NCC Group plc Annual Report 2022

Board composition and division of responsibilities continued

Risk management

The Board has ultimate responsibility for ensuring that business risks are effectively managed. The Board has delegated regular review of the risk management procedures to the Cyber Security Committee in relation to cyber risks, and to the Audit Committee in relation to all other risks. The Board reviews the overall risk environment on at least an annual basis. The day-to-day management of business risks is the responsibility of the Executive Committee (ExCom).

Internal control

The Group has a system of internal controls which aims to support the delivery of the Group’s strategy by managing the risk of failing to achieve business objectives and to protect the stewardship of the Group’s assets. As with all such systems, the goal is to manage risk within acceptable parameters, rather than to eliminate risk entirely. The Group can therefore only provide reasonable and not absolute assurance that the business objectives and asset stewardship will be delivered successfully.

In addition, the Group insures against various risks, but certain risks remain difficult to insure, due to the breadth and cost of cover. In some cases, external insurance is not available at all, or at least not at an economically viable price. The Group regularly reviews both the type and amount of external insurance that it buys in conjunction with its insurance brokers.

For a more detailed review of risk management processes, the principal risks faced by the Group and their mitigation, see pages 64 to 72.

The Audit Committee is responsible for reviewing the effectiveness of the risk management and internal control systems. The steps it takes in relation to the review are set out on page 97.

The Audit Committee makes recommendations to the Board on the effectiveness of risk management and internal controls, which the Board considers, together with reports from the Cyber Security Committee, in forming its own view on the effectiveness of the risk management and internal control systems.

During the year ended 31 May 2022, the Board reviewed the effectiveness of the Group’s risk management and internal control systems together with internal control findings issued by our auditor, including the mitigating factors surrounding the use of IT users with certain access rights to our systems.

We confirm that the processes outlined above and on page 97 have been in place for the year under review and up to the date of this Annual Report and Accounts, and that these processes accord with the UK Corporate Governance Code and the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting.

We also confirm that, while no significant failings or weaknesses were identified in relation to the internal audits performed, there is a programme of continuous improvement to support the achievement of higher standards. This has resulted in an increase in benchmarking our systems of internal control against recognised frameworks. For example, while our score against the NIST Framework is in line with similar organisations, we have taken a conscious step to exceed these standards. Therefore, we have established and continue to monitor an aggressive action plan to achieve our objective of being a leader in the market.

Executive remuneration

During the year (until the 2021 AGM), we operated within the Remuneration Policy approved by shareholders at the 2020 AGM. From the 2021 AGM until 31 May 2022, we operated within the Remuneration Policy approved by shareholders at the 2021 AGM. Details of how the Remuneration Policy has been applied during this financial year are set out on pages 121 to 127 of the Remuneration Committee Report.

NCC Group plc — Annual report and accounts for the year ended 31 May 2022