Micro Focus operations take place within a framework of prudent and effective controls which enable risk to be assessed and managed.
Our business model, future performance, solvency, liquidity and/ or reputation are exposed to a variety of risks and uncertainties. The board’s role is to determine the emerging and principal risks the Group is willing to take to achieve its long-term strategic objectives and enhance the sustainability of value creation. Underpinning the operation of, and central to, the risk management process is the culture of the Group, led by the board, of openness, transparency, debate, trust and accountability. On behalf of the board, the audit committee reviews and challenges the effectiveness and robustness of the risk management process.
The board manages risk in accordance with the enterprise Risk Management Framework (“RMF”) under the Group’s Risk Management Policy and Procedure, including emerging and principal risks. The RMF is aligned to the business objectives and strategy (see Chief Executive’s Strategic review on pages 14 to 17). A key component of the RMF for the board is that, while the RMF enables an assessment of risk, it is also practical and proportionate. This ensures that the RMF is embedded into the day-to-day business processes across the Group, to drive risk awareness and risk culture. The board continues to build upon the RMF to respond to any future change in the Group’s risk profile. During the period, the board continued to assess the gross and net risks against the defined risk appetite statements of the Group and to further align the risks to the Group’s strategy. The risk appetite statements set out the board’s risk-taking approach to ensure a balanced view between risk aversion, opportunity and gains, against a background of maintaining reputation, financial stability and compliance.
The Group maintains a risk-based annual internal audit plan (see page 19 for the report on internal controls). As the risks assessed under the RMF changed and the impacts of COVID-19 were assessed during the period, the annual internal audit plan was flexed to ensure appropriate levels of assurance. The Group Risk Register was reviewed with internal audit during the development of the annual internal audit plan, and subsequently at each update of the Group Risk Register throughout the period, to ensure alignment of the internal audit plan to the Group’s risk profile. To underpin the robustness of the RMF, as part of the risk-based internal audit process, the internal auditors assess the gross and net risk ranking assigned by the risk owners. The RMF is also subject to an annual review and shared with the Internal Audit team.
Each business area director and Group function head is responsible for the identification, assessment and management of risk in their area. Each risk is owned by an individual in that area. The process includes the use of risk registers and one to one interviews with business area directors, Group function heads and board members. Risks are assessed on a gross and net basis against a consistent set of criteria defined by the board. The criteria measure the likelihood of occurrence against the potential impact to the Group including financial results, strategic plans, operations and reputation. Each risk is allocated a risk appetite category and a risk tolerance; changes in the risk profile are tracked at each reporting point during the period and presented to the audit committee. The assessment includes current and emerging risks. Principal risks are categorised into four distinct areas, both externally and internally driven, which include financial, infrastructure, marketplace, and reputational risks. Existing controls and improvement actions are recorded on the risk register for each risk, together with internal audit reviews.
The RMF sets out a continuous cycle of review, reporting and improvement over the period. Following one-to-one interviews with the business area directors and Group function heads, the individual risk registers are consolidated to form the Group risk profile. The Group risk profile is reported to the executive directors for monitoring, review and challenge. A report is made to every audit committee meeting during the period for review, to challenge the effectiveness of current controls and planned mitigations across the Group’s risks. The audit committee reports on its risk management dealings to the board, and the board has a standing ERM agenda item. As part of the RMF, an annual review of internal risk management is also undertaken, which is aligned with the annual review of internal audit. These annual reviews focus on areas for improvement in the process, as well as the key emerging areas of risk for the Group in the year ahead. The board and the audit committee also receive detailed risk assessments as part of reports on material projects across the Group.
The Group’s principal risks are detailed on pages 64-73 of the Annual Report and Accounts.
