Risk Management and Internal Control

The Board is responsible for maintaining and reviewing the effectiveness of our risk management activities from a strategic, financial and operational perspective. These activities are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives or to successfully deliver our business strategy.

The risk management process is designed to identify, assess, respond to, report on and monitor the risks that threaten our ability to achieve our business strategy and objectives, within our risk appetite.

We follow the Three Lines of Defence approach to risk management. Risks are owned and managed within the business (First Line of Defence) and reviewed by our businesses at least quarterly. Global governance teams (the Second Line of Defence) review risks and controls, including those relating to information security, compliance and business continuity. Global Internal Audit, as the Third Line of Defence, assesses our risks and controls independently and objectively. The results of these reviews feed into our reporting cycle through the risk management governance structure.

Our risk identification processes follow a dual approach:

  • A bottom-up approach at a business unit or country level. This identifies the risks that threaten an individual business unit activity. To provide visibility of issues across the business, we consolidate these risks at a regional and global level, then escalate to the Risk Management Committees.

  • A top-down approach at the global level. This identifies the principal risks that threaten the delivery of our strategy. The diagram below summarises our principal risk profile.