efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation. NCC Group has established a robust internal control framework, which is made up of a number of components:

Control environment
The control environment has primarily been established taking account of the Group’s values (working together, being brilliantly creative, embracing difference and taking responsibility), and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, while also maintaining integrity and transparency.

Risk assessments
Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements and are vital in our transformational programmes.

Policies and procedures
Established policies communicate expected behaviours and are supported by procedures and guidelines that define required processes and controls. This, in turn, helps the business to adopt efficient and effective control environments.

Information and communications
Access to accurate and timely data is essential for supporting our colleagues in making informed decisions and effectively managing and controlling their areas of responsibility.

Activity monitoring
The minimum financial controls framework was established in FY20. Further enhancement of the framework is being designed and implemented to align with the UK Corporate Governance Reform and upcoming Directors’ attestation of internal controls.
In preparation for new legislative requirements relating to failure to prevent fraud, key anti-fraud controls have been identified and these are supported by red flag reporting and ongoing trend analysis to enhance the existing control environment to ensure compliance with the Economic Crime and Transparency Act (2023).

Financial accounting and reporting follow generally accepted accounting practices. Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies. The approval procedures are captured within a global delegation of authority (DoA) matrix which is disseminated across the Group. Compliance with all legislation, current and new, is closely monitored.

Risk and control reporting structure
NCC Group has embedded the “three lines of defence” to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Security Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control.

Three lines of defence:
• First line – Group policies and procedures
• Second line – information security, data protection, health and safety, and legal
• Third line – risk and assurance, incorporating internal audit, standards and support, assessing compliance with standards and external audit, both financial and operational, providing independent challenge and assessment
likelihood of an event occurring and the impact that it may have on the Group. The scoring mechanism adopted takes account of high impact, low likelihood events and these risks are managed in a timely manner. In addition to ongoing risk identification, an annual exercise is undertaken to review the Group’s strategic risk universe by the Board. This exercise is reliant on the “top-down”, “bottom-up” approach discussed earlier.

Assess
Post-identification of the Group’s inherent risk exposure, a comprehensive assessment of the effectiveness of current mitigating controls is undertaken. This exercise takes account of the design of the current control environment and the application of these controls prior to assessing the Group’s current exposure to risk – the mitigated risk score. The Board uses a number of sources of information to support the scoring of risk and these include, but are not limited to:
• Management updates
• Action tracking and reporting
• Control environment policies and procedures
• Independent audit activity
• Project monitoring reports

Address
Having identified and assessed the risks faced by the Group, the risks are scored according to likelihood of occurring and impact to the business should they occur. An assessment of whether additional actions are required to reduce our risk exposure is undertaken, with actions falling into one of four categories:
• Treat – develop an action plan (applying responsibility, deadlines and prioritisation) that may include the implementation of additional controls, or increase the requirement for additional assurance over the adequacy and effectiveness of the existing controls
• Transfer – use a third party specialist to undertake the activity, thus mitigating the risk
• Tolerate – determine the risk is within appetite
• Terminate – exit the activity

The output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders or has been used in the development of the Group’s transformation programme.

Monitor
Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual.
Examples of ongoing monitoring of business risks include, but are not limited to:
• Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks
• Review of the annual Internal Audit Plan to validate that it incorporates key areas of business risk
• A review of internal audit reports issued during the period, including a summary of progress against previously raised management actions at each Audit Committee meeting
• Annual review of the strategic risk register by the Enterprise Risk Management Steering Group and Board to ensure that it includes risks arising in the period

Internal control
While risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 31