The Board of Directors has responsibility for the Group’s system of internal control. This involves an ongoing process for identifying, evaluating and managing the significant risks faced by the Group and reviewing the effectiveness of the resultant system of internal control.
An overview of the risk management and internal control framework, responsibilities within it and the relationship between functions is illustrated below. While the Board is ultimately responsible for risk management within the Group, it has delegated responsibility for the monitoring of the effectiveness of the Group’s risk management and internal control systems to the Audit Committee. The Board and Audit Committee receive reports from executive management on the key risks to the business and the steps being taken to mitigate such risks. The Audit Committee reviews the principal risks and uncertainties.
Risk assessment process
The Group’s risk assessment process is based on a co-ordinated, Group-wide approach to the identification and evaluation of risks and the manner in which they are monitored and managed. This process begins with a bottom-up approach involving managers from all departmental areas who, through a programme of workshops, regularly perform a detailed risk review to update the Group risk register. In assessing the potential impact and likelihood of each risk identified, management considers the existing key controls and evaluates the risks in terms of potential residual impact. A standard risk-scoring matrix is used to ensure consistency in reporting across all areas. Departmental risk registers are consolidated into a Group risk register. Executive management provides input to ensure that there is a top-down view of the key risks facing the Group. Following a review of the Group risk register by senior management, the principal risks identified for the Group and their mitigations are submitted to the Audit Committee and Board for review and approval.