Risk management is the responsibility of the Board and is a key factor in delivering the Group’s strategic objectives.
The Board is responsible for setting the risk appetite, establishing a culture of effective risk management and for ensuring that effective systems and controls are in place and maintained.
Senior managers take ownership of specific risks and implement policies and procedures to mitigate exposure to those risks.
Risk Management Processplus
The risk management process sits alongside our strong governance culture and effective internal controls to provide assurance to the Board that risks are being appropriately identified and managed.
How we manage riskplus
Risk is managed across the Group in the following ways:
- The Board meets annually to review strategy and set the risk appetite.
- Risks faced by the Group are identified during the formulation of the annual business plan and budget process, which sets objectives and agrees initiatives to achieve the Group’s goals, taking account of the risk appetite set by the Board.
- Senior management and risk owners consider the root cause of each risk and assess the impact and likelihood of it materialising. The analysis is documented in a risk register, which identifies the level of severity and probability, ownership and mitigation measures, as well as any proposed further actions (and timescale for completion) for each significant risk.
- The Group has an executive Risk Management Committee, chaired by the Chief Financial Officer. This Committee meets on a regular basis (generally quarterly). The status of the most significant risks and mitigations are reviewed at each meeting, with other risks reviewed on a cyclical basis.
- The Executive Directors also meet with senior managers on a regular basis throughout the year. This allows the Executive Directors to ensure that they maintain visibility over the material aspects of strategic, financial and other risks.
- The Group’s Executive Directors also compile their own risk assessment, ensuring that a top-down, bottom-up approach is undertaken when considering the Group-wide environment.
- The Group’s Audit and Risk Committee assists the Board in assessing and monitoring risk management across the Group. The role of the Committee includes ensuring the timely identification and robust management of inherent and emerging risks, by reviewing the suitability and effectiveness of risk management processes and controls. The Committee also reviews the risk register to ensure net risk and proposed further actions are together consistent with the risk appetite set by the Board.
The Group has well-defined systems of internal control.
The Group has a robust process of financial planning and monitoring, which incorporates Board approval of operating and capital expenditure budgets. Performance against the budget is subsequently monitored and reported to the Board on a monthly basis. The Board also monitors overall performance against operating, safety and other targets set at the start of the year. Performance is reported formally to shareholders through the publication of results both annually and half-yearly. Operational management regularly reports on performance to the Executive Directors.
The Group also has processes in place for ensuring business continuity and emergency planning.
Day-to-day operations are supported by a clear schedule of authority limits that define processes and procedures for approving material decisions. This ensures that projects and transactions are approved at the appropriate level of management, with the largest and most complex projects being approved by the Board. The schedule of authority limits is reviewed on a regular basis so that it matches the needs of the business.
In order to further enhance the internal control and risk management processes, KPMG provides an outsourced internal audit service to the Group. KPMG work closely with the Risk Management Committee in delivering the Group’s internal audit programme.
With the assistance of the Audit and Risk Committee, the Board has reviewed the effectiveness of the system of internal control. Following its review, the Board determined that it was not aware of any significant deficiency or material weakness in the system of internal control.
The principal risks monitored by the Board can be found on pages 36 through to 39 of the 2018 Annual Report.