Bravura : Risk Management Policy

Risk Management Policy

Date: 21 November 2022

Document Status: Published

Classification: External

Classification: External

Risk Management Policy

Bravura Solutions Limited and its subsidiaries (the Company)

1. Introduction

1.1 Background

Risk recognition and management are viewed by the Company as integral to its objectives of creating and maintaining shareholder value, and to the successful execution of the Company's strategies.

1.2 Purpose

The purpose of the Risk Management Policy (the Policy) is to ensure that:

1. appropriate systems are in place to identify to the extent reasonably practicable all material risks that may impact on the Company's business;
2. the financial impact of identified risks is understood, and appropriate internal control systems are in place to limit the Company's exposure to such risks;
3. appropriate responsibilities are delegated to control the identified risks effectively;
4. the risk management framework is appropriate and that the Company is operating with due regard to the risk appetite set by the Board and the Audit and Risk Management Committee; and
5. any material changes to the Company's risk profile are disclosed in accordance with the Company's Continuous Disclosure Policy.

For the purpose of this Policy, "risk" is defined as possible outcomes that could materially adversely impact on the Company's financial performance, assets, reputation, people or the environment.

1.3 Board responsibility

The Board is responsible for risk oversight and the management and internal control of the processes by which risk is considered for both ongoing operations and prospective actions. As a minimum, the Board is required to:

1. oversee the establishment and implementation of the risk management system; and
2. review the effectiveness of the Company's risk management system,

in relation to the processes, structures and culture established to identify, assess, treat and monitor risk to support the achievement of the Company's objectives.

In specific areas, the Board is assisted by the Audit & Risk Management Committee. The Audit & Risk Management Committee is responsible for establishing procedures which provide assurance that major business risks are identified, consistently assessed and appropriately addressed. We refer to the Company's Audit & Risk Management Committee Charter.

Not all aspects of risk management can be formalised, and the Company places considerable reliance on the skill, experience and judgment of its people to take risk managed decisions within the framework of this Policy and to communicate openly on all risk related matters.

2.Key principles and concepts

2.1 Identified Business Risks

There are a number of risks which are inherent to the business activities which the Company undertakes.

Classification: External

These risks may change over time as the external environment changes and as the Company expands its operations. The risk management process requires the Board to conduct regular reviews of the Company's existing risks and the identification of any new and emerging risks facing the Company, including financial and non financial matters. It also requires the management, including mitigation where appropriate, of these risks.

2.2 Business Risk Management Policies and Practices

In order to properly identify and develop strategies and actions to manage business risks, the Company has put in place a business risk management framework that the Audit & Risk Management Committee oversee when it meets periodically to identify and assess specific risks.

The Audit & Risk Management Committee should have a thorough understanding of the Company's activities and should be conversant with the Company's business plans, objectives and values which includes undertaking:

1. an assessment of the potential impact of identified business risks and the likelihood of occurrence;
2. a ranking of the business risk in accordance with the likely impact on the Company;
3. an assessment of the acceptability of each identified risk;
4. a consideration and decision on the proposed actions to eliminate, reduce or manage each material risk; and
5. an assignment of the responsibilities for the management of each risk.

Risk management encompasses all areas of the Company's activities. Once a business risk is identified, the risk management processes and systems implemented by the Company are aimed at providing the necessary framework to enable the business risk to be managed.

The overall results of this assessment are presented to the Board, in oral and written form, at every Board meeting following an Audit & Risk Management Committee meeting by the Chair of the Audit & Risk Management Committee, and updated as needed.

The Board reviews the Company's risk management at every Board meeting, and where required, makes improvements to its risk management and internal compliance and control systems.

2.3 Additional Risk Management Policies and Practices

In addition to the specific risk management process described in this Policy, the Company has the following procedures and practices which are designed to manage specific business risks:

1. an insurance program which is reviewed by the Audit & Risk Management Committee and by the Board;
2. regular budgeting and financial reporting;
3. the Company's business plan;
4. corporate strategy guidelines and procedures to review and approve the Company's strategic plans;
5. legally binding commitments and expenditure exceeding certain levels must be submitted to the Board for approval;
6. procedures/controls to manage financial exposures and operational risks;
7. procedures/controls/policies and managements standards to ensure that the Company complies with its obligations and responsibilities in relation to environmental issues, occupational health and safety matters, and the communities in which it operates;
8. oversight of the Company's financial affairs by the Audit & Risk Management Committee;
9. a tax governance framework endorsed by the Board with oversight by the Audit & Risk Management Committee to ensure tax risks are appropriately identified, monitored and managed;
10. environmental and social sustainability risks and frameworks;
11. regular performance reporting enabling the identification of performance against targets and evaluation of trends; and
12. ongoing training and development programs.

Classification: External

Additionally, all other significant areas of the Company's operations are subject to regular reporting to the Board, including development, finance, tax, legal, safety, environment, government and investor relations.

3.Other matters

3.1 Amendment of policy

This Policy can only be amended with the approval of the Board.

3.2 Adoption of Policy, Board review and disclosure

This Policy was adopted by the Board on 21 November 2022, and takes effect from that date and replaces any previous policy in this regard.

The Board and the Audit and Risk Management Committee must review and reassess this Policy at least once each calendar year to satisfy themselves that it continues to be sound and that the Company is operating with due regard to the risk appetite set by the Board. Any amendments to this Policy must be approved by the Board. The Company Secretary will communicate any amendments to employees as appropriate. The Company must also disclose, in relation to each reporting period, whether such a review has taken place.