Risk Management Overview
Our business model, future performance, solvency, liquidity and/or reputation are exposed to a variety of risks and uncertainties. The board’s role is to determine the emerging and principal risks the Group is willing to take to achieve its long-term strategic objectives and enhance the sustainability of value creation. Underpinning the operation of, and central to, the risk management process is the culture of the Group, led by the board, of openness, transparency, debate, trust and accountability. On behalf of the board, the audit committee reviews and challenges the effectiveness and robustness of the risk management process.
The board manages risk in accordance with the enterprise Risk Management Framework (“RMF”) under the Group’s Risk Management Policy and Procedure, including emerging and principal risks. The Risk Management Policy and Procedure was updated during the period under review to incorporate ESG considerations as part of the overall risk management approach. The RMF is aligned to the business objectives and strategy (see Chief Executive’s Strategic review on pages 08 to 11). A key component of the RMF for the board is that, while the RMF enables an assessment of risk, it is also practical and proportionate. This ensures that the RMF is embedded into the day-to-day business processes across the Group, to drive risk awareness and risk culture. The board continues to build upon the RMF to respond to any future change in the Group’s risk profile. During the period, the board continued to assess the gross and net risks against the defined risk appetite statements of the Group and to further align the risks to the Group’s strategy. The risk appetite statements set out the board’s risk-taking approach to ensure a balanced view between risk aversion, opportunity and gains, against a background of maintaining reputation, financial stability and compliance.
Risk management process
The Group maintains a risk-based annual internal audit plan (see page 94 for the report on internal control and risk management). As the risks assessed under the RMF change, the annual internal audit plan is flexed to ensure appropriate levels of assurance. The Group Risk Register was reviewed with internal audit during the development of the annual internal audit plan, and subsequently at each update of the Group Risk Register throughout the period, to ensure alignment of the internal audit plan to the Group’s risk profile. To underpin the robustness of the RMF, as part of the risk-based internal audit process, the internal auditors assess the gross and net risk ranking assigned by the risk owners. The RMF is also subject to an annual review and shared with the Internal Audit team.
Risk Management Cycle
Risks are identified, assessed and recorded across the Group. Each business area director and Group function head is responsible for the identification, assessment and management of risk in their area. Each risk is owned by an individual in that area. The process includes the use of risk registers and one-to-one interviews with business area directors, Group function heads and board members. Risks are assessed on a gross and net basis against a consistent set of criteria defined by the board. The criteria measure the likelihood of occurrence against the potential impact to the Group, including financial results, strategic plans, operations and reputation. Each risk is allocated a risk appetite category and a risk tolerance; changes in the risk profile are tracked at each reporting point during the period and presented to the audit committee. The assessment includes current and emerging risks. Principal risks are categorised into four distinct areas, both externally and internally driven: financial, infrastructure, marketplace and reputational risks. Existing controls and improvement actions are recorded on the risk register for each risk, together with internal audit reviews.
The RMF sets out a continuous cycle of review, reporting and improvement over the period. Following one-to-one interviews with the business area directors and Group function heads, the individual risk registers are consolidated to form the Group risk profile. The Group risk profile is reported to the executive directors for monitoring, review and challenge. A report is made to every audit committee meeting during the period for review, to challenge the effectiveness of current controls and planned mitigations across the Group’s risks. The audit committee reports on its risk management dealings to the board, and the board has a standing enterprise risk management (“ERM”) agenda item. Risks identified as ESG-related are reported to each meeting of the ESG committee. An ESG working group was established in the period, reporting to the ESG committee, with the role of executing and implementing the Group’s ESG strategy, activities and disclosures, in the context of the Group’s overall strategy.
The Group’s principal risks are detailed on pages 61 to 73 of the Annual Report and Accounts.