Risk and internal control
The Board is responsible for the Group's system of internal control and for reviewing its effectiveness, whilst the role of management is to implement Board policies on risk and control. Such a system is, however, designed to manage rather than eliminate the risks of failure to achieve business objectives. In pursuing these objectives, internal controls can only provide reasonable assurance against misstatement or loss. The UK Corporate Governance Code recommends that the Board at least annually reviews the effectiveness of the Group's system of internal controls, including financial, operational and compliance controls and risk management. The Board has conducted reviews of the effectiveness of the system of internal controls through the processes described below and is satisfied that it accords both with the Code and with the Turnbull Guidance. In accordance with IAA recommendations, a comprehensive external review of the effectiveness of the Internal Audit function was undertaken by PricewaterhouseCoopers during the year. Subject to this review and during the course of its own review of the system of internal control, the Board has not identified or been advised of any failings or weaknesses which it has determined to be significant; therefore a confirmation in respect of necessary actions has not been considered appropriate.
A description of the Group's principal risks and uncertainties can be found on pages 21 to 24 of the Review of Operations and Finance in the 2012 Annual Report.
The Board can confirm that, for the 2012 financial year and up to the date of approval of the Annual Report and financial statements, there has been an ongoing process for identifying, evaluating and managing the significant risks faced by the Group which is reviewed regularly by the Board and accords with the Turnbull Guidance. Under the guidance of the Chief Financial Officer, it is the responsibility of the Executive Committee to review the effectiveness of the risk management process and internal controls on behalf of the Board. The Executive Committee regularly reports to the Board on how risks are being managed. In addition, there is a mechanism in place to report significant control breakdowns or risk occurrences to the Executive Committee. An ongoing process for the effective management of risk has been defined by the Board and is embedded throughout the various tiers of the organisation. It is operated in the following stages:
- Each operating division and central function identifies key risks through the adoption of both a "bottom-up" and "top-down" process. These key risks are regularly reviewed by the senior management team in each division. The key risks to each business area's objectives are identified and scored for probability and impact. The key controls to manage the risks to the desired level are identified.
- A local database of risks and controls is maintained within each operating division and central service function. This is consolidated into a central register which becomes the key risk register for the Group. The Group Risk department facilitates the identification of these risks and provides an independent appraisal of the interpretation of the scoring mechanism, to ensure that the key risks are brought forward to the Executive Committee. The Executive Committee then reviews the key risks to assess the effectiveness of the risk management strategies.
- The senior management team within each division and within the central functions are responsible for the ongoing review of their functions' risk registers. Internal and external changes that affect the risks or their importance to the business, and any risk occurrences, are regularly reported upwards through their register to the Executive Committee.
- Key risks and their management and any areas for improvement are regularly reported to and discussed at the Executive Committee.
- A review of the risk process and risk management systems is undertaken by the Audit Committee annually.
- Key risks arising within the business are formally discussed by the Group Board every six months given that overall risk is a matter reserved for the Board as a whole.
- In order to gain assurance that the Group's risk process is effective, a periodic review of both the Audit and Risk Process is conducted by an appropriately qualified and experienced external assurance service provider. This is conducted every five years and was undertaken during 2012. The Audit Committee were satisfied with the conclusions of the review.
The Group has an established framework of internal controls, which includes the following key elements:
- The Board reviews Group strategy and the executive management are accountable for their performance within the agreed strategy.
- The Group and its subsidiaries operate control procedures designed to ensure complete and accurate accounting of financial transactions, and to limit exposure to loss of assets or fraud. Measures taken include physical controls, segregation of duties in key areas and periodic Internal Audit reviews.
- The Audit Committee meets regularly and its responsibilities are set out in the Audit Committee Report. It receives reports from the Internal Audit function on the results of work carried out under an annually agreed audit programme. The Audit Committee has full and independent access to the internal and external auditors.
- Internal Audit facilitates a process whereby operating entities provide certified statements of compliance with specified and appropriate key financial controls. These controls are then cyclically tested by the Internal Audit Department to ensure they remain effective, and are being consistently applied.
- The Audit Committee will annually assess the effectiveness of the assurance provided by the internal and external auditors. Every five years, an external assessment will be undertaken with regard to the assurance provided by the Internal Audit department. An external review was undertaken by PricewaterhouseCoopers in 2012.