Strong and effective risk management is at the heart of how the directors run the business and supports the achievement of the Group's strategic objectives.
Our key focus areas in 2023
- Health & safety – reviewing our strategy for maintaining everyone's focus on preventing and mitigating safety-related incidents.
- Cyber security – ensuring we continuously evaluated and tested our cyber resilience against known and emerging threats.
- Sustainability risk – mitigating the impact of uncertainty around stakeholder expectations as to how we conduct a sustainable and responsible business.
Our future priorities for 2024
Some of our main priorities (and emerging risks) this year will be:
- Continued focus on mitigating people risk (our ability to identify, attract, develop and retain talent), in particular in our factories.
- Continued identification and mitigation of sustainability risks, including quantitative climate scenario analysis and the setting and defining of targets in line with TCFD requirements.
- Continued focus on mitigating cyber security risk.
Changes to principal risks
The following changes have been made to the Group's principal risks in 2023:
- People risk has been downgraded from high risk to medium risk reflecting a recent improvement in the issues experienced across the Group last year in recruiting and retaining sufficient skilled people.
- Supply chain risk has been downgraded from high risk to medium risk due to the easing of certain economic and geopolitical factors and the diversification of suppliers for key inputs.
- Indian joint venture risk has been removed due to JSSL's recovery and strong performance post COVID-19.
- Industrial relations has been added back into the register (it was removed in 2018) due to the current backdrop of inflationary pressures and industrial action across the UK.
Other principal risks remain largely unchanged from last year. Changes have also been made to the detailed descriptions of mitigation to reflect ongoing activity in the year.
Risk appetite
The level of risk it is considered appropriate to accept in achieving the Group's strategic objectives is reviewed and validated by the board. The appropriateness of the mitigating actions is determined in accordance with the board-approved risk appetite for the relevant area.
The organisation's approach is to minimise exposure to reputational, financial and operational risk, while accepting and recognising a risk and reward trade-off in the pursuit of its strategic and commercial objectives. It has a zero tolerance for risks relating to health and safety. However, management recognises that certain strategic, commercial and investment risks will be required to seize opportunities and deliver growth in line with the Group's strategic objectives.
The Group establishes its risk appetite through use of delegated authorities so that matters considered higher risk require the approval of senior management or the board. These include, but are not limited to, tender pricing, bid submissions, approval of contract variations and final account settlements, capital requirements, procurement, and certain legal and strategic matters.
Risk management process
The board has overall responsibility for the Group's risk management and systems of internal control and for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. An ongoing process has been established for identifying, evaluating and managing the significant risks faced by the Group. This includes emerging risks such as the successful integration of our recent acquisitions.
The audit committee, on behalf of the board, formally reviews principal and emerging risks and mitigations for the Group and each of the businesses on a biannual basis. The key elements of this risk management process are:
- Senior management from all key disciplines and businesses within the Group continue to be involved in the process of risk assessment and monitoring in order to identify and assess Group objectives, key issues, emerging issues and controls. Further reviews are performed to identify and monitor those risks relevant to the Group as a whole. This process feeds into our assessment of long-term viability and encompasses all aspects of risk, including operational, compliance, financial, strategic, and sustainability issues.
- Identified risk and emerging risk events, their causes and possible consequences are recorded in risk registers. Their likelihood and potential business impact and the control systems that are in place to manage them are analysed and, if required, additional actions are developed and put in place to mitigate or eliminate unwanted exposures. Individuals are allocated responsibility for evaluating and managing these risks within an agreed timetable.
- Ongoing risk management and assurance is provided through various monitoring reviews and reporting mechanisms, including the executive risk committee (chaired by the Chief Executive Officer) which convenes on a weekly basis and has the primary responsibility to identify, monitor and control significant risks to an acceptable level throughout the Group. The committee receives information on relevant risk matters from a variety of sources on a regular basis.
- Subsidiary company boards consider and report on risk on a monthly basis as part of the monthly business review process. In doing so they identify emerging risks. This process is followed to ensure that, as far as possible, the controls and safeguards are being operated in line with established procedures and standards.
- On a quarterly basis, the significant risks identified by the Group's businesses are discussed in detail with each management team. In addition, the Group legal director and Group IT director meet on a quarterly basis to review IT risks facing the Group, and the sustainability risk review committee (comprising the Group legal director, the Group SHE director, the Group financial controller and the Group sustainability manager) meets on a quarterly basis to review sustainability risks facing the Group. The outcome of these discussions is collated and reported to the executive committee.
- The risk registers of each business, together with the Group IT risk register, and the Group sustainability risk register are updated and, together with a consolidated Group risk register compiled by the executive committee, are reported to the audit committee twice yearly, to ensure that adequate information in relation to risk management matters is available to the board and to allow board members the opportunity to challenge and review the risks identified and to consider in detail the various impacts of the risks and the mitigations in place.
- A Group assurance map is used to co-ordinate the various assurance providers within the Group and a compliance framework provides the board with a ready reference tool for monitoring compliance across the Group.
Three lines of defence
The Group manages risk by operating a 'three lines of defence' assurance model (management activity, Group oversight and independent review), which is mapped against the Company's principal risks. This process is summarised in the Group assurance map.
A. First line of defence:
Management activity
The first line of defence involves senior management implementing and maintaining effective internal controls and risk management procedures. These internal controls cover all areas of the Group's operations. There are inherent limitations in any system of internal control and, accordingly, even the most effective system can provide only reasonable, and not absolute, assurance against material misstatement or loss. The system is designed to manage rather than eliminate the risk of failure to achieve the Group's objectives. The Group's policies and procedures are continuously under review and improved to ensure they are adequate for our current circumstances. On acquisition, as part of integration, new businesses adopt these policies and procedures on a phased basis.
The key features of the Group's framework of internal controls are as follows:
Project management procedures
Project risk is managed throughout the life of a contract from the tender stage to completion. Individual tenders for projects are subject to detailed review with approvals required at relevant levels and at various stages from commencement of the tender process through to contract award. Tenders above a certain value and those involving an unusually high degree of technical or commercial risk must be approved at a senior level within the Group. Robust procedures exist to manage the ongoing risks associated with contracts. Regular monthly contract reviews to assess contract performance, covering both financial and operational issues, form an integral part of contract forecasting procedures.
Health and safety
Health and safety issues and risks are continually monitored at all sites and are reviewed on a monthly basis by senior management and the board. The Group has a well-developed health and safety management system for the internal and external control of health and safety risks which is managed by the Group SHE director. This includes the use of risk management systems for the identification, mitigation and reporting of health and safety management information.
Financial control
The Group maintains a strong system of accounting and financial management controls. Standard financial control procedures operate throughout the Group to ensure the integrity of the Group's financial statements.
The Group operates a comprehensive budgeting and forecasting system. Risks are identified and appraised throughout the annual process of preparing budgets. The annual budget and quarterly forecasts are approved by the board.
A formal quarterly review of each business's year-end forecast, business performance, risk and internal control matters is carried out by the directors of each business unit with the Chief Executive Officer, Chief Financial Officer and Chief Operating Officer in attendance.
Cash and working capital management
Cash flow forecasts are regularly prepared to ensure that the Group has adequate funds and resources for the foreseeable future and is in compliance with banking covenants. Each business reports its cash position daily. Actual cash performance is compared to forecast on a weekly basis.
B. Second line of defence:
Group oversight
The first line of defence is supported by certain Group policies, functions and committees which, in combination, form the second line of defence.
Group policies
Internal controls across financial, operational and compliance systems are provided principally through the requirement to adhere to the Group finance manual, divisional procedures and a number of Group-wide policies (such as the Group authorisation policy, the contract sign-off process, the purchase guidelines, the anti-bribery policy, the Competition Law compliance policy, the quality manual, the health and safety policy and the environmental policy). During the year, we were audited successfully on our ISO 27001 accreditation for our information security management system and a separate committee reviews any information security issues impacting the Group. This continues to give further assurance as to the Group's resilience to cyber risk, which is a subject that is also discussed regularly at main board level.
These policies are supported by statements of compliance from all directors and letters of assurance ('LoA') from the Group's managing directors. LoAs are required twice yearly, one at 30 September and one at 31 March, supported by an internal control questionnaire ('ICQ') which is completed by each business unit and which provides a detailed basis for management to satisfy themselves that they are complying with all key control requirements. The responses in these ICQs are subject to ongoing independent review by PwC, the Group's internal auditor.
The following main committees provide oversight of management activities:
The executive committee, risk committee, safety leadership team, human resource committee, sustainability committee and the information security management committee
These committees are responsible for the identification, reporting and ongoing management of risks and for the stewardship of the Group's risk management approach.
The audit committee
The board has delegated responsibility to this committee for overseeing the effectiveness of the Group's internal control function and risk management systems.
The nominations committee
This committee ensures that the board has the appropriate balance of skills and knowledge required to assess and address risk and that appropriate succession plans are in place.
The remuneration committee
This committee ensures that the board complies with regulations and best practice regarding remuneration and that remuneration policy remains appropriate for attracting and retaining management of the right calibre.
C. Third line of defence:
Independent review
The third line of defence represents independent assurance which is provided mainly by the internal auditor, external auditor and various external consultants and advisers. External consultants and advisers support management and the board through ad hoc consulting activities, as required, including the Group's insurance brokers Lockton LLP.
Internal auditor
The audit committee annually reviews and approves the PwC internal audit programme for the year. The committee reviews progress against the plan at each of its meetings, considering the adequacy of audit resource, the results of audit findings and any changes in business circumstances which may require additional audits.
The results of internal audits are reported to the executive team and senior management and, where required, corrective actions are agreed. The results of all audits are summarised for the audit committee along with progress against agreed actions.
Annual review of effectiveness
The risk management and internal control systems have been in place for the year under review and up to the date of approval of the annual report and are regularly reviewed by the board. The board monitors executive management's action plans to implement improvements in internal controls that have been identified following the processes described above.
During the financial year, any control weaknesses identified through the operation of our risk management and internal control processes were remediated and subsequently monitored in line with normal business operations. The board confirms that it has not identified any significant failings or weaknesses in the Group's systems of risk management or internal control as a result of the information provided to the board and resulting discussions.