Common use of Risk survey Clause in Contracts

Risk survey. A risk survey is a methodical process carried out on a periodic basis to form and maintain the risk map at the Project level and which focuses on material risks. A risk survey includes mapping of scenarios and/or processes that are evaluated and rated according to scales of assessment that were defined by the management of the Project, according to parameters of severity and probability. The findings of the risk survey constitute the foundation for forming the handling plan of the key risks and taking action to mitigate them. A risk survey includes the following stages:  Mapping and planning of the work and its scope The purpose of this stage is to determine the goals of the survey and forming consent as to the contents of the survey, its stages, the work approach, the timetables and the budget scope. This stage includes, inter alia, reference to the following matters:  the units, the bodies and the activities that will be included in the work contents.  Executives and agents that will take part in the survey process.  Individual reference to the goals of the Project that will be included in the contents of the risk management process.  The work method and its adaptation to the characteristics of the Project.  The main risk areas upon which the risk survey will focus.  Mapping of material risks in the Project This stage includes all the actions that are being carried out for the purpose of identifying and mapping the risks. In the framework of this process, possible agents (internal or external) and possible outcomes (consequences) of potential risk event will be taken into account. In order to identify the risk, the tools and methods to identify risks, that are adapted to the nature of the activity in the Project will be implemented. The mapping of risks will include a preliminary stage in the framework of which the main activities categories in the Project will be mapped as well as the goals of such activities, across categories (the COSO-ERM model divides into 4 categories: strategy, operation, reporting, compliance). Identification of the targets and definition of the risk categories is the starting point for carrying out the risk survey as well as the foundation for achieving maximum perfection of the risk survey. In relation to each risk, a risk owner will be identified that will be the agent directly responsible for risk management in the Project. Here is a partial example for the main activity categories3: Here is an example of a risk mapping document format: 3 The example is for illustration purposes only of the document structure and is not a full and binding list of categories of activities. Risk no. Risk Category Risk subject Risk definition Risk factors Impact of the risk Level of severity Rate of probability Top category (COSO) Secondary category Activity category Strategy Realization of project strategy Business concentration Goodwill and image Interfaces with governmental bodies Outsourcing strategy Geo-political Corporate responsibility and sustainability (CR&S) External factor Security Natural disasters Emergency event Business continuity management (BCP/DRP) Operations Planning Statutory planning Engineering planning Interfaces with third parties Construction Construction works Safety Environmental, health and safety Procurement and engagements Procurement management Information technology Information systems management Information security Human resources Human resources management Legal Legal proceedings management Financial Embezzlement and fraud Financing and liquidity Budget management Economic conditions / trends Insurance Reporting Reporting Accounting and taxes Reporting to authorities and external bodies Internal reporting Compliance Compliance Laws and regulations Regulation Compliance policy Compliance supervision  determining criteria for rating risks In order to assess the risks criteria will be formed that will be used by position holders to rate risks in terms of severity (impact) and probability. Criteria to assess severity and probability may be quantitative as well as qualitative. Criteria to assess the severity level of the risks are criteria to assess the damage level that may form in the Project as a result of a risk occurring. Criteria to assess the probability level of the risks are criteria to assess the potential of the risk occurring. Here is an example of criteria for assessment of severity and probability: Impact of the risk on business processes Level Description Deviation from the budget Deviation from the timetables Impact on passenger traffic 1 Immaterial Less than 2% of the budget A deviation of up to a month A decrease of less than 10% in passenger traffic 2 Low 2%-5% of the budget A deviation of 2-3 months A decrease of between 10% and 20% in passenger traffic 3 Medium 5%-15% of the budget A deviation of 3-4 months A decrease of between 20% and 30% in passenger traffic 4 Material 15%-30% of the budget A deviation of 5-6 months A decrease of between 30% and 40% in passenger traffic 5 Critical More than 30% of the budget A deviation of more than six months A decrease of more than 40% in passenger traffic Probability of the risk occurring Level Description Risk Description 1 Remote 5%> chance that the event will occur The event may occur under extraordinary circumstances - once every 50 years 2 Improbable 5%-10% chance that the event will occur The event may occur sometime on the upcoming 10 years 3 Plausible 10%-50% chance that the event will occur The event may occur sometime in the upcoming two to five years 4 Expected 50%-80% chance that the event will occur The event will probably occur during the next couple of years 5 High probability 80%> chance that the event will occur The event will probably occur during the upcoming year  Risk assessment and rating of severity and probability When carrying out a risk survey the level of impact and the level of probability of the risk is being assessed by the relevant position holders in the Project and reflects their assessment of the consequences of the risk, while taking into account the ways to handle the risk (responses) that exist in the context of the risk event, in terms of effectiveness and completeness of carrying out the responses. These assessments are manifested in the risks map that is a drawing of the risk levels (as residual risk as mentioned) in the various fields of activity in the Project. The risks map includes all the risks in a lateral view and allows a managerial focus on the risks, that constitute “key risks”, the key risks are risks the risk level of which was defined as high or critical. Here are examples of as risk map (heat map): Impact of the risk Critical High Mediu Low Immaterial Remot Improbabl Plausible Exp Probability of the risk occurringect High probability

Risk survey. A risk survey is a methodical process carried out on a periodic basis to form and maintain the risk map at the Project level and which focuses on material risks. A risk survey includes mapping of scenarios and/or processes that are evaluated and rated according to scales of assessment that were defined by the management of the Project, according to parameters of severity and probability. The findings of the risk survey constitute the foundation for forming the handling plan of the key risks and taking action to mitigate them. A risk survey includes the following stages:  Mapping and planning of the work and its scope The purpose of this stage is to determine the goals of the survey and forming consent as to the contents of the survey, its stages, the work approach, the timetables and the budget scope. This stage includes, inter alia, reference to the following matters:  ▪ the units, the bodies and the activities that will be included in the work contents.  ▪ Executives and agents that will take part in the survey process.  ▪ Individual reference to the goals of the Project that will be included in the contents of the risk management process.  ▪ The work method and its adaptation to the characteristics of the Project.  ▪ The main risk areas upon which the risk survey will focus.  Mapping of material risks in the Project This stage includes all the actions that are being carried out for the purpose of identifying and mapping the risks. In the framework of this process, possible agents (internal or external) and possible outcomes (consequences) of potential risk event will be taken into account. In order to identify the risk, the tools and methods to identify risks, that are adapted to the nature of the activity in the Project will be implemented. The mapping of risks will include a preliminary stage in the framework of which the main activities categories in the Project will be mapped as well as the goals of such activities, across categories (the COSO-ERM model divides into 4 categories: strategy, operation, reporting, compliance). Identification of the targets and definition of the risk categories is the starting point for carrying out the risk survey as well as the foundation for achieving maximum perfection of the risk survey. In relation to each risk, a risk owner will be identified that will be the agent directly responsible for risk management in the Project. Here is a partial example for the main activity categories3: Here is an example of a risk mapping document format: 3 The example is for illustration purposes only of the document structure and is not a full and binding list of categories of activities. Risk no. Risk Category Risk subject Risk definition Risk factors Impact of the risk Level of severity Rate of probability Top category (COSO) Secondary category Activity category Strategy Realization of project strategy Business concentration Goodwill and image Interfaces with governmental bodies Outsourcing strategy Geo-political Corporate responsibility and sustainability (CR&S) External factor Security Natural disasters Emergency event Business continuity management (BCP/DRP) Operations Planning Statutory planning Engineering planning Interfaces with third parties Construction Construction works Safety Environmental, health and safety Procurement and engagements Procurement management Information technology Information systems management Information security Human resources Human resources management Legal Legal proceedings management Financial Embezzlement and fraud Financing and liquidity Budget management Economic conditions / trends Insurance Reporting Reporting Accounting and taxes Reporting to authorities and external bodies Internal reporting Compliance Compliance Laws and regulations Regulation Compliance policy Compliance supervision  determining criteria for rating risks In order to assess the risks criteria will be formed that will be used by position holders to rate risks in terms of severity (impact) and probability. Criteria to assess severity and probability may be quantitative as well as qualitative. Criteria to assess the severity level of the risks are criteria to assess the damage level that may form in the Project as a result of a risk occurring. Criteria to assess the probability level of the risks are criteria to assess the potential of the risk occurring. Here is an example of criteria for assessment of severity and probability: Impact of the risk on business processes Level Description Deviation from the budget Deviation from the timetables Impact on passenger traffic 1 Immaterial Less than 2% of the budget A deviation of up to a month A decrease of less than 10% in passenger traffic 2 Low 2%-5% of the budget A deviation of 2-3 months A decrease of between 10% and 20% in passenger traffic 3 Medium 5%-15% of the budget A deviation of 3-4 months A decrease of between 20% and 30% in passenger traffic 4 Material 15%-30% of the budget A deviation of 5-6 months A decrease of between 30% and 40% in passenger traffic 5 Critical More than 30% of the budget A deviation of more than six months A decrease of more than 40% in passenger traffic Probability of the risk occurring Level Description Risk Description 1 Remote 5%> chance that the event will occur The event may occur under extraordinary circumstances - once every 50 years 2 Improbable 5%-10% chance that the event will occur The event may occur sometime on the upcoming 10 years 3 Plausible 10%-50% chance that the event will occur The event may occur sometime in the upcoming two to five years 4 Expected 50%-80% chance that the event will occur The event will probably occur during the next couple of years 5 High probability 80%> chance that the event will occur The event will probably occur during the upcoming year  Risk assessment and rating of severity and probability When carrying out a risk survey the level of impact and the level of probability of the risk is being assessed by the relevant position holders in the Project and reflects their assessment of the consequences of the risk, while taking into account the ways to handle the risk (responses) that exist in the context of the risk event, in terms of effectiveness and completeness of carrying out the responses. These assessments are manifested in the risks map that is a drawing of the risk levels (as residual risk as mentioned) in the various fields of activity in the Project. The risks map includes all the risks in a lateral view and allows a managerial focus on the risks, that constitute “key risks”, the key risks are risks the risk level of which was defined as high or critical. Here are examples of as risk map (heat map): Impact of the risk Critical High Mediu Low Immaterial Remot Improbabl Plausible Exp Probability of the risk occurringect High probability