
Managed Risk

What managed risk means to us

In order to achieve our strategic and business objectives, protect our stakeholder interests and maximise our returns, we seek to identify, manage and mitigate our exposure to risks through robust procedures and controls throughout the organisation.





Our policy and commitment

Our commitment is defined within our Risk Management Policy Statement, supporting standards and related operating procedures.

In summary, we strive to:

  • support informed risk-taking that promotes business growth and success whilst recognising the risks associated with key decisions;

  • embed systematic, structured and timely risk management in our organisational processes, linked to achievement of our objectives;

  • gain early line of sight regarding increases in threat or exposure;

  • maintain a robust control environment that reduces negative impacts to our business performance; and

  • be dynamic, iterative and responsive to change, facilitating continuous improvement of our risk management through review and assurance.

Key components in our governance

  • Our Group Risk Committee (GRC) sets the context for risk and organisational risk taking, providing oversight of Group-level risk management and principal risks. The GRC and Divisional Executive Management Teams (EMTs) review relevant risk registers quarterly, examining individual risks as required, with the Committee Chair updating the Board directly on GRC outcomes.

  • The Group Director Risk and Compliance is responsible for reviewing and maintaining the Risk Management Framework, providing oversight and reporting on business risk and the performance of the framework.

  • The Group Risk and Compliance Function is custodian of the Group Risk Register and Compliance Assurance Programme, providing oversight and assurance and ensuring material controls are effectively implemented.

  • Our Risk Management Lifecycle is mandated across the business and enables us to manage risk effectively, systematically and consistently.

  • Divisional EMTs are responsible for reviewing and challenging risks facing Divisions and ensuring appropriate risk resources are in place, while Divisional Risk Leads are responsible for implementing the Risk Management Framework, policy, standards, procedures and key controls across the Division.

Our progress and performance in 2017

We have:

  • reviewed all Group principal risks as planned to ensure they remain current, taking into consideration Functional and Divisional risk registers and any emerging risks that could threaten our strategy execution, business model, future performance, solvency and liquidity; and

  • conducted in-depth analysis of five of the principal risks confirmed in 2016, as planned, examining how they have been managed and the activities underway to better define, understand and mitigate them.

As of end-2017 our Group principal risks are:

  • Failure to grow profitably
  • Failure to act with integrity
  • Contract non-compliance, non-performance or misreporting
  • Failure to deliver expected benefits from Transformation
  • Major information security breach
  • Failure to manage our reputation
  • Failure of business critical partner, supplier, sub-contractor
  • Catastrophic incident
  • Financial control failure
  • Material legal and regulatory compliance failure

In addition, we have:

  • worked to improve management oversight on principal risks and heighten focus on consistent risk management by embedding the Group Risk Committee, initiated in 2016;

  • refined our definition of a ‘catastrophic incident’ to ensure the right level of understanding of this risk and assign appropriate focus on risk mitigation activities;

  • reviewed Divisional risk management in UK & Europe, Middle East and Asia Pacific;

  • delivered priority mitigation and contingency actions to improve the effectiveness of our Group-wide material controls for all principal risks; and

  • reviewed and enhanced our corporate risk management tool.


Our next steps

We will:

  • continue to conduct in-depth reviews of Group principal risks and risk management in the Divisions; 

  • continue to review our exposure to catastrophic risks and relevant mitigations; and

  • continue to improve the effectiveness of our mitigation for principal risks.