(Extracted from Annual Report 2019)
The Board acknowledges its responsibility for:
The Board acknowledges its responsibility to establish, maintain and review the effectiveness of the Group's risk management and internal control systems. This responsibility is primarily fulfilled on its behalf by the Audit Committee as discussed on pages 80 to 81.
The foundation of strong risk management and internal control systems is dependent on the ethics and culture of the organisation, the quality and competence of its personnel, the direction provided by the Board, and the effectiveness of management.
Since profits are, in part, the reward for successful risk taking in business, the risk management and internal control systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.
The key components of the Group's control structure are as follows:
Culture: The Board believes that good governance reflects the culture of an organisation. This is more significant than any written procedures.
The Company aims at all times to act ethically and with integrity, and to instil this behaviour in all its employees by example from the Board down. The Company has a Code of Conduct, which is posted on its internal intranet site.
The Company is committed to developing and maintaining high professional and ethical standards. These are reflected in the rigorous selection process and career development plans for all employees. The organisation prides itself on being a long-term employer which instils in individuals, as they progress through the Group, a thorough understanding of the Company's ways of thinking and acting.
Channels of communication are clearly established, allowing employees a means of communicating their views upwards with a willingness on the part of more senior personnel to listen. Employees are aware that, whenever the unexpected occurs, attention should be given not only to the event itself, but also to determining the cause.
Through the Company's Code of Conduct, employees are encouraged (and instructed as to how) to report control deficiencies or suspicions of impropriety to those who are in a position to take necessary action.
Risk assessment: The Board of Directors and the management each have a responsibility to identify and analyse the risks underlying the achievement of business objectives, and to determine how such risks should be managed and mitigated.
Management structure: The Group has a clear organisational structure that, to the extent required, delegates the day-to-day responsibility for the design, documentation and implementation of procedures and monitoring of risk. Individuals appreciate where they will be held accountable in this process.
A control self-assessment process requires management to assess, through the use of detailed questionnaires, the adequacy and effectiveness of risk management and internal controls over the reliability of financial reporting, the effectiveness and efficiency of operations and compliance with applicable laws and regulations. This process and its results are reviewed by internal auditors and form part of the Audit Committee's annual assessment of control effectiveness.
Controls and review: The control environment comprises policies and procedures intended to ensure that relevant management directives are carried out and actions that may be needed to address risks are taken. These may include approvals and verifications, reviews, safeguarding of assets and segregation of duties. Control activities can be divided into operations, financial reporting and compliance, although there may, on occasion, be some overlap between them. The typical control activities include:
The Company has in place effective processes and systems for the identification, capture and reporting of operational, financial and compliance-related information in a form and time-frame intended to ensure that staff carry out their designated responsibilities.
Internal audit: Independent of management, the Internal Audit department reports directly to the Audit Committee and performs regular reviews of key risk areas and monitors compliance with Group accounting, financial and operational procedures. The role of Internal Audit is discussed further on pages 81 and 82.