We have robust systems and processes to identify and manage the key risks facing each of our businesses and the Group as a whole, and all parts of the business have appropriate risk and crisis management plans that meet our policy standards.
Our risk management policies, systems and processes are therefore defined and embedded within the Serco Management System. The Board regularly reviews these, which conform to the Combined Code's requirements. Such policies, systems and processes, however, can only be designed to mitigate, rather than eliminate, the risk of failure to achieve business objectives.
We regularly review the risk management processes we apply throughout our business as part of the Serco Management System. This ensures they reflect the nature of the activities we undertake and the business and operational risks inherent in them, and therefore the level of control we consider necessary to protect our interests and those of our stakeholders.
These controls and processes fall into four main areas: identification; assessment; planning and control; and monitoring, so that we:
- identify business objectives that reflect our stakeholders' interests, and the risks associated with achieving these objectives;
- regularly assess our exposure to risk, including measuring key risk indicators;
- control and reduce risk as far as reasonably practicable or achievable, through cost-effective risk mitigation; and
- identify new risks as they arise and remove risks that are no longer relevant.
The output of the risk management process supports our internal audit programme. Key controls, defined within the Serco Management System are used to manage or mitigate risks. A risk based internal audit programme then tests the application and effectiveness of key control processes.
We also have material investments in a number of joint ventures, where we have joint control over management practices. Our representatives within these companies ensure that their processes and procedures for identifying and managing risk are appropriate and that internal controls exist and are regularly monitored.