RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
P.O. BOX: 759, RAS TANURA 31941 – KSA
TEL. NO. (03) 668 1617/1514 – 667 2219
FAX NO. (03) 668 1564
WEBSITE: www.rapcogroups.com
RISK ASSESSMENT
1.0
PURPOSE
2.0
The purpose of this procedure is to establish and maintain procedures
in assessing risks.
3.0
This procedure is a guide in assessing risk in RAPCO facilities,
project sites and operations.
SCOPE
RESPONSIBILITY
 All RAPCO personnel
4.0
 EHS Internal Auditors
PROCEDURE
4.1
Basic Steps of Risk
Assessment
4.1.1
Classify works operations:
 Geographical area within/outside RAPCO premises
 Warehouse operations / materials stocking
 Planned work
 Reactive work (work reacting to an unplanned event)
 Defined tasks (material receiving / shipping)
4.1.2
 Identified working groups
Identify hazards:
 Is there a source of harm?
 Who (or what) could be harm?
4.1.3
 How could harm occur?
Categorizing hazards:
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
P.O. BOX: 759, RAS TANURA 31941 – KSA
TEL. NO. (03) 668 1617/1514 – 667 2219
FAX NO. (03) 668 1564
WEBSITE: www.rapcogroups.com
 Mechanical / Electrical
 Substances (chemicals, solvent)
 Fire / Explosion
 Temperature (hot or cold)
4.1.4
 Biological
Work Activities which hazards may exist:
 Slips/fall on the level, from heights, tools and materials
 Hazards associated with manual lifting/handling
 Forklift / equipment hazards
 Fire and explosion
 Harmful energies (electricity)
 Inadequate thermal environment (too hot or too cold)
 Contractor activities / violence to staff
4.2
 Substance that may be inhaled, may damage the eye
and may cause harm in skin or being ingested
Determine Risk
The risk from the hazard should be determined by assessing:
4.2.1
Severity of harm
 the part(s) of the body likely to be affected;
 the nature of the harm, (slight to extremely harmful)
A. Slightly harmful
 superficial injuries; minor cuts and bruises; eye irritation
 nuisance and irritation; ill-health leading to
temporary discomfort;
B. Harmful
 lacerations; burns; concussion; serious sprains; fractures;
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
P.O. BOX: 759, RAS TANURA 31941 – KSA
TEL. NO. (03) 668 1617/1514 – 667 2219
FAX NO. (03) 668 1564
WEBSITE: www.rapcogroups.com
 deafness; dermatitis; asthma; work-related
upper limb disorders; ill-health;
C Extremely harmful
 amputations; major fractures; poisonings; multiple
injuries;
fatal injuries;
4.2.2
 occupational cancer; other severely life shortening
diseases;
acute fatal diseases
Likelihood of harm
 number of personnel exposed
 frequency and duration of exposure to the hazard
 failure of equipment and safety devices
 exposure to the elements
 protection afforded by PPE and its usage rate
4.3
 unsafe acts (unintended errors or intentional
violations) by persons.
Decide if the risk is tolerable or has been reduced
4.3.1
HIGHLY UNLIKELY
UNLIKELY
LIKELY
SLIGHTLY
HARMFUL
Trivial Risk
Tolerable Risk
Moderate Risk
4.3.2
RISK LEVEL
TRIVIAL
A simple risk-level estimator guide:
HARMFUL
Tolerable Risk
Moderate Risk
Substantial Risk
EXTREMLY
HARMFUL
Moderate Risk
Substantial Risk
Intolerable Risk
A simple risk-based control plan guide:
ACTION and TIME SCALE
No action is required and no documentary records need to keep.
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
P.O. BOX: 759, RAS TANURA 31941 – KSA
TEL. NO. (03) 668 1617/1514 – 667 2219
FAX NO. (03) 668 1564
WEBSITE: www.rapcogroups.com
TOLERABLE
MODERATE
SUBSTANTIAL
INTOLERABLE
No additional controls are required. Consideration may be given to a
more
cost-effective solution or improvement that imposed no additional
cost burden.
Monitoring
required
ensure
the controls
are
Efforts
should
be made toisreduce
thetorisk,
but that
the cost
of prevention
maintained.
should
be
carefully measured and limited. Risk reduction measures
should be implemented within a defined time period.
Where the moderate risk is associated with extremely harmful
consequences, further assessment may be necessary to establish
more precisely the likelihood of harm as a basis for determining
the
need
for improved
control
measures.
Work
should
not be started
until
the risk has been reduced.
Considerable resources may have to be allocated to reduce the
risk. Where the risk involves work in progress, urgent action
should
be taken.
Work should
not to be started or continued until the risk has been
reduced. If it is not possible to reduce risk even with unlimited
resources, work has to remain prohibited.
4.3.3
Control Guide to those risks that are not acceptable.
 Eliminate hazards altogether if possible or combating
risk at source (i.e., using a safer substance instead of a
dangerous one).
 If elimination is not possible, try to reduce the risk.
 Where possible, adapting work to the individual (i.e.,
worker’s
mental and physical capabilities).
 Take advantage of technical progress to improve controls.
 Use measures that protect employees (i.e., restricted entry)
 Use a blend of technical and procedural controls.
 Adopt PPE (i.e., only as last resort).
 Introduce planned maintenance (regular
extraction system inspection and maintenance)
 Emergency arrangements (i.e., alarm systems
and back-up controls).
 Adopting proactive measurement indicators
to monitor compliance with the controls.
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
P.O. BOX: 759, RAS TANURA 31941 – KSA
TEL. NO. (03) 668 1617/1514 – 667 2219
FAX NO. (03) 668 1564
WEBSITE: www.rapcogroups.com
4.4
 Develop emergency and evacuation plan and
provision of emergency response equipment.
Review the adequacy of the action plan.
Re-assess risks on the basis of the revised controls and check
the risk that is tolerable.
 Will the revised controls lead to tolerable risk level?
 Are new hazards created?
 Has the most cost-effective solution been chosen?
 How will the revised controls be affected if changes occur?
4.5
 What do operators think of the practicality of the preventive
measures?
Provide a written record where risks are significant.
Where action needs to be taken, risk assessment records
should be made and generate appropriate controls.
5.0
A date should be included to ensure that the corrective
measures are reviewed with respect to their effectiveness.
RECORDS
Risk Assessment records shall be filed and maintained in the EHS Department.
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
WEBSITE: www.rapcogroups.com
RMPR001
Risk Management Procedure
Risk Management Procedure
Systems Engineering Discipline:
Risk Management
Description:
Risk Management addresses future uncertainties that could endanger achievement of Project objectives and
identifies potential problems before they occur so that risk-handling activities may be planned and
implemented to mitigate adverse impacts should a risk be realized.
Risk must be captured within individual Projects and initiatives as well as an integrated systems perspective.
Risks may have dependencies to other Projects within the Directorate or outside the organization.
This procedure documents the organization’s enterprise risk management strategy and provides the details
necessary to support the execution of a disciplined and effective risk management program within the
Directorate.
Entry Criteria:
Complete the following before beginning this procedure:

Risk Management Stakeholders Identified
Procedure Steps: (These steps are not always performed sequentially.)
Although the Site Manager is ultimately responsible to ensure risk management activities are performed
throughout the life cycle of any work effort, key roles are identified below as the lead for certain steps or
activities.
1. Project Manager: Plan risk management activities.
1.1. Document the Project Risk management strategy.
A Project unique Risk Management Plan (RMP) is recommended for all projects. Refer to the Risk
Management Plan Template in Attachment 2. However, if a Project does not prepare a RMP, a
documented strategy or plan for how risk management activities will be conducted throughout the life
cycle of the Project must be incorporated into the Project’s Life Cycle Management Plan or Systems
Engineering Plan. To be complete, this strategy should, at a minimum, document the following:
 The specific roles and responsibilities of Site Team members in the risk management process.
 The processes used to identify, capture, analyze, handle, and monitor risks within the Project.
 The tools that will be used to execute the risk management strategy.
 The frequency of risk management activities (meetings, reviews, customer briefs, etc.).
1.2. Resource the Risk Management Plan.
To be successful, risk management activities must be started early and performed continuously
throughout a Project’s life-cycle. The Project Manager should:
 Formally designate a Project Risk Manager
 Establish a battle rhythm of risk management workshops/reviews
 Provide a mechanism for team members to present risks or updates outside of scheduled reviews
1
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
WEBSITE: www.rapcogroups.com
RMPR001
Risk Management Procedure
2. Site Team: Identify risks.
2.1. Site Team: Identify risks.
Any Site Team member may identify risks.
2.1.1. Determine risk sources.
Risk sources are the common areas where risks may originate. Risk sources can be internal or
external to the Project and in some cases may be both. Additional risk sources may be identified
throughout the Project life cycle. Early identification of sources leads to early identification of risks,
and early mitigation plans may preclude occurrence of or reduce consequences if they occur. Listed
below are some typical examples of risk sources:
 Requirements (i.e., unclear operational needs, attributes, constraints, technology, or design
processes; change frequency, etc.)
 Technical Baseline (infeasible or incomplete design)
 Schedule (unrealistic schedule estimates and/or allocation, concurrency)
 Manpower (inadequate staffing and/or skills)
 Cost/Budget (uncertainty of estimates, funding issues)
 External Factors (facilities, infrastructure, subject matter expertise, etc.)
2.1.2. Identify risk categories.
There are three designated risk categories. These categories identify risks associated with cost,
schedule, or performance. Risks should be examined during all phases of the life cycle to the extent
they impact Project objectives. Listed below are the main categories of risks and some examples:
2.1.2.1. Financial Manager: Identify cost risks.
Identify risks associated to the Project’s cost. Examples include:
 Development costs
 Product acquisition costs
 Cost of spare or replacement products
 Product disposition costs that have design implications
 Funding levels, estimates, or distributed budgets
2.1.2.2. Site Manager: Identify schedule risks.
Identify risks associated to the Project’s schedule. Examples include:
 Planned activities and interdependencies
 Key events and reviews
 Milestones
 Contract performance (dates and deliverables)
 Human resource availability
2.1.2.3. Lead Engineer: Identify performance risks.
Identify risks associated to the Project’s performance. Examples include:
 Requirements
 Interface and interoperability complexities
 Infrastructure limitations
 Data Conversion
 Analysis and design
 Application of new technology
2
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
WEBSITE: www.rapcogroups.com
RMPR001
Risk Management Procedure




Technical performance and operation such as throughput
Verification and Validation
Development and Test Environments
Information Assurance/Security
2.1.2.4. Site Manager: Identify other risks.
Identify any other risks that fall into the cost, schedule, or performance categories. Site Teams
should review all elements of their work breakdown structure to ensure that all aspects of the
work effort have been considered.
For example, the Contracting Officer should lead the identification of any risks associated with:
 Acquisition strategy
 Contract management
 Competition
In another example, the Customer should lead the identification of any risks associated with
operational suitability or funding availability.
2.2. Project Risk Manager: Document Project Risks.
It is important to be thorough in this step of the process. One of the keys to writing good risk and issue
statements is to focus on a tangible, measurable event that may occur rather than a vague statement.
Once a risk has been identified, the following minimum information should be captured:
2.2.1. Identifier: <Project Abbreviation>-<Risk No.> (e.g., ABC-001)
2.2.2. Title: Use a short, meaningful title so that the risk can be easily identified in tables and
standard reporting systems.
2.2.3. Owner: Identify the individual best suited to manage the risk.
2.2.4. Description of the risk: Teams should use the "If, then" logic when documenting their risks
remembering that the “If” is the cause and the “Then” is the effect of the risk on the project.
2.2.5. Phase: Identify the phase of the acquisition life cycle the risk may impact.
2.2.6. Category (Project area): Use this element to place risks into the categories identified above
(cost, schedule, performance, other).
2.2.7. Source: Identify the most relevant source of the risk associated to the root cause indicated
(budget, manpower, requirements, schedule, technology, etc.).
2.2.8. Initiation Date: Insert the date the risk was identified.
2.2.9. Next Review Date: Insert the date of the next anticipated review.
3. Site Team: Analyze and evaluate risks.
This step answers the question “How big is the risk?”
3.1. Site Team: Analyze risks.
Analyzing risks is a key part of risk management and should involve the entire Site Team. It includes
maintaining a database of Project Risks so that the most important risks can be prioritized based on the
judgment of the Site Team.
3
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
WEBSITE: www.rapcogroups.com
RMPR001
Risk Management Procedure
3.1.1. Just as the identification of certain types of risk is the responsibility of the functional team
member that leads that Project area, the thorough analysis and evaluation of those identified risks
also remains the responsibility of those functional leads.
3.1.2. Each risk is evaluated and scored in accordance with the defined risk parameters identified
below. The goal is to identify the highest-priority risks and focus risk handling resources on them as
the Project evolves over time. As risk handling steps are put into place, risk parameters may change
over time and therefore frequent adjustments may be required.
3.2. Site Team: Score risk parameters.
To ensure consistent and rigorous execution and reporting, all Projects, without deviation, must use the
standard 5x5 risk matrix, likelihood criteria and consequence criteria to analyze Project Risks (see
below). Realizing that every risk may have multiple consequences (performance, cost, and schedule) to
be assessed, the matrix should depict the consequence with the most severe impact. Risk handling plans
will be prepared for all Medium (Yellow) and High (Red) Project Risks. Parameters for evaluating,
categorizing, and prioritizing risks include the following:
3.2.1. Likelihood.
Likelihood is the current estimate of probability that the risk will occur over the impact time frame.
It is measured in percent and based on professional judgment or historical data. The likelihood value
will likely change over time as the risk is actively managed. Use the ratings in Figure 1 below as a
guide in assigning the likelihood ratings:
Rating
5
4
3
2
1
Probability of Occurrence
81 – 99 %
61 – 80 %
41 – 60 %
21 – 40 %
5 – 20 %
Likelihood
Near Certainty
Highly Likely
Likely
Low Likelihood
Not Likely
Figure 1: Likelihood Rating Criteria
3.2.2. Consequence.
Consequence is an undesirable event or impact which would negatively affect the Project should the
risk materialize. Consequence is a subjective ranking made by the Site Team using past experience,
historical data or comparison to other systems. The primary purpose of the consequence value is to
help rank Project Risks. This value may change over time as the risk is actively managed.
3.2.3. Impact dates.
These dates differ from the date the risk was first identified (initiation date) and the review dates
which were previously documented.
 Document the earliest date the risk could impact the Project
 Document the latest date the risk could impact the Project
3.2.4. Target Resolution.
Document the date by which the risk is expected or desired to be mitigated or resolved
3.3. Project Risk Manager: Prioritize risks.
4
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
WEBSITE: www.rapcogroups.com
RMPR001
Risk Management Procedure
The current priority ranking of a risk is relative to all other risks and based on the analysis performed as
calculated using the probability and consequence. Rank 1 is the highest priority; rank 2 is next, and so
on. Risk ranking must always be carefully maintained.
4. Project Manager: Handle risks.
This step answers the questions, “What is the approach for addressing this potential unfavorable
consequence?” and “How do we implement that approach?”
4.1. Site Team: Develop risk handling plans.
Develop a risk handling plan for each risk. A handling plan for a given risk includes techniques and
methods to be used to avoid, reduce, and control the likelihood of occurrence of the risk, the extent of
damage incurred, or both.
4.1.1. Determine handling strategy.
This activity identifies, evaluates, selects and implements options in order to set risk at acceptable
levels given Project constraints and objectives.
4.1.1.1. Accept/Assume: assume the level of risk and continue with the current program.
4.1.1.2. Monitor: take no immediate action, but watch for changes.
4.1.1.3. Research: collect additional information needed for a decision or reduce uncertainty
surrounding risk estimates.
4.1.1.4. Transfer: shift the root cause elsewhere.
4.1.1.5. Mitigate/control: apply methods aimed at eliminating the risk, or reducing the likelihood
and/or consequence of the risk.
4.1.1.6. Avoid: Eliminate the root cause of the risk (e.g., not performing an activity that may
drive risk).
4.1.2. Develop detailed risk handling steps.
The risk handling plan will describe the approach that will be taken to reduce the likelihood or
consequence of occurrence thus reducing overall risk exposure. Producing good handling steps
requires planning out the following details for each step in your plan.
 Descriptions
 Priority
 Start and due dates
 Potential costs
 Deliverables
 Target Score: the new likelihood and consequence should this response plan be successful.
4.1.3. Develop contingency plan (fallback plan).
A contingency or fallback plan is a set of actions to take in the event critical risks materialize. The
contingency plan should include, at a minimum, alternative courses of action, work-arounds, and
fallback positions, with a recommended course of action. All High (Red) risks require a contingency
plan (fallback plan).
4.2. Project Manager: Report and Escalate Risks
For all risk reporting, Projects will use the standard 5x5 Risk Matrix and Details Table as shown in
Figures 5, 6, and 7 below.
5
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
WEBSITE: www.rapcogroups.com
RMPR001
Risk Management Procedure
5
HIGH
Likelihood
4
3
MEDIUM
2
LOW
1
1
2
3
4
5
Consequence
Figure 5: Standard 5X5 Project Risk Matrix
Rank
Risk Description
Figure 6: Risk Descriptions
6
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
WEBSITE: www.rapcogroups.com
RMPR001
Rank
Risk Management Procedure
Risk Description
Handling / Mitigation
Target Date
POC
Figure 7: Risk Details Table
Site Managers and Division Directors will follow the criteria depicted in Figure 8 below to determine
when conditions warrant the escalation of Project Risks to higher authority. Document the escalation
strategy in your Risk Management Plan.
Figure 8: Risk Escalation Criteria
4.3. Implement risk handling activities.
Implement the risk handling steps as approved by the Project Manager.
7
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
WEBSITE: www.rapcogroups.com
RMPR001
Risk Management Procedure
5. Site Manager: Manage and track risks.
This step answers the question “How are things going?” The Site Manager must be proactive and monitor
these risks throughout the Project’s life cycle.
5.1. Assign responsibility.
Document the name of the person responsible for tracking or managing each risk.
5.2. Monitor risks.
Monitor the status of each risk throughout the Project's life cycle.
5.2.1. Update Status.
Systematically review initially identified and baselined risks. Analyze them to determine their
status. Archive risks when they are no longer present or have been closed.
5.2.2. Update handling step progress.
5.2.3. Update contingency plan (fallback plan).
5.2.4. Maintain risk history.
Maintain a historical events log on each risk. This log is the recording of events about the risk that
might be useful in evaluating its importance or in justifying specific actions that were taken. For
instance, external events might occur that caused a change to the impact or probability of the risk. It
can serve as a repository of thoughts and decisions that affect how the risk was perceived, mitigated,
and/or retired.
5.2.5. Report Status to Management.
Project Managers must perform periodic reviews of Project Risks. The Project Manager is
responsible for briefing senior management and senior functional staff members to provide visibility
into the Project’s overall risk exposure.
5.3. Monitor and control the risk management process.
Include all members of the Site Team in monitoring and controlling risks. Implement corrective actions
or mitigation actions as required. Use metrics to help in monitoring and controlling risks.
Recommended metrics may include the following:
 Number of risks identified, managed, tracked, and controlled; include a breakdown based on
priority
 Risk age; risk growth within the Project
 Risk exposure and changes to the risk exposure for each assessed risk
 Change activity for the risk mitigation plans (e.g. processes, schedule, funding)
 Impact timeframes/dates (initiation date, trigger dates, expiration dates, target resolution dates,
etc)
 Occurrence of unanticipated risks
 Risk categorization volatility
 Comparison of estimated vs. actual risk mitigation effort and impact
5.4. Continuously identify new and potential risks.
As the Project progresses, new risks will become a threat to its success. When they do, follow this
procedure to identify, document, analyze, mitigate, and track those risks.
8
RAPCO GROUP
Trading, Contracting, and Industrial Constructions
EPC CONSTRUCTOR
WEBSITE: www.rapcogroups.com
RMPR001
Risk Management Procedure
Exit Criteria:
The following are a result of completing this procedure:



Risk Management Plan or Documented Risk Management Strategy
Updated Risk Management Tool:
o Identified, analyzed, and documented Project Risks
o Handling plan steps for all documented risks
o Contingency/Fallback plans for all High (Red) risks
Escalated Risks (as appropriate)
9