Corporate governance services

In March 2003, the ASX Corporate Governance Council (the Council), comprising representatives of a range of business groups…

In March 2003, the ASX Corporate Governance Council (‘the Council), comprising representatives of a range of business groups, published ‘Principles of Good Corporate Governance and Best Practice Recommendations’. This publication describes ten core principles of good corporate governance, each of which is supported by best practice recommendations and implementation guidance and suggestions (including required disclosures).

The ten core principles are:

  1. Lay solid foundations for management and oversight – Recognise and publish the respective roles and responsibilities of board and management.
  2. Structure the board to add value – Have a board of an effective composition, size and commitment to adequately discharge its responsibilities and duties.
  3. Promote ethical and responsible decision-making – Actively promote ethical and responsible decision-making.
  4. Safeguard integrity in financial reporting – Have a structure to independently verify and safeguard the integrity of the company’s financial reporting.
  5. Make timely and balanced disclosure – Promote timely and balanced disclosure of all material matters concerning the company.
  6. Respect the rights of shareholders – Respect the rights of shareholders and facilitate the effective exercise of those rights.
  7. Recognise and manage risk – Establish a sound system of risk oversight and management and internal control.
  8. Encouraged enhanced performance – Fairly review and actively encourage enhanced board and management effectiveness.
  9. Remunerate fairly and responsibly – Ensure that the level and composition of remuneration is sufficient and reasonable and that its relationship to corporate and individual performance is defined.
  10. Recognise the legitimate interests of stakeholders – Recognise legal and other obligations to all legitimate stakeholders.

A statement disclosing the extent to which the entity has followed the best practice recommendations set by the ASX Corporate Governance Council during the reporting period. If the entity has not followed all of the recommendations the entity must identify those recommendations that have not been followed and give reasons for not following them. If a recommendation had been followed for only part of the period, the entity must state the period during which it had been followed.


CEO and CFO Statements about Financial Reports and Internal ControlsThe Council recommends that a company’s CEO and CFO should make statements about the company’s financial reports and internal controls in order to achieve compliance with Principle 4 ‘Safeguard integrity in financial reporting’ and Principle 7 ‘Recognise and manage risk’. The relevant Recommendations are discussed below:

Recommendation 4.1: CEO and CFO Statements about Financial Reports

Principle 4 requires a company to have a structure of review and authorisation that independently verifies and safeguards the integrity of the company’s financial reporting, including the truthful and factual presentation of the company’s financial position.

One of the five recommendations made by the Council to achieve Principle 4 is Recommendation 4.1, in that the company should:

Require the chief executive officer (or equivalent) and the chief financial officer (or equivalent) to state in writing to the board that the company’s financial reports present a true and fair view, in all material respects, of the company’s financial condition and operational results and are in accordance with relvant accounting standards.

Recommendation 7.2: CEO and CFO statements about risk oversight and management and internal control

Principle 7 requires a company to establish a sound system of risk oversight and management and internal control, which is designed to identify, assess, monitor and manage risk, and inform investors of material changes to the company’s risk profile. One of the three recommendations made by the Council to achieve Principle 7 is Recommendation 7.2, being that:

The chief executive officer (or equivalent) and the chief financial officer (or equivalent) should state to the board in writing that:

7.2.1 The statement given in accordance with best practice recommendation 4.1 (the integrity of financial statements) is founded on a sound system of risk management and internal compliance and control which implements the policies adopted by the board. 7.2.2 The company’s risk management and internal compliance and control system is operating efficiently and effectively in all material respects.

Framework component Indicative attributes
Internal Environment Board responsibilities for risk management have been established. At least three independent / non-executive directors are involved.
A risk management policy is in place.
Ethical values have been established.
The Board has set its risk reporting expectations, consistent with the risk management policy.
Responsibility and accountability for risk management has been delegated from the Board to management with appropriate functions and accountabilities within the business.
Risk management has been incorporated into business and personal performance criteria.
Objective Setting Business objectives / strategies have been developed and documented.
Key performance indicators have been established to monitor achievement.
Event identification Management has implemented systems and processes to identify risks that could threaten the achievement of business objectives.
Risk profiles are prepared describing the material risks facing the organisation.
The risk identification process considers internal and external factors.
Risk assessment Consistent risk assessment criteria are used to measure the likelihood and impact of identified risks. These have been tailored to suit the environment and risk appetite of the organisation.
Material risks are assessed across all material business units.
Risk Response Consideration is given to all options for managing a risk including: avoidance, reduction, sharing / transfer and acceptance.
Control activities Responsibility and accountability for control activities has been assigned within the organisation.
The effectiveness of controls is evaluated periodically with remedial actions implemented and monitored where necessary.
Effectiveness assessment includes evaluation of design (i.e. fitness for purpose) and execution (i.e. compliance).
Information and communication The risk management policy has been communicated internally and made publicly available.
Communication channels (e.g. intranet, internet, internal knowledge systems) have been established to enable people to access relevant risk management information.
Risk management information is integrated with other information used to manage the organisation.
Monitoring The Board and Management regularly review and update the organisation’s risk profile.
Protocols have been established for reporting risk issues, with escalation to senior management / the Board as necessary.
Appropriate risk monitoring functions, such as internal audit, have been established and are coordinated to ensure completeness of monitoring activities.
An internal audit function has been structured in a manner that achieves organisational objectivity and permits full and unrestricted access to top management and the audit committee of the Board.