Page 30 - Annual Report 2020
P. 30

1.5.4 Risk management continued
          Risk governance
          Risk management accountability and oversight is an integral part of BHP’s governance. The Board and senior management (including the
          Executive Leadership Team) provide oversight and monitoring of risk management outcomes. They are ultimately responsible for ensuring
          BHP maintains a robust Risk Framework and an effective internal control environment.
          BHP uses the ‘three lines of defence’ model of risk governance and management to define the relationships and clarify the role of different
          teams across the organisation in managing risk. This approach is illustrated in the diagram below and integrates risk management, control
          definition, control improvement, governance and assurance frameworks into one governance model.

                                                    BHP Board

                           Executive Leadership Team



                                                Centres of Excellence

                                            Health, Safety and Environment
                                                   Community
                Operational management                                           Internal audit
                  (operations, assets                                               (IAA)
                    and regions)              Analysis and improvement
                                                     Risk                                              External audit  Regulator
                                               Ethics and compliance

                                                     Legal

                                                 Business partners


                  First line of defence        Second line of defence         Third line of defence
              Management across the assets   Management in the functions that   Our Internal Audit and Advisory team,
               and functions who identify   define Group-wide minimum standards   who provide independent assurance
               risk and implement controls   and provide subject matter expertise   over the control environment
                                            to support, delivering insight and   (governance, risk management
                                              oversight to manage risk        and internal controls)
          Adapted from Institute of Internal Audit Position Paper: The three lines of defence in effective risk management and control.

          For example, for a loss of containment risk within the Group Risk    of performance that is outside upper or lower limits to indicate
          of process safety/hazardous materials containment, our first line   whether management is taking sufficient or excessive risk, enabling
          operations personnel would be responsible for implementing pipe   the Board to hold management to account where necessary.
          thickness checks to ensure corrosion is within acceptable limits.   In FY2019, we introduced an additional second line led review of
          Second line functions, such as our engineering teams, would   the Group’s most significant risks (such as tailings storage facility
          define and assure minimum standards for pipe materials and   failure) to provide greater oversight and assurance of, and identify
          acceptable levels of corrosion. Our Internal Audit and Advisory   any opportunities to improve, the management of these risks.
          team audits the effectiveness of the standards and their application   This process, referred to as the Priority Group Risk Review process,
          as the third line of defence.                      reviews the analysis and controls for risks that could impact the
          BHP Board and Committees                           Group’s viability or strategy, with findings and recommendations
          The Board reviews and considers BHP’s risk profile, covering   reported to the RAC and Sustainability Committee. Findings and
          operational, strategic and emerging risks, based on the material risk   recommendations are considered by management and the Board
          report. The report includes an overview of the risk profile, summary   and may inform strategic decisions on whether to accept, reduce
          of material changes to the profile, performance against KRIs,   or eliminate risks to align with the Group’s risk appetite, and may be
          summaries of our priority Group Risks and, with the introduction    used to develop remediation plans, such as to improve risk analysis
          of our enterprise-level watch list in FY2020 (as described in the   or control definition.
          Emerging risk section), updates on emerging risk themes.    Additional information on risk management and internal
          The contents of this report are further described in the diagram    controls is shared between the Board, the RAC and, for HSEC
          in the Risk intelligence section.                  matters, the Sustainability Committee and also provided by the
          The broad range of skills, experience and knowledge of the Board   Business Risk and Audit Committees (covering each business
          assists in providing a diverse view on risk management. The Risk   region), management committees, our Internal Audit and Advisory
          and Audit Committee (RAC) and Sustainability Committee assist   team and our External Auditor. For more information, refer to
          the Board with the oversight of risk management. For more   section 2. Our approach to risk reporting is outlined in the Risk
          information, refer to sections 2.7, 2.10 and 2.11.  intelligence section.
          The Risk Appetite Statement is the mechanism by which the Board
          sets boundaries for taking risk. It enables management to make
          risk-informed decisions within the risk appetite that has been
          determined by the Board. Performance against risk appetite is
          monitored and reported to the RAC and the Board, as well as the
          Sustainability Committee for HSEC matters. This includes reporting



          28  BHP Annual Report 2020
   25   26   27   28   29   30   31   32   33   34   35