RISK AND OPPORTUNITY ASSESSMENT

TABLE 1: Consequence Descriptors (Severity Rating)

ORGANIZATIONAL PERFORMANCE PRODUCT/ SERVICE COMPLIANCE OBLIGATION COST OF MANPOWER AVAILABILITY OF RAW REPUTATION/ BRAND
Organizational Performance is QUALITY/ CUSTOMER Breach of regulatory, IMPLEMENTING/ UTILIZATION MATERIAL/ The COMPANY brand and or
impacted in terms of achieving SATISFACTION common law or contractual MAINTAINING THE What impact will this EQUIPMENT/ reputation value is impacted
Strategic initiatives, key performance Customers are impacted in obligations, internal policy/ ACTIONS action have on the SERVICE in terms of stakeholder and
indicators/ project outcomes or terms of service disruption procedures or requirement Financial losses or manpower resources? The availability of trust in the ability to deliver
benefits and delivery of critical or product quality. to notify a regulator of an unplanned raw materials/ on reliability, quality,
processes and services or project event. expenditure is equipment to Perform transparency and value for
schedule elements incurred by this Action? money expectations.
COMPANY.
Majority of Strategic initiatives/ Project Customer/Community Government inquiry. Corporate Financial Action will require Raw material/ equipment/ Long term (03 month) loss of
outcomes will not be achieved. Majority disruption > 25 hours. Multiple Loss of license to operate. losses > AED 1 million additional foreign service needs to be confidence among key
EXTREME (5)

of strategic KPIs / Project benefits will Key Account customer Civil action, refer Financial external provider, procured outside the stakeholders.
not be achieved. Inability to deliver shutdowns. Performance. Projects > 40 % of different from existing in- country Sustained state and national
critical processes/ services or project No impact in the enhancement Not related to any Compliance budget house external provider adverse media/ social media
schedule elements. of Obligation coverage.
No relevance Strategic Direction of product or service quality or MD Intervention
COMPANY customer satisfaction
Multiple Strategic initiatives /Project Customer/Community Regulator issues notices, Corporate Financial Action will require Raw material/ equipment/ Medium term (01 month) loss of
outcomes will not be achieved. disruption >10 hours. corrective action order and/or losses 0.5 million. additional local external service needs to be confidence among key
Breach of multiple strategic KPIs / Project Individual Key Account penalties, common law provider, different from procured within the stakeholders.
MAJOR (4)

benefits. customer shutdown. liability confirmed. Projects > 20% -40% of existing in-house external country Short term state and/or national
Disruption to multiple critical Indirect effect in the Order to stop work. budget provider adverse media/ social coverage.
processes/services or Project schedule enhancement of customer Prohibition notice. MD Intervention
elements. satisfaction/ product and/ or Breach of Code of Conduct
Relevant to one (01) of COMPANY’s service quality resulting in dismissal.
Strategic Direction
One specific Strategic initiative/ Project Customer/Community Regulator/ external auditor Corporate Financial Action will require Raw material/ equipment/ Short term (01 week) loss of
MODERATE (3)

outcome will not be achieved. disruption >5 hours. issues improvement notice, losses AED 0.1 million. additional in-house service needs to be confidence among some key
Breach of Strategic KPI/ Project benefit. No Key Account customer multiple manpower resources procured locally stakeholders.
Disruption to individual critical disruption. non-conformances or PNC. Projects >10% -20% of Adverse widespread community
process/service or Project schedule Direct impact in the Systemic breach of internal budget. Concern
element. enhancement of product or obligation, procedure or Short-term local adverse media/
Relevant to two (02) of the COMPANY’s service quality or customer policy. social media coverage.
strategic directions satisfaction GM Intervention

Impairment in achieving Strategic Customer/Community Regulator/external auditor Corporate Financial Action will make use Raw material/ equipment/ Minimal stakeholder interest/
initiative/ Project outcome. disruption >1 hour. ‘nonconformance’ losses AED 0.05 of existing in-house service is concern.
Strategic KPI / Project benefit impacted - No Key Account customer or request for further million. manpower resources currently available in the Adverse localized community
MINOR (2)

no breach. disruption. explanation. Projects >5% -10% of COMPANY concern

Disruption to noncritical process/service Direct impact in the Notification to Regulator budget. Isolated local adverse media/
or project schedule element. enhancement of required. social story.
Relevant to three (03) or more of the product or service quality AND Local area breach of internal Manager Intervention
COMPANY’s strategic directions customer satisfaction obligation, procedure or
policy.
 No material impact to Strategic Customers/ Community No regulatory involvement Minimal or No Minimal or No Minimal or No Raw Standard Complaints
INCIDENTAL

initiative / Project outcome. disruption expected. Financial losses. manpower resources is material/ equipment/ Notification of potential adverse
No material impact or breach of event < 1 hour. Individual breach of internal required service is required media/ social media coverage.
(1)

Strategic KPIs/ Project benefit. Direct impact in the policy or procedure. Staff Intervention
No material disruption expected. enhancement of product or No civil action expected.
service quality and customer
satisfaction

TABLE 2: Illustrative Likelihood Scale (Occurrence Rating)

ANNUAL FREQUENCY PROBABILITY/ OCCURRENCE RATING

RATING
DESCRIPTOR DEFINITION DESCRIPTOR DEFINITION
The risk event could possibly occur within 6-months period Almost
5 Frequent 90% or greater chance of certain occurrence over life of asset or project
The risk event has occurred more than once during the year Certain
The risk event could possibly occur within 1-year period
4 Likely Likely 65% up to 90% chance of occurrence over life of asset or project
The risk event has occurred once during the year
The risk event could possibly occur within 3-year period
3 Possible Possible 35% up to 65% chance of occurrence over life of asset or project
The risk event has occurred once in 3-years
The risk event could possibly occur within 5-year period
2 Unlikely Unlikely 10% up to 35% chance of occurrence over life of asset or project
The risk event has occurred once in 5-years
The risk event is not expected to occur in the life of the COMPANY
1 Rare Rare <10% chance of occurrence over life of asset or project
The risk event has not occurred for more than 5-years

TABLE 3: Illustrative Vulnerability Scale

RATING DESCRIPTOR DEFINITION

 No scenario planning performed
 Lack of enterprise level/process level capabilities to address risks
5 Very High
 Responses not implemented
 No contingency or crisis management plans in place
 Scenario planning for key strategic risks performed
 Low enterprise level/process level capabilities to address risks
4 High
 Responses partially implemented or not achieving control objectives
 Some contingency or crisis management plans in place
 Stress testing and sensitivity analysis of scenarios performed
3 Medium
 Medium enterprise level/process level capabilities to address risks
  Responses implemented and achieving objectives most of the time
 Most contingency and crisis management plans in place, limited rehearsals
 Strategic options defined
 Medium to high enterprise level/process level capabilities to address risks
2 Low
 Responses implemented and achieving objectives except under extreme conditions
 Contingency and crisis management plans in place, some rehearsals
 Real options deployed to maximize strategic flexibility
 High enterprise level/process level capabilities to address risks
1 Very Low
 Redundant response mechanisms in place and regularly tested for critical risks
 Contingency and crisis management plans in place and rehearsed regularly

TABLE 3: Illustrative Speed of Onset Scale

RATING DESCRIPTOR DEFINITION

5 Very High
4 High
3 Medium
2 Low
1 Very Low
 Very rapid onset, little or no warning, instantaneous
 Onset occurs in a matter of days to a few weeks
 Onset occurs in a matter of a few months
 Onset occurs in a matter of several months
 Very slow onset, occurs over a year or more

TABLE 4: Illustrative Combine Risks & Opportunities Map

IMPACT
OPPORTUNITIES RISKS
LIKELIHOOD EXTREME MAJOR MODERATE MINOR INCIDENTAL INCIDENTAL MINOR MODERATE MAJOR EXTREME

FREQUENT (5)
LIKELY (4)
POSSIBLE (3)
UNLIKELY (2)
RARE (1)
 TABLE 5: Occurrence of the Risk Event and/ or the Severity of Consequences (Degree of Control)

QUALITATIVE RATING DESCRIPTION

Fully controllable and can be fully avoided by COMPANY
 existing control/ mitigating measures are proven effective
Avoidable 1
 risk source can be eliminated by COMPANY, i.e., process can be modified/ transferred/ relocated;
material can be substituted
Highly controllable by COMPANY and partly avoidable through selected risk mitigation actions taken
 existing control/ mitigating measures are optimum as practicable
High Controllable 2
 risk source is within the COMPANY’s control, i.e., process is performed onsite; material is
supplied/ decided by COMPANY
Slightly controllable by COMPANY but can be influenced by COMPANY to a large degree
Moderately  existing control/ mitigating measures are adequate but can still be improved
3
Controllable  risk source is originating externally, i.e., process is performed by external provider off-site;
material is supplied/ decided by the customer; natural calamities

Uncontrollable by COMPANY but can be influenced by COMPANY to a small degree

Uncontrollable 4  existing control/ mitigating measures are barely adequate
 COMPANY has no authority over risk source, but risk source is relevant interested party

Uncontrollable by COMPANY and cannot be influenced by COMPANY

Highly
5  no existing control/ mitigating measures
Uncontrollable
 COMPANY has no authority over risk source and risk source is not a relevant interested party

TABLE 6: Risk Rating (Occurrence Rating X Degree of Control X Severity Rating)

OCCURRENCE RATING
ALMOST DEGREE OF CONTROL SEVERITY RATING
RARE (1) UNLIKELY (2) POSSIBLE (3) LIKELY (4)
CERTAIN (5)
1 2 3 4 5 AVOIDABLE (1)
2 4 6 8 10 HIGH CONTROLLABLE (2)
3 6 9 12 15 MODERATELY CONTROLLABLE (3) INCIDENTAL (1)
4 8 12 16 20 UNCONTROLLABLE (4)
5 10 15 20 25 HIGHLY UNCONTROLLABLE (5)
2 4 6 8 10 AVOIDABLE (1)
MINOR (2)
4 8 12 16 20 HIGH CONTROLLABLE (2)
 6 12 18 24 30 MODERATELY CONTROLLABLE (3)
8 16 24 32 40 UNCONTROLLABLE (4)
10 20 30 40 50 HIGHLY UNCONTROLLABLE (5)
3 6 9 12 15 AVOIDABLE (1)
6 12 18 24 30 HIGH CONTROLLABLE (2)
9 18 27 36 45 MODERATELY CONTROLLABLE (3) MODERATE (3)
12 24 36 48 60 UNCONTROLLABLE (4)
15 30 45 60 75 HIGHLY UNCONTROLLABLE (5)
4 8 12 16 20 AVOIDABLE (1)
8 16 24 32 40 HIGH CONTROLLABLE (2)
12 24 36 48 60 MODERATELY CONTROLLABLE (3) MAJOR (4)
16 32 48 64 80 UNCONTROLLABLE (4)
20 40 60 80 100 HIGHLY UNCONTROLLABLE (5)
5 10 15 20 25 AVOIDABLE (1)
10 20 30 40 50 HIGH CONTROLLABLE (2)
15 30 45 60 75 MODERATELY CONTROLLABLE (3) EXTREME (5)
20 40 60 80 100 UNCONTROLLABLE (4)
25 50 75 100 125 HIGHLY UNCONTROLLABLE (5)

TABLE 7: Risks & Opportunities Assessment Matrix

EXCELLENT A1 B1 C1
OPPORTUNITY ASSESSMENT

(90-120) Low-Risk/Excellent Opportunity Moderate Risk/Excellent Opportunity High-Risk/ Excellent Opportunity

FAIR A2 B2 C2
(60-89) Low-Risk/Fair Opportunity Moderate Risk/Fair Opportunity High-Risk/Fair Opportunity

POOR A3 B3 C3
(30-59) Low-Risk/ Poor Opportunity Moderate Risk/Poor Opportunity High-Risk/Poor Opportunity

LOW (1-27) MODERATE (28-64) HIGH (65-125)

RISK ASSESSMENT

LEGENDS:
A1 - Pursue opportunity, no RTAP required
A2 - Top Management to decide whether to pursue opportunity, no RTAP required
A3 - Do not pursue opportunity, no RTAP required
B1 - Pursue opportunity but needs RTAP aimed at least to reduce likelihood of the risk event occurring and/ or mitigate the adverse impact
B2 - RTAP required and Top Management to decide whether to pursue opportunity
B3 - Do not pursue opportunity but needs RTAP aimed at least to reduce likelihood of the risk event occurring and/ or mitigate the adverse impact
C1 - Pursue opportunity but implement RTAP aimed at avoiding the risk/ eliminating the risk source
C2 - RTAP required aimed at avoiding the risk/ eliminating the risk source and Top Management to decide whether to pursue opportunity
C3 - Do not pursue opportunity but implement RTAP aimed at avoiding the risk/ eliminating the risk source

TABLE 8: Risk Rating & Opportunity Rating

RISK RATING ACTION

 Risk is acceptable, no further action needed
GREEN - A
 Retain risk by informed decision
(1 < RR < 27) – Low-Risk
 Take the risk to pursue an opportunity
 Risk can be tolerated but needs risk treatment action plan
ORANGE - B aimed at least to reduce likelihood of the risk event occurring
(28 < RR< 64) – Moderate Risk and/ or mitigate the adverse impact
 Transfer/ share the risk
 Risk is not acceptable; needs risk treatment plan aimed at
RED - C avoiding the risk/ eliminating the risk source
(RR ≥ 65) – High-Risk − Stop or suspend work/ operation until risk treatment plan
has been implemented

OPPORTUNITY RATING ACTION

GREEN - 1
(OR ≥ 90) – Excellent  Opportunity shall be pursued immediately
Opportunity

ORANGE - 2
 Management to decide whether to pursue opportunity
(60 < OR < 89) – Fair Opportunity

RED - 3
(30 < OR < 59) – Poor  Opportunity shall not be pursued
Opportunity