Risk 
management

In line with our policy of aligning group corporate governance with international best practice to safeguard the interests of stakeholders, Imperial has implemented an enterprise risk model to identify and assess relevant risks facing the group at strategic, business and operational levels. The group’s risk model is based on ISO 31000:2009 – Risk Management Principles and Guidelines.

The risk assessment process also identifies areas of opportunity, for example, where effective risk management can be turned into a competitive advantage or where taking certain risks could result in reward for the group. Any risk taken is considered within the group’s risk appetite and tolerance levels, which are updated annually.

The group’s business units have different market, operating and financial characteristics. Risk management responsibility and accountability, therefore, vests largely with business unit management structures. They report to the divisional finance and risk review committees, which are overseen by the group audit and risk committees. The group risk committee formalises, standardises and monitors this process, guiding management and assessing their effectiveness in implementing the approved risk management framework.

The board determines the level of acceptable risk and requires operations to manage and report on risk accordingly. Issues and circumstances that could materially affect the group’s reputation constitute unacceptable risk.

A system of internal control is implemented in all key operations and is tailored to each business’s characteristics. It provides reasonable, rather than absolute, assurance that the group’s business objectives will be achieved within prescribed risk tolerance levels. The associated risk areas and control processes are monitored and reported on across the group. Internal audit aligns its procedures with the risks identified. Formal feedback is provided to both divisional finance and risk review committees, as well as at quarterly risk committee meetings.

The group also maintains a comprehensive insurance programme to ensure that material financial consequences of risk events do not result in undue financial impact on group businesses.

In reviewing risk management reports and internal controls, the board has:

• considered what the group’s risks are and how they have been identified, evaluated and controlled
• assessed the effectiveness of the related risk management process, and particularly reports of significant process failings or weaknesses
• considered if the necessary action is being taken timeously to rectify any significant failings or weaknesses
• considered whether results from the review process indicate that more extensive monitoring is required.

An independent review of the group’s risk management alignment with King IV was undertaken by our internal audit function, based on the previous assessment undertaken by PriceWaterhouseCoopers. This concluded that Imperial has applied the principles set out in King IV.