Risk management and internal control
The Board acknowledges its overall responsibility for monitoring the group’s risk management and internal control systems to facilitate the identification, assessment and management of risk and the protection of shareholders’ investments and the group’s assets. The directors recognise that they are responsible for providing a return to shareholders, which is consistent with the responsible assessment and mitigation of risks.
The directors confirm that there is a process for identifying, evaluating and managing the risks faced by the group and the operational effectiveness of the related controls, which has been in place for the year under review and up to the date of approval of the annual report. They also confirm that they have regularly monitored the effectiveness of the risk management and internal control systems (which cover all material controls including financial, operational and compliance controls) utilising the review process set out below.
There are guidelines on the minimum group-wide requirements for health and safety and environmental standards. There are also guidelines on the minimum level of internal control that each of the divisions should exercise over specified processes. Each business has developed and documented policies and procedures to comply with the minimum control standards established, including procedures for monitoring compliance and taking corrective action. The Board of each business is required to confirm twice yearly that it has complied with these policies and procedures.
High level controls
All businesses prepare annual operating plans and budgets which are updated regularly. Performance against budget is monitored at business unit level and centrally, with variances being reported promptly. The cash position at group and business level is monitored constantly and variances from expected levels are investigated thoroughly.
Clearly defined guidelines have been established for capital expenditure and investment decisions. These include the preparation of budgets, appraisal and review procedures and delegated authority levels.
Detailed management accounts are prepared every four weeks, consolidated in a single system and reviewed by senior management and the Board. They include a comprehensive set of financial reports and key performance indicators covering commercial, operational, environmental and people issues. Performance against budgets and forecasts is discussed regularly at Board meetings and at meetings between operational and group management. The adequacy and suitability of key performance indicators is reviewed regularly. All chief executives and finance directors of the group’s operations are asked to sign an annual confirmation that their business has complied with the Group Accounting Manual in the preparation of consolidated financial statements and specifically to confirm the adequacy and accuracy of accounting provisions.
The group’s businesses employ internal auditors (both employees and resources provided by major accounting firms other than the firm involved in the audit of the group (except where expressly permitted by the Audit Committee)) with skills and experience relevant to the operation of each business. All of the internal audit activities are co-ordinated centrally by the group’s Director of Financial Control, who is accountable to the Audit Committee.
All group businesses are required to comply with the group’s financial control framework that sets out minimum control standards. A key function of the group’s internal audit resources is to undertake audits to ensure compliance with the financial control framework and make recommendations for improvement in controls where appropriate. Internal audit also conducts regular reviews to ensure that risk management procedures and controls are observed. The Audit Committee receives regular reports on the results of internal audit’s work and monitors the status of recommendations arising. The Committee reviews annually the adequacy, qualifications and experience of the group’s internal audit resources and the nature and scope of internal audit activity in the overall context of the group’s risk management system. The group’s Director of Financial Control meets with the Chair of the Audit Committee as appropriate but at least quarterly, without the presence of executive management, and has direct access to the Chairman of the Board.
Assessment of principal risks
The directors confirm that, during the year, the Board has carried out a robust assessment of the principal risks facing the group, including those that could threaten its business model, future performance, solvency or liquidity, together with emerging risks. A description of the principal risks and how they are being managed and mitigated is set out here.
Annual review of the effectiveness of the systems
During the year, the Board reviewed the effectiveness of the group’s systems of risk management and internal control processes embracing all material systems, including financial, operational and compliance controls, to ensure that they remain robust. The review covered the financial year to 12 September 2020 and the period to the date of approval of the 2020 annual report. The review included:
- the annual risk management review, a comprehensive process identifying the key external and operational risks facing the group and the controls and activities in place to mitigate them, the findings of which are discussed with each member of the Board individually (refer to the risk management section on pages 84 to 90 of the 2020 annual report for details of the process undertaken); and
- the annual assessment of internal control, which, following consideration by the Audit Committee, provided assurance to the Board around the control environment and processes in place around the group, specifically those relating to internal financial control.
The Board evaluated the effectiveness of management’s processes for monitoring and reviewing risk management and internal control. No significant failings or weaknesses were identified by the review and the Board is satisfied that, where areas of improvement were identified, processes are in place to ensure that remedial action is taken and progress monitored.
The Board confirmed that it was satisfied that the systems and processes were functioning effectively and complied with the requirements of the 2018 Code.