Risk management and internal control
The Board acknowledges its responsibility for ensuring the maintenance of a sound system of internal controls and risk management. In accordance with the guidance set out in the Financial Reporting Council’s (FRC’s) Guidance on Risk Management, Internal Control and Related Financial Business Reporting 2014, and in the Corporate Governance Code itself, an ongoing process has been established for identifying, evaluating and managing the principal risks faced by the Group. The Directors have established an organisational structure with clear operating procedures, lines of responsibility and delegated authority which was reviewed by the Board.
In particular, there are clear procedures and defined authorities for the following:
- Financial reporting, with policies and procedures governing the financial reporting process and preparation of the financial statements.
- Internal Controls, with a documented framework of required internal controls. Each reporting location prepares an annual self‑assessment of compliance with these controls, which is assured during planned internal audit visits
- Business risks, with comprehensive monitoring and quantification of business risks, under the direction of the Risk Management Committee. The Group’s approach to risk management and the principal and emerging risks facing the Group are discussed in more detail in the Strategic Report on pages 44 to 48 of the 2020 Annual Report and Accounts
- Capital investment, through detailed appraisal, risk analysis, authorisation and post-investment review procedures.
This process has been in place for the full financial year and up to the date on which the financial statements were approved by the Board.
The Board discharged its responsibility for monitoring the operational effectiveness of the internal control and risk management systems throughout the financial year and up to the date of approval of the Annual Report and Accounts, using a process which involved:
- Review of the controls self-assessment returns in April to ensure internal audit visits focused on key areas
- Review of the findings from the internal audit assurance programme which reports through the Vice President of Risk and Assurance who attends every Audit Committee meeting alongside the PwC internal audit partner
- Review of closure of management actions to remedy failings and weaknesses identified through the internal audit programme
- Receipt of written confirmations from relevant senior executives and divisional directors at the end of the year confirming the continued operation of those control elements for which they are responsible
- Review of the report on significant control weaknesses from the Vice President of Risk and Assurance, including whistleblowing and fraud incidents
- Annual presentation and review of risk appetite statements, principal and emerging risks and mitigating controls supported by a quarterly update from the Risk Management Committee
- Reports from the external auditors.
This system is designed to mitigate, rather than eliminate, the risk of failure to achieve business objectives and provides reasonable, but not absolute, assurance against material misstatement or loss.
As appropriate, the Board also ensures that necessary actions have been, or are being taken, to remedy failings or weaknesses identified from the review of internal controls’ effectiveness and judges their level of significance.