KERACS LTD.

RISK MANAGEMENT POLICY

June, 2023.

1. Policy Statement

KERACS Limited (KERACS Ltd) as a contractor to major, client, Ok Tedi Mining Ltd, and other
development partners, is committed to ensuring that risk management practices are embedded into
all business processes and operations in order to drive consistent, effective and accountable action,
decision making and management practice.

A strong risk management culture is critical to enabling KERACS to achieve its strategic, operational
and commercial objectives and can also be a source of competitive advantage.

The purpose of this Policy is to set out KERACS’s objectives for risk management and to clearly
articulate the responsibilities of all KERACS personnel in relation to the management of risk.

This Policy is supported by the KERACS Risk Management & Assessment Standard (‘the Standard’) in
approval from Ok Tedi Integrated systems, and which describes the requirements and processes that
underpin effective, consistent and integrated risk management practice.

This Policy aligns with the principles and requirements set out in ISO 31000 Risk Management –
Principles & Guidelines and has been approved by the KERACS Board of Directors (Board). The policy
is the framework that will be used in conjunction with the Risk Management Procedures, and other
associated tools for managing RISKS.

2. KERACS Risk Management Model

KERACS’s Risk Management model is based on the ‘three lines of defence’ and is illustrated in the
diagram below.

Page 1 of 7
3. Scope

This Policy applies to KERACS, its directors and its employees, including employees working on fixed
term contracts and other contracted labour (collectively referred as ’Employees’).

4. KERACS Risk Context

KERACS is an integrated electrical company, listed on the Ok Tedi Mining Ltd’ s Contactor’s
Portfolios. KERACS operates three (3) main businesses:

 Electrical Operations which is responsible for managing KERACS’s diverse electrical

maintenance portfolio, spread across modern industrial electrification of installations and
repairs of electrical cables and transmission power lines and other domestic services to
OTML and other minor clients.

 Carpentry Operations which is responsible for managing the carpentry portfolio of the
company, which include, erection of buildings, erection of fences, and other related
maintenance carpentry duties. The carpentry services utilizes manpower and resources,
from carpentry division, and management of this portfolio and services pricing for doing
business.

 Labour Hire Operations, which is responsible for managing Labour hire portfolio by
recruitment and placement of personnel to client OTML. The company utilizes the local and
expatriates who form Labour manpower and for placement to OTML for employment
contracts; KERACS intends to place mark-up income rates for the labour hire, in doing
business.

Risk is dynamic and is inherent in all external and internal operating environments. KERACS is
committed to managing all risks effectively. Effective risk management is a means for achieving
competitive advantage and is pivotal to enabling the ongoing growth and success of KERACS’s
business.

The environment in which KERACS operates has changed significantly in recent years. This in turn
has resulted in considerable change to KERACS’s internal operations, including our risk profile. To
continue strengthening our position as a leading integrated electrical company, we need to
understand the opportunities and challenges KERACS’s business faces today and into the future.

As our operating environment continues to transform, embedding risk management principles and
practices into strategy development and day to day business processes is critical to achieving robust
and favourable commercial outcomes.

Just as risk is inherent in our operations, risk management is also inherent in all decision making and
management processes. Risk management is essential to good corporate governance and is a
fundamental component of good management practice.

Page 2 of 7
5. Risk Management Objectives

Effective risk management within KERACS has a number of key objectives:

› promote an enterprise wide approach by integrating risk management processes into each of the
following areas:

» business strategy, project management, organisational process and decision making;

» audit, insurance and specialist risk functions; and

» compliance and general governance functions

› promote consistency and transparency in methodology, assessment and management processes;

› promote proactive recognition of external factors and anticipation of uncertainties that may affect
the achievement of strategic objectives;

› promote confidence in operating performance, management decision making and the achievement
of expected outcomes;

› protect the interests of KERACS shareholders;

› demonstrate sound business practice to counterparties, customers, employees and the

communities in which KERACS operates;

› sponsor innovation and maximise value from assets, ventures and opportunities;

› provide appropriate, consistent and transparent ownership and accountability for risk mitigation;

› enable the design and implementation of controls that:

» are structured to promote effective realisation of objectives; and

» are resourced appropriately to effectively mitigate risk.

› recognise that timely and accurate monitoring, review, communication and reporting of risk is
critical to:

» providing mechanisms for the timely identification and effective management of risk occurrences
and consequences;

» providing confidence in management practice to the Board;

» providing a solid platform for growth; and

» KERACS Audit and Risk Management Committee and

» generating and maintaining a sound corporate history

Page 3 of 7
6. Accountabilities

In accordance with KERACS’s Code of Conduct, it is the responsibility of all Employees to comply with
the law, KERACS’s contractual commitments with OTML, and KERACS’s policies and procedures
(including the Compliance Management System) and to work towards embedding KERACS’s
compliance management objectives within their areas of responsibility.

KERACS Board

The Board is responsible for:

› approving, and monitoring the implementation of policies governing KERACS’s systems of internal
compliance, risk management and control; and

› monitoring KERACS’s compliance with obligations governing KERACS’s operations.

To assist it in discharging its responsibilities the Board has established the Audit and Risk
Management Committee (ARMC).

The ARMC has been established to, among other things:

› review, and recommend to the Board approval of KERACS’s Risk Management Policy;

› regularly review, and recommend to the Board for approval, KERACS’s Tier 1 risks and risk profile;

› review all material risks and discuss with management the operation and implementation of
mitigating controls;

› review all material risks and discuss with management the operation and implementation of
mitigating controls;

› monitor the effectiveness of KERACS’s risk policies, procedures and management practices; and

› review and approve KERACS’s insurance policies, including the terms of annual policy renewals and
considering the creditworthiness and claims payment histories of KERACS’s principal insurers.

The ARMC operates and reports within the terms of the ARMC Charter endorsed by the Board.

Manager and Executive Team

The Manager is responsible for managing KERACS in accordance with the strategy, business plans
and policies approved by the Board, including this Policy.

This includes responsibility for managing the implementation of this Policy and promoting a positive
risk culture within KERACS.

The Executive Team is accountable to the Manager for:

› identifying, assessing, managing, reporting, reviewing and monitoring risks that may impact the
achievement of KERACS’s strategic, operational and commercial objectives; and

› ensuring that there are systems in place to maintain adherence to this Policy.

Page 4 of 7
Group Risk, Compliance & Insurance.

Group Risk, Compliance & Insurance (GRCI) has carriage of the AGL enterprise wide risk
management function. GRCI reports to the Company Secretary and is independent from business

› facilitating the identification, monitoring and reporting of KERACS’s Tier 1 risks;

operations in terms of its reporting line. GRCI is responsible for:

› promoting and facilitating a standardised approach to effective risk management, including the
ongoing review and improvement of the Standard;

› assisting the business to identify, understand and manage risk;

› facilitating the integration of KERACS’s approved processes for managing risk and compliance
within the business;

and › reporting to the ARMC no less frequently than quarterly on material risks.

Risk Managers / Champions

Risk Manager and Risk ‘Champions’ within KERACS’s business units perform critical roles in KERACS’s
first line of defence and are responsible for:

› assisting the business to implement risk management practices in accordance with this Policy and
the Standard;

› facilitating risk assessments, maintenance of the business units risk registers and monitoring action
items within their respective business areas;

› the provision of technical risk expertise and advice; and

› analysing and reporting risks in accordance with the Standard, which includes the reporting of
material risks to GRCI for inclusion in the regular ARMC risk activity report.

Group Audit

In accordance with its charter, Group Audit provides independent, objective assurance and
consulting services to the ARMC and senior management designed to support and assist, both
directly and indirectly, KERACS to achieve its strategic objectives in an efficient and effective manner
and within an acceptable level of risk.

Group Audit is responsible for developing the Internal Audit Plan that will be a risk based flexible
plan, using an appropriate risk-based methodology.

Group Audit reviews are designed to assess that activities appropriately mitigate risk and are in
compliance with KERACS policies and procedures, which are designed to comply with industry
standards, legislation and regulations.

Page 5 of 7
Employees

KERACS’s Employees are required to:

› familiarise themselves with this Policy and other policies concerning the management of risk
relevant to their workplace activities;

› adhere to relevant legislation and their compliance obligations;

› incorporate risk management practices into their workplace activities;

› report and escalate risks in accordance with the Standard; and

› look for opportunities to improve operational efficiencies and optimise outcomes.

7. Risk Management Requirements

KERACS is committed to the development of effective and robust risk management practices and
meeting the objectives as outlined in section 5 of this Policy. This commitment is reflected through
the following areas:

› KERACS will make available the necessary resources for the management of risk in accordance with
this Policy and KERACS’s risk appetite;

› each area of the business is accountable for managing its strategic and operational risks and
maintaining a register of material risk exposures;

› risk registers are based on the outcomes of thorough risk identification and assessment processes
that are developed in accordance with the Standard;

› reviews of risk registers are regularly conducted (dependent on business requirements) and
reporting and escalations occur in accordance with the Standard;

› enterprise risk identification, assessment and profiling are conducted on an annual basis by GRCI;
and

› a review of KERACS’s risk appetite is facilitated by GRCI and discussed with the ARMC on an annual
basis.

8. Related & Supporting Policies

This Policy is supported by, and linked to, specific KERACS policies and standards as issued from time
to time. These policies and standards include, but are not limited to:

› Risk Management & Assessment Standard

› Compliance Management Standard.

› Wholesale Markets Risk Management Policy.

› Health, Safety & Environment Policy.

› Fitness for work policy

› Golden Rules –Social behaviour and workplace

› Fraud & Corruption Risk Control Policy.

Page 6 of 7
11. Reviewing and Maintaining the Policy

This Policy is administered by GRCI. The Policy is to be reviewed every one (1) year or where there is
a material change to KERACS’s context or objectives. Changes to the Policy require Board approval.

Prepared by: Reviewed and Approved by: Dated:

Mrs. Maureen Iwo Mr. Sotai Pito 1. Prepared – 19/11/2021
Director - KERACS LTD Chairman – KERACS Ltd 2. Revision 1 – 23/06/2022
Phone#: 74739106 Phone#: 79679641
Email: [email protected] Email: [email protected]

12. Glossary of Terms

Term Description
Compliance A set of interrelated and interacting elements of an organisation with
Management System the purpose of establishing policies, objectives and processes to
maintain compliance with the organisation’s compliance obligations
Compliance Obligation A course of action or behaviour which the organisation is legally bound
to do (e.g. law or regulation), or has committed to do (e.g. standards,
codes, internal policies)
Compliance Program Compliance obligation or set of obligations with similar or associated
purpose, usually in accordance with the business function or primary
business function to which it relates.
Compliance Risk Effect of uncertainty on the ability to meet compliance objectives

Page 7 of 7