Risk management
Managing risk is an integral part of our business. We apply a comprehensive process for assessing and managing risks associated with our operations and business and strategic corporate decisions. Through this process, significant risks faced by the Group are identified, evaluated and appropriately managed.
An overview of the risk management and internal control framework, responsibilities within it and the relationship between functions is set out below. While the Board is ultimately responsible for risk management within the Group, it has delegated responsibility for the monitoring of the effectiveness of the Group’s risk management and internal control systems to the Audit and Risk Committee. The Board and Audit and Risk Committee receive reports from the Executive Committee on the key risks to the business and the steps being taken to mitigate such risks. The Audit and Risk Committee reviews the principal risks and uncertainties.
Risk assessment process
The Group’s risk assessment process is based on a coordinated, Group-wide approach to the identification and evaluation of risks and the manner in which they are monitored and managed. This process begins with a bottom-up approach involving operational managers who, through a programme of workshops, regularly perform a detailed risk review to update the departmental risk registers. In assessing the potential impact and likelihood of each risk identified, management considers the existing key controls and evaluates the risks in terms of potential residual impact. A standard risk-scoring matrix is used to ensure consistency in reporting across all areas. Departmental risk registers are consolidated into a Group Risk Register. The Executive Committee provides input to ensure that there is a top-down view of the key risks facing the Group. This includes consideration and assessment of any newly identified emerging risks. Following a review of the Group Risk Register by the Executive Committee, the principal risks identified for the Group and their mitigations are submitted to the Audit and Risk Committee and Board for review and approval. As part of this review and approval process the Audit and Risk Committee provides a robust assessment of the emerging and principal risks faced by the Group. This is achieved by offering alternative viewpoints and challenging risk scoring assumptions as appropriate.