Principle 7

Recognise and manage risk

The Board recognises that effective risk management processes help ensure the business is more likely to achieve its business objectives and that the Board meets its corporate governance responsibilities.  In meeting its responsibilities, the Board has approved the Group’s risk appetite statement and ensured that comprehensive risk management policies and practices have been put in place across the Group.  The Board conducts annual reviews of the Group’s risk management framework (including both financial and non-financial risks) to ensure that it continues to be sound, and that management is operating with due regard to the risk appetite that has been set by the Board.  During FY23, the Audit and Risk Committee conducted a review of the Group’s risk management framework to ensure it is working effectively and within the risk parameters set by the Board.

Such risk management processes include defining the risk oversight responsibilities of the Board and the responsibilities of management in ensuring risks are both identified and effectively managed.  Whilst ultimate responsibility for risk oversight rests with the Board, the Audit and Risk Committee is the delegated mechanism for focusing the Group on risk oversight, risk management and internal controls.  The Audit and Risk Committee monitors management’s performance against the Group’s risk management framework. The Audit and Risk Committee reports to the Board on risk management and internal control matters in accordance with its main responsibilities as outlined in the Audit and Risk Committee Charter.

For further details of the Audit and Risk Committee composition and responsibilities, refer to the Audit and Risk Committee disclosures under Principle 4 - Safeguard the integrity of corporate reports.
The Audit and Risk Committee is supported in managing risk through the combined activities of the following:

  • Enterprise risk profiles have been developed for the Group which are regularly reviewed and updated as part of the strategic planning process together with mitigation actions.  The identified risks are analysed based on their potential impact and likelihood of occurrence and mitigation responses are put in place to manage the risks.  Updates to the enterprise risk profiles form part of the agenda for the quarterly business reviews and strategy planning sessions with the Chief Executive Officer and Chief Financial Officer.  The enterprise risk profiles for major risks are presented to the Audit and Risk Committee at the May and November meetings;
  • Finance Risk Committee comprising the executive and senior financial management of the Group meets quarterly to monitor the financial risks in the organisation, oversee the execution of Group policies in relation to finance risks and measure the impact of both the underlying risks and the mitigation strategies employed.  Financial risks include liquidity and funding, interest rates, foreign currency, credit and legal risks.  In addition, a sub-committee of the Finance Risk Committee meets weekly to consider foreign currency and other risks as required;
  • Chief Financial Officer who has primary responsibility for designing, implementing and coordinating the overall Group risk management and internal control practices.  The Chief Financial Officer attends the Board and Audit and Risk Committee meetings and presents the Chief Financial Officer’s Report bi-annually.  The Chief Financial Officer has the authority to report directly to the Board or Audit and Risk Committee on any matter at any time;
  • Group General Manager – People and Performance and the Group Workplace Health and Safety (WHS) Manager who have specific responsibilities in respect of operational risks including workplace health and safety, business continuity, environmental, sustainability, ethical sourcing and industrial relations risks.  The Group WHS Manager prepares a workplace health and safety report for the monthly Board meetings and is regularly required to attend and present at Board meetings on Group workplace health and safety strategy and performance;
  • Chief Information Officer who has specific responsibilities in respect of the Group’s information technology security and risk environment including cyber security risks.  The Chief Information Officer attends and presents at Audit and Risk Committee meetings as required;
  • Company Secretary who is responsible for putting in place adequate insurance to cover the major group insurable risks including property and business interruption, public and products liability, product recall and directors’ and officers’ liability insurance.  The Group’s insurance broker assists with arranging the insurance and claims management.  The insurance policies are placed with reputable insurers with appropriate coverage, limits and deductibles for the business;
  • The Company Secretary is also the Ethical Standards Officer who is responsible for the administration and maintenance of the Group-wide policy against slavery and trafficking in persons.  The Ethical Standards Officer has responsibility for overseeing the implementation of the policy, monitoring its use and effectiveness, dealing with any questions that arise, and ensuring audits and internal control systems and procedures are effective in countering modern slavery.  The Ethical Standards Officer, with the support of the Head of Procurement, prepares regular reports for the Audit and Risk Committee on progress with the modern slavery risk mitigation plans;
  • Internal Audit activities are carried out by a combination of internal and appropriately qualified external resources based on an annual program of work approved by the Audit and Risk Committee.  The internal audit function provides both management and the Board with independent, objective assurance in relation to the adequacy of the design and the effectiveness of the implementation of the Group’s governance, risk management, internal control, key business processes and compliance systems, and their operational effectiveness.  The Internal Audit function has independent access to the Audit and Risk Committee and is independent of the External Audit function;
  • External Audit activities undertaken by the External Auditor, KPMG, to review internal controls as part of their half year review and full year audit procedures.  Internal control weaknesses are identified by the External Auditor and communicated to management to address through a formal reporting process.  The actions taken by management are reviewed by the Chief Financial Officer and Group Financial Controller as part of the stewardship review process for the half and full year accounts.

The Group has implemented risk management software across the Group for the purpose of identifying and managing workplace health and safety risks.  The software is a critical tool for executives and senior management and has enhanced the identification, reporting and monitoring of actions in this important area.

Risk management is embedded in the Group’s policies and procedures, which have enabled the Group to proactively identify and manage all types of risk within the organisation.  The Board aims to continually evaluate and re-assess the risk management and internal control practices of the Group to ensure current good practice is maintained and to preserve and create long-term value within the organisation.

A summary of GWA’s key risks and the relevant monitoring and mitigation can be found in the FY23 Annual Report, which is available on the Group’s website under Investor Relations, Annual Reports.