Principle 7
Recognise and manage risk
The Board recognises that effective risk management processes help ensure the business is more likely to achieve its business objectives and that the Board meets its corporate governance responsibilities. In meeting its responsibilities, the Board has approved the Group’s risk appetite statement and ensured that comprehensive risk management policies and practices have been put in place across the Group.
Such risk management processes include defining the risk oversight responsibilities of the Board and the responsibilities of management in ensuring risks are both identified and effectively managed. Whilst ultimate responsibility for risk oversight rests with the Board, the Audit and Risk Committee is the delegated mechanism for focusing the Group on risk oversight, risk management and internal controls. The Audit and Risk Committee reviews the Group’s risk management framework and its effectiveness, at least annually; and regularly reviews management’s initiatives to identify material risks and the appropriateness of the risk management processes in place to address them and operative within the risk appetite statement. The Audit and Risk Committee reports to the Board on risk management and internal control matters in accordance with its main responsibilities as outlined in the Audit and Risk Committee Charter.
During FY24, an independent internal audit review of the Group’s risk management framework was carried out and the Committee was satisfied that it continues to be sound, and the Group is operating with due regard to the risk parameters set by the Board.
For further details of the Audit and Risk Committee composition and responsibilities, refer to the Audit and Risk Committee disclosures under Principle 4 - Safeguard the integrity of corporate reports.
The Audit and Risk Committee is supported in managing risk through the combined input of the following key risk activities and management accountabilities.
- Internal Audit activities are carried out by a combination of internal and appropriately qualified external resources based on an annual program of work approved by the Audit and Risk Committee. The internal audit function provides both management and the Board with independent objective assurance in relation to the adequacy of the design, and effectiveness of the implementation of the Group’s governance, risk management, internal control, key business processes and compliance systems and their operational effectiveness. The Internal Audit function has independent access to the Audit and Risk Committee and is independent of the External Audit function.
- External Audit activities undertaken by the External Auditor, KPMG, to review internal controls as part of their half year review and full year audit procedures. Internal control weaknesses are identified by the External Auditor and communicated to management to address through a formal reporting process. The actions taken by management are reviewed by the Chief Financial Officer and Group Financial Controller as part of the stewardship review process for the half and full year accounts.
- Enterprise risk profiles have been developed for the Group which are regularly reviewed and updated as part of the strategic planning process together with mitigation actions. The identified risks are analysed based on their potential impact and likelihood of occurrence and mitigation responses are put in place to manage the risks. Updates to the enterprise risk profiles form part of the agenda for the quarterly business reviews and strategy planning sessions with the Chief Executive Officer and Chief Financial Officer. The enterprise risk profiles for major risks are regularly presented to the Audit and Risk Committee.
- The Finance Risk Committee, comprising the executive and senior financial management of the Group, meets quarterly to monitor the financial risks in the organisation, oversee the execution of Group policies in relation to finance risks and measure the impact of both the underlying risks and the mitigation strategies employed. Financial risks include liquidity and funding, interest rates, foreign currency, credit and legal risks. In addition, a sub-committee of the Finance Risk Committee meets weekly to consider foreign currency and other risks as required.
- The Chief Financial Officer has primary responsibility for designing, implementing and coordinating the overall Group risk management and internal control practices. The Chief Financial Officer attends the Board and Audit and Risk Committee meetings and presents bi-annually, the Chief Financial Officer’s Report. The Chief Financial Officer has the authority to report directly to the Board or Audit and Risk Committee on any matter at any time.
- The Group General Manager – People and Performance and Group Workplace Health and Safety (WHS) Manager, have specific responsibilities in respect of operational risks including workplace health and safety, business continuity, environmental, sustainability, ethical sourcing and industrial relations. The Group WHS Manager prepares a workplace health and safety report for the monthly Board meetings and is regularly required to attend and present at Board meetings on Group workplace health and safety strategy and performance.
- The Group General Manager – Supply Chain and Innovation has specific responsibilities in respect of operational risks including business continuity, environmental, sustainability, ethical sourcing and safety. The Group General Manager – Supply Chain and Innovation attends and presents at Audit and Risk Committee meetings as required.
- The Chief Information Officer has specific responsibilities in respect of the Group’s information technology security and risk environment including cyber security risks. The Chief Information Officer attends and presents at Audit and Risk Committee meetings as required.
- The Company Secretary is responsible for putting in place adequate insurance to cover the major Group insurable risks including property and business interruption, public and products liability, product recall and directors’ and officers’ liability insurance. The Group’s insurance broker assists with arranging the insurance and claims management. The insurance policies are placed with reputable insurers with appropriate coverage, limits and deductibles for the business.
-
The Company Secretary is also the Ethical Standards Officer who is responsible for the administration and maintenance of the Group-wide policy against slavery and trafficking in persons. The Ethical Standards Officer and Head of Sustainable Procurement have responsibility for overseeing the implementation of the policy, monitoring its use and effectiveness, dealing with any questions that arise, and ensuring audits and internal control systems and procedures are effective in countering modern slavery. Regular reports are prepared for the Audit and Risk Committee on progress with the modern slavery risk mitigation plans.
The Group has implemented risk management software across the Group for the purpose of identifying and managing workplace health and safety risks. The software is a critical tool for executives and senior management and has enhanced the identification, reporting and monitoring of actions in this important area.
Risk management is embedded in the Group’s policies and procedures which have enabled the Group to pro-actively identify and manage all types of risk within the organisation. The Board aims to continually evaluate and re-assess the risk management and internal control practices of the Group to ensure current good practice is maintained and to preserve and create long-term value within the organisation.
A summary of the GWA’s key risks and the relevant monitoring and mitigation can be found in the FY24 Annual Report, which is available on the Group’s website at www.gwagroup.com.au under Investor Relations, Annual Reports.