Risk Management

This area of our Corporate Governance section contains information on our Risk Management policies, processes and controls, covering:

• Overall responsibility
• Objective
• Policies for management of material business risk
• Risk Management Committee
• Internal audit
• External audit
• Financial statements disclosure committee
• CEO and CFO certification of financial reports
• Internal controls and SOX 404
• Management's annual report on internal control over financial reporting
• Statement on risk management and control
• Limitations of control systems

Overall responsibility 
The Audit Committee has oversight of the company’s risk management policies, procedures and controls. The Audit Committee reviews, monitors and discusses these matters with the CEO, CFO and General Counsel. The Audit Committee, CEO, CFO and General Counsel report periodically to the Board on the company’s risk management policies, processes and controls.

The Audit Committee is supported in its oversight role by the policies put in place by management to oversee and manage material business risks, as well as the roles played by the Risk Management Committee (described in detail in section 6.4 below) and internal and external audit functions.

The internal and external audit functions are separate from and independent of each other and each has a direct reporting line to the Audit Committee.

Objective
The company considers that a sound framework of risk management policies, procedures and controls produces a system of risk oversight, risk management and internal control that is fundamental to good corporate governance and creation of shareholder value. The objective of the company’s risk management policies, procedures and controls is to ensure that:

• our risk management systems are effective;
• our principal strategic, operational and financial risks are identified;
• effective systems are in place to monitor and manage risks; and
• reporting systems, internal controls and arrangements for monitoring compliance with laws and regulations are adequate.

Risk management does not involve avoiding all risks. The company’s risk management policies seek to strike a balance between ensuring that the company continues to generate financial returns and simultaneously manages risks appropriately by setting appropriate strategies and objectives.

Policies for management of material business risks
Management has put in place a number of key policies, processes and independent controls to provide assurance as to the integrity of our systems of internal control and risk management. In addition to the measures described elsewhere in this report, the more significant policies, processes or controls adopted by the company for oversight and management of material business risks are:

• quarterly meetings of the Risk Management Committee to assess the key strategic, operations,reporting and compliance risks facing the company, the level of risk and the processes implemented to manage each of these key risks over the upcoming twelve months;
• quarterly reporting to the Audit Committee of the Risk Management Committee’s conclusions regarding the key strategic, operations, reporting and compliance risks facing the company;
• an Enterprise Risk Management process, which involves developing contingency plans for the key risks facing the company and its assumptions in its three year strategic plans and beyond;
• a planning process involving the preparation of three-year strategic plans and a rolling twelve month forecast;
• annual budgeting and monthly reporting to monitor performance;
• an internal audit department with a reporting line direct to the Chairman of the Audit Committee;
• increased monitoring of the company’s liquidity and status of renewals of finance facilities;
• maintaining an appropriate insurance program;
• maintaining policies and procedures in relation to treasury operations, including the use of financial derivatives;
• issuing and revising standards and procedures in relation to environmental and health and safety matters;
• implementing and maintaining training programs in relation to legal issues such as trade practices/antitrust, trade secrecy, and intellectual property protection;
• issuing procedures requiring significant capital and recurring expenditure to be approved at the appropriate levels; and
• documenting detailed accounting policies, procedures and guidance for the group in a single group finance manual.

Another example of the company’s approach to managing significant business risks is the establishment of the Due Diligence Committee, which was formed to oversee the formulation of the company’s Re-domicile proposal.

During the fiscal year, the Audit Committee, and through it the Board, received a number of reports on the operation and effectiveness of the policies, processes and controls described in this section. This included a review of the company’s current compliance programs and disclosure controls and processes, how they compare with best practices and the steps proposed by management to continue cultivating the company’s risk management culture.

Risk Management Committee
The Risk Management Committee, which reviews and monitors the risks facing the company, is the primary management forum for risk assessment and risk management in the company. This role is more formally documented in the company’s Risk Management Committee charter. The Risk Management Committee comprises a cross-functional group of employees and reports quarterly to both the CEO, CFO, General Counsel and Audit Committee on the procedures in place for identifying, monitoring, managing and reporting on the principal strategic, operational, financial and legal risks facing the company. The Risk Management Committee also oversees the company’s Enterprise Risk Management process. 

Internal audit
The director of internal audit heads the internal audit department. The internal audit charter sets out the independence of the internal audit department, its scope of work, responsibilities and audit plan.

The internal audit department’s workplan is approved annually by the Audit Committee. The director of internal audit reports to the Chairman of the Audit Committee and meets quarterly with the Audit Committee and Board in executive sessions. 

External audit
The external auditor reviews each quarterly and half-year results announcement and audits the full year results. The external auditor attends each meeting of the Audit Committee, including an executive session where only members of the Audit Committee and Board directors are present. The Audit Committee has approved policies to ensure that all non-audit services performed by the external auditor, including the amount of fees payable for those services, receive prior approval. The Audit Committee also reviews the remuneration paid to the external auditor and makes recommendations to the Board regarding the maximum compensation to be paid to the external auditor.

Financial statements disclosure committee 
The Financial Statements Disclosure Committee is a management committee comprising senior finance, accounting, compliance, legal, tax, treasury and investor relations executives in the company, which meets with the CEO, CFO and General Counsel prior to the Board’s consideration of any quarterly or annual results. The Financial Statements Disclosure Committee is a forum for the CEO, CFO and General Counsel to discuss, and, on the basis of those discussions, report to the Audit Committee, about a range of risk management procedures, policies and controls, covering the draft results materials, business unit financial performance and the current status of legal, tax, treasury, accounting, compliance, internal audit, complaints and disclosure control matters.

CEO and CFO certification of financial reports
Under SEC rules and the company’s internal control arrangements, our CEO and CFO provide certain and internal controls over financial reporting. These certifications are more comprehensive and detailed than those required under the Australian Corporations Act and are considered appropriate given that the company’s financial reports are prepared in accordance with US GAAP.

The Board in turn receives quarterly assurance from the Financial Statements Disclosure Committee relating to the company’s disclosure controls and procedures and internal controls over financial reporting. This assurance is supported by written quarterly and annual sub-certifications from the general managers and chief financial officers of each business unit, the director treasury and the corporate controller and the annual certifications from the Group Management Team.

Internal controls and SOX 404
Each Each fiscal year, the members of the Group Management Team, and key members of the company’s business and corporate functions, complete an internal control certificate that seeks to confirm that adequate internal controls are in place and are operating effectively, and evaluate any failings and weaknesses.
 

Management's annual report on internal control over financial reporting  
Our management is responsible for establishing and maintaining adequate internal control over financial reporting as defined in Rule 13a-15(f) of the Exchange Act. Because of its inherent limitations, internal control over financial reporting may not prevent or detect all misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

We assessed the effectiveness of our internal control over financial reporting as of 31 March 2010. In making this assessment, we used the criteria set forth by the Committee of Sponsoring Organizations of  the Treadway Commission in Internal Control – Integrated Framework. Based on our assessment using those criteria, we concluded that our internal control over financial reporting was effective as of 31 March 2010.

The effectiveness of our internal control over financial reporting as of 31 March 2010 has been audited by Ernst & Young LLP, an independent registered public accounting firm, as stated in their report which appears on page 77 of the 2010 annual report (PDF, 30K).

Statement on risk management and control 
James Hardie has designed its internal risk management and control systems to provide reasonable (but not absolute) assurance to ensure compliance with regulatory matters and to safeguard reliability of the financial reporting and its disclosures. Having assessed our internal risk management and control systems, the CEO and CFO believe that:

• the risk management and control systems provide reasonable assurance that this annual report does not contain any material inaccuracies; and  
• no material failings in the risk management and control systems were discovered in our fiscal year 2010.

This statement is not a statement in accordance with the requirements of Section 404 of the US Sarbanes-Oxley Act. Our analysis of our internal risk management and control systems for purposes of the Dutch Code is different from the report that we are required to prepare in the United States pursuant to Section 404 of the Sarbanes-Oxley Act.

Limitations of control systems
Despite the steps outlined above, our management does not expect that our internal risk management and control systems will prevent or detect all error and all fraud. No matter how well it is designed and operated, a control system can provide only reasonable, not absolute, assurance that the control system’s objectives will be met.

The design of a control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs. Further, because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that misstatements due to error or fraud will not occur or that all control issues and instances of fraud, if any, within the company have been detected.

These inherent limitations include the realities that judgments in decision-making can be faulty and that breakdowns can occur because of simple error or mistake. Controls can also be circumvented by the individual acts of some persons, by collusion of two or more people, or by management override of the controls. The design of any system of controls is based in part on certain assumptions about the likelihood of future events, and there can be no assurance that any design will succeed in achieving its stated goals under all potential future conditions. Projections of any evaluation of controls’ effectiveness to future periods are subject to risks. Over time, controls may become inadequate because of changes in conditions or deterioration in the degree of compliance with policies or procedures.