Strong and effective risk management is at the heart of how the directors run the business and supports the achievement of the Group's strategic objectives.
Our key focus areas in 2020
The impact of the COVID-19 pandemic on the Group became an emerging risk in Q4 of FY20 and is now a principal risk (see specific 'COVID-19' risk below). We have implemented our business continuity plans and our primary focus has been on the health, safety and wellbeing of all employees, clients and the wider public, together with protecting the financial strength of the Group. To date we have coped well with the challenges presented by COVID-19. Our factories are operational and, after some temporary interruptions, all of the Group's construction sites are open. Strict precautions are in place in both factories and sites including enhanced levels of cleaning, additional hygiene facilities and social distancing. During the crisis we are holding regular update calls with our executive team and board focussing on the impact of the crisis on the Group.
The risks associated with Brexit remain due to there being no clarity on the long-term trading relationship with the EU. Although the UK entered the standstill transition period on 31 January 2020, uncertainty over the longer-term trade issues could remain until 31 December 2020 and potentially beyond. We have amended our principal risk descriptions accordingly (see 'commercial and market environment' below). We continue to monitor developments closely and specific risks and related mitigations are kept under review by the executive committee.
Another area of focus has been cybersecurity risk and we have continued to invest in additional security to seek to mitigate the risk and impact of a significant security breach.
Our future priorities for 2021
Some of our main priorities (and emerging risks) this year will be:
- Continued development and implementation of plans to ensure the best possible outcomes to the uncertainty created by the COVID-19 crisis;
- Continued identification and mitigation of environmental, social and governance ('ESG') risks; and
- Continued focus on staff engagement and culture in order to maintain good industrial relations.
Changes to principal risks
The following changes have been made to the Group's principal risks in 2020:
- COVID-19 risk (the effect of the disease itself on the health and safety of our people, the financial impact of implementing social distancing measures across our business and the economic slowdown that has resulted from the measures taken in the UK and abroad to combat the virus) was added as a new risk to our Group risk register in 2020 and has been classified as a high risk.
Other principal risks remain largely unchanged from last year. Changes have also been made to the detailed descriptions of mitigation to reflect ongoing activity in the year. In its risk reviews, the Group has not identified any significant environmental, social or governance risks to the Group's short and long-term value.
The level of risk it is considered appropriate to accept in achieving the Group's strategic objectives is reviewed and validated by the board. The appropriateness of the mitigating actions is determined in accordance with the board-approved risk appetite for the relevant area.
The organisation's approach is to minimise exposure to reputational, financial and operational risk, while accepting and recognising a risk and reward trade-off in the pursuit of its strategic and commercial objectives. Operating in the construction industry, the reputation of the Group is imperative to its continued success and cannot be risked. Consequently, it has a zero tolerance for risks relating to health and safety. However, management recognises that certain strategic, commercial and investment risks will be required to seize opportunities and deliver growth in line with the Group's strategic objectives.
The Group establishes its risk appetite through use of delegated authorities so that matters considered higher risk require the approval of senior management or the board. These include, but are not limited to, tender pricing, bid submissions, approval of contract variations and final account settlements, capital requirements, procurement, and certain legal and strategic matters.
Risk management process
The board has overall responsibility for the Group's risk management and systems of internal control and for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. An ongoing process has been established for identifying, evaluating and managing the significant risks faced by the Group. This includes emerging risks such as the ever-changing nature of the risks that we characterise as 'COVID-19', 'information technology resilience' and Brexit risk, classified within 'commercial and market environment'.
The audit committee, on behalf of the board, formally reviews principal and emerging risks and mitigations for the Group and each of the businesses on a biannual basis. The key elements of this risk management process are:
- Senior management from all key disciplines and businesses within the Group continue to be involved in the process of risk assessment and monitoring in order to identify and assess Group objectives, key issues, emerging issues and controls. Further reviews are performed to identify and monitor those risks relevant to the Group as a whole. This process feeds into our assessment of long-term viability and encompasses all aspects of risk, including operational, compliance, financial, strategic, and ESG issues. Regular updates are being made to our risk management of the COVID-19 crisis.
- Identified risk and emerging risk events, their causes and possible consequences are recorded in risk registers. Their likelihood and potential business impact and the control systems that are in place to manage them are analysed and, if required, additional actions are developed and put in place to mitigate or eliminate unwanted exposures. Individuals are allocated responsibility for evaluating and managing these risks within an agreed timetable.
- Ongoing risk management and assurance is provided through various monitoring reviews and reporting mechanisms, including the executive risk committee (chaired by the chief executive officer) which convenes on a weekly basis and has the primary responsibility to identify, monitor and control significant risks to an acceptable level throughout the Group. The committee receives information on relevant risk matters from a variety of sources on a regular basis.
- Subsidiary company boards consider and report on risk on a monthly basis as part of the monthly business review process. In doing so they identify emerging risks. This process is followed to ensure that, as far as possible, the controls and safeguards are being operated in line with established procedures and standards.
- On a quarterly basis, the significant risks identified by the Group's businesses are discussed in detail with each management team. In addition, the chief executive officer, Group legal director and Group IT director meet on a quarterly basis to review IT risks facing the Group. The outcome of these discussions is collated and reported to the executive committee.
- The risk registers of each business, together with the Group IT risk register, are updated and, together with a consolidated Group risk register compiled by the executive committee, are reported to the audit committee twice yearly, to ensure that adequate information in relation to risk management matters is available to the board and to allow board members the opportunity to challenge and review the risks identified and to consider in detail the various impacts of the risks and the mitigations in place.
- A Group assurance map is used to co-ordinate the various assurance providers within the Group and a compliance framework provides the board with a ready reference tool for monitoring compliance across the Group.
Three lines of defence
The Group manages risk by operating a 'three lines of defence' assurance model (management activity, Group oversight and independent review), which is mapped against the Company's principal risks. This process is summarised in the Group assurance map.
A. First line of defence:
The first line of defence involves senior management implementing and maintaining effective internal controls and risk management procedures. These internal controls cover all areas of the Group's operations. There are inherent limitations in any system of internal control and, accordingly, even the most effective system can provide only reasonable, and not absolute, assurance against material misstatement or loss. The system is designed to manage rather than eliminate the risk of failure to achieve the Group's objectives. The Group's policies and procedures are continuously under review and improved to ensure they are adequate for our current circumstances.
The key features of the Group's framework of internal controls are as follows:
Project management procedures
Project risk is managed throughout the life of a contract from the tender stage to completion. Individual tenders for projects are subject to detailed review with approvals required at relevant levels and at various stages from commencement of the tender process through to contract award. Tenders above a certain value and those involving an unusually high degree of technical or commercial risk must be approved at a senior level within the Group.
Robust procedures exist to manage the ongoing risks associated with contracts. Regular monthly contract reviews to assess contract performance, covering both financial and operational issues, form an integral part of contract forecasting procedures.
In 2020 we continued the roll-out of our project risk management framework ('PRMF') to ensure consistency and good practice across the Group in managing project risk.
Health and safety
SHE issues and risks are continually monitored at all sites and are reviewed on a monthly basis by senior management and the board. The Group has a well-developed health and safety management system for the internal and external control of health and safety risks which is managed by the Group SHE director. This includes the use of risk management systems for the identification, mitigation and reporting of health and safety management information.
The Group maintains a strong system of accounting and financial management controls. Standard financial control procedures operate throughout the Group to ensure the integrity of the Group's financial statements.
The Group operates a comprehensive budgeting and forecasting system. Risks are identified and appraised throughout the annual process of preparing budgets. The annual budget and quarterly forecasts are approved by the board.
A formal quarterly review of each business's year-end forecast, business performance, risk and internal control matters is carried out by the directors of each business unit with the chief executive officer, Group finance director and chief operating officer in attendance.
Cash and working capital management
Cash flow forecasts are regularly prepared to ensure that the Group has adequate funds and resources for the foreseeable future and is in compliance with banking covenants. Each business reports its cash position daily. Actual cash performance is compared to forecast on a weekly basis.
B. Second line of defence:
The first line of defence is supported by certain Group policies, functions and committees which, in combination, form the second line of defence.
Internal controls across financial, operational and compliance systems are provided principally through the requirement to adhere to the Group finance manual, divisional procedures and a number of Group-wide policies (such as the Group authorisation policy, the contract sign-off process, the purchase guidelines, the anti-bribery policy, the Competition Law compliance policy, the quality manual, the health and safety policy and the environmental policy). During the year, we were audited successfully on our ISO 27001 accreditation for our information security management system. This continues to give further assurance as to the Group's resilience to cyber risk, which is a subject that has also been discussed at main board level.
These policies are supported by statements of compliance from all directors and letters of assurance ('LoA') from the Group's four managing directors. LoAs are required twice yearly, one at 30 September and one at 31 March, supported by an internal control questionnaire ('ICQ') which is completed by each business unit and which provides a detailed basis for management to satisfy themselves that they are complying with all key control requirements. The responses in these ICQs are subject to ongoing independent review by PwC, the Group's internal auditor.
The following main committees provide oversight of management activities:
The executive committee, risk committee and safety leadership team
These committees are responsible for the identification, reporting and ongoing management of risks and for the stewardship of the Group's risk management approach.
The audit committee
The board has delegated responsibility to this committee for overseeing the effectiveness of the Group's internal control function and risk management systems.
The nominations committee
This committee ensures that the board has the appropriate balance of skills and knowledge required to assess and address risk and that appropriate succession plans are in place.
C. Third line of defence:
The third line of defence represents independent assurance which is provided mainly by the internal auditor, external auditor and various external consultants and advisers. External consultants and advisers support management and the board through ad hoc consulting activities, as required.
The audit committee annually reviews and approves the PwC internal audit programme for the year. The committee reviews progress against the plan at each of its meetings, considering the adequacy of audit resource, the results of audit findings and any changes in business circumstances which may require additional audits.
The results of internal audits are reported to the executive team and senior management and, where required, corrective actions are agreed. The results of all audits are summarised for the audit committee along with progress against agreed actions.
Annual review of effectiveness
The risk management and internal control systems have been in place for the year under review and up to the date of approval of the annual report and are regularly reviewed by the board. The board monitors executive management's action plans to implement improvements in internal controls that have been identified following the processes described above.
The board confirms that it has not identified any significant failings or weaknesses in the Group's systems of risk management or internal control as a result of information provided to the board and resulting discussions.