Risk Management
Serco operates in many different fields. We run world-class scientific establishments and railways, maintain offices and spacecraft, manage schools, prisons and motorway systems, test military assets and control air traffic. This presents us with an unusually diverse range of risks that need to be recognised, assessed and effectively managed. Over 40 years our experience in managing risks across such a diverse business base has convinced us that the process of risk management should not be treated as an add on to the business – it needs to be an integral part of the way we function.
The Group has a well-established and embedded system of internal control and risk management designed to safeguard shareholders’ investments and the Group’s assets and reputation. Whilst the Board has overall responsibility for the Group’s system of internal control and for reviewing its effectiveness, it is the role of management to implement the policies on risk and control. The Group’s risk management process identifies the key risks facing each business and reports to the Board on how those risks are being managed.
A risk management standard defines the processes that are required at each level in the organisation in order to manage and mitigate the threats to the achievement of our business objectives. The risk management process specifically identifies the interests not only of shareholders but also of other stakeholders that are likely, directly or indirectly, to influence the performance of the business and its value. These include, but are not limited to, customers, suppliers, staff, trade unions, government, regulators, banks and insurers. The interests of the wider community in areas such as social, environmental and ethical impact are recognised in the Group’s corporate responsibility programme.
Risk registers are maintained at a contract, business unit, divisional and Group level and are reviewed at least quarterly and more frequently as required. The risk registers identify the key risks, the probability of those risks occurring, their potential impact on the business and the actions being taken to reduce and mitigate the risks. Risks are prioritised using a consistent scoring system across the business.
The Group risk register identifies the key principle risks and is updated regularly, reviewed six monthly by the Risk Oversight Group and discussed at quarterly Board meetings; active risks are ranked into five categories of importance based on the risk score and grouped under the following six headings:
- Business strategy – covering threats to the long-term deliverability of the Group’s strategy. Principal risks of the Group include loss of competitive position, and strategic risks associated with recent acquisitions
- Financial/commercial performance – covering threats to the short term performance of the Group’s existing business. Principal risks of the Group include the loss of key contracts, the failure to meet financial business plans, pension fund liabilities and delays or cost over-runs in major transition programmes
- Compliance – covering compliance with all relevant legislation and regulations. Principal risks of the Group include legal action resulting from compliance failures, the introduction of the International Financial Reporting Standards (IFRS) and unethical behaviour by Directors or members of staff
- Safety – covering threats to the safety of staff, sub-contractors, members of the public and the environment. Risks of the Group include the responsibility of a major accident or incident where public safety is concerned, environmental pollution and assaults on staff in the course of their duties
- Business continuity – covering threats to the continuity of business operations in the event of adverse events. Principal risks of the Group include the failure of information systems, loss of key infrastructure and the recruitment and retention of key staff
- Hostile actions – covering threats posed by the deliberate actions of individuals and organisations against the interests of the Group. Principal risks of the Group include crime and fraud, pressure group action, terrorism and industrial action.
For the Group, the most significant risks relate to the strategy and safety areas; social, environmental and ethical issues, while recognised within a number of the Group’s risks, do not represent significant threats to the achievement of the Group’s strategy at present. All risks and potential threats are kept under regular review and the Board informed of changes as they occur.
While we aim to assess and manage business risks effectively, we recognise that it’s equally important to have effective systems and processes for managing any crisis that might arise.
During 2006 Grant Thornton has continued to provide an internal audit function within the Group, in addition to that provided by internal peer review and the Corporate Assurance Group. Its programme is complementary to the Group’s broader programme and has been designed to address internal control and risk management processes. Specifically the areas covered are:
- Contract boards
- Exception reporting
- Generation and review of risk register
- Divisional interaction
- Contract manager knowledge
- Corporate social responsibility
- Group financial controls manual
In 2006 Grant Thornton reported that there were no material weaknesses identified as a result of the audits undertaken and corrective action has been taken where deficiencies were found.