Effective risk management underpins the delivery of our objectives. It is essential to protecting our reputation and generating sustainable shareholder value.
Risk management and internal control
The Board recognises that successful delivery of the Group’s strategic and day to day objectives is underpinned by a comprehensive and consistent assessment of relevant risks. Effective, agile and universally applied risk management principles enable the Group to accurately examine its risk profile against its accepted attitude and appetite, limit its exposure to unacceptable risk and ensure long-term viability. Once key risks to delivering value to the Group and its stakeholders are identified a decision is made to treat, tolerate, terminate or transfer potential exposure. For more information, refer to pages 55 to 66 of the 2018 Annual Report.
The Board is committed to meeting the relevant requirements of the UK Corporate Governance Code and has applied the principles of the Code in establishing procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the Group is willing to take in order to achieve its long-term strategic objectives.
Roles and responsibilities
The Board is responsible for the implementation and oversight of Balfour Beatty’s risk management framework and examining and verifying the internal control environment. It sets the Group’s appetite for and attitude towards risk in pursuit of its agreed strategic objectives and drives an effective risk management culture. The Board directs the level of risk that can be taken by Group, strategic business unit and individual business unit management without specific approval. Group policies, procedures and delegated authority levels set by the Board provide the structure in which risks are reviewed and escalated to the appropriate level within the Group, up to and including the Board, for consideration and approval.
The roles and responsibilities of the Board, its Committees, strategic business unit and individual business unit management are set out on page 80 of the 2018 Annual Report.
Risk management process
Mandated by the Balfour Beatty’s risk management policy, all business units are responsible for ensuring that effective arrangements, and management controls, are established and implemented for the management of risk. The Group’s hierarchy of risk management is to prioritise reduction in the likelihood of risk events occurring, mitigate the adverse impact where this is not possible and identify opportunities where taking risks might benefit the business. Balfour Beatty is relentless in ensuring that a positive risk management culture remains embedded at all levels.
When pursuing new opportunities, an assessment of risk forms a key part of the work winning process within the Gated Business Lifecycle. Risks are continuously assessed throughout the lifetime of each project to ensure potential exposure remains within an accepted tolerance.
Additionally, the Board issued updated and more detailed delegated authority levels in 2018 which act as triggers for the escalation of matters requiring approval. In relation
to work winning, this means projects above a certain value, or those with unusual characteristics, such as a move into new markets, require approval by the Group Tender and Investment Committee or the Board, as appropriate.
Escalation and reporting structures ensure that risk oversight is rigorously applied at all levels of the business from operational review through to scrutiny by the Executive Risk Steering Group and the Board.
To be effective it is vital that the Group’s approach to risk management remains reflective of the shape and direction of the business and the wider industry. In 2018 the Group Risk Register was completely refreshed, recategorised and reassessed and a key risk and control statement was drafted for review by the Group Chief Executive. To ensure a consistent application of the Group’s risk management expectations the links between the central risk team and business units were strengthened and a bespoke risk assessment and escalation tool was developed with extensive input from the wider business.
The Board has ultimate responsibility for the Group’s risk management systems and internal control and regularly reviews their effectiveness. The Group’s systems and controls are designed to ensure exposure to significant risk is both understood and appropriately managed. The Board recognises that any system of internal control is designed to identify and control rather than eliminate risk and can only provide reasonable and not absolute assurance against material misstatement or loss. In addition, not all the material joint ventures in which the Group is involved sit wholly within Balfour Beatty’s internal control environment. Where this is the case, separate systems of internal control and risk management are applied as agreed between the joint venture partners.
Central to the Group’s systems of internal control are its processes and framework for risk management. These align with the Financial Reporting Council’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and were in place throughout 2018 and up to the date of signing this report. The Group has a thorough understanding of its risk exposures and has mapped out its assurance network accordingly. Topics covered by Policies, Standards and Expectations include but are not limited to:
- a fully revised and reissued system of delegated authorities from the Board to management with certain matters reserved by the Board
- monthly financial reporting against budgets and the review of results and forecasts by executive Directors and management, including particular areas of business or project risk. This is used to update management’s understanding of the environment in which the Group operates and the methods used to mitigate and control identified risks
- annual review of the strategy and plans of each business and of the Group as a whole to identify risks to the achievement of objectives and, where appropriate, any relevant mitigating actions
- specific policies set out in the Group Finance Manual covering the financial management of the Group, including arrangements with the Group’s bankers and bond providers, controls on foreign exchange dealings and management of currency and interest rate exposures, application of accounting policies and financial controls
- a comprehensive suite of policies, manuals and instructions setting out the requirements of the Group Finance function covering the financial management of the Group, including but not restricted to arrangements with the Group’s bankers and bond providers, controls on foreign exchange dealings and management of currency and interest rate exposures, application of accounting policies and financial controls
- risk management expectations which are embedded throughout the Group
- reviews and authorising of proposed investment, divestment and capital expenditure through the Board and Board Committees
- regular reporting, monitoring and review of the effectiveness of health, safety, environment and sustainability processes. These processes are subject to independent audit and certification to internationally recognised standards as appropriate
- legal and regulatory compliance risks which are addressed through specific policies and training on such matters as ethics, competition and data protection laws
- promotion of a culture of compliance with ethics and integrity responsibilities to help manage legal and reputational risks across the Group. An ethics helpline encourages staff to raise concerns, in confidence, about possible breaches of the Code of Conduct.
There is also an independent internal audit function that executes a risk-based programme of audit throughout the entire Group. All audit reports are shared with relevant business leaders in addition to being reviewed by the Audit and Risk Committee (see pages 82 to 84 of the 2018 Annual Report).
It is the expectation and requirement of the Board that business leaders ensure this comprehensive internal control environment (including internal audit) is embedded within their business units.
The Board’s assessment of the risk management processes and internal controls during 2018 is based on reports it received and those presented to the Audit and Risk Committee and the Safety and Sustainability Committee, including:
- the results of the internal audit function’s reviews of internal financial controls
- a Group-wide certification that effective internal controls had been maintained or, where any significant non-compliance or breakdown had occurred with or without loss, that appropriate remedial action has been or is being taken
- a paper prepared by management on the nature, extent and mitigation of significant risks and on the systems of internal controls.