Effective risk management underpins the delivery of our objectives. It is essential to protecting our reputation and generating sustainable shareholder value.
Risk management and internal control
Effective risk management underpins the delivery of the Group’s objectives and is an essential element of meeting the requirements of the UK Corporate Governance Code. By identifying and managing risk, the business is better able to protect its reputation, ensure long-term viability and generate sustainable shareholder value. Balfour Beatty identifies key risks at an early stage and applies mitigations within a strong internal control environment to eliminate them or mitigate their impact and likelihood to an acceptable level. The Board has applied principle C2 of the UK Corporate Governance Code by embedding continuous risk management processes throughout the Group at all levels which form an integral part of day-to-day business activity.
Roles and responsibilities
The Board is responsible for the implementation and oversight of Balfour Beatty’s system of risk management and internal control. It sets the Group’s appetite for and attitude to risk in pursuit of its strategic objectives and therefore the level of risk that can be taken by Group, strategic business unit and individual business unit management without specific Board approval. Group policies, procedures and delegated authority levels set by the Board provide the means by which risks are reviewed and escalated to the appropriate level within the Group, up to and including the Board, for consideration and approval.
Risk management process
Balfour Beatty’s risk management policy requires that all business units ensure that effective controls are established and implemented for the management of risk.
Identified risk events, their causes and possible consequences are recorded in risk registers, together with assessments of their likelihood and potential business impact. The controls in place to manage each risk event are assessed for effectiveness and, if required, additional actions are developed to bring exposure within the Group’s risk appetite. Each risk is allocated to a specific risk owner who is given the responsibility to manage the risk and its controls within an agreed timeframe.
For new projects, an assessment of risk forms a key part of the work winning Gates (1–4) within the Gated Lifecycle process (page 53) and risks are continuously assessed as projects evolve and progress.
Additionally, the Board sets and regularly reviews delegated authority levels which act as triggers for matters requiring senior management or Board approval. In relation to work winning, this means that projects above a certain value, or those that import particular uncertainties such as a move into new markets, require approval by the Group Tender and Investment Committee.
Reporting structures ensure that risks are monitored continually, mitigation plans are reviewed and significant exposures are escalated – from project level through the appropriate business unit review stages and, as appropriate, to Group senior management.
Further improvements to the risk management framework have been made throughout 2016 including significant strengthening to the process of assessing, managing and reporting risk. This progress is detailed on pages 53 to 55 of the 2016 Annual Report.
Increased rigour within risk management will continue in 2017 with renewed focus on risk impact quantification and escalation. These enhancements alongside the ongoing co-ordination between project, contract and business level risk analysis continue to drive risk awareness
The Board has ultimate responsibility for the Group’s risk management systems and internal control, and regularly reviews
The Group’s systems and controls are designed to ensure that the Group’s exposure to significant risk is managed appropriately. The Board recognises that any system of internal control is designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement or loss. In addition, not all the material joint ventures in which the Group is involved are treated, for these purposes, as part of the Group. Where they are not, systems of internal control and risk management are applied as agreed between the partners to the joint venture.
Central to the Group’s systems of internal control are its processes and framework for risk management. These align with Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and were in place throughout 2016 and up to the date of signing this report.
Guidance and policies have been issued and are continuously monitored to provide an interlinked and comprehensive internal control environment. Such topics include but are not limited to:
- a clear system of delegated authorities from the Board to management with certain matters reserved by the Board
- the annual review of the strategy and plans of each business and of the Group as a whole in order to identify the risks to the Group’s achievement of its overall objectives and, where appropriate, any relevant mitigating actions
- monthly financial reporting against budgets and the review of results and forecasts by executive Directors and management, including particular areas of business or project risk. This is used to update management’s understanding of the environment in which the Group operates and the methods used to mitigate and control the risks identified
- specific policies set out in the Group Finance Manual covering the financial management of the Group, including arrangements with the Group’s bankers and bond providers, controls on foreign exchange dealings and management of currency and interest rate exposures, application of accounting policies and financial controls
- Group-wide risk management standards which are embedded throughout the Group
- gateway reviews requiring risk, uncertainty and control assessment at all stages of project development and at all levels of the business from business unit level to Board Committee if value, or perceived exposure, exceeds certain thresholds
- reviews and tests by the internal audit function of critical business financial processes and controls and specific reviews in areas of perceived high business risk
- reviews and authorises proposed investment, divestment and capital expenditure through the Board’s Committees and
- regular reporting, monitoring and review of the effectiveness of health, safety, environment and sustainability processes. These processes are subject to independent audit and certification to internationally recognised standards as appropriate
- legal compliance risks which are addressed through specific policies and training on such matters as ethics, competition and data protection laws
- promotion of a culture of compliance with ethics and integrity responsibilities to help manage legal and reputational risks across the Group. An ethics helpline has been established to encourage staff to raise concerns, in confidence, about possible breaches of the Code of Conduct.
These systems are extended, as soon as possible and as appropriate, to all businesses joining the Group.
The Group also has an independent internal audit function that executes a risk-based programme of audit throughout the entire Group. All audit reports are shared with relevant business leaders in addition to being scrutinised by the Audit and Risk Committee (see pages 75 to 77).
It is the expectation and requirement of the Board that business leaders ensure that this comprehensive internal control environment (including internal audit) is embedded within their business units.
The Board continued to assess the effectiveness of the risk management processes and internal controls during 2016 and to the date of this report. Such assessment is based on reports made to the Board, the Audit and Risk Committee and the Safety and Sustainability Committee, including:
- the results of the internal audit function’s reviews of internal financial controls
- a Group-wide certification that effective internal controls had been maintained or, where any significant non-compliance or breakdown had occurred with or without loss, that appropriate remedial action has been or is being taken
- a paper prepared by management on the nature, extent and mitigation of significant risks and on the systems of