Risk Matrix V2.0
NEOM - GRC
GOVERNANCE, RISK AND COMPLIANCE
RISK IMPACT LIKELIHOOD MATRIX V2.0

THREAT
RISK SCORING MATRIX - THREAT

Rows are the likelihood rating (with its frequency), columns are the impact level; each cell gives the risk level and the score (likelihood rating x impact level).

Likelihood (rating, frequency)                          | 1 Very Low   | 2 Low        | 3 Medium   | 4 High         | 5 Very High
5 Highly likely / Almost certain (> 90%; occurring now) | Medium (5)   | High (10)    | High (15)  | Very High (20) | Very High (25)
4 Likely (71% - 90%; once every 1 to 2 years)           | Low (4)      | Medium (8)   | High (12)  | High (16)      | Very High (20)
3 Possible (31% - 70%; once every 2 to 5 years)         | Low (3)      | Medium (6)   | Medium (9) | High (12)      | High (15)
2 Unlikely (11% - 30%; once every 5 to 10 years)        | Very Low (2) | Low (4)      | Medium (6) | Medium (8)     | High (10)
1 Rare (≤ 10%; once every 10 years or more)             | Very Low (1) | Very Low (2) | Low (3)    | Low (4)        | Medium (5)

Risk level / score, confidence and required action:

Very High (20-25): Very low confidence objective will be achieved. Immediate attention required: reduce risk level within proximity.
High (10-16): Low confidence objective will be achieved. 2nd priority to action: reduce risk level within proximity.
Medium (5-9): Medium confidence objective will be achieved. 3rd priority to action: monitor on quarterly basis to ensure risk level has not worsened.
Low (3-4): Very high confidence objective will be achieved. 4th priority to action: monitor half yearly to ensure risk level has not worsened.
Very Low (1-2): Very high confidence objective will be achieved. 5th priority to action: monitor annually to ensure risk level has not worsened.
IMPACT CATEGORIES (impact levels: 1 Very Low, 2 Low, 3 Medium, 4 High, 5 Very High)

COST
1 Very Low: < 1% of budget overrun
2 Low: 1% - 5% of budget overrun
3 Medium: 6% - 10% of budget overrun
4 High: 11% - 25% of budget overrun
5 Very High: > 25% of budget overrun
REGULATORY & LEGAL
1 Very Low:
  1. Minimum regulatory impact and minimum legal implications.
  2. Cost to achieve compliance / change business model / affects attractiveness of the investment < 500K.
  3. No penalty.
2 Low:
  1. Require regulatory disclosure; requires management attention.
  2. Cost to achieve compliance / change in business model / reduces attractiveness of the investment < 1M.
  3. Loss of asset / compensation / penalty amounting up to 100K due to litigation or arbitration.
3 Medium:
  1. Require regulatory disclosure and requires qualification, and requires involvement of top management.
  2. Cost to achieve compliance / change in business model / reduces attractiveness of the investment between 2M and 5M.
  3. Loss of asset / compensation / penalty amounting between 200K and 1M due to litigation or arbitration.
4 High:
  1. Will attract regulatory investigation - possible seizure of documents.
  2. Cost to achieve compliance / change in business model / reduces attractiveness of the investment is between 10M and 20M.
  3. Loss of asset / compensation / penalty amounting between 2M and 20M due to litigation or arbitration.
5 Very High:
  1. Will attract regulatory investigation, possible seizure of documents locally / globally; attracts fines, penalties / license suspension and requires heavy involvement of top management.
  2. Cost to achieve compliance / change in business model / reduces attractiveness of the investment > 20M.
  3. Loss of asset / compensation / penalty amounting above 20M due to litigation or arbitration.
REPUTATIONAL
1 Very Low:
  1. Negative impact is internal and confined to a small number of parties (short term).
  2. < 5 annual negative press mentions on NEOM (i.e. religious & social, not fulfilling promises, no community communication and development).
  3. Minor complaint(s) to site and / or regulator from abutters, local stakeholder groups, or local government.
2 Low:
  1. Negative impact is local, but with limited publicity.
  2. 5-6 annual negative press mentions on NEOM (i.e. religious & social, not fulfilling promises, no community communication and development).
  3. Moderate complaint(s) from abutters, local stakeholder groups or local government.
  4. Isolated, small-scale protest.
3 Medium:
  1. Negative impact is local, with widespread publicity.
  2. 7-8 annual negative press mentions on NEOM (i.e. religious & social, not fulfilling promises, no community communication and development).
  3. Significant complaint(s) from abutters, local stakeholder groups, or local government.
4 High:
  1. Negative impact is regional, but confined to a limited number of parties.
  2. 9-10 annual negative press mentions on NEOM (i.e. religious & social, not fulfilling promises, no community communication and development).
  3. Persistent complaints from community and national stakeholder groups or national government.
  4. Large-scale protests.
5 Very High:
  1. Negative impact is global and is widely publicized.
  2. > 10 negative press mentions on NEOM (i.e. religious & social, not fulfilling promises, no community communication and development).
  3. Community / NGO legal action. Significant concerns expressed by key international stakeholder groups or from more than one national government.
  4. Sustained large-scale protests with injury or damages.
CYBER / INFORMATION SECURITY / DATA PRIVACY
1 Very Low:
  Cyber / Information Security
  1. Single user, non-destructive malware.
  2. Discovery of incorrectly configured access, potentially leading to unauthorized access. DoS attempt, but with no reported impact from users.
  3. Single service: loss / interruption of ≤ 1 hour.
  Data Privacy
  1. Disclosure of non-identifiable personal data / non-critical information leading to limited effect. Single lost / corrupted record.
2 Low:
  Cyber / Information Security
  1. Multiple user, non-destructive malware.
  2. Discovery of incorrectly configured access, potentially leading to unauthorized access. DoS attempt, but with no reported impact from users.
  3. Single service: loss / interruption of > 1 hour.
  Data Privacy
  1. Disclosure of non-identifiable personal data / non-critical information leading to adverse effect. Single lost / corrupted record.
3 Medium:
  Cyber / Information Security
  1. Malware on multiple hosts, < 20 affected.
  2. Unauthorized access to internal network - no damage done, or data breached. DoS: single reported impact on system availability.
  3. Multiple services: loss / interruption of ≤ 1 hour.
  Data Privacy
  1. 1 individual's sensitive personal data / information classified as Confidential is disclosed. Multiple lost / corrupted records.
4 High:
  Cyber / Information Security
  1. Malware infestation, ≥ 20 hosts affected.
  2. Unauthorized access to network - limited damage to infrastructure and / or data breach. DoS: prolonged impact on single system availability.
  3. Multiple services: loss / interruption of 1-48 hours.
  Data Privacy
  1. 2-50 individuals' sensitive personal data / information classified as Secret is disclosed. Single data store compromised.
5 Very High:
  Cyber / Information Security
  1. Malware infestation, ≥ 20 hosts affected. Major systems restoration.
  2. Hostile access to network - significant damage to infrastructure and / or data breach. DoS: prolonged impact on multiple systems availability.
  3. Multiple services: loss / interruption of ≥ 48 hours.
  Data Privacy
  1. > 50 individuals' sensitive personal data / information classified as Top Secret is disclosed. Multiple data stores compromised.
PHYSICAL SECURITY
1 Very Low:
  1. A threat exists against the asset or a person.
  2. A willful criminal act or condition resulting in no injuries, no project delays, or minimal loss or damage (up to 24 hrs).
  3. Normal management action required.
2 Low:
  1. A threat exists against the asset or a person.
  2. A willful criminal act or condition resulting in minor injuries, minimal project delays, or some loss or damage (up to 72 hrs).
  3. Low level of external emergency service assistance may be required.
3 Medium:
  1. A threat exists against the asset or a person.
  2. A willful criminal act or condition resulting in non-life-threatening injuries, some project delays, or loss or damage (< 1 week shutdown of site area).
  3. External emergency service assistance may be required.
4 High:
  1. A threat exists against the asset or persons.
  2. A willful criminal act or condition resulting in serious injury, severe project disruption, or major destruction (between 1 - 4 weeks shutdown of site area).
  3. External emergency service assistance is required.
5 Very High:
  1. A threat exists against the asset or persons.
  2. A willful criminal act or condition resulting in death or severe injury, severe project disruption, or major destruction (more than 4 weeks shutdown of site area).
  3. Multiple external emergency services assistance is required.
QUALITY OF SERVICE / WORK
1 Very Low:
  1. No impact on the quality of services provided.
  2. Defects in work identified. Minor corrective action contained within operational role in that shift.
  3. Insignificant impact fully contained. Minor productivity impact.
2 Low:
  1. Impact limited to minor delays in delivery, manageable defects, manageable customer feedback.
  2. Defective work identified. Corrective action spanning multiple shifts required.
  3. Minor schedule and cost impact. Schedule recoverable.
3 Medium:
  1. Some impact on the quality of service leading to customer dissatisfaction translated in a noticeable number of complaints.
  2. Systemic defective work produced & identified prior to operational testing. Multiple corrective actions required over many weeks.
  3. Moderate schedule impact delaying subsequent work by a number of weeks & up to $100K cost impact to business.
4 High:
  1. Major impact on the quality of service leading to repeated customer dissatisfaction translated in a very significant number of complaints received from various sources / channels.
  2. Defective work not identified until operational testing. Single corrective actions spanning months. Significant impact.
  3. Multiple months delay to schedule and up to $1M cost impact to business.
5 Very High:
  1. Severe impact on the quality of service leading to customer dissatisfaction translated in a very significant number of complaints received from various sources / channels or received from VVIP segments, and/or very significant loss of business.
  2. Systemic defective work produced & not identified until operational testing. Multiple corrective actions required spanning many months.
  3. Multiple months impact on schedule and multi-million dollar cost impact to business.
OPPORTUNITY

RISK SCORING MATRIX - OPPORTUNITY

Rows are the likelihood rating (with its frequency), columns are the impact level; each cell gives the level and the score (likelihood rating x impact level), recorded as a negative value for opportunities.

Likelihood (rating, frequency)                          | -1 Very Low   | -2 Low        | -3 Medium   | -4 High         | -5 Very High
5 Highly likely / Almost certain (> 90%; occurring now) | Medium (-5)   | High (-10)    | High (-15)  | Very High (-20) | Very High (-25)
4 Likely (71% - 90%; once every 1 to 2 years)           | Low (-4)      | Medium (-8)   | High (-12)  | High (-16)      | Very High (-20)
3 Possible (31% - 70%; once every 2 to 5 years)         | Low (-3)      | Medium (-6)   | Medium (-9) | High (-12)      | High (-15)
2 Unlikely (11% - 30%; once every 5 to 10 years)        | Very Low (-2) | Low (-4)      | Medium (-6) | Medium (-8)     | High (-10)
1 Rare (≤ 10%; once every 10 years or more)             | Very Low (-1) | Very Low (-2) | Low (-3)    | Low (-4)        | Medium (-5)

Risk level / score, confidence and required action:

Very High (-20 to -25): Very High confidence opportunity will be achieved. Immediate attention required: increase risk level within proximity.
High (-10 to -16): High confidence opportunity will be achieved. 2nd priority to action: increase risk level within proximity.
Medium (-5 to -9): Medium confidence opportunity will be achieved. 3rd priority to action: monitor on quarterly basis to ensure risk level can be achieved.
Low (-3 to -4): Low confidence opportunity will be achieved. 4th priority to action: monitor half yearly to ensure risk level can be achieved.
Very Low (-1 to -2): Very Low confidence opportunity will be achieved. 5th priority to action: monitor annually to ensure risk level can be achieved.
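The threat and opportunity scoring matrices above both reduce to the same rule: score = likelihood rating x impact level, banded into five risk levels, with opportunities carrying a negative sign. The following is an added worked example (not part of the NEOM matrix itself) that scores a register of risks, maps each score to its level and treatment priority, and sorts the register for action; the register entries are constructed sample data.

```python
# Risk level bands, applied to the absolute score. Products of two 1-5 ratings
# never hit 7, 11, 13, 14 or 17-19, so the gaps between bands are unreachable.
BANDS = ((20, 25, "Very High"), (10, 16, "High"), (5, 9, "Medium"),
         (3, 4, "Low"), (1, 2, "Very Low"))
ORDINAL = {"Medium": "3rd", "Low": "4th", "Very Low": "5th"}
CADENCE = {"Medium": "on quarterly basis", "Low": "half yearly",
           "Very Low": "annually"}

def score(likelihood: int, impact: int, kind: str = "threat") -> int:
    """Matrix cell value: likelihood x impact, negated for an opportunity."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be ratings from 1 to 5")
    value = likelihood * impact
    return -value if kind == "opportunity" else value

def level(value: int) -> str:
    """Map a score of either sign to its risk level band."""
    for low, high, name in BANDS:
        if low <= abs(value) <= high:
            return name
    raise ValueError(f"score {value} does not occur on the matrix")

def action(risk_level: str, kind: str = "threat") -> str:
    """Treatment priority wording for a level, threat or opportunity."""
    verb, outcome = (("reduce", "has not worsened") if kind == "threat"
                     else ("increase", "can be achieved"))
    if risk_level == "Very High":
        return f"Immediate attention required: {verb} risk level within proximity."
    if risk_level == "High":
        return f"2nd priority to action: {verb} risk level within proximity."
    return (f"{ORDINAL[risk_level]} priority to action: monitor "
            f"{CADENCE[risk_level]} to ensure risk level {outcome}.")

def rank(register, kind: str = "threat"):
    """Score (name, likelihood, impact) rows and sort by treatment priority."""
    rows = [(name, score(l, i, kind), level(score(l, i, kind)))
            for name, l, i in register]
    return sorted(rows, key=lambda row: -abs(row[1]))

# Constructed sample register for illustration only, not NEOM data.
SAMPLE_THREATS = [
    ("Unpatched internet-facing service", 4, 4),    # 16 -> High
    ("Single-user non-destructive malware", 5, 1),  # 5 -> Medium
    ("Loss of an encrypted laptop", 3, 1),          # 3 -> Low
    ("Site-wide flooding", 1, 5),                   # 5 -> Medium
]

if __name__ == "__main__":
    for name, value, lvl in rank(SAMPLE_THREATS):
        print(f"{value:>3} {lvl:<9} {name}: {action(lvl)}")
```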
OPPORTUNITY

IMPACT CATEGORIES (impact levels: 1 Very Low, 2 Low, 3 Medium, 4 High, 5 Very High)

COST
1 Very Low: < 1% of budget / cost savings
2 Low: 1% - 5% of budget / cost savings
3 Medium: 6% - 10% of budget / cost savings
4 High: 11% - 25% of budget / cost savings
5 Very High: > 25% of budget / cost savings