NCC Group plc Annual Report 2022

NCC Group has established a robust internal control framework, which is made up of a number of components:

Control environment

The control environment has primarily been established taking account of the Group’s values (working together; being brilliantly creative; embracing difference; and taking responsibility), and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, while also maintaining integrity and transparency.

Risk assessments

Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements and are vital in our transformational programmes.

Policies and procedures

Established policies communicate expected behaviours and these are supported through procedures and guidelines defining required processes and controls. This in turn supports the business to adopt efficient and effective control environments.

Information and communication

Access to accurate and timely data is key in supporting our colleagues to make decisions and to be well informed in order to conduct, manage and control their areas of responsibility. During the year, the Group has embedded its data systems following the rollout of the Workday systems.

Activity monitoring

The minimum financial controls framework was established in FY20. Further enhancement of the framework will be designed and implemented in FY23 and beyond, to align with the Brydon Review and related whitepaper issued by the Department for Business, Energy and Industrial Strategy in March 2021. Financial accounting and reporting follow generally accepted accounting practices.

Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies. Compliance with all legislation, current and new, is closely monitored.

Risk and control reporting structure

During the current financial year, NCC Group has continued to focus on embedding the “three lines of defence” to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Committee, Executive Committee, and extended leadership team with accurate and reliable information in relation to the systems of internal control.

Three lines of defence:

• First line – Group policies and procedures
• Second line – Global governance function, incorporating health and safety; information security; data protection; risk and regulatory compliance; standards and support; and legal
• Third line – independent challenge and assessment, including ISO certification and internal and external audit

[Figure: numbered risks plotted by likelihood (axis: Low to High); risk categories: Strategic, Operational, ESG]

Risks shown in the figure:

1 Business strategy
2 Management of strategic change
3 Global pandemic – Covid-19
4 Availability of critical information systems
5 Attracting and retaining appropriate colleague capacity and capability
6 Information security risk (including cyber risk)
7 Quality of Management Information Systems (MIS) and internal business processes
8 Quality and Security Management Systems
9 International trade
10 A. Sustainability; B. Climate change

Monitor

Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual. Examples of ongoing monitoring of business risks include, but are not limited to:

• Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks
• Annual review of the annual internal audit plan to validate that it incorporates key areas of business risk
• A review of internal audit reports issued during the period, including a summary of progress against previously raised management actions at each Audit Committee
• Annual review of the strategic risk register by the Enterprise Risk Management Steering Group and Board to ensure that it includes risks arising in year

Internal control

While risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation.

NCC Group plc — Annual report and accounts for the year ended 31 May 2022
