Successful management of risks and uncertainties enables us to deliver on our purpose to provide great water and more for the North West.


Our approach to risk management

A key objective of our approach is to support the sustainable achievement of the strategic themes that underpin our vision to be the best UK water and wastewater company delivering:

  • The best service to customers;
  • At the lowest sustainable cost;
  • In a responsible manner.

From this starting point our emphasis is on our capacity and capability to manage risk and uncertainty, and to build and maintain long-term resilience across the corporate, financial and operational structures of the group.

Our risk management framework provides the foundation for the business to anticipate threats to delivering an effective service. In addition, our approach enables us to understand the new and emerging circumstances that present themselves in unstable and challenging times. Key components of the framework include:

  • An embedded group-wide risk management process that is aligned to ISO 31000:2018;
  • A board-led approach to risk appetite, based
    on strategic goals;
  • A strong and well established governance structure giving the board oversight of the nature and extent of risks the group faces, as well as the effectiveness of risk management processes; and
  • A portfolio of policies, procedures, guidance and training to enable consistent, group-wide participation by our people.

How we identify and assess risk

The risk profile is commensurate with the issues and opportunities inherent to our operations as a listed water and wastewater business, and takes into account our statutory and regulatory obligations as well as the expectations of our stakeholders. In this way the profile illustrates risks that represent key elements of major end-to-end processes or systems, in line with our Systems Thinking approach.

The assessment of individual risks considers both the internal and external business environment as well as the effectiveness of cross-business controls. Each risk is sponsored by a senior manager who is responsible for the assessment of the risk, and for implementing preventative and responsive controls, although accountability for different aspects of the controls may lie across various departments. Although operational and project level risk assessment occurs continuously throughout the year, the activity culminates in the biannual Business Unit Risk Assessment (BURA), which reviews the strategic and tactical level business risks that underpin our principal risks (as illustrated in Principal risks and uncertainties). Each business risk is event based, with the assessment considering first the likelihood of the event occurring based on multiple causal factors, and secondly the full range of potential impacts and their severity should the event occur, from a minimum (best case) to a maximum (worst case) scenario.

All business areas are accountable for undertaking the BURA process, which is aligned to the full and half-year reporting cycle. The process involves group level evaluation, benchmarking and calibration to enable a consistent approach, an appreciation of the most significant risks from a financial and reputational context, and an assessment of how these relate to our risk appetite.

Oversight and governance process

The board ensures that its oversight of risk remains effective through a number of established reporting routes.

Twice yearly the board receives a full update on the risk profile as part of the full and half-year reporting cycle. This provides an overview of the nature and extent of risk exposure in the context of the group’s principal risks, and emphasises the most significant risks in both their current state relative to the risk appetite, and target state of acceptable exposure. This practice is in compliance with the UK Corporate Governance Code, and enables reports to be provided to the board for each full and half-year statutory accounting period. The board is therefore able to:

  • Make decisions on the level of risk it is prepared to manage in order to deliver on the group’s strategy;
  • Engage with the business to put appropriate controls in place, and to ask questions and test the appropriateness of plans;
  • Report externally on the long-term viability of the company in an informed manner; and
  • Monitor and review the effectiveness of procedures, systems and risk management thinking.

The most significant risks reflect three categories: the ten highest business risk exposures (likelihood and impact) from across the group (see also Principal risks and undertainties); the ten highest risk exposures with an operational context; and risks that have a remote likelihood of occurrence but a significant impact should they occur. The board is advised of significant new or emerging risks pending assessment, risks which carry serious reputational impact, and those which would not otherwise be reported under the criteria described above, but because of associated uncertainty are kept under a watching brief.

Risk-specific governance and steering groups provide a picture of ongoing individual risks, and these feed into the executive-led Group Audit and Risk Board (GARB), which focuses on governance, risk and compliance.

The audit committee is a fundamental component of the governance structure. Supported by company secretariat and the corporate audit teams, the audit committee reviews the effectiveness of risk management and internal controls before these are considered by the board.

Key developments

Continuous improvement is a key feature of our business risk management framework. In recent years we have matured fundamental aspects of our enterprise-wide risk management approach. This has been delivered through focusing on inherent risk, cross-business assessment of control, response and recovery, as well as prevention and consideration of extreme impacts in addition to more routine impacts. These fully align to our business-wide initiatives for Systems Thinking and resilience, and going forward we will continue to support the maturity of these through the further embedment of the Business Risk Management Framework.

Aligned to this approach is the introduction of a separate New and Emerging Risk forum over the last 12 months. This takes place in addition to the BURA process to ensure that changing circumstances from both the external and internal business environments are taken into account, and we continue to consult with external bodies to keep up to date with potential threats to the sector. In January 2020 we undertook a cross-business assessment of insider risk with the Centre for the Protection of National Infrastructure (CPNI). We have recently set up a dedicated anti-fraud forum to understand potential threats and impacts, and to develop mitigation strategies.

We have carried out a review of the National Risk Register for Climate Change to cross reference our own risk profile and use the assessment parameters to reassess our existing risks in the longer term. This has better enabled us to understand potential impacts and determine future strategies and associated funding requirements.

As a utility company we take part in multi-agency partnerships via Local Resilience Forums (LRFs) and in November 2018 we developed a specific pandemic plan to provide support to our well-established incident management process. This plan has been the basis for our COVID-19 incident management team, which was established in January 2020 to maintain our key operations during the incident, and to promote and support government advice on containment, delay and social distancing.

Figure 2: Governance and reporting process

Our approach is in accordance with the UK Corporate Governance Code and incorporates reporting to the group board for every full and half-year statutory accounting period. This enables the board to:

  • Determine the nature and extent of the principal risks it is willing to take in achieving its strategic objectives;
  • Oversee the management of those risks and provide challenge to executive management where appropriate;
  • Express an informed opinion on the long-term viability of the company; and
  • Monitor risk management and internal control systems and review their effectiveness.

Profile features

Our business risk profile, underpinning the principal risks, consists of approximately 100 risks. Although the profile (as reported to the board) remains relatively static in terms of its headline inherent risk factors, the detail reflects the changing nature of the political and regulatory environment, the transition between the regulatory Asset Management Periods (AMPs), and emerging circumstances including those associated with COVID-19.

From a political and regulatory perspective the final determination in December 2019 saw the crystallisation of tougher targets and penalty/outperformance payment structures for operational risks. While we accepted the final determination, four companies have made a referral to the Competition and Markets Authority (CMA) which has potential implications for the sector as we start to look at the next price review (PR24). The General Election, which took place in December 2019, ended the immediate threat of nationalisation for the water sector and better informed some uncertainties around Brexit. Despite this, uncertainty remains in respect of perceptions of sector legitimacy and Brexit, including the potential for no suitable trade deal with the EU and the potential implications for our supply chain, particularly chemicals.

Looking more closely at operational and programme delivery risk, the transition between AMPs is particularly relevant for our capital programme. This involves AMP6 closedown work and related AMP7 early start, working with new partners and contractors, and delivering novel approaches. This will include the new Direct Procurement for Customers (DPC) methodology and model, which we are utilising for our scheme to replace sections of the Haweswater Aqueduct. While DPC is Ofwat’s favoured approach for certain types of qualifying large projects of significant spend, it brings a number of uncertainties, risks and challenges, including achieving value for money, contract terms and risks, and the effect on the remainder of our operations and financial structures (including our capital structure). Another key change for AMP7 is the introduction of a new customer measure of experience (C-MeX), which looks beyond direct customer experience of operational activity to a broader perception of the company and brand orientation. Climate change remains a key focus area, especially because of its impact on our water resources, asset base and operations, and on the environment that we strive to protect and enhance. Our commitment to the principles set by the Financial Stability Board’s Task Force on Climate-related Disclosures is described in detail on Our approach to climate change

The COVID-19 pandemic has radically changed global economies, compounding a number of the risk exposures already captured within this business risk profile. These include risks in relation to financing performance, revenue and cash collection, and supply chain and operational delivery risks for water and wastewater. As well as considering our existing risks, we work with our trade body (Water UK) to understand additional potential scenarios, their associated implications and to plan mitigation.

Principal risks

We have set out in Principal risks and undertainties in tabular form that could have a material impact on the group’s business model, future performance, solvency or liquidity and reputation. These principal risks are a combination of event-based risks and a description is provided as to how they might cause losses or gains to arise. Areas of potential exposure are illustrated and mitigating controls described. The tables set out individual matters that are currently significant risks, issues or areas of uncertainty, and which could affect our overall risk exposure.

Figure 3: Risk map

















(1)   Political and regulatory

(2)   Conduct and compliance risk

(3)   Water service

(4)   Wastewater service

(5)   Retail and commercial

(6)   Financial

(7)   Supply chain and programme delivery

(8)   Resources

(9)   Security

(10)   Health, safety and environmental

    Risk increased

    Risk decreased

    Risk stable

The risk map provides an indicative only view of the current exposure of each of the principal risks relative to each other: illustrating the likelihood of occurrence relative to the associated internal or external drivers; whether the risk is believed to have increased, decreased or remained stable over the last 12 months; and the most likely impact should an event occur.