Crisis Management Manual

Crisis
Management
Manual

www.maaden.com.sa

Table of Contents 4
17
PARTS 41
51
1. Crisis Management Policy 105
2. Governance and Management 157
3. Incident Assessment and Escalation 171
4. Crisis Management Plan
5. Crisis Communication Plan
6. Maintenance, exercising and training
7. Glossary of Terms

Part 1 Crisis Management Policy 2

Part 1

Crisis Management
Policy

Part 1 Crisis Management Policy 3

Table of Contents 2

PART 1 4

1. CRISIS MANAGEMENT POLICY 4
5
1.1. A message from the President and CEO 5
1.2. Applicability 6
1.3. Scope 6
1.4. Purpose 6
1.5. Principles 7
1.6. Definitions 8
1.7. Crisis management responsibilities 8
1.8. Crisis management Priorities 8
1.9. Requirements 9
1.9.1. Incident assessment 9
1.9.2. Escalation, notification and reporting 9
1.9.3. Initial notification 10
1.9.4. Escalation 10
1.9.5. Recording and reporting 12
1.9.6. Plans 12
1.9.7. Crisis command centers 12
1.9.8. Governance 13
1.9.9. Training 13
1.9.10. Exercising 14
1.9.11. Maintenance 14
1.9.12. Review & Audit
1.10. References 3

Part 1 Crisis Management Policy

Part 1 Crisis Management Policy 4

1.1. Applicability

The requirements of this policy shall apply to all locations and business entities
Kingdom-wide in which Ma’aden has a controlling interest, or which are Ma’aden
owned, Ma’aden managed, and Ma’aden leased. At locations or in business entities
where Ma’aden does not have a controlling interest, Ma’aden will encourage the
creation, implementation and maintenance of these requirements.

1.2. Scope

This policy document applies to the management of any events which can or do
constitute a crisis, either at a local level (for example an affiliate) or on a wider scale
and impact the Ma’aden Group. Such crisis events can be classified into two groups:

Operational Crises
• Industrial emergencies such as accidents resulting in critical injury or property

damage
• Natural disasters that threaten employee safety or jeopardize operations
• Accidental releases of materials such as tailings dam failure or a major chemical

spill that could threaten people and the environment

Non-Operational Crises
• Medical emergencies in jurisdictions where quality medical care is either remote

or entirely lacking
• Corporate/business-related threats such as litigation, white-collar crime, market

issues and other matters with a material impact on the company
• Workplace issues such as workplace violence, allegations of unethical

behaviour, etc.
• Missing person incidents related to criminal or non-criminal circumstances
• Political and security risks such as kidnapping, extortion, bomb threats, sabotage,

political or civil unrest, disgruntled employees, illegal detention by authorities,
insurgent activity and civil disturbances
• Natural disasters, pandemics, etc. that threatens the health and safety of
employees or the communities in which the company operates

This policy is also applicable to and should include within its scope, crisis management
events which can emerge as an aftershock from the original crisis, or from
emergencies. These could include discovery of other problems

Part 1 Crisis Management Policy 5

related to the crisis as part of a post-incident review, investigations by regulators,
industry bodies, emergency services or government authorities, the impact of social
media outlets, lawsuits, financial penalties, lost business/production, management
changes and impact from crisis events relating to divestitures through association.

1.3. Purpose

The purpose of this document is to describe the elements required for a robust
and consistent crisis management capability across Ma’aden’s
business interests so that Ma’aden is capable of responding in the required manner to
incidents which may have a material impact on Ma’aden’s business interests.

1.4. Principles

These principles are the fundamental rules and considerations that shape
Ma’aden’s preparation for, response to and recovery from a crisis. Specific ways
of working should always be consistent with these overarching principles.

a. Be prepared with clear, and universally understood structures, roles and
responsibilities

b. When a crisis occurs, take and achieve control as soon as possible
c. Build situational awareness by good information management, challenge and

collective working
d. Have a clear and well-rehearsed decision-making and action driving process
e. Communicate well, both internally and externally
f. Enable, facilitate and develop good leadership at all levels of the

organization
g. Prepare people for a crisis through appropriate training and robust

exercising
h. Learn from mistakes and make changes to prevent their reoccurrence through

a continual improvement process

1.5. Definitions

Please refer to Part 7 of this document for a complete list of definitions.

Part 1 Crisis Management Policy 6

A list of key definitions used within this policy are detailed below:

Term Description
CMT
Crisis Crisis Management Team

Emergency Is an abnormal, unstable and complex situation, with a wider impact than that
of an incident or emergency, but which threatens the strategic objectives,
reputation or existence of the organization.

Is an incident which is outside the control or scope of the immediate
management and requires additional authorities, or tactical decisions, or
which requires a timely response due to its magnitude and potential for further
escalation into a crisis.

Incident Is an adverse or disruptive event that has the capacity to lead to the loss of or
a disruption to an organization’s operations, services, or functions – which, if
not managed effectively can escalate into an emergency, crisis, or disaster.

1.6. Crisis management responsibilities

The main responsibilities for crisis management rest with the management teams in
the appropriate organization, either Ma’aden Corporate or the affiliates. In addition,
there are a number of specific roles to support the implementation and management
of the crisis management capability, these are defined below:

WHO RESPONSIBILITES
President & CEO
Reviewing crisis management policy, standards, processes and
systems, providing sponsorship and support for the establishment
and maintenance of the crisis management capability across the
group.

Crisis Management Effective crisis management awareness, assessment and
Committee measurement of the crisis management capability and ensuring the
appropriate controls are in place for the implementation and
maintenance of the crisis management capability across the group.

Crisis The strategic direction and command, control, and communication in
Management Team managing the response to a crisis incident within the group.

(Affiliate) Crisis The strategic direction and command, control, and communication in
managing the response to a crisis incident within the affiliate.
Management Team

Part 1 Crisis Management Policy 7

Affiliates Ensuring that a comprehensive crisis management capability is
implemented and maintained in their affiliate in accordance with this
policy so that consistency is applied across the group, that incidents
are swiftly notified and reported
to the Corporate Industrial Security Department so that lessons
learnt can be recorded and tracked through to implementation.

Owner The strategic direction and command, control, and communication in
managing the response to a crisis incident within the group.

Corporate Industrial On behalf of the Crisis Management Committee, responsible for
awareness, assessment, monitoring and measurement for the crisis
Security Department management capability and controls relating to
implementation and maintenance of crisis management across the
group.

Internal Audit Ensuring that a review of crisis management is conducted across
the group to ensure the appropriate controls are in place and the
defined framework is being followed.

1.7. Crisis management Priorities

In a Ma’aden corporate crisis situation, the Group Crisis Management Team will apply
the following priorities when defining and directing a response:

• Minimize risk or danger to clients, employees or the public.
• Protect the environment to the best of its ability.
• Preserve the Company’s assets, reputation and goodwill.
• Minimize risk to the financial position of the Company.
• Communicate effectively, both internally and externally ensuring that external

communications centre on key stakeholders, including the authorities and the
media.
• Provide policy guidance in areas not covered by these guidelines.

1.8. Requirements

1.8.1. Incident assessment

Whenever an incident occurs at a Ma’aden location, the incident must be
assessed using the requirements defined in this policy to classify its potential
impact on the organization.

Ma’aden Corporate has defined an assessment table to assist with this
process. This assessment table should be used to determine the initial

Part 1 Crisis Management Policy 8

severity of the incident and any subsequent severities as part of an ongoing
assessment.

The severity level will dictate who should be notified and who should take control of
the incident and manage the response. Within Ma’aden, incidents will be classified
using the following severity levels as defined by HCIS:

CLASSIFICATION COLOR CODE
Minor BLUE
Minor YELLOW
Mediate ORANGE
Major RED

1.8.2. Escalation, notification and reporting

At all times, corporate procedures for the notification, escalation and reporting of
incidents must be followed. The following policy will be applied for all incidents.

1.8.3. Initial notification

Whenever an incident occurs at a Ma’aden location it must be notified to a
representative of the management team at that location and then if the
severity warrants it, through to the affiliate management team and Ma’aden Corporate
management team. The initial assessed severity level should then be confirmed with
the party being notified.

CLASSIFICATION COLOR CODE PARTY TO BE NOTIFIED

Minor Blue Site/Local Emergency Management Team

Minor Yellow Affiliate Management Team ISD & CEO*

Mediate Orange Corporate management Team ISD & CEO

Major Red ISD & CEO

*ISD to use their discretion on whether to notify the CEO based upon nature and extent of the incident.

1.8.4. Escalation

If any facts or circumstances change relating to the incident, the responsible party that
has management control of the incident should re-assess the severity of the incident
and if the severity level changes, notify this to the

Part 1 Crisis Management Policy 9

appropriate party relating to the severity level using the initial notification table above.

1.8.5. Recording & reporting

All incidents must be formally recorded using the procedure EHSS-001 and held in a
central register. All reports must include the mandated information defined within
procedure HSE-11-STD-01 and a copy of the initial incident report must be sent to the
required parties in the timescales defined in procedure HSE-11-STD-01. All reports
must be sent to Corporate Security and Insurance Department in Ma’aden Corporate
in addition to any other parties defined in the corporate procedure and any parties
prescribed by local procedures.

1.8.6. Plans

To ensure Ma’aden has the appropriate procedures in place to respond to and manage
incidents at all severity levels,

all Ma’aden locations and affiliates will have the following plans in place:

PLANNING PLAN SEVERITY RESPONSIBLE DESCRIPTION
LEVEL LEVEL OWNER

Incidents BLUE Local Scenario specific plans
Management and procedures to assist
‘day-to-day’
Emergency management response to
Response manage minor incidents
Plan
Procedure based plans
Emergencies YELLOW Site Emergency that define the
Management structure and actions to
Team respond to and manage
emergencies.

ORANGE Affiliate Crisis Process based plans and
Management procedures to respond to
Team and manage crisis incidents
that are local to the affiliate.

Crises Crisis Process based plans and
Management procedures to respond to
Plan Corporate and manage crisis
Crisis incidents that have an
RED Management impact outside a specific
Team affiliate or a single location.

Part 1 Crisis Management Policy 10

Incident response plans (IRP’s) and Emergency Management Plans (EMP’s) will be
specific to each location and/or affiliate, but they must comply with the minimum
requirements defined within the Ma’aden corporate policy and procedural
requirements.

Crisis management plans must be adapted so they are appropriate for each
affiliate. Each crisis management plan must include the following information
as a minimum:

a. The structure and role of the CMT and what is expected of it

b. The activation (notification) mechanism and process for a crisis and how it works
in practice

c. A team composition and structure with defined roles and responsibilities

d. The crisis management processes and protocols to be adopted

e. Details of levels of response across the organization (i.e. who is to be
contacted for what level of problem)

f. Key contact details: how the CMT and staff are to be contacted in the
event of a crisis

g. Where the CMT is to meet (with alternative locations) and what
equipment, facilities and support are required

h. Who has authority and responsibility for key decisions and actions
in a crisis

i. CMT record keeping guidance during the crisis

j. A situation report template which is to be used across the
organization to provide information to the CMT

k. Stakeholder reference chart/list and protocols for stakeholder
management, including crisis communication

l. Location and contents of the primary and alternate crisis
control centers

m. Templates for forms, reports and briefings, such as:

• Draft crisis management team meeting agenda

• CMT record keeping sheet (actions, decisions, events, time,
responsibility, etc.)

Part 1 Crisis Management Policy 11

• Situation report

• Status/progress reports

• Enquires log (Media, families, public, staff, etc.)

• Checklists

1.8.7. Crisis command centers

A crisis command center and alternate should be identified, implemented and
proven for each crisis management plan. Each crisis command center should have
both a primary and alternate location available. The primary and alternate location
should be sufficiently far enough apart so that the likelihood of both locations being
affected by the same crisis incident is at an acceptable level. The primary and
alternate location should have a
minimum set of facilities available which should be listed in an appendix to the
associated crisis management plan.

The crisis command center should be separate from any emergency
management center used by Ma’aden or its affiliates due to the high
likelihood of both centers being required at the time of a crisis.
Requirements for the emergency management centers are defined separately in
the Ma’aden emergency management policy and procedures documents.

1.8.8. Governance

An appropriate governance framework will be applied to the crisis management
capability across Ma’aden which will include:
• A management and responsibility structure for ‘day-to-day’ management and crisis

response management
• ‘day-to-day’ roles and responsibilities for maintaining the crisis

management capability
• Reporting frequency and criteria
• Clearly defined sponsorship, ownership and accountability for the crisis

management capability in Ma’aden corporate and in each affiliate

1.8.9. Training

All crisis management team members and their alternates shall receive crisis
management training initially and then refresher training on at least an

Part 1 Crisis Management Policy 12

annual basis. The topics to be covered in the crisis management training are detailed
in the crisis management Framework, Part 6.

Stakeholder and media communications shall only be performed by those that have
the required authority and training. Crisis Communications/media training should be
provided to all approved individuals and refresher training should be provided each
year.

1.8.10. Exercising

All crisis management plans and facilities for the Ma’aden Group shall be tested
and exercised at least once a year. Exercising must also include testing the
integration between crisis management and emergency management plans.

The following table details the exercising activities to be conducted and their
frequency.

# ITEM/ACTIVITY FREQUENCY RESPONSIBILITY

Confirm crisis management facilities are Plan owner (see
1 implemented, are available, functional and Once a year above)

working

2 Conducting desktop crisis management Different level 4 risk each Plan owner (see
exercise against level 4 risk
quarter above)

3 Conducting semi-live crisis management Once a year Plan owner (see
exercise above)

4 Conducting combined crisis and emergency Once a year (separate Plan owner (see
management exercise from item above) above)

5 Completing Exercise plan Whenever exercise is Plan owner (see
6 Completing Post-exercise report
conducted above)

Within 2 weeks of each Plan owner (see

exercise above)

The minimum requirements for pre-exercise planning and post-exercise
reporting are defined in Part 6 of the crisis management framework.

1.8.11. Maintenance

All crisis management plans and supporting information, crisis management centers,
crisis management facilities and crisis management information must be kept
accurate and up-to-date by their owners.

Part 1 Crisis Management Policy 13

Updates to crisis management plans must be circulated to the designated crisis
management team and alternates on the same day.

Validation of crisis management updates will be performed by the Corporate
Industrial Security Department.

1.8.12. Review & Audit

The crisis management framework defines requirements for the periodic review and
maintenance of the crisis management plan, facilities and capability. This review
should be formalized with the submittal of an annual self-assessment confirmation
form by the owner, and for these forms to be held on register centrally.

Ma’aden should also include crisis management on the schedule of internal audits
and ensure that all crisis management plans, facilities and capabilities are
independently audited and reviewed to ensure the process is being followed and the
crisis management capability reported is a fair and accurate reflection of the actual
status

1.9. References

The above policy has been specifically written for Ma’aden with reference to the
following standards and industry best practice documents:
1. Mining Association of Canada - Crisis Management Planning

reference guide
2. ISO 22320 Societal Security – Emergency management – Requirements for

incident response
3. BS 11200 Crisis management - Guidance and Good Practice
4. ISO 22398 Societal security – Guidelines for exercises
5. EHSS-001 Ma’aden Corporate MA’ADEN ENVIRONMENT, HEALTH &

SAFETY (EHS) Standards Incidents Reporting Standard
6. PAS 200:2011 Crisis management – Guidance and good practice

Part 1 Crisis Management Policy 14

Part 2

Governance
and Management

Table of Contents 15

PART 2 17

2. Governance and management 17
17
2.1. Introduction 17
2.1.1. Overview 17
2.1.2. Purpose 17
2.1.3. Context 18
2.1.4. Scope 18
2.1.5. Intended outcome 19
2.2. Governance Development 19
2.3. Crisis management governance 20
2.3.1. Overview 21
2.3.2. Reporting 22
2.3.3. Resources 22
2.3.4. Ownership 23
2.3.5. Involvement 24
2.3.6. Integration 26
Appendix A - Crisis Management Committee (CMC) 31
Appendix B - Crisis Management Committee (CMC) 34
Appendix C - Crisis management status report 36
Appendix D - Crisis management issues register
Appendix E - Crisis management self-assessment

Part 2 Governance & Management 16

2. Governance and management

2.1. Introduction

This governance and management framework is a core component of the overall crisis
management capability within Ma’aden. It explains the controls in place regarding the
development, management and monitoring of an ongoing crisis management
capability and performance.

2.1.1. Overview

This governance and management framework is one of a number of documents
produced to define and describe the methodology that Ma’aden will use to steer,
control and manage crisis management across its group of companies (comprising of
its corporate entity and affiliates). The framework consists of a structure and
associated set of interacting activities that achieve the desired governance outcomes.

2.1.2. Purpose

The purpose of governance is to provide executives and senior management with the
assurance that its intent and direction are reflected in the crisis management posture
and capability of Ma’aden. This is done by using a structured approach to govern the
on-going crisis management programme and monitor its capability in continuing to
meet the required outcome.

2.1.3. Context

Within the scope of this document, and therefore the crisis management governance
framework across Ma’aden, governance is defined as:

A framework of responsibilities and activities discharged by executives and senior
management that consists of leadership, organizational structures and processes to
ensure Ma’aden sustains, protects and supports the achievement of Ma’aden’s
strategy and objectives through consistently monitoring, assessing and responding to
incidents that can affect its people, essential services and activities along with their
supporting facilities and infrastructure.

2.1.4. Scope

This governance and management framework is applicable to the Ma’aden group
which comprises of the corporate entity and all of its affiliates and values creation
activities.

Part 2 Governance & Management 17

This governance and management framework will provide a consistent
strategic direction for crisis management activities and ensure that the
defined and required objectives are achieved. It will ensure crisis
management risks and issues are appropriately assessed and managed, enterprise
resources are used responsibly, and the required benefit is derived from an integrated,
cohesive and structured approach to crisis management across Ma’aden.

2.1.5. Intended outcome

The executives and senior management of Ma’aden should be confident that they
have an accurate understanding of the adequacy and effectiveness of the Ma’aden
crisis management programme and its capability to achieve the required preventative
and responsive measures to protect Ma’aden against unplanned, unforeseen
incidents that escalate beyond the capability of day to day management practices.

2.2. Governance Development

A foundation of any governance structure is to develop and adapt as the organization
evolves and changes. This means the Ma’aden governance and management
framework should be maintained and adapted as Ma’aden grows and changes, in
order to maintain the crisis management capability and ensure it can develop and
mature.

This activity should be recognized as an important part of the continuous
improvement programme across Ma’aden and be integrated into the organization’s
change management discipline. While the implementation of crisis management
can be monitored and structured as a project (or
programme of integrated projects), the commitment to crisis management, its
ongoing management, maintenance, exercising, training and development as
Ma’aden develops is paramount to ensure

its continued capability required to support and protect the Ma’aden enterprise from
unforeseen incidents.

2.3. Crisis management governance

Part 2 Governance & Management 18

2.3.1. Overview

As Ma’aden’s crisis management capability develops and matures, so governance
should develop and become more familiar, streamlined, relevant and, ultimately, more
effective and integrated.

The governance approach defines how the crisis management programme,
maintenance and development should be steered and managed to achieve the
desired goals, and the relationship between the contributing aspects.
Each of the aspects has an equal contribution to achieve the desired overall
governance objective(s). The governance approach for Ma’aden focuses on five key
aspects (also referred to as pillars):

• Reporting
• Resources
• Ownership
• Involvement
• Integration

The relationship between these five pillars is depicted in Figure 2.1 below. A
description follows in the accompanying sub-sections.

Measurement, monitoring and Operational Management of CM, advice,
information flow guidance, training and testing

CM
GOVERNANCE

Decision making, accountability Strategic alignment, management and
and authority direction of CM

INTEGRATION

Integrating CM with other
management processes

Diagram 2.1 – Governance framework

Part 2 Governance & Management 19

2.3.2. Reporting

Reporting for crisis management governance defines the collection of information
provided to the crisis management owners, relating to the status, well-being and
progress of crisis management implementation and maintenance across the
organization.

The purpose of reporting is to provide the owners with sufficient information so that
they are aware of the current status of the crisis management capability and any
issues associated with it and can therefore make the necessary decisions to address
these.

Crisis management reporting across the Ma’aden group is required to be as follows:

INFORMATION SUBMISSION FREQUENCY RECIPIENT
RESPONSIBILITY
Six monthly
Emergency Affiliate site Affiliate crisis
management management Six monthly
information pack* team(s) management team
Twice a year,
Affiliate Crisis Affiliate Crisis within 2 weeks Corporate Industrial
of exercise Security Department
management management Team

information pack*

Crisis management Affiliate Crisis Corporate Industrial
exercise documentation Security Department
(see Part 6) management Team

Crisis management Affiliate Crisis Quarterly Corporate Industrial
status report (see Quarterly Security Department
Appendix C) management Team Annually
Corporate Industrial
Crisis management Affiliate Crisis Security Department
issues register (see
Appendix D) management Team Corporate Industrial
Security Department
Crisis management All
self-assessment (see
Appendix E)

*Affiliate emergency management and crisis management information packs should include copies of all the relevant information
specific to the affiliate, in accordance with the policy procedures and guidelines issued by Ma’aden corporate.

Ma’aden will use these reporting activities to define a number of key performance
indicators, against which the affiliates will be measured and monitored. The
underlying activities which will

Part 2 Governance & Management 20

define the key performance indicators (KPI’s) will be:
• Maintenance and update of emergency management information*
• Maintenance and update of crisis management information*
• Submission/maintenance of information*
• Completion of crisis management exercises & submission of exercise reports
• Submission of reports by the due dates
• Age of issues - <= 30 days, > 30 days & <= 90 days, > 90 days & <= 180 days,

> 180 days
• Completion of crisis management self-assessment, sign-off by President of

Affiliate and submission to Corporate Industrial Security Department.

*A copy of all the affiliate crisis management information should be stored on a central repository provided by corporate, to which
the affiliates have access. Every six months each affiliate should submit confirmation that the information stored centrally is up-
to-date.

2.3.3. Resources

Insufficient resources can lead to inappropriate implementations, a lack of alignment
and understanding of the business and a reduction in quality of implementation.
Therefore, the key control criteria for crisis management resources relates to the
correct quality¹ and quantity² of human resources, along with the necessary budget³.

• Resource requires support and empowerment to carry out implementation,
conduct periodic reviews and perform on-going crisis management
maintenance across the Ma’aden Group.

• Having the necessary quantity of skilled and experienced resources, an
understanding of the business and an ability to understand how crisis
management integrates with emergency management is required.

• Continual development and improvement of the crisis management practices,
procedures and facilities requires crisis management maintenance to be
integrated into the change management processes within the affiliates and
corporate.

¹Without enough quality, the capability is likely to be significantly impaired and unlikely to achieve the necessary
proficiency;

²Without enough quantity of resource, the capability is likely to take longer to implement (therefore exposing the organization to
elongated risks) and become out-of-date due to poor maintenance activities and frequencies;

³Without enough budget the crisis management programme may not be able to implement the right controls and preventative /

protection measures.

Part 2 Governance & Management 21

2.3.4. Ownership

Effective governance models depend upon the correct levels of ownership within the
organization for on-going management and maintenance activities.

Ownership for crisis management in the affiliates and corporate is defined within
the crisis management policy.

The owners for crisis management are responsible for implementation of the
crisis management program and its ongoing ability to meet the requirements of
the individual affiliate and Ma’aden corporate.

2.3.5. Involvement

Crisis management governance requires the active engagement of stakeholders on
multiple levels: strategic, tactical and operational, for the ongoing management and
maintenance of the crisis management capability and when responding to an incident.

Individual roles and responsibilities are defined in the crisis management policy.

A high-level overview of the involvement across Ma’aden for the maintenance of crisis
management is shown below:

ENTITY INVOLVEMENT

Ma’aden Crisis Management Effective crisis management awareness, assessment and
Committee measurement of the crisis management capability and
ensuring the appropriate controls are in place for the
implementation and maintenance of the crisis management
capability across the group.

Corporate Industrial On behalf of the Crisis Management Committee,
Department responsible for awareness, assessment, monitoring and
Security measurement for the crisis management capability and
controls relating to implementation and maintenance of
crisis management across the group.

Affiliate Management Ensuring that a comprehensive crisis management
capability is implemented and maintained in their affiliate
in accordance with Ma’aden policy, swiftly notifying and
reporting incidents to the Corporate Industrial Security
Department, providing regular reporting and document
updates as required.

Part 2 Governance & Management 22

2.3.6. Integration

Effective governance is dependent upon crisis management being integrated with
other management processes to ensure consistency across the Ma’aden Group,
including all affiliates and their locations.

A consistent method in the assessment of incident severity across functions and
affiliates will ensure the right individuals are informed, respond and manage the wider
aspects of incidents.

Effective integration accelerates the maturity, progress, benefits and results of crisis
management and other management processes, enhancing such processes and
enabling them to provide a common, integrated platform of assessment recognized
and understood by all area of the business and its affiliates.

Ma’aden should ensure that an appropriate method is in place across corporate
functions and the affiliates to integrate crisis management and ensure consistency of
severity levels and assessment.

Part 2 Governance & Management 23

Appendix A

Crisis
Management
Committee
(CMC)
Composition

Part 2 Governance & Management 24

Crisis Management Committee Composition

Functional Name Functional Name
Division/Dept Mosaed Al Ohali Division/Dept
Director- Corporate
Maaden Enterprise Abdulaziz A. Al Harbi Coordination EHSS
Facilitation
Ibrahim Al-Amer & Saad Al -Twaim
Government
Human Capital Relation Saad Alanazi
Khalid Al-Fantoukh

Abdulgader Saud
Al-amer

SVP- Finance & CFO

Finance Omar Abdullah Al-
Harbi
Procurement

Riyadh Al-Nassar

Aluminum SBU Bander Awad Al-
Phosphate SBU ICT Habshan
MGBM SBU
Hassan M.Al-Ali

David C. Ibrahim Al-Amer
Schummer HR

Corp HSE & IS Director- Corporate
EHSS

Abdulaziz Nassir
Al-Najim

PME. Project Admin Services Hassan Sharaf Al-
Management Hassani
Engineering

Raminder Singh

Legal

Corporate Khaled Al-Ohali Insurance/ERM
Strategic Affairs Turki A. Altoaimi Security

Communication

Manager- Corporate
Security

Part 2 Governance & Management 25

Appendix B

Crisis
Management
Committee
(CMC) Terms of
Reference

Part 2 Governance & Management 26

Membership

1. The Crisis Management Committee (CMC) shall operate as a sub-
committee of the Executive Committee of Ma’aden.

2. The CMC shall have designated members covering all aspects of
Ma’aden’s business, support and control functions.

3. The Executive Committee shall:
• Appoint and agree the primary members of the CMC;
• Appoint and agree the deputies/alternates for each member
• of the CMC;
• Confirm the President and CEO as the Chairman of the CMC;
• Select the CMC Deputy Chairman and Secretary;
• Determine the period for which CMC members shall hold office.

Meetings

1. The Crisis Management Committee (CMC) shall meet normally every six
months, although this may be more frequent if there are significant changes or
other activities underway which impacts on the crisis management capability
within Ma’aden.

• Frequency of meetings shall be determined by the Committee
Chairman.

• Suggestions for a higher frequency, with justifications, shall be referred to the
Chairman of the Committee.

2. An extra-ordinary meeting of the CMC may be called by any member of the CMC
or by the CMC Secretary.

3. The quorum necessary for the transaction of business by the CMC shall be six
members, comprising of:

• Committee Chairman or deputy;
• An appropriate representative for Finance, Insurance or Legal;
• An appropriate representative for HR & Sustainability;
• An appropriate representative for each SBU.

4. Notice of each CMC meeting, confirming the venue, time and date, and enclosing
an Agenda of the items to be discussed shall, unless otherwise agreed by the CMC
Chairman, be forwarded to each member of the CMC and any other person
required to attend, no fewer than three days prior to the date of the meeting.

Part 2 Governance & Management 27

5. An up-to-date status report of crisis management across Ma’aden and its
affiliates will be circulated to the CMC with the agenda and previous minutes
prior to the CMC meeting taking place.

6. In the absence of the physical presence of the CMC Chairman, or any
appointed deputy, the Chairman or deputy may attend via telephone
conference call or other means as necessary.

7. The CMC Secretary or Deputy Secretary shall keep accurate and appropriate
minutes of the proceedings of the CMC, all decisions made, and actions agreed,
and will circulate a copy of the minutes within 72 hours following the Committee
meeting.

Authority

1. The CMC is authorised to seek any information it requires from any employee of
the Company or affiliate to enable it to carry out its duties. Senior Management
shall make arrangements to ensure that the CMC is provided with such data it
requires to enable it to perform its duties.

2. The CMC shall have full authority to commission whatever reports or surveys
it deems desirable to enable it to discharge its functions.

3. The CMC shall be empowered to perform the necessary duties to control, manage
and investigate any potential or actual incident that could
or does affect the business operations of Ma’aden, providing regular
communication is maintained with the Chairman of the CMC.

Duties

1. The CMC shall during normal operations:

• Provide oversight to the development, maintenance and testing of crisis
management plans and facilities;

• Agree the crisis management policy for Ma’aden;
• Provide direction and prioritisation to crisis management activities during

‘day-to-day’ business operational activity;
• Review the current status on crisis management capability and the

issues associated with the status, and provide direction and
prioritisation on activities to address those issues and any deficiency in
Ma’aden’s crisis management capability;

Part 2 Governance & Management 28

• Ensure that crisis management is considered as part of strategic
business decisions;

• Promote crisis management awareness and education across Ma’aden;
• Ensure crisis management planning, maintenance and testing

responsibilities are clearly assigned and understood within the
business areas;
• Review and agree the strategic crisis management assessment and
planning information;
• Review crisis management exercise reports and ensure any actions are
prioritised and progressed.
• Ensure maintenance of crisis management requirements for systems,
facilities and services is conducted by the business areas in-line with
business changes.

Responsibilities

The CMC members will represent the following business areas:

BUSINESS AREAS REPRESENTED

President & CEO Chairman

Finance Group Treasury
Investor Relations
Planning, Budget & performance
Financial Reporting & Tax
Insurance & ERM
Mergers & Acquisitions
Business Evaluation
MIC

EHSS

- Environment, Health, Safety & Security

PME & OE

- Operational Excellence

- Digitalization

- R&D

- PMO

Executive VP, - Engineering Reliability & Practices

Shared Services & - PMT

Security - Projects

CSR

- Sustainability

- Local Content Development

CSS

- ICT

- Accounting

- Procurement

- Admin Services

Part 2 Governance & Management 29

Human Capital Leadership Dev’t. & Org. Effectiveness
Strategy Learning & Dev’t Partnerships
Employee Services

Corporate Strategy
New Business Development

Legal &
Compliance
Legal & Compliance

Audit Committee Internal Audit

Corporate Affairs Corporate Communications

Exploration Greenfield
Brownfield
Resource Conversion

Aluminum B.U. Strategy & Bus. Development
Marketing & Logistics
MBAC
MAC
MRC
SAMAPCO

Gold Base Metals Strategy & Bus. Development
MGBM
B.U. MBCC

Phosphate B.U. Strategy & Bus. Development
Marketing & Logistics
MPC
MWSPC
IMC

Part 2 Governance & Management 30

Appendix C

Crisis
Management
Status Report

ROLE BUSINESS AREAS REPRESENTED

Company / Affiliate

Name: Month: Year:
(tick appropriate box)
3 months
Crisis Management < 1 week 1 week & 1 month &<6 >6
Plan (CMP) < 1 month &<3 months Months
months

CMP last reviewed

CMP last updated

CMP last circulated to
the CMT

Contact details

CM internal contact
details reviewed

CM internal contact
details updated

CM external contact
details reviewed

CM external contact
details updated

Crisis
Communications
Plan (CCP)

CCP reviewed

CCP updated
CCP circulated to CMT

Crisis Command
Centre (CCC)

Part 2 Governance & Management 32

CCC facilities checked 33

CCC information
checked
CCC information
updated
CCC stationery
checked
CCC stationery
updated
Crisis Management
exercise
CM desktop exercise
conducted
CM plan tested for
level 4 risks
CM semi-live exercise
conducted
CM exercise plan
produced
CM exercise plan
approved
CM exercise report
produced
CM exercise report
approved
Crisis Management
Team (CMT) training

CMT trained

CMT alternates training

Part 2 Governance & Management

Appendix D

Crisis
Management
Issues Register

Part 2 Governance & Management 34

Crisis Management issue register

Issue Action to Person Estimated Actual Reason
# Status of completion completion for
date date
description resolve issue responsible
action for action
1
2
3
4
5
6

Part 2 Governance & Management 35

Appendix E

Crisis
Management
Self-assessment

Part 2 Governance & Management 36

Crisis management self-assessment
sign-off

Affiliate Name:

Person’s Name:

Role / position:

Date:

I hereby confirm that I have reviewed the crisis management plan, facilities and
capability of the above-named affiliate and confirm that:

a. The structure and roles of the CMT and alternates are up-to-date and
accurate.

b. All internal and external contact details have been reviewed and are up- to-date.
c. All CMT members and their deputies are aware of their roles if the CMT is

activated.
d. The crisis management plan has been reviewed and updated.
e. The crisis management facilities (Crisis Control Center and facilities) have been

reviewed, checked and tested – and meets the requirements of the CMT and
crisis management plan.
f. The information in the crisis control center has been updated.
g. The CMT convening/RV points have been clearly defined and
communicated to all the CMT and alternates.
h. Authority to activate the CMT and crisis control center has been defined and
communicated to all CMT members and alternates and is understood by all.
i. All members of the CMT and their alternates have been sent and have received
a copy of the crisis management plan.
j. The crisis management plan contains copies of all required forms for
managing the response to a crisis and recording all such response activities.
k. The crisis management issues register is up-to-date and has been

Part 2 Governance & Management 37

submitted to Ma’aden corporate.

l. Sufficient resources and budget are assigned to resolve the issues on the crisis
management register.

m. The incident reporting process and protocol is understood by all staff in the
affiliate and is followed rigorously.

n. The affiliate’s management team understands how to assess an incident using
the crisis management incident assessment criteria.

o. The affiliate’s management knows when to notify, inform and escalate an incident
to Ma’aden corporate.

Signed

GENERAL INSTRUCTION (G.I) CRISIS MANAGEMENT PLAN
-001
Prepared by:
Number:

Part 2 Governance & Management 38

Part 3

Incident Assessment
and Escalation

Table of Contents 39

PART 3 41

3. Incident assessment and escalation 41
41
3.1. Incident identification 42
3.2. Incident assessment 43
3.3. Incident escalation and notification 44
3.4. Incident reporting 47
Appendix A - Impact Assessment Table
Appendix B - Escalation and notification flow

Part 3 Incident Assessment and Escalation 40

3. Incident assessment and escalation

3.1. Incident identification

Every individual has a responsibility to identify and report an incident.

All incidents, regardless of their severity must be reported to the individual’s line
manager.

Every individual should be aware of the Ma’aden Incident Reporting Standard and
all associated emergency management procedures.

3.2. Incident assessment

Once an incident has been reported, the incident should be assessed in relation to its:

• Severity in relation to environment, health and safety as per procedure
• Severity in relation to its impact on Ma’aden (see below)

The incident’s impact severity on Ma’aden will be measured using the
following categories:

• People
• Property & equipment
• Process & capability
• Environment
• Reputation
• Financial
• Information

There are four levels of crisis severity used in the assessment. These have been
aligned with the four levels defined by HCIS and used for assessment in procedure
for consistency, these are:

Minor COLOR CODE
Minor BLUE
Mediate YELLOW
Major ORANGE
RED

Part 3 Incident Assessment and Escalation 41

The table in Appendix A shows a description for each of these levels against each
category show above. This table should be used to assess the incident against each
category and identify the level of impact to Ma’aden. This will provide the impact
classification for the incident.

Once the incident has been classified, notification and escalation should take place to
ensure the correct individuals are informed, and the incident is managed at the
appropriate level.

3.3. Incident escalation and notification

The following diagram shows the notification and escalation that should take place
at each incident severity level, based upon the incident’s classification color.

Actions

Assessment Escalation Notification Response

Incident Identified
and Reported

Local Is this a Inform Notify CIS & Manage Maintain log

minor YES Local Insurance response old actions, Resolve Incident
EMT Departments to the decisions
Management incident? incident and events

NO NOTIFICATION DELEGATION

Is this a Inform Notify CIS & response old actions, Resolve
Local Insurance
Local EMT minor YES CMT Departments

incident? to the decisions Incident
incident and events

NO NOTIFICATION DELEGATION

Local CMT Is this a Inform Notify CIS & Manage Maintain log
moderate YES Group Insurance response old actions, Resolve
incident? CMT Departments to the
decisions Incident
incident
and events

NO NOTIFICATION DELEGATION

Is this a Inform Notify CIS & Manage Maintain log
Local Insurance
Group CMT major YES EMT Departments response old actions, Resolve
to the
NO incident? incident decisions Incident

and events

Close Incident Updated Conduct post -
processes and incident review &
procedures identify lessons
as part of learnt
continual
improvement
process

Figure 1 – incident notification and escalation flow

At each classification level, the subsequent level is notified of the incident when it

occurs, so they have advance warning in case the incident level escalates.

Part 3 Incident Assessment and Escalation 42

3.4. Incident reporting

Incident reporting for crisis related incidents shall be performed in accordance with the
emergency management incident reporting standards. This reporting standard shall
be applied across the whole of Ma’aden and its affiliates.

Incidents shall be notified and escalated separately from the formal incident reporting
procedure. Incident reports shall be produced by the responsible party as follows:

(MINOR) (MINOR) (MODERATE) (MAJOR)
Within 4 hours Within 1 hour Immediately
Incident report Same day
production

Reports should be distributed in accordance with the following table.

(MINOR) (MINOR) (MODERATE) (MAJOR)

Incident report ✓ ✓ ✓ ✓
✓
production

✓Local management ✓✓

Local EMT ✓ ✓ ✓ ✓

Local CMT ✓✓✓

Group CMT ✓✓

Part 3 Incident Assessment and Escalation 43

Appendix A

Impact
Assessment
Table

Part 3 Incident Assessment and Escalation 44

QUICK ASSESSMENT GUIDE

(MINOR) (MINOR) (MODERATE) (MAJOR)
Yellow Orange Red
CLASSIFICATIONS
Blue

Reversible health effects Severe, reversible health Single fatality or Multiple fatalities or
of concern that would effects of concern that would serious disabling illness
typically result in medical typically result in a lost-time irreversible health effects to multiple people.
treatment. illness.
or disabling illness to a

person. Can include

Can include temperature Can include acute/short-term Can include progressive progressive chronic
effects; travel effects; effects associated with extreme chronic conditions and/or
stress; and sunburn. acute/short-term high-risk conditions and/or
effects.
temperature effects; acute/short-term high-
musculoskeletal effects;
Unresolved minor vibration effects; risk effects.

localized community Severe localized Severe, prolonged

concern about health. nervous system effects; some community concern about localized community
infectious diseases.
health. concern about health.

Reversible injuries Severe permanent Severe permanent

People requiring treatment but Repeated localized community disability to a person e.g. disability to multiple
concerns about health requiring
Property & does not lead to restricted site management or business loss of hand or lower limb people.
Equipment response.
duties. Typically, a
Processes
Capability medical treatment Pandemic declared by local Pandemic declared by
government affecting only
Reversible injury or moderate one site local government
damage or impairment to one
Localized, short term, or more persons. Typically, a Major, ongoing challenges affecting more than one
challenges in engaging, lost time or restricted work in attracting engaging and
attracting and retaining injury retaining people leading to site
staff material gaps in core
capabilities or capacity Systemic and ongoing

challenges in

Localized, medium term accessing, engaging,
challenges in attracting,
engaging or retaining people attracting or retaining
leading to capability or capacity
shortfalls people significantly

affecting Group

objectives

Minor damage Moderate damage resulting Extensive damage Destruction of key
in Equipment loss
resulting in (excluding Production loss) resulting Loss assets, resulting
USD.100,000
Equipment loss – 3 Million. (excluding Production Loss (excluding

(excluding Between one- and three- loss) between USD 3 - Production loss) >
days operational delay or
Production interruption 10 USD 10 Million

loss) <USD.100,000. Million Between More than one-

Up to one day three days and one- week operational

operational delay or week operational delay or

interruption delay or interruption interruption

and systems quality, An impact on business Breakdown of key Critical business
but able to be dealt resulting activities leading to
with at operational in reduced performance resulting reduction in performance failure, resulting > 3-
level in < 1-day outage. resulting in between 1 to 3
days outage. Such as day outage
& The project is not threatened, but service delays, client
could be subject to significant dissatisfaction, revenue preventing core
review or changed ways or loss, legislative breaches.
operations Survival of the activities from being
project threatened
performed the impact

threatens the

operational capability

of the organization

Part 3 Incident Assessment and Escalation 45

An unplanned or An unplanned or unintended An unplanned or An unplanned or
unintended event; or a event; or a series of cumulative unintended event; or a
series of cumulative events results in: series of cumulative unintended event; or a
events results in: events results in:
series of cumulative

events results in:

Environment and Harm on the Harm on the environment that Harm on the Widespread offsite,
Care (Cont.) environment that is is largely localized (limited to environment that is environmental harm that
localized (limited to site site boundaries) and is rectified unconfined and is is rectified or reversed
boundaries) and is or reversed within one month to rectified or reversed within several years to
rectified or reversed one year within 1 to 10 years of decades of work effort,
within a month work effort, or 1 to 10 or > 10 years of natural
For impacts to groundwater years of natural recovery.
– months to years of natural recovery.
For impacts to recovery.
groundwater – weeks For impacts to
to months of natural groundwater – years to For impacts to
recovery. decades of natural groundwater –
recovery multiple decades of
natural recovery.

Formal public Reputation damage Reputation damage

disapproval from local requiring significant local on an international

stakeholder(s) management intervention Reputation damage (~ 1 year) or

requiring specific and concessions. Prolonged on a national scale, national (multiple

local management scrutiny by local credibly constraining years) scale,

response. Some stakeholders contributing to future business credibly preventing
and residual local
Reputation cumulative reputation harm. activities at that level realisation of a
Integrity
reputational impact, for around 6 months major future

with potential Low-level, informal due to prolonged opportunity or

accumulate over expressions of negative scrutiny by prolonged scrutiny

time. sentiment from key investor; stakeholders. of the Group's

or formal, public expressions assets and

Informal expressions from special-interest groups Public expressions of business activities.
negative investor /
of negative sentiment with some influence. analyst sentiment with
potential to influence
among special Informal expressions of trend of market value / Negative investor /
negative sentiment among share price. financial community
interest investor with special interest investor with sentiment, driving
limited influence on short-term (months)
limited influence on investment community reduction in market
value / share price
investment

community

Financial US$3m - US$10m

US$100k - US$3m US$10m - US$20m US$20m -US$100m

Information Minor compromise of Compromise of information Compromise of highly Compromise of
sensitive information sensitive to Company sensitive information
information with

significant, ongoing

impact

Part 3 Incident Assessment and Escalation 46

Appendix B

Escalation and
Notification Flow

Part 3 Incident Assessment and Escalation 47

SEVERITYResponsibilities COMMUNICATION Involving
DELEGATION Board/Media/
Emergency mgt. Government
Incident mgt.
Incident mgt. Emergencies

Part 3 Incident Assessment and Escalation 48

Part 4

Crisis
Management
Plan