BAE Systems Annual Report 2008

Risk management within BAE Systems

Effective management of risk and opportunity is essential to the delivery of the Group’s objectives, achievement of sustainable shareholder value and protection of its reputation. The Group’s approach to risk management is aimed at the early identification of key risks and then removing or reducing the likelihood and effect of risks before they occur, and dealing effectively with them if they crystallise. The Group is committed to the protection of its assets, which include human, property and financial resources, through an effective risk management process, underpinned where appropriate by insurance.

The management of risk is linked to the Group’s strategy, the environment in which it operates, the Group’s appetite for risk and the delivery of the Group’s business objectives. The underlying principles are that risks are continuously monitored, associated action plans are reviewed, appropriate contingencies are provisioned, and this information is reported through established management control procedures.

The Board has overall responsibility for ensuring that risk is effectively managed across the Group and has delegated to the Audit Committee the responsibility for reviewing in detail the effectiveness of the Group’s system of internal controls. The Executive Committee remains committed to the effective management of material non-financial risks including those arising in connection with safety and ethical issues. The Executive Committee advises the Corporate Responsibility Committee of all matters within the latter’s remit.

In order to assist the Committees and the Board in their review, the Group has the self-assessment Operational Assurance Statement (OAS) process, which is mandated by the Operational Framework. The OAS is in two parts: a self-assessment of compliance with appropriate parts of the Operational Framework; and a report showing the key risks for the relevant business. Together with independent reviews undertaken by Internal Audit, and the work of the external auditors, the OAS forms the Group’s process for reviewing the effectiveness of the system of internal controls.

Reporting within the Group is structured so that key issues are escalated through the management team, ultimately to the Board if appropriate. The responsibility for risk identification, analysis, evaluation, mitigation, reporting and monitoring rests with line management. Both the Audit Committee and the Corporate Responsibility Committee report the findings of their reviews to the Board so that the Board can form a view. Further information on the activities of the Board and its Committees is given in the Corporate governance section.

As with any system of internal control, the policies and processes that are mandated in the Operational Framework are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable, and not absolute, assurance against material mis-statement or loss.

Further details of these business processes and mandated policies are given in the Operational Framework and Corporate governance sections.

Non-financial risk management assessment

In 2007, we introduced an overlay to our existing risk assessment and assurance process to more rigorously identify potential issues of non-financial and reputational risk. The output from the existing risk assessment processes is collated and reviewed by the Executive Committee, along with inputs and consideration of external factors, to identify those issues where the cumulative risk, or possible reputational impacts, could be significant. The Non-Financial Risk register is reviewed regularly by the Executive and Corporate Responsibility Committees to monitor the ongoing status and progression of mitigation plans.