The Board has overall responsibility for the Company’s system of risk management and internal control and for reviewing its effectiveness, whilst the role of management is to implement the Board’s policies on risk and control and provide assurance on compliance with these policies. Such a system is, however, designed to manage or mitigate rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.
Internal controls kept under review by the Audit Committee
Internal Risk Committee monitors risks across the business
Risk management
The Board confirms that there is an ongoing process for identifying, evaluating and managing significant risks faced by the Company, including those risks relating to social, environmental and ethical matters. This process was in place throughout the year under review and up to the date of approval of the Annual Report and accords with the revised guidance on internal control published in October 2005 (‘the Turnbull Guidance’).
The Audit Committee has kept under review the effectiveness of the system of internal control and has reported regularly to the Board. The Audit Committee has also carried out a specific review of the effectiveness of the system of internal control for the purpose of this Annual Report. This assessment considered all significant aspects of internal control arising during the period covered by this report including the work of internal audit. During the course of this review, the Audit Committee has not identified nor been advised of any failings or weaknesses which it has determined to be significant. Therefore a confirmation in respect of necessary actions has not been considered appropriate.
The key features of the risk management process are as follows:
- the Company has an internal Risk Committee responsible for monitoring risks across the business;
- the business conducts half-yearly risk assessments based on identified business objectives, which are reviewed and agreed by its executive management. Risks are categorised into strategic, operational, financial and compliance and are evaluated in respect of their potential impact and likelihood. These risk assessments are updated and reviewed quarterly by the Risk Committee and are reported to the executive management and Audit Committee;
- the business risk assessment forms one of the bases for determining the internal audit plan. Audit reports in relation to areas reviewed are discussed with the Risk Committee and agreed with the Audit Committee; and
- the internal audit team meets annually with senior executives in order to complete a formal certification of the effectiveness of internal controls. These certificates are submitted to the Risk Committee. A Certificate is also provided by the Risk Committee to the Audit Committee, to assist the Board in conducting its annual review of the effectiveness of internal controls in compliance with Turnbull guidance.
Internal control
a) Financial controls
The Company has an established framework of internal financial controls, the effectiveness of which is regularly reviewed by the executive management and the Board. The key elements of this are as follows:
- the Board is responsible for overall Company strategy, for approving revenue and capital budgets and plans, for approving major acquisitions and disposals and for determining the financial structure of the Company, including treasury and dividend policy. Monthly results, variances from plan and forecasts are reported to the Board;
- the Board has established an organisational structure with clearly defined lines of responsibility and controls at all levels of management across the business, identifying transactions requiring approval by the Board or by the Approvals Committee. The Approvals Committee, which comprises the Group Chief Executive and Group Finance Director, and for commercial transactions the relevant member of the executive management, is authorised by the Board to approve routine matters within agreed financial limits. The Finance Director is responsible for the functional leadership and development of the Company’s finance activities;
- the Audit Committee assists the Board in the discharge of its duties regarding the Company’s financial statements, accounting policies and the maintenance of proper internal financial controls. The Committee provides a direct link between the Board and the external auditors;
- the internal audit function advises and assists business management to establish and maintain adequate financial controls and reports to the executive management, Risk and Audit Committees on the effectiveness of those controls;
- there is a comprehensive system for budgeting and planning and for monitoring and reporting the performance of the Company’s business to the Board. Monthly results are reported against budget and prior year, and forecasts for the current financial year are regularly revised in the light of actual performance. These cover profits, cash flows, capital expenditure and balance sheets;
- the Company carries out a full appraisal of all major investment projects;
- executive management has defined the financial controls and procedures with which the business is required to comply. Key controls over major business risks include reviews against performance indicators and exception reporting, and the preparation of monthly management accounts; and
- monthly reports are prepared to cover treasury activities and risks, for review by senior executives, and annual reports are prepared for the Board and Audit Committee covering treasury policies, pensions and insurance.
b) Non-financial controls
The Company has established a range of non-financial controls covering areas such as service levels to customers, health and safety, environment, employment and business continuity, the effectiveness of which is regularly reviewed by the executive management and the Board. The key elements are as follows:
- the business monitors service through rigorous key performance indicators at every location. Summary level data is provided to the Board on a monthly basis;
- the business commissions independently conducted surveys to establish levels of customer satisfaction and action plans are created for any significant issues that arise;
- the business has strict guidelines for the use of confidential customer data;
- a corporate responsibility programme has been approved by the Board to address the impact our activities have on the environment, workplace, marketplace and community;
- the Company has established a Corporate Responsibility Committee to take responsibility for reviewing performance in delivering corporate responsibility objectives and annual updates are provided to the Board;
- the Company has established a Code of Business Conduct which takes into account the interests of all stakeholders;
- the Company is committed to maintaining high standards of health and safety in all its business activities. These standards are set out in the Company’s Health and Safety Policy, which is reviewed annually by the Board. The Risk Management team works with the business to assess health and safety risks and introduce systems to mitigate them. Details of major business incidents are reported to the Risk and Audit Committees and all notified accidents are investigated;
- the Board has approved an Environmental Policy which is reviewed annually;
- the Company is committed to ensuring that its personnel meet high standards of integrity and competence. The Company’s systems cover the recruitment, training and development of personnel, an appropriate division of responsibilities and the communication of Company policies and procedures throughout the organisation; and
- business recovery plans exist to enable the business to continue with minimum disruption to customers in the event of a disaster. These plans are reviewed by the Risk Committee.