Corporate Governance


Risk Management Policy Statement

This Policy Statement describes the company's approach to risk oversight and management.

Context

Good risk management underpins a successful business and is an integral part of the management processes and culture at Toll. The Company embraces the active management of risk by all Toll employees, supported by clear accountability and performance evaluation, to achieve strategic and business objectives. While the acceptance of risk is necessary to achieving corporate goals, success is derived from the company's ability to identify key risks in a timely manner and implement appropriate strategies to maximise business opportunities, manage uncertainties, and minimise potential hazards. In continually evaluating the risk and reward balance, and building risk management into daily activities, the Toll risk management framework addresses the interests of all stakeholders including shareholders, customers, suppliers, regulators and employees. Risks can be broadly classified as Strategic, Operational, Financial Reporting, and Compliance.

Accountability and Responsibility

The key components of the risk management accountability framework are illustrated below:

Board

The Board, through the Audit and Financial Risk Committee, is responsible for overseeing the establishment and implementation of an adequate system of risk management and internal compliance and control across the Toll Group. It is also responsible for reviewing, at least on an annual basis, the effectiveness of the Group's risk management system. Integrated risk management programs aimed at ensuring risks are identified, assessed and appropriately managed include regular reports to the Board on the status of business risks.

Audit and Financial Risk Committee

The Audit and Financial Risk Committee assists the Board in fulfilling its risk management and oversight role by independently assessing compliance with internal controls and risk management practices. Membership of the committee comprises the independent Non Executive directors of the Board. Specifically it monitors:

  • Corporate risks and internal controls as directed by the Board
  • Compliance with Corporation Act and Stock Exchange listing rules
  • Specific risks relating to business continuity, disaster recovery, reputation, and currency/interest rate exposures
  • Compliance with selected government regulations
  • Adequacy of insurance coverage
  • Special investigations as requested by the Board

It is also responsible for approving the annual program of Business Assurance and Internal Audit (BA&IA) reviews and the scope of the work to be performed.

Nomination and Corporate Governance Committee

In addition to other responsibilities, the Nomination and Corporate Governance Committee assists the Board to:

  • periodically review the Company's Corporate Governance Guidelines and establish procedures to promote compliance;
  • periodically review the Corporate Code of Practice, as well as procedures to promote compliance;
  • approve and review policies on sensitive issues or practices such as:
    • Environment;
    • Equal Opportunity; and
    • Drugs and Alcohol;
  • periodically review the Company's Continuous Disclosure Policy.

Management

The Board has delegated responsibility for implementation of this Risk Management Policy Statement to the Group Managing Director. In practice, Divisional Directors and Group General Managers are responsible for risk management within their respective divisions and functions. This responsibility includes designing and implementing a sound system of risk management and internal control that identifies, assesses, monitors, and manages key risks that impact achievement of business objectives. To promote accountability, Divisional Directors delegate day to day responsibility for compliance and control to Business Unit General Managers. Specialist Risk or OH&S managers are also appointed to business units to assist in establishing and monitoring risk management processes and awareness.

Group Risk Management Committee

The Group Risk Management Committee (a management committee), chaired by the Executive Director Operations, sets Group risk policies and risk strategies, monitors risk performance, and serves as a forum to discuss and manage any major risks. Significant risk matters are reported on a monthly basis to the Board. The Committee seeks to identify the key business risks which could prevent the Company from achieving its objectives and ensures that appropriate controls are in place to manage these risks. Membership of the Group Risk Management Committee includes the Executive Director Operations, Chief Finance Officer, Divisional Directors, Company Secretary, General Manager - Risk, Group Risk Manager, National Workers Compensation Manager, and Group Manager, Business Assurance and Internal Audit.

Specific responsibilities include:

  • providing assurance that risk management policy and strategy set by the Board are operating effectively;
  • being a primary advocate for risk management, strategically and operationally;
  • developing risk response processes and assessing adequacy of responses;
  • monitoring the performance of divisions in regard to losses;
  • monitoring adequacy of insurance or financial cover to protect against catastrophic loss;
  • reviewing strategies for ensuring compliance with government regulations on issues such as OH&S, vehicle safety, dangerous goods and the environment; and
  • determining and evaluating potential risks for self insurance.

Group Risk Management

Group Risk Management is responsible for providing technical advice, developing group risk management policies and procedures, and coordinating risk reporting to the Group Risk Management Committee and Board on matters such as OH&S, property protection, environment, dangerous/hazardous goods, contracts, risk financing, and insurance. Selected risk management and compliance matters are also reported to the Audit and Financial Risk Committee. Through General Managers, Financial Controllers, and Risk or OH&S managers appointed to each business unit, Group Risk assists divisions to implement appropriate risk management processes and practices. In doing so it promotes the active day to day management of risk and ongoing performance improvement.

Specific responsibilities include:

  • developing policy and providing a framework and methodology to Divisions to identify, analyse and manage their material risks;
  • developing risk response processes;
  • reporting on divisional performance in regard to losses;
  • investigating and evaluating adequacy of insurance and financial cover to protect against accidents and catastrophic loss;
  • developing and implementing risk financing or insurance strategies that reflect company and business objectives;
  • implementing and monitoring workers compensation strategies; and
  • coordinating self insurance activities.

Risk Management Framework

The Toll Group risk management framework is based on the following components and is consistent with the principles of the Australian/NZ risk management standard 4360:

  • Active support by senior management for awareness and management of risk
  • Implementation of a corporate policy and a consistent group wide framework - understood and owned by all management
  • Communication and development of processes to make risk management a daily way of doing business
  • Implementation of processes at Group, Division and Business Unit level to identify, assess, and manage key risks
  • Implementation of processes to monitor the risk management framework, including ongoing evaluation and reappraisal of key risks

The process for key risk identification and management at Group and Divisional level is detailed below:

Risk Profile

As a transport and logistics provider, business risks may arise from such matters as occupational health and safety (including vehicle and driver safety), environment and property management, business continuity, contractual obligations, financial and capital management, risk financing and insurance, and development and use of information systems and technology. Managing significant joint venture relationships and the growth in Toll’s important New Zealand operations are also key business areas that must be effectively managed.

The Toll group and divisional risk profile is monitored continuously and updated to reflect changes in the Company’s business activities, strategies, and internal and external risk factors. Selected key control and compliance mechanisms are described below under ‘Compliance and Internal Control’. Formal business risk analysis workshops are also conducted at least annually to focus all levels of management on material factors that impact achievement of the Group’s operational and strategic plans. Selected material risk categories are summarised below:

Business Assurance and Internal Audit (BA&IA)

Business Assurance and Internal Audit is responsible for independently evaluating the effectiveness and efficiency of selected risk management and internal compliance and control practices. The BA&IA function coordinates its program with other group 'assurance' activities covering occupational health & safety, hazardous goods, balance sheet integrity, and internal compliance programs. It also assists in monitoring and evaluating the effectiveness of the Group and Divisional business risk analysis and monitoring program. BA&IA liaises and consults with Group Risk Management, and the Group Risk Management Committee on selected risk and compliance matters, which includes attendance at Group Risk Management Committee meetings. The Group Manager, Business Assurance and Internal Audit reports through the Group Chief Financial Officer to the Audit and Financial Risk Committee.

External Auditors

External Audit is responsible for providing an opinion on the truth and fairness of the annual report. This includes assessing the management of financial statement risks and related internal control systems.

Compliance and Internal Control

The strength of Toll's risk management and internal control framework is founded on a combination of 'formal' controls, analysis, reporting, and policies and procedures; and 'informal' controls such as management competence, ethics and values, and specific accountability; all actively promoted by senior management. The Board is responsible for the compliance and internal control framework but recognises that no cost effective internal controls system will preclude all errors and irregularities. Selected compliance and control mechanisms employed to support the business include:

  • Business Planning, Budgeting and Reporting - A comprehensive business planning and budgeting process includes evaluation of strategies, objectives, and risks resulting in an annual budget approved by the Board. Monthly actual performance is reported against budget and revised forecasts for the year are prepared periodically. Strategy and business plan performance are monitored by division and business units supported by regular senior management forums, Group Risk Management Committee meetings, and reporting to the Board and Board committees.

  • Quality and integrity of employees - there are clearly defined accountabilities, performance measures, and reinforcement of values and ethics by senior management. The Toll Group quality management system, supported by training, development, and appraisal, requires the involvement and commitment of management, employees and subcontractors to ensure continuous improvement and management of risk.

  • Group policies - Board approved Group policies address matters such as Code of Practice, Occupational Health and Safety, Equal Opportunity, Driver Health, Compliance, Environment, Drugs and Alcohol, Corporate Governance, Management Performance Review and Development, Continuous Disclosure, Securities Trading, Treasury, and Privacy.

  • Business controls - comprehensive financial, business process, project management, and IT system controls and procedures exist at the group, division and business unit level.

  • Investment appraisal - the Company has documented guidelines for capital expenditure, investment appraisals, and acquisitions. These include annual budgets, appraisal against financial hurdle targets, expenditure review procedures, and appropriate levels of authority. Post investment reviews are performed to assess effectiveness of spend on capital assets and acquisitions. Comprehensive and proven business integration strategies are used to enhance success of and derive maximum value from acquisitions.

  • Group assurance and monitoring activities - these include Internal Audit, specialist audits of OH&S, environment, and dangerous goods, balance sheet reviews, and group compliance programs.

Annual Risk Management, Compliance and Control Confirmation

A certification process has been developed to support the annual sign off to the Board by the Group Managing Director and Group Chief Finance Officer on the adequacy of the Group's risk management, compliance and control framework. The certification process requires sign off by Divisional and Group management on matters relating to risk management, control environment, and specific risk and compliance activities. BA&IA is responsible for reviewing the effectiveness of the annual certification process. Separate assurance is obtained from joint venture operations and publicly listed investments.

Disclosure

This risk management policy statement is made publicly available on the Toll Group website. All material changes to the Toll risk profile are disclosed to stakeholders in accordance with the Toll Continuous Disclosure Policy and shareholder communication processes.

Policy Review

This policy is subject to regular review by the Audit and Financial Risk Committee and the Board and will be amended (as appropriate) to reflect best practices and ensure ongoing relevance to the Group.



Copyright © 2003 Toll Holdings Limited. All rights reserved.