The Board is responsible for the Group’s risk management and internal control systems, supported by the Audit Committee which provides dedicated oversight. This includes reviewing principal and emerging risks, ensuring robust risk management systems are in place, and evaluating the effectiveness of financial, operational and compliance practices the Group adopts to mitigate these risks. The Audit and Risk Management function (ARM) supports this work, operating independently and in line with international internal audit standards.
The boards and executive leadership of portfolio companies hold full accountability for governance, risk management and internal control. The Group maintains active engagement through shareholder representatives and ensures that each portfolio company upholds high standards in risk registers and internal audit processes. Key risk and governance matters are regularly reported to the Group’s Audit Committee, reinforcing a consistent and rigorous approach across the organisation.
The Group operates a “three lines of defence” risk governance framework, which assigns clear responsibilities and provides the structure for ensuring accountability and transparency in its risk management practices:
First line: identifies and assesses relevant risks and then implements and manages specific responses to, and other mitigating actions for, these risks. It also establishes and is responsible for control activities that ensure that its operations are carried out properly. Such activities are considered an integral part of corporate operations. The first line comprises functional management at the Group and in the portfolio companies, as well as these entities’ company leadership;
Second line: monitors the key risks of the Group’s portfolio companies and ensures that controls implemented by the first line are appropriate and effective. It also provides support to the first line in the identification and assessment of key risks, as well as in the implementation of the procedures and controls necessary to address them. This second line is entrusted to risk management and compliance functions at the Group and in the portfolio companies; and
Third line: performs independent and objective assurance and advisory activities to assess the adequacy of internal control, risk management, and corporate governance processes, using a risk-based approach. These are carried out by the internal audit functions of the Group and of the portfolio companies, which operate independently.
The Group and each portfolio company are responsible for:
implementing the risk management framework and the “three lines of defence” framework;
identifying and assessing the principal and emerging risks and uncertainties to which the Group and each portfolio company are exposed, respectively;
implementing the most appropriate actions to mitigate and control these risks to an acceptable level;
providing adequate resources to minimise, offset or transfer the effects of any relevant risk event that may occur, whilst considering related costs and benefits;
monitoring the effectiveness of their systems of risk management and internal control;
reporting periodically to their respective board of directors and audit committee (or equivalent body) on principal and emerging risks and uncertainties; and
reporting on key risks and other matters to Audit and Risk Management (ARM) as part of ARM’s process for reporting to each Group Board and Audit Committee meeting.
ARM is responsible for:
assisting the Company’s Audit Committee with fulfilling its assurance and reporting roles in governance, risk management, and internal control, and reporting periodically on the results of this assistance, as mandated, including on its review of key risks and other matters reported from the Group’s portfolio companies;
conducting internal audits of the processes implemented by the Group and the portfolio companies, where mandated;
reviewing and aggregating risks reported by the Group’s portfolio companies and maintaining the Group’s risk register; and
raising awareness of the Group’s approach to risk management amongst colleagues via various educational activities and communications.
Risk management is integrated into the Group’s strategic planning, budgeting, decision-making and operations. Central to this is the continuous and systematic application of:
A risk management framework, based on ISO 31000 and the COSO principles, has been established and embedded into the Group’s business activities, to enable the Group and each portfolio company to identify and assess their key risks and define their strategies for treating, monitoring and reporting on such risks. The risk registers prepared by each portfolio company provide the basis for an aggregation process, which summarises the principal risks and uncertainties facing the Group as a whole.
Identifying and documenting the exposure to risks relating to the achievement of its strategic objectives, categorised with reference to a risk taxonomy.
Adopting structured and methodical techniques for identifying critical risks.
Evaluating risks by estimating the likelihood of their arising, their potential financial and reputational impact, and the speed at which they may materialise, at both the inherent and residual levels.
Determining the relative significance of each risk using a scoring system and reflecting this in a risk trend summary based on residual risk.
Selecting a response to each risk:
Tolerate – accepting the risk if it is within the risk appetite.
Terminate – disposing of or avoiding the risk if there is no appetite to accept it.
Risks may be accepted if mitigated to an appropriate level via:
Transfer – insuring against the risk or sharing it through contractual arrangements with business partners.
Treat – redesigning controls or introducing new controls to address the risk, and monitoring the performance of these controls.
Periodically reviewing principal risks and uncertainties.
Monitoring the adequacy and effectiveness of risk management activity and internal control through regular review.
Regular reporting of principal risks and uncertainties by the portfolio companies to the Company’s Board of Directors via the Audit Committee and ARM.
The Group’s strong culture of risk awareness is upheld by integrating and embedding risk processes and procedures throughout each portfolio company.
Regular risk management updates and training are provided to the Group’s board members and staff, to elevate their awareness of risk and emerging trends. Risk management initiatives, such as training and sharing sessions, are also undertaken by each portfolio company.
In addition, ARM facilitates the building of the Group’s risk management knowledge base. Information and guidelines for reporting principal and emerging risks and uncertainties are regularly communicated to the Group’s portfolio companies.
This Group-level activity supports and supplements the knowledge base that each portfolio company creates in respect of their own risk management activities.