NCC Group plc Annual Report 2022

Principal risks and uncertainties

Embedded risk management systems

Risk management

Risk is an inherent part of doing business and risk management is a fundamental part of good corporate governance. A successful risk management process balances risk and reward and is underpinned by sound judgement of their impact and likelihood. The Board has overall responsibility for ensuring that NCC Group has an effective risk management framework, which is aligned to our business objectives. The Board has established a Risk Management Policy, which has established protocols, including:

• Roles and responsibilities for the risk management framework
• Risk scoring framework
• A definition of risk appetite

“Embedded risk management systems have supported the Group in pursuing its strategy for sustainable and profitable growth.”

The integrated approach to risk management diagram on page 66 summarises the Group’s overall approach to risk management, which is supported by a web-based tool – the Integrated Risk Management System (IRMS). The tool is designed to follow the risk management model described in the next section and records both strategic and operational risk registers and tracks risk mitigation action plans, helping embed ownership of risks and treatment actions while also providing access to live management information, which is used at both a Board and operational management level.

NCC Group’s approach to risk management

NCC Group adopts both a “top-down” and “bottom-up” approach to risk, to manage risk exposure across the Group to enable the effective pursuit of strategic objectives. The approach is summarised in the diagram on page 65. The approach is one of collaboration, which supports our comprehensive approach to risk identification, from the “top down” and “bottom up”. The Group believes that this is the most efficient and effective way to identify its business risks.

Top down

The Board, Audit Committee and Cyber Security Committee review risks on an ongoing basis and are supported by the Executive Committee and subject matter specialists (including Software Resilience, Assurance, information security, data protection and health and safety). The Board gives consideration to the Group’s strategic objectives and any barriers to their achievement.

Bottom up

The Board and senior leadership team engage with colleagues at every level of the Group in recognition of the importance of their expertise, contribution and views. In relation to matters of wrongdoing, or risks not being recognised and adequately managed, the Group has a robust and effective whistleblowing procedure, which is supported by the Safecall reporting line.

