A culture that actively manages risk

BlueScope is committed to the identification and comprehensive management of risk.

We aim to achieve a culture that seeks to actively manage risk. The Company believes that a sound risk management framework is fundamental to strong governance. Our Risk Management policy is part of that framework

• Risk Management policy

An illustrative representation of the Company's framework is as follows:

The Company's Risk Management Policy describes that;

• Risk is the effect of uncertainty on our objectives and is inherent in our business.
• Risk management at BlueScope is a core and integral component of doing business, not a separate function.
• Understanding risk, and our appetite for particular types of risk, is a key consideration in our decision making.
• Decisions are made as close as possible to the source of risk. Leaders are empowered to own and manage risks directly within the approved limits of authority delegated to them.

Risk Appetite statements set the fundamental principles that govern the way we will execute our strategy and the acceptable level of risk.  Seven broad categories of risk have risk appetite statements and are used to ensure the comprehensive identification and management of both financial and non-financial risks, these categories are:

• Compliance & Ethical Conduct;
• Health, Safety, Environment & Communities;
• Markets & Products;
• Operations;
• Financial;
• Technology; and,
• People & Remuneration.

Metrics and tolerance measures have been defined for each of these risk categories; performance against these measures is reported by each business unit, and to the Risk & Sustainability Committee, on a quarterly basis. Where performance is outside of tolerance, mitigation strategies are developed and reported to the Board or relevant Board Committees.

Some of the key policies, processes or controls adopted by the Company for oversight and management of material business risks are:

• a risk management policy approved by the Board, and risk management processes reviewed annually by the Risk & Sustainability Committee;
• regular review of the risk appetite and risk profile of the Company by the Board, including reviewing risks that are material to the achievement of the Company's objectives and management's assessment of mitigating controls and actions taken in relation to managing those risks;
• an independent internal audit function, with a reporting line direct to the Chair of the Audit Committee, which has a comprehensive internal audit program designed to review the quality and effectiveness of risk management and internal controls.