risk. This is the outcome that could occur in a
                       reasonable “worst case” scenario with consideration of any controls that might be
                       in place to minimise the consequences.

                       In the event that the Business Unit does not have their own proprietary method of
                       determining consequence, the classification system in Appendix 5, Tables 2 and 3
                       can be used.

                       Compliance risk consequences are, for the main, assessed in terms of:

                                   - Reputational damage to the Business Unit or to Rio Tinto

                                   - Imposed penalties

                                   - Time and money in defending an action

                       With reference to the Rio Tinto Risk Analysis and Management Guidance
                       (RAMG), Capex, Schedule and Production Volume consequences have been
                       considered and assessed as not relevant to compliance risks.


                       The likelihood of an unwanted event occurring is dependent on two factors:

                       1. In many cases, the frequency of exposure and the number of times the task or
                       activity is undertaken. The following aspects should be considered when making
                       this decision:

                                   - The number of times tasks/ cycles/ situations occur;

                                   - The number of people performing the tasks;

                                   - Whether the likelihood arises from a judgement rather than a task;

                                   - Frequency of an omission (eg failure to enforce contractual rights, leading
                                     to the right to seek performance being waived).

                       2. The probability that the unwanted event or omission (the maximum reasonable
                       consequence) will occur as a result of the hazard, based on what has happened in
                       the past here or elsewhere in similar situations (i.e. have incidents occurred
                       previously, how often have they occurred, etc).

                       In the evaluation process, the workshop participants must consider the "most
                       credible scenario" and attempt to keep a balance between the assessed likelihood
                       and consequences.

                       In the event that the Business Unit does not have their own proprietary method of
                       determining likelihood, the classification system in Appendix 5, Table 1 can be

           iii)        Risk Determination and Ranking

                       Risk is the combination of the chance of an event happening and the severity of
                       the consequences when it does. In a qualitative analysis, the risk is determined
                       from the relationship between the assessed likelihood and consequences, using a
                       risk ranking matrix (refer example at Appendix 5, Table 4).

           iv)         Identification of Risk Reduction Measures

                       During the process of identifying hazards, attempts will be made to identify
                       measures that can be taken to reduce or manage the risks. Risk reduction
                       measures are devised to reduce the likelihood that the risk will develop, or to
                       mitigate the consequences should the risk occur.

                       Consideration of the 'hierarchy of controls' should be made. Refer Appendix 6.

           v)          Recording Information

                       All information must be recorded accurately and in a clear, consistent manner.
                       This requires the services of an experienced scribe who must prepare the
                       necessary blank forms or provide an alternative system to gather the information.
                       Photocopies of the white board or the flip chart sheets should be retained.

                       The Workshop Facilitator:

                                   - Checks with participants during the workshops to confirm information and
                                     clarify decisions

                                   - Makes sufficient notes to ensure that the scribe's notes can be confirmed
                                     prior to the compilation of the final report.

           3.2.3       Stage 3 - Post Workshop Follow-up

                       The Workshop Facilitator:

                                   - Follows up any additional gaps in information from the workshops

                                   - Utilising the services of Rio Tinto Group Internal Control, organises an
                                     independent session with the appointed internal auditors.

                                   - Ensures a report of information generated from the workshops is provided
                                     to the Business Unit head (eg risk profiles, hazard descriptions, existing
                                     controls) for review and approval.

                                   - Ensures risk information is transferred back to the Team Leader for
                                     integration into the Business Unit's own risk register system.

                                   - Ensures risk information and the summary report are forwarded to the head of
                                     Compliance for collation at a Group level.

                       The Business Unit head is responsible for:

                                   - Approval of all risk ratings assigned to each hazard from each workshop.

                                   - Ensuring that all new risk ratings are consistent across the business.

                                   - Ensuring that adequate risk reduction measures are identified for all
                                     significant and highly significant risks.

                                   - Ensuring that suitable risk reduction measures are implemented to manage
                                     the risk under consideration, and to reduce the risk level to an acceptable

                                   - Ensuring the report of the risk identification process and risk reduction
                                     measures are retained in accordance with the requirements in the Rio
                                     Tinto Compliance Guidance.


           3.3         Risk Acceptance Level

           Any hazards with an assessed current risk ranking between Level 4 and Level 7 (using the
           scale in Appendix 5, Table 4) are considered significant and require appropriate risk
           reduction measures to be identified and available for adoption or implementation.

           Level 6 and Level 7 are termed highly significant and require immediate action by the
           Business Unit.

           This does not preclude risk reduction measures from being determined and actioned for
           hazards with a lower risk rating.


           3.4         Records from the Compliance Risk Workshop

           At the conclusion of the Compliance Risk identification process, a report will be generated
           by the workshop facilitator. The Business Unit should retain the report in accordance with
           the requirements of the Rio Tinto Compliance Guidance and local regulatory guidelines.
           Information from the report should be integrated with other risk data managed within that
           Business Unit.


4.         RELATED DOCUMENTS

                      - AS/NZS 4360: 1999 “Risk management” (Standards Australia)

                      - HB 142-199 “A basic introduction to managing risk using the Australian Risk
                        Management Standard AS 4360:1999” (Standards Australia)

                      - HB 158: 2002 “A guide to using AS/NZS4360 Risk management within the internal
                        audit process” (Standards Australia)

APPENDIX 1 – RISK PROMPTS

This list is designed to provide a number of Risk Prompts, to assist Business Units in the identification of sources of compliance risk.

A (1)  Legislative and Regulatory (civil and criminal)

Risk associated with non-compliance, including criminal prosecution and civil claims based on non-compliance brought by regulators or private parties:
- Actions brought by Env / Safety regulators;
- Private actions based on violations of HSE regulations or license conditions;
- Regulatory or private actions based on violations of Competition Law;
- Regulatory actions for violation of Import / Export laws;
- Gov’t actions for violation of OECD Bribery and Corruption laws / US Foreign Corrupt Practice;
- Violation of Employment / Industrial Relations laws;
- Actions brought by mining authorities;
- Material misrepresentation or omission in public announcement or SEC or Exchange filing leads to legal / regulatory action;
- Breach of Directors / Officer’s duties;
- Changing legislation or new legislation is missed;
- Insider dealings;
- Intellectual Property;
- Legacy issues - closed or abandoned sites;
- Licenses – operating without one;
- Mining laws;
- Non-compliance with accounting standards;
- Non-compliance with tax legislation;
- Other health laws (eg running of mine camps (pools, food, etc));
- Privacy;
- Tenement management issues / loss of tenement;
- Workers Compensation – criminal & civil.

B (2)  Contractual

Risk associated with defending or containing claims based on alleged breach of contract, including claims as to existence of unwritten contract:
- Failure to respond to complaint brought by customer for breaching quality specifications in supply contract, leading to default and cancellation;
- Repeated failure to meet quantity requirements without declaring force majeure, leading to default and cancellation;
- We breach supply agreement (disaster / shortfall / not to spec);
- Employment contract breach;
- Project / joint ventures;
- Procurement processes in general, including disclosure of conflict of interests; adherence to protocols etc.

C (3)  Common law or its civil code equivalent

Risk associated with defending or containing common law claims (eg negligence, libel, slander, trespass etc):
- Failure to maintain safe premises results in injury to visitor and personal injury action;
- Imprudent remarks made about a supplier / customer after commercial dispute leads to libel action;
- Failure to monitor own mining activities relative to boundary lines leads to trespass action;
- Improper and deceitful negotiating practices leads to fraud action;
- Bribery and corruption;
- International protocols or conventions affect operations / reputations;
- Misappropriation of company funds;
- Traditional law (eg aboriginal law) issues;
- Theft of product or company assets.

Rio Tinto Policy (+ assoc Standards and Guidelines)

Risk associated with non-compliance ‘beyond the legal’ with Rio Tinto policies, including reputation damage, trade embargos, ostracism from international voluntary schemes:
- The way we work:
    o Communities Policy
    o Employment Policy
    o Environment Policy
    o Human Rights Policy
    o Land Access Policy
    o Occupational Health Policy
    o Political Involvement Policy
    o Safety Policy
    o Sustainable Development Policy
- Rio Tinto Controllers Manual
- Rio Tinto Information Security Management Policy
- Rio Tinto Group Data Protection Policy
- Rio Tinto Data Protection in Australia
- Rio Tinto Group Treasury Policies
- Rio Tinto Internet and Email Policy
- Rio Tinto Patch Management Policy

D (5)  Risk associated with a third party’s non-compliance (as above) that puts Group assets, financial health or reputation at risk:
- Agent’s action that violates OECD Bribery and Corruption laws giving rise to liability of Rio Tinto;
- Release of contaminants by third party onto company property, leading to Rio Tinto liability;
- Conspiracy amongst competitors that violates Competition Law and prejudices Rio Tinto’s market position / profitability;
- Contractor fails to follow building codes, leading to operability problems at a new

E (4)  Risk associated with failing to invoke/enforce contractual rights:
- Failure in not enforcing quality / quantity terms in suppliers contract, resulting in eg inability to meet production targets;
- Failure to give notice of missed deadline in EPCM contract, leading to waiver of rights / inability to take advantage of contractual reduction in fees;
- Our contractor breaches supply agreement;
- Project / joint ventures.

F (6)  Risk associated with failing to invoke/prosecute common law claims (as above) against third parties:
- Failure to monitor activities near property boundary leads to ongoing trespass, with third party acquiring title by adverse possession;
- Failure to adequately refute adverse public statements by supplier / customer following commercial dispute leads to loss of reputation.

Risk associated with Rio Tinto actively trading with a third party in non-compliance with Rio Tinto policy or voluntary schemes.



The Risk Assessment Team should be a blend of the following:
- Senior Management personnel;
- Technical (eg in-house lawyers or external legal advisor, HSE) personnel; and
- Management (eg manager / superintendent of specialist areas).
Team members should have both knowledge and experience of the hazards associated with the
process, system, plant/ equipment, operation or work area that is the subject of the assessment.
In general, the Team should comprise not less than 6 or more than 15 persons.
A trained facilitator will be used to guide the Team through the compliance risk assessment
process. One member of the Team should be nominated as Team Leader. This person will act as
the liaison between the Client and the Team and be responsible for ensuring the final report is
provided on time.
All Team Members should be given appropriate notification to allow adequate preparation before
the risk assessment. The Team Leader will be responsible for providing the notification to the
Team Members.

All of the below roles should be clearly explained by the Facilitator at the start of the risk

Role of the Team Leader is to:
- Act as the Client liaison;
- Provide support to the exercise;
- Make any logistical
- Help resolve any conflicts within the Team;
- Ensure a formal report of the risk assessment is completed;
- Assist the Client in the review of the risk assessment results (i.e. can provide additional detail not contained within final

Role of a Team Member is to:
- Input skills and experience into the risk assessment exercise;
- Understand the issue under review and the potential and actual hazards that arise from these issues;
- Have some understanding of what current controls are in place to prevent the unwanted incidents and how effective they are; and
- Actively contribute their knowledge to achieve a successful outcome.

Role of the Facilitator is to:
- Set up the exercise based on the original scoping document;
- Introduce the team to the scope and risk assessment methodology;
- Keep the process on track throughout the exercise;
- Promote creative thinking in determining applicable controls;
- Guide the team through the exercise;
- Resolve any conflicts within the team;
- Help reach consensus, where required;
- Ensure the team's objectives are achieved within specified

Business unit checklist:
Item                                                      Accountability   Completed
Determine accountable person at the Business Unit
to act as Team Leader. Advise to head of
Compliance. This person will act as Client liaison.
Book venue and equipment for agreed date; arrange
any refreshments required.
Book relevant internal personnel (MD, GM’s,
Managers, in-house counsel, legal advisors,
including those from remote locations)
Provide hazard capture templates and risk rating
criteria to be used (i.e. so the data can go into their
own form of risk register) if already existing in the
business unit.
Identify legislation, regulation that applies to their
operation (available from –or to be developed by –
regional Rio Tinto Legal Services)
Provide list of major contracts (as supplier or as
Provide details on legal matters under action for past
5 years
Alert head of Compliance to any issues currently
under advice, discussion of which could compromise
legal professional privilege
Provide last 6-monthly HSE report
Provide information from the Speak-OUT program
Provide any details currently captured on
compliance-related risk
Distribute appropriate information to Team Members
Ensure a formal report of the compliance risk
assessment is completed

RTHQ Compliance checklist:
Item                                                      Accountability   Completed
Source Risk Workshop facilitator
For BU’s without in-house legal counsel, provide
Rio Tinto legal expert.
Collate context-setting materials as defined at 3.2.1
and risk prompts. Send to Business Unit Team
Leader for distribution to Business Unit Team


                                 RISK ASSESSMENT SCOPING DOCUMENT
Title:          Compliance Risk                          Site:
Client:                                                  Process to Use:     Workshop
The objective of the risk assessment is to review risks related to non compliance with laws,
regulation, Rio Tinto Policies, Rio Tinto Standards and Rio Tinto Guidelines, that could have a
material impact on the Business Unit or Rio Tinto's financial condition, reputation or ability to
achieve its business objectives.

The assessment focuses on risk types such as those indicated on the attached table (as per Attachment 1).

The Team should examine the risks systematically, scoring each risk factor it identifies according
to the risk rating method agreed.

Risk rank scores <insert score ranges> are to be considered as “unacceptable” risks and the
Team will need to further examine these risks to determine the adequacy of existing controls and
the level of residual risk.

A “Risk Reduction Plan” is to be developed for all risks with a score of <insert score ranges> and
is required by <insert date>.

The team will be allotted <insert number of days> days, from <insert start date> to <insert end
date> to undertake the assessment.

The venue for the risk assessment will be <insert venue name/location>

The Final Report will be required by <insert report due date>
The team members

Documents to be distributed to Team Members are:
- This scoping document

The Facilitator is:

The Team Leader is:

Feed-back to the Team will be arranged as follows:

Client’s Signature                                                    Date


Illustrative example

Ref  Hazard                                        L Measure    C Type          L*   C*   Risk Level  Control  Risk Reduction Measures            Risk Ownership
A1   Fraud or misappropriation of funds due to     Time         (E) React       VU   M    L3          C4       Review control effectiveness
     control weaknesses.                           Time         (E) Opcost      VU   VL
                                                   Time         (N) Reputation  VU   M
A2   Failure to disclose material information      Descriptive  (E) React       VU   H    L4          C3       Need to review formal controls
     to the market                                 Descriptive  (N) Reputation  VU   H
                                                   Descriptive  (N) Penalties   VU   L
B1   Equal employment opportunity or               Descriptive  (E) React       U    VL   L3          C3       Training and education on EEO
     harassment claims.                                                                                        and harassment.

* L = Likelihood: VU = very unlikely; U = unlikely; P = probable; HL = highly likely
* C = Consequence: VL = very low; L = low; M = moderate; H = high



      1. Annual production of <………..> tonnes,
      2. Revenue of US$<……..> per tonne of product (approx US$<…..> pa),
      3. Operating costs of US$<………> per tonne (approx US$<…….> pa)

                                Very Unlikely        Unlikely               Probable               Highly Likely
                                Almost Impossible    Possible Sometime      Isolated Incidents     Repeated Incidents
               Time             < 1/year             1/month to 1/year      1/week to 1/month      > 1/week
               Probability      < 0.1%               0.1% – 1%              1% – 10%               > 10%
                                            Table 1 - Likelihood Classification

(Figures in blue – replace with calculated values for that BU using Assumptions above)

                                            Economic Consequences (annual)
                                      Very Low        Low                   Moderate             High
          Costs to React or Defend    < US$0.15M      US$0.15M to US$0.5M   US$0.5M to US$1M     > US$1M
          Revenue Impact of Loss      < 1%            1% to 3.5%            3.5% to 7%           > 7%
          Operating Cost Impact       < 2.25%         2.25% to 7.5%         7.5% to 15%          > 15%
          of Loss
                                      Table 2 – Economic Consequence Classification

                                            Non-Economic Consequences
                                        Very Low           Low                Moderate             High
          Rio Tinto or BU Reputation                       Slight             Moderate             Severe
                                                           (Manager Level)    (BU Level)           (Board or RT Level)
          Health Impact                 None                                  Long-term Minor      Long-term Serious
          Personnel Safety              No Injuries        Minor Injuries     Serious Injuries     Fatalities
                                                           (Dressings)        (LTIs)
          Environmental Impact          Localised          Widespread         Severe               Catastrophic
                                        Degradation        Degradation        Degradation          Degradation
          Non-financial Penalties       Negligible         Slight             Moderate             Severe
                                        Official Censure   Fines              Prosecution          Business Closure
          Loss of Corp’te Knowledge                        Minimal            Significant          Severe
                                                           Business Impact    Business Impact      Business Impact
                                        Table 3 – Non-economic Consequence Classification


                                                               Most Serious Consequence
                                                 Very Low       Low          Moderate          High
                             Very Unlikely       Level 1        Level 2      Level 3           Level 4
                             Unlikely            Level 2        Level 3      Level 4           Level 6
                             Probable            Level 2        Level 3      Level 5           Level 6
                             Highly Likely       Level 3        Level 5      Level 6           Level 7
                                                  Table 4 – Risk Determination Matrix

In general terms, the action levels appropriate for the risk levels in Table 4 can be summarised as follows:

RMAG Class *                Risk Level          Significance and Response
Class 1                     Levels 1 & 2        - risks that are below the risk acceptance threshold and do not
                                                require active management
Class 2                     Level 3             - risks that lie on the risk acceptance threshold and require active
Class 3                     Levels 4 & 5        - risks that exceed the risk acceptance threshold and require
                                                proactive management
Class 4                     Levels 6 & 7        - risks that significantly exceed the risk acceptance threshold and
                                                need urgent and immediate attention
* Refer Rio Tinto Risk Analysis and Guidance, 2005
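As an added worked example (not part of the procedure itself), the Python below encodes the likelihood scale of Table 1, the economic consequence bands of Table 2, the risk determination matrix of Table 4 and the action levels above, and applies them to hazard records shaped like the illustrative register; the function names, the boundary handling and the sample hazards are this example's own assumptions.

```python
"""Added worked example, not from the original procedure: classify likelihood
(Table 1) and economic consequence (Table 2), apply the Risk Determination
Matrix (Table 4) and map the result to the RMAG action classes."""
from dataclasses import dataclass

LIKELIHOOD = ["VU", "U", "P", "HL"]   # very unlikely, unlikely, probable, highly likely
CONSEQUENCE = ["VL", "L", "M", "H"]   # very low, low, moderate, high

# Table 4 - Risk Determination Matrix: row = likelihood, column = consequence
RISK_MATRIX = {
    "VU": [1, 2, 3, 4],
    "U":  [2, 3, 4, 6],
    "P":  [2, 3, 5, 6],
    "HL": [3, 5, 6, 7],
}

# Table 2 band boundaries (lower bound of Low, Moderate and High) per measure
ECONOMIC_BANDS = {
    "react":   (0.15, 0.5, 1.0),   # costs to react or defend, US$M per year
    "revenue": (1.0, 3.5, 7.0),    # revenue impact of loss, % of revenue
    "opcost":  (2.25, 7.5, 15.0),  # operating cost impact of loss, % of opcost
}

def likelihood_from_probability(p):
    """Table 1, probability row; p is a fraction (0.05 = 5% pa).
    Assumption: a value on a boundary belongs to the higher band."""
    if p < 0.001: return "VU"
    if p < 0.01: return "U"
    if p < 0.10: return "P"
    return "HL"

def likelihood_from_frequency(events_per_year):
    """Table 1, time row: < 1/year, 1/month to 1/year, 1/week to 1/month, > 1/week.
    Assumption: one per month = 12 and one per week = 52 events per year."""
    if events_per_year < 1: return "VU"
    if events_per_year <= 12: return "U"
    if events_per_year <= 52: return "P"
    return "HL"

def economic_consequence(measure, value):
    """Table 2: classify an annual economic impact for one measure."""
    low, moderate, high = ECONOMIC_BANDS[measure]
    if value < low: return "VL"
    if value < moderate: return "L"
    if value < high: return "M"
    return "H"

def risk_level(likelihood, consequences):
    """Table 4 applied to the most serious consequence across every (E)/(N)
    consequence type recorded for the hazard, as the register lists several."""
    worst = max(consequences, key=CONSEQUENCE.index)
    return RISK_MATRIX[likelihood][CONSEQUENCE.index(worst)]

def action_level(level):
    """RMAG class and response for a Table 4 risk level."""
    if level <= 2: return 1, "below the acceptance threshold; no active management required"
    if level == 3: return 2, "on the acceptance threshold; active management"
    if level <= 5: return 3, "exceeds the acceptance threshold; proactive management"
    return 4, "significantly exceeds the acceptance threshold; urgent and immediate attention"

def is_significant(level):
    """Section 3.3: Levels 4 to 7 need risk reduction measures identified."""
    return 4 <= level <= 7

def is_highly_significant(level):
    """Section 3.3: Levels 6 and 7 need immediate action by the Business Unit."""
    return level in (6, 7)

@dataclass
class Hazard:
    ref: str
    description: str
    likelihood: str
    consequences: list   # one rating per (E)/(N) consequence type
    control_rank: str    # C1..C4 from the control effectiveness table

def assess(hazard):
    """Return the register fields derived from one hazard record."""
    level = risk_level(hazard.likelihood, hazard.consequences)
    rmag, response = action_level(level)
    # A highly significant risk whose controls are C1 (ineffective) is the
    # case the control effectiveness guidance says to escalate immediately.
    escalate = is_highly_significant(level) and hazard.control_rank == "C1"
    return {"ref": hazard.ref, "level": level, "rmag_class": rmag,
            "response": response, "significant": is_significant(level),
            "escalate": escalate}

# Constructed sample register: A1 and A2 mirror the illustrative example,
# X1 is an invented hazard to exercise the escalation path.
SAMPLE_REGISTER = [
    Hazard("A1", "Fraud or misappropriation of funds due to control weaknesses",
           "VU", ["M", "VL", "M"], "C4"),
    Hazard("A2", "Failure to disclose material information to the market",
           "VU", ["H", "H", "L"], "C3"),
    Hazard("X1", "Constructed: highly likely, high consequence, ineffective controls",
           "HL", ["H"], "C1"),
]
```

Note that Table 4 gives Level 2 for an Unlikely / Very Low hazard such as B1 in the illustrative example, whereas that record shows L3; the code follows Table 4.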



                                         Corporate Compliance Risk Analysis
                                            Control Effectiveness Tables
This scheme is designed to assess the effectiveness of the controls that are taken into account in the
determination of the current risk level.

The scheme is based on the principles in AS4360 – Risk management, with the internal audit process (HB158 –
Standards Australia); except that a four-fold scheme is used for consistency with the likelihood and consequence
scheme and the definition expanded slightly to include both a control quality element as well as a time element.


Inherent risk                         the risk without any controls in place.

Current risk                          the risk level with the current controls and current control efficiency.

Residual risk                         level of risk when all controls are applied to the maximum reasonable extent

Key control                           a control that reduces a high risk to an acceptable level and is, therefore, critical to the
                                      effective management of that risk.

The four-fold system to assess the effectiveness of controls at the present time is:

Control Rank    Description
C1              Ineffective on all occasions
C2              Partially effective on some occasions
C3              Effective on most occasions
C4              Highly effective on almost all occasions

The “hierarchy of control”, often used for HSE purposes, is described below:
                                                (1) Eliminate the hazard altogether to avoid the risk (eg stop using a dangerous
                                                    substance if it is not necessary, use a safer method of mining etc)

                                                (2) Substitute. Change the activity or process to one that is less risky.

                                                (3) Engineering. Redesign the system or process or workflow.

                                                (4) Administrative Controls. Provide written procedural controls, adequate
                                                    supervision, training, rules, checkpoints in work processes etc.

                                                (5) Protect people by providing appropriate Personal Protective Equipment (this
                                                    should be the last resort)

The Facilitator should provide an overview of the “Hierarchy of Controls” to assist the Team in determining what
effective controls are required. Lateral thinking may be required to look beyond the usual “procedural” controls!
The result of this analysis should then be recorded on the “Risk Assessment Record form” (Appendix 3).
If any “highly significant” risks have been identified which have ineffective controls and are considered to pose an
immediate threat to personnel it may be necessary to immediately notify the legal department so that they are
made aware of the situation.
