Site navigation

Risk management is the responsibility of the Board and is a key factor in delivering the Group’s strategic objectives.


The Board is responsible for setting the risk appetite, establishing a culture of effective risk management and for ensuring that effective systems and controls are in place and maintained.

Senior managers take ownership of specific risks and implement policies and procedures to mitigate exposure to those risks.

Risk Management Processplus

The risk management process, alongside effective internal controls, provides assurance to the Board that risks are being appropriately identified and managed.

How we manage riskplus

Risk is managed across the Group in the following ways:

  • The Board meets annually to review strategy and set the risk appetite
  • Risks faced by the Group are identified during the formulation of the annual business planning and budgeting process, which sets objectives and agrees initiatives to achieve the Group’s goals, taking account of the risk appetite set by the Board
  • Senior management and risk owners consider the root cause of each risk and assess the impact and likelihood of it materialising. The analysis is documented in a risk register, which identifies the level of severity, probability, ownership, and mitigation measures, as well as any further actions (and timescale for completion) for each significant risk
  • The Group’s Executive Committee is also the Risk Management Committee. This Committee meets on a regular basis (usually monthly). The status of the most significant risks and mitigations are reviewed at each meeting, with other risks reviewed at least annually
  • The Executive Directors also meet with senior managers on a regular basis throughout the year. This allows the Executive Directors to ensure that they maintain visibility over the material aspects of strategic, financial and other risks
  • The Group’s Audit and Risk Committee assists the Board in assessing and monitoring risk management across the Group. The role of the Committee includes ensuring the timely identification and robust management of inherent and emerging risks, by reviewing the suitability and effectiveness of risk management processes and controls. The Committee also reviews the risk register to ensure net risk and proposed further actions are consistent with the risk appetite set by the Board.

Internal controlplus

The Group has a robust process of financial planning and monitoring, which incorporates Board approval of operating and capital expenditure budgets. Performance against the budget is subsequently monitored and reported to the Board monthly. The Board also monitors overall performance against operating, safety and other targets set at the start of the year.

Performance is reported formally to shareholders through the publication of results both annually and half-yearly. Operational management regularly reports on performance to the Executive Directors.

Day-to-day operations are supported by a clear schedule of authority limits that define processes and procedures for approving material decisions. This ensures that projects and transactions are approved at the appropriate level of management, with the largest and most complex projects being approved by the Board. The schedule of authority limits is reviewed on a regular basis so that it matches the needs of the business.

The Group also has processes in place for ensuring business continuity and emergency planning.

In order to further enhance the internal control and risk management processes, KPMG provides an outsourced internal audit service to the Group. KPMG work closely with the Risk Management Committee in delivering the Group’s internal audit programme. Other third party experts are also engaged to provide internal audit reviews where appropriate e.g. cyber security

Strategic risk registerplus

The Group maintains a risk register that identifies key and emerging risks, the probability of those risks occurring and the impact they would have on the Group if unmitigated. Against each gross risk, the controls that exist to manage and, where possible, minimise or eliminate those risks are also listed, and an assessment of net risk is provided. The risk register also identifies any further actions required such that net residual risk is consistent with the risk appetite set by the Board. The register is regularly updated to reflect changes in circumstances