How we identify and assess risk
The risk profile is commensurate with the issues and opportunities inherent to our operations as a listed water and wastewater business, and takes into account our statutory and regulatory obligations as well as the expectations of our stakeholders. In this way the profile illustrates risks that represent key elements of major end-to-end processes or systems, in line with our Systems Thinking approach.
The assessment of individual risks considers both the internal and external business environment as well as the effectiveness of cross-business controls. Each risk is sponsored by a senior manager who is responsible for the assessment of the risk, and for implementing preventative and responsive controls, although accountability for different aspects of the controls may lie across various departments. Although operational and project level risk assessment occurs continuously throughout the year, the activity culminates in the biannual Business Unit Risk Assessment (BURA), which reviews the strategic and tactical level business risks that underpin our principal risks (as illustrated in Principal risks and uncertainties). Each business risk is event based, with the assessment considering first the likelihood of the event occurring based on multiple causal factors, and secondly the full range of potential impacts and their severity should the event occur, from a minimum (best case) to a maximum (worst case) scenario.
All business areas are accountable for undertaking the BURA process, which is aligned to the full and half-year reporting cycle. The process involves group level evaluation, benchmarking and calibration to enable a consistent approach, an appreciation of the most significant risks from a financial and reputational context, and an assessment of how these relate to our risk appetite.
Oversight and governance process
The board ensures that its oversight of risk remains effective through a number of established reporting routes.
Twice yearly the board receives a full update on the risk profile as part of the full and half-year reporting cycle. This provides an overview of the nature and extent of risk exposure in the context of the group’s principal risks, and emphasises the most significant risks in both their current state relative to the risk appetite, and target state of acceptable exposure. This practice is in compliance with the UK Corporate Governance Code, and enables reports to be provided to the board for each full and half-year statutory accounting period. The board is therefore able to:
- Make decisions on the level of risk it is prepared to manage in order to deliver on the group’s strategy;
- Engage with the business to put appropriate controls in place, and to ask questions and test the appropriateness of plans;
- Report externally on the long-term viability of the company in an informed manner; and
- Monitor and review the effectiveness of procedures, systems and risk management thinking.
The most significant risks reflect three categories: the ten highest business risk exposures (likelihood and impact) from across the group (see also Principal risks and uncertainties); the ten highest risk exposures with an operational context; and risks that have a remote likelihood of occurrence but a significant impact should they occur. The board is advised of significant new or emerging risks pending assessment, risks which carry serious reputational impact, and those which would not otherwise be reported under the criteria described above, but because of associated uncertainty are kept under a watching brief.
Risk-specific governance and steering groups provide a picture of ongoing individual risks, and these feed into the executive-led Group Audit and Risk Board (GARB), which focuses on governance, risk and compliance.
The audit committee is a fundamental component of the governance structure. Supported by company secretariat and the corporate audit teams, the audit committee reviews the effectiveness of risk management and internal controls before these are considered by the board.
Continuous improvement is a key feature of our business risk management framework. In recent years we have matured fundamental aspects of our enterprise-wide risk management approach. This has been delivered through focusing on inherent risk, cross-business assessment of control, response and recovery, as well as prevention and consideration of extreme impacts in addition to more routine impacts. These fully align to our business-wide initiatives for Systems Thinking and resilience, and going forward we will continue to support the maturity of these through the further embedment of the Business Risk Management Framework.
Aligned to this approach is the introduction of a separate New and Emerging Risk forum over the last 12 months. This takes place in addition to the BURA process to ensure that changing circumstances from both the external and internal business environments are taken into account, and we continue to consult with external bodies to keep up to date with potential threats to the sector. In January 2020 we undertook a cross-business assessment of insider risk with the Centre for the Protection of National Infrastructure (CPNI). We have recently set up a dedicated anti-fraud forum to understand potential threats and impacts, and to develop mitigation strategies.
We have carried out a review of the National Risk Register for Climate Change to cross reference our own risk profile and use the assessment parameters to reassess our existing risks in the longer term. This has better enabled us to understand potential impacts and determine future strategies and associated funding requirements.
As a utility company we take part in multi-agency partnerships via Local Resilience Forums (LRFs) and in November 2018 we developed a specific pandemic plan to provide support to our well-established incident management process. This plan has been the basis for our COVID-19 incident management team, which was established in January 2020 to maintain our key operations during the incident, and to promote and support government advice on containment, delay and social distancing.