VR
4. Availability of critical information systems
Link to strategy:
Win business
Support growth
Develop our people
Key controls and mitigating factors: The Group continues to make significant investment in its IT infrastructure to ensure it continues to support the growth of the organisation. This has been particularly pertinent during home working as part of the response to Covid-19. The Group has controls in place in order to reduce the risk of actual loss of critical systems; this has included a review of single points of failure and these have been mitigated. Further, controls are operated to ensure the availability of backup media in the event of prolonged loss of systems. The Group also standardises and simplifies processes whilst increasing resilience. Additional focus is given to proving the recoverability of systems and data.
Impact: If the Group’s critical systems failed, this could affect the Group’s ability to provide services to our customers.
The Group is heavily reliant on continued and uninterrupted access to its IT systems. As well as environmental and physical threats, the Group is a natural target for individuals who may seek to disrupt the Group’s commercial activities.
Risk movement/impact
Accountable Executive: Steve Boughton, Global Operations Director
VR
5. Attracting and retaining appropriate colleague capacity and capability
Link to strategy:
Lead the market
Win business
Support growth
Develop our people
Key controls and mitigating factors: Colleagues are offered a rewarding career structure and attractive salary and benefits packages, which can include participation in share schemes. Comprehensive communications with our colleagues are ongoing and include all-hands calls, The Wire and Group and local communications. Linked to the development of our people, the Group continues to review our values and continues to use personal performance management processes, and aligned development programmes, which are linked to succession planning.
Impact: Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group’s strategy. An inability to attract and retain sufficient high-calibre colleagues could become a barrier to the continued success and growth of NCC Group.
The Group would be adversely impacted if it were unable to attract and retain the right calibre of skilled colleagues. Some roles within the Group operate in highly technical and extremely specialised areas in which there are shortages of skilled people.
Risk movement/impact
Accountable Executive: Colin Watt, Chief People Officer
VR
6. Information security risk (including cyber risk)
Link to strategy:
Win business
Deliver excellence
Support growth
Key controls and mitigating factors: The Board operates a Cyber Security Committee chaired by the Chair of the Board and is responsible for the ongoing oversight of this risk and related control environments. All colleagues globally are required to undertake annual security training and updates to alert them to potential methods of security breach and to their responsibilities in safeguarding information and reporting potential issues. Security testing is regularly carried out on the Group’s infrastructure and there are extensive response plans, which were reviewed during the year, in the event of a major security incident. Comprehensive plans are in place and being delivered associated with discharging our data protection obligations.
Impact: Failure to maintain control over customer, colleague, commercial and/or operational data could lead to a range of impacts, including reputational damage. The misuse of personal data, for example without the customer’s consent, or retaining data for longer than is necessary, may also result in reputational harm, regulatory investigations and potential fines.
Due to the nature of the services provided by NCC Group, clients have a high expectation of the systems, processes and people handling their data. In addition, as a cyber security provider, NCC Group is more exposed to its systems being maliciously compromised. As a result, NCC Group could experience a malicious cyber-attack, inadvertent disclosure and/or compromise of confidential data and/or any other information security incident.
Risk movement/impact
Accountable Executive: Steve Boughton, Global Operations Director
Risk movement: Increased, Unchanged, Decreased
Risk impact: High, Medium, Low
Viability risk: VR
New risk: NR
NCC Group plc — Annual report and accounts for the year ended 31 May 2021