
ECCT Risk Management Policy

1. Introduction

This Policy Standard sets out the detailed requirements and minimum levels of achievement necessary to implement the risk management elements of the business risk imperative of the ECCT Management System: We manage the risks associated with our activities and minimize the impact of undesired and unexpected events.

Taking and managing appropriate levels of risk is an integral part of all our business activities. Risk Management, performed rigorously and comprehensively, creates stability, indirectly contributes to profit and is a key element of reputation management.

1.1 Definitions

Risk is defined as events that may prevent achievement of the aims or goals of one or more key business or project stakeholders.

Risk Management is a systematic way of protecting business resources and income against losses so that the objectives of the Group can be achieved without unnecessary interruption.

Risk Assessment is the systematic process of identifying and analyzing risks.

2. Objectives and Commitment

ECCT is committed to implementing appropriate strategies and processes that identify, analyze and manage the risks associated with our activities as a means of minimizing the impact of undesired and unexpected events on our business activities. We will therefore:

  • Identify business objectives that reflect our ambition.
  • Identify the threats to the achievement of our business objectives.
  • Control and manage our exposure to risk by appropriate risk reduction and mitigation actions.
  • Regularly review our exposure to all forms of risk and reduce it as far as reasonably practicable or achievable.
  • Apply robust risk management processes as part of a wider management system.
  • Educate and train our managers in risk management.
  • Regularly review the risks we face as a result of our business activities and of the business and economic climate in which we operate.
  • Identify cost effective risk treatment options.
  • Identify and regularly measure key risk indicators and take appropriate action to reduce our risk exposure.
  • Regularly review our key risk controls to ensure that they remain relevant, robust and effective.

We will demonstrate achievement of the individual components of this Policy Standard through the preparation of documented procedures, the reporting and review of risk at all levels of the business and a monitoring and audit programme to ensure that the processes are being implemented.

3. Principles

In all business areas, managers will carry out risk assessments regularly, record the findings and take appropriate management actions in a timely fashion. Risk reviews will specifically address business, operational, financial and reputational risks as well as risks covered by Health and Safety and Environmental Protection legislation.

In particular, the following activities will be undertaken:

  • Comprehensive risk assessment performed during proposal development.
  • Integrated contract and risk management processes.
  • Regular review and update of risk register.
  • Preparation of contingency plans for high risks.
  • Early identification of emerging risks and initiation of risk reduction or mitigation action.

Where appropriate, managers may need to consider specialist advice for areas such as:

  • Health and safety.
  • Environmental protection.
  • Fire and security.
  • Disaster recovery.
  • Safety-critical systems and operations.
  • Insurance.
  • Media/public relations.

The following contract activities, because of the intrinsic risks or from past experience, present particularly high risk profiles and will require formal risk management activities to be undertaken:

Projects involving responsibility for:

  • Nuclear installations, weapons or materials.
  • Conventional weapons, ammunition or explosives.
  • Aircraft operation or maintenance.
  • Air traffic control or aviation services.
  • Mass transit systems.
  • Major environmental or biological hazards.
  • National security.

Projects involving:

  • Design/development of safety critical systems and software.
  • Civil engineering design and construction.

Where the annual sales value of the contract represents a significant proportion (typically >10%) of the annual turnover of the business unit.

Where public interest is particularly high or where the customer has placed a particularly high importance on the success of the project.

Where large scale capital investment is required.

Initial contracts for new customer organizations.

Company acquisitions.

4. Requirements

ECCT and joint venture companies are expected to have established systems and procedures which address the issues set out below in ways appropriate to the type of business being undertaken.

4.1 Processes

  • Processes in place to identify the risks associated with the Company’s activities, assess risks in terms of probability and consequence, evaluate reduction and mitigation measures, and allocate ownership. Management of risk is a continuous process.
  • Training to ensure all relevant management and staff understand and implement this Policy Standard.

4.2 Risk Assessment

  • Risk assessments conducted for acquisitions, new contracts and projects, existing contracts and contract changes. The assessments are to address potential risks to the expected business benefits and to compliance with relevant legal requirements. These risk assessments form a key part of the formal approval process for the venture.
  • Risk assessments performed by competent personnel including, where appropriate, expertise from outside the immediate business unit.
  • Procedures established to update risk assessments at appropriate intervals and to review these assessments regularly.

4.3 Planning

  • Management plans prepared which describe the actions to be taken to address significant risks.
  • Crisis management plans prepared which describe the actions including media/public relations response to be taken to address crisis or disaster situations. The plans are reviewed, updated and tested at regular intervals.
  • Key risk assessments and management measures referenced in project approval documentation.

4.4 Management

  • Assessed risks addressed by levels of management appropriate to the nature and magnitude of the risk, and an overall view of the portfolio risk to the business is taken.
  • Risks considered in the light of potential opportunities.
  • Decisions documented and the resulting actions implemented through local procedures.
  • Appropriate and cost-efficient actions taken to manage and control risks.
  • Specific measures in place to ensure continuing compliance with Health and Safety and Environmental Protection legislation.

4.5 Reporting

  • Procedures to ensure that regular reports identifying key risks and risk management actions are prepared for each project, contract and business and that summary reports are submitted to the appropriate management board.
  • Business divisions submit summary reports to ECCT Board as part of the quarterly reporting process.

4.6 Audit & Review

  • A programme of regular audits and reviews to ensure that the risk management procedures are being followed and that planned risk reduction/mitigation actions have been implemented.
  • A regular review of the risk management policies and procedures to ensure that they continue to meet Company Governance requirements and the needs of the business.

5. Responsibility and Authority

This policy standard is issued under the authority of the General Manager of ECCT. Responsibility for implementation of this policy standard is set out below.

  • Responsibility for the achievement of this policy standard rests with the Executive Team.
  • Projects’ Managers are responsible for implementing the policy standard, monitoring its implementation in the everyday activities of their operations and reporting to their contract board.
  • All staff are responsible for the ownership and undertaking of their risk management functions in accordance with this Policy Standard and for its implementation within the framework of the Company’s procedures and directives.
  • An Assurance Company covers ECCT's risk of being unable to meet its financial responsibilities.

6. Evidence of Compliance

To demonstrate compliance with this Policy Standard, the following documentation is to be available for audit:


  • Risk Management Policy Standard (This document).
  • Related policy statements and procedures.
  • Risk assessment of ECCT activities.
  • Crisis management plan.
  • Internal Audit reports.


  • Procedures.
  • Risk assessment of divisional activities.
  • Crisis management plan(s).
  • Audit/review records.

Operating contracts

  • Risk assessment of activities.
  • Risk Management Plan.
  • Contract/project proposal review and sign-off.
  • Audit/review records.

7. Guidance and Standards

ECCT risk management guidance and training material is available at the main office.

The following international and national standards provide useful guidance on the implementation of risk management:

  • Project Management – Guide to the Management of Business Related Project Risk BS 6079-3:2000 (UK)
  • Risk Management: Guideline for Decision Makers CAN/CSA-Q850-97 (Canada)
  • Risk Management AS/NZS 4360: 2004 (Australia/New Zealand)
