Business Resilience and Risk Management Policy
(Board Approved)
Public Version
2.0 Purpose
The purpose of this policy is to develop and strengthen Stanwell’s business resilience and risk
management practices by providing the structural framework needed to continue to meet
Stanwell’s objectives when faced with risks (including both opportunities and threats) and
vulnerabilities.
Note: This document is not to be published to the external internet www.stanwell.com. A
public version is to be created upon approval excluding Appendix 1 – Risk Appetite
Statement. This is the responsibility of the Policy owners.
3.0 Scope
This policy incorporates the integration of a number of interrelated activities including business
continuity, risk management, security and insurance. In delivery of this policy, additional business
functions, such as Compliance and Regulatory Management and Information and Business
Systems are incorporated into the business resilience and risk management corporation-wide
approach.
The diagram below reflects Stanwell’s optimal business resilience model.
WRITTEN BY: K Buckley
ENDORSED/CHECKED BY: M O’Rourke
APPROVED BY: Board
DATE: 19.03.2018
Doc No: GOV-POL-37 Revision No: 3 Revision Date: 19-03-2018 Page: 1 of 6
Approved via Board Memorandum Number: BD-18-03-6.1
Endorsed via Committee Number : ARMC-18-03-2.2
THIS DOCUMENT IS UNCONTROLLED IN HARD COPY FORMAT
In the development of Stanwell’s Business Resilience and Risk Management approach, Stanwell
will be well-positioned to create opportunities for benefit and to also respond to the negative
consequences of an event. This will deliver improved outcomes based on informed decision
making and resilience, including business continuity, security, and risk transference via insurance
and corporation-wide risk management practices.
This policy applies to Stanwell’s directors and employees and to all contractors working for or at
Stanwell (our people) in relation to all categories of risk and Stanwell’s business activities.
4.0 Content
This policy delivers a strategic methodology to Stanwell’s business resilience which incorporates
an organisation-wide approach to managing the risks and vulnerabilities which may impact on
Stanwell’s ability to achieve its strategic objectives.
Stanwell recognises that business resilience is dynamic and emerges from the complex interaction
between a wide range of business processes. To achieve business resilience, Stanwell has
established a business resilience framework that integrates the functions of business continuity,
security, insurance and risk management. This alignment supports the knowledge, expertise and
skills of its people to develop, implement and maintain a robust and appropriate business
resilience and risk management program for the corporation.
The diagram below details the relationship between risk management, business continuity
(including crisis, incident, disaster recovery and emergency response), security and insurance.
4.2. Security
Stanwell maintains a security management framework which seeks to moderate Stanwell’s
security exposures and vulnerabilities and to establish the appropriate response through:
- a comprehensive understanding of Stanwell’s assets and their security vulnerabilities;
- detailed intelligence, threat analysis and the identification of security risks;
- robust security management standards and plans tailored to the specific security priorities, location and risk environment;
- building the resilience of the organisation to respond to and recover from a security event;
- undertaking regular security audits; and
- a sustainable security culture across all of Stanwell’s operating sites and corporate offices.
The key focus of the framework is to apply security best practice to mitigate against security
threats, identify and eliminate vulnerabilities and to demonstrate Stanwell’s intent to comply with
relevant regulatory and compliance requirements.
The framework also establishes an on-going and continuous process of improvement, enabling
the security management program to develop and mature in alignment with Stanwell’s strategic
objectives.
4.4. Insurance
Stanwell chooses to utilise insurance as a risk transference mechanism (where appropriate) and
to reduce the ultimate financial impact to the business should a serious event occur within the
business.
Stanwell maintains a portfolio of insurance policies which aim to cover the types of business
activities Stanwell undertakes on a day-to-day basis.
Stanwell regularly reviews its insurance coverage, insurers and deductibles as part of an annual
renewal process.
5.0 Responsibilities
Position: Audit and Risk Management Committee (ARMC)
Responsibility: The Stanwell Board has established the Audit and Risk Management Committee to assist the Board to oversee the process for identifying and managing significant business risks, business continuity, disaster recovery processes and insurance strategy. The responsibilities and delegated authority of the ARMC are detailed in the Board-approved ARMC Charter.

Position: Chief Executive Officer (CEO)
Responsibility: Ultimate accountability for ensuring that Stanwell has identified and managed its significant business risks and has effective business resilience programs in place.

Position: Managers and Supervisors
Responsibility: Managers and Supervisors are responsible for evaluating their risk environment, putting in place effective controls and monitoring the effectiveness of these controls.

Position: Our people
Responsibility: Our people are responsible for familiarising themselves with this Policy and the supporting strategies, procedures, processes and plans that affect their workplace activities, incorporating risk practices into their business activities and reporting and escalating all events, risk concerns, issues and breaches.
Not applicable
8.0 References