(Extracted from Annual Report 2023)
The Board acknowledges its responsibility to establish, maintain and review the effectiveness of the Group’s risk management and internal control systems. This responsibility is primarily fulfilled on its behalf by the Audit Committee as discussed on pages 105 to 106.
The foundation of strong risk management and internal control systems is dependent on the ethics and culture of the organisation, the quality and competence of its personnel, the direction provided by the Board, and the effectiveness of management.
Since profits are, in part, the reward for successful risk taking in business, the risk management and internal control systems are designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement or loss.
The key components of the Group’s control structure are as follows:
Culture: The Board believes that good corporate governance reflects the culture of an organisation. This is more significant than any written procedures.
The Company aims at all times to act ethically and with integrity, and to instill this behaviour in all its employees by example from the Board down. The Company has a Corporate Code of Conduct, which is posted on its website.
The Company is committed to developing and maintaining high professional and ethical standards. These are reflected in the rigorous selection process and career development plans for all employees. The organisation prides itself on being a long-term employer which instills in individuals, as they progress through the Group, a thorough understanding of the Company’s ways of thinking and acting.
Channels of communication are clearly established, allowing employees a means of communicating their views upwards with a willingness on the part of more senior personnel to listen. Employees are aware that, whenever the unexpected occurs, attention should be given not only to the event itself, but also to determining the cause.
Through the Company’s Corporate Code of Conduct, employees are encouraged (and instructed as to how) to report control deficiencies or suspicions of impropriety to those who are in a position to take necessary action. The Company has a Whistleblowing Policy and system for employees and those who deal with the Group to raise concerns, in confidence and with anonymity, where desired, about actual or suspected cases of impropriety in any matter related to the Group. The policy is available on the Company’s website.
The Company has an Anti-Bribery and Corruption Policy which sets out the Company’s policy and systems that promote and support compliance with applicable anti-bribery and corruption laws and regulations, and enhances the provisions relating to bribery and corruption in the Company’s Corporate Code of Conduct. The policy is available on the Company’s website.
Risk assessment: The Board of Directors and the management each have a responsibility to identify and analyse the risks underlying the achievement of business objectives, and to determine how such risks should be managed and mitigated.
The Company has implemented the three lines of defence model of risk governance which is designed to minimise conflicts of interest and ensure independent oversight of risk management. Details of the three lines of defence model are set out in the section of this annual report headed Risk Management.
Management structure: The Group has a clear organisational structure that, to the extent required, delegates the day-to-day responsibility for the design, documentation and implementation of procedures and monitoring of risk. Individuals appreciate where they will be held accountable in this process.
A control self-assessment process requires management to assess, through the use of detailed questionnaires, the adequacy and effectiveness of risk management and internal controls over the reliability of financial reporting, the effectiveness and efficiency of operations and compliance with applicable laws and regulations. This process and its results are reviewed by internal auditors and form part of the Audit Committee’s annual assessment of control effectiveness.
Controls and review: The control environment comprises policies and procedures intended to ensure that relevant management directives are carried out and actions that may be needed to address risks are taken. These may include approvals and verifications, reviews, safeguarding of assets and segregation of duties. Control activities can be divided into operations, financial reporting and compliance, although there may, on occasion, be some overlap between them. The typical control activities include:
The Company has in place effective processes and systems for the identification, capture and reporting of operational, financial and compliance-related information in a form and time-frame intended to ensure that staff carry out their designated responsibilities.
Internal audit: Independent of management, the Group Internal Audit Department (“GIAD”) reports directly to the Audit Committee and performs regular reviews of key risk areas and monitors compliance with Group accounting, financial and operational procedures. The role of GIAD is discussed further on pages 106 to 107.