Principal risks and uncertainties continued
In addition to ongoing risk identification, an annual exercise is undertaken to review the Group’s strategic risk universe by the Board. This exercise is reliant on the “top down” “bottom up” approach discussed earlier. Assess Post identification of the Group’s inherent risk exposure, a comprehensive assessment of the effectiveness of current mitigating controls is undertaken. This exercise takes account of the design of the current control environment and the application of these controls prior to assessing the Group’s current exposure to risk – mitigated risk score. The Board uses a number of sources of information to support the scoring of risk and these include, but are not limited to: • Management updates • Action tracking and reporting • Control environment policies and procedures
g o
Identify risks
Monitor delivery of
Identify inherent risks and likelihood of impact
action plans/ risk universe
Risk management model
Assess adequacy and effectiveness of existing controls
Develop action plans (treat, transfer, tolerate, terminate)
Assign Director-level sponsorship
Evaluate mitigated risks and likelihood of impact
• Independent audit activity • Project monitoring reports Address
Having identified and assessed the risks faced by the Group, the risks are scored according to likelihood of occurring and impact to the business should they occur. The risks are then mapped according to their rating onto a risk heat map, which reflects the Group’s overall risk appetite set by the Board. The Group’s Risk Management Policy then provides guidance on the expected level of response to those risks, depending on where they sit on the risk heat map. The heat map shows the four bandings in the different shades of risks as set out below as well as expected actions and responses to risks in these areas: • Green – within appetite. Ongoing monitoring in place • Amber – out of appetite. Some actions are required to treat the risk to bring this within acceptable levels • Purple – significantly out of appetite. High combination of residual probability and impact. Management actions required, with some urgency, to treat the risk, reducing this to acceptable levels • Grey/black – risks that are deemed to have such an impact that they could theoretically impact the ability of the business to continue in existence. If any, they would need consideration in assessing in the Directors’ Viability Statement An assessment of whether additional actions are required to reduce our risk exposure is undertaken, with actions falling into the one of four categories: • Treat – develop an action plan (applying responsibility, deadlines and prioritisation) that may include the implementation of additional controls, or increase the requirement for additional assurance over the adequacy and effectiveness of the existing controls • Transfer – use a third party specialist to undertake the activity, thus mitigating the risk • Tolerate – determine the risk is within appetite • Terminate – exit the activity Output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders, or has been used in the development of the Group’s transformation programme.
Risk management model The Board has overall responsibility for ensuring that NCC Group adopts an effective risk management model, which is aligned to our objectives and promotes good risk management practice. We have therefore adopted the model described in this section and summarised in the diagram above. The Board, Audit Committee, Cyber Security Committee and Executive Team review risks on an ongoing basis throughout the year. The appropriateness and relevance of the risks and issues tracking system – IRMS – are monitored by the global governance team to ensure that it continues to be updated, meets the needs of the Group and remains in line with good risk management practice. In addition, there is a robust process in place for monitoring and reporting the implementation of agreed actions. We are satisfied that the Risk Management Policy, framework and model currently in place are sufficient to manage risk across the Group. The key areas of identifying, assessing, addressing and monitoring risks are explained in more detail below: Identify Risks exist within all areas of our business and it is important for us to identify and understand the degree to which their impact and likelihood of occurrence will affect the delivery of our key objectives. This is achieved through day-to-day working practices and incorporates risks in both the internal and external environment. Examples of identification include horizon scanning for legislative and market changes, operational and delivery reviews (such as SGT), procedures in relation to projects and change and independent systems audits. All identified risks are initially assessed for their “inherent” risk (risk with no controls in place), using a scoring mechanism that accounts for the likelihood of an event occurring and the impact that it may have on the Group. The scoring mechanism adopted takes account of high impact, low likelihood events and these risks are managed in a timely manner.
42
NCC Group plc — Annual report and accounts for the year ended 31 May 2021
Made with FlippingBook Converter PDF to HTML5