The Serco Management System (SMS) is our management framework. It describes how we do business and defines the rules governing how we operate, behave and deliver our strategy, including all areas covered by our CR framework.
At the heart of the SMS are 16 Group policy statements and 23 Group standards. Group policies are owned by Group Functional Directors, signed by the Group Chief Executive and approved by the plc Board. They define our strategic commitments and apply across the Group.
Group standards reflect our Values and define the minimum standards we must achieve, focusing on mandatory requirements applicable across the Group.
Group, Country, Divisional and Local operating procedures build on these foundations within the SMS, providing direction on how to achieve mandatory requirements and comply with relevant laws and regulations in the countries within which we operate. Operating procedures are sensitive to local customs, traditions and cultures. All elements of the SMS are subject to a schedule of regular review, ensuring they meet our needs and are up-to-date, relevant and appropriate.
Employee and manager responsibilities regarding SMS compliance are clearly defined and all employees complete appropriate SMS, Code of Conduct and Values training on joining Serco and periodically during their time with Serco. Our Group Consequence Management Standard defines how instances of non-compliance are managed.
To provide management assurance, a ‘three lines of defence’ model has been implemented to test business compliance. Each level of assurance informs our risk management process and the delivery of local, regional and Group improvements.
1st line of defence:
At an operational level, local controls are implemented to ensure customer, legal and regulatory requirements are met. In addition, an annual SMS self-assessment process is undertaken across the Group which helps managers increase their understanding of SMS requirements and improve compliance with SMS controls by completing actions for any areas of non-compliance identified.
2nd line of defence:
A programme of Division-led retrospective compliance assurance reviews test compliance with SMS controls and risk management processes. Reviews against the SMS are carried out at contract, Business Unit and Divisional levels.
3rd line of defence:
Internal Audit provides independent review (sometimes delivered by independent external parties) of the design and operating effectiveness of our controls. External Audit is also used to test control effectiveness in areas of the business where there is a customer or legal requirement.