46

Part 4. Risk management (continued)

4.2 Internal control framework (continued)

4.2.2 Risk Committee reporting

The Risk Committee engages in a quarterly conversation with management to assess current and emerging risks, identifed through the Line of Business and Group risk reporting process. Each Line of Business also reports to the Risk Committee on the performance of its business against target dimensions, as contained in risk appetite statements, and updated stress testing scenario results are provided to the Risk Committee on a six-monthly basis. Matters are referred to the Board by the Risk Committee from time to time for consideration and approval in accordance with delegated authorities and regulatory requirements.

4.2.3 Financial reporting

The Board receives reports on a monthly basis from management on the fnancial performance of each business unit and the Suncorp Group, including details of all key fnancial and business results reported against budget, with regular updates on yearly forecasts.

When the Board considers the statutory fnancial statements and reports for the Suncorp Group in February and August each year, written certifcations regarding the integrity of those fnancial statements and the Suncorp Group’s risk management and internal compliance and control systems are provided by the Group CEO, Group CFO and Group Chief Risk Offcer (Group CRO).

For the fnancial year ended 30 June 2011, the Group CEO, Group CFO and Group CRO have provided:

–– a declaration regarding the integrity of the fnancial statements of the Suncorp Group; and

–– assurance that the Suncorp Group’s risk management and internal compliance and control systems are operating effectively in all material respects.

These certifcations meet the requirements of s 295A of the

Corporations Act 2001 (Cth).

The certifcations provided by the Group CEO, Group CFO and Group CRO are based on responses provided by Senior Executives and management representatives to a management certifcation questionnaire, which is designed to provide an assurance to directors on matters that may impact the fnancial statements of Suncorp Group companies.

4.2.4 APRA declarations

In accordance with APRA regulations, each regulated entity is required to submit to APRA on an annual basis a risk management declaration, confrming the adequacy of the regulated entity’s risk management systems.

The risk management declarations, approved by the Board, are based on reports considered and reviews conducted by the Risk Committee during the course of the year and on the representations provided to the Board by management in regard to the adequacy of the Suncorp Group’s risk management systems for each category of risk.

4.3 Risk management accountabilities

4.3.1 Three lines of defence

Accountabilities for risk management within the Suncorp Group are based upon the three lines of defence model.

SUNCORP GROUP BOARD

BOARD RISK COMMITTEE BOARD AUDIT COMMITTEE

1st Line of Defence

All business areas

Manage risk & comply with Group frameworks, policies and risk appetite

2nd Line of Defence

All risk functions Suncorp Group & LOB

Independent risk functions own and monitor the application of risk frameworks, and measure and report on risk performance and compliance

3rd Line of Defence

Internal & external audit

Independent assurance over internal controls and risk management practices

Corporate Governance Statement (continued)