This area of our Corporate Governance section contains information on our Risk Management policies, processes and controls, covering:

• Overall responsibility
• Objective
• Policies for management of material business risk
• Risk Management Committee
• Internal audit
• External audit
• CEO and CFO certification of financial reports
• Internal controls and SOX 404
• Management's annual report on internal control over financial reporting
• Statement on risk management and control
• Limitations of control systems

Overall responsibility 
The Audit Committee has oversight of the company’s risk management policies, procedures and controls. The Audit Committee reviews, monitors and discusses these matters with the Managing Board. The Audit Committee and Managing Board report periodically to the Supervisory Board on the company’s risk management policies, processes and controls.

The Audit Committee is supported in its oversight role by the policies put in place by the Managing Board to oversee and manage material business risks, as well as the roles played by the Risk Management Committee (described in detail below) and internal and external audit functions. The internal and external audit functions are separate from
and independent of each other and each has a direct line of reporting to the Audit Committee.

Objective
The company considers that a sound framework of risk management policies, procedures and controls produces a system of risk oversight, risk management and internal control that is fundamental to good corporate governance and creation of shareholder value. The objective of the company’s risk management policies, procedures and controls is to ensure that:

• our risk management systems are effective;
• our principal strategic, operational and financial risks are identified;
• effective systems are in place to monitor and manage risks; and
• reporting systems, internal controls and arrangements for monitoring compliance with laws and regulations are adequate.

Policies for management of material business risks
Management has put in place a number of key policies, processes and independent controls to provide assurance as to the integrity of our systems of internal control and risk management. In addition to the measures described elsewhere in this report, a summary of the more significant policies, processes or controls adopted by the company for oversight and management of material business risks are:

• an Enterprise Risk Management process, which involves identifying and then developing contingency plans for the key risks facing the company and its assumptions in its three year strategic plans and beyond;
• a planning process involving the preparation of three-year strategic plans and a rolling 12 month forecast;
• annual budgeting and monthly reporting to monitor performance;
• maintaining an appropriate insurance program;
• maintaining policies and procedures in relation to treasury operations, including the use of financial derivatives;
• issuing and revising standards and procedures in relation to environmental and health and safety matters;
• implementing and maintaining training programs in relation to legal issues such as trade practices/antitrust, trade secrecy, and intellectual property protection;
• issuing procedures requiring significant capital and recurring expenditure to be approved at the appropriate levels; and
• documenting detailed accounting policies, procedures and guidance for the group in a single group finance manual.

A summary of these policies, processes and controls is available on this website.

During the fiscal year, the Audit Committee, and through it the Supervisory and Joint Boards, received a number of reports on the operation and effectiveness of these policies, processes and controls, including progress of the Enterprise Risk Management process and management’s assessment of the effectiveness of that process in managing the company’s material business risks.

Risk Management Committee
The Risk Management Committee, which reviews and monitors the risks facing the company, is the primary management forum for risk assessment and management in the company. During the last year, the company formally documented the role of the Risk Management Committee in the Risk Management Committee charter. The Risk Management Committee comprises a cross-functional group of employees and reports both to the Managing Board and Audit Committee on the procedures in place for identifying, monitoring, managing and reporting on the principal strategic, operational and financial risks facing the company. The Risk Management Committee also oversees the company’s Enterprise Risk Management process.

Internal audit
During the last year, the company appointed a Director of Internal Audit to head an internal audit department. The Audit Committee approved an Internal Audit Charter setting out the independence of the internal audit department, its scope of work, responsibilities and audit plan. The internal audit department’s workplan is approved annually by the Audit Committee. The Director of Internal Audit reports to the Chairman of the Audit Committee and meets with the Audit Committee and Supervisory Board in executive sessions on a quarterly basis.

External audit
The External Auditor reviews each quarterly and half–year results announcement and audits the full year results. The External Auditor attends each meeting of the Audit Committee, including an executive session where only members of the Audit Committee and Supervisory Board directors are present.

The Audit Committee has approved policies to ensure that all non-audit services performed by the External Auditor, including the amount of fees payable for those services, receive prior approval.

On 2 April 2008 James Hardie announced the engagement of Ernst & Young LLP as external auditor for the James Hardie group for the year commencing 1 April 2008. The selection of Ernst & Young follows a decision of the company’s Audit Committee and Supervisory Board in December 2007 to undertake a competitive tender process for the provision of external audit services to the James Hardie group. Following a comprehensive tender and review process of major accounting firms with the capabilities of undertaking the company’s audit, overseen by the Audit Committee and a special committee of management, the Audit Committee made a recommendation to the Supervisory Board and Ernst & Young was appointed as external auditor for the year commencing 1 April 2008. PricewaterhouseCoopers LLP which had been James Hardie’s external auditor for over 30 years has been responsible for the performance of the audit for the year ending 31 March 2008.

CEO and CFO certification of financial reports
Under SEC rules and the company’s internal control arrangements, our CEO and CFO provide certain certifications with respect to our full year financial statements, disclosure controls and procedures and internal controls over financial reporting. These certifications are more comprehensive and detailed than those required under the Corporations Act and are considered appropriate given that the company reports in accordance with US GAAP.

The Managing Board in turn receives quarterly assurance from the Financial Statements Disclosure Committee relating to the company’s disclosure controls and procedures and internal controls over financial reporting. This assurance is supported by written quarterly and annual sub-certifications from the General Managers and Chief Financial Officers of each business unit, the Director Treasury and the Corporate Controller and the annual certifications from the Senior Leadership Team.

Internal controls and SOX 404
Each fiscal year, the members of the Senior Leadership Team, and key members of the company’s business and corporate functions, complete an internal control certificate that seeks to confirm that adequate internal controls are in place and are operating effectively, and evaluate any failings and weaknesses.

Management's annual report on internal control over financial reporting  
Our management is responsible for establishing and maintaining adequate internal control over financial reporting as defined in Rule 13a-15(f) of the Exchange Act. Because of its inherent limitations, internal control over financial reporting may not prevent or detect all misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

We assessed the effectiveness of our internal control over financial reporting as of 31 March 2008. In making this assessment, we used the criteria set forth by the Committee of Sponsoring Organisations of the Treadway Commission in Internal Control – Integrated Framework. Based on our assessment using those criteria, we concluded that our internal control over financial reporting was effective as of 31 March 2008.

The effectiveness of our internal control over financial reporting as of 31 March 2008 has been audited by PricewaterhouseCoopers LLP, an independent registered public accounting firm, as stated in their report
in the 2008 annual report (PDF, 18K).

Statement on risk management and control 
James Hardie has designed its internal risk management and control systems to provide reasonable (but not absolute) assurance to ensure compliance with regulatory matters and to safeguard reliability of the financial reporting and its disclosures. Having assessed our internal risk management and control systems, the Managing Board believes that:

• the risk management and control systems provide reasonable assurance that this annual report does not contain any material inaccuracies; and
• no material failings in the risk management and control systems were discovered in our fiscal year 2008.

This statement is not a statement in accordance with the requirements of Section 404 of the US Sarbanes-Oxley Act. Our analysis of our internal risk management and control systems for purposes of the Dutch Code is different from the report that we are required to prepare in the United States pursuant to Section 404 of the Sarbanes-Oxley Act.

Limitations of control systems
Despite the steps outlined above, our management does not expect that our internal risk management and control systems will prevent or detect all error and all fraud. No matter how well it is designed and operated, a control system can provide only reasonable, not absolute, assurance that the control system’s objectives will be met. The design of a control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs. Further, because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that misstatements due to error or fraud will not occur or that all control issues and instances of fraud, if any, within the company have been detected.

These inherent limitations include the realities that judgments in decision-making can be faulty and that breakdowns can occur because of simple error or mistake. Controls can also be circumvented by the individual acts of some persons, by collusion of two or more people, or by management override of the controls. The design of any system of controls is based in part on certain assumptions about the likelihood of future events, and there can be no assurance that any design will succeed in achieving its stated goals under all potential future conditions. Projections of any evaluation of controls’ effectiveness to future periods are subject to risks. Over time, controls may become
inadequate because of changes in conditions or deterioration in the degree of compliance with policies or procedures.