Effective risk management underpins the delivery of our objectives. It is essential to protecting our reputation and generating sustainable shareholder value.
Risk management and internal control
An assessment of risk is central to the Group’s strategic decision-making process and an essential part of meeting the requirements of the UK Corporate Governance Code. By delivering effective risk management and understanding its exposure to risk, the business is better able to protect its reputation, ensure long-term viability and generate sustainable shareholder value. Balfour Beatty maintains an agile and comprehensive internal control environment. Key risks are identified and a decision made to treat, tolerate, terminate or transfer potential exposure dependent upon the Group’s risk attitude or appetite. For more information, refer to pages 48 to 56 of the 2017 Annual Report.
The Board has applied principle C2 of the UK Corporate Governance Code by embedding continuously evolving risk management processes at all levels throughout the Group, where they form an integral part of day-to-day business activity.
Roles and responsibilities
The Board is responsible for the implementation and oversight of Balfour Beatty’s risk management framework. It sets the Group’s appetite for and attitude to risk in pursuit of its agreed strategic objectives and therefore the level of risk that can be taken by Group, strategic business unit and individual business unit management without specific Board approval. Group policies, procedures and delegated authority levels set by the Board provide the structure in which risks are reviewed and escalated to the appropriate level within the Group, up to and including the Board, for consideration and approval.
The roles and responsibilities of the Board, its Committees, strategic business unit and individual business unit management are set out on page 65 of the 2017 Annual Report.
Risk management process
Balfour Beatty’s risk management policy requires that all business units implement effective arrangements and management controls across all operations for the management of risk. The Group’s approach to risk management is to reduce the likelihood of risk events occurring, mitigate the adverse impact of such events and identify opportunities where taking risks might benefit the business. Balfour Beatty is relentless in ensuring that a positive risk management culture remains embedded at all levels.
When pursuing new opportunities, an assessment of risk forms a key part of the work winning process. Risks are continuously assessed to ensure potential exposure remains within an accepted tolerance.
Additionally, the Board sets and regularly reviews delegated authority levels which act as triggers for the escalation of matters requiring approval. In relation to work winning, this means projects above a certain value, or those with unusual characteristics, such as a move into new markets, require approval by the Group Tender and Investment Committee or the Board, as appropriate.
Reporting structures ensure that risks are monitored continually, mitigation plans are reviewed and significant exposures which develop are reviewed within the business unit or by Group senior management via the Executive Risk Steering Group.
Effective risk management cannot stand still. In 2017 significant improvements have been made to further align the Group’s risk management and audit functions to bring greater focus on the assurance mapping process. This work will continue in 2018 as part of the ongoing review of risk aggregation and escalation. Review of the Group’s business continuity arrangements will ensure that Balfour Beatty remains resilient to the ever-changing threats it faces in delivering its business objectives.
The Board has ultimate responsibility for the Group’s risk management systems and internal control and regularly reviews their effectiveness. The Group’s systems and controls are designed to ensure exposure to significant risk is managed appropriately. The Board recognises that any system of internal control is designed to understand and manage rather than eliminate the risk and can only provide reasonable and not absolute assurance against material misstatement or loss. In addition, not all the material joint ventures in which the Group is involved are treated, for these purposes, as part of the Group. Where they are not, systems of internal control and risk management are applied as agreed between the joint venture partners.
Central to the Group’s systems of internal control are its processes and framework for risk management. These align with the Financial Reporting Council’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and were in place throughout 2017 and up to the date of signing this report. Guidance and policies have been issued and are continuously monitored to provide an interlinked and comprehensive internal control environment. The topics covered include, but are not limited to:
- a clear system of delegated authorities from the Board to management with certain matters reserved by the Board
- monthly financial reporting against budgets and the review of results and forecasts by executive Directors and management, including particular areas of business or project risk. This is used to update management’s understanding of the environment in which the Group operates and the methods used to mitigate and control identified risks
- annual review of the strategy and plans of each business and of the Group as a whole to identify risks to the achievement of objectives and, where appropriate, any relevant mitigating actions
- specific policies set out in the Group Finance Manual covering the financial management of the Group, including arrangements with the Group’s bankers and bond providers, controls on foreign exchange dealings and management of currency and interest rate exposures, application of accounting policies and financial controls
- risk management expectations which are embedded throughout the Group
- gateway reviews requiring risk, uncertainty and control assessment at all stages of project development and at all levels of the business from business unit level to Board Committee if value, or perceived exposure, exceeds certain thresholds
- reviews and tests by the internal audit function of critical business financial processes and controls and specific reviews in areas of perceived high business risk
- review and authorisation of proposed investment, divestment and capital expenditure through the Board and Board Committees
- regular reporting, monitoring and review of the effectiveness of health, safety, environment and sustainability processes. These processes are subject to independent audit and certification to internationally recognised standards as appropriate
- legal and regulatory compliance risks which are addressed through specific policies and training on such matters as ethics, competition and data protection laws
- promotion of a culture of compliance with ethics and integrity responsibilities to help manage legal and reputational risks across the Group. An ethics helpline encourages staff to raise concerns, in confidence, about possible breaches of the Code of Conduct.
There is also an independent internal audit function that executes a risk-based programme of audit throughout the entire Group. All audit reports are shared with relevant business leaders in addition to being reviewed by the Audit and Risk Committee (see pages 67 to 69 of the 2017 Annual Report).
It is the expectation and requirement of the Board that business leaders ensure this comprehensive internal control environment (including internal audit) is embedded within their business units.
The Board’s assessment of the risk management processes and internal controls during 2017 is based on reports it received and those presented to the Audit and Risk Committee and the Safety and Sustainability Committee, including:
- the results of the internal audit function’s reviews of internal financial controls
- a Group-wide certification that effective internal controls had been maintained or, where any significant non-compliance or breakdown had occurred with or without loss, that appropriate remedial action has been or is being taken
- a paper prepared by management on the nature, extent and mitigation of significant risks and on the systems of internal controls.