Governance and risk
• Operational management: owns and manages risks identified directly through day-to-day operations.
• Risk, compliance and resilience functions: provide oversight, guidance and support to ensure first-line assurance activities are appropriately applied.
• Internal audit team: provides assurance services, with outcomes from our risk processes used to define internal audit focus areas. Internal audits also provide independent assurance to our Audit and Risk Committee (ARC) and support management in maintaining an effective risk and control environment.

Our broader internal audit assurance activities are co-sourced and comprise an external audit service provider, EY, and our internal audit team. This approach provides balance, independence, external subject matter expertise and internal knowledge. Our internal audit team operates under a plan approved annually by ARC and has full access to all Transurban Group functions, records, property and personnel. The team reports to the Company Secretary and has a direct reporting line to the ARC Chair. Internal audit results are reported to ARC.

Measuring risk management effectiveness and continuous improvement

We have multiple assurance activities to assess the value and success of our ERM activities. Our Board monitors and reviews the effectiveness of our ERM Framework. At the Board’s request, our internal audit team conducts annual reviews of the framework to demonstrate to the Board that the framework remains sound and aligns with the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations. Review activities comprise:
• conducting a gap analysis of Transurban’s risk management approach against the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations
• examining alignment to ISO 31000:2018 – Risk management
• assessing our ERM Framework against other leading practice frameworks.

We also assess our risk culture via risk-specific questions in our annual employee ‘Our Voice’ survey (see page 60 for more information). These questions assess employees’ current understanding of risk, the level of risk management practice within the business, and the propensity of employees and the business to take considered risk and to report where this is outside our risk appetite. ERM review and employee survey results help us identify business areas requiring focused risk support and drive capability development activities. Results and feedback also inform future risk management training, education and ERM Framework improvement activities.

As a result of these activities, in FY24 we further enhanced our risk management framework to support the business’s continued growth in risk practice maturity. These enhancements included minor changes to our policy and frameworks, including updating our risk appetite statements to reflect FY24 business KPIs and KRIs so that we operate within our risk appetite, and developing enhanced risk reporting. We have also updated our risk assessment criteria to further enhance the ESG assessment of risks in terms of Health, Safety and Environmental risk, and to consider the Legal consequences associated with risks.
Figure 25: Integrated risk management in action

The figure sets out, for each level of the business, its annual, quarterly and continuous risk activities together with its Business Resilience and Internal Audit activities.

ARC/Board
• Annual activity: review ERM effectiveness and approve changes; review and update Risk Appetite
• Quarterly activity: review material and emerging risks
• Business Resilience: provide assurance of resilience capability and preparedness; reporting on learnings from exercises and incidents
• Internal Audit: update audit plan based on key risks and themes

Executive Committee
• Annual activity: review ERM effectiveness and approve changes; review and update Risk Appetite
• Quarterly activity: review key business, strategic and emerging risks
• Continuous activity: risk and compliance status reporting
• Business Resilience: consider emerging threats and catastrophic risks; exercise and test business response
• Internal Audit: annual review of business compliance

Assets, Operations and Business
• Annual activity: set risk objectives and priorities in business plan; update risks in line with objectives
• Quarterly activity: consolidate and review key business and operational risks
• Continuous activity: validate key risks and compliance requirements
• Business Resilience: exercise and test response to disruption risks; validate preventative controls
• Internal Audit: Internal Audit plan review and update to reflect any emerging risks
• Review key risks and treatments

Projects, development proposals and acquisition
• Annual activity: set risk objectives and priorities in business plan; update risks in line with objectives
• Quarterly activity: formal review of risk registers
• Continuous activity: validate key risks and compliance requirements
• Business Resilience: identification of risks that could disrupt the safe and continuous operations of our assets or critical business processes
• Internal Audit: audit reports issued, including assessments of controls and management actions to enhance the control environment
• Review key risks and treatments