Strong and effective risk management is at the heart of how the directors run the business and supports the achievement of the Group's strategic objectives.
Risk management process
The board has overall responsibility for the Group's risk management and systems of internal control and for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. An ongoing process has been established for identifying, evaluating and managing the significant risks faced by the Group.
The audit committee, on behalf of the board, formally reviews risks and mitigations for the Group and each of the businesses on a biannual basis. The key elements of this risk management process are:
- Senior management from all key disciplines and businesses within the Group continue to be involved in the process of risk assessment and monitoring in order to identify and assess Group objectives, key issues and controls. Further reviews are performed to identify and monitor those risks relevant to the Group as a whole. This process feeds into our assessment of long-term viability and encompasses all aspects of risk, including operational, compliance, financial, strategic, environmental, social and governance ('ESG') issues.
- Identified risk events, their causes and possible consequences are recorded in risk registers. Their likelihood and potential business impact and the control systems that are in place to manage them are analysed and, if required, additional actions are developed and put in place to mitigate or eliminate unwanted exposures. Individuals are allocated responsibility for evaluating and managing these risks within an agreed timetable.
- The Group establishes its risk appetite through use of delegated authorities so that matters considered higher risk require the approval of senior management or the board. These include, but are not limited to, tender pricing, bid submissions, approval of contract variations and final account settlements, capital requirements, procurement, and certain legal and strategic matters.
- Ongoing risk management and assurance is provided through various monitoring reviews and reporting mechanisms, including the executive risk committee (chaired by the chief executive officer) which convenes on a weekly basis and has the primary responsibility to identify, monitor and control significant risks to an acceptable level throughout the Group. The committee receives information on relevant risk matters from a variety of sources on a regular basis.
- Subsidiary company boards consider and report on risk on a monthly basis as part of the monthly business review process. This process is followed to ensure that, as far as possible, the controls and safeguards are being operated in line with established procedures and standards.
- On a quarterly basis, the significant risks identified by the Group's businesses are discussed in detail with each management team. In addition, the Group finance director, Group legal director and Group IT director meet on a quarterly basis to review IT risks facing the Group. The outcome of these discussions is collated and reported to the executive committee.
- The risk registers of each business, together with the Group IT risk register, are updated and, together with a consolidated Group risk register compiled by the executive committee, are reported to the audit committee twice yearly, to ensure that adequate information in relation to risk management matters is available to the board and to allow board members the opportunity to challenge and review the risks identified and to consider in detail the various impacts of the risks and the mitigations in place.
- A Group assurance map is used to co-ordinate the various assurance providers within the Group and a compliance framework provides the board with a ready reference tool for monitoring compliance across the Group.
First line of defence
- Project management procedures
- Health and safety
- Financial control
- Cash and working capital management
Second line of defence
- Group authorisation policy
- Contract sign-off process
- Purchase guidelines
- Quality manual
- SHE policies
- Executive committee, risk committee and safety leadership team
- Audit committee
- Nominations committee
Third line of defence
- External audit
- Internal audit
- Other third party assurance
Three lines of defence
The Group manages risk by operating a 'three lines of defence' assurance model (management activity, Group oversight and independent review), which is mapped against the Company's principal risks. This process is summarised in the Group assurance map.
A. First line of defence: management activity
The first line of defence involves senior management implementing and maintaining effective internal controls and risk management procedures. These internal controls cover all areas of the Group's operations. There are inherent limitations in any system of internal control and, accordingly, even the most effective system can provide only reasonable, and not absolute, assurance against material misstatement or loss. The system is designed to manage rather than eliminate the risk of failure to achieve the Group's objectives.
The key features of the Group's framework of internal controls are as follows:
Project management procedures — project risk is managed throughout the life of a contract from the tender stage to completion. Individual tenders for projects are subject to detailed review with approvals required at relevant levels and at various stages from commencement of the tender process through to contract award. Tenders above a certain value and those involving an unusually high degree of technical or commercial risk must be approved at a senior level within the Group.
Robust procedures exist to manage the ongoing risks associated with contracts. Regular monthly contract reviews to assess contract performance, covering both financial and operational issues, form an integral part of contract forecasting procedures.
Health and safety — SHE issues and risks are continually monitored at all sites and are reviewed on a monthly basis by senior management and the board. The Group has a well-developed health and safety management system for the internal and external control of health and safety risks which is managed by the Group SHE director. This includes the use of risk management systems for the identification, mitigation and reporting of health and safety management information.
Financial control — the Group maintains a strong system of accounting and financial management controls. Standard financial control procedures operate throughout the Group to ensure the integrity of the Group's financial statements.
The Group operates a comprehensive budgeting and forecasting system. Risks are identified and appraised throughout the annual process of preparing budgets. The annual budget and quarterly forecasts are approved by the board.
A formal quarterly review of each business's year-end forecast, business performance, risk and internal control matters is carried out by the directors of each business unit with the chief executive officer, Group finance director and chief operating officer in attendance.
Cash and working capital management — cash flow forecasts are regularly prepared to ensure that the Group has adequate funds and resources for the foreseeable future and is in compliance with banking covenants. Each business reports its cash position daily. Actual cash performance is compared to forecast on a weekly basis.
B. Second line of defence: Group oversight
The first line of defence is supported by certain Group policies, functions and committees which, in combination, form the second line of defence.
Group policies — internal controls across financial, operational and compliance systems are provided principally through the requirement to adhere to the Group finance manual, divisional procedures and a number of Group-wide policies (such as the Group authorisation policy, the contract sign-off process, the purchase guidelines, the anti-bribery policy, the Competition Law compliance policy, the quality manual, the health and safety policy and the environmental policy). During the year, we also obtained ISO 27001 accreditation for our information security management system. This will give further assurance as to the Group's resilience to cyber risk.
These policies are supported by statements of compliance from all directors and letters of assurance ('LoA') from the Group's three managing directors. LoAs are required twice yearly, one at 30 September and one at 31 March supported by an internal control questionnaire ('ICQ') which is completed by each business unit and which provides a detailed basis for management to satisfy themselves that they are complying with all key control requirements. The responses in these ICQs are subject to ongoing independent review by PwC, the Group's internal auditor.
The following main committees provide oversight of management activities:
The executive committee, risk committee and safety leadership team — these committees are responsible for the identification, reporting and ongoing management of risks and for the stewardship of the Group's risk management approach.
The audit committee — the board has delegated responsibility to this committee for overseeing the effectiveness of the Group's internal control function and risk management systems.
The nominations committee — this committee ensures that the board has the appropriate balance of skills and knowledge required to assess and address risk and that appropriate succession plans are in place.
C. Third line of defence: independent review
The third line of defence represents independent assurance which is provided mainly by the internal auditor, external auditor and various external consultants and advisers. External consultants and advisers support management and the board through ad hoc consulting activities, as required.
Internal auditor — the audit committee annually reviews and approves the PwC internal audit programme for the year. The committee reviews progress against the plan at each of its meetings, considering the adequacy of audit resource, the results of audit findings and any changes in business circumstances which may require additional audits.
The results of internal audits are reported to the executive team and senior management and, where required, corrective actions are agreed. The results of all audits are summarised for the audit committee along with progress against agreed actions.
Annual review of effectiveness
The risk management and internal control systems have been in place for the year under review and up to the date of approval of the annual report, and are regularly reviewed by the board. The board monitors executive management's action plans to implement improvements in internal controls that have been identified following the processes described above.
The board confirms that it has not identified any significant failings or weaknesses in the Group's systems of risk management or internal control as a result of information provided to the board and resulting discussions.
The level of risk it is considered appropriate to accept in achieving the Group's strategic objectives is reviewed and validated by the board. The appropriateness of the mitigating actions is determined in accordance with the board-approved risk appetite for the relevant area.
The organisation's approach is to minimise exposure to reputational, financial and operational risk, whilst accepting and recognising a risk/reward trade-off in the pursuit of its strategic and commercial objectives. Operating in the construction industry, the reputation of the Group is imperative to its continued success and cannot be risked. Consequently, it has a zero tolerance for risks relating to health and safety. However, management recognises that certain strategic, commercial and investment risks will be required to seize opportunities and deliver growth in line with the Group's strategic objectives.
Changes to principal risks
Although there have been no significant changes since last year's annual report to the list of those risks classified as principal risks, the following amendments are noteworthy:
- Health and safety risk (a serious incident causing death or serious injury which could also lead to regulatory intervention, financial loss and reputational loss) has been upgraded from medium to high, notwithstanding the improvement in the Group's AFR over the past year, reflecting the new sentencing guidelines which could impose significant fines for health and safety breaches even in cases not involving fatalities.
- Tendering and project execution risk (the failure to achieve targeted profit on major projects) has been renamed as mispricing a contract (at tender) (the incorrect pricing of a contract, particularly on complex contracts) and downgraded from high to medium to reflect the improvements made to the Group's contract management processes during the year.
Changes have also been made to the detailed descriptions of mitigation to reflect ongoing activity in the year. In its risk reviews the Group has not identified any significant environmental, social or governance risks to the Group's short and long-term value.
2017 principal risks
The board has carried out a robust assessment of the principal risks and uncertainties which have the potential to impact the Group's profitability and ability to achieve its strategic objectives. These are set out in the table below. This list is not intended to be exhaustive. Additional risks and uncertainties not presently known to management or deemed to be less significant at the date of this report may also have the potential to have an adverse effect on the Group.
|Principal risk||Strategic pillars||Link to KPIs||Movement||Scoring|
|Health and safety||1234567||High|
|Commercial and market environment||1234567||Medium|
|Mispricing a contract (at tender)||1234567||Medium|
|Indian joint venture||1234567||Medium|
|Information technology resilience||1234567||Medium|
India joint venture
1 Underlying operating profit and margin (before JVs and associates)
2 Underlying basic earnings
3 Revenue growth
4 Operating cash conversion
5 Return on capital employed ('ROCE')
6 Order book
7 Accident frequency rate ('AFR')
The scoring of each risk as high or medium is determined based on the scoring of the risk within the Group's risk register. This scoring takes into account the potential impact and likelihood associated with the crystallisation of each risk (the assessment of impact takes into account both potential and reputational issues). Only high and medium risks are considered sufficiently significant for disclosure in the annual report.
Health and safety
The Group works on significant, complex and potentially hazardous projects which require continuous monitoring and management of health and safety risks. Ineffective management of health and safety issues could lead to a serious injury or death or damage to property or equipment.
A serious health and safety incident could lead to the potential for legal proceedings, regulatory intervention, project delays, potential loss of reputation and ultimately exclusion from future business. New sentencing guidelines have come into force which have the potential to impose significant fines even where no actual harm has occurred.
- Established safety systems, site visits, safety audits, monitoring and reporting, and detailed health and safety policies and procedures, are in place across the Group.
- Thorough and regular employee training programmes (including behavioural safety training) under the leadership of the new Group SHE director (appointed in July 2016).
- Director-led safety leadership teams established to bring innovative solutions and to engage with all stakeholders to deliver continuous improvement in standards across the business and wider industry.
- Close monitoring of subcontractor safety performance.
- Priority board review of ongoing performance.
- Regular reporting of and investigation and root cause analysis of accidents and near misses.
- Achievement of challenging health and safety performance targets is a key element of management remuneration (and staff remuneration from March 2017 onwards).
Commercial and market environment
Changes in government and client spending or other external factors could lead to programme and contract delays or cancellations, or changes in market growth. Whilst Brexit has to date not had a significant impact on the UK construction market, outcomes following the triggering of Article 50 remain difficult to predict and could affect investor confidence.
Lower than anticipated demand could result in increased competition, tighter margins and the transfer of commercial, technical and financial risk down the supply chain, through more demanding contract terms and longer payment cycles.
A significant fall in construction activity could adversely impact revenues, profits, ability to recover overheads and cash generation.
- Regular reviews of market trends performed (as part of the Group's annual strategic planning process) to ensure actual and anticipated impacts from macroeconomic risks are minimised and managed effectively.
- Regular monitoring and reporting of financial performance, orders secured, prospects and the conversion rate of the pipeline of opportunities.
- Selection of opportunities that will provide sustainable margins and repeat business.
- Strategic planning is undertaken to identify and focus on the addressable market (including new overseas and domestic opportunities).
- Recruitment of a new European business development director to focus on markets and opportunities in mainland Europe which fit the Group's risk appetite.
- Close management of capital investment and focus on maximising asset utilisation to ensure alignment of our capacity and volume demand from clients.
- Close engagement with both customers and suppliers and monitoring of payment cycles.
- Ongoing assessment of financial solvency and strength of counterparties throughout the life of contracts.
- Continuing use of credit insurance to minimise impact of customer failure.
- Strong balance sheet (the Group has net funds in excess of £30m) supports the business through fluctuations in the economic conditions for the sector.
Mispricing a contract (at tender)
Failure to accurately estimate and evaluate the contract risks, costs to complete, contract duration and the impact of price increases could result in a contract being mispriced. Execution failure on a high-profile contract could result in reputational damage.
If a contract is incorrectly priced, particularly on complex contracts, this could lead to loss of profitability, adverse business performance and missed performance targets.
This could also damage relationships with clients and the supply chain.
- Improved contract selectivity (those that are right for the business and which match our risk appetite) has de-risked the order book and reduced the probability of poor contract execution.
- Estimating processes are in place with approvals by appropriate levels of management.
- Tender settlement processes are in place to give senior management regular visibility of major tenders.
- Use of the tender review process to mitigate the impact of rising supply chain costs.
- Work performed under minimum standard terms (to mitigate onerous contract terms) where possible.
- Use of Group authorisation policy to ensure appropriate contract tendering and acceptance.
- Professional indemnity cover is in place to provide further safeguards.
The Group is reliant on certain key supply chain partners for the successful operational delivery of contracts to meet client expectations. The failure of a key supplier or a breakdown in relationships with a key supplier could result in some short-term delay and disruption to the Group's operations. There is also a risk that credit checks undertaken in the past may no longer be valid.
Interruption of supply or poor performance by a supply chain partner could impact the Group's execution of existing contracts (including the costs of finding a replacement), its ability to bid for future contracts and its reputation, thereby adversely impacting financial performance.
- Initiatives are in place to select supply chain partners that match our expectations in terms of quality, sustainability and commitment to client service. New sources of supply are quality controlled.
- New Group head of procurement appointed to bring in best practice improvement initiatives.
- Strong relationships maintained with key suppliers including a programme of regular meetings and reviews.
- Contingency plans developed to address supplier and subcontractor failure.
- Ongoing reassessment of the strategic value of supply relationships and the potential to utilise alternative arrangements in particular for steel supply.
- Key supplier audits are performed within projects to ensure they are in a position to deliver consistently against requirements.
- Monthly review process to facilitate early warning of issues and subsequent mitigation strategies.
Indian joint venture
The growth, management and performance of the business is a key element of the Group's overall performance. Effective management of the joint venture is therefore important to the Group's continuing success.
Crucial to the long-term success of the joint venture is the development of the market for steel (rather than concrete) construction.
Failure to effectively manage operations in India could lead to financial loss, reputational damage and a drain on cash resources to fund the operations.
- Robust joint venture agreement and strong governance structure is in place.
- Two members of the Group's board of directors are members of the joint venture board.
- Regular formal and informal meetings held with both joint venture management and joint venture partners.
- Contract risk assessment, engagement and execution process now embedded in the joint venture.
- Market and operational plan now implemented; overhead reduction and operational improvement programmes remain ongoing.
- Close monitoring of cash flow and debt repayments.
Information technology resilience
Technology failure, cyber-attack or property damage could lead to IT disruption with resultant loss of data, loss of system functionality and business interruption.
The Group's core IT systems must be managed effectively, to avoid interruptions, keep pace with new technologies and respond to threats to data and security.
Prolonged or major failure of IT systems could result in business interruption, financial losses, loss of confidential data, negative reputational impact and breaches of regulations. If the Group fails to invest in its IT systems, it will ultimately be unable to meet the future needs of the business and fulfil its strategy.
- IT is the responsibility of a central function which manages the majority of the systems across the Group. Other IT systems are managed locally by experienced IT personnel.
- Significant investments in IT systems are subject to board approval.
- Group IT committee ensures focused strategic development and resolution of issues impacting the Group's technology environment.
- Robust business continuity plans are in place and disaster recovery and penetration testing are undertaken on a systematic basis.
- Data protection and information security policies are in place across the Group, including anti-virus software, off-site and on-site backups, storage area networks, software maintenance agreements and virtualisation of the IT environment.
- Cyber-crimes and associated IT risks are assessed on a continual basis and additional technological safeguards introduced. Cyber-threats and how they manifest themselves are communicated regularly to all employees (including practical guidance on how to respond to perceived risks).
- ISO 27001 accreditation achieved for the Group's information security environment and regular employee engagement undertaken to reinforce key messages.
The ability to identify, attract, develop and retain talent is crucial to satisfy the current and future needs of the business. Skills shortages in the construction industry are likely to remain an issue for the foreseeable future and it can become increasingly difficult to recruit capable people and retain key employees, especially those targeted by competitors.
Loss of key people could adversely impact the Group's existing market position and reputation. Insufficient growth and development of its people and skill sets could adversely affect its ability to deliver its strategic objectives.
A high level of staff turnover or low employee engagement could result in a drop in confidence in the business within the market, customer relationships being lost and an inability to focus on business improvements.
- Remuneration arrangements are regularly reviewed (and benchmarked where possible) to ensure that they are competitive and strike the appropriate balance between short and long-term rewards and incentives.
- Skills gaps are continually identified and actions put in place to bridge these by training, development or external recruitment.
- In 2017 we continued to focus on emerging talent, succession planning and career opportunity and launched our new Severfield Development Programme which will help us build sustainable leadership capability within our next generation of leaders. Other ongoing leadership and management development plans are also in place.
- We undertook a Group-wide employee engagement survey to measure engagement, with the results being analysed and improvements identified and implemented.
- Annual appraisal process provides 360 degree feedback on performance for certain employees.
- Graduate, trainee and apprenticeship schemes are in place to safeguard an inflow of new talent.
- We undertook a thorough review of internal communications across the Group and improvements in this area are planned for 2018.
The Group (and the industry in general) has a significant number of members who are members of trade unions. Industrial action taken by employees could impact on the ability of the Group to maintain effective levels of production.
Interruption to production by industrial action could impact both the Group's performance on existing contracts, its ability to bid for future contracts and its reputation, thereby adversely impacting its financial performance.
- Employee and union engagement takes place on a regular basis.
- The Group has four main production facilities so interruption at one facility could to some extent be absorbed by increasing capacity at a sister facility.
- Processes are in place to mitigate disruptions as a result of industrial action.
Strategic report approval
The strategic report is approved by the board and signed on its behalf by
14 June 2017