Risk management and control
The Board of Royal Mail Group believes that effective risk management and a sound control environment are fundamental to the Group.
The system is designed to manage rather than eliminate the risk of failure, as taking on risk is inherent in undertaking the commercial activities of the Group.
There is an ongoing process for identifying, evaluating and managing the significant risks faced by the Group, including financial, operational and compliance risks and risks to reputation, in accordance with the guidance detailed by the Turnbull Committee as part of “the Combined Code”.
The process incorporates both a top-down element (which collates the executive management / Board view of key risks) and a bottom-up element (which collates the views of the business units and functions on risks in their area).
Taken together, these two perspectives are combined to form the Group Risk Profile.
The responsibility for joint ventures and associates rests, on the whole, with the senior management of those operations. The Group monitors its investments and exerts influence through Board representations.
The Group has classified its principal risks into four main categories: changes in customer preferences and competitor activity; economic environment; business modernisation; and risks inherent in the postal industry.
Risk management framework
The Group-wide risk management framework includes risk governance, risk identification, measurement and management, and risk reporting. The Group’s approach to control is based on the underlying principle of line management accountability for internal control and for risk management.
The Group recognises and uses the principle of the “Three Lines of Defence”, that is:
a) Primary controls over the risks to the business are located in the day-to-day operation;
b) These are supported by internal monitoring and oversight; and
c) Independent assessments by Internal Audit and others provide the third line.
The process for risk identification and management consists of formal identification by management at each level of the Group of the key risks to achieving their business objectives and the controls in place to manage them. The likelihood and potential impact of each risk are evaluated. Risk management action plans are monitored at executive level to ensure key risks are being mitigated.
The views of top management and units / functions are collated and brought together, in the Group Risk Profile, to form a comprehensive view of key risks in the organisation.
The process also includes an annual certification by management that the internal controls are such that they provide reasonable assurance that the risks are appropriately identified, evaluated and managed.
The system of risk management and internal control is embedded into the operations of the Group, and the actions taken to mitigate risk or address any weaknesses are monitored.
Risk governance and the Board
The Board has delegated responsibility for specific review of risk and control processes to the Audit & Risk Committee (ARC). The Risk Management Committee (RMC) supports the ARC in discharging its duties. The key responsibilities for risk and control among the Board, ARC, and RMC are set out in this and the companion section on Internal Control, and the management and committees section.
Risk Management Committee
The Risk Management Committee is a management committee of the Chief Executive Committee with a reporting line to the Audit & Risk Committee. Its responsibilities include promoting and supporting the establishment, communication and embedding of risk management throughout the business.
Royal Mail Group's attitude to risk
Royal Mail Group aims to be risk aware, but not overly risk averse. We recognise that to achieve our objectives we will take on certain risks, but should do so in an informed manner, such that:
• the level of risk is consistent with the potential rewards; and
• the impact, should the risk materialise, can be managed or absorbed.
We are averse to risks that could:
• negatively affect the safety of our employees or people they come into contact with during the course of business;
• negatively affect our reputation;
• lead to breaches of legal or regulatory requirements; or
• endanger the future existence of the business.
Risk management policy
The Risk Management Policy, which includes mandatory minimum standards for risk management in the business, has been refreshed in the year and communicated to business units and functions.