Risk management and internal controls

The Board is ultimately responsible for the management of risk in the Group.

James Fisher's internal control and risk management framework is regularly monitored and reviewed by the Board and the Audit Committee and comprises a series of policies, processes, procedures and organisational structures which are designed to ensure that the level of risk to which the Group is exposed is consistent with the Board’s risk appetite and the Company’s strategic objectives.

The Board determines the Group’s policies on risk, appetite for risk and levels of risk tolerance and specifically approves: risk management policies and plans; significant insurance and/or legal claims and/or settlements; acquisitions, disposals and capital expenditures; and the Group budget, forecast and three year plan. The Board has put in place a documented organisational structure with strictly defined limits of authority from the Board to operating units that have been communicated throughout the businesses and are well understood by the Executive Directors, functional and business leaders who have delegated authority and specific responsibility for ensuring compliance with and implementing policies at corporate, divisional and business unit level. Group functions and operating units are each required to operate within this control environment and in accordance with the established policies and procedures covering areas including ethical, anti-bribery and corruption, conflicts, treasury, employment, slavery and human trafficking, whistleblowing, data protection, health and safety and environment.

The Group’s trading companies are supported by Group functions. Each functional head reports to a nominated Executive Director. The Board retains an oversight role, receives regular reports on key issues and has a schedule of matters specifically reserved to it for decision designed to ensure that it maintains full and effective control over appropriate strategic, investment, financial, organisational and compliance issues. This schedule is subject to review by the Board on an annual basis.

The Group’s Internal Audit function is supported by a co-sourcing arrangement with a major international firm, and undertakes regular reviews of the individual businesses’ operations and their systems of internal controls. It makes recommendations to improve controls and follows up to ensure that management implements the recommendations made. The annual Internal Audit plan is determined on a risk assessment basis and is reviewed and approved by the Audit Committee. Internal Audit’s findings are reported to the individual management team, the Executive management team, and the chairman of the Audit Committee. The head of Internal Audit attends all Audit Committee meetings and twice annually presents a summary of the Internal Audit findings, recommendations, and implementation progress. Internal Audit also implements the annual risk evaluation process and the internal control and risk management review questionnaire process with the individual businesses, before their presentation to the Board.

The Board also operates a Group Risk Committee (GRC), which meets quarterly and is attended by the Executive Directors and the heads of the functional teams. The minutes of the GRC are reported to the Board, and any key issues raised are discussed at the Board. The main responsibilities of the GRC are to identify and monitor operational risks and ensure that those risks are being actively managed throughout the Group; to support the Group’s Internal Control and Risk Management strategy and policy; and to review reports on key risks and risk maps prepared by trading companies in order to monitor and report on the types of risk within the Group and report on how effectively risk management is performed/monitored within each business unit/trading company. Each of the functional teams provides a report at each GRC meeting which identifies any matters in their functional area which relate to the Group’s principal risks and uncertainties, or to the individual businesses’ own risk registers. During the year, the GRC has undertaken specific reviews of the Group’s approach in the following principal risk areas: development of project management best practice and training, on-going development of Group-wide process and training for contract risk management, and a review of the Group’s cyber security risks to the Group’s own systems and the Group’s key IT suppliers.

Principal risks and uncertainties

The most significant risks that the Board considers may affect our business (based on the risk evaluation process described above) are listed below. On the basis that the Board considers that the Group’s principal risks have not materially changed, the categories of risks listed below are similar to last year. The Group’s decentralised business model and geographical spread help to mitigate the impact of each principal risk.

  • Project delivery
  • Contractual risk
  • Recruitment and retention of key staff
  • Health, safety and environment
  • Financial risk
  • Energy markets
  • Operating in emerging markets
  • Cyber security


On 29 March 2017, the United Kingdom invoked Article 50 of the Treaty on European Union (EU) which began the member state’s withdrawal, commonly known as Brexit, from the EU. The Board continues to monitor the progress of the UK’s proposed exit from the EU. In addition, and in view of the time scale, the Group has been assessing the implications and potential mitigating actions of a no-deal scenario.



Operations based in EU countries

Very low. 0.4% of Group turnover from businesses outside of the UK and based in the EU.

Exports to customers based in the EU and the risk of tariffs on exports and the risk of delays in delivery due to logistical issues at ports or airports

Low risk. 6% of revenue is delivered to EU countries.

Imports from suppliers and the potential cost of tariffs and logistical issues at ports and airports

Low – medium risk. Purchases from EU countries are not significant. Purchases of spares and consumables in the Tankships division of c. £1m per annum may be impacted. Dry docking in that division may be carried out at EU shipyards and costs could increase by tariffs or if switched to other locations.

Administrative risks of compliance, certification, visas for EU nationals

Low risk. We anticipate a pragmatic solution even in the event of a no-deal Brexit, although time and costs may increase.

Currency risk

Medium risk. The Group’s main exposure is to the USD and following the Brexit vote, Sterling sharply weakened against the USD. This has been beneficial to the Group’s sales and profits and there is a risk of this reversing after 29 March 2019. The Group reduces earnings volatility by taking out forward contracts for 40%-60% of its exposure and this partly mitigates the risk.

Availability of finance

Low risk. The ability of banks to provide finance and for the banking market to continue to operate in the same manner after 29 March 2019 is expected to be unchanged.

Contractual risk

Medium-high risk. James Fisher has a contract with the European Maritime Safety Agency (EMSA) to deliver emergency pollution response services should an accident occur on the UK, Irish or North-West European coast. EMSA, post-Brexit, may choose to use EU vessels or companies to provide this service.


List of principal risks and uncertainties, as included in the 2018 Annual Report and Accounts.