NCC Group plc Annual Report 2021

Control environment The control environment has primarily been established taking account of the Group’s values (working together, being brilliantly creative and embracing difference) and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, whilst also maintaining integrity and transparency. Risk assessments Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements which is vital in our transformational programmes. Policies and procedures Established policies communicate expected behaviours and these are supported through procedures and guidelines defining required processes and controls. This in turn supports the business to adopt efficient and effective control environments. Information and communication Access to accurate and timely data is key in supporting our colleagues to make decisions and to be well informed in order to conduct, manage and control their areas of responsibility. During the year, the Group has continued to focus on its data systems – rolling out the Workday Finance system to support consistent controls and reporting. Activity monitoring Financial minimum controls were established during FY20 for local finance teams. The financial minimum controls have been self- assessed by all finance teams and a programme of audit against these standards launched in FY21. The financial minimum controls framework was established in consultation with the Chief Financial Officer, Group Financial Controller and local Finance Directors and has taken account of the implementation of Workday Finance. Further enhancement of the framework is being considered in preparation for potential changes proposed in the Brydon Review and related white paper issued by the Department for Business, Energy and Industrial Strategy. Financial accounting and reporting follows generally accepted accounting practices. Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies. Compliance with all legislation, current and new, is closely monitored. Risk and control reporting structure During the current financial year, NCC Group has focused on establishing the “three lines of defence” to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Security Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control. Three lines of defence: • First line – Group policies and procedures • Second line – Global Governance function, incorporating Health and Safety; Information Security; Data Protection; Compliance and Standards; and Corporate Legal • Third line – independent challenge and assessment, including ISO certification and internal and external audit

4 7

1

8

3 11 6

5

10

9

2

Likelihood

Low

High

1 Business strategy

7 Quality of Management

Information Systems (MIS) and internal business processes

5 Attracting and retaining appropriate colleague capacity and capability 2 Management of strategic change 3 Global pandemic – Covid-19 4 Availability of critical information systems 6 Information security risk (including cyber risk)

8 Quality and Security Management Systems 9 Post-Brexit

10

Sustainability

11

Acquisition of IPM

Monitor Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual. Examples of ongoing monitoring of business risks include, but are not limited to: • Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks • Annual review of the annual internal audit plan to validate that it incorporates key areas of business risk • At each Audit Committee, a review of internal audit reports issued during the period, including a summary of progress against previously raised management actions • Annual review of the strategic risk register by the Enterprise Risk Management Steering Group (introduced in FY21) and Board to ensure that it includes risks arising in year Internal control Whilst risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation. NCC Group has established a robust internal control framework which is made up of a number of components:

NCC Group plc — Annual report and accounts for the year ended 31 May 2021

43

Made with FlippingBook Converter PDF to HTML5