Skip to main content.

Developing effective risk management in a global mining group


An international mining group had many dissimilar and fragmentary approaches to risk management across its business units, arising from the series of acquisitions and mergers that had led to its formation.

The group felt that its approach to risk management as part of safety and environmental management was well advanced. However, it needed a fresh, consistent and comprehensive approach for all forms of risk across all its sites, including newly acquired upstream assets. In particular the group approach should to address the risks associated with asset integrity, trading and treasury activities, as well as mining operations.

The group asked Broadleaf for practical advice on how to develop and enhance a suitable framework for managing all risks consistently (sometimes called enterprise risk management, or ERM) across its operations. We suggested that this should be based on a critical evaluation of the elements already in place and should be informed by what is generally regarded as good practice in the resources sector.

The entire project was spread over a year. Broadleaf supported the group until it felt confident in its own leadership of the changes required.


Based on considerable experience, we believe that the most efficient and effective approach to developing a new framework and the associated implementation plan involves, broadly, using a gap analysis as an input to a management of change process. This is depicted in the Y Model shown in Figure 1 and described below.

Figure 1: Y Model approach

Y Model approach to gap analysis and planning

To be successful and efficient, the approach requires:

  1. An accepted and accurate representation of the current arrangements for managing different forms of risk – the present situation
  2. The fundamental concepts of risk and risk management and the desired goals in terms of the risk management framework and process to be clearly understood by those sponsoring the change – the wanted situation
  3. A clear and accepted appreciation of the elements of the existing framework that need to be enhanced or improved, the nature of those changes and any additional elements that need to be created – what needs to change
  4. The exploration of options, constraints, enablers and critical paths leading to an appropriate plan of actions with timings
  5. A clear commitment to the plan and its implementation through the allocation of suitable resources by senior management and by their continued oversight of progress.

These steps can be tackled separately and the results reported to senior management. However, the most efficient approach, and the one that gains the greatest degree of ownership and endorsement, is to involve representatives of senior management in all these steps over a short space of time.

Phase 1 – Engagement and gap analysis

Broadleaf facilitated a two-day, intensive workshop that covered the five steps described above with a group of champions drawn from across the business. The workshop involved a series of modules that briefed the participants, facilitated gap analyses, developed a blue print for the framework, devised tools, wrote a policy statement and developed the implementation plan. The outline agenda for the workshop is shown in Table 1.

The workshop was based on ISO 31000:2009, as this provides the most widely used, up to date and comprehensive prescription for a framework for managing risk. The international standard has also been adopted widely as a national standard in many countries, including most locations where the group had operating assets.

Table 1: Agenda and outcomes for the framework workshop



1 Fundamental concepts

  • Risk and how it is managed
  • The risk management framework and its elements
  • The risk management process and steps
  • Enhancing risk management through change management

An appreciation of the fundamental terms and concepts behind effective risk management. This includes how an organisation can build and develop its capacity to manage risk.

2 ISO 31000 – principles and attributes of effective risk management

  • Desired outcomes
  • Integration with decision making
  • Project risk management
  • Strategic risk management

How the risk management process supports decision-making.

An understanding of the process for integration.

Agreement on the wanted situation, the design intent of the framework.

3 Evaluation and gap analysis

  • Applying a gap analysis tool for framework elements and process
  • Examples of good practice
  • Evaluation against principles and attributes of effective risk management

A clear definition of the current situation.

Acceptance of what needs to change.

Motivation for change.

4 Work items and options

  • Exploration of alternatives with costs and benefits
  • Discussion of tasks and outcomes

Agreed, tangible tasks to lead to an enhanced framework.

5 Risk management toolkit

  • Development of risk criteria that reflect the group’s risk attitude and appetite
  • Qualitative risk rating process and matrix
  • Control effectiveness criteria
  • Potential exposure measure
  • Authorities for toleration of risk
  • Priorities for attention
  • Root cause analysis methods *Control assurance approaches

The basis for a risk management toolkit for the group.

This required further detailed development after the workshop.

6 Policy statement

  • Policy elements and design requirements
  • Drafting of policy

Draft policy for review and endorsement by the Management Committee.

7 Draft risk management plan

  • Tasks and timelines
  • Accountabilities
  • Governance and oversight arrangements

Agreed plan and schedule.

Agreed process to steer and monitor progress on the implementation of the plan.

The basis for governance reporting

The evaluation and gap analyses (module 3) used protocols and tools supplied by Broadleaf.

Broadleaf recorded all outcomes as they were developed. These included:

  • Draft policy statement
  • Framework design intent
  • Basis for the risk management toolkit
  • Risk management plan
  • Description of the desired governance and oversight arrangements.

Phase 2 – Guidance on risk assessment and treatment

Broadleaf prepared a guideline that included the risk rating system developed previously. It also included a range of templates and tools and described a process for establishing the context, conducting a risk assessment and developing risk treatment plans.

This guideline, tools and templates were used as the basis of the subsequent training course.

Phase 3 – Risk management champions’ training course

This took place over four days and included many practical exercises including a half-day group case study. It was held twice, in Europe and North America.

The training objective was to equip champions with sufficient skills to facilitate risk assessments and help their management teams start integrating the group risk management process into decision-making processes at their sites.

Table 2: RM Champions' course agenda

Day 1

1 Introduction

  • Basic concepts of risk and risk management
  • Definitions
  • Hazards and risks
  • The risk management process (ISO 31000)
  • The group RM framework, policy, standards and guidelines

2 RM Process - Communication and consultation

  • Stakeholder analysis
  • Communications planning

3 RM Process - Establishing the context

  • External context
  • Internal context
  • Group risk criteria
  • Key elements *Workshop preparation and briefing notes

Day 2

4 RM Process - Risk identification

  • Basic concepts
  • Brainstorming
  • Structured what-if
  • Forms of HAZOP

5 RM Process - Risk analysis

  • Basic concepts
  • Control effectiveness
  • Group risk rating process
  • Potential exposure
  • Quantitative risk analysis

Day 3

6 RM Process - Monitor and review

  • Monitoring compared with review
  • Accountabilities
  • Key controls
  • Environmental scanning
  • Root cause analysis of successes and failures

7 Project risk management

  • Integration into project development and execution
  • Risk focussed peer review

8 Group case study (1/2 day)

Day 4

9 Group case study feedback

10 Integrating risk management

  • Strategy development and the group planning process
  • Sustaining capital process
  • The general process for integration

11 Implementing risk management

  • The role of the RM Champion
  • Challenges to implementation and solutions
  • RM plans
  • Risk management maturity evaluation
  • RM performance management and reporting

12 Personal planning

  • Support
  • Mentoring
  • Personal planning

Site engagement and roll out

Broadleaf supported the group with the rollout of the framework at two locations in Europe and North America. The objective was to demonstrate the application of the concepts and tools introduced to champions in the training courses and to trial the process for risk assessment and treatment in the guideline.

Broadleaf produced an engagement pack for use at all locations. It included templates, copies of the policy, standards and guidelines and a short training workshop for managers. The training materials were to be used on sites to:

  • Introduce the group framework
  • Provide a fundamental understanding of risk, controls and risk management
  • Prepare for a subsequent baseline risk assessment and risk treatment planning exercise
  • Describe how a management team should integrate the risk management process into their decision-making processes and the purpose of a risk management plan
  • Explain, in particular, how the risk management process was to be used in future in support of the group planning and sustaining capital programs.

Broadleaf led two engagement exercises, one at a smelter and one at a mine site. The group risk manager and champions participated at each site so there was a transfer of skills.

Each site engagement took four days. It consisted of:

  • Introductory workshop
  • Site tour and induction
  • Establishing the context
  • Preparation of a briefing note
  • Facilitation of a baseline risk assessment
  • Development of a definitive baseline risk register for the site
  • Facilitation of risk treatment workshops and the creation of risk treatment plans
  • Facilitation of the creation of a risk management plan for the site
  • A close out presentation to management that confirmed what had been found and the next steps required by them.

The close out presentation included the results of risk analyses, such as those shown in Figure 2, Figure 3 and Figure 4. The numbers in the matrices are the identifiers for the risks.

Figure2: Priorities for risk treatment

Priorities for risk treatment based on level of risk and control effectiveness

Figure 3: Key controls for monitoring and review

Teh key controls modify the risks at high PE and low levels of risk

Figure 4: Senior management oversight of treatment

Senior management should monitor the treatment of high risks with high PE

Sites were also provided with a risk management enhancement plan for the next 12 months. An outline plan is shown in Figure 5.

Figure 5: Outline risk management plan

Major activities, month by month


After many years and projects of a similar nature, it is clear to us that a contractor should not ‘do risk management’ for a client. Our role must be to facilitate the process, to help our client’s staff understand and adopt good practice, not to do all the work for them.

Key components of all risk management frameworks are the strategies adopted to train and build capability. In this case it was vital to:

  • Train champions and others in the fundamental concepts of risk management before they were equipped to conduct a gap analysis and evaluation
  • Provide practical training, with many exercises, so that champions quickly became confident in facilitating the risk management process
  • Reinforce theoretical training with involvement in a real engagement and risk assessment exercise on a site
  • As the first part of engagement and roll out of the new framework at a site, provide basic training to managers on the fundamentals of risk management.

A PDF of this case study can be downloaded here