NCC Group plc annual report and accounts for the year ended…

Risk management continued

Top down Strategic risk management

Bottom up Operational risk management

• Establishing guidance on the Group’s approach to risk management and establishing the parameters for risk appetite and associated decision making
• Identification, review and management of identified Group strategic risks and associated actions

• Periodically assessing the effectiveness of the embedded Group risk management process
• Challenging the content of the strategic risk register to support a comprehensive and balanced assessment of risk
• Reporting on the principal risks and uncertainties of the Group

Board Audit Committee Cyber Security Committee

• Ongoing consideration of:
  • IT and cyber-centric risk
  • Environmental risk

• Implementing and embedding the Group’s Enterprise Risk Management policy and approach
• Directing the delivery of the Group’s identified actions associated with managing/mitigating risk
• Identification of key risk indicators, monitoring and taking timely action where appropriate
• Instrumental in developing the risk management framework adopted by the Board
• Conduit between the Board and the business units – providing training and support where appropriate
• Developing and executing a risk-based Internal Audit Plan to assess the management of risks
• Execution of the delivery of the Group’s identified actions associated with managing risk
• Timely reporting on the implementation and progress of agreed action plans
• Provision of key risk indicator updates

• Responsible for reviewing the operational risks across the business units and Group
• Challenging the appropriateness and adequacy of proposed action plans to mitigate risk
• Giving due consideration to the aggregation of risk across the Group
• Provisioning suitable cross-functional/business unit resource to effectively manage risk where appropriate
• Ongoing monitoring and reporting to the Board in relation to the progress being made by the business units in implementing agreed action plans to mitigate strategic risk
• Close cross-functional relationships with the Global Technical Services (GTS) security operations team to facilitate the identification, management, monitoring and reporting of data security risks
• Identification and reporting of strategic risk to the Board
• Provision of reports and data relating to significant emerging risks to the Group (internal and external)
• Implementation of risk management approach which promotes the ongoing identification, evaluation, prioritisation, mitigation and monitoring of operational risk

Executive Committee Leadership team

Global Governance function

Business units

Effective pursuit of strategic objectives

Risk management model continued

The Board, Audit Committee, Cyber Security Committee and Executive Committee review risks on an ongoing basis throughout the period. The appropriateness and relevance of the risks are monitored by the Global Governance function to ensure they continue to be updated, meet the needs of the Group and remain in line with good risk management practice. In addition, there is a robust process in place for monitoring and reporting the implementation of agreed actions. We are satisfied that the Enterprise Risk Management policy, framework and model currently in place are sufficient to manage risk across the Group.

The key areas of identifying, assessing, addressing and monitoring risks are explained in more detail overleaf.

Identify

Risks exist within all areas of our business, and it is important for us to identify and understand the degree to which their impact and likelihood of occurrence will affect the delivery of our key objectives. This is achieved through day-to-day working practices and incorporates risks in both the internal and external environment. All identified risks are initially assessed for their “inherent” risk (risk with no controls in place), using a scoring mechanism that accounts for the

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 30
