Risk Management

  1. Overview
    Infomedia Ltd and each of its controlled entities (Infomedia or the Company) recognise the importance of a formal risk management process in order to achieve robust, efficient and accountable management of business processes.  Risk management permits Infomedia to capitalise upon opportunities whilst meeting required standards of accountability, compliance, probity and transparency.

    This policy has been prepared utilising the Risk Management Guidelines set out in AS/NZS 31000:2009.  The policy:

    1. sets the framework for a risk management process appropriate within the context of the Company’s size and available resources; and
    2. provides a reference to directors, chief officers, senior executives, line managers and staff when identifying risks, categorising risks and developing processes, systems and techniques for managing those risks, in a manner that is appropriate in the context of the Company and/or their roles.
  2. Definitions
    This Risk Policy adopts the definitions found in AS/NZS 31000:2009: Risk Management – Principles and guidelines.  The following terms feature in this document:

| Term | Definition |
| --- | --- |
| Risk | Effect of uncertainty on objectives |
| Risk Management | Coordinated activities to direct and control an organisation with regard to risk |
| Risk Management Policy | Statement of the overall intentions and direction of an organisation related to risk management |
| Risk Appetite | Amount and type of risk that an organisation is prepared to pursue, retain or take |
| External Context | External environment in which the organisation seeks to achieve its objectives |
| Internal Context | Internal environment in which the organisation seeks to achieve its objectives |
| Stakeholder | Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity |
| Risk Treatment | Process to modify risk |
| Residual Risk | Risk remaining after risk treatment |

  1. Purpose
    This risk management policy (the Risk Policy) forms part of the internal control and corporate governance arrangements of Infomedia.  The objectives of the Risk Policy and processes are to support the Company’s broader commercial objectives by:

    1. developing a culture of overall risk awareness;
    2. setting an appropriate Risk Appetite for the Company to ensure continued innovation and realisation of business opportunities (i.e. risk/return philosophy);
    3. ensuring compliance with legal and other regulatory frameworks;
    4. maximising the efficient use/allocation of capital and resources within the Company;
    5. ensuring the management of operational risks is integrated into standard management and accountability decisions;
    6. protecting and enhancing the Company’s assets and image; and
    7. identifying unmitigated risks and formulating action plans for the treatment of those risks in a manner reflective of Infomedia’s strategic goals, and within the range of available resources.

    The Risk Policy forms the mandate and foundation from which Infomedia’s risk management process is implemented.

  2. The Risk Management Process
    Risk Management is an iterative process requiring continual review and contribution by internal stakeholders.  The main elements of Infomedia’s Risk Management process are:

    1. Communication & consultation: Liaise with internal and external stakeholders at each stage of the risk management process seeking collaborative input.
    2. Establishing the context: Define the basic parameters within which risks must be managed and set the scope for the rest of the risk management process.  This includes identifying the corporate objectives of the Company, internal and external operating environments, and the relative risk appetite of the Company to each risk category.
    3. Identify the risks: Gather and identify the physical and operational risks confronting the business through a collaborative process with key internal stakeholders.
    4. Analyse the risks: Identify and evaluate any existing Risk Treatments in place. Assess the likelihood and the potential consequences of each risk materialising within a ‘risk matrix’, and use this to guide appropriate risk mitigation strategies.  Upon completion of this process, senior management in conjunction with the Audit & Risk Committee will select up to eight key risk areas representing the most immediate threat to the Company, and develop treatment plans to suit those risks.  Additional risk categories may be included where necessary.
    5. Treat Risks: Develop and implement specific, cost-effective strategies and action plans for increasing potential benefits and reducing potential costs. Allocate responsibilities to those best placed to address the risk and agree on specific, measurable and timely targets to be achieved.
    6. Document, monitor and review: Each stage of the Risk Management process must be documented. It is necessary to monitor the effectiveness of the risk management process to ensure continuous improvement and relevancy of the process.
  3. Resourcing & Responsibilities
    1. Audit & Risk Committee: The role of the Audit & Risk Committee is to assist and advise the Board of Directors (the Board) in fulfilling its responsibilities to shareholders of the company on financial and statutory reporting and risk management responsibilities by monitoring and reviewing:
      1. the integrity of the company’s internal financial reporting and external financial statements;
      2. the effectiveness of internal financial controls;
      3. the independence, objectivity and performance of external auditors; and
      4. the policies and practices on risk oversight and management; and
      5. making recommendations to the Board in relation to the appointment of external auditors and approving the remuneration and terms of their engagement.

      The Audit & Risk Committee is established by resolution of the Board and is provided with the powers necessary for it to perform its functions.  It is not a policy making body, but assists the Board by implementing Board policy and making recommendations to the Board in respect of matters for which it is responsible.  Ultimate responsibility for the integrity of the Company’s financial reporting and risk management rests with the full Board notwithstanding the establishment of the Committee.

    2. Chief Executive Officer: The Chief Executive Officer (CEO) is accountable to the ARC and responsible for ensuring:
      1. development and implementation of operational policies and procedures for risk management;
      2. identification of strategic risks faced by the Company, including the provision of information to the ARC;
      3. setting mandates and allocating resources among senior executives across the entire Company to ensure the objectives of the Risk Policy are met; and
      4. a review of policies and procedures on a regular basis to ensure they remain effective and appropriate.
    3. Executives and Managers: Executives and managers are responsible for incorporating risk management into their standard management practices by:
      1. identifying and determining appropriate actions to address operational risks within their area of responsibility in accordance with Company policies and procedures;
      2. implementing actions with respect to risk management as directed by the ARC, the CEO or any other senior executive within the Company;
      3. reporting on the management of significant emerging or residual risks;
      4. instilling a culture of risk management among staff which is consistent with the policies and procedures of the Company from time to time; and
      5. ensuring the inclusion of risk management responsibilities in duty statements, induction, professional development and performance management processes for all staff.
  4. Performance Evaluation & Review
    The Board of Directors, operating via the ARC, will monitor and evaluate the Company’s performance in relation to risk management.  The ARC will maintain a watching brief on developing risks confronting the Company, and will make recommendations on the adaptation of the risk management process where appropriate.

    Once annually, the Audit & Risk Committee, in conjunction with senior management, shall examine and evaluate:

    1. the effectiveness of the implementation of risk management policies and procedures across the Company;
    2. the awareness of managers and staff of their responsibilities in respect of risk management and business continuity;
    3. the existence of risk management plans for all major projects and activities; and
    4. the currency of the corporate risk assessment and whether the risk management process is suitable for continued endorsement for a further 12 month period.