NCC Group plc annual report and accounts for the year ended…

A. Strategy continued

3. Commercial models (contractual and pricing) do not reflect the flexibility required by clients or drive the optimal commercial outcome for NCC Group

VR

Link to strategy:

Our clients

Our capabilities

Global delivery

Previous risk name: N/A

Risk impact: Inability to transact, operate and deliver profitable services resulting in loss of revenue and negative impact on share price.

Key controls and mitigating factors: Finance review of margins. Legal review of contracts. Approval is required for low margin jobs. Regular review of services is offered. Client engagement and feedback to enhance the portfolio of products and services.

Risk owner: Peter Vorley, CCO

Risk impact and movement: NR

B. Cyber and information security

VR

4. Cyber attack

Link to strategy:

Our capabilities

Global delivery

Differentiated brands

Previous risk name: N/A

Risk impact: Data breach leading to fines from regulators and reputational damage. Lack of availability in systems. Inability to operate services resulting in loss of customer trust, resulting in loss of revenue and negative impact on share price. Impact on national security due to our work with government clients.

Risk impact and movement: Increased due to increase in high profile cyber attacks and change to geopolitical landscape.

Key controls and mitigating factors: The Board operates a Cyber Security Committee chaired by a NED. All colleagues globally are required to undertake annual and ongoing security training to alert them to potential methods of security breach and to their responsibilities in safeguarding information and reporting potential issues. Security testing is regularly carried out on the Group’s infrastructure and there are extensive response plans, which are tested. Comprehensive plans are in place and being delivered associated with discharging our data protection obligations. Deployed an Information Security Management System (ISO 27001). All key locations are certified.

Risk owner: Guy Ellis, CFO

Risk movement: Increased, Decreased, Unchanged

Risk impact: High, Medium, Low

Viability risk: VR New risk: NR

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
