CASE STUDY – RISK ASSESSMENT EXERCISE
Imagine you are the Risk Manager of a plastic manufacturing company operating in the Kingdom of Saudi Arabia. The Company’s major raw material is procured from the country’s biggest supplier at subsidized rates, which supports the current business viability. As a general practice, the spares and manpower for overhaul activities (shutdown for maintenance) of the plants are arranged through OEMs operating outside the Kingdom.
Lately, the Company has had aggressive expansion plans and therefore took on loans to the limit of its ability to set up a second plant in the Kingdom. Currently, its two plants are operating at 60% capacity and are meeting the required demand. The current debt-to-equity ratio stands at 2:1, while the limit mandated by its lender bank is 2.5:1.
In the previous year, the Company had an employee turnover ratio of 15% at N-1 level (designations directly reporting to the CEO), and one negative trend was noted on Twitter regarding the Company’s handling of customer complaints.
Additional information:
1. The Company saved about SAR 50 Million from the subsidized rates received as against the international prices of the major raw material.
2. If a plant is shut down for any unplanned activity, expect a daily impact of SAR 0.5 Million on budgeted net income. This scenario happened twice last year, leading to 15 days of production outage.
3. The Company’s budgeted net income for this year is SAR 30 Million.
Risks and Existing Controls

S. No. 1 – Risk category: Financial
Risk Title: Removal of Government Subsidies and Impact on Profitability
Risk Description / Event: Removal of subsidies for the Company by the Government could affect the Company’s ability to make profits due to increased operational costs of the business as a result of high raw material cost shrinking the margins for the Company.
Existing Controls and Mitigation Plans: No Control Exists.

S. No. 2 – Risk category: Financial
Risk Title: Non-availability of critical spare parts
Risk Description / Event: Unplanned shutdowns in the production process due to unavailability of critical spare parts and inadequate planning for procurement of spare parts. This may lead to lower utilization of plant capacity and higher loss of production hours.
Existing Controls and Mitigation Plans:
1) Maintaining adequate spare parts availability is already added as part of the KPIs of the maintenance team.

S. No. 3 – Risk category: Human Resource
Risk Title: High turnover of senior management and critical positions
Risk Description / Event: The Company’s employee turnover rate may be high for senior management roles due to lack of employee retention policies, competitive compensation, incorrect business strategy, benefits and career plan. This may lead to operational disruptions and inability to achieve the defined KPIs and strategic objectives of the Company.
Existing Controls and Mitigation Plans:
1) Employee turnover at various levels of the organization is closely monitored by the HR Team.
2) Work from home policy as well as flexible work time policy is in place at the Company.
3) The Company has a Loyalty Program to incentivize long term association of talent with the organization.

Risk Assessment Criteria (RAC)
Shared in a separate PPT. (Named as – NG – Application of Risk Appetite – Case study Appetite)
Risk Scoring Exercise
(Columns: S. No. | Risk category | Risk Title | Inherent Level | Residual Level – the two level columns are left blank for the exercise.)
1. Financial – Removal of Government Subsidies and Impact on Profitability – Inherent Level: ____ – Residual Level: ____
2. Financial – Non-availability of critical spare parts – Inherent Level: ____ – Residual Level: ____
3. Human Resource – High turnover of senior management and critical positions – Inherent Level: ____ – Residual Level: ____
National Grid SA – ERM
Implementation Project
Training Session – Application of Risk
Appetite Statement and Risk Assessment
Criteria in Risk Registers
June 2022
OVERVIEW OF TODAY’S SESSION
1. OVERVIEW OF KEY COMPONENTS IN ERM
2. RECAP ON RISK APPETITE AND ASSESSMENT CRITERIA
3. OBJECTIVE OF RISK APPETITE AND ASSESSMENT CRITERIA
4. KEY COMPONENTS OF RISK APPETITE
5. CATEGORIZATION OF RISKS FOR RISK ASSESSMENT
6. RISK ASSESSMENT AT DIFFERENT LEVELS
7. DECIDING THE RISK TREATMENT STRATEGY
8. RISK ASSESSMENT EXAMPLE
9. TRAINING ACTIVITY – CASE STUDY
10. QUESTIONS AND ANSWERS
OVERVIEW OF KEY COMPONENTS IN ERM
The Enterprise Risk Management process is supported by the following key components, which together help to identify and effectively manage potential events that may affect the entity’s objectives and plans.

Risk Infrastructure
• Robust framework, policies and procedures per leading ERM standards that provide guidance on the risk management process and define risk governance and accountability.
• Allocates resources and enablers to manage risks.

Risk Culture
• Established and understood as a valuable element of general management.
• Knowledge is effectively shared and transferred across NG.

Risk Management Process
• Risks are identified / assessed and treated as per NG’s risk appetite.
• Risks are periodically monitored and reported to stakeholders.

Risk Appetite and Assessment Criteria
• Defines the acceptable level of risk the company is willing to accept in pursuit of its objectives.
• Provides criteria to assess the severity of risks and determines priority.

Risks Consideration in Strategy and Performance Management (the component at the centre of the Enterprise Risk Management diagram).
RECAP ON RISK APPETITE AND ASSESSMENT CRITERIA
Risk appetite is the amount of risk the Company is willing to take in pursuit of achieving its objectives. Risk assessment criteria are a measure used to assess the significance of risk impact and likelihood, which helps in deriving the severity of the risk.

Risk Appetite
• Provides guidance for tolerable and non-tolerable risks.
• Forms the basis for determining the risks that require risk treatment.
• Facilitates strategic planning and budgeting.

Risk Assessment Criteria
• Facilitates measurement of risk severity based on the product of the scales of impact and likelihood.
• Supports monitoring and treatment of risks.
• Provides guidance on determining risk taxonomy / category and risk impact and likelihood assessment parameters.
• Enables risk prioritization / ranking to identify the top risks.
OBJECTIVE OF RISK APPETITE AND ASSESSMENT CRITERIA
1. To provide a clear articulation of NG’s risk-taking, risk mitigation and risk avoidance, and to define the risk-taking at the aggregate level.
2. To increase understanding of NG’s material risk exposures and raise risk awareness across the organization.
3. To support the Board of Managers and the Senior Management in planning, formulating and executing strategic business decisions to achieve the long-term goals of NG.
4. To provide means for the Board of Managers and Senior Management to engage in discussions on risk-taking, risk management, business strategy, and their interlinkages.
5. To provide tools for the Board of Managers and Senior Management to continuously monitor and align NG’s actual risk profile with the risk appetite.
KEY COMPONENTS OF RISK APPETITE

NG Risk Categories
Risks are classified into risk categories as per the business activities of the organization; this provides a structured overview of the underlying and potential risks faced by the organization.
Risk Categories:
• Financial
• Reputational
• Legal & Compliance
• Health & Safety
• Security
• Environment
• Operational
• Human Resources
• Stakeholder Relations
• Information Technology / Cyber Security

Risk Appetite Statements
Risk Appetite statements are defined based on objective criteria known as Tolerance Limits. These limits act as guidance while evaluating the impact of the risks. They also demarcate tolerable and intolerable risks for effective risk management.
Risk Appetite statements define the level of risk appetite against each risk category (on the scale Very Low, Low, Moderate, High, Very High). This indicates the level of risk that the Company is willing to take in pursuit of its objectives.

Tolerance Limits
Indicative Tolerance Limits:
Financial
▪ Adverse impact on EBIT by > 5%
Legal & Compliance
▪ Fines and penalties per year > SAR 100K
CATEGORIZATION OF RISKS FOR RISK ASSESSMENT
Based on the Company’s business and risk landscape, the risks could be broadly categorized into the following risk categories:

Financial
Risks associated with the potential for financial losses such as impact on revenues, net profits, liquidity, cash flows etc. on account of operational or other factors.

Reputational
Risk arising due to adverse public attention towards the company that could have a negative impact on the company’s public image, brand, goodwill etc.

Legal and Compliance
Risk arising from inability to comply with internal policies or contracts, or non-compliance with legal and regulatory requirements, leading to fines and sanctions being imposed on the Company by the concerned regulatory authorities.

Health and Safety
Risks associated with incidents and accidents related to health and safety issues that result from business operations, such as occupational health hazards, communicable diseases such as COVID-19, fatalities, injuries etc.

Security
Risks associated with incidents, accidents or breaches related to security issues that result from business operations, such as theft, vandalism, terrorism, burglary, or force majeure events such as natural disasters, etc.

Environment
Risks associated with incidents and accidents related to environmental issues that result from business operations, such as pollution, deforestation / logging, water disposal, climate change etc.

Operational
The risk of loss resulting from inadequate or failed internal processes and systems, or from external events; it is better viewed as the risk arising from the execution of the Company’s functions, including failures resulting from poor policies etc.

Human Resources
Risk arising from any people, culture or governance factor that causes uncertainty in the business environment and could adversely affect the company’s operations / strategy.

Stakeholder Relations
Risk arising from events resulting in loss of potential stakeholders, the relations with them and the credibility of the organization in the market.

Information Technology / Cyber Security
Risks or incidents that compromise the information security and technology infrastructure of the Company in any way, causing adverse impacts on the organization’s business processes or mission.
KEY RISK DRIVERS TO ASSESS RISKS BASED ON RISK ASSESSMENT CRITERIA

Financial
• Impact on EBIT (Earnings Before Interest and Tax).

Reputational
Damage to reputation and brand image due to:
• Negative publicity from media / attention of government agencies.
• Instances of fraud.

Legal and Compliance
• Volatility and changes in regulatory requirements and standards.
• Potential implications from non-compliance with regulatory, internal policy and contractual requirements.
• Fines and penalties from regulatory authorities.

Health and Safety
• Fatalities / occupational illness / disabilities.
• Incidents resulting in losses.

Security
• Security intrusions.
• Incidents resulting in losses.

Environment
• Environmental damage / severe nuisance / contamination / discharge of toxicity.
• Incidents resulting in losses.

Operational
• Partial / total black out of operation area.
• Loss of production.
• Extended restoration period.
• Loss of bulk customers.

Human Resources
• Loss of key executive members / management turnover.
• Voluntary staff turnover.
• Employee satisfaction percentage / promoter score with work environment.

Stakeholder Relations
• Loss of stakeholders’ confidence.

Information Technology / Cyber Security
• Data and cybersecurity breaches.
• Unplanned loss of internet, network and downtime of systems.
• Loss of critical / classified business information.
• Resolution of IT incidents.
NG RISK APPETITE INDICATOR / TOLERANCES
Amount of risk willing to accept: 1 = Very Low, 2 = Low, 3 = Moderate, 4 = High, 5 = Very High. The scale runs from Tolerable Risks, through the Risk Appetite boundary, to Intolerable Risks.

Financial
1 (Very Low): Adverse impact on EBIT ≤ 1%, or ≤ 47 million, whichever is lower.
2 (Low): Adverse impact on EBIT > 1% and ≤ 3%, or > 47 million and ≤ 140 million, whichever is lower.
3 (Moderate): Adverse impact on EBIT > 3% and ≤ 5%, or > 140 million and ≤ 234 million, whichever is lower.
4 (High): Adverse impact on EBIT > 5% and ≤ 7%, or > 234 million and ≤ 327 million, whichever is lower.
5 (Very High): Adverse impact on EBIT > 7%, or > 327 million, whichever is lower.

Reputational
1 (Very Low): Events causing negative publicity only amongst internal stakeholders of NG that can be resolved by routine management actions.
2 (Low): Ongoing social issues / isolated local media attention for < 1 day with no impact on business operations.
3 (Moderate): Negative local media publicity > 1 day with considerable impact on routine business operations, with possible need for Senior Management intervention.
4 (High): Negative media or public attention resulting in temporary shutdown of offices / business disruptions.
5 (Very High): Extended national adverse media coverage or very serious social issues at regional level causing business continuity issues.

Legal and Compliance
1 (Very Low): Isolated non-compliance with regulations, internal policies or contracts that can be easily remedied without any impact on business.
2 (Low): Repeated non-compliance with regulations, internal policies or contracts, remedied with minimal operational delays or minor fines per year ≤ SAR 100,000.
3 (Moderate): Widespread, prolonged non-compliance with regulations, internal policies or contracts that may cause moderate operational delays or fines per year > SAR 100,000 and ≤ SAR 300,000.
4 (High): Serious breach of regulation leading to an investigation report to the authority with prosecution, major fine or litigation of > SAR 300,000 and ≤ SAR 500,000.
5 (Very High): Significant prosecution, litigation, fines and penalties per year > SAR 500,000, or imprisonment of one or more executives or directors.

Health and Safety
1 (Very Low): Slight injury or work illness, not affecting work performance, that can be self-administered.
2 (Low): Minor injury or work illness, slightly affecting work performance, with no restricted work cases.
3 (Moderate): Minor injury or limited health effects affecting work performance for < 5 working days.
4 (High): Multiple injuries or irreversible health effects affecting performance for the longer term.
5 (Very High): Fatalities / disabilities from accident or occupational illness.

Security
1 (Very Low): Temporary security issues or malfunctions for one of the security measures, or minor remediation or disturbance.
2 (Low): Any security related, suspicious or unexplainable activity, or short-term damage / interruption.
3–4 (Moderate–High): Any loss or compromise of non-public information or substantial remediation; temporary site closure (1 day); loss of accreditation; costs.
5 (Very High): Extreme security compromise creating the possibility of catastrophic financial losses or total replacement; permanent site closure.

Environment
1 (Very Low): Non-compliance with PME regulation from ISD environmental audit; quickly and easily reversible effects on the biological or physical environment.
2 (Low): Complaint from civil society or a notice from the regulator on pollution from the site; minor, short-term effects on the environment but not affecting the broader ecosystem.
3 (Moderate): Penalty from the regulator on pollution from the site; serious environmental effects where recovery takes less than 1 year; emission / discharge exceeding the legal standard.
4 (High): Very serious impairment of ecosystem functions where recovery takes between 1 and 3 years; single death of a protected plant / wildlife.
5 (Very High): Extreme widespread impairment of ecosystem functions where recovery is irreversible; destruction of protected wildlife, plants or their habitat.

Operational
1 (Very Low): Disruption of single transmission equipment; loss of ≤ 50 MV.
2 (Low): Disruption of multiple transmission equipment; loss of > 50 MV and ≤ 500 MV; partial loss for 1 bulk customer.
3 (Moderate): Disruption of one complete station; loss of > 500 MV and ≤ 2500 MV; complete loss for 1 bulk customer.
4 (High): Partial blackout of operation area; loss of > 2500 MV and ≤ 5000 MV; complete loss for 2 to 5 bulk customers.
5 (Very High): Total black out of operation area; loss of > 5000 MV; complete loss for > 5 bulk customers.

Human Resources
1 (Very Low): Negligible or isolated staff dissatisfaction.
2 (Low): Voluntary employee turnover (excluding managers, executives and rare talent) ≤ 5%; general staff morale and attitude problems.
3 (Moderate): Voluntary employee turnover > 5% and ≤ 10% of total workforce; poor reputation as an employer; widespread staff attitude problems and dissatisfaction.
4 (High): Voluntary employee turnover > 10% and ≤ 20% of total workforce; Company not perceived as employer of choice.
5 (Very High): Loss of any key executive team member / head or rare talent.

Stakeholder Relations
1 (Very Low): Minor incident not affecting any internal or external stakeholders.
2 (Low): Isolated or minor complaints from one stakeholder (except regulatory).
3 (Moderate): Multiple complaints by more than one internal and/or external stakeholder (except regulatory).
4 (High): Recurring complaints / loss of confidence by any one stakeholder (except regulatory) witnessed through frequent corrective feedback / action.
5 (Very High): Significant loss of confidence by any regulatory stakeholder, or loss of confidence by > 1 internal and external stakeholders (except regulatory).

Information Technology / Cybersecurity
1 (Very Low): No impact to service delivery obligations, or no penalty incurred for missed obligations.
2 (Low): Any systems compromise impacts IT / OT operations limited to a single service.
3 (Moderate): Any cybersecurity or system control lapse impacts business operations and/or power transmission limited to a single facility (Power Plant, Control Center, ITC Data Center).
4 (High): Any cybersecurity or system control lapse impacts business operations and/or power transmission in one sector (COA, EOA, WOA or SOA); multiple cyber attack attempts, though controlled.
5 (Very High): Any systems compromise impacts business operations and/or power transmission across the Kingdom (more than 1 sector).
RISK ASSESSMENT AT DIFFERENT LEVELS
Risk assessment at different levels (Level of Risk – definition – Risk Rating):

Inherent Risk
The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls).
As there are no controls to reduce the impact of the risk, the risk rating is highest at the inherent level: Very High.

Actual Residual Risk
The risk that remains after existing controls of the Company are taken into account (the net risk, or risk after current controls).
Existing controls reduce the rating to a certain extent: Moderate.

Target Residual Risk
The risk that remains after considering current controls and desired risk mitigation plans (the net risk after current and desired controls).
Mitigation plans further reduce the risk rating to an acceptable level: Low.
KEY STEPS IN RISK ASSESSMENT
The following steps are followed to assess each risk at the different levels:
1. Inherent risk impact, likelihood and rating are determined based on the risk assessment criteria. The category most impacted by the risk should be taken into consideration.
2. Existing controls are identified and mapped against the risks.
3. Actual residual risk impact, likelihood and rating are determined based on the risk assessment criteria.
4. Risk treatment strategy and action plan are determined.
5. Planned implementation timelines are defined.
6. Target residual risk impact, likelihood and rating are determined based on the risk assessment criteria.
DECIDING THE RISK TREATMENT STRATEGY
NG shall determine how it responds to the risks identified. Risk responses shall be assessed based on their effect on risk likelihood and impact as well as their costs and benefits. The risk response plan shall be aligned to NG’s Risk Management Philosophy, classified under the following ‘4T’s’:

Tolerate
When the risk is within risk appetite, the Company decides to Tolerate the risk.

Treat
When the risk is not within risk appetite, the Company may decide to Treat the risk by implementing strict controls to reduce its impact and likelihood.

Transfer
When the risk is not within risk appetite, the Company may decide to Transfer the risk to a third party.

Terminate
When the risk is not within risk appetite, the Company may decide to Terminate the risk by exiting the activity giving rise to the risk.
RISK ESCALATION MATRIX
Risk escalation is defined as a critical part of the ERM activities whereby a risk, based upon its risk score, is reported to the relevant level of authority in the company. The table below can serve as a guideline for the risk response action.
(Columns: Risk Score | Risk Rating | Risk Mitigation Strategy | Risk Escalation | Risk Response Action)

Risk Score 15–25 – Risk Rating: Very High / High
Risk Mitigation Strategy: Terminate / Treat / Transfer
Risk Escalation: Risks shall be brought to the notice of the ROCC, CEO, and NG Board.
Risk Response Action:
• Require the NG Board, CEO and the ROCC to take immediate action to reduce the risk and monitor the effectiveness of controls with the highest priority.
• Have a contingency plan in place.

Risk Score 5–14 – Risk Rating: Moderate
Risk Mitigation Strategy: Treat / Transfer / Tolerate
Risk Escalation: Risks shall be brought to the notice of managers / process owners.
Risk Response Action: Management shall consider actions to reduce the risk and closely monitor control actions.

Risk Rating: Low
Risk Mitigation Strategy: Not Applicable
Risk Response Action: Manage by routine control procedures and keep under review.

RISK ASSESSMENT CRITERIA – FINANCIAL
Risk Impact Assessment (Rating / Score): Minor (1), Important (2), Significant (3), Major (4), Severe (5).
Criteria:
Severe (5)
▪ Adverse impact on EBIT > 7%, or > 327 million, whichever is lower.
Major (4)
▪ Adverse impact on EBIT > 5% and ≤ 7%, or > 234 million and ≤ 327 million, whichever is lower.
Significant (3)
▪ Adverse impact on EBIT > 3% and ≤ 5%, or > 140 million and ≤ 234 million, whichever is lower.
Important (2)
▪ Adverse impact on EBIT > 1% and ≤ 3%, or > 47 million and ≤ 140 million, whichever is lower.
Minor (1)
▪ Adverse impact on EBIT ≤ 1%, or ≤ 47 million, whichever is lower.
RISK ASSESSMENT CRITERIA – REPUTATIONAL
Risk Impact Assessment (Rating / Score): Minor (1), Important (2), Significant (3), Major (4), Severe (5).
Criteria:
Severe (5)
▪ Extended national adverse media coverage or very serious social issues (such as civil rights, racial discrimination, gender inequality and other similar issues) at regional level with potential impact on business continuity / seizure or suspension of the operating license, requiring NG Board of Managers and Senior Management intervention.
▪ Serious public or media outcry or any events leading to tarnishing of the brand image and reputation of the Company.
▪ Any events and types of fraud within the Company having financial or non-financial impact.
Major (4)
▪ Adverse national media coverage or public attention with potential impact on business operations and possibilities for temporary suspension of the operating license, requiring Senior Management intervention.
▪ Events resulting in serious social issues / communal oppositions at national level or criticism from government agencies leading to temporary shutdown of offices or severe business interruptions.
Significant (3)
▪ Adverse local media coverage or public attention for > 1 day causing considerable impact on routine business operations, with possible need for Senior Management intervention.
▪ Ongoing serious social issues or negative publicity leading to remediation costs and warnings by the local community or government agencies.
Important (2)
▪ Ongoing social issues / isolated local public or media attention for < 1 day with no impact on business operations, which can be resolved by routine management actions.
▪ Heightened concern by the local community and negative publicity requiring the Company only to submit clarifications / show cause notices.
Minor (1)
▪ Events causing negative publicity or image only amongst internal stakeholders of NG, which can be resolved by routine management actions.

RISK ASSESSMENT CRITERIA – LEGAL AND COMPLIANCE
Risk Impact Assessment (Rating / Score): Minor (1), Important (2), Significant (3), Major (4), Severe (5).
Criteria:
Severe (5)
▪ Non-compliance / violation of legal / regulatory and any applicable statutory requirements (such as WERA, Ministry of Finance ZATCA, MOCI, NCA, Ministry of Human Resources and Social Development, etc.) that may lead to major penalties from regulatory / statutory bodies and/or loss of operating licenses and/or shutdown of offices.
▪ Significant prosecution, litigation, fines and penalties per year > SAR 500,000, or imprisonment of one or more executives, VPs or directors.
▪ Several / repeated non-compliance with internal policies / code of conduct / contracts that cause critical operational delays or suspension of specific operations and have an adverse impact on business.
Major (4)
▪ Non-compliance / violation of legal / regulatory and any applicable statutory requirements (such as WERA, Ministry of Finance ZATCA, MOCI, NCA, Ministry of Human Resources and Social Development, etc.) that may lead to penalties and/or lodging of complaints / warnings from regulatory / statutory bodies.
▪ Serious breach of regulation leading to an investigation report to the authority with prosecution / major fine / litigation of > SAR 300,000 and ≤ SAR 500,000.
▪ Non-compliance with internal policies or contracts that has occurred often / repeatedly, causing major operational delays and having an adverse impact on business.
Significant (3)
▪ Non-compliance with any legal / regulatory provision / recommendatory standards which may require the Company only to submit clarifications / show cause notices to the relevant authorities.
▪ Widespread, prolonged non-compliance with regulations, internal policies or contracts that may cause moderate operational delays or fines and penalties per year > SAR 100,000 and ≤ SAR 300,000.
Important (2)
▪ Repeated non-compliance with regulations, internal policies or contracts that can be remedied, may cause minimal operational delays / adverse impact on business, and can be resolved with minor penalties or fines per year ≤ SAR 100,000.
Minor (1)
▪ Isolated non-compliance with regulations, internal policies or contracts that can be easily / quickly remedied without any adverse impact on business or any penalty / regulatory or media attention.
RISK ASSESSMENT CRITERIA – HEALTH AND SAFETY
Risk Impact Assessment (Rating / Score): Minor (1), Important (2), Significant (3), Major (4), Severe (5).
Criteria:
Severe (5)
▪ Single fatality or multiple fatalities, or any disabilities (leading to the employee’s inability to work for the rest of their life) from an accident or occupational illness.
▪ Widespread epidemic / health disease.
▪ Incidents resulting in closure of the site, with major impact and needing third party help.
▪ Incidents resulting in direct losses of > SAR 6.5 M.
Major (4)
▪ Multiple injuries or irreversible health effects affecting work performance in the longer term, e.g. prolonged absences from work, irreversible health damage, chronic conditions, with lost time injury of ≥ 5 working days and hospitalization.
▪ Incidents resulting in temporary site closure (more than a day).
▪ Incidents resulting in direct losses > SAR 650,000 and ≤ SAR 6.5 M.
Significant (3)
▪ Minor injury or limited health effects affecting work performance, e.g. restriction to activities (restricted work cases – RWC) or need to take time off from work to recover, with lost time injury of < 5 working days.
▪ Incidents resulting in temporary site closure (less than a day).
▪ Incidents resulting in direct losses > SAR 65,000 and ≤ SAR 650,000.
Important (2)
▪ Minor injury or work illness, slightly affecting work performance with no restricted work cases, but needing remediation by first aid treatment.
▪ Incidents resulting in direct losses ≤ SAR 65,000.
Minor (1)
▪ Slight injury or work illness, not affecting work performance, that can be self-administered by first aid treatment or requires no specific treatment.
RISK ASSESSMENT CRITERIA – SECURITY
Risk Impact Assessment (Rating / Score): Minor (1), Important (2), Significant (3), Major (4), Severe (5).
Criteria:
Severe (5)
▪ Extreme risk of security controls being compromised to the extent of creating the possibility of catastrophic financial losses occurring as a result.
▪ Security incidents with losses or damage in terms of extensive loss of life, business interruptions and total loss of primary services such as telephone and communication lines, water, escalators, lifts, lighting, fire systems, alarms, ventilation and other such services.
▪ Events resulting in property and related damages > SAR 3.25 M.
Major (4)
▪ Any unauthorized intrusion to a site or facility that has major impact and requires external assistance and large-scale remediation.
▪ Security incidents with losses or damage in terms of widespread onsite serious injuries and partial loss of primary services.
▪ Temporary site closure (more than a day).
▪ Events resulting in property and related damages > SAR 650,000 and ≤ SAR 3.25 M.
Significant (3)
▪ Any loss or compromise of non-public belongings that causes adverse impact to business.
▪ Security incidents with losses or damage in terms of possible widespread offsite serious injuries.
▪ Temporary site closure (less than a day).
▪ Events resulting in property and related damages > SAR 65,000 and ≤ SAR 650,000.
Important (2)
▪ Any security related, suspicious or unexplainable activity or communication resulting in adverse consequences.
▪ Security incidents with losses or damage in terms of medical treatment cases without any business interruptions.
▪ Events resulting in property and related damages > SAR 6,500 and ≤ SAR 65,000.
Minor (1)
▪ Temporary security issues or malfunctions for one of the security measures such as CCTV, access systems, unavailability of a security guard and other related measures.
▪ Events resulting in property and related damages < SAR 6,500.

RISK ASSESSMENT CRITERIA – ENVIRONMENT
Risk Impact Assessment (Rating / Score): Minor (1), Important (2), Significant (3), Major (4), Severe (5).
Criteria:
Severe (5)
▪ Persistent severe environmental damage causing national media coverage over multiple days where environmental remediation is required. The cost of remediation or penalties is > SAR 3.25 M, involving regulatory authority investigation / oversight of the process and other significant community impact.
▪ Extreme widespread impairment of ecosystem functions where recovery is irreversible or takes more than 3 years; destruction of protected wildlife, plants or their habitat; multiple deaths.
Major (4)
▪ Significant damage to the environment over the long term (> 1 year), or major annoyance to the local community, or multiple community complaints (> 5) with possibilities of civil prosecution or fines > SAR 130,000 and ≤ SAR 3.25 M.
▪ Very serious impairment of ecosystem functions where recovery takes between 1 and 3 years; single death of a protected plant / wildlife.
▪ Loss of containment off site (more than 100 barrels).
Significant (3)
▪ Contamination, temporary or short-term damage to the environment (< 1 year), or repeat community complaints (< 5) with possibilities of civil prosecution or fines > SAR 32,500 and ≤ SAR 130,000.
▪ Penalty from the regulator on pollution from the site; serious environmental effects where recovery takes less than 1 year; emission / discharge exceeding the legal standard; loss of containment off site ≤ 100 barrels.
Important (2)
▪ Short-term damage to the environment with moderate remediation, and temporary or limited annoyance to the local community with regulatory enforcement or civil action, e.g. notice or warning letters or penalties / fines > SAR 650 and ≤ SAR 32,500.
▪ Complaint from civil society or a notice from the regulator on pollution from the site; minor, short-term effects on the environment but not affecting the broader ecosystem; loss of containment > 100 barrels (remains on premises).
Minor (1)
▪ Negligible impact on the environment and no annoyance to the local community.
▪ Non-compliance with PME (Presidency of Meteorology and Environment) regulation from environmental audits; quickly and easily reversible effects on the biological or physical environment; loss of containment ≤ 100 barrels (remains on premises).
RISK ASSESSMENT CRITERIA – OPERATIONAL
Risk Impact Assessment (Rating / Score): Minor (1), Important (2), Significant (3), Major (4), Severe (5).
Criteria – events resulting in:
Severe (5)
▪ Total black out of operation area.
▪ Megawatts loss of > 5000 MV.
▪ Restoration period for operations from disruption > 24 hours.
▪ Complete loss for > 5 bulk customers.
Major (4)
▪ Partial blackout of operation area.
▪ Megawatts loss of > 2500 MV and ≤ 5000 MV.
▪ Restoration period for operations from disruption > 12 hours and ≤ 24 hours.
▪ Complete loss for 2 to 5 bulk customers.
Significant (3)
▪ Disruption of one complete station.
▪ Megawatts loss of > 500 MV and ≤ 2500 MV.
▪ Restoration period for operations from disruption > 6 hours and ≤ 12 hours.
▪ Complete loss for 1 bulk customer.
Important (2)
▪ Disruption of multiple transmission equipment.
▪ Megawatts loss of > 50 MV and ≤ 500 MV.
▪ Restoration period for operations from disruption > 1 hour and ≤ 6 hours.
▪ Partial loss for 1 bulk customer.
Minor (1)
▪ Disruption of single transmission equipment.
▪ Megawatts loss of ≤ 50 MV.
▪ Restoration period for operations from disruption ≤ 1 hour.
RISK ASSESSMENT CRITERIA – HUMAN RESOURCES
Risk Impact Assessment (Rating / Score / Criteria)
Severe (5)
▪ Unexpected / unplanned loss of any key executive team members (CXOs, and VPs).
▪ Unexpected / unplanned loss of heads of departments / managers or rare talent such as critical system operators / technicians or others that are scarce in the market and considered to be a key dependency on operations.
▪ Voluntary employee turnover/ change (excluding managers, executive and rare talent) of > 20% of total workforce at any point of time.
▪ Significant shortfall in Saudization targets below 50% leading to major penalties/ restrictions.
Major (4)
▪ Voluntary employee turnover/ change (excluding managers, executive and rare talent) of > 10% and ≤ 20% of total workforce at any point of time.
▪ Shortfall in Saudization targets below 60% which may lead to penalties and / or impositions of restrictions from regulatory/ statutory bodies.
▪ Company not perceived as employer of choice; the employees satisfaction percentage / promoter score for work environment < 50%.
Significant (3)
▪ Voluntary employee turnover/ change (excluding managers, executive and rare talent) of > 5% and ≤ 10% of total workforce at any point of time.
▪ Shortfall in Saudization targets below 70% may require the Company to only submit clarifications / show cause notices to relevant authorities.
▪ Poor reputation as an employer; widespread staff attitude problems and dissatisfaction; the employees satisfaction percentage / promoter score for work environment ≥ 50% and < 60%.
Important (2)
▪ Voluntary employee turnover/ change (excluding managers, executive and rare talent) of ≤ 5% of total workforce at any point of time.
▪ General staff morale and attitude problems; the employees satisfaction percentage / promoter score for work environment ≥ 60% and < 70%.
Minor (1)
▪ Negligible or isolated staff dissatisfaction; the employees satisfaction percentage / promoter score for work environment ≥ 70%.
RISK ASSESSMENT CRITERIA – STAKEHOLDER RELATIONS
Risk Impact Assessment (Rating / Score / Criteria)
Severe (5)
▪ Significant loss of confidence (in terms of NG achieving its business objectives) by any regulatory stakeholders witnessed through frequent corrective feedback / actions.
▪ Loss of confidence (in terms of NG achieving its business objectives) by more than one internal and external stakeholders (except regulatory).
Major (4)
▪ Loss of confidence by any regulatory stakeholders witnessed through rare corrective feedback / actions.
▪ Recurring complaints / loss of confidence by any one stakeholder (except regulatory) witnessed through frequent corrective feedback/action.
Significant (3)
▪ Loss of confidence by any one stakeholder (except regulatory) witnessed through rare corrective feedback / action.
▪ Multiple complaints by more than one internal and/or external stakeholders (except regulatory).
Important (2)
▪ Isolated or minor complaints from one stakeholder (except regulatory).
Minor (1)
▪ Minor incident not affecting any internal or external stakeholders.
RISK ASSESSMENT CRITERIA – INFORMATION TECHNOLOGY / CYBER SECURITY
Risk Impact Assessment (Rating / Score / Criteria)
Severe (5)
▪ Serious cybersecurity breaches that may lead to any material loss to the Company including loss/compromise of any critical or classified business information.
▪ Any systems compromise impacts business operations and / or power transmission across the Kingdom (more than 1 sector).
▪ More than 1 incident of cyber threat or attack to business or operations applications (per year).
Major (4)
▪ Any cybersecurity or system control lapse, loss of internet, network and unplanned downtimes impacts business operations and / or power transmission in one sector (COA, EOA, WOA or SOA); multiple cyber attack attempts, though controlled.
▪ 1 incident of cyber threat or attack to business or operations applications (per year).
Significant (3)
▪ Any cybersecurity or system control lapse, loss of internet, network and unplanned downtimes impacts business operations and/or power transmission limited to a single facility (Power Plant, Control Center, ITC Data Center).
▪ IT incidents with high severity remaining unresolved beyond the prescribed SLAs.
Important (2)
▪ Any systems compromise impacts IT / OT operations limited to a single service.
▪ IT incidents with medium severity remaining unresolved beyond the prescribed SLAs.
Minor (1)
▪ IT incidents with low severity remaining unresolved beyond the prescribed SLAs.
RISK ASSESSMENT EXAMPLE (1/2)
Risk Title: Aged equipment and transmission infrastructure
Risk Impact Category: Operational
Risk Description: Aged equipment may be used by the Company for various regions, including transformers and other critical assets for transmission of power to the customers in the region. Further, the Company may not have defined an adequate asset replacement strategy for its aging equipment. This may lead to possibilities of frequent breakdown of equipment resulting in complete or partial blackouts impacting the Company's financials, reputation and stakeholder relations.
Existing Controls:
1) The Company has an investment planning policy based on which the risk analysis is performed to replace the equipment.
2) The Company is implementing a project in the current year for replacement of obsolete equipment.
3) The procedure is in place to identify the obsolete assets like transformers and replace the same or improve its performance by replacing spare parts.
4) For replacement of assets, analysis is being performed by maintenance team and concerned department needs to decide whether to replace the asset or not.
5) Several technical criteria are evaluated to identify whether to replace the asset like availability of spare parts, equipment failure rate etc. After analyzing these criteria decision for replacement is taken.
6) A benchmarking study has also been conducted to identify the average age of the equipment as per the industry standards.
Inherent Risk Rating: Very High (5 X 4 = 20)
Residual Risk Rating: High (4 X 4 = 16)
Mitigation Plan / Desired Controls:
1) The Company shall explore the possibility of developing and implementing an asset replacement strategy to ensure timely replacement of assets and other old aged infrastructure.
Target Risk Rating: Moderate (3 X 3 = 9)
Notes:
Based on risk impact category – Risk appetite level at different levels is calculated.
At Inherent Level – Risk is not within appetite of the Company. As a result of existing controls, reduction in likelihood and impact score of the risk will lead to reduction in overall risk rating.
At Actual Residual level – Existing controls are not sufficient to bring the risk within appetite of the Company. As the risk is not within appetite, mitigation plans are implemented to further reduce the risk rating.
At Target Residual level – Mitigation plan brings the risk within appetite of the Company.
RISK ASSESSMENT EXAMPLE (2/2)
Risk Title: Workforce Constraints to Support Strategic Asset Management
Risk Impact Category: Human resources
Risk Description: The Company may not have adequate workforce with required technical skills set and trainings. Further, the manpower plan and budget may not be well defined projecting the requirements for next 1-3 years and linked with the Company's strategic objectives and business plans. This may lead to shortage of right skill sets, increased manpower costs due to unnecessary / inefficient resources and disruptions in department activities.
Existing Controls:
1) Manpower planning is performed on annual basis.
2) As a process annually, the manpower requirements from the department are collected by the Business Coordination Department and submitted to the NG CEO for review and approval. Based on the CEO's approval, the manpower requirement plan is submitted to the SEC Corporate HR Team.
3) In case of any shortage of staff/ expertise, consultants are hired for the activities and tasks for which department do not have the adequate skills.
Inherent Risk Rating: High (4 X 4 = 16)
Residual Risk Rating: Moderate (3 X 4 = 12)
Mitigation Plan / Desired Controls:
1) As a part of the budget exercise a detailed Manpower plan shall be developed and shall include the following:
- Forecasting the overall human resources requirements in accordance with the organizational plans / strategy;
- In case of future surplus, plan for redeployment and in case of future deficit, forecast the future need of manpower;
- Plan / Schedule for recruitment, development and internal mobility if future supply is more than or equal to net manpower requirements.
2) Manpower plan shall be reviewed and approved as per the DOA of the Company.
3) The Company shall identify specific universities in the country for hiring fresh and qualified talent and thereafter nurture them to handle the critical operations of the department.
Target Risk Rating: Low (3 X 2 = 6)
Notes:
Based on risk impact category – Risk appetite level at different levels is calculated.
At Inherent Level – Risk is not within appetite of the Company. As a result of existing controls, reduction in likelihood and impact score of the risk will lead to reduction in overall risk rating.
At Actual Residual level – Existing controls are sufficient to bring the risk within appetite of the Company. As the risk is within appetite, mitigation plans are not required. However, the following are optional plans.
At Target Residual level – Mitigation plan further reduces the risk to Low level.
TRAINING ACTIVITY – CASE STUDY
You have been provided with a case study handout to identify risks for a manufacturing company operating in the Kingdom of Saudi Arabia. Based on the understanding of today's session, you are required to rate the risks identified in the case study.
Time Allocated: 45 Mins to 1 Hr.
• Rating of risks by the participants – 25 Mins.
• Presentation and discussion of the risks rated by the participants – 20 Mins.
Instructions
1. Everyone must participate; rate the risks in your laptop / notepad.
2. Participants are encouraged to ask for additional information, if warranted or appropriate.
Questions & Answers Session
Thank You
COMPANY XYZ RISKS ASSESSMENT MATRIX
Risk Score = Impact X Likelihood

Likelihood scale:
Rare (1) – May never occur or has never been recorded in industry.
Unlikely (2) – Unlikely to occur but has been recorded in the industry.
Possible (3) – Occasional or occurred once per year at XYZ Co. / more than once per year in the industry.
Likely (4) – Likely to occur or occurred more than once per year at XYZ Co.
Almost Certain (5) – Almost certain to occur or occurred several times at XYZ Co.

Risk score and rating (Impact X Likelihood):
Likelihood \ Impact  | Minor (1)   | Important (2) | Significant (3) | Major (4)     | Severe (5)
Almost Certain (5)   | 5 Low       | 10 Moderate   | 15 High         | 20 Very High  | 25 Very High
Likely (4)           | 4 Very Low  | 8 Low         | 12 Moderate     | 16 High       | 20 Very High
Possible (3)         | 3 Very Low  | 6 Low         | 9 Moderate      | 12 Moderate   | 15 High
Unlikely (2)         | 2 Very Low  | 4 Very Low    | 6 Low           | 8 Low         | 10 Moderate
Rare (1)             | 1 Very Low  | 2 Very Low    | 3 Very Low      | 4 Very Low    | 5 Low

Impact scale by Risk Impact Category*:
Reputational
▪ Severe (5): Event causing international media attention.
▪ Major (4): Event causing national media attention.
▪ Significant (3): Event causing local media attention of > 1 day.
▪ Important (2): Event causing local media attention of < 1 day.
▪ Minor (1): Event causing internal Company level attention.
Legal, Regulatory and Compliance
▪ Severe (5): Violation of any regulatory requirement leading to loss of licenses or penalties > SAR 500K.
▪ Major (4): Violation of any regulatory requirement leading to warnings, penalties > SAR 400K and ≤ 500K.
▪ Significant (3): Violation of regulatory recommendation requiring clarifications or penalties > SAR 300K and ≤ 400K.
▪ Important (2): Violation of regulatory / internal policies or contracts with minimal impact on operations or penalties > SAR 200K and ≤ 300K.
▪ Minor (1): Violation of regulatory / internal policies or contracts with no impact on operations or penalties ≤ 200K.
Health, Safety, Security and Sustainability
▪ Severe (5): Fatality or any disabilities or environmental damage involving regulatory authority investigation.
▪ Major (4): Multiple injuries or irreversible health effects or long-term damage to the environment > 1 year.
▪ Significant (3): Minor injury affecting work performance or short-term damage to the environment < 1 year.
▪ Important (2): Slight injury not affecting work performance or limited environmental annoyance to local community.
▪ Minor (1): Negligible impact on environment.
Financial
▪ Severe (5): Impact on budgeted net income of > 30% variance.
▪ Major (4): Impact on budgeted net income of > 22% and ≤ 30% variance.
▪ Significant (3): Impact on budgeted net income of > 14% and ≤ 22% variance.
▪ Important (2): Impact on budgeted net income of > 6% and ≤ 14% variance.
▪ Minor (1): Impact on budgeted net income of ≤ 6% variance.
Information Technology
▪ Severe (5): Data and cyber security breach.
▪ Major (4): Loss of network, internet, system downtimes > 45 mins and ≤ 1 hour.
▪ Significant (3): Loss of network, internet, system downtimes > 30 mins and ≤ 45 mins.
▪ Important (2): Loss of network, internet, system downtimes ≤ 30 mins.
▪ Minor (1): IT incidents with low severity remaining unresolved.
Human Resource
▪ Severe (5): Loss of any key executive team / heads or rare talent or turnover for > 15%.
▪ Major (4): Voluntary turnover of > 11% and ≤ 15%.
▪ Significant (3): Voluntary turnover of > 7% and ≤ 11%.
▪ Important (2): Voluntary turnover of > 3% and ≤ 7%.
▪ Minor (1): Voluntary turnover of ≤ 3%.
*Notes: 1. Risks must be assessed across all relevant categories. Should a risk have an impact across multiple categories, it would be categorized as per the category in which it has the greatest impact.
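As an added illustration of how the matrix is applied (example code written for this page, not part of the training material), the following Python encodes the rating bands from the score grid and the Financial and Human Resource impact thresholds the matrix states, then rates a constructed sample risk across both categories as note 1 requires. The sample figures (25% variance, 4% turnover, the "Likely" and "Possible" judgements) are constructed for the example and are not taken from the case study.

```python
from __future__ import annotations

# Likelihood scale from the matrix: Rare 1 ... Almost Certain 5
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}

# Rating bands read off the grid: 1-4 Very Low, 5-8 Low, 9-12 Moderate, 15-16 High,
# 20-25 Very High (products such as 13, 14 or 18 cannot occur on a 5 x 5 grid).
BANDS = ((4, "Very Low"), (8, "Low"), (12, "Moderate"), (16, "High"), (25, "Very High"))

def rating(impact: int, likelihood: int) -> tuple[int, str]:
    """Risk Score = Impact X Likelihood, mapped to the matrix's rating band."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be on the 1-5 scale")
    score = impact * likelihood
    return score, next(band for upper, band in BANDS if score <= upper)

def _scale(value: float, uppers: tuple[float, ...]) -> int:
    """Map a value to 1..5 using inclusive upper bounds, as the matrix's '<=' does."""
    return next((lvl for lvl, upper in enumerate(uppers, start=1) if value <= upper), 5)

def financial_impact(variance_pct: float) -> int:
    """Variance from budgeted net income: <=6% Minor (1) ... >30% Severe (5)."""
    return _scale(variance_pct, (6, 14, 22, 30))

def hr_impact(turnover_pct: float, key_talent_lost: bool = False) -> int:
    """Loss of key executives / heads / rare talent is Severe whatever the turnover;
    otherwise voluntary turnover: <=3% Minor (1) ... >15% Severe (5)."""
    return 5 if key_talent_lost else _scale(turnover_pct, (3, 7, 11, 15))

def assess(impacts: dict[str, int], likelihood: int) -> dict:
    """Note 1 of the matrix: a risk touching several categories is rated on the
    category in which its impact is greatest."""
    category = max(impacts, key=impacts.get)
    score, band = rating(impacts[category], likelihood)
    return {"category": category, "impact": impacts[category],
            "likelihood": likelihood, "score": score, "rating": band}

if __name__ == "__main__":
    # Constructed sample risk (not from the case study): an unplanned plant outage
    # costing 25% of budgeted net income and prompting 4% voluntary turnover, judged
    # "Likely" because it has occurred more than once per year at the company.
    inherent = assess({"Financial": financial_impact(25), "Human Resource": hr_impact(4)},
                      LIKELIHOOD["Likely"])
    # Existing controls cut the expected loss to 18% and the likelihood to "Possible".
    residual = assess({"Financial": financial_impact(18), "Human Resource": hr_impact(4)},
                      LIKELIHOOD["Possible"])
    print(inherent, residual, sep="\n")  # High (4 X 4 = 16), then Moderate (3 X 3 = 9)
```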
