Business Resilience

In a volatile operating environment, every business is presented with a similar set of challenges whether it be economic upheavals, pandemics, geopolitical crises, or regulatory changes.

What sets those companies that struggle apart from those companies that not only survive but thrive is the ability to identify challenges and develop plans to manage through them; or if they can’t be prevented or predicted, the agility and responsiveness to reduce the impact and even take advantage of the opportunities inherent in change.

Embedding the processes and capabilities, and most importantly the mindset, that enables our company to thrive in change is business resilience!

We define business resilience as:

Proactively managing the risks and opportunities that arise from change and uncertainty in order to sustainably grow our business over the long term.

There are 6 key elements of Business Resilience:

The Business Resilience program is a group wide program and applies to all employees, functions and business operations in every country that CCHBC operates within. The program is supported by a series of resilience components that are required to implemented in every business unit, and where applicable in every function. These components are noted below and supported by detailed guidelines which are linked.

The Business resilience program is focused on identifying, assessing and managing all risks and opportunities to the business.

There are 5 components of our Business Resilience program that represent an integrated set of processes carried out by cross-functional teams across all areas of our business.

1.      Risk Management

Risk management is the foundation of our Business Resilience program. It is an integral part of both sound management practice and good corporate governance as it informs short, medium and long-term business planning, enhances decision making, and strengthens management accountability. It is the foundation of our broader Business Resilience program as all resilience elements start from an assessment of risk and opportunity. These assessments inform and drive management plans.

The program is applied to all risks and opportunities – both emerging and current. Although the Group Business Resilience team is responsible for facilitating the risk management process, everyone in the business plays a role in managing risk by identifying risks and opportunities and minimizing uncertainty in a way that enables the Company to achieve its common goals – growing the business; remaining resilient; enhancing stakeholder value; and contributing to the communities and future of every country in which CCHBC operates.

For further information on our Risk Management program as well as our current Principal Risks and Emerging Risks, click here.

2.      Security and Fraud Prevention

Our Security and Fraud Prevention program enhances the resilience of our business by protecting our people, products and infrastructure from injury, loss, destruction, and theft. Aligned information security strategies ensure the confidentiality, integrity and availability of our information and hold the user accountable for the use of that information.

As in all our Business Resilience programs, we take a proactive approach to Security and Fraud Prevention program, focusing on preventing incidents from occurring wherever possible to support and enable a safe working environment for our people and supporting our Property Loss Prevention program. Our Security and Fraud Prevention program is also closely aligned and interconnected with our IMCR, Business Continuity Management, Disaster Recovery, and Emergency Response Planning.

Based on a robust, cross functional risk assessment, Security and Fraud Prevention Plans are developed and implemented for all CCHBC operations and facilities by the BU Risk and Security Leader or equivalent with the support of the Group Business Resilience Team. Security and Fraud Prevention Plans incorporate a set of minimum standards as provided in our Security and Fraud Prevention Manual, with additional measures appropriate to the risk.

3.      Fraud Prevention and Control

CCHBC’s insurance program is an integral element of the Coca-Cola HBC Business Resilience framework. It enables us to reduce the potential financial impact of a number of risks to our business. It provides a level of confidence to our stakeholders that we have appropriate balance sheet protection in the event of an insurable risk event occurring.

The Group Insurance team is responsible for formulating an annual insurance placement strategy based on the aggregated results of risk assessments conducted by business units and at Group level, and collaboration with a number of functional areas. This strategy is reviewed and endorsed by the ELT and the Audit & Risk Committee of the Board who ensure that coverage is appropriate for our Risk Appetite.

The Group Insurance team work closely with our insurance brokers to implement our insurance strategy as well as keeping the Insurance team up to date with insurance market and policy changes. Our brokers liaise with insurers to identify suitable policies and assisting CCHBC with placement. Brokers are also responsible for claims management, coordination and settlement support.

4.      Insurance

Business continuity is the capability of our company to continue to deliver products and services to our customers within acceptable time frames at a predefined capacity despite disruptions to our operations regardless of the cause.

Business Continuity Plans (BCP’s) address how we prepare for and respond to events that may impact our operations. The objectives of the BCPs and program are to:

• Protect the safety of our people, visitors, contractors, and members of the public.
• Avoid or minimize financial and other losses to the business by enhancing our speed to recovery.
• Protect our relationships with our customers and our corporate reputation.
• Encourage best practices in corporate governance.

All business units have a Business Continuity Coordinator who is responsible for leading a cross-functional team to ensure the timely development of the Business Continuity Plans in the BU. These plans are based on a robust, cross-functional assessment of Business Interruption risk which includes risks such as natural disasters and extreme weather, major utility disruptions, fire and industrial accidents, and supply chain disruption. This assessment forms an integral part of all BCPs which are updated and tested annually.

5.      Property loss prevention

Despite all of our best efforts to prevent incidents from occurring, we know that they will occur from time to time.  Our Incident Management and Crisis Resolution (IMCR) program is a global Coca-Cola system approach to crisis management and forms a critical component of our business resilience program. 

The program provides guidance at all management levels for:

• Standardising our response to incidents and potential crises,
• Protecting our people, corporate reputation, and minimizing financial losses.
• Encouraging best practices in Corporate Governance. 

We define an incident as any unintended event or situation that, if not managed effectively could lead to a significant impact on the health and safety of people, major financial impact or negative impact on our relationships with key stakeholders and reputation. It includes our management responses to disasters and emergency situations.

All of our business units are required to have trained IMCR Leaders and IMCR Team as well as an updated IMCR Manual consistent with our Group IMCR Guidelines and aligned with the local TCCC country management team. In addition, a Group IMCR Team and ELT IMCR Team have been identified and there are clear guidelines as to when these teams are notified of incidents and engaged; and how actions are coordinated.

Our BU’s go through an IMCR Validation exercise every two years, that includes a realistic crisis simulation exercise facilitated by a group of senior managers from CCHBC Group and TCCC.

For more information on our IMCR programme, click here.

To support our program, we have established a set of key principles that will improve the maturity of our resilience program, aligned with our leadership values.

Add demonstrable business value.

While some of the elements of our business resilience program do not have a direct, short-term impact on revenue, they will all have a significant impact on growth over time. Business resilience supports better planning and decision making and helps position the company to take advantage of the opportunities provided by change, as well as preventing or reducing any negative impact on the business. Wherever possible, we will measure the success of our program in tangible business value added over the longer term.

This principle is aligned with our Deliver sustainably value.

Proactive and forward looking.

Early identification and management of emerging and current risks and opportunities increases the likelihood that we can take advantage of an opportunity, prevent incidents and/or reduce any negative impact on our business. Our program is focused on anticipating risks and opportunities and acting proactively to prevent incidents and create the best possible outcome for the business.

This principle is aligned with our Deliver Sustainably value.

Resilience components are robust and fully integrated.

The Business resilience components are not functional processes that exist in isolation from one another. Rather they represent a continuum of processes that starts with early identification of risks and opportunities through to management of incidents if they occur. While different people may be engaged at different times the work they do benefits from the outcomes of the previous processes. We recognize that few people engaged in the resilience program are functional specialists. We need to ensure processes are simple but robust and our focus is on useful, actionable outcomes that add value, not necessarily having technically perfect processes.

This principle aligns with our Make it Simple value.

Strong cross-functional engagement.

Strong cross-functional engagement in our business resilience processes ensures broader perspectives and insights and stronger commitment to manage risks and opportunities. There are no risks that exist in functional isolation and no management plans that don’t benefit from cross functional engagement. All assessments and management plans must reflect the perspectives and experience of a broad range of functional experts. Assessments and management plans are not considered robust unless at least 2 functions have been involved in their development.

This principle aligns with our We over I value.

Consistent, capable resilience management at all levels.

It is critical that we have the right functional and professional capabilities in our people to deliver our business resilience program. We will work actively to build capability in each of the Business resilience components in our business units and Group functions. We also recognize that to be truly value adding, resilience management has to be embedded in management practices including planning and decision-making and not seen as a burdensome, bureaucratic process.

This principle aligns with our Make it Simple value.

Data-driven with clear metrics and targets.

While intuition and experience will always be a key input into our assessments and management plans, accurate, relevant data is key to finding patterns, connections and trends and driving insights. We also need objective measures to provide assurance that our programs are achieving intended results, and those results are aligned with the broader metrics and targets of the business.

This principle aligns with our Deliver Sustainably value.

The Board and the Audit and Risk Committee

The Board of Directors, through the Audit and Risk Committee, overseas the establishment and implementation of our Business Resilience program and reviews the effectiveness of the program biannually. The Audit and Risk Committee:

• Establishes with the support of the Board, the level of risk that the business should take in achieving its objectives, through the development and regular review of CCHBC’s Risk Appetite Statement and reviews regular reports on the extent to which the business is operating within the established risk appetite,
• Reviews the Company’s risk and resilience culture to ensure it is embedded in company management processes across all business units and functions,
• Reviews the Company’s emerging and Principal risks and opportunities to ensure that an appropriate range of risks and opportunities are being assessed and that mitigation plans are effective in managing those risks and opportunities,
• Reviews the adequacy of the company’s preparedness to manage disruptive events and incidents and reduce the potential impact of those events and incidents on the business,
• Reviews the level of compliance with the UK Corporate Governance Code.

To support the Board and the Audit and Risk Committee, all Directors receive regular risk management and business resilience training. In 2023, the full Board participated in a risk management workshop run by the Chief Risk Officer.

The Executive Leadership Team

The Executive Leadership Team (ELT) has overall responsibility for business resilience at CCHBC. The ELT:

• Receives biannual reports on emerging and current risks and opportunities to ensure that an appropriate range of risks and opportunities are being assessed, those assessments are robust and accurate and that mitigation plans are effective in managing those risks and opportunities,
• Reviews the adequacy of the company’s preparedness to manage disruptive events and incidents and reduce the potential impact of those events and incidents on the business, including engaging in an annual IMCR exercise.

The ELT is provided specialist advice and guidance by the Chief Risk Officer who leads the Business Resilience function and is accountable for maintaining independent visibility on a broad range of risks to the business and advising on appropriate management plans to reduce risk to the business.

Group Business Resilience Team

The primary role of the Group Business Resilience Team is to facilitate business resilience processes, ensure there is appropriate capability across the business, ensure the program is being implemented effectively and is reviewed regularly. It does this by:

• Monitoring changes in the external environment and communicating useful insights on the potential positive and negative impact of that change,
• Developing and facilitating consistent, robust risk and opportunity management at all levels of the business,
• Identifying and communicating accurate, useful insights that add value to the business,
• Providing guidance to managers on the development of risk and opportunity management plans and ensuring those plans are focused on delivering efficient and effective actions to manage the associated risk and/or opportunity,
• Leading the design and implementation of specialist risk management programs such as security, fraud, insurance, business continuity and crisis management
• Measuring the effectiveness of resilience management programs and developing programs to continually improve programs,
• Providing assurance on the extent to which Business Resilience programs have been effectively implemented within each BU,
• Developing programs to strengthen resilience awareness and embed strong resilience culture within the business,
• Coordinating the functions of the Group Risk and Compliance Committee,
• Providing regular reporting and facilitating discussions with Regional Management Teams, ELT and Audit and Risk Committee of the Board,
• Preparing risk and resilience related reporting for public communications such as the annual report and various external reporting frameworks including sustainability reporting.
• Providing regular training for Group functions and Business Unit managers on Risk Management and Business Resilience principles and how they are implemented within CCHBC.

Group Risk and Compliance Committee

The Group Risk and Compliance Committee is made up of senior managers from a range of functions including managers designated as “risk owners” for each of the risk categories in our risk universe. The Committee acts as a resilience “think tank” and review forum to discuss emerging and current risks and opportunities identified by Group functions and business units. The Committee meets quarterly with two of the four meetings focused on risk and resilience and the other two on compliance. The Committee:

• Reviews the principal risk register as updated by Group functions, ensures a broader cross-functional perspective is applied to those assessments and provides expertise on the effective management of those principal risks,
• Identifies and evaluates emerging risks and opportunities and establishes appropriate early warning processes,
• Reviews the aggregated risks and opportunities that are outcomes from the Business Unit and Regional Risk reviews and provides expertise on development and monitoring of effective mitigation programs.

Business Units

Our General Managers are accountable for ensuring an effective Business Resilience program has been implemented with the BU. This includes:

• Ensuring current and emerging risks and opportunities are regularly identified and assessed and documented in the business unit risk register,
• Ensuring that robust mitigation programs are in place to prevent or reduce any potentially negative impact on the business or take advantage of opportunities,
• Ensuring a monthly review of the key risks and opportunities by the Senior Leadership Team of the business unit,
• Ensuring a biannual review of all Business Resilience components and the effectiveness of the program’s implementation is conducted and presented to the SLT and the Group BR Team,
• Ensuring risks and opportunities are embedded in the BU’s Annual Business Plan and any risks or opportunities that arise that may have an impact on the delivery of the plan are communicated in a timely manner with appropriate Regional and Group managers,
• Ensuring incidents are reported in a timely manner as required under the IMCR program and there are capable IMCR Leaders and IMCR Team in place for the business unit,
• Ensuring active participation by appropriate managers in a Business Resilience Validation every two years.

Internal Audit

The Internal Audit team is independent of the Business Resilience Team. It conducts an annual audit of our Business Resilience program and presents the results of the audit to the Audit and Risk Committee of the Board at the Committee’s December meeting. This provides assurance to the Committee and through the Committee to the Board, that the processes are being implemented effectively at Group and Business Unit level in accordance with this Framework and associated Guidelines and in accordance with the UK Corporate Governance Code. 

In 2023, an independent internal audit was conducted of our Risk Management and Business Resilience program at Group level and in selected business units and the results were presented to the Audit and Risk Committee of the Board.

Group Internal Control

The Group Internal Control Team undertake reviews of the controls that form part of the mitigation plans as they relate to the Business Resilience program. The team reports their findings relating to controls and control deficiencies to the ELT and the Audit and Risk Committee of the Board. 

The Chief Risk Officer will review the Business Resilience Framework and associated Guidelines annually. Business units will be subject to a Business Resilience Validation¹ every two years to demonstrate the Business Resilience program has been effectively implemented.

In addition, The Chief Risk Officer will conduct an annual Business Resilience maturity survey to determine the extent to which the Business Resilience Framework and key principles are understood and are being embedded in our management processes.

¹ _{The Business Resilience Validation is being introduced in selected business units in 2024 and will be introduced across the business in 2025.}