Enterprise Risk Management at Leighton Contractors
A message from our Managing Director, Craig Laslett
Understanding risk and managing it well are key to the ongoing success of our business. This document defines what risk means at Leighton Contractors Pty Limited (LCPL) and describes how it’s managed in relation to the LCPL Group Operating Model.
Our business is large and diverse; we bid, negotiate and deliver high-value work in extremely competitive markets, delivering projects and services for clients across multiple sectors. This often involves high levels of risk.
Our people, assets, intellectual property, balance sheet, licence to operate, reputation, relationships with our clients and partners (our Enterprise Capital) are absolutely critical to the ongoing success of our business. Enterprise Risk Management is about protecting our Enterprise Capital and growing each element for future success.
Each of us is responsible to ensure we are aware of the risks we face in all of what we do and to reduce, if not eliminate, risks that threaten our Enterprise Capital. This document outlines our Enterprise Risk Management framework.
By taking a proactive approach to risk management:
–– our business will become more efficient as it enables us to anticipate events that may cause disruption and take effective actions to reduce the likelihood and/or impact of such events occurring;
–– our business standards, processes, tools and knowledge will be more effective by ensuring the appropriate controls are in place to address the risks;
–– there will be greater certainty in everything we do.
I urge you to read this document to develop a better understanding of LCPL’s approach to managing risk and your risk management responsibilities at LCPL. By positively supporting LCPL’s Enterprise Risk Management, we will ensure the protection and ongoing growth of our business.
Craig Laslett, Managing Director
Contents
1. Introduction
2. Enterprise Risk Management at LCPL
2.1 Objective of ERM
2.2 Enterprise Capital
2.3 Enterprise Risk Management Protocols
2.4 Business Activities
3. LCPL’s Enterprise Risk Management Framework
3.1 Risk Management Strategy
3.2 Risk Management Architecture
3.3 Risk Management Process
3.4 Risk Management Protocols
4. Risk Appetite
5. Business Continuity and Crisis Management
6. Appendix
6.1 Glossary of Terms
1. Introduction
Leighton Contractors Pty Limited (LCPL) delivers projects and services for clients across the infrastructure, mining, telecommunications, civil construction, industrial, energy, health and services sectors.
We transform ideas to enhance people’s everyday lives. This means understanding our clients’ needs and aspirations to find the best way to transform an idea into reality.
We seek opportunities to create value and grow our business. We acknowledge and embrace the fact that doing so exposes our business to risks which we must manage effectively. We create value and grow our business by leveraging our Enterprise Capital through our Business Activities.
Our Enterprise Capital is not only critical to our viability but also to achieving our short, medium and long-term business objectives. Accordingly it is critical that LCPL has a structured approach to protecting our Enterprise Capital and we do this via our Enterprise Risk Management Framework.
Our Objective is to protect and grow our Enterprise Capital within LCPL’s Risk Appetite.
This document is not intended to provide an exhaustive approach to risk management but rather outlines LCPL’s approach for managing risk within our operating environment. It is critical that this document is read in conjunction with the relevant business standards and procedures available on ‘Our Way’.
Definition of Risk
International Standard ISO 31000:2009 Risk Management: Principles and Guidelines defines risk as the ‘effect of uncertainty on objectives’. The effect may be positive, negative or a deviation from the expected. Risk is often described in terms of an event, a change in circumstance or a consequence.
Risks can also impact LCPL over the short, medium and long term. In short, risks are present in, and can impact all of, LCPL, including our day-to-day operations, business initiatives and strategy.
Risk and Opportunity
At LCPL we refer to a negative outcome as a ‘Risk’ and a positive outcome as an ‘Opportunity’ respectively (‘R&O’). When identifying and assessing risk, we consider both possible effects on our objectives to ensure our analysis is complete and balanced.
LCPL’s Enterprise Risk Management framework provides a structured approach to managing risks by taking into consideration the size, nature and complexity of our business and is based on ISO 31000:2009. The key elements of LCPL’s ERM framework require us to:
–– describe our Risk Management Strategy – the objectives of enterprise risk management at LCPL and the way in which LCPL intends to achieve those objectives;
–– define our Risk Management Architecture – the roles, responsibilities and accountabilities of individuals, groups and committees to support the management of risk across LCPL including the prescription of how risks are to be reported and communicated;
–– detail our Risk Management Process – the way in which risks are to be identified, assessed and managed at LCPL; and
–– specify our Risk Management Protocols – the business standards, processes, tools and knowledge that are to be developed, maintained and applied as part of LCPL’s ongoing effort to manage risk across its business.
2. Enterprise Risk Management at LCPL
Enterprise Risk Management (ERM) forms a protective layer surrounding our Enterprise Capital by clearly outlining business standards (protocols) of operations which are embedded within our Business Activities (central, operational and transactional activities).
The diagram below illustrates the relationship between these elements which are further described in this section.
[Figure: diagram labelled Central Activities, Operational Activities, Transactional Activities and ERM Protocols]
2.1 Objective of Enterprise Risk Management
LCPL’s Enterprise Risk Management objective is to protect and grow our Enterprise Capital within our Risk Appetite.
2.2 Enterprise Capital
In any business, there are certain key dependencies critical to its ability to deliver value to stakeholders. At LCPL, we call these key dependencies our Enterprise Capital. It is every employee’s responsibility to protect our Enterprise Capital from the negative effects of a risk materialising and contribute to growing it through realising opportunities. Our Enterprise Capital includes:
Enterprise Capital Element
Description
Our People
Our people are what enable us to transform our clients’ needs to reality. We must protect our people from risks that can affect their safety, well-being and performance. We look to grow their abilities and provide opportunities to develop their careers within LCPL.
Our Assets
Our assets relate to the physical assets such as plant and equipment. We must ensure they are available and perform as required.
Our Intellectual Property
Our intellectual property relates to the collective knowledge of how we create value and deliver results. We must be able to retain and protect our intellectual property as this is a key element of our competitive advantage.
Our Relationships with our Clients and Partners
The trust and respect of our clients and partners are paramount in both delivering on current work and generating future opportunities. We must ensure that we are able to deliver on our promises.
Our Reputation
The ‘Leighton’ name and the strong positive reputation it carries must be protected at all times. We must be clear and consistent in how we conduct our business so our stakeholders and the marketplace know what to expect when engaging with us.
Our ‘Licence to Operate’
To be able to operate (conduct business activities) in the markets we wish to, we must ensure we satisfy all relevant obligations. These extend beyond our regulatory obligations and include our social obligations.
Our ‘Balance Sheet’
Our business requires capital to achieve our objectives. Accordingly we must ensure we are able to access capital (our balance sheet) as and when required. Similarly we must be able to account for our activities in an accurate and timely manner to ensure we are able to make effective decisions.
2.3 Enterprise Risk Management Protocols
LCPL’s Enterprise Risk Management Protocols underpin all of our Business Activities as described below. The ERM Protocols surround our Enterprise Capital to enable us to protect and grow it within LCPL’s Risk Appetite by providing clear business standards. LCPL’s ERM Protocols are as follows:
ERM Protocols
–– Risk Assessment
–– Business Continuity Management
–– Pre-Contracts Review
–– Project Risk Management
–– Insurance
–– Project Assurance
–– Quality & Systems
–– Internal Audit
–– Risk Reporting
These are further discussed in section 3.4 Risk Management Protocols.
2.4 Business Activities
LCPL undertakes Business Activities that expose our Enterprise Capital to risks. These Business Activities are categorised as a central activity, an operational activity or a transactional activity.
Activity: Central
Description: The core groupwide common activities involved in supporting and governing any enterprise
Key Functions:
Management of overall enterprise:
–– Strategic planning and business transformation
–– Finance
–– Accounting and statutory reporting
–– Information Technology
–– Legal Counsel
–– Corporate Affairs and Communications
–– Risk and Pre-Contracts
–– People and Capability
–– Safety, Health and Environment
Activity: Operational
Description: Day-to-day divisional and business unit activities involved in the planning, delivery and close-out of discrete projects and services
Key Functions:
Client relationship management
Opportunity development
Preparing the technical elements of a tender/binding offer
Delivering a project/service on time, to budget and to specification, including:
–– managing design
–– programming/scheduling
–– recruiting, training and deploying people
–– mobilising plant and equipment
–– implementing Safety, Health and Environment Business Standards
–– reviewing project/service delivery performance
–– executing project/service delivery tasks and activities
Activity: Transactional
Description: The process of engaging with third parties on a contractual basis
Key Functions:
Procuring plant, labour, materials and subcontract items
Preparing the commercial elements of a tender/binding offer
Reviewing and approving the submission of a tender/binding offer
Agreeing contractual terms with:
–– clients for the delivery of a project/services
–– partners to joint venture
–– suppliers for the procurement of plant, labour and materials
–– sub-contractors for the provision of services
–– service providers (consultants) for the provision of expert advice and services
–– financiers for finance
The activities we choose to undertake and the manner in which we undertake them can affect our Enterprise Capital positively or negatively.
3. LCPL’s Enterprise Risk Management Framework
Managing risks requires a methodical approach that takes into consideration the size, nature and complexity of our business.
The four key components of LCPL’s Enterprise Risk Management Framework are our Risk Management Strategy, Risk Management Process, Risk Management Architecture and Risk Management Protocols. The framework is illustrated below:
3.1 Risk Management Strategy
Objective
To protect and grow our Enterprise Capital within LCPL’s Risk Appetite.
Ensuring it is:
–– designed to protect and grow our Enterprise Capital;
–– applicable to our entire business including projects and services we are delivering;
–– critical to managing our business and project/service delivery performance; and
–– embedded in our culture and behaviours.
Our Enterprise Capital is not only critical to our viability but also to our ability to achieve our short, medium and long-term business objectives. It is every employee’s responsibility to protect our Enterprise Capital from the negative effects of a risk materialising and, equally importantly, consider how we are able to grow our Enterprise Capital through the realisation of opportunities.
3.2 Risk Management Architecture
An essential component of LCPL’s Enterprise Risk Management Framework is how we communicate risks and treatments across the company. LCPL’s Risk Management Architecture sets out the roles and responsibilities throughout our business. The following table outlines the key roles and responsibilities throughout LCPL.
Role
Responsibilities
Managing Director
The Managing Director (MD) has overall accountability for risk at LCPL. The MD provides the ultimate sign-off that the ERM framework is effectively designed and operational within LCPL.
Chief Financial Officer
The Chief Financial Officer has been nominated by the MD as the executive sponsor of ERM at the Executive Leadership Team (ELT).
Executive Leadership Team (ELT)
The ELT is responsible for leading risk across LCPL. The ELT sets the risk appetite and tolerance levels. In addition, the ELT approves the risk strategy of LCPL, identifies strategic business-wide risks, ensures that line management has identified the key operational risks facing the business and that those risks are managed appropriately. Each ELT member is responsible for ensuring the effective implementation and oversight of ERM within their respective functional responsibilities.
Group Risk
The Group Risk team supports the ELT in developing and driving the ERM framework and culture to provide a platform to protect and grow our Enterprise Capital within LCPL’s Risk Appetite. Group Risk is responsible for ensuring that the ERM framework is effectively implemented through appropriate procedures and processes and is supported by an effective communication strategy that incorporates all stakeholders. Group Risk must ensure the ERM framework evolves to meet the changing requirements of LCPL’s business.
Divisional Leadership Teams
Divisional leaders are responsible for identification and management of risks and controls within their division. They must ensure appropriate reporting and escalation of risks, incidents or breaches that may have occurred. They are also responsible for ensuring that all agreed treatment plans are delivered.
Divisional/Business Unit Risk Managers
Responsible for the coordination and implementation of the ERM framework within their respective divisions/business units. They work closely with the relevant leadership teams and Group Risk to ensure that the divisional framework is in line with the expectations and requirements of the group framework. Divisional/Business Unit Risk Managers provide key risk advice and training to the business and are responsible for coordinating and reviewing divisional risk reporting.
Directors/Project Managers
Responsible for the successful delivery of project risk management for their respective projects.
All Employees, contractors and subcontractors
All employees have a role in the management of risks within LCPL. By being risk aware and being alert to the requirements of the ERM framework, all employees assist through the identification of risks and/or breaches, and making recommendations for change and improvement.
Detailed standards which outline core competencies and knowledge required for each role mentioned above are available on ‘Our Way’. It is important to note that LCPL’s Risk Management Architecture is not an organisation chart or a management chart nor does it seek to exhaustively define the interactions that are to exist between Leighton Holdings Limited, Executive Leadership Team, divisions, business units and functional units concerning risk management. Whilst the architecture is critical for ensuring key risks are appropriately communicated, it is necessary for informal reporting relationships to take place between functional unit personnel and divisional and business unit personnel as appropriate.
3.3 Risk Management Process
LCPL’s Risk Management Process is consistent with ISO 31000:2009 Risk Management: Principles and Guidelines and is to be applied across all Business Activities (central, operational and transactional activities). The figure below illustrates LCPL’s Risk Management Process:
[Figure: LCPL’s Risk Management Process, with elements labelled Active Risk Manager; Risk Assessment; Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Register Risks; Report Risks; Review, Re-evaluate and Communicate Risks]
LCPL’s Risk Management Process involves the following:
Process Step
Summary of Minimum Requirements
Establish the context
–– Group Risk develop standards
–– Divisions/BUs develop risk management plans
–– Projects plan to formalise risk process
Identifying risks
–– Regular risk workshops (at least annually) to identify risks across our Business Activities
–– Undertake Commercial Risk Analysis (CRA)
–– Safety, Health and Environment risk process
Analysing risks
–– Perform root cause analysis
–– Rate risk in accordance with probability impact diagram (PID)/5x5 matrix
–– Apply Quantitative Risk Analysis/Schedule Risk Analysis
Evaluating risks
–– Prioritise risks against risk tolerance/appetite
Registering risks
–– Active Risk Manager (ARM) to record all risk registers throughout LCPL
Treating risks
–– Detailed treatment plans to be developed for all Critical Risks
–– Critical Risks to be proactively managed and reported in accordance with reporting standards
Reporting
–– Adhere to the work-winning process (5 gates)
–– Project/management review
–– In accordance with risk reporting calendar and reporting standards
Reviewing, re-evaluating and updating risks
–– Critical risks to be reviewed monthly
–– All risks to be reviewed at least quarterly
Further guidance regarding each of the minimum requirements is available on ‘Our Way’.
3.4 Risk Management Protocols
LCPL’s Risk Management Protocols are the business standards, processes, tools and knowledge resources that are to be applied so that our Enterprise Capital is protected and, where appropriate, grown. The following outlines the Risk Management Protocols for which detailed business standards, processes, tools and knowledge are available through ‘Our Way’.
ERM Protocol
Description
Risk Assessment
Risk assessment provides a structured and consistent way to build risk profiles through a process of identifying, assessing risk and opportunity, and evaluating controls for appropriateness, effectiveness and efficiency. Risk is measured based on a combination of its probability and its impact. Where the risk and control rating is unacceptable, treatment plans are developed to improve the control environment and reduce the risk to within LCPL’s risk appetite. Risk assessments are required to be completed at both the divisional level and by group functions.
Pre-Contracts Review
Reviewing the risk exposure the proposed tender business plan would add to the overall enterprise-wide risk profile. Ensuring a coherent approach towards commercial risk analysis, risk outputs and overarching tender strategy. The required risk exposure analysis includes but is not limited to:
–– Quantified Risk Analysis (QRA);
–– Schedule Risk Analysis (SRA); and
–– Safety, Health and Environment Risk Analysis.
Project Risk Management
Ensuring adequate planning, delivery and monitoring of risks throughout the lifecycle of the project. Project Risk Management requires implementation of:
–– Risk Management Plans
–– Risk Registers
–– Project quality assurance process/reviews
Project Assurance
Project Assurance reviews projects initially at start-up phase to ensure all appropriate business systems to support the project have been effectively implemented to manage the risks identified as part of the work-winning phase of the project lifecycle. Where deemed required, such as for high-value or high-risk projects, additional project assurance reviews will be undertaken throughout the life of the project or post completion to provide further assurance that business systems continue to operate effectively.
Risk Reporting
Risk reporting outlines the required structure, frequency and escalation of enterprise-wide risks throughout LCPL.
Internal Audit
Internal audit refers to the process to review the design and operational effectiveness of key controls within business processes and systems.
Quality and Systems
Quality and systems ensure that our processes are designed, and our systems developed, in a consistent manner with regard to their appropriateness and efficiency. In doing so, we are able to provide more certainty to achieving outcomes and ensuring adequate controls are in place to protect our Enterprise Capital.
Insurance
The enterprise-wide insurance framework ensures an appropriate program and range of insurances for LCPL are in place to ensure our Enterprise Capital is protected against a variety of events outside of our control (so far as is reasonably practicable). The insurances can be loosely described as corporate, operational and employee related. The enterprise-wide insurance framework must be integrated with the other elements of the ERM protocol to ensure an acceptable level of risk is transferred.
Business Continuity Management
Business Continuity Management (BCM) refers to our ability to continue to operate in the face of unexpected business interruption, such as an office building being incapacitated through fire or water damage. It encompasses plans and procedures which ensure that key personnel, processes and systems are identified, communication protocols and procedures are in place, and alternate sites are available.
Detailed business standards, processes, tools and knowledge are available on ‘Our Way’. Risk Management Protocols are to be reviewed regularly and revised accordingly by those accountable for them as per LCPL’s Risk Management Architecture.
4. Risk Appetite
LCPL’s ERM objective is to protect and grow our Enterprise Capital within our Risk Appetite.
Our Risk Appetite articulates the thresholds of risk we are prepared to accept to achieve our business objectives. Our Risk Appetite will vary between our different Enterprise Capital elements across divisions and business units depending on LCPL’s agreed business strategy.
The following illustrates how the Risk Appetite is applied against LCPL’s probability impact diagram (PID)/5 x 5 risk matrix. Target risks (i.e. the level of risk after considering all existing and planned controls) are mapped against the PID.
[Figure: probability impact diagram (PID)/5 x 5 risk matrix. Risk ratings by PROBABILITY (rows) and IMPACT (columns, in order: Negligible, Minor, Moderate, Major, Substantial)]
Almost Certain: 5, 10, 18, 23, 25
Likely: 4, 9, 17, 20, 24
Possible: 3, 8, 13, 19, 22
Unlikely: 2, 7, 12, 15, 21
Rare: 1, 6, 11, 14, 16
Threat levels shown: Low Threat, Moderate Threat, High Threat, Very High Threat, Extreme Threat
Risk Appetite thresholds shown: Well within risk appetite, Target level of risk, Generally unacceptable risk
Where the risks lie in relation to the Risk Appetite thresholds will determine whether the activity is deemed acceptable, unacceptable or requires further review and approval. Activities where the associated risks exceed our Risk Appetite indicate that the level of effort required to manage the risks may not generate the level of returns required to justify the activity. Conversely, where an activity’s risks are well within our Risk Appetite, this may indicate that we have not leveraged our Enterprise Capital effectively and there may be an opportunity to seek higher returns.
The ELT reviews LCPL’s Risk Appetite each year to ensure clear guidelines exist in relation to the level of risk and reward we are prepared to accept as part of our Business Activities. These Risk Appetite statements are included in our business plans as shown in the following example.
[Table: example Risk Appetite Statement rating each Enterprise Capital Element (People, Intellectual Property, Relationships, Reputation, Balance Sheet, Assets, Licence to Operate) by willingness to accept risk (Low, Moderate, High, Very High, Extreme)]
Specifically, the ELT will, in the context of the entire business:
–– acknowledge LCPL’s willingness and capacity to take on risk;
–– determine the relative importance of each Enterprise Capital item in the context of the business strategy, objectives and stakeholder expectations; and
–– agree, for each Enterprise Capital item, the range of possible consequences it is prepared to tolerate.
Where the residual (target) risks, assessed after the identified treatment, associated with a particular business activity exceed the stated Risk Appetite but the activity is still deemed consistent with our objectives, our standards require these to be escalated in accordance with the Authority to Tolerate schedule outlined on ‘Our Way’.
5. Business Continuity and Crisis Management
Business Continuity Management (BCM) refers to our ability to continue to operate in the face of unexpected business interruption.
Despite best efforts to identify, analyse, evaluate and treat risks with respect to our Enterprise Capital throughout our business, there is always the possibility of an event occurring which can cause significant disruption to our business. Our ability to respond to such a disruption is referred to as crisis management and the processes to ensure ongoing operations are outlined in our Business Continuity Plans.
Business Continuity Plans
Our business continuity planning efforts focus on restoring our Enterprise Capital as soon as possible after an event that causes significant disruption to our business. LCPL’s Business Continuity Plan must be developed in consultation with divisions and functional units. Key features of our Business Continuity Plan include:
–– events which may warrant when the plan is to be activated and the details of those responsible for its implementation
–– identification of mission-critical activities, personnel, materials, procedures and equipment that are needed to keep the business operating
–– key messages that are to be communicated to our personnel, clients, partners, relevant external authorities and media at key milestones during the recovery period
–– arrangements to be ‘activated’ with utility service providers, suppliers, logistics service providers and subcontractors
–– alternative premises from which to operate in the event that existing premises become compromised
–– estimated recovery time
–– details of when the plan was last tested and the changes that have been made to the plan as a result.
Review of our Business Continuity Plan is undertaken annually to maintain alignment with our external environment and the nature of our business. Following activation of the Business Continuity Plan, a full and proper investigation will be conducted into the circumstances, decisions and actions that preceded the crisis and our response during and following the crisis. Where it is ascertained that the cause of the event may have been managed or avoided, our ERM Framework should be reviewed and updated to address any possible weakness.
Emergency and Crisis Management Plans
LCPL’s Emergency and Crisis Management Plans form part of our overall Business Continuity Plan and outline LCPL’s initial response to a crisis event. Every major project or service we deliver and every division, business unit and functional unit must have a Crisis Management Plan in place. Key features of a Crisis Management Plan include:
–– outline of events which may warrant when the plan is to be activated and the details of those responsible for its implementation.
–– key personnel and relevant external authorities to be alerted in the event of a crisis.
–– key messages that are to be communicated to our personnel, clients, relevant external authorities and media immediately after the crisis.
–– emergency response activities that are to be undertaken to limit, if not prevent, further damage to our Enterprise Capital and to kick-start the resumption of value-adding activities as quickly as possible.
Emergency and Crisis Management Plans need to be tested for adequacy with respect to scope, effectiveness and timeliness. Review of Emergency and Crisis Management plans is to be undertaken annually to ensure suitability.
6. Appendix
6.1 Glossary of Terms
Term
Definition
Accept
See ‘Tolerate’.
Accountable
See ‘RACI’.
Active Risk Manager (ARM)
LCPL’s electronic risk register used to record, manage and report information of risks across the business.
Avoid
See ‘Terminate’.
Business Continuity Plan (BCP)
Plan to ensure continuity of business operations in the event of a serious incident that impacts the organisation.
Business Standards
The minimum mandated standard according to which our business is to operate and/or deliver.
Business Process
The activities our business is to undertake to achieve the minimum standard.
Central Activity
The core activities involved in supporting and governing any enterprise.
Consequences
Range of specific impacts or effects which allows risk to be measured prior to or post risk materialisation.
Consulted
See ‘RACI’.
Control
Actions to reduce the likelihood and/or magnitude of a risk. Controls can be preventive or corrective.
Corporate Governance
Set of activities and policies that control the way in which an organisation is directed, administered and/or controlled.
Critical Risk
A risk with a ‘Current’ risk rating within the range 14–25 on the LCPL Risk Matrix.
Current Risk
The exposure based on the existing LCPL operating controls and their known effectiveness.
Crisis Management Plan
Plan for use in the event of serious loss, such as IT failure, fire or earthquake to assist the recovery of the organisation.
Damage Limitation
The range of activities to reduce the magnitude of damage when a risk materialises.
Eliminate
See ‘Terminate’.
Enterprise Capital
The key dependencies critical to the viability of that business as a going concern.
Enterprise Risk Management (ERM)
Integrated and coordinated approach to all the risks faced by an organisation.
Executive Leadership Team (ELT)
The Executive General Managers of LCPL responsible and accountable for the direction, operations and performance (financial and non-financial) of the business.
Frequency
The probable frequency of future loss.
Governance, Risk and Assurance (GRA)
Integrated approach to governance, risk management and risk assurance.
Impact
Overall size and nature of the consequences of a risk materialising.
Informed
See ‘RACI’.
Inherent Risk
Level of risk before any control activities are applied, sometimes referred to as the ‘gross level’ or ‘absolute level’ of the risk.
Insurance
See ‘Transfer’.
Knowledge
Resources to support the execution of business processes designed to achieve our business standards.
Leighton Contractors Pty Limited (LCPL)
A diversified engineering construction and services business that operates in the infrastructure, mining, telecommunications, civil construction, industrial, energy, health and services sectors across Australia, New Zealand and Africa.
Leighton Holdings Limited (LHL)
ASX-listed (ASX: LHL) strategic management company that owns and manages a portfolio of engineering construction and services businesses including Leighton Contractors Pty Limited (LCPL).
Level of Risk
Combination of the likelihood and impact of the risk, as established during the risk rating stage of risk assessment and can be determined at either current or target level.
Licence to Operate
The permission our business has been given by regulatory authorities and Leighton Holdings Limited to pursue and undertake the work our business is involved in.
Loss Containment
The range of activities to reduce the magnitude of the impact and consequence when a risk materialises.
Loss Prevention
The range of activities to reduce the probability and the impact of the consequence of a risk materialising.
Operational Activity
Divisional and business unit activities involved in the planning, delivery and close-out of discrete projects and services.
Opportunity
The positive effect of uncertainty on objectives.
Our Way
LCPL’s integrated management system which underpins our Group Operating Model by providing the repository that holds the business standards, processes, tools and knowledge.
Potential Exposure
The exposure in dollar value of a risk if it were to materialise prior to any control activities being applied.
Preventative Control
Type of control that is designed to reduce or eliminate the possibility of an undesirable risk materialising.
Probability
Evaluation of judgement regarding the chances of a risk materialising.
Project Risk
Risk that could cause doubt about the ability to deliver a project on time, within budget and to quality.
RACI (Responsible, Accountable, Consulted and Informed)
The matrix according to which roles (those responsible, accountable, consulted and/or informed) are assigned to tasks or deliverables for a project or business process. Responsible – those who do the work to achieve the task. Accountable – those who are ultimately answerable for the correct and thorough completion of the deliverable or task, and the one who delegates the work to those responsible. Consulted – those whose opinions are sought, typically subject matter experts, and with whom there is two-way communication. Informed – those who are kept up to date on progress, often only on completion of the task or deliverable, and with whom there is just one-way communication.
Red Book
Enterprise Risk Management as it applies at LCPL.
Reduce
See ‘Treat’.
Residual Exposure
The exposure of a risk if it were to materialise after control activities have been applied.
Residual Risk
See ‘Target risk’.
Responsible
See ‘RACI’.
Retain
See ‘Tolerate’.
Risk
The negative effect of uncertainty on objectives.
Risk Appetite
Amount or type of risk that an organisation is willing to pursue or retain – definitions of risk appetite can vary considerably.
Risk Assessment
Means by which significant risks are evaluated and prioritised by undertaking the three stages of ‘Risk recognition’, ‘Risk rating’ and ‘Risk ranking’.
Risk Assurance
Means by which an organisation receives reasonable assurance that the significant risks are being adequately controlled.
Risk Criteria
Basis for ranking or evaluation of the significance of a risk – will define the risk appetite of an organisation.
Risk Exposure
Level of risk to which the organisation is actually exposed, with regard to an individual risk or the cumulative exposure to the risks faced by the organisation.
Risk Management Architecture
The roles, responsibilities and accountabilities of individuals, groups and committees to support the management of risk across LCPL.
Risk Management Framework
Set of activities that support the risk management process, referred to as the risk architecture, strategy and protocols; the arrangements for designing, implementing, monitoring, reviewing and continually improving risk management.
Risk Management Process
Activities that deliver management and control of risks – defined in LCPL as: Establish Context, Identify Risks, Analyse Risks, Evaluate Risks, Register Risks, Treat Risks, Report Risks, Review, Re-evaluate and Update Risks.
Risk Management Protocols
The business standards, processes, tools and knowledge that are to be developed, maintained and applied as part of LCPL’s ongoing effort to manage risk across its business.
Risk Management Strategy
The objectives of Enterprise Risk Management at LCPL and the way in which LCPL intends to achieve those objectives.
Risk Treatment
Risk Response activities to deliver the most favourable outcome and reduce the volatility or variability of that outcome.
Risk Matrix
Presentation of risk information on a grid or graph, also referred to as a risk map or heat map and often used to illustrate information from the risk register.
Risk Ranking
Stage in the risk assessment process that analyses the likelihood and impact of risks and allows them to be ranked against each other.
Risk Rating
See ‘Risk significance’.
Risk Register
Record of all the risks faced by an organisation, the scale of the risk, the controls currently in place, additional controls that are required and responsibility for control activities.
Risk Response
Implementation of actions to respond to risks, including decisions whether to avoid, reduce, transfer, insure, accept, enhance or develop controls.
Risk Significance
Stage in the risk assessment process that evaluates the risk with reference to the risk appetite or the established risk criteria, to help select the appropriate risk response.
Risk Tolerance
The company’s absolute statements and risk metrics which allow the differentiation between a tolerable and intolerable risk to be made.
Severity
Size of the event when a risk materialises, sometimes referred to as ‘severity’ of the event and representing the current level of the risk.
SFAIRP (So Far As Is Reasonably Practicable)
The process of implementing controls which mean the risk has been managed So Far As Is Reasonably Practicable. This is to ensure risk management activity is not grossly disproportionate to the risk impact.
Significant Risk
Risk with the ability to impact above the established benchmark for that type of risk.
Strategy
Statement of where the organisation wants to be in three to five years’ time, often defined by strategic objectives – strategy should be efficacious.
Target Risk
The level of risk that is desired by the organisation when planned additional controls have been implemented.
Terminate
This means ceasing the activity which attracted the risk as the risk is not acceptable to the organisation or is outside the stated risk appetite, also referred to as ‘avoid’ or ‘eliminate’.
Tolerate
Risk response that is appropriate when the level of risk is within risk appetite, also referred to as ‘accept’ or ‘retain’.
Tools
Pro formas to support the execution of business processes designed to achieve our business standards.
Transactional Activity
The activities involved in the procurement of contracts with third parties.
Transfer
Risk response for risks that the organisation wishes to transfer or share, by means of insurance, contract or (perhaps) joint venture.
© Leighton Contractors Pty Limited 2013. First edition, February 2013