86 John Lewis Partnership plc Annual Report and Accounts 2016 Audit and Risk Committee report (continued)
Risk management and
internal audit activities The Partnership’s approach to risk management, our framework, risk appetite and governance structure are detailed on pages 52 to 57.
Key roles and responsibilities are included below. Responsibilities
Partnership Board Overall responsibility for the risk management framework and key risk decisions. Reviews principal risks and mitigating actions regularly with the support of the Chairman’s Committee.
Audit and Risk Committee
Provides assurance to the Board on internal controls and the risk management process. Monitors internal control and risk management processes.
Executive Management
Identifies and evaluates the principal business risks. Implements and maintains systems for managing those risks in an efficient and effective manner, through support from Divisional Risk Committees.
The Audit and Risk Committee seeks assurance from the work of the Internal Audit and Risk teams, which provide objective assurance on the effectiveness of those arrangements through the delivery of a risk-based work plan and risk management activities. The Head of Internal Audit and Risk reports functionally to the Chair of the Committee and operationally to the Group Finance Director.
Monitoring during the year
The Board has evaluated the Partnership’s risk management and internal control systems with the support of the Chairman’s Committee and the Audit and Risk Committee, on a quarterly basis. It has stress-tested the business plan in relation to the relevant principal risks and monitored the Partnership’s performance on a quarterly basis.
Ongoing monitoring has been implemented by the Board through the regular allocation of specific time to understand and assess risk management and internal control weaknesses across strategic, operational, financial and compliance areas at Board meetings; and discussion with Executive Management. The Board and Chairman’s Committee have also invited Executive Management to present on risks and mitigating activities this year in order to support their ongoing assessment in areas such as cyber security and IT infrastructure, change, pensions and talent management.
The Board has an overall risk appetite for the business to operate within. With the support of the Chairman’s Committee, it has reviewed Divisional Board mapping of risk profiles against the Partnership’s appetite for risk, and taken decisions to further reduce or tolerate risk if appropriate, working closely with Divisional Management. The Partnership is currently upgrading its risk management software to improve the efficiency, clarity and consistency of future risk reporting.
The Board has reviewed control weaknesses identified. Improvements in internal controls in these processes are underway to improve Partner and customer experiences and protect revenue to support the overall sustainability of our business.
The Partnership’s systems of risk management and internal control
Risk management Assessing and managing risk is fundamental to safeguarding our Partners’ interests, protecting our reputation, complying with regulatory standards and achieving our business objectives.
To enable this, the Partnership has a risk management framework, including a process for how we identify, evaluate, manage and monitor the principal risks faced by the Partnership, supported by tools, dedicated Partners and a risk governance structure. Further details on this can be found on pages 52 to 57, along with details of our principal risks and how we mitigate them. During the year, our Risk Policy has been revised and approved to reflect developments of the risk management framework and a Risk Manual has been approved to provide detailed guidance for Partners on the framework.
Internal control The systems of internal control we have established are designed to manage, rather than eliminate, the risk that is inherent in pursuit of our business objectives. As a consequence, our internal controls can only provide reasonable, and not absolute, assurance against material misstatement or loss.
The Audit and Risk Committee monitors the development of our policies and systems for identifying, evaluating and managing the principal risks throughout the Partnership. The Committee has reviewed the principal risks identified by the Board and progress in mitigating activities on a quarterly basis.
Strategic risks i.e. risk of us ‘taking the wrong investment decision’
Operational risks i.e. risk of us ‘doing the right thing, in the wrong way’
Financial risks i.e. risk of us ‘doing things in a way that loses money or incurs unnecessary liabilities’
Compliance risks i.e. risk of us ‘not complying with applicable laws and regulations’
The Committee has reported quarterly to the Partnership Board, which seeks assurance that the systems of internal control for risk management are operating effectively. Reporting is through the work of internal audit, presentations from Executive Management and the minutes of the Divisional Risk Committees.
At the end of the year, the Committee conducted an annual review of the effectiveness of the risk management framework, supported by a self-certification exercise by management. No material issues were highlighted through this year’s review.
In response to the increasing external threat of an information security breach or cyber attack, the Committee has focussed on plans to improve our resilience and our IT controls development throughout 2016; and we have appointed a Data Privacy and Information Security Officer. The Divisions and Internal Audit have tested key controls over material financial risks and an assurance mapping exercise is underway to assess key controls over our wider principal risks. The Committee has also been focussed on reviewing controls to support an improved customer and Partner experience.
The focus for the year ahead is to continue to develop reporting against our risk indicators for our principal risks to support management’s proactive decision-making, complete the Partnership-wide assurance mapping exercise and improve the efficiency, clarity and consistency of risk-reporting through the implementation of risk software.
The Partnership’s approach
to internal audit Partnership Internal Audit is an independent and objective assurance and advisory function, operating to add value to the business through improving and assuring systems of risk management and control.
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60 |
Page 61 |
Page 62 |
Page 63 |
Page 64 |
Page 65 |
Page 66 |
Page 67 |
Page 68 |
Page 69 |
Page 70 |
Page 71 |
Page 72 |
Page 73 |
Page 74 |
Page 75 |
Page 76 |
Page 77 |
Page 78 |
Page 79 |
Page 80 |
Page 81 |
Page 82 |
Page 83 |
Page 84 |
Page 85 |
Page 86 |
Page 87 |
Page 88 |
Page 89 |
Page 90 |
Page 91 |
Page 92 |
Page 93 |
Page 94 |
Page 95 |
Page 96 |
Page 97 |
Page 98 |
Page 99 |
Page 100 |
Page 101 |
Page 102 |
Page 103 |
Page 104 |
Page 105 |
Page 106 |
Page 107 |
Page 108 |
Page 109 |
Page 110 |
Page 111 |
Page 112 |
Page 113 |
Page 114 |
Page 115 |
Page 116 |
Page 117 |
Page 118 |
Page 119 |
Page 120 |
Page 121 |
Page 122 |
Page 123 |
Page 124 |
Page 125 |
Page 126 |
Page 127 |
Page 128 |
Page 129 |
Page 130 |
Page 131 |
Page 132 |
Page 133 |
Page 134 |
Page 135 |
Page 136 |
Page 137 |
Page 138 |
Page 139 |
Page 140 |
Page 141 |
Page 142 |
Page 143 |
Page 144 |
Page 145 |
Page 146 |
Page 147 |
Page 148 |
Page 149 |
Page 150 |
Page 151 |
Page 152 |
Page 153 |
Page 154 |
Page 155 |
Page 156 |
Page 157 |
Page 158 |
Page 159 |
Page 160 |
Page 161 |
Page 162 |
Page 163 |
Page 164 |
Page 165 |
Page 166 |
Page 167 |
Page 168
