Risk Management and Internal Control

The Board is responsible for maintaining and reviewing the effectiveness of our risk management activities, from a strategic, financial and operational perspective. These activities are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives or to successfully deliver our business strategy. 

We’ve built the risk management framework to identify, assess, respond to, report on and monitor the risks that threaten our ability to achieve our business strategy and objectives, within our risk appetite.

Risks are owned and managed within the business, and reviewed by our businesses at least quarterly. This is our first line of defence. Global governance teams form a second line of defence: they review risks and controls, including those relating to information security, regulatory compliance and business continuity. Internal Audit independently and objectively assesses our risks and controls. The results of these reviews feed into our quarterly reporting cycle.

Our risk identification processes follow a dual approach: 

  • A bottom-up approach at a business unit or country level. This identifies the risks that threaten an individual business unit's activity and which the business unit manages. To give us visibility of wider issues within the business, we consolidate these risks at the regional and global level, and escalate higher-rated risks to the regional and executive risk management committees.
  • A top-down approach at the global level. This identifies the principal risks that threaten the delivery of our strategy and objectives. The diagram below summarises our principal risk profile.