Internal control and risk management

Directors' responsibility for internal control

The directors are responsible for the Group’s system of internal control and for maintaining and reviewing its effectiveness from both a financial and an operational perspective. The system of internal control is designed to manage, rather than eliminate, the risk of failure to achieve business objectives and to provide reasonable but not absolute assurance against material misstatement or loss. The Group’s approach to internal control is based on the underlying principle of line management's accountability for control and risk management.

In reviewing the effectiveness of the system of internal control, the Board has taken account of the results of the work carried out to audit and review the activities of the Group.

There is an ongoing process to identify, assess and manage risk, including those risks affecting the Group’s reputation. This process is subject to continuous improvement and has been in place throughout the financial year to which these statements apply and up to the date of their approval. In 2008, the effectiveness and consistency of risk management at all levels of the organisation have been measured, improved and reported via the sector and function assurance framework.

The Board has reviewed the risk management process and confirms that ongoing processes and systems ensure that the Group continues to be compliant with the Turnbull guidance as contained in ‘Internal Control: Guidance for Directors on the Combined Code’.

Organisation structure

The Group has a clearly defined organisation structure within which operational management has detailed responsibilities and levels of authorisation, supported by written job descriptions and operating manuals.

The risk management system

The risk management system is an integral part of management’s approach to delivering business objectives and is a systematic process designed to identify, assess, treat, manage and communicate risks.

The risk management process

Risks are recorded in regularly updated risk registers operating at all levels of the organisation and are continuously reviewed and monitored. The risk management process places significant emphasis on learning from and sharing prior experience. The system provides methods for escalation and delegation to the appropriate levels within the organisation and ensures that actions are owned, defined, resourced and effective.

The risk escalation process

Risks may arise from a variety of internal and external sources. They may be associated with regulations, customer requirements and competitor actions, or could result from the capability of the processes used to execute the business, or from external and largely unpredictable events, such as terrorist activity or war. The principal risks and uncertainties for the Group are shown on these pages.

Risks, irrespective of source, are managed through processes operated by business unit and functional teams. The corporate risk register is updated and reviewed by the risk committee twice a year so that the Board may then consider and review these risks in terms of their potential impact.

Management has continued to perform comprehensive risk reviews for all key projects, programmes and business change plans.

All the processes operated by the Group are subject to continuous improvement, including the risk management process itself. Development and deployment of the process is the responsibility of a dedicated Enterprise Risk Management team. The team has created a comprehensive framework for the assessment of risk management maturity at all levels throughout the organisation that enables focused improvement actions and drives consistent application of the risk management process throughout the Group.

The risk process is underpinned by an integrated range of tools and training and education programmes. Deployment of an enterprise-wide risk management software application enables the analysis, management and communication of risks across the business. A network of risk champions, mentors and facilitators helps to develop, embed and share best practice throughout the organisation.

Systems of internal control

The general managers of individual businesses are aware of their responsibility to operate systems of internal control which provide reasonable assurance of effective and efficient operations, reliable financial information and compliance with laws and regulations. Financial managers are required to acknowledge in writing that their routine financial reporting is based on reliable data and that their results are properly stated in accordance with Group requirements.

The Group has a comprehensive budgeting system with an annual budget approved by the Board. Revised forecasts for the year are reported at least quarterly. Actual results are reported monthly against budget and variances reviewed.

The activities of the Group are subject to review by the Department of Risk, including business assurance and product introduction and life cycle management, and the assurance functions of Health, Safety and Environment, Quality and Engineering. These functions operate to work programmes agreed by the appropriate Board member.

The business assurance function, which works closely with the external auditors, undertakes a programme of financial and operational audits and reviews agreed by the audit committee and covering all Group activities. The programme includes independent reviews of the systems of internal control and risk management. The findings and the status of corrective actions taken to address these are reported in writing to both the audit and risk committees twice a year.