Risk management and internal control
The Group operates a rigorous system of risk management and internal control, which is designed to ensure that the possibility of misstatement or loss is kept to a minimum. There is a comprehensive system in place for financial reporting and the Board receives a number of reports to enable it to carry out these functions in the most efficient manner. These procedures include the preparation of management accounts, forecast variance analysis and other ad hoc reports. There are clearly defined authority limits throughout the Group, including those matters which are reserved specifically for the Board.
The Board has applied principle C.2 of the UK Corporate Governance Code by establishing a continuous process for identifying, evaluating and managing the significant risks the Group faces and for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The Board regularly reviews the process, which has been in place from the start of the year to the date of approval of this report and which is in accordance with revised guidance on internal control published in October 2005 (the Turnbull Guidance). The Board is also responsible for the Group's system of internal control and for reviewing its effectiveness. Such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.
In compliance with provision C.2.1 of the Code, the Board regularly reviews the effectiveness of the Group's risk management and internal control systems. The Board's monitoring covers all controls, including financial, operational and compliance controls and risk management. It is based principally on reviewing reports from management to consider whether significant risks are identified, evaluated, managed and controlled and whether any significant weaknesses are promptly remedied and indicate a need for more extensive monitoring. The Board has also performed a specific assessment for the purpose of this annual report. This assessment considers all significant aspects of risk management and internal control arising during the period covered by the report, including the work carried out by the Group’s Store Compliance team. The Audit Committee assists the Board in discharging its review responsibilities.
A formal risk identification and assessment exercise has been carried out resulting in a risk framework document summarising the key risks, potential impact and the mitigating factors or controls in place. The Board have a stated policy of reviewing this risk framework at least once a year or in the event of a material change. The risk identification process also considered significant non-financial risks.
During the reviews, the Directors:
- challenged the framework to ensure that the list of significant risks to business objectives is still valid and complete;
- considered new and emerging risks to business objectives and included them in the framework if significant;
- ensured that any changes in the impact or likelihood of the risks are reflected in the risk framework; and
- ensured that there are appropriate action plans in place to address unacceptable risks.
The results of the exercise have been communicated to the Board and the Audit Committee. This was in the form of a summary report which included:
- a prioritised summary of the key risks and their significance;
- any changes in the list of significant risks or their impact and likelihood since the last assessment;
- new or emerging risks that may become significant objectives in the future;
- progress on action plans to address significant risks; and
- any actual or potential control failures or weaknesses during the period (including "near misses").
During the course of its review of the risk management and internal control systems, the Board has not identified, nor been advised of any failings or weaknesses which it has determined to be significant, consistent with the prior year. Therefore, a confirmation in respect of necessary actions has not been considered appropriate.