Risk Management and Internal Control
The Board acknowledges its responsibility for ensuring the maintenance of a sound system of internal controls and risk management. In accordance with the guidance set out in the Financial Reporting Council’s (FRC’s) Guidance on Risk Management, Internal Control and Related Financial Business Reporting 2014, and in the Corporate Governance Code itself, an ongoing process has been established for identifying, evaluating and managing the principal risks faced by the Group. The Directors have established an organisational structure with clear operating procedures, lines of responsibility and delegated authority.
In particular, there are clear procedures and defined authorities for the following:
- Financial reporting, with clear policies and procedures governing the financial reporting process and preparation of the financial statements. There is a clear and documented framework of required controls. Each reporting location prepares an annual self‑assessment of compliance with these controls, which is assured during planned internal audit visits
- Comprehensive monitoring and quantification of business risks, under the direction of the Risk Management Committee. The Group’s approach to risk management and the principal risks facing the Group are discussed in more detail in the Strategic Report on pages 30 to 34 of the 2017 Annual Report & Accounts
- Capital investment, with detailed appraisal, risk analysis, authorisation and post-investment review procedures.
This process has been in place for the full financial year and up to the date on which the financial statements were approved by the Directors.
The Board discharged its responsibility for monitoring the operational effectiveness of the internal control and risk management systems throughout the financial year and up to the date of approval of the Annual Report and Accounts. It used a process which involved:
- Written confirmations from relevant senior executives and divisional directors concerning the operation of those elements of the system for which they are responsible
- Internal audit work carried out by KPMG LLP, which reports through the Vice President of Risk and Assurance to the Audit Committee
- Reports from the external auditors
- Presentations of key risks and controls by the Executive owner and other assurance providers
- A half-yearly report on significant controls from the Vice President of Risk and Assurance
This system is designed to mitigate, rather than eliminate, the risk of failure to achieve business objectives and provides reasonable, but not absolute, assurance against material misstatement or loss. As appropriate, the Board also ensures that necessary actions have been, or are being, taken to remedy failings or weaknesses identified from the review of the effectiveness of internal controls, and judges their level of significance.