Risk management and internal control

The Board acknowledges its overall responsibility for monitoring the Group’s risk management and internal control systems to facilitate the identification, assessment and management of risk and the protection of shareholders’ investments and the Group’s assets. The directors recognise that they are responsible for providing a return to shareholders, which is consistent with the responsible assessment and mitigation of risks.

The directors confirm that there is a process for identifying, evaluating and managing the risks faced by the Group and the operational effectiveness of the related controls, which has been in place for the year under review and is up to the date of approval of the Annual Report. They also confirm that they have regularly monitored the effectiveness of the risk management and internal control systems (which cover all material controls including financial, operational and compliance controls) utilising the review process set out below.


There are guidelines on the minimum groupwide requirements for health and safety and environmental standards. There are also guidelines on the minimum level of internal control that each of the divisions should exercise over specified processes. Each business has developed and documented policies and procedures to comply with the minimum control standards established, including procedures for monitoring compliance and taking corrective action. The board of each business is required to confirm twice yearly that it has complied with these policies and procedures.

High-level controls

All businesses prepare annual operating plans and budgets which are updated regularly. Performance against budget is monitored at business unit level and centrally, with variances being reported promptly. The cash position at Group and business level is monitored constantly and variances from expected levels are investigated thoroughly. Clearly defined guidelines have been established for capital expenditure and investment decisions. These include the preparation of budgets, appraisal and review procedures and delegated authority levels.

Financial reporting

Detailed management accounts are prepared every four weeks, consolidated in a single system and reviewed by senior management and the Board.

They include a comprehensive set of financial reports and key performance indicators covering commercial, operational, environmental and people issues. Performance against budgets and forecasts is discussed regularly at Board meetings and at meetings between operational and Group management. The adequacy and suitability of key performance indicators are reviewed regularly. All chief executives and finance directors of the Group’s operations are asked to sign an annual confirmation that their business has complied with the Group Accounting Manual in the preparation of consolidated financial statements and specifically to confirm the adequacy and accuracy of accounting provisions.

Internal audit

The Group’s internal audit activities are co-ordinated centrally by the Director of Financial Control, who is accountable to the Audit Committee.

Our internal audit team adopts a risk-based approach to develop and deliver a balanced internal audit plan that provides assurance that our businesses are effectively managing their key control risks and agreed action plans with business leaders where controls require improvement.

All Group businesses are required to comply with the Group’s Financial Control Framework which sets out minimum control standards. Our internal audit plans are designed to include coverage of financial controls to provide assurance over how our businesses meet the requirements of the Financial Control Framework.

Assessment of principal risks

The directors confirm that, during the year, the Board has carried out a robust assessment of the principal and emerging risks facing the Group, including those that could threaten its business model, future performance, and solvency or liquidity. A description of these principal and emerging risks and how they are being managed and mitigated is set out on pages 68 to 75 of the Annual Report 2023.

Annual review of the effectiveness of the systems of risk management and internal control

During the year, the Board reviewed the effectiveness of the Group’s systems of risk management and internal control processes embracing all material systems, including financial, operational and compliance controls, to ensure that they remain robust. The review covered the financial year to 16 September 2023 and the period to the date of approval of the Annual Report. The review included:

  • the annual risk management review, a comprehensive process identifying the key external and operational risks facing the Group and the controls and activities in place to mitigate them, the findings of which are discussed with each member of the Board individually (refer to the risk management section on pages 94 to 95 of the Annual Report for details of the process undertaken); and
  • the annual assessment of internal control, which, following consideration by the Audit Committee, provided assurance to the Board around the control environment and processes in place around the Group, specifically those relating to internal financial control.

The Board evaluated the effectiveness of management’s processes for monitoring and reviewing risk management and internal control. No significant failings or weaknesses were identified by the review and the Board is satisfied that, where areas of improvement were identified, processes are in place to ensure that remedial action is taken and progress monitored.

The Board confirmed that it was satisfied with the outcome of the review of the effectiveness of the systems and processes and that they complied with the requirements of the 2018 Code.


Our use of cookies

We use necessary cookies to make our site work. We’d also like to set optional analytics cookies to help us improve it. We won’t set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences.

For more detailed information about the cookies we use, see our Cookie policy

Analytics cookies

We’d like to set Google Analytics cookies to help us to improve our website by collecting and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.

For more detailed information about the cookies we use, see our Cookie policy