GLD.

017
RISK MANAGEMENT

Group Risk Assessment and Assurance

The Key Contact for this GLD is listed on the Portal.

Authorities

Please click here for list of authorities relating to this GLD.

Glossary

Please click here for list of glossary terms relating to this GLD.

Brief description

Performance requirements for the assessment, control, monitoring and reporting of material risks
that could impact Our Purpose and business plans.

Version: 4.0 (23 August 2013)

BHP Billiton Group Level Document (printed copies are uncontrolled)
GLD.017
RISK MANAGEMENT

1. Risk management reporting

Identify and report all material risks that have the potential to impact the delivery of business plans.

• Appoint risk management resources and document responsibilities in position descriptions.

• Maintain a Risk Register for each Business, Asset, Marketing and Group Function and incorporate a review of material risks into
the regular management agenda.
• Review, update and authorise (click here) the material risk profile and tolerability biannually, identifying new material risks or
changes to existing material risks. Report the material risk profile to the Business Group Risk and Audit Committee biannually.
• Report material risk data biannually to Group Risk Assessment and Assurance using the Group Risk Data Capture template.

2. Risk assessment
Conduct a risk assessment on all material risks to understand their potential causes and impacts and to
determine the tolerance of the material risks in the context of business plans.

• Conduct risk assessments for all material risks and record outcomes in a Risk Register.

Material Risk Identification

• Identify material risks using the following materiality criteria: Maximum Foreseeable Loss (MFL) is ≥ level 5 impact; or Residual
Risk Rating (RRR) is ≥ 90 (Appendix 1).

Material Risk Analysis

• Analyse material risks to determine: causes, existing preventative controls, impacts, existing mitigating controls, and control design
improvement tasks.
• Assess the MFL for all possible impact types in the severity table and determine which has the highest RRR.
• Record outcome of risk analysis in a ‘bow tie’.

Material Risk Evaluation

• Evaluate material risks by comparing the RRR with the results of the material risk control assessment (Appendix 2).
• Determine if material risks are tolerable using the following tolerability criteria: RRR ≤ 90 and material risk control assessment is
‘well controlled’.
• Implement and monitor a management plan to reduce the residual risk or improve the controls if RRR is ≥ 90 and material risk
control assessment is not ‘well controlled’.

3. Risk control
Critical controls must be implemented and managed so that material risks are ‘well-controlled’.

• Identify and document critical controls for each material risk, which include the following four elements: title, objective, performance
standards and assessment criteria. For material risks that could interrupt the BHP Billiton Group, develop a business continuity plan
as a critical control.
• Implement, operate and verify critical controls.
• Assess critical controls (Appendix 2) and conduct a material risk control assessment (Appendix 2) annually and record in the Risk
Register. The material risk owner is accountable for the completion of the material risk control assessment.

Version: 4.0 (23 August 2013)

BHP Billiton Group Level Document (printed copies are uncontrolled) page 2 of 6
GLD.017
RISK MANAGEMENT

Appendix 1. Severity and Likelihood tables

Severity Impact Types Severity
Level 1 2 Factor
Health and safety Environment Community Reputation Legal Financial
7 >50 fatalities. Permanent severe impact/s Complete breakdown of social order. Prolonged (>2 months) international Hostile takeover, public ≥ US$2.5 1000
Permanent impairment to land, biodiversity, Widespread desecration of items of global multi-Non-Government Organisation shareholder discontent billion (BHP
>30% of body to more ecosystem services, water cultural significance. Company directly and media condemnation. resulting in loss of Chairman/ Billiton share)
than 500 persons. resources or air. responsible or complicit in severe and CEO/Board, bankruptcy,
widespread long-term impacts on human closure of operations on
rights. multiple sites or BHP Billiton.

6 >20 fatalities. Severe impact/s (>20years) A breakdown of social order. Widespread International multi-NGO and media Lack of valid operating title, ≥ US$1 billion 300
Permanent impairment to land, biodiversity, damage to items of global cultural condemnation. BHP Billiton direct forced closure of an to <US$2.5
>30% of body to more ecosystem services, water significance. Highly offensive infringements action (includes partner/contractor operation, competition law or billion
than100 persons. resources or air. of cultural heritage. Company directly action) results in reputation issue. Foreign Corrupt Practices (BHP Billiton
responsible or complicit in severe, long-term Large violent protest (>100 people) inquiry. share)
impacts on human rights. resulting in fatal injuries

5 2-20 fatalities. Serious or extensive Extensive long-term social impacts. Serious public or national media Fines and prosecutions ≥ US$250 100
Permanent impairment impact/s (<20 years) to Widespread damage to structures/ outcry (international coverage). relating to criminal breaches million to
>30% of body more land, biodiversity, items/locations of national cultural Damaging NGO campaign. BHP including jail terms and being <US$1 billion
than 10 persons. ecosystem services, water significance. Serious infringements of Billiton reputation severely tarnished. the subject of a royal (BHP Billiton
resources or air. cultural heritage. Company directly Third-party actions (where BHP commission. share)
responsible or complicit in multiple Billiton is one of many in a group)
aggravated impacts on human rights. result in reputation impact. Large
protest (>100 people) with significant
violence & serious, multiple injuries

4 Single fatality. Major impact/s Major long-term social impacts or on-going Major adverse national media/ Major civil litigation including ≥ US$25 30
Permanent impairment (<5 years) to land, social issues. Damage to structures/items of public/NGO attention. 20-100 people class actions. million to
>30% of body to one or biodiversity, ecosystem national cultural significance. Major protest, people restrained with force, <US$250
more persons. services, water resources infringement and disregard of cultural arrests and injuries. Asset/Business million
or air. heritage. Company directly responsible or reputation majorly impacted. (BHP Billiton
complicit in major human rights impacts. share)

Version: 4.0 (23 August 2013)

BHP Billiton Group Level Document (printed copies are uncontrolled) page 3 of 6
GLD.017
RISK MANAGEMENT

Severity Impact Types Severity

Level 1 2 Factor
Health and safety Environment Community Reputation Legal Financial
3 Permanent impairment Moderate impact/s Moderate medium-term social impacts or Attention from regional media and/or Breach of regulation. ≥ US$2.5 10
<30% of body to one or (<1 year) to land, frequent social issues. Moderate damage to heightened concern by local community. Lack of valid exploration million to <
more persons. biodiversity, ecosystem structures/ items of local cultural significance. Criticism by community, NGOs or title. US$25 million
Days lost due to injury services, water resources Moderate infringement of cultural activists. Asset reputation adversely (BHP Billiton
or illness. or air. heritage/sacred locations. Moderate, affected. share)
temporary human rights impacts.

2 Objective but reversible Minor impact/s Minor medium-term social impacts on small Adverse local public or media attention Minor legal issues, non- ≥US$250,000 3
impairment. (<3 months) to land, number of people. Minor repairable damage or and complaints. Heightened scrutiny from compliances and to <US$2.5
Medical treatment biodiversity, ecosystem disturbance to property, structures, or items. regulator. Asset reputation is adversely breaches of regulation. million
injury or illness. services, water resources Minor infringement of cultural heritage. Minor, affected with a small number of people. (BHP Billiton
or air. temporary human rights impacts share)

1 Low-level short-term Low-level impact/s to Low-level social impacts. Low-level Public concern restricted to local Low-level legal issue. <U$250,000 1
subjective symptoms or land, biodiversity, infringement of cultural heritage or minimal complaints. Low-level interest from local (BHP Billiton
inconvenience. No ecosystem services, disturbance to heritage structures. Minimal media and/or regulator. share)
medical treatment. water resources or air. impact on human rights.
(1) Impairment to be determined using the American Medical Association Guide to Permanent Impairment.
(2) Where the financial impact is expected to be a one-off amount, it must be calculated as the resultant change in the Earnings Before Interest and Tax (EBIT) in that year. Where the financial impact is expected to be an
ongoing annual reduction in EBIT, it must be calculated as the Net Present Value (NPV) of those future reductions in EBIT.

Version: 4.0 (23 August 2013)

BHP Billiton Group Level Document (printed copies are uncontrolled) page 4 of 6
GLD.017
RISK MANAGEMENT

Likelihood table
Use this table to measure the chance of the impact at the severity which is being used in the calculation of the Residual Risk Rating.
Business Projects
Based on BHP Billiton and industry Based on BHP Billiton and industry Likelihood
Uncertainty experience and expected future experience and expected future conditions, Factor
conditions, the risk event: with similar studies or projects, the risk
event:
Almost Could be incurred more than once in a year. Could be expected to occur more than once 10
certain during the study or project delivery.
Likely Could be incurred over a 1 - 2 year budget Could easily be incurred and has generally 3
period. occurred in similar studies or projects.
Possible Could be incurred within a 5 year strategic Incurred in a minority of similar studies or 1
planning period. projects.
Unlikely Could be incurred within a 5 - 20 year time Known to happen, but only rarely. 0.3
frame.
Rare Could be incurred in a 20 - 50 year Has not occurred in similar studies or projects, 0.1
timeframe. but could.
Very rare For a system failure: Conceivable, but only in extreme 0.03
• This consequence has not happened in circumstances.
the industry in the last 50 years.
For a natural hazard:
• The predicted return period for a risk of this
strength/ magnitude is one in 100 years or
longer.

Version: 4.0 (23 August 2013)

BHP Billiton Group Level Document (printed copies are uncontrolled) page 5 of 6
GLD.017
RISK MANAGEMENT

Appendix 2. Critical control and material risk control assessment

Critical control assessment

Critical control effectiveness assessment must use critical control verification (verification of design to control objective and operation
of control as designed) and, where applicable, actual control failure or a control failure that resulted in a similar control failure, internal
audit findings, external audit findings, management reviews.
Rating Explanation
Effective Performance standard requirements for the critical control have been evaluated and are adequate,
appropriate, effective and being achieved.
Not effective Performance standard requirements for the critical control have been evaluated and some are not
adequate, appropriate, effective or being achieved.

Material risk control assessment

Each material risk must be assessed according to the categories below. The material risk control assessment must use critical
control assessment results and, where applicable, actual control failure or a control failure that resulted in a similar material risk,
internal audit findings, external audit findings, management reviews.
Rating Explanation
Well controlled Controls, processes and performance requirements evaluated are adequate, appropriate and effective to
provide reasonable assurance that risks are being managed and business and functional effectiveness
objectives should be met.
Requires some A few specific control or performance requirement weaknesses were noted; generally however, controls
improvement and performance requirements evaluated are adequate, appropriate and effective to provide reasonable
assurance that risks are being managed and objectives should be met. Certain controls or may require
improvement to ensure that the overall environment will continue to operate effectively.
Requires Numerous specific controls or functional priority performance requirement weaknesses were noted.
significant Controls or performance requirements evaluated are unlikely to provide reasonable assurance that risks
improvement are being managed and business and functional effectiveness objectives should be met. The control
framework needs improvement to achieve a satisfactory level of risk mitigation.
Uncontrolled Controls and performance requirements evaluated are not adequate, appropriate or effective to provide
reasonable assurance that risks are being managed and objectives should be met. There is an urgent
need for management to improve the control framework to achieve a satisfactory level of risk mitigation.

Version: 4.0 (23 August 2013)

BHP Billiton Group Level Document (printed copies are uncontrolled) page 6 of 6