Effective risk management underpins the delivery of our objectives. It is essential to protecting our reputation and generating sustainable shareholder value.
Risk management and internal control
Effective risk management underpins the delivery of the Group’s objectives. It is essential to protecting its reputation and generating sustainable shareholder value. Balfour Beatty aims to identify key risks at an early stage and develop actions to eliminate them or mitigate their impact and likelihood to an acceptable level. The Board has applied principle C2 of the UK Corporate Governance Code by embedding continuous risk management processes throughout the Group at all levels which form an integral part of day-to-day business activity. They are designed to help management to identify and understand the risks they face in delivering business objectives and the status of the key controls in place for managing those risks.
Roles and responsibilities
The Board is responsible for Balfour Beatty’s system of risk management and internal control. It sets the Group’s appetite for risk in pursuit of its strategic objectives, and the level of risk that can be taken by Group, divisional and business unit management without specific Board approval. Group policies and delegated authority levels set by the Board provide the means by which risks are reviewed and escalated to the appropriate level within the Group, up to and including the Board, for consideration and approval.
Risk management process
Our risk management policy requires that all divisions and those business units within them identify and assess the risks to which they are exposed and which could impact the ability to deliver their, and the Group’s, objectives.
Identified risk events, their causes and possible consequences are recorded in risk registers, with details of the likelihood and potential business impact and the control systems in place to manage them analysed and, if required, additional actions developed and put in place to mitigate or eliminate unwanted exposures; and individuals allocated responsibility for evaluating and managing these risks to an agreed timescale.
The Group sets its risk appetite by calibrating its delegations of authority and the triggers for matters requiring Group senior management or Board approval. In relation to bidding, this means that projects above a certain value, with certain features that import certain risks or involve a move into new markets or work types, require approval by the Group Tender and Investment Committee, with divisions having a delegated level of authority as well as their own approval and risk management committees and triggers.
Reporting structures ensure that risks are monitored continually, mitigation plans are reviewed and significant exposures are escalated – from project level to business unit management to divisional and Group senior management.
A range of procedures is used to monitor the effectiveness of internal controls, including management assurance, risk management processes and independent assurance provided by internal audit and other specialist third parties.
In May 2014, significant revisions were made to divisional risk reporting, including the Group Commercial and Risk function playing a more proactive role to encourage responsible reporting and ownership of risk. Other revisions include greater coordination of commercial and more general business risk and assurance reporting, attendance on divisional risk committees, greater frequency and breadth of site visits to specific projects and robust, structured and intrusive meetings being held with divisional assurance and commercial leads to interrogate their risk reports.
Increased interrogation and coordination of risk reporting will continue throughout 2015 with the Group Commercial and Risk functions seeking to further integrate the analysis of commercial and general business risk and their controls.
The Board has ultimate responsibility for the Group’s risk management systems and internal control, and regularly reviews their effectiveness.
The Group’s systems and controls are designed to ensure that the Group’s exposure to significant risk is managed properly, but the Board recognises that any system of internal control is designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement or loss. In addition, not all the material joint ventures in which the Group is involved are treated, for these purposes, as part of the Group. Where they are not, systems of internal control and risk management are applied as agreed between the partners to the joint venture.
Central to the Group’s systems of internal control are its processes and framework for risk management. These align with the Internal Controls: Guidance to Directors (previously known as the Turnbull Guidance) on internal controls and were in place throughout 2015 and up to the date of signing the 2015 Annual Report. The Group’s systems of internal control operate through a number of different processes, some of which are interlinked.
- a clear system of delegated authorities from the Board to management with certain matters reserved by the Board
- the annual review of the strategy and plans of each division and of the Group as a whole in order to identify the risks to the Group’s achievement of its overall objectives and, where appropriate, any relevant mitigating actions
- monthly financial reporting against budgets and the review of results and forecasts by executive Directors and management, including particular areas of business or project risk. This is used to update management’s understanding of the environment in which the Group operates and the methods used to mitigate and control the risks identified
- individual tender and project review procedures starting at the business unit and progressing to divisional and Board Committee levels if value, or perceived exposure, exceeds certain thresholds
- regular reporting, monitoring and review of the effectiveness of health, safety and environmental processes. These processes are subject to independent audit and certification to internationally recognised standards
- the review and authorisation of proposed investment, divestment and capital expenditure through the Board’s Committees and the Board itself
- specific policies set out in the Group Finance Manual covering the financial management of the Group, including arrangements with the Group’s bankers and bond providers, controls on foreign exchange dealings and management of currency and interest rate exposures,insurance, capital expenditure procedures, application of accounting policies and financial controls
- legal compliance risks which are addressed through specific policies and training on such matters as ethics, competition and data protection laws
- Group-wide risk management standards which are embedded throughout the Group
- reviews and tests by the internal audit function of critical business financial processes and controls and specific reviews in areas of perceived high business risk
- the Group’s ethics helpline and other channels by which staff are encouraged to raise concerns, in confidence, about possible breaches of the Code of Conduct, improprieties on matters of financial reporting and other issues.
These systems are extended, as soon as possible and as appropriate, to all businesses joining the Group.
Each of the divisional CEOs is responsible for ensuring that a comprehensive framework of assurance (including internal audit) exists within his or her division and business units which is in accordance with Group requirements.
The Board continued to assess the effectiveness of the risk management processes and internal controls during 2014 and to the date of this report. Such assessment is based on reports made to the Board, the Audit, Risk & Assurance Committee and the Safety & Sustainability Committee, including:
- the results of internal audit’s reviews of internal financial controls
- a Group-wide certification that effective internal controls had been maintained or, where any significant non compliance or breakdown had occurred with or without loss, that appropriate remedial action has been or is being taken
- a paper prepared by management on the nature, extent and mitigation of significant risks and on the systems of internal controls.