VR
4. Availability of critical information systems
Link to strategy:
Win business
Support growth
Develop our people
Key controls and mitigating factors: The Group continues to make significant investment in its IT infrastructure to ensure it continues to support the growth of the organisation. The Group has controls in place to reduce the risk of actual loss of critical systems; this has included a review of single points of failure and these have been mitigated. Further, controls are operated to ensure the availability of backup media in the event of prolonged loss of systems. An initiative to standardise and simplify, while increasing resilience, continues to be implemented. Additional focus is given to proving the recoverability of systems and data.
Impact: If the Group’s critical systems failed, this could affect the Group’s ability to provide services to our customers.
Risk movement/impact: The Group continues to be reliant on access to key information systems.
The Group is heavily reliant on continued and uninterrupted access to its IT systems. As well as environmental and physical threats, the Group is a natural target for individuals who may seek to disrupt the Group’s commercial activities.
Accountable Executive: Tim Kowalski, Chief Financial Officer
VR
5. Attracting and retaining appropriate colleague capacity and capability
Link to strategy:
Lead the market
Win business
Support growth
Develop our people
Key controls and mitigating factors: Colleagues are offered a rewarding career structure and attractive salary and benefits packages, which can include participation in share schemes. Comprehensive communications with our colleagues are ongoing and include all-hands calls, The Wire and Group and local communications. Linked to the development of our people, the Group continues to review our values and continues to use personal performance management processes, and aligned development programmes, which are linked to succession planning.
Impact: Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group’s strategy. An inability to attract and retain sufficient high calibre colleagues could become a barrier to the continued success and growth of NCC Group.
Risk movement/impact: The market for cyber resource remains buoyant and competitive and therefore, despite implementing additional mitigation factors, the Group still prioritises recruiting and retaining resource.
The Group would be adversely impacted if it were unable to attract and retain the right calibre of skilled colleagues. Some roles within the Group operate in highly technical and extremely specialised areas in which there are shortages of skilled people.
Accountable Executive: Michelle Porteus, Chief People Officer
VR
6. Information security risk (including cyber risk)
Link to strategy:
Win business
Deliver excellence
Support growth
Key controls and mitigating factors: The Board operates a Cyber Security Committee, chaired by the Chair of the Board, which is responsible for the ongoing oversight of this risk and related control environments. All colleagues globally are required to undertake annual security training and updates to alert them to potential methods of security breach and to their responsibilities in safeguarding information and reporting potential issues. Security testing is regularly carried out on the Group’s infrastructure and there are extensive response plans, which were reviewed during the year, in the event of a major security incident. Comprehensive plans are in place and being delivered associated with discharging our data protection obligations.
Impact: Failure to maintain control over customer, colleague, commercial and/or operational data could lead to a range of impacts, including reputational damage. The misuse of personal data, for example without the customer’s consent, or retaining data for longer than is necessary, may also result in reputational harm, regulatory investigations and potential fines.
Risk movement/impact: The information and data security risk environment continues to change and therefore key controls and mitigating factors continue to be updated. Therefore, no change.
Due to the nature of the services provided by NCC Group, clients have a high expectation of the systems, processes and people handling their data. In addition, as a cyber security provider, NCC Group is more exposed to its systems being maliciously compromised. As a result, NCC Group could experience a malicious cyber-attack, inadvertent disclosure and/or compromise of confidential data and/or any other information security incident.
Accountable Executive: Tim Kowalski, Chief Financial Officer
Risk movement: Increased, Decreased, Unchanged
Risk impact: High, Medium, Low
Viability risk: VR
New risk: NR
NCC Group plc — Annual report and accounts for the year ended 31 May 2022