Group ERM Process
The operating companies have adopted a common approach to ERM based on the development and management of their risk registers. This involves:
- Identification: Risks are identified by senior executives and categorised by reference to a common risk taxonomy.
- Assessment: Each major identified risk is assessed by two or more senior executives. Plausible scenarios in which the risk could eventuate are considered, and the impact of the risk is rated in six dimensions. The vulnerability of the entity to the risk is then rated according to a) the controls in place to prevent an occurrence, b) the readiness of the organisation to respond to any risk event and c) the degree to which the impact cannot be mitigated.
- Mitigation: Designated risk owners then consider the potential for further mitigation and propose action plans. These plans will be expected to reduce the Company’s vulnerability to this risk and improve its overall risk profile.
The results of this process are used to update the Company’s risk registers.
The SPACRMC also follows the above process. Risks it identifies that have a Group dimension may be considered by the GRMC, the Audit Committee and/or the Board and passed to operating companies, which are then responsible for mitigating these risks in their businesses.
The risk forums of the GRMC provide specialist oversight and support to the operating companies, assisting them in the ERM process and providing additional challenge where appropriate. They also advise the GRMC on emerging risks which may affect the Group, help to analyse risk events that have materialised and develop best practices for managing risks, in each case in areas within their respective remits.
The GRMC reviews Group and divisional risk registers and considers how effectively risks are managed. It issues policies to the operating companies and promotes risk culture across the Group. The GRMC reports to the Audit Committee, which reports to the Board. The Board may itself identify risks, providing an independent perspective of what concerns them. These risks are passed to the GRMC and to the operating companies for incorporation into their risk registers.
The ERM process is thus both top down and bottom up. The Board gives guidance on its risk priorities, the operating companies assess their own risks and the SPACRMC assesses Group risks. All of these are reported to the GRMC and consolidated into the Group risk register, which is then presented to the Audit Committee and the Board.
Risk management is an integral part of each stage of the business management process:
- Strategic planning is informed by the risk identification process which looks for opportunities as well as threats.
- Improving the risk profile is part of the budgeting and planning process.
- Delivery of action plans is included in the performance management process.
- Monitoring changes in the risk profile and its likely impact on the Company’s risk profile is part of the ongoing reporting process.
- A risk assessment is also conducted as part of due diligence for any major investment or transaction.