Risk Management


Risk management is the foundation of our Business Resilience program. Our risk management program is consistent with ISO 31000.

Governance

The Board and the Audit and Risk Committee

The Board of Directors, through the Audit and Risk Committee, oversees the establishment and implementation of our Business Resilience program and reviews the effectiveness of the program biannually. The Audit and Risk Committee:

  • Establishes, with the support of the Board, the level of risk that the business should take in achieving its objectives, through the development and regular review of CCHBC’s Risk Appetite Statement, and reviews regular reports on the extent to which the business is operating within the established risk appetite,
  • Reviews the Company’s risk and resilience culture to ensure it is embedded in company management processes across all business units and functions,
  • Reviews the Company’s emerging and Principal risks and opportunities to ensure that an appropriate range of risks and opportunities are being assessed and that mitigation plans are effective in managing those risks and opportunities,
  • Reviews the adequacy of the company’s preparedness to manage disruptive events and incidents and reduce the potential impact of those events and incidents on the business,
  • Reviews the level of compliance with the UK Corporate Governance Code.

Three Lines of Defence Model

Our program follows the “Three Lines of Defence Model”.

The first line involves managers in all functions within our business units taking responsibility for identifying, assessing and managing risks in our day-to-day operations consistent with our Business Resilience Framework and Risk Management Guidelines. All business units have designated risk coordinators responsible for the coordination of the process, supported by a risk sponsor who is a member of the BU senior leadership team. BU function heads are responsible for managing risks identified and assessed through that process. Risk assessments and management plans are recorded in the BU risk register. At least once a month, the BU senior leadership team reviews the key operational risks to the business and ensures actions are being taken to keep risks within tolerance levels determined by the Board through the Risk Appetite Statement.

The second line includes the Group Business Resilience Team (BRT), led by the Chief Risk Officer, who are responsible for implementing, facilitating and monitoring the risk management process. The BRT has visibility of all BU risk registers and regularly monitors, analyses and reports risks and the effectiveness of the management of risks across BUs, Regions and the Group. These reports are reviewed by the Regional Directors and their teams, and biannually by the Group Risk and Compliance Committee (GRCC). The GRCC is made up of all Group Function Heads, who serve as risk category owners. In this role they establish standards, policies and expectations for the management of risks within their area of responsibility and regularly review the implementation of management plans across the Group. They are also responsible for establishing the risk tolerance level for each risk in alignment with the Risk Appetite Statement established by the Board. The Chief Risk Officer consolidates the outcomes of all risk assessments and reviews in a report to the Executive Leadership Team and the Audit and Risk Committee of the Board each quarter.

Our third line consists of our Internal Audit Team. The Internal Audit Team operates independently of operating units and Group functions and conducts an annual audit of the Business Resilience Program, including the implementation of our Risk Management program. The Internal Audit Team ensures that risks are managed within tolerances established through the Board’s Risk Appetite Statement and that the risk program is being implemented effectively. The Team reports its findings directly to the Audit and Risk Committee of the Board.


Risk Assessment Process

All actions we take to ensure we can continually adjust to changes in our operating environment, whether current or future, start with a robust assessment of risks and opportunities.

We have a structured process for conducting risk assessments in all areas of our business. Risk assessments are a key management decision support tool and are used across our business in various business planning, project management and investment decisions. In summary that process is:

Figure 1: Summary of risk assessment process

1. Identify.

The risk and its risk category are selected from our “risk universe”, a comprehensive list of all potential risks to our business. The risk universe is updated annually. Each risk is described both as a potential negative event and as a potential positive event, or opportunity, for the business.

2. Evaluate likelihood.

Likelihood is evaluated on a 5-point scale from “Rare” to “Almost certain” using a table that defines each level.

3. Evaluate impact.

Impact, also referred to as magnitude or consequences, is evaluated on a 5-point scale from “Insignificant” to “Critical” using a table that defines each level. In addition to potential financial impact, we also consider reputation, health and safety, management effort, environment and sustainability, and customer impact.

4. Determine inherent risk.

The level of inherent risk is determined from a 5 x 5 matrix with the level of likelihood on one axis and the level of impact on the other. The matrix is impact weighted: a risk that is certain to occur but has insignificant impact is not as relevant as a risk that is rare but could have a critical impact. Any risk that has an inherent risk level of 4 (“High”) or 5 (“Critical”) on a Group basis is considered “material” and subject to quarterly reporting to the Audit & Risk Committee for review of mitigation actions.

5. Evaluate mitigation effectiveness.

The effectiveness of current plans and actions to mitigate the risk is evaluated on a 5-point scale from “none” to “fully effective” using a table that defines each level. Mitigation actions may reduce the likelihood of the risk manifesting, reduce the impact on the business if it does manifest, or, as is usually the case, both.

6. Determine residual risk.

The level of residual risk, the risk that remains after accounting for mitigation plans and actions, is determined using a 5 x 5 matrix with the level of inherent risk on one axis and the level of mitigation effectiveness on the other. Residual risk is described on a 5-point scale from “Very Low” to “Critical”.

7. Determine whether the risk is within tolerance.

A level of tolerance is established for every risk in the risk universe based on the Risk Appetite Statement established by the Board. Any risk with a residual risk higher than the stated tolerance level is considered “out of tolerance”, and actions are required to improve mitigation effectiveness and bring the risk back within tolerance. We accept that in some rare cases risks may remain “out of tolerance” because we have little control over them. In such cases we strive to mitigate them as best we are able. Risks that are out of tolerance are reported to the Audit and Risk Committee and the Board for review.

8. Monitor indicators and KPIs.

We continually monitor the operating environment for key risk indicators that may signal the risk is changing; such a signal triggers a review of the assessment. We also monitor agreed KPIs for each risk to ensure our mitigation actions remain effective.
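As an added illustration, not the company's own tooling, the following Python model walks a risk through steps 2 to 8 above (likelihood and impact scores, an impact-weighted inherent-risk matrix, materiality, mitigation effectiveness, the residual-risk matrix, the tolerance check and a key-risk-indicator trigger). The matrix contents, scale labels, tolerance values and register entries are assumptions, since the page describes the matrices but does not publish them.

```python
# Model of the eight-step assessment described above. Matrices, labels,
# tolerances and register entries are ASSUMED; the page does not publish them.
from dataclasses import dataclass

LEVEL = ["Very Low", "Low", "Medium", "High", "Critical"]  # levels 1..5 (assumed labels)
# Assumed impact-weighted inherent-risk matrix: row = likelihood 1..5 (Rare ..
# Almost certain), column = impact 1..5 (Insignificant .. Critical), so
# "Almost certain" x "Insignificant" scores 2 while "Rare" x "Critical" scores 4.
INHERENT = [[1, 1, 2, 3, 4],
            [1, 2, 2, 3, 4],
            [1, 2, 3, 4, 5],
            [2, 2, 3, 4, 5],
            [2, 3, 4, 5, 5]]
# Assumed residual-risk matrix: row = inherent level 1..5,
# column = mitigation effectiveness 1..5 ("none" .. "fully effective").
RESIDUAL = [[1, 1, 1, 1, 1],
            [2, 2, 1, 1, 1],
            [3, 3, 2, 2, 1],
            [4, 4, 3, 2, 2],
            [5, 5, 4, 3, 2]]

@dataclass
class Assessment:
    risk: str
    inherent: int      # step 4
    material: bool     # inherent High/Critical -> quarterly Audit & Risk Committee reporting
    residual: int      # step 6
    tolerance: int     # step 7, set per risk from the Risk Appetite Statement
    in_tolerance: bool

def assess(risk, likelihood, impact, mitigation, tolerance):
    """Steps 2-7 for one risk; every score is an integer on the 1..5 scale."""
    for score in (likelihood, impact, mitigation, tolerance):
        if not 1 <= score <= 5:
            raise ValueError("scores must be on the 1..5 scale")
    inherent = INHERENT[likelihood - 1][impact - 1]
    residual = RESIDUAL[inherent - 1][mitigation - 1]
    return Assessment(risk, inherent, inherent >= 4, residual, tolerance, residual <= tolerance)

def review_triggered(kri_readings, thresholds):
    """Step 8: a key risk indicator at or above its threshold triggers re-assessment."""
    return sorted(k for k, v in kri_readings.items() if v >= thresholds.get(k, float("inf")))

if __name__ == "__main__":
    register = [assess("Cyber attack on plant OT (constructed)", 3, 5, 3, 2),
                assess("Short ERP outage (constructed)", 5, 1, 2, 3)]
    for a in register:
        print(f"{a.risk}: {LEVEL[a.inherent - 1]} -> {LEVEL[a.residual - 1]}, "
              f"{'within' if a.in_tolerance else 'OUT OF'} tolerance")
    print(review_triggered({"unpatched_hosts_pct": 12}, {"unpatched_hosts_pct": 10}))
```

The first constructed entry illustrates the impact weighting: a "Possible" but "Critical" cyber risk is material and stays out of tolerance even with partially effective mitigation, whereas the "Almost certain" but "Insignificant" outage never becomes material.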


Risk Review and Reporting

Our company’s operational risk exposure is assessed and reviewed monthly by the senior leadership team and General Manager of each BU using the process described above. The outcomes of these assessments are recorded in the BU risk registers, of which the Group Business Resilience Team has full visibility.

On a regular basis, the BRT collates and analyses risks across Regions and the Group as a whole, looking for trends, ensuring compliance with the process and checking that assessments are robust. Where required, the BRT can take immediate action in collaboration with the Region teams and Group functions to address risks contained in the registers. The Chief Risk Officer facilitates a biannual review with the Region Directors and their management teams, to which the General Managers of each BU are also invited. The Region review also provides an important cross-functional and cross-BU calibration function.

A Chief Information Security Officer (CISO) has been appointed, reporting to the Chief Technology and Digital Transformation Officer, who is a member of the Executive Leadership Team (ELT). The CISO is responsible for establishing the Group’s vision, strategy and programme to ensure information assets, plants and technologies are protected. The CISO works with the CRO to facilitate assessment of all current and emerging risks associated with cyber security in accordance with our risk management program.

The outcomes of the Region reviews are discussed at biannual Principal Risk reviews facilitated by the Chief Risk Officer and involving a cross-functional team of Group function heads and key managers. These reviews ensure that risks are reviewed across the Group and that mitigation plans are applied appropriately and consistently across all BUs. The outcomes of these reviews are discussed at the quarterly meetings of the Group Risk and Compliance Committee to ensure a broad cross-functional perspective.

The outcomes of these reviews are collated by the BRT and presented to the Executive Leadership Team and the Audit and Risk Committee quarterly by the Chief Risk Officer. Principal Risks are also reported annually in the Company’s Integrated Annual Report as well as on our website.

Principal and Emerging Risks

Read more on our strategic pillars, which provide the context that guides us in managing the risks faced by our business.