Approach to risk management
We recognise that managing risk effectively is a requirement for achieving our strategic objectives. Therefore, risk management forms an integral part of our day-to-day operations and the Group has a well-established process which delivers visibility and accountability for risk management across our businesses. This process forms part of the Group’s overall internal control framework.
Our approach to risk management incorporates both bottom-up and top-down elements to the identification, evaluation and management of risks and all risks are evaluated with reference to the Group’s achievement of its strategic objectives.
Our business units are required to undertake formal risk management reviews at least twice per year. This involves the use of a consistent framework for the assessment of significant risks with respect to impact, likelihood and the time frame in which the risk could materialise. Risks are assessed both before and after the effect of controls and mitigating actions has been taken into account.
The Group’s business units are also required to evaluate the status of a number of higher-impact risks. This ensures consideration is given to risks which may not necessarily be preoccupations when viewed from a day-to- day, operational perspective, but which may be capable of having a significant impact on operations were they to materialise.
Overall ownership for each risk, together with responsibility for all associated mitigating actions, is clearly assigned and communicated.
The resulting risk registers are then subject to review on an ongoing basis as part of regular operational reviews. This regular review of the status of risks and corresponding mitigating actions ensures that risk management is embedded in day-to-day management processes and decision-making as well as in the annual strategic planning cycle.
In addition, the Executive Directors consider those risks to the Group’s strategic objectives which are not addressed within the business units and develop appropriate approaches to managing and mitigating these.
The overall effectiveness of the Group’s risk management and mitigation processes is reviewed regularly by the Executive Directors and twice yearly by the Audit and Risk Committee.