The process
Our process of defining, assessing, classifying and monitoring risks is set out below.
Defining the risks
Various levels of management in each operating company define risks at project, process, operational, tactical and strategic levels. The Board sets the levels of risk tolerance yearly.
Assessing the impact of the risks on the organisation should they happen
Risks are assessed based on their potential impact on the business (customers, business systems, employees), financial position and reputation. A level 1 risk is seen as insignificant and level 5 is catastrophic. For example, if more than half of our customers would be impacted by the risk, it would be classified as level 5.
Assessing the likelihood of the risks happening
Risks are assessed based on the likelihood of them happening after taking into account controls in place to mitigate them. Again, we use a scale from 1 to 5, where 1 is ‘never’ and 5 is ‘almost certain’. When we rate a risk ‘5’, it means the controls in place will not prevent the risk from happening due to factors outside our control.
Classifying the risks
We classify risks as critical, high, medium and low based on their impact and their likelihood of occurring. Where a risk has a high likelihood of occurring and the impact on our business, financial position or reputation is high, it would be considered critical.
Monitoring and reporting the risks
We capture well over 2 000 operational, tactical and strategic risks across the Group in our risk system, Cura. We manage risks continually and review them quarterly. We also involve internal audit and report back to the Group’s Audit, Risk and Compliance Committee and the Board quarterly.