The board manages risk in accordance with the enterprise Risk Management Framework (“RMF”) under the Group’s Risk Management Policy and Procedure. The RMF is aligned to the business objectives and strategy (see Chief Executive’s Strategic review on pages 12 to 15). A key component of the RMF for the board is that, while the RMF enables an assessment of risk, it is also practical and proportionate. This ensures that the RMF is able to be embedded into the day-to-day business processes across the Group, to drive risk awareness and risk culture. The board continues to build upon the RMF to respond to any future change in the Group’s risk profile. During the period, the board continued to assess the gross and net risks against the defined risk appetite statements of the Group and to further align the risks to the Group’s strategy. The risk appetite statements set out the board’s risk-taking approach to ensure a balanced view between risk aversion, opportunity and gains, against a background of maintaining reputation, financial stability and compliance.
The Group maintains a risk-based annual internal audit plan (see pages 84 to 85 for the report on internal controls). During the period, the Group continued with significant and complex transformational change following the acquisition of the HPE Software business on 1 September 2017 and successfully completed the sale of the SUSE business on 15 March 2019, as set out on page 13. As the risks assessed under the RMF changed during the period, the annual internal audit plan was flexed to ensure appropriate levels of assurance. The Group risk register was reviewed with internal audit during the development of the annual internal audit plan, and subsequently at each update of the Group risk register throughout the period, to ensure alignment of the internal audit plan to the Group’s risk profile. To underpin the robustness of the operation of the RMF, as part of the risk-based internal audit process, the internal auditors assess the gross and net risk ranking assigned by the risk owners. The RMF is also subject to an annual review and shared with the internal audit team.
Risk Management Cycle
Risks are identified, assessed and recorded across the Group. Each business area director and Group function head is responsible for the identification, assessment and management of risk in their area. Each risk is owned by an individual in that area. The process includes the use of risk registers and one-to-one interviews with business area directors, Group function heads and board members. Risks are assessed on a gross and net basis against a consistent set of criteria defined by the board. The criteria measure the likelihood of occurrence against the potential impact to the Group including financial results, strategic plans, operations and reputation. Each risk is allocated a risk appetite category and a risk tolerance; changes in the risk profile are tracked at each reporting point during the period and presented to the audit committee. The assessment includes current and emerging risks. Principal risks are categorised into four distinct areas, both externally and internally driven, which include financial, infrastructure, marketplace, and reputational risks. Existing controls and improvement actions are recorded on the risk register for each risk, together with internal audit reviews.
The RMF sets out a continuous cycle of review, reporting and improvement over the period. Following one-to-one interviews with the business area directors and Group function heads, the individual risk registers are consolidated to form the Group risk profile. The Group risk profile is reported to the executive directors for monitoring, review and challenge. A report is made to every audit committee meeting during the period for review, to challenge the effectiveness of current controls and planned mitigations across the Group’s risks. The audit committee reports on its risk management dealings to the board. As part of the RMF, an annual review of internal risk management is also undertaken, which is aligned with the annual review of internal audit. These annual reviews focus on areas for improvement in the process, as well as the key emerging areas of risk for the Group in the year ahead. The board and the audit committee also receive detailed risk assessments as part of reports on material projects across the Group.