The Group has an ongoing process for identifying, evaluating and managing the principal risks that it faces. The Board regularly reviews the process.
The Board considers acceptance of appropriate risks to be an integral part of business and unacceptable levels of risk are avoided or reduced and, in some cases, transferred to third parties. Internal controls are used to identify and manage risk. The Directors acknowledge their responsibility for establishing and maintaining the Group’s system of internal control, and for reviewing its effectiveness. The Group’s system cannot provide absolute assurance but is designed to provide the Directors with reasonable assurance that any significant risks or problems are identified on a timely basis and dealt with appropriately. The Group has established an ongoing process of risk review and certification by the business heads of each operating unit.
Certain of the Group’s businesses are subject to significant risk. Each identified business risk is assessed for its probability of occurrence and its potential severity of occurrence. Where necessary, the Board considers whether it is appropriate to accept certain risks that cannot be fully controlled or mitigated by the Group.
For those businesses that have been part of the Group for the whole of the financial year ended 30 April 2016, the Group’s risk management process was embedded throughout the businesses for that year and up to the date of the approval of this report.
The Board has carried out a review of the effectiveness of the Group’s risk management and internal control environment and such reviews are supported on an ongoing basis by the work of the Audit Committee. The Board is satisfied that processes are in place to ensure that risks are appropriately managed.
The Board has designated specific individuals to oversee the internal control and risk management processes, while recognising that it retains ultimate responsibility for these. The Board believes that it is important that these processes remain rooted throughout the business and the managing director of each operating unit is responsible for the internal control framework within that unit.
Self-assessment of risk conducted by the Directors and senior management is ongoing and has been considered at several levels, with each division maintaining a separate risk profile.
The Group Risk Assurance (or internal audit) function, which was outsourced to and has been managed by Deloitte throughout the year to 30 April 2016, reports to the Audit Committee and is utilised in monitoring risk management processes to determine whether internal controls are effectively designed and properly implemented. In conjunction with the tender for the provision of external audit services for the Group that resulted in the Board’s recommendation to appoint Ernst & Young as the Company’s auditors for the financial year ending 30 April 2017, the Audit Committee oversaw a tender for the provision of internal audit services to the Group. As a result of that tender process, the Group intends to appoint PricewaterhouseCoopers to manage the Group Risk Assurance Function. We expect that appointment to be made and take effect in August 2016, subject to shareholders approving the resolution to appoint Ernst & Young as external auditor in place of PricewaterhouseCoopers at the 2016 Annual General Meeting.
A risk-based approach is applied to the implementation and monitoring of controls. The monitoring process also forms the basis for maintaining the integrity and improving, where possible, the Group’s risk management process in the context of the Group’s overall goals. The Audit Committee reviews Group Risk Assurance plans, as well as external audit plans and any business improvement opportunities that are recommended by the external auditors.
The Group’s risk management process does not specifically cover joint ventures, but the Group maintains an overview of joint ventures' business risk management processes through representation on the boards and in the case of Virgin Rail Group, its audit committee. Stagecoach management representatives also meet regularly with representatives of joint ventures to ensure that they follow appropriate risk management procedures.
Most computers will open PDF documents automatically, but you may need to download Adobe Reader.