Corporate Governance

Risk Management Policy

1. Introduction

Our philosophy towards risk is not to be risk averse but to enable risks to be identified, discussed, mitigated and monitored in a balanced manner. 

We are committed to establishing and integrating our risk management systems and processes to support this philosophy without creating an unnecessary burden on the business.

This policy sets out the processes, responsibility and accountability for risk management at the Port of Brisbane Corporation.  It recognises that risk management is an integral part of good management and corporate governance practice and that, in relation to commercial strategy, an element of risk is inevitable and in some cases encouraged.

This policy supports a structured and focused approach to managing risk to complement the strategies adopted to achieve our corporate objectives, increase confidence and enhance the value the Corporation provides to its stakeholders.

The principles behind this policy are based on the Australian/New Zealand Standard AS/NZS 4360:2004 Risk Management and Principle 7 of the Queensland Government’s Corporate Governance Guidelines for Government Owned Corporations - September 2005.
 
1.1  Policy statement

The Corporation is committed to:

  • Behaving as a responsible corporate citizen protecting employees, clients, contractors, visitors, the community and the general public from unnecessary injury, loss or damage.
  • Achieving its business objectives by minimising the impact of risks it can meaningfully and realistically control. 

 

2. Aim

The risk management system and frameworks which we have put in place, or will put in place:

(a) Incorporate a consistent systematic process to identify, analyse, mitigate and monitor the key financial, strategic, operational, and compliance risks impacting on the Corporation;

(b) Align risk management with business objectives;

(c) Integrate and align existing risk systems to ensure no duplications or overlap;

(d) Ensure integration of information systems used for reporting on risk to enable aggregation and reporting at a corporate level;

(e) Allow the necessary controls and policies to be implemented to deliver an appropriate approach to governance and best practice;

(f) Embed a culture of risk management throughout the Corporation.

Definitions

2.1 What is risk?

Within the Corporation, a risk to the business is any action or event that has the potential to impact on the achievement of our business objectives.  Risk arises as much from the possibility that opportunities will not be realised as it does from the possibility that threats will materialise or that errors will be made. 

2.2 What is risk management? 

Risk management for the Corporation refers to the culture, processes and structures developed to effectively manage potential opportunities and adverse effects for any activity, function or process undertaken by the Corporation. 

The process of managing risk is achieved through the systematic application of policies, procedures and practices to identify, analyse, evaluate, treat, monitor and communicate risk. 

2.3 What is enterprise-wide risk management? 

Enterprise-wide risk management encompasses all the major risk categories (including Environmental, Health and Safety, Fraud, Financial and Security) and includes the co-ordination, integration, consolidation and consistency of reporting by the various risk functions.

 

3. The Risk Management Process at the Corporation 

Our risk management processes are based around the following key risk activities:

  • Risk Identification: Identify all reasonably foreseeable risks associated with our activities, using the agreed risk methodology detailed in the Corporation’s risk protocols.
  • Risk Evaluation: Evaluate those risks using the agreed Corporation criteria.
  • Risk Treatment / Mitigation: Develop mitigation plans for risk areas where the residual risk is greater than our tolerable risk levels.
  • Risk Monitoring and Reporting: Report risk management activities and risk specific information in accordance with the risk protocols.

 

4. Responsibilities

The Board retains the ultimate responsibility for risk management and for determining the appropriate level of risk that the Board is willing to accept in the conduct of Corporation business activities. The Board will review the effectiveness of the risk management systems. 

Management – is responsible for identifying, evaluating and managing risk in accordance with this policy through a formal enterprise-wide risk management framework. Formal risk assessments must be performed at least once a year as part of the business planning and budgeting process. 

The Executive Management Team – is responsible for the accuracy and validity of risk information reported to the Board. In addition, it will ensure clear communication throughout the Corporation of the Board and senior management’s position on risk. 

The CEO and General Manager Finance and Business Services – will make an annual statement to the Board that the financial reports present a true and fair view and are in accordance with accounting standards; that the statement is founded on a sound system of risk management and internal compliance and control which implements Board policies; and that the risk management and control system is operating efficiently and effectively in all material respects.

Internal Audit – Internal Audit, in conjunction with Corporation management, and subject to endorsement from the Audit Committee, will align the Strategic Internal Audit Plan with the Corporation risk profile.  Internal Audit will ensure that the results of its reviews are provided to Corporation Management for update of the Corporation Risk Profile as appropriate.  Internal Audit will conduct periodic reviews of the risk management framework pursuant to the Strategic Internal Audit Plan.

Risk Monitoring Activities – the Corporation utilises a number of functions, including Internal Audit, to perform independent and objective monitoring over its risk areas. In addition, a number of reviews over the Corporation’s operations and risk areas are conducted by external agencies.  The scope of the work undertaken by all of these functions and the reviews by external agencies, will be considered in conjunction with the Corporation risk profile by the Board at least annually.  This will assess the independent monitoring coverage over key risk areas within the Corporation risk profile.

 

5. Risk Management Policy and Framework Review 

This policy and our risk management frameworks will be reviewed at least annually by the Executive Management Team and the Board to assess their effectiveness and to ensure their continued application and relevance. 

 

6. Risk policy disclosure

This policy statement is to be made available publicly on the Corporation website.