What managed risk means to us
In order to achieve our strategic and business objectives, protect our stakeholder interests and maximise our returns, we seek to identify, manage and mitigate our exposure to risks through robust procedures and controls throughout the organisation.
Our policy and commitment
Our commitment is defined within our Risk Management Policy Statement, supporting standards and related operating procedures.
In summary, we strive to:
- support informed risk-taking that promotes business growth and success whilst recognising the risks associated with key decisions;
- embed systematic, structured and timely risk management in our organisational processes, linked to achievement of our objectives;
- gain early sight of any increase in threat or exposure;
- maintain a robust control environment that reduces negative impacts on our business performance; and
- be dynamic, iterative and responsive to change, facilitating continuous improvement of our risk management through review and assurance.
Key components in our governance
- Our Group Risk Committee (GRC) sets the context for risk and organisational risk taking, providing oversight of Group-level risk management and principal risks. The GRC and Divisional Executive Management Teams (EMTs) review relevant risk registers quarterly, examining individual risks as required, with the Committee Chair updating the Board directly on GRC outcomes.
- The Group Director Enterprise Risk is responsible for reviewing and maintaining the Risk Management Framework, providing oversight and reporting on business risk and the performance of the framework.
- The Group Risk and Compliance Function is custodian of the Group Risk Register and Compliance Assurance Programme, providing oversight and assurance and ensuring material controls are effectively implemented.
- Our Risk Management Lifecycle is mandated across the business and enables us to manage risk effectively, systematically and consistently.
- Divisional EMTs are responsible for reviewing and challenging risks facing Divisions and ensuring appropriate risk resources are in place, while Divisional Risk Leads are responsible for implementing the Risk Management Framework, policy, standards, procedures and key controls across the Division.
See also: Three lines of defence, Our Serco Management System
Our progress and performance in 2018
In 2018 we:
- reviewed all Group principal risks as planned to ensure they remain current, taking into consideration Functional and Divisional risk registers and any emerging risks that could threaten our strategy execution, business model, future performance, solvency and liquidity; and
- conducted ‘deep dive’ reviews of all our principal risks, focusing on the effectiveness of mitigation actions and the management of any gaps between current risk status and the Company’s risk appetite.
As of end-2018 our Group principal risks are:
In addition, we have:
- streamlined reporting to the GRC to make key information more prominent for enhanced analysis and decision-making;
- introduced a Key Risk Indicator Dashboard to help improve our management oversight and visibility on the effectiveness of our risk management approach;
- completed a review of risk management in all Divisions, launched in 2017; and
- worked to deliver our principal risk mitigation priorities as identified in our 2017 report.
Our next steps
We will:
- continue to focus on progress against mitigation plans whilst conducting in-depth reviews of Group principal risks; and
- continue to review and refine our Risk Management Framework to ensure it remains fit for purpose.