The Board is responsible for setting the Group’s risk appetite and ensuring that appropriate risk management systems are in place. The Board reviews the Group’s principal risks throughout the year as part of its normal agenda, adopting an integrated approach to risk management by regularly discussing our principal risks. In addition, once a year the Board formally assesses the Group’s principal risks, taking the strength of the Group’s control systems and our appetite for risk into account.
The Board delegates responsibility for day-to-day risk management to the Executive Committee, including the identification, evaluation and monitoring of key risks facing the Group and the implementation of Group-wide risk management processes and controls.
The Audit Committee keeps the effectiveness of the Group’s risk management systems under review and reports to the Board on the results of its review. Any material control issues, serious accidents or major commercial, financial or reputational issues, and any new significant risks that are identified, are reported to the Board and/or Audit Committee as appropriate.
Following changes to the UK Corporate Governance Code in 2014, and changes to our strategy and organisation in 2015, we have carried out a robust assessment of our principal risks and uncertainties. Our revised principal risks are set out here.
The Board is aware that the effectiveness of risk management is dependent on behaviours. In 2016 we will launch a refreshed Code of Business Conduct to provide a common and consistent framework for responsible business practices. It will reinforce the standards we expect our people to follow in their day-to-day activities, no matter where they work in the world, and tell others that they can rely on our integrity. It will be supported by our Ethics and Compliance programme, which aims to ensure compliance with our ethical standards.
How we identify risk
Our risk management process has been built to identify, evaluate, analyse and mitigate significant risks to the achievement of our strategy. Our risk identification processes seek to identify risks from both a top-down strategic perspective and a bottom-up local operating company perspective.
The Board has overall responsibility for risk management, the setting of risk appetite and the implementation of the risk management policy. The Board reviews and challenges the Group’s principal risks on an ongoing basis.
The Audit Committee
The Audit Committee ensures adequate assurance is obtained over the risks that are identified as the Group’s principal risks. The Audit Committee is also responsible for the independent review and challenge of the adequacy and effectiveness of the risk management approach.
The Executive Committee is responsible for the identification, reporting and ongoing management of risks and for the stewardship of the risk management approach. The Executive Committee reviews and assesses the key strategic risks to the Group and the outputs of the assessment are sent to the Divisional Presidents for inclusion in their local risk assessment exercises.
Divisional Presidents are responsible for the identification, reporting and ongoing management of risks in their respective regions. The outputs of these assessment exercises are reviewed and challenged by the Executive Committee as part of their assessment of the key strategic risks facing the Group.
Our risk appetite
We use an assessment of the level of risk and our associated risk appetite to ensure the appropriate focus is placed on the correct risks.