Company XYZ

1. Introduction
XYZ recognises risk management as an integral component of good
corporate governance and fundamental in achieving its strategic and
operational objectives. It improves decision-making, defines opportunities
and mitigates material events that may impact shareholder value.
2. Methodology
XYZ has adopted an enterprise-wide framework that incorporates a system
of risk oversight, risk management and internal control designed to identify,
assess, monitor and manage risks consistent with ISO 31000:2009. XYZ
applies risk management in a well-defined, integrated framework that
promotes awareness of risks and an understanding of the company's risk
tolerances. This enables a systematic approach to risk identification,
the leveraging of opportunities, and the provision of treatment strategies to
manage, transfer and avoid risks.
3. Scope
This policy applies to all team members, whether full time, part time or
casual at any level of seniority within the business. The policy also applies
to contractors and consultants working on behalf of XYZ.
The XYZ Risk Management Policy and risk model has been developed to
include the following key categories:
• Customers
• Employees
• Reputation
• Financial
• Business policy and processes
• Strategy
• Governance

ISO 31000 Issue 1.1-Mar 2012

RISM-999-010-ENIN
Responsibilities
The Board is ultimately responsible for identifying and assessing internal
and external risks that may impact XYZ in achieving its strategic objectives.
The Board is responsible for determining the company’s risk appetite,
overseeing the development and implementation of the risk management
framework and maintaining an adequate monitoring and reporting
mechanism.
The Board is also responsible for reviewing and approving the risk
management framework and risk appetite on an annual basis.
Management is responsible for ensuring that risks are identified, analysed,
evaluated and mitigated. Management must develop a sustainable control
environment to manage significant risks and champion the implementation
of risk management processes within their business operations.
Management monitors and reports on material risks identified through the
internal and external audit process.
The Internal Audit program must be aligned to the company’s risk profile
and is responsible for providing independent assurance in relation to the
effectiveness of processes to manage particular areas of risk. The scope of
internal audit’s risk-based program is agreed to as part of an annual plan
which is refined as necessary.
4. Reporting
The Chief Executive Officer and the Chief Financial Officer provide
assurance to the Audit, Finance and Risk Committee with regard to the
financial records, risk management and internal compliance.
The declaration is founded on a sound system of risk management and
internal control, and states that the system was operating effectively in all
material respects in relation to strategic, shareholder, operational and
financial risks.
5. Policy Review
This policy will be reviewed at least annually to ensure its effectiveness
and its continued application and relevance to the XYZ business.
Company B

1. Introduction
LMN Limited (the Company) through its various subsidiaries engages in a
number of businesses, most of which involve the provision of high volume,
low margin transactions in financial services markets, and some of which
involve accepting fiduciary responsibility. By their nature, such services
present a substantial level of risk, including financial, technological,
compliance, and operational risk, which must be mitigated on a continuous
basis if the overall growth and prosperity of the LMN Group is to be
assured. This Policy is designed to provide the broad framework for
identifying and managing risk within LMN’s businesses. In prioritising the
LMN Group’s approach to risk management, it is a primary objective to
manage each specific risk so as to neutralise its impact on the Company,
with a particular focus on those risks identified as critical or material to
the business.
The LMN Group’s risk management policies and procedures together
describe its risk profile and detail all aspects of its risk management
framework, internal control system and internal audit function.
2. Policy
The methodology set out in the ISO 31000:2009 on Risk Management
Systems has been used as a benchmark in developing this Policy, and will
be used to assist in monitoring and implementing risk management
measures across the LMN Group, unless local standards and systems
available in jurisdictions in which the Group operates are more suitable to
markets in those jurisdictions.
The key elements of the Company's risk management system are shown
below.
In analysing business risks to the LMN Group, a number of different matters
will be taken into account, including the likelihood of a particular risk
occurring, the consequences likely to arise if that risk does occur, the
existing business processes in place to remedy such a risk, and the
effectiveness of those processes. To
this end, LMN’s internal audit function will work with respective business
units to assess existing internal controls and establish new ones as
appropriate.
3. Oversight of Risk Management Policy
The Board is ultimately responsible for ensuring that the Company’s risk
management practices are sufficient to mitigate, to the most cost-effective
extent possible, the risks present in the Company’s various businesses. The
Board delegates a portion of this responsibility to its Risk and Audit
Committee (the Committee), which is made up of Board members with
particular talents and experience in this regard. Management is instructed
and empowered by the Board to implement appropriate risk management
strategies, including an internal control system, in cooperation with the
Board and the Committee. In addition, Management is expected to report to
the Board (or the Committee on its behalf) on developments related to
LMN’s business risks, and suggest to the Board new and revised strategies
for mitigating such risks. Management is also expected to provide an annual
statement to the Board as to whether the Company’s material business
risks are being managed effectively.
4. Areas of Ongoing Risk to LMN
The Company is subject to a number of types of risk that can be expected
to be enduring elements of its businesses. The Board and Management will
seek to identify, analyse, evaluate and, to the extent possible, remedy (or at
least mitigate) these risks, which include:
• technology risks, including in the Company’s proprietary systems, systems
licensed from third parties and those used by competitors;
• economic risks, including interest rate and foreign exchange fluctuations,
market conditions and costs of doing business;
• market structure and regulation risks, including share registration regimes,
the emergence of competitors from related fields, and regulatory initiatives;
• operational risks, including transaction processing errors and related
business process failures;
• compliance risks, including issues with regulatory authorities which govern
licences required by the Company to do business;
• business continuity risks, including planning for fire, terrorism, and other
events that require disaster management;
• human resource risks, including succession planning, recruitment,
compensation, and retention issues;
• capital adequacy risks, including access to debt and equity resources
necessary to operate and expand the Company’s businesses and
compliance with financier’s required covenants; and
• accounting and financial control and reporting risk.

The Board will directly, and via the Committee, work with Management on
an ongoing basis within the risk framework outlined above to mitigate the
risks to the Company’s businesses as they may evolve over time.