Risk management framework

Top down: Strategic risk management
Bottom up: Operational risk management

Board, Audit Committee and Cyber Security Committee
• Establishing guidance on the Group’s approach to risk management and establishing the parameters for risk appetite and associated decision making
• Identification, review and management of identified Group strategic risks and associated actions
• Periodically assessing the effectiveness of the embedded Group risk management process
• Challenging the content of the strategic risk register to support a comprehensive and balanced assessment of risk
• Reporting on the principal risks and uncertainties of the Group
• Responsible for reviewing the operational risks across the business units and Group
• Challenging the appropriateness and adequacy of proposed action plans to mitigate risk
• Giving due consideration to the aggregation of risk across the Group
• Provisioning suitable cross-functional/business unit resource to effectively manage risk where appropriate
• Ongoing monitoring and reporting to the Board in relation to the progress being made by the business units in implementing agreed action plans to mitigate strategic risk
• CISO dedicated to the identification, management, monitoring and reporting of data security risks
• Identification and reporting of strategic risk to the Board
• Provision of reports and data relating to significant emerging risks to the Group (internal and external)
• Implementation of a risk management approach which promotes the ongoing identification, evaluation, prioritisation, mitigation and monitoring of operational risk
• Ongoing consideration of:
  – IT and cyber-centric risk
  – Environmental risk

Executive Board and leadership team
• Implementing and embedding the Group’s Risk Management Policy and approach
• Directing the delivery of the Group’s identified actions associated with managing/mitigating risk
• Identification of key risk indicators, monitoring and taking timely action where appropriate

Global Governance function (incl. dedicated CISO) and business units
• Instrumental in developing the risk management framework adopted by the Board
• Providing governance and control over the IRMS
• Conduit between the Board and the business units – providing training and support where appropriate
• Developing and executing a risk-based internal audit plan to assess the management of risks
• Execution of the delivery of the Group’s identified actions associated with managing risk
• Timely reporting on the implementation and progress of agreed action plans
• Provision of key risk indicator updates

Outcome: effective pursuit of strategic objectives
NCC Group plc — Annual report and accounts for the year ended 31 May 2021