Risk Management and Internal Control
The group has an established risk management methodology which seeks to identify, prioritise and mitigate risks, underpinned by a ‘three lines of defence’ model comprising an internal control framework, monitoring and independent assurance processes. The Board considers that risk management and internal control are fundamental to achieving the group’s aim of creating long-term sustainable shareholder value.
Risks are identified both ‘top down’ by the Board and Executive Committee, and ‘site up’ through the group’s businesses, and are quantified by assessing their inherent impact and mitigated probability to ensure that residual risk exposures are understood and prioritised for control throughout the group. Senior executives are responsible for the strategic management of the group’s principal risks, including related policy, guidelines and process, subject to Board oversight.
Throughout 2016, the Board reviewed the status of all principal risks with a notable potential impact at group level. Additionally, the Audit Committee carried out focused risk reviews of each Division. These reviews included an analysis of principal risks, together with the controls, monitoring and assurance processes established to mitigate those risks to acceptable levels. As a result of these reviews, a number of actions were identified to continue to improve internal controls and the management of risk. In 2016, the Executive Committee initiated a review of the group’s policies that set the framework for effective management of risk, and a number of these have been updated and rolled out across the group. This work will continue in 2017. Also in 2016, the group’s risk management methodology and related processes were updated and aligned with the new Divisional business structure.