Risk management and internal controls
The Board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives and for ensuring that the Company maintains sound risk management and internal control procedures.
On behalf of the Board, the Audit Committee monitors the Group's risk management and internal control process and reviews its effectiveness on an on-going basis. This is part of an established process, in accordance with the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting published in September 2014, for the identification, evaluation and management of the significant risks facing the Group, which operates and is reviewed continually throughout the year. The Group's internal control systems are designed to provide the Board with reasonable assurance as to the effective and efficient operation of the Group and to ensure the quality of internal and external reporting and compliance with all applicable laws and regulations. However, there are inherent limitations in any system of internal control and accordingly even the most effective system can provide only reasonable and not absolute assurance. The Board has taken appropriate action to remedy any significant control failings as referred to in the Audit Committee report.
The Board has carried out a robust assessment of the principal risks facing the Group including those that would threaten its business model, future performance, solvency or liquidity.
Risk management systems
The key features of the Group's risk management systems are as follows:
- Each trading business is required to maintain an up to date risk register which is reviewed at each business board meeting and which identifies key risks and assesses the likelihood and impact of each risk before and after mitigation measures are taken
- On an annual basis the risk registers are submitted to the Company Secretary and Head of Internal Audit for analysis. This analysis is considered by the Board when determining the Group's principal risks and the areas of internal audit focus for the forthcoming period
- The trading company managing directors complete a risk management review questionnaire on an annual basis which is a self-assessment of operational controls and compliance with laws and regulations relating to their business. This enables business managers to identify risks and focus on mitigating strategies. The reviews are submitted to the Company Secretary for analysis and reporting to the Board
- The Group Risk Committee meets quarterly and is chaired by the CEO with representation from functional heads including finance, human resources, legal and company secretarial, information services, insurance and internal audit. The minutes of Risk Committee are reported to the Board.
Identifying and monitoring material risks
Material risks are identified and monitored as follows:
- A risk evaluation process commences in the operating companies with an annual exercise to identify the significant operational and financial risks facing the business. This is supported by a self-assessment internal control review questionnaire completed by each operating company and submitted to the Group Head of Internal Audit. This process is robust and challenging, ensures that risks are identified and that management have adequate internal control systems in place to report any weaknesses that require management attention. The results of the analysis are utilised to determine future areas of internal audit focus
- A 'risk score' is determined for each risk based on the likelihood of each identified risk arising and the potential impact on the business of an adverse outcome. The risk score before and after mitigation is reviewed at business and Group level
- The risk assessments are summarised and presented to the Board who evaluate the principal risks of the Group by reference to the strategy and operating business environment
List of principal risks and uncertainties, as included in the 2016 Annual Report and Accounts.