Investor Presentation
Our material risks
We continue to operate in a challenging macroeconomic environment characterised
by elevated inflation, global supply chain disruptions, severe weather events
and regulatory reform. A key challenge in F23 was rising cost-of-living pressures
which impacted our customers and communities, and resulted in increased levels
of theft and violence towards our team.
Risk management oversight
Below is an overview of Woolworths Group's risk governance and management. This also includes
the key responsibilities of the Board and Board Committees, the Group Executive Committee, the risk
community, internal audit and business leaders. The Group applies a three lines of accountability
model approach to managing risk and compliance obligations.
RISK LEADERSHIP
The Board of Directors
(with input from Audit and Finance Committee, People Committee, Risk Committee,
Sustainability Committee and Nomination Committee)
Annual Report 2023
Woolworths Group
• Sets and communicates expectations for risk management
• Approves Woolworths Group ways-of-working, core values and code of conduct to underpin the desired culture
• Satisfies itself that Woolworths Group has in place an appropriate risk management framework
• Sets risk appetite and provides oversight of material risk exposures and risk-taking
• Monitors the effectiveness of Woolworths Group governance practices
Group Executive Committee
• Provides recommendations to the Board on risk policy, frameworks and risk practices
• Manages material risks and reporting on material risk matters
• Implements effective risk management in the business units
THREE LINES OF ACCOUNTABILITY
As recent events have shown, sophisticated cyber attacks
and data breaches have added layers of complexity
to our risk landscape and, as a result, there has been
a heightening of our data management and privacy risk.
We continue to monitor evolving threats and refine our
processes and controls as the digital environment grows.
Our risks are becoming increasingly interconnected and
complex, requiring a practical and straightforward risk
management approach that is consistently reviewed,
assessed, and where necessary, adjusted through the
appropriate governance forums. Our risk management
framework guides our approach to managing risks and
we continue to refine it by listening to and learning from our
customers, team, and communities.
As the shape of our Group continues to change, we have
embedded our risk management approach within each
of our businesses and throughout the acquisition lifecycle.
We are focused on equipping our teams with practical
tools and frameworks that allow them to confidently make
risk-informed choices, leading to better outcomes for our
customers, teams, shareholders, and communities.
This year we updated our Board approved risk appetite
statements to better align to our strategy, operational
environment and our purpose and ways-of-working.
Each risk appetite statement has a Group executive
sponsor (RAS Lead) who determines whether we are
meeting our risk objective.
We think about our risks in the following way:
• Operational risks we manage as part of our daily business activities
• Strategic risks that should they materialise could impact our ability to deliver our strategic goals
• Emerging risks that could materialise over time that we would need to respond to
Our most significant risks, those that if not managed
effectively would have material consequences, form our
material risks. For our material risks, we have taken
a consistent approach to how we implement, monitor
and test the effectiveness of controls, including response
plans. These risks are monitored formally by one of our
governance committees. For other risks, our response
is determined by our risk appetite posture, taking into
consideration the changing shape of the internal and
external environment.
Our risk approach and material risks reported have not
changed compared with our disclosures contained
within the 2022 Annual Report; however, there has
been a heightening of our outlook with regards to data
management and privacy, commensurate with the
increasing reliance on technology and the digitisation
of our operations. The material risks faced by our Group
and the risk management approach to each of them are
outlined on pages 62 to 65.
Further information in relation to risk management
can be found throughout the Annual Report and
in the Corporate Governance Statement.
Sets business direction
and resolves significant
enterprise risk issues
1ST LINE OF ACCOUNTABILITY: Business
Owns and manages risk
2ND LINE OF ACCOUNTABILITY: Oversight functions
Oversees and sets frameworks and standards. Independently monitors and provides analysis and reporting on risks and controls
3RD LINE OF ACCOUNTABILITY: Independent assurance
Provides independent assurance of frameworks and controls effectiveness
Macro risk factors
Macro risk factors are attributes, characteristics or exposures that
increase the likelihood of a risk occurring. These are closely monitored
as they are a cause of many of our material risks, examples include:
Climate
The material risks impacted by climate include:
strategy and transformation; customer; legal,
regulatory and governance; product safety; supply
chain and operational resilience; and sustainability.
Cyber
The material risks impacted by cyber include: technology;
customer; supply chain and operational resilience; privacy
and data management; financial; legal, regulatory and
governance; and safety, health and wellbeing.
Group businesses
Group platforms
Group Risk Enablement
People team
Group Safety, Health & Wellbeing
Group Legal & Compliance
Group Finance
Group Sustainability
Internal Audit
External Audit