Effective risk management underpins the delivery of our objectives. It is essential to protecting our reputation and generating sustainable shareholder value.
Risk management and internal control
Balfour Beatty’s risk management policy demonstrates the Board’s commitment to meeting the relevant requirements of the Code. Through adoption of the policy, the Board accepts its responsibility to establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the Company is willing to take in order to achieve its long-term strategic objectives. The Board is also kept informed of any emerging risks the Group faces and the required responses as part of its ongoing system of monitoring and control reporting.
For more information on the principal and emerging risks faced by the Group see 2019 Annual Report pages 72 to 84.
Balfour Beatty’s approach to risk management aims to reduce the likelihood of risk events occurring, control the adverse impact of those events and identify opportunities where taking risks may benefit the Group. The Enterprise Risk Management (ERM) framework is integral to this approach and, as such, is under constant review as part of the ongoing monitoring of and response to changes to the Group’s risk profile.
Roles and responsibilities
The Board is responsible for the implementation and oversight of Balfour Beatty’s ERM framework and embedding an effective risk management culture. The Board establishes the Group’s risk attitude and appetite by directing the level of risk that can be taken by the Group and its strategic and individual business units without specific approval. Group policies, procedures and delegated authority levels set by the Board provide the structure within which risks are reviewed and escalated to the appropriate level, up to and including the Board, for consideration and approval.
The roles and responsibilities of the Board, its Committees, and strategic business unit and individual business unit management are set out on page 114 of the 2019 Annual Report.
Risk management systems
Balfour Beatty’s ERM framework comprises the policy, the operating standards and associated procedures to identify, assess, respond to and monitor risk. In the UK, all risk registers are now held on the bespoke Intelligent Risk Information System (IRIS), which allows for increased oversight and central review. In 2019, following the adoption of IRIS, the frequency of business-level risk register reviews was increased to enhance the Group’s efforts in optimising its ERM framework.
As part of the IRIS roll-out, over 4,000 employees undertook a bespoke eLearning module aimed at further promoting and embedding an effective culture of risk management. In 2020 this enhanced control will start to be deployed across the wider Group, beginning with the US Buildings business.
As mandated by Balfour Beatty’s risk management policy, all business units are responsible for ensuring that effective arrangements, and management controls, are established and implemented for the management of risk.
The Group’s hierarchy of risk management is to prioritise reduction in the likelihood of risk events occurring, mitigate the adverse impact where this is not possible and identify opportunities where taking risks might benefit the business. Balfour Beatty is relentless in ensuring that a positive risk management culture remains embedded at all levels.
Risk management is central to the work winning and project delivery process and an assessment of risk is mandated at each stage within the Gated Business Lifecycle (GBL), informing the decision on whether to proceed to the next stage. Heightened consideration is given to those risks which have the potential to influence a project’s ability to meet its objectives, including achieving expected contract targets and client expectations.
The Circles of Risk act as a prompt and provide early guidance on the identification of potential project-level risk themes as part of the decision-making process. For more information on the Circles of Risk see 2019 Annual Report page 72.
In addition, the Board’s delegated authority levels act as triggers for the escalation of matters requiring approval. In relation to work winning, this means projects above a certain value, or those with unusual characteristics such as a move into new markets, require approval by the Group Tender and Investment Committee or the Board, as appropriate.
Escalation and reporting structures ensure that risk oversight is rigorously applied at all levels of the business from operational review through to scrutiny by the Executive Risk Steering Group (ERSG) and the Board. The ERSG monitors any changes in the Group’s risk profile and its members act as the executive sponsor for risk management within their businesses and functions.
To be effective it is vital that the Group’s approach to risk management remains reflective of the shape and direction of the business and the wider industry. In 2019 the Group Risk Register was reviewed and refreshed as part of the biannual formal review of the Group’s risk profile to verify that all identified risks and associated controls have been appropriately assessed and have an allocated owner at senior management level.
The Board has ultimate responsibility for the Group’s internal control and risk management systems and regularly reviews their effectiveness. The Group’s systems and controls are held centrally on the Business Management System (BMS) and are designed to ensure exposure to significant risk is both understood and appropriately managed. The Board recognises that any system of internal control is designed to identify and control rather than eliminate risk and can only provide reasonable and not absolute assurance against material misstatement or loss. In addition, not all the material joint ventures in which the Group is involved sit wholly within Balfour Beatty’s internal control environment. Where this is the case, separate systems of internal control and risk management are applied as agreed between the joint venture partners.
Central to the Group’s systems of internal control are its processes and framework for risk management. These align with the Financial Reporting Council’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and were in place throughout 2019 and up to the date of signing this report. The Group has a thorough understanding of its risk exposures and has in place a key control statement.
Topics covered by policies, standards and expectations include but are not limited to:
- a comprehensive system of delegated authorities from the Board to management with certain matters reserved by the Board;
- monthly financial reporting against budgets and the review of results and forecasts by executive Directors and management, including particular areas of business or project risk. This is used to update management’s understanding of the environment in which the Group operates and the methods used to mitigate and control identified risks;
- annual review of the strategy and plans of each business and of the Group as a whole to identify risks to the achievement of objectives and, where appropriate, any relevant mitigating actions;
- a comprehensive suite of policies, manuals and instructions setting out the requirements of the Group finance function covering the financial management of the Group, including but not restricted to arrangements with the Group’s bankers and bond providers, controls on foreign exchange dealings and management of currency and interest rate exposures, application of accounting policies and financial controls;
- risk management expectations which are embedded throughout the Group and held on the BMS;
- enhanced systems for the management and reporting of risk which have been deployed throughout the Group;
- reviews and tests by the internal audit function of critical business financial processes and controls and specific reviews in areas of perceived high business risk;
- review and authorisation of proposed investment, divestment and capital expenditure through the Board and Board Committees;
- regular reporting, monitoring and review of the effectiveness of health, safety, environment and sustainability processes. These processes are subject to independent audit and certification to internationally recognised standards as appropriate;
- legal and regulatory compliance risks which are addressed through specific policies and training on such matters as business integrity, competition and data protection laws; and
- promotion of a culture of compliance with ethics and integrity responsibilities to help manage legal and reputational risks across the Group. A ‘Speak Up’ ethics helpline encourages staff to raise concerns, in confidence, about possible breaches of the Code of Conduct.
There is also an independent internal audit function that executes a risk-based programme of audit throughout the entire Group. All audit reports are shared with relevant business leaders in addition to being reviewed by the Audit and Risk Committee; see 2019 Annual Report pages 109 to 115.
It is the expectation and requirement of the Board that business leaders ensure this comprehensive internal control environment (including internal audit) is embedded within their business units.