Lendlease Annual Report 2021

Risk and Climate Related Resilience

Risk Governance and Management

Our risk framework remains unchanged from a governance perspective. This continues to become infused into the DNA of our business. The framework is underpinned by a ‘Three Lines of Defence’ model. The model codifies the defensive aspects of risk and allows for the broader aspects of value creation and organisational success.

[Figure: Three lines of defence. Labels: Third line of defence, Second line of defence, First line of defence; Board and Committees, Group Leadership Team, Business Operations, Regional Leadership Teams, Risk Based Governance Functions, Business Integrity, Group Internal Audit, External Audit]

The Board is responsible for ensuring the effectiveness of the risk management framework. The risk management process outlines the governance, risk appetite and accountability for the risk management and operational resilience program. Our approach aims at providing best in class governance, innovation and people to embed a risk intelligent culture that delivers on strategy and produces predictable and repeatable outcomes.

Risk Appetite Framework

Following the Risk Committee’s approval of the Risk Appetite Framework and its subsequent implementation, the Board’s level of oversight across the business has been enhanced. As Risk Appetite continues to evolve, the risk tolerances and accompanying standards and frameworks are refined to remain fit for purpose. Of note in the period, the following policies and standards were implemented and will allow the Board to increase its oversight of the business:

• Group Standards on Project Environmental and Social Risk Assessment
• Group Standard on Design Complexity
• Group Policy and Standard on Customer Complaints and Feedback.

Continuous Improvement

The Risk Appetite Framework is reviewed annually by the Group Chief Risk Officer and approved by the Board Risk Committee. Any changes outside of the annual review cycle that encompass the addition of new statements and tolerances will be reviewed and approved by the Board Risk Committee on a quarterly basis.

Risk Appetite Framework deployment

Board: Board defines its appetite and applies governance
• Defines its appetite for the 12 Enterprise Risks through the Risk Appetite Framework

Group: Corporate risks managed by Group
• Enterprise risks: Disruption • Cyber/Data • Regulatory • Culture • Business Continuity
• Group Strategy, Investment in Digital, IT Policies, Management of Compliance Obligations, Business Continuity Policy, Limits of Authority, Code of Conduct, Formalised Investment Approval Processes

Regions/Businesses: Business risks managed at regional level
• Enterprise risks: Customer • Geopolitical • Environmental • Commercial Performance • Scalable Growth • Health, Safety and Wellbeing • Project Execution
• Strategy Approval, Policies, Regional Investment Committees, Limits of Authority, Formalised Investment Approval Processes

Projects/Investments: Operational issues/risks managed at project/investment level
• Project Reviews, Limits of Authority, Localised Policies, Project Approval Gates
