Principle 7

Recognise and manage risk

The Board recognises that effective risk management processes help ensure the business is more likely to achieve its business objectives and that the Board meets its corporate governance responsibilities.  In meeting its responsibilities, the Board has ensured that management has put in place comprehensive risk management policies and practices across the Group.  The Board conducts annual reviews of the Group’s risk management framework to ensure that it continues to be sound.  During FY20, the Audit and Risk Committee conducted a review of the Group’s risk management framework to ensure it is working effectively and within the risk parameters set by the Board.

Such risk management processes include defining the risk oversight responsibilities of the Board and the responsibilities of management in ensuring risks are both identified and effectively managed.  Whilst ultimate responsibility for risk oversight rests with the Board, the Audit and Risk Committee is the delegated mechanism for focusing the Group on risk oversight, risk management and internal controls.  The Audit and Risk Committee reports to the Board on risk management and internal control matters in accordance with its main responsibilities as outlined in the Audit and Risk Committee Charter.

For further details of the Audit and Risk Committee composition and responsibilities, refer to the Audit and Risk Committee disclosures under Principle 4 - Safeguard integrity in corporate reporting.

The Audit and Risk Committee is supported in managing risk through the combined activities of the following:

  • Enterprise risk profiles have been developed for the Group which are regularly reviewed and updated as part of the strategic planning process together with mitigation actions.  The identified risks are analysed based on their potential impact and likelihood of occurrence and mitigation responses are put in place to manage the risks.  Updates to the enterprise risk profiles form part of the agenda for the quarterly business reviews and strategy planning sessions with the Managing Director and Group Chief Financial Officer.  An enterprise risk update for major risks is prepared for the Audit and Risk Committee at the May and November meetings;
  • Finance Risk Committee comprising the executive and senior financial management of the Group meets quarterly to monitor the financial risks in the organisation, oversee the execution of Group policies in relation to finance risk and measure the impact of both the underlying risks and the mitigation strategies employed.  Financial risks include liquidity and funding, interest rates, foreign currency, credit and legal risks.  The Finance Risk Committee reports to the Audit and Risk Committee on its activities as outlined in the Finance Risk Committee charter.  In addition, a sub-committee of the Finance Risk Committee meets weekly to consider foreign currency and other risks as required;
  • Group Chief Financial Officer who has primary responsibility for designing, implementing and coordinating the overall Group risk management and internal control practices.  The Group Chief Financial Officer attends the Board and Audit and Risk Committee meetings and presents the Chief Financial Officer’s Report bi-annually.  The Chief Financial Officer has the authority to report directly to the Board or Audit and Risk Committee on any matter at any time;
  • General Manager Supply Chain and National Workplace Health and Safety (WHS) Manager who have specific responsibilities in respect of operational risks including workplace health and safety, business continuity, environmental, sustainability, ethical sourcing and industrial relations risks.  The National WHS Manager prepares a workplace health and safety report for the monthly Board meetings and is regularly required to attend and present at Board meetings on Group workplace health and safety strategy and performance;
  • General Manager, Business Transformation & Technology and Cyber Security Manager who have specific responsibilities in respect of the Group’s information technology security and risk environment including cyber security risks.  The General Manager, Business Transformation & Technology and Cyber Security Manager attend and present at Audit and Risk Committee meetings as required;
  • Company Secretary who is responsible for putting in place adequate insurances to cover the major Group insurable risks including property and business interruption, public and products liability, product recall and directors’ and officers’ liability insurances.  The Group’s insurance broker assists with arranging the insurances and claims management.  The insurance policies are placed with reputable insurers with appropriate coverage, limits and deductibles for the business;
  • The Company Secretary is also the Ethical Standards Officer who is responsible for the administration and maintenance of the Group-wide policy against slavery and trafficking in persons.  The Ethical Standards Officer has primary day-to-day responsibility for implementing the policy, monitoring its use and effectiveness, dealing with any questions that arise, and ensuring audits and internal control systems and procedures are effective in countering modern slavery.  The Ethical Standards Officer prepares bi-annual reports for the Audit and Risk Committee on progress with the modern slavery risk mitigation plans;
  • Internal Audit activities are carried out by a combination of internal and appropriately qualified external resources based on an annual program of work approved by the Audit and Risk Committee.  The internal audit function provides both management and the Board with independent objective assurance in relation to the adequacy of the design, and effectiveness of the implementation of the Group’s governance, risk management, internal control, key business processes and compliance systems and their operational effectiveness.  The Internal Audit function has independent access to the Audit and Risk Committee and is independent of the External Audit function;
  • External Audit activities undertaken by the External Auditor, KPMG, to review internal controls as part of their half year review and full year audit procedures.  Internal control weaknesses are identified by the External Auditor and communicated to management to address through a formal reporting process.  The actions taken by management are reviewed by the Group Chief Financial Officer and Group Financial Controller as part of the stewardship review process, on a quarterly basis, and for the half and full year accounts.

The Group has implemented risk management software across the Group for the purpose of identifying and managing workplace health and safety risks.  The software is a critical tool for executives and senior management and has enhanced the identification, reporting and monitoring of actions in this important area.

Risk management is embedded in the Group’s policies and procedures, which have enabled the Group to proactively identify and manage all types of risk within the organisation.  The Board aims to continually evaluate and re-assess the risk management and internal control practices of the Group to ensure current good practice is maintained and to preserve and create long-term value within the organisation.

COSO Framework

During FY20, the Group conducted an internal review of its risk management framework against the COSO (2017 revised) framework as part of its continuous improvement processes.  The review indicated that the Group’s risk management principles and processes are closely aligned to the COSO framework.  The Group will continue to refine its risk management processes in FY21 and future periods to ensure they remain effective in managing risk.

Certification of Risk Management Controls

In conjunction with the certification of financial reports, the Managing Director and Group Chief Financial Officer state in writing to the Board each reporting period that in their opinion:

  • The financial statements are founded on a sound system of risk management and internal compliance and control which implements the policies adopted by the Board; and
  • The Group’s risk management and internal compliance and control systems are operating efficiently and effectively in all material respects.

The statements from the Managing Director and Chief Financial Officer are based on a formal sign-off framework established throughout the Group and reviewed by the Audit and Risk Committee as part of the financial reporting process.

Economic, Environmental and Social Sustainability Risks

The Group’s key risks to its future prospects, and measures to mitigate these risks where possible, are outlined in the following table: