Page 30 - Annual Report 2020
1.5.4 Risk management continued
Risk governance
Risk management accountability and oversight is an integral part of BHP’s governance. The Board and senior management (including the
Executive Leadership Team) provide oversight and monitoring of risk management outcomes. They are ultimately responsible for ensuring
BHP maintains a robust Risk Framework and an effective internal control environment.
BHP uses the ‘three lines of defence’ model of risk governance and management to define the relationships and clarify the role of different
teams across the organisation in managing risk. This approach is illustrated in the diagram below and integrates risk management, control
definition, control improvement, governance and assurance frameworks into one governance model.
[Diagram: the three lines of defence model. Labels shown: BHP Board; Executive Leadership Team; Operational management (operations, assets and regions); Centres of Excellence; Health, Safety and Environment; Community; Analysis and improvement; Risk; Ethics and compliance; Legal; Business partners; Internal audit (IAA); External audit; Regulator.]
First line of defence: Management across the assets and functions who identify risk and implement controls.
Second line of defence: Management in the functions that define Group-wide minimum standards and provide subject matter expertise to support, delivering insight and oversight to manage risk.
Third line of defence: Our Internal Audit and Advisory team, who provide independent assurance over the control environment (governance, risk management and internal controls).
Adapted from Institute of Internal Audit Position Paper: The three lines of defence in effective risk management and control.
For example, for a loss of containment risk within the Group Risk of process safety/hazardous materials containment, our first line operations personnel would be responsible for implementing pipe thickness checks to ensure corrosion is within acceptable limits. Second line functions, such as our engineering teams, would define and assure minimum standards for pipe materials and acceptable levels of corrosion. Our Internal Audit and Advisory team audits the effectiveness of the standards and their application as the third line of defence.
BHP Board and Committees
The Board reviews and considers BHP’s risk profile, covering operational, strategic and emerging risks, based on the material risk report. The report includes an overview of the risk profile, summary of material changes to the profile, performance against KRIs, summaries of our priority Group Risks and, with the introduction of our enterprise-level watch list in FY2020 (as described in the Emerging risk section), updates on emerging risk themes. The contents of this report are further described in the diagram in the Risk intelligence section.
The broad range of skills, experience and knowledge of the Board assists in providing a diverse view on risk management. The Risk and Audit Committee (RAC) and Sustainability Committee assist the Board with the oversight of risk management. For more information, refer to sections 2.7, 2.10 and 2.11.
The Risk Appetite Statement is the mechanism by which the Board sets boundaries for taking risk. It enables management to make risk-informed decisions within the risk appetite that has been determined by the Board. Performance against risk appetite is monitored and reported to the RAC and the Board, as well as the Sustainability Committee for HSEC matters. This includes reporting of performance that is outside upper or lower limits to indicate whether management is taking sufficient or excessive risk, enabling the Board to hold management to account where necessary.
In FY2019, we introduced an additional second line led review of the Group’s most significant risks (such as tailings storage facility failure) to provide greater oversight and assurance of, and identify any opportunities to improve, the management of these risks. This process, referred to as the Priority Group Risk Review process, reviews the analysis and controls for risks that could impact the Group’s viability or strategy, with findings and recommendations reported to the RAC and Sustainability Committee. Findings and recommendations are considered by management and the Board and may inform strategic decisions on whether to accept, reduce or eliminate risks to align with the Group’s risk appetite, and may be used to develop remediation plans, such as to improve risk analysis or control definition.
Additional information on risk management and internal controls is shared between the Board, the RAC and, for HSEC matters, the Sustainability Committee and also provided by the Business Risk and Audit Committees (covering each business region), management committees, our Internal Audit and Advisory team and our External Auditor. For more information, refer to section 2. Our approach to risk reporting is outlined in the Risk intelligence section.