Incitec Pivot Limited Annual Report 2019
Risk | Description and potential consequences | Treatment strategies employed by IPL
Compliance, regulatory and legal risk
Changes in federal or state government legislation,
regulations or policies in any of the countries in which
IPL operates or in which it has dealings may adversely
impact its business, financial condition and operations,
or the business, financial condition and operations of
IPL’s customers and suppliers. This includes changes in
domestic or international laws relating to sanctions,
import and export quotas, tariffs and geopolitical risks
relating to countries with which IPL, or its customers
and suppliers, engages to buy or sell products and
materials. In addition, changes in tax legislation or
compliance requirements in the jurisdictions in which
IPL, or its customers and suppliers, operates, or changes
in the policy or practices of the relevant tax authorities
in such jurisdictions, may result in additional compliance
costs and/or increased risk of regulatory action,
including potential impact on licences to operate.
IPL’s business, and that of its customers and suppliers,
is subject to environmental laws and regulations that
require specific operating licences and impose various
requirements and standards. Changes in these laws
and regulations, failure to abide by the laws and/or
licensing conditions, or changes to licence conditions,
may have a detrimental effect on IPL’s operations and
financial performance, including the need to undertake
environmental remediation, financial penalties or
ceasing to operate. During FY19 a Consent Decree was
issued against IPL’s St Helens ammonia plant.
Compliance with this Consent Decree is subject to an
independent external audit, the results of which are
required to be submitted to the Environmental
Protection Agency.
IPL’s business, and that of its customers and suppliers,
is also subject to various other laws and regulatory
provisions across the jurisdictions in which it operates,
including anti-bribery and corruption laws, sanctions
and anti-trust laws. Failure to abide by these laws and
regulatory provisions could result in reputational
damage to IPL as well as legal action, and could
impact on the willingness of parties, including
financiers, to transact with IPL.
IPL is exposed to potential legal and other claims or
disputes in the course of its business, including
contractual and other commercial disputes, and
property damage and personal injury claims in
connection with its operations.
• Management, through the Managing Director & CEO and
the Chief Financial Officer, is responsible for the overall
design, implementation, management and coordination of
the Group’s risk management and internal control system.
• Each business unit has responsibility for identification and
management of risks specific to the business. This is
managed through an annual risk workshop, risk register
and internal audits aligned to the material business risks.
• Corporate functions are in place to provide sufficient
support and guidance to ensure regulatory risks are
identified and addressed within the business well in
advance.
• Country regulatory risk is regularly reviewed through the
Group’s risk management framework.
• Where possible, IPL appoints local business leaders and
management teams who bring a strong understanding of
the local operating environment and strong customer
relationships.
• A comprehensive HSE management system is in place with
clear principles and policies communicated to employees.
• HSE risk management strategies are employed at all times
and across all sites. Incidents are reported and investigated,
and learnings are shared throughout the Group.
• The Group has strict processes regarding the stewardship,
movement and safe handling of dangerous goods and
other chemicals.
• IPL engages with governments and other key stakeholders
to ensure potential adverse impacts of proposed fiscal, tax,
infrastructure access and regulatory changes are
understood and, where possible, mitigated.
• Regular training is provided to relevant staff on their
obligations and reporting requirements under appropriate
anti-bribery and corruption laws.
• The Group conducts comprehensive checks of its customers
and suppliers to ensure it complies with all relevant
sanctions laws.
• Due diligence processes are undertaken as required under
the Group’s risk management and risk and compliance
frameworks.
• IPL provides a whistleblower hotline where employees and
third parties can anonymously notify the Group’s General
Counsel and Chief Risk Officer of any suspected fraudulent
or illegal activity.
Loss or exposure of sensitive data and cyber security
Sensitive data, pertaining to IPL, its employees,
associates, customers or suppliers, may be lost or
exposed, resulting in negative impact to reputation or
competitive advantage, and potential breach of
regulatory compliance obligations.
IPL may be the target of cyber-attacks which could
result in commercial, financial, health and safety,
environmental or reputational impacts. The potential
consequences include loss of business or customers,
financial loss, harm to personnel or environment,
interference with compliance with regulations,
interruption to operational business processes, or
interruption to the ability to make, sell and ship
product.
• Policies, procedures and practices are in place regarding
the use of company information, personal storage devices,
IT systems and IT security.
• A data breach response plan has been established to
respond to, and mitigate the effects of, any instances of
sensitive data breaches that may occur.
• External testing is performed to assess the security controls
of the Group’s IT systems.
• Security Operations Centre, threat intelligence, advanced
threat analytics, system/network controls and industry
standard cyber frameworks are collectively leveraged for
the prevention and detection of, and response against,
cyber threats.
• Incident Response Plans, including Disaster Recovery and IT
Business Continuity Planning arrangements, are in place to
help IPL effectively respond to and recover from a cyber
security incident.