Effective risk management underpins the delivery of our objectives. It is essential to protecting our reputation and generating sustainable shareholder value.
Risk management and internal control
Balfour Beatty’s risk management policy demonstrates the Board’s commitment to meeting the relevant requirements of the Code.
Through adoption of the policy, the Board accepts its responsibility to establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the Company is willing to take in order to achieve its long-term strategic objectives. As part of its ongoing system of monitoring and control reporting, the Board is also informed of any emerging risks that are faced by the Group, including potential impacts and timeframes and the required responses.
More information on the principal and emerging risks faced by the Group is found on pages 92 to 102 of the 2020 Annual Report.
Balfour Beatty’s approach to risk management seeks to reduce the likelihood of risk events occurring, limit or remove any negative impact of those events, and identify opportunities where taking risks may benefit the Group. The Enterprise Risk Management (ERM) framework is integral to this approach and, as such, undergoes regular review as part of the ongoing monitoring of, and response to, changes to the Group’s risk profile and business operating model.
Roles and responsibilities
The Board is responsible for the establishment and oversight of Balfour Beatty’s ERM framework and embedding an effective risk management culture. The Board establishes the Group’s risk attitude and appetite by directing the level of risk that can be taken by the Group and its strategic and individual business units without specific approval. Group policies, procedures and delegated authority levels set by the Board provide the structure within which risks are reviewed and escalated to the appropriate level, up to and including the Board, for consideration and approval.
The roles and responsibilities of the Board, its Committees, strategic business unit and individual business unit management are set out opposite.
Balfour Beatty’s ERM framework comprises the policy, operating standards and associated procedures and supporting tools to identify, assess, respond to and monitor risk. Risk registers across the Group are maintained within the bespoke ERM system, IRIS (Intelligent Risk Information System), which enables increased oversight and central review as well as consistency in the application of the process at all levels of the organisation.
In 2020, the roll-out of IRIS into the US business has increased visibility of risk profiles and enables the consistent roll-up of operational and business risk profiles to Group level.
As mandated in the Balfour Beatty risk management policy, business units and enabling functions are responsible for ensuring that effective arrangements, and management controls, are established and implemented across their organisation, and escalated to Group management as relevant.
Balfour Beatty is relentless in ensuring that a positive risk management culture remains embedded at all levels. This is achieved through senior management ownership and application of the framework at each level of the organisation, ensuring that effective risk identification and management aligned to appetite remain at the heart of key decision making.
Risk management is central to the work winning and project delivery process and an assessment of risk is built into each stage within the Gated Business Lifecycle, informing decisions to proceed to the next stage. As an opportunity develops, detailed analysis of risks which have the potential to influence a project’s ability to meet its objectives, including the achievement of expected contract targets and the meeting of client expectations, is performed and associated mitigation strategies are challenged.
The Circles of Risk act as a prompt to ensure early consideration is given to the pursuit of an opportunity as it aligns to risk appetite, and provide guidance on the identification of potential project-level risk themes and associated mitigation to support the decision-making process. For more information on the Circles of Risk see page 89 of the 2020 Annual Report.
In addition, the Board’s delegated authority levels act as triggers for the escalation of matters requiring approval as the opportunity proceeds through the gates at bid stage. This means projects above a certain value, or those with bespoke aspects such as a move into new markets, require approval by the Group Tender and Investment Committee or the Board, as appropriate.
Escalation and reporting structures ensure that risk oversight is rigorously applied at all levels of the business from operational review through to scrutiny by the Executive Risk Steering Group (ERSG) and the Board. The ERSG monitors any changes in the Group’s risk profile and its members act as the executive sponsor for risk management within their respective businesses and functions, ensuring that the Group risk profile is informed by business and operational risk trends.
It remains vital that the Group’s approach to risk management continues to be reflective of the shape and direction of the business and the wider industry. The Group Risk Register was further reviewed, streamlined and refreshed in 2020 as part of the biannual formal review of the Group’s risk profile to verify that all identified risks and associated controls have been appropriately assessed and have an allocated owner at senior management level.
The Board has ultimate responsibility for the Group’s internal control and risk management systems and regularly reviews their effectiveness. The Group’s systems and controls are maintained centrally on the Business Management System (BMS) and are designed to ensure exposure to significant risk is both understood and appropriately managed. The Board recognises that any system of internal control is designed to identify and control rather than eliminate risk and can only provide reasonable and not absolute assurance against material misstatement or loss. In addition, not all the material joint ventures in which the Group is involved sit wholly within Balfour Beatty’s internal control environment. Where this is the case, separate systems of internal control and risk management are applied as agreed between the joint venture partners (2020 Annual Report, page 133).
Central to the Group’s systems of internal control are its processes and framework for risk management. These align with the Financial Reporting Council’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting and were in place throughout 2020 and up to the date of signing this report. The Group has a thorough understanding of its risk exposures and has in place a key control statement.
Topics covered by policies, standards and expectations include but are not limited to:
- a comprehensive system of delegated authorities from the Board to management with certain matters reserved by the Board;
- monthly financial reporting against budgets and the review of results and forecasts by executive Directors and management, including particular areas of business or project risk. This is used to update management’s understanding of the environment in which the Group operates and the methods used to mitigate and control identified risks;
- annual review of the strategy and plans of each business and of the Group as a whole to identify risks to the achievement of objectives and, where appropriate, any relevant mitigating actions;
- a comprehensive suite of policies, manuals and instructions setting out the requirements of the Group finance function covering the financial management of the Group, including but not restricted to arrangements with the Group’s bankers and bond providers, controls on foreign exchange dealings and management of currency and interest rate exposures, application of accounting policies and financial controls;
- risk management expectations which are embedded throughout the Group and held on the BMS;
- enhanced systems for the management and reporting of risk which have been deployed throughout the Group;
- reviews and tests by the internal audit function of critical business financial processes and controls and specific reviews in areas of perceived high business risk;
- review and authorisation of proposed investment, divestment and capital expenditure through the Board and Board Committees;
- regular reporting, monitoring and review of the effectiveness of health, safety, environment and sustainability processes. These processes are subject to independent audit and certification to internationally recognised standards as appropriate;
- legal and regulatory compliance risks which are addressed through specific policies and training on such matters as business integrity, competition and data protection laws; and
- promotion of a culture of compliance with ethics and integrity responsibilities to help manage legal and reputational risks across the Group. A ‘Speak Up’ ethics helpline encourages staff to raise concerns, in confidence, about possible breaches of the Code of Conduct.
There is also an independent internal audit function that executes a risk-based programme of audit throughout the entire Group. All audit reports are shared with relevant management in addition to being reviewed by the Audit and Risk Committee; see pages 130 and 131 of the 2020 Annual Report.
It is the expectation and requirement of the Board that business unit, enabling function and shared services management teams ensure this comprehensive internal control environment (including internal audit) is embedded within their respective areas.