The directors are ultimately responsible for corporate reporting, risk management and internal control and for reviewing effectiveness. There is a regular schedule for the board to consider and carry out a robust assessment of the group’s principal risks including those which would threaten its business model, future performance, solvency or liquidity and to review how these risks are being managed together with the mitigating actions. The principal risks and uncertainties facing the group are set out on pages 16 and 17 of the 2016 annual report. These are regularly reviewed by the board, and the principal risks facing the group have been robustly assessed by the board.
The risk management system is designed to manage, rather than eliminate, the risk of failure to achieve business objectives. There is a continuous process in place for identifying, assessing, managing, monitoring and reporting on the significant risks faced by individual group companies and by the group as a whole.
The Financial Reporting Council updated the provisions of the Code on risk management and internal control in 2014. The revised Code and the new guidance under it apply to SABMiller in respect of the year under review, and the group’s risk management systems have been reviewed to ensure compliance with the revised Code and guidance. The group’s systems of risk management comply with the revised Code and guidance.
Excom has specific responsibility for implementing the group’s system of risk management and views the careful and appropriate management of risk as a key management role. Excom reviews our significant risks and subsequently reports to the board on material changes and the associated mitigating actions. Reviews of the effectiveness of the risk management system, and of the group’s principal risks, were carried out by excom in October and December 2015 and in March 2016 and the summary outputs were reported to the audit committee and board respectively.
Enterprise-wide risk management
Managing business risk to deliver opportunities is a key element of all our business activities, and is undertaken using a practical and flexible framework which provides a consistent and sustained approach to risk evaluation. Business risks, which may be strategic, operational, financial or environmental, or concern the group’s reputation, are understood and visible. The business context determines in each situation the level of acceptable risk and controls.
Key features of our system of risk management are:
- group statements on strategic priorities, purpose and values;
- clear business objectives and business principles;
- an established risk policy;
- a continuous process for identification and evaluation of significant risks to the achievement of business objectives;
- management processes to mitigate significant risks to an acceptable level;
- continuing monitoring of significant risks and internal and external environmental factors that may change our risk profile; and
- a regular review of both the type and amount of external insurance purchased, bearing in mind the availability of cover, its cost and the likelihood and magnitude of the risks involved.
In addition to excom’s regular reports to the board on key risks, there is a process of regular reporting to the board through the audit committee on the status of the risk management process. Strategic planning, internal audit and other risk control specialist processes are integrated into line management’s risk processes and simplified risk reporting.
Key reports include those that identify, assess and monitor strategic, financial, reputational and operational risks in each country, division, group function and on a group basis.