Building a more effective risk management process will be an important contributor to the recovery of the Group
Issues experienced during 2016
The Board recognises that its risk management process was not fully effective during 2016, as multiple independent execution, contract and market related risks crystallised during an exceptional period. Whilst a full review has not been undertaken, it is obvious that the implementation of certain controls requires strengthening. The Board takes this issue very seriously, and corrective actions are being developed to ensure that adequate controls are in operation throughout the Group.
The risk management process described in the following section, together with the statements of Group Principal Risks, their impact and mitigations, is presented to provide details of the intended controls. It is recognised that the process in operation in 2016 was insufficient to effectively manage risk in the Group.
How we manage risk
The Board sets the policy for managing risk in the business. It recognises the importance of having effective processes and procedures for identifying, actively monitoring, mitigating and managing the financial and non-financial risks facing the Group.
By regularly reviewing the principal risks reported across the Group by businesses and functions, and satisfying itself that these risks are managed within the Group’s stated risk appetite, the Board ensures that the Group’s risk exposure remains appropriate and that this links to the effective delivery of its strategic objectives.
The Board has ultimate accountability for the execution of risk management systems and internal controls, with the Risk Committee, comprising members of the Group Executive, responsible for overseeing execution of risk management throughout the Group. From 2017 a new Risk Committee, as a formal Board sub-committee, will be created, further strengthening the process.
The Board has delegated responsibility for the detailed monitoring and reviewing of the effectiveness of the Group’s internal control and risk management systems to the Audit Committee. Assurance over the effectiveness of these systems is provided by a combination of regular management reporting to the Audit Committee. For the Advanced Electronic Solutions Sector, which holds classified US Defense programs and so operates under a US DoD Special Security Arrangement (SSA), specific assurances and authorised assurance reports are given by representatives of the SSA Board. The Group’s CEO and CFO both sit on the Board of the SSA. Improvements to the effectiveness of governance and assurance procedures between the Group and the SSA are regularly reviewed.
The process for monitoring and controlling risk, illustrated below, emphasises ongoing evaluation and monitoring by the management teams at each appropriate entity level: business unit, Sector, specialist function or at Group level. The Group’s Enterprise Risk Management (ERM) framework is structured to ensure that risks are identified promptly by management teams, to support the achievement of their strategic objectives and to ensure that they are mitigated and managed appropriately in support of the delivery of the Group’s strategic plan. Risks are categorised in terms of inherent risk (before mitigation) and current risk (after existing mitigation). This allows the Group to identify risks that are heavily dependent on internal mitigating controls and to allocate resources appropriately.
The risks identified are documented and measured, including the ownership of individual risks. Data from this system has been aggregated and themed, reviewed under the Governance structure outlined above and has been used as the basis for the Group’s principal risk disclosure.
The Group manages risk by operating a ‘three lines of assurance’ risk and control model. The first line consists of operational management implementing and maintaining effective internal controls and risk management procedures. They are supported by a number of Group functions which, together with performance management procedures, form the second line. Internal audit, which is part of the third line, is empowered to provide an independent assessment of the effectiveness of internal controls (guided by the risk appetite) and risk management processes and procedures, as well as identifying areas for improvement. These lines of assurance include the Group's ethics reporting system, enabling employees to raise concerns over ethics and compliance matters. The internal audit function reports directly to the Audit Committee to ensure its independence and objectivity. In addition, the Audit Committee takes account of the views of the external auditors.
The Group has established a risk appetite baseline through which Cobham’s risks can be managed with appropriate controls and assurance measures. Risk events can be categorised under four main headings: Strategic, Operational, Reporting/Financial and Compliance. The Group has broken down these risk categories into a number of subcategories and defined its risk appetite for each. The risk appetite is articulated as conservative, balanced or assertive across the various elements of the risk framework, with a principles-based approach defining what each means for a given risk subcategory.
As shown on the risk appetite diagram below, typically there is a balanced appetite for taking risk across the Operational and Reporting/Financial risk subcategories – the cost of taking the risk is carefully weighed against the resultant benefits.
There is a more assertive appetite for areas of strategic risk including the promotion of growth, for example in business and product portfolios and in the strategic planning processes. There is a conservative appetite for Compliance risk.
The Group’s controls, mitigation activities and associated assurance measures implemented reflect the risk appetite for each position.