Document N° - Inkia-S-01-03

Rev.3

Guide Risk Management Process

Document N° Inkia Energy S-01-03

3 6/1/2020 LD/CL/DA/FS FS FS
Rev # Date Prepared by: Reviewed by: Approved by:

This is a controlled document of Inkia Energy

This document is intended for internal use only. It may not be transferred in whole or in part to external
parties without the written approval of Inkia Energy

Application of Policies and Guidelines

Operating companies under Inkia Energy’s operational control are required to implement all Inkia Energy
policies and guidelines. Contractors under the supervision of these operating companies or under the
direct supervision of Inkia Energy are required to uphold the spirit and intent of these policies and
guidelines and may be selected based on their performance against same.

For those operating companies that are not under the operational control of Inkia Energy, Inkia Energy
will endeavor to have its policies and guidelines either:
• Adopted in full, requiring conforming with all policies and guidelines, as a condition of contract; or
• Used as a reference to ensure all contract provisions address the spirit and intent of the Inkia Energy
policies and guidelines.

Page 1 of 8
 Document N° - Inkia-S-01-03
Rev.3

1.0 Introduction

Inkia Energy believes in providing its employees as safe a work environment as reasonably
practicable given the inherent risks in its business. Consequently, Inkia Energy requires all of its
operating companies to perform a detailed Operations and Maintenance (O&M), Environmental and
Social, Health and Safety (ESHS) Risk Assessment to identify the critical aspects of its business. The
operating company is expected to implement a Risk Management System that will ensure the proper
controls for the risks identified are being continuously evaluated and appropriate actions taken as
required.
The following information is provided as a minimum requirement for the Risk Assessment and
Management System selected by the operating company.

2.0 Responsibilities

The following outlines some of the main responsibilities of the different duties within the company.
The allocation of responsibilities may vary depending on the organization chart. It is important that
each of the functions listed have been assigned to an officer of the operation.

General Manager
• Ensure the necessary resources to comply and enforce the guidelines are available.

Plant Manager
• Ensure that systems are in place and functioning for verifying that the proper management
of risk is performed, and Risk Assessment is conducted for all operations in order to achieve
an appropriate and practicable level in all processes.
• Ensure that employees leading and/or conducting Risk Assessment have received
appropriate training in the process.

EHS Supervisor
• Classify all O&M and ESHS related activities in the Risk Management System and establish
that the adequate controls are in place for all activities of the company.
• Participate in conducting Risk Assessment and ensuring that appropriate personnel are
included as part of the risk assessment team.

3.0 Objective

The purpose of the Risk Management System is to ensure a systematic approach to management of
risk for all Operations and ESHS related activities.
The System must ensure that legislation as well as company policies are being complied with. One
of the principal objectives is to establish that the adequate controls are in place for all activities of
the company. There should be multiple level of protection (controls) for each activity to ensure that
the proper safety levels have been achieved. All activities must be reviewed with Management and
proper plans put in place. Special consideration must be given to those activities with two or less
controls in place.
The company should endeavor, through the proper management of risk, to achieve an appropriate
and practicable level in all of its processes. The main outcome of this process is:

• Identification of a set of risk classification criteria for the company

Page 2 of 8
 Document N° - Inkia-S-01-03
Rev.3

• Identification of the risks associated with each activity

• Classification of the risks in accordance with a set of agreed criteria
• Identification of proper controls to reduce probability of occurrence
• Identification of proper controls to reduce the severity after an occurrence
• Set up the controls to manage the activities
• Assist in ensuring that proper resources are being allocated
• Ensure that policies and procedures are properly reviewed
• Assist in the pursuit of ALARP (As Low As Reasonably Practicable) risk levels.

The system must be documented in sufficient detail as to provide evidence that the appropriate
approvals/controls are in place.

4.0 Methodology

The Operating Company has discretion as to the methodology to be implemented. However, the
methodology to be utilized must ensure the following issues are addressed:

• Systematic method for identifying, prioritizing, and addressing significant O&M and ESHS
risks
• Identify O&M and ESHS aspects and hazards considering past, existing and new business
activities, products and services along with changes in operations.
• Allows mapping of all of the company processes.
• Integrate into business and operational planning, the management of significant risks and
opportunities.
• Include the participation of all appropriate parties.
• Evaluate and manage risks and opportunities during all phases of mergers, acquisitions,
divestitures and affiliate transfers.
• Identify Critical Controls and defines responsibilities for their effectiveness.
• Incorporates the possible frequency of occurrence as a parameter.
• Incorporates the possible severity of occurrence as a parameter.
• Provide means of prioritizing risk prone activities.
• Identify personnel responsible for all activities.
• Provide for constant monitoring through appropriate reporting.
• Early warning of failures in the system (temporary or otherwise).
• Measurement of the effectiveness of each control.
• Proper communication channels through the organization.
• Capable of assisting in pursuing ALARP.
• Includes reporting system for all levels of the organization.

5.0 Terminology

The following terms are incorporated to ensure consistency during the evaluation of risks across
the Inkia Energy Organization.

• Hazard: Any inherent physical, biological or chemical characteristic that has the potential
to be a source of harm to workers, the public, the environment, or property.
• Risk: The possibility of adverse impacts to workers, the public, the environment or the
business due to the presence of a hazard or issue. Risk magnitude is a function of the
likelihood of an adverse incident and the severity of its consequences.

Page 3 of 8
 Document N° - Inkia-S-01-03
Rev.3

• Threats: Any material, substance or event that by action or lack of action associated with
a risk that could result in a non-desirable event (Main Event).
• Social Risk: Any social matter of stakeholder concern that has the potential to be a source
of harm to the business. Example stakeholders include the local community, the general
public, activist groups, the media, regulators, investors, employees and customers.
• Main Event: First non-desirable event in what could be a chain of events that could occur
due to the presence of a hazard or issue which would result in adverse impacts to workers,
the public, the environment or the business.
• Consequence: The results of a non-desirable event, could involve people, environment,
property and/or reputation.
• Escalation of a Consequence: Additional events that could result if the proper measures
are not taken after the occurrence of the event.
• Control Barriers: Measures taken to prevent a Main Event from occurring. Barriers can be
physical and/or procedural.
• Risk Management: The identification of inherent risks and implementation of necessary
actions to prevent or mitigate adverse impacts on workers, the public, the environment
and the business.
• Recovery Barriers: Measures taken to minimize damage to people, environment and/or
company property after an event. Barriers can be physical and/or procedural.
• Barriers Factor: It is the factor is determined according to the level of control barriers
implemented. This factor combined with the impacts, allows to determine the level of
residual risk.
• Risk Classification: An operating company wide and approved ranking system to be applied
throughout the entire processes.
• Contributing Factor: Factors that when considered within the evaluation contribute to
increase the probability of occurrence of the identified danger and that may come from
the following sources:
o Equipment – Is equipment (machinery, hardware, tools) creating or contributing
to the risk? Does equipment need to be added, modified, or replaced?
o Materials – Are materials, substances or chemicals creating or contributing to the
risk? Are there alternatives or substitutions?
o Methods – Are operational processes and procedures (or lack thereof) creating or
contributing to the risk? Can operational processes be redesigned, simplified, or
modified to reduce the likelihood and severity of potential incidents?
o Management – Are management issues such as - budget/time constraints, lack of
clear responsibilities, or lack of accountability/oversight - present?
o People – Are workers properly qualified, trained and experienced? Are workers
appropriately rewarded or disciplined for EHS related behaviors?

6.0 Process

The following process is a way to perform the risk assessment, through this process the scope of
the evaluation is defined, the hazards and their consequences are identified, the risks of each
system or activity are evaluated, the level of risk is determined and recommendations are
developed for each significant risk.

Page 4 of 8
 Document N° - Inkia-S-01-03
Rev.3

RISK EVALUATION PROCESS

Obtain Management Support and Sponsorship
Integrate the evaluation group
Define the scope of the
Risk Evaluation Map Company Process
Identify all activities by company

Identify the hazards for each activity

Identify the hazards Identify non desirable event
Analyze existing information about incidents that occurred or
dangerous situations reported

Identify for each hazard the factors that contribute to increase the
Contributing factors likelihood of occurrence

Identify potential
consequences or Identenfy the consecuences or impacts if the hazards causes damage
impacts

Identify Engineering controls

Identify existing Identify Administrative controls
Control Barriers
Identify personal protection

Evaluate the risk for each hazard

Estimate likelihood of occurrence according to cases occurrence criterias

Evaluate the Risk Estimate Severity of consequences or impacts
Determine the total risk score according to severity
Determine relative ranking significance, risk category and total risk score

Evaluate the residual risk for each hazard

Evaluate the Residual Estimate Barrier Factor according to Control Barrier criterias
Risk
Determine the Residual Risk according to Barrier Factor

Develop recommendation for each significant risk

Develop The control barriers recommended have to be developed to reduce
Recommendations the residual risk
The order of the recommendations should be, eliminate, replace, control
and an ultimately protect the staff

Management initiates
Verify the effectiveness of recommended barriers
and ensure
implementation of
The Residual Risk is Acceptable, if the control barriers implemented
appropriate follow-up eliminate, replace or control the risk so that they prevent the main
actions related event from occurring and reduce the residual risk

Evaluate the risk again

Acceptable Level Reassess the risk in the
after implementing the NO YES
of Risk Achieve next planned evaluation
recommended actions

Page 5 of 8
 Document N° - Inkia-S-01-03
Rev.3

a. Directions for evaluate the risks:

After mapping the activities that are part of the scope of the evaluation, identifying the associated
hazards, the factors that can contribute to increasing the probability of occurrence, the
consequence or their potential impacts and the existing control barriers, assesse the risks:
• For a hazard that can produce a potential incident, select the most appropriate Likelihood
of Occurrence column according to the criteria of likelihood (Table 1).
• For evaluate the Severity of Consequence use the criteria of the applicable seven types of
impacts (Table 2).
• The resulting risk category comes from the multiplication of the probability of occurrence
by the highest value of the impacts assessed and their significance can be visualized in the
matrix of Risk Score (Table 3), If the resulting number is higher and the level of risk is higher.
• Colors code define the Risk condition for the hazard assessed (Table 4).
• According to the criteria established for the available barriers, select (Table 5) the value
according to the criteria that apply to the assessed hazard.
• Record each selection on the Worksheet (Showed in the Table 6).

Table 1: Likelihood of occurrence

Likelihood of ocurrence
1 2 3 4 5
Hardly ever Low Medium High Almost Certain
Cases
Never happen Once happen in At least one in At least 2 events More than two
in the industry the industry INKIA companies in INKIA companies events in INKIA companies

Table 2: Severity of Consequence

Safety and health Property Environmental Reputation Financial Compliance Social Level of Impact
Material damage, > US$ 500K Effects with significant Very high profile issue. Very high impact on earning > Legal intervention by regulatory Severe negative impact on the
> 6mo service interruption (irreversible) impact on high Significant public relations 10% EBITDA entity with long term litigations community in the area of
values species, habitats or challenges likely and material costs influence due to the operations
ecosystem. Material impact to of the company, irreparable
environment requiring extensive damage. Material impact to
Possible multiple fatalities remediation and potential
significant impact on Licenses or
community relationship with
potential Significant impact to
5
permits operations (long work stoppage )
requiring long term negotiations
involving third parties.

Significant damage, between Severe effects, in the long term High stakeholder interest. Public High impact on earning , Written requirement for Significant negative impact on
US$100K and US$ 500K, and/or, (more than 5 years). That affect relations challenges likely between 7% and 10% of EBITDA corrective actions with Monetary the community in the area of
between 2 month and 6 month the function of the ecosystem. sanctions influence, damages that involve
Possible fatality or service interruption. Severe impact ro environment long-term recovery measures.
permanently disabling injury or
illness
requiring medium term
remediation and potential
Severe impact to community
relationship with potential
4
impact on Licenses or permits impact to operations (short work
stoppage ) requiring medium
term negotiations.
Some damage, between US$25K Moderate effects, in the medium Moderate stakeholder interest. Moderate impact on earning , Written requirement for Moderate negative impact on the
and US$ 100K, and/or, between 1 term (between 1 and 5 years) Public relations challenges likely between 5% and 7% of EBITDA corrective actions with community in the area of
and 60 days service interruption. that affect the function of the Administrative sanctions influence due to company
ecosystem. Moderate impact to operations. Some violations of
Serious injury or illness and environment requiring short legal limits. Moderate impact to
health issues term remediation and no impact community relationship with 3
to Licenses or permits. potential limited impact to
operations (protests ) requiring
additional negotiations to
normal Grievance process.
Minor damage, between US$10K Minor effects short term (less Moderate stakeholder interest. Low impact on earning , between Written requirement for Mild negative impact in the
and US$ 25K . No service than 1 year) but that do not Public relations challenges 2% and 5% of EBITDA corrective actions community of the area of
Some injury or illness and interruption affect the function of the possible influence. Minor impact to
health issues, medical
treatment
ecosystem. Minor effects to
environment that do not require
community relationship with no
impact to operations (discontent
2
remediation ) and managed thru normal
grievance process.
Minor damage, between US$1K Insignificant effects, in minimal Low stakeholder interest. Public Very low impact on earning , < Verbal requirement for Short-term recovery measures.
Minor injury or illness and and US$ 10K . No service area, of little importance. relations challenges possible 2% EBITDA corrective actions Minor impact to community
health issues, first aid interruption Insignificant effects to relationship managed thru 1
environment normal grievance process.

Page 6 of 8
 Document N° - Inkia-S-01-03
Rev.3

Table 3: Risk score

Table 4: Colors code of Risk Condition

Table 5: Control Barriers Factor

Control Barriers Factor

1 2 3 4 5
Hardly ever Low Medium High Almost Certain
Barriers All control All control implemented. Partially control There are little There are no controls
available implemented. No need There is an acceptable implemented , still control implemented implemented
additional controls redundancy in the controls there are
contributing factors

TABLE 6 (Example of Risk Assessment Worksheet)

RISKS ASSESSMENT PROCESS WORKSHEET

Site: Evaluation Scope: Date:

Business Unit: Person conducting evaluation:

Activity Threat Control Recovery Barriers Severity Total Riks Resulting Risk Residual Recomendation
Ref No. (Source of potential harm) Hazard Consequences Likelihood
Contributing Factors Barriers Barriers Factor S&H PRO ENV REP FIN COM SOC Score Category Risk Control Barriers Recovery Barriers
5 3 3 1 2 1 3 1 4 4 20 12
2 1 3 4 5 2 1 1 1 5 10 5

Page 7 of 8
 Document N° - Inkia-S-01-03
Rev.3

7.0 Final Document

A final Risk Assessment document must be prepared documenting how the Risk Assessment &
Management Process was developed and plans for its implementation. The document should include a
description of company assets as well as specifying in a clear and simple format the company’s critical
activities from a risk point of view. The proper organization structure and lines of responsibilities must
be clearly defined. Should identify the controls required making a distinction between existing and future
controls as well as the personnel responsible for them. Where new controls are required, there should
be a plan to implement them (See Table 7, Risk Assessment Action Plan). Final document should establish
the residual risk in accordance to the controls to be implemented and the accepted risk. This document
shall be approved by the Operating Company Management.
The process for control and reporting must be specified. The reports must include all levels within the
organization to ensure that both routine and non-routine activities as well as the longer-term issues are
addressed.
This Risk Management System must be revised when any of the following conditions exists:
• Every time there is a change in any of the processes
• Acquisitions or Divestures
• In accordance with the Implementation Plans
• Or every 12 months

Table 7: Risk Assessment Action Plan

RISKS ASSESSMENT ACTION PLAN

PLANT: DATE:
APPROVED BY: PREPARED BY:

No. Referencia Activity Risk Risk Level Residual Risk Control Barrier Recomended Expected Residual Risk Estimated Cost Responsible Due Date Status

Page 8 of 8