Strong and effective risk management is at the heart of how the directors run the business and supports the achievement of the Group's strategic objectives.
The level of risk it is considered appropriate to accept in achieving the Group's strategic objectives is reviewed and validated by the board. The appropriateness of the mitigating actions is determined in accordance with the board-approved risk appetite for the relevant area.
The organisation's approach is to minimise exposure to reputational, financial and operational risk, whilst accepting and recognising a risk and reward trade-off in the pursuit of its strategic and commercial objectives. Operating in the construction industry, the reputation of the Group is imperative to its continued success and cannot be risked. Consequently, it has a zero tolerance for risks relating to health and safety. However, management recognises that certain strategic, commercial and investment risks will be required to seize opportunities and deliver growth in line with the Group's strategic objectives.
The Group establishes its risk appetite through use of delegated authorities so that matters considered higher risk require the approval of senior management or the board. These include, but are not limited to, tender pricing, bid submissions, approval of contract variations and final account settlements, capital requirements, procurement, and certain legal and strategic matters.
Risk management process
The board has overall responsibility for the Group's risk management and systems of internal control and for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. An ongoing process has been established for identifying, evaluating and managing the significant risks faced by the Group.
The audit committee, on behalf of the board, formally reviews risks and mitigations for the Group and each of the businesses on a biannual basis. The key elements of this risk management process are:
- Senior management from all key disciplines and businesses within the Group continue to be involved in the process of risk assessment and monitoring in order to identify and assess Group objectives, key issues and controls. Further reviews are performed to identify and monitor those risks relevant to the Group as a whole. This process feeds into our assessment of long-term viability and encompasses all aspects of risk, including operational, compliance, financial, strategic, environmental, social and governance ('ESG') issues.
- Identified risk events, their causes and possible consequences are recorded in risk registers. Their likelihood and potential business impact and the control systems that are in place to manage them are analysed and, if required, additional actions are developed and put in place to mitigate or eliminate unwanted exposures. Individuals are allocated responsibility for evaluating and managing these risks within an agreed timetable.
- Ongoing risk management and assurance is provided through various monitoring reviews and reporting mechanisms, including the executive risk committee (chaired by the chief executive officer) which convenes on a weekly basis and has the primary responsibility to identify, monitor and control significant risks to an acceptable level throughout the Group. The committee receives information on relevant risk matters from a variety of sources on a regular basis.
- Subsidiary company boards consider and report on risk on a monthly basis as part of the monthly business review process. This process is followed to ensure that, as far as possible, the controls and safeguards are being operated in line with established procedures and standards.
- On a quarterly basis, the significant risks identified by the Group's businesses are discussed in detail with each management team. In addition, the chief executive officer, Group legal director and Group IT director meet on a quarterly basis to review IT risks facing the Group. The outcome of these discussions is collated and reported to the executive committee.
- The risk registers of each business, together with the Group IT risk register, are updated and, together with a consolidated Group risk register compiled by the executive committee, are reported to the audit committee twice yearly, to ensure that adequate information in relation to risk management matters is available to the board and to allow board members the opportunity to challenge and review the risks identified and to consider in detail the various impacts of the risks and the mitigations in place.
- A Group assurance map is used to co-ordinate the various assurance providers within the Group and a compliance framework provides the board with a ready reference tool for monitoring compliance across the Group.
First line of defence
- Project management procedures
- Health and safety
- Financial control
- Cash and working capital management
Second line of defence
- Group authorisation policy
- Contract sign-off process
- Purchase guidelines
- Quality manual
- SHE policies
- Executive committee, risk committee and safety leadership team
- Audit committee
- Nominations committee
Third line of defence
- External audit
- Internal audit
- Other third party assurance
Three lines of defence
The Group manages risk by operating a 'three lines of defence' assurance model (management activity, Group oversight and independent review), which is mapped against the Company's principal risks. This process is summarised in the Group assurance map.
A. First line of defence: management activity
The first line of defence involves senior management implementing and maintaining effective internal controls and risk management procedures. These internal controls cover all areas of the Group's operations. There are inherent limitations in any system of internal control and, accordingly, even the most effective system can provide only reasonable, and not absolute, assurance against material misstatement or loss. The system is designed to manage rather than eliminate the risk of failure to achieve the Group's objectives. The Group's policies and procedures are continuously under review and improved to ensure they are adequate for our current circumstances.
The key features of the Group's framework of internal controls are as follows:
Project management procedures — project risk is managed throughout the life of a contract from the tender stage to completion. Individual tenders for projects are subject to detailed review with approvals required at relevant levels and at various stages from commencement of the tender process through to contract award. Tenders above a certain value and those involving an unusually high degree of technical or commercial risk must be approved at a senior level within the Group.
Robust procedures exist to manage the ongoing risks associated with contracts. Regular monthly contract reviews to assess contract performance, covering both financial and operational issues, form an integral part of contract forecasting procedures.
Health and safety — SHE issues and risks are continually monitored at all sites and are reviewed on a monthly basis by senior management and the board. The Group has a well-developed health and safety management system for the internal and external control of health and safety risks which is managed by the Group SHE director. This includes the use of risk management systems for the identification, mitigation and reporting of health and safety management information.
Financial control — the Group maintains a strong system of accounting and financial management controls. Standard financial control procedures operate throughout the Group to ensure the integrity of the Group's financial statements.
The Group operates a comprehensive budgeting and forecasting system. Risks are identified and appraised throughout the annual process of preparing budgets. The annual budget and quarterly forecasts are approved by the board.
A formal quarterly review of each business's year-end forecast, business performance, risk and internal control matters is carried out by the directors of each business unit with the chief executive officer, Group finance director and chief operating officer in attendance.
Cash and working capital management — cash flow forecasts are regularly prepared to ensure that the Group has adequate funds and resources for the foreseeable future and is in compliance with banking covenants. Each business reports its cash position daily. Actual cash performance is compared to forecast on a weekly basis.
B. Second line of defence: Group oversight
The first line of defence is supported by certain Group policies, functions and committees which, in combination, form the second line of defence.
Group policies — internal controls across financial, operational and compliance systems are provided principally through the requirement to adhere to the Group finance manual, divisional procedures and a number of Group-wide policies (such as the Group authorisation policy, the contract sign-off process, the purchase guidelines, the anti-bribery policy, the Competition Law compliance policy, the quality manual, the health and safety policy and the environmental policy). During the year, we were audited successfully on our ISO 27001 accreditation for our information security management system. This continues to give further assurance as to the Group's resilience to cyber risk, which is a subject that has also been discussed at main board level.
These policies are supported by statements of compliance from all directors and letters of assurance ('LoA') from the Group's three managing directors. LoAs are required twice yearly, one at 30 September and one at 31 March supported by an internal control questionnaire ('ICQ') which is completed by each business unit and which provides a detailed basis for management to satisfy themselves that they are complying with all key control requirements. The responses in these ICQs are subject to ongoing independent review by PwC, the Group's internal auditor.
The following main committees provide oversight of management activities:
The executive committee, risk committee and safety leadership team — these committees are responsible for the identification, reporting and ongoing management of risks and for the stewardship of the Group's risk management approach.
The audit committee — the board has delegated responsibility to this committee for overseeing the effectiveness of the Group's internal control function and risk management systems.
The nominations committee — this committee ensures that the board has the appropriate balance of skills and knowledge required to assess and address risk and that appropriate succession plans are in place.
C. Third line of defence: independent review
The third line of defence represents independent assurance which is provided mainly by the internal auditor, external auditor and various external consultants and advisers. External consultants and advisers support management and the board through ad hoc consulting activities, as required.
Internal auditor — the audit committee annually reviews and approves the PwC internal audit programme for the year. The committee reviews progress against the plan at each of its meetings, considering the adequacy of audit resource, the results of audit findings and any changes in business circumstances which may require additional audits.
The results of internal audits are reported to the executive team and senior management and, where required, corrective actions are agreed. The results of all audits are summarised for the audit committee along with progress against agreed actions.
Annual review of effectiveness
The risk management and internal control systems have been in place for the year under review and up to the date of approval of the annual report, and are regularly reviewed by the board. The board monitors executive management's action plans to implement improvements in internal controls that have been identified following the processes described above.
The board confirms that it has not identified any significant failings or weaknesses in the Group's systems of risk management or internal control as a result of information provided to the board and resulting discussions.
Changes to principal risks
The following changes have been made to the Group's principal risks in 2018:
- Information technology resilience risk (cyber attack or property damage leads to IT disruption with resultant loss of data, loss of systems functionality and business disruption) has been upgraded from medium to high, reflecting the increasing global information security threats including cybersecurity attacks, malicious code intended to gain access to confidential information and viruses.
- Failure to mitigate onerous contract terms risk (the failure to adequately manage contract risk and adhere to Group policies and, as a result, commit to obligations which the Group is unable to meet without incurring significant unexpected costs). This was previously identified as a risk in 2014 and is a risk which we constantly monitor. It can vary between low and medium risk depending on the mix of contract work in our order book.
Changes have also been made to the detailed descriptions of mitigation to reflect ongoing activity in the year. In its risk reviews, the Group has not identified any significant environmental, social or governance risks to the Group's short and long-term value.
The board has carried out a robust assessment of the principal risks and uncertainties which have the potential to impact the Group's profitability and ability to achieve its strategic objectives. These are set out in the table below. This list is not intended to be exhaustive. Additional risks and uncertainties not presently known to management or deemed to be less significant at the date of this report may also have the potential to have an adverse effect on the Group.
Strategic pillar key
1 Underlying operating profit and margin (before JVs and associates)
2 Underlying basic earnings per share ('EPS')
3 Revenue growth
4 Operating cash conversion
5 Return on capital employed ('ROCE')
6 Order book
7 Accident frequency rate ('AFR')
The scoring of each risk as high or medium is determined based on the scoring of the risk within the Group's risk register. This scoring takes into account the potential impact and likelihood associated with the crystallisation of each risk (the assessment of impact takes into account both potential and reputational issues). Only high and medium risks are considered sufficiently significant for disclosure in the annual report.
2018 principal risks
1 Health and safety
The Group works on significant, complex and potentially hazardous projects which require continuous monitoring and management of health and safety risks. Ineffective management of health and safety issues could lead to a serious injury, death or damage to property or equipment.
A serious health and safety incident could lead to the potential for legal proceedings, regulatory intervention, project delays, potential loss of reputation and ultimately exclusion from future business. New sentencing guidelines have come into force which have the potential to impose significant fines even where no actual harm has occurred.
- Established safety systems, site visits, safety audits, monitoring and reporting, and detailed health and safety policies and procedures are in place across the Group, all of which focus on prevention and risk reduction/elimination.
- Thorough and regular employee training programmes (including behavioural safety training).
- Director-led safety leadership teams established to bring innovative solutions and to engage with all stakeholders to deliver continuous improvement in standards across the business and wider industry.
- Close monitoring of subcontractor safety performance.
- Priority board review of ongoing performance.
- Regular reporting of, and investigation and root cause analysis of accidents and near misses.
- Achievement of challenging health and safety performance targets is a key element of management and staff remuneration.
2 Information technology resilience
Technology failure, cyber attack or property damage could lead to IT disruption with resultant loss of data, loss of system functionality and business interruption.
The Group's core IT systems must be managed effectively, to avoid interruptions, keep pace with new technologies and respond to threats to data and security.
Prolonged or major failure of IT systems could result in business interruption, financial losses, loss of confidential data, negative reputational impact and breaches of regulations. If the Group fails to invest in its IT systems, it will ultimately be unable to meet the future needs of the business and fulfil its strategy.
- IT is the responsibility of a central function which manages the majority of the systems across the Group. Other IT systems are managed locally by experienced IT personnel.
- Significant investments in IT systems which are subject to board approval, including anti-virus software, off-site and on-site backups, storage area networks, software maintenance agreements and virtualisation of the IT environment.
- Specific software has been acquired to combat the risk of ransomware attacks.
- Group IT committee ensures focused strategic development and resolution of issues impacting the Group's technology environment.
- Robust business continuity plans are in place and disaster recovery and penetration testing are undertaken on a systematic basis.
- Data protection and information security policies are in place across the Group and have been updated for GDPR.
- Cyber crimes and associated IT risks are assessed on a continual basis and additional technological safeguards introduced. Cyber threats and how they manifest themselves are communicated regularly to all employees (including practical guidance on how to respond to perceived risks).
- ISO 27001 accreditation achieved for the Group's information security environment and regular employee engagement undertaken to reinforce key messages.
- Insurance covers certain losses and is reviewed annually to establish further opportunities for affordable risk transfer.
3 Commercial and market environment
Changes in government and client spending or other external factors could lead to programme and contract delays or cancellations, or changes in market growth. Whilst Brexit has still not had a significant impact on the UK construction market, outcomes following the decision to leave the EU remain difficult to predict and could affect investor confidence.
Lower than anticipated demand could result in increased competition, tighter margins and the transfer of commercial, technical and financial risk down the supply chain, through more demanding contract terms and longer payment cycles.
A significant fall in construction activity could adversely impact revenues, profits, ability to recover overheads and cash generation.
- Regular reviews of market trends performed (as part of the Group's annual strategic planning and market review process) to ensure actual and anticipated impacts from macroeconomic risks are minimised and managed effectively.
- Regular monitoring and reporting of financial performance, orders secured, prospects and the conversion rate of the pipeline of opportunities and marshalling of market opportunities is undertaken on a co-ordinated Group-wide basis.
- Selection of opportunities that will provide sustainable margins and repeat business.
- Strategic planning is undertaken to identify and focus on the addressable market (including new overseas and domestic opportunities).
- Development of new organic revenue streams including in Europe, residential and Severfield (Products & Processing) which fit the Group's risk appetite.
- Close management of capital investment and focus on maximising asset utilisation to ensure alignment of our capacity and volume demand from clients.
- Close engagement with both customers and suppliers and monitoring of payment cycles.
- Ongoing assessment of financial solvency and strength of counterparties throughout the life of contracts.
- Continuing use of credit insurance to minimise impact of customer failure.
- Strong balance sheet (the Group has net funds in excess of £30m) supports the business through fluctuations in the economic conditions of the sector.
4 Mispricing a contract (at tender)
Failure to accurately estimate and evaluate the contract risks, costs to complete, contract duration and the impact of price increases could result in a contract being mispriced. Execution failure on a high-profile contract could result in reputational damage.
If a contract is incorrectly priced, particularly on complex contracts, this could lead to loss of profitability, adverse business performance and missed performance targets.
This could also damage relationships with clients and the supply chain.
- Improved contract selectivity (those that are right for the business and which match our risk appetite) has de-risked the order book and reduced the probability of poor contract execution.
- Estimating processes are in place with approvals by appropriate levels of management.
- Tender settlement processes are in place to give senior management regular visibility of major tenders.
- Use of the tender review process to mitigate the impact of rising supply chain costs.
- Work performed under minimum standard terms (to mitigate onerous contract terms) where possible.
- Use of Group authorisation policy to ensure appropriate contract tendering and acceptance.
- Professional indemnity cover is in place to provide further safeguards.
5 Failure to mitigate onerous contract terms
The Group's revenue is derived from construction contracts and related assets. Given the highly competitive environment in which we operate, contract terms need to reflect the risks arising from the nature of the work to be performed. Failure to appropriately assess those contractual terms or the acceptance of a contract with unfavourable terms could, unless properly mitigated, result in poor contract delivery, poor understanding of contract risks and legal disputes.
Loss of profitability on contracts as costs incurred may not be recovered and potential reputational damage for the Group.
- The Group has identified minimum standard terms which mitigate contract risk.
- Robust tendering process with detailed legal and commercial review and approval of proposed contractual terms at a senior level (including the risk committee) are required before contract acceptance so that onerous terms are challenged, removed or mitigated as appropriate.
- Regular contract audits are performed to ensure contract acceptance and approval procedures have been adhered to.
- We have worked with the British Constructional Steelwork Association to raise awareness of onerous terms across the industry.
6 Supply chain
The Group is reliant on certain key supply chain partners for the successful operational delivery of contracts to meet client expectations. The failure of a key supplier or a breakdown in relationships with a key supplier could result in some short-term delay and disruption to the Group's operations. There is also a risk that credit checks undertaken in the past may no longer be valid.
Interruption of supply or poor performance by a supply chain partner could impact the Group's execution of existing contracts (including the costs of finding a replacement), its ability to bid for future contracts and its reputation, thereby adversely impacting financial performance.
- Initiatives are in place to select supply chain partners that match our expectations in terms of quality, sustainability and commitment to client service. New sources of supply are quality controlled.
- Implementation of best practice improvement initiatives including automated supplier accreditation processes.
- Strong relationships maintained with key suppliers including a programme of regular meetings and reviews.
- Contingency plans developed to address supplier and subcontractor failure.
- Ongoing reassessment of the strategic value of supply relationships and the potential to utilise alternative arrangements, in particular for steel supply.
- Key supplier audits are performed within projects to ensure they are in a position to deliver consistently against requirements.
- Monthly review process to facilitate early warning of issues and subsequent mitigation strategies.
7 Indian joint venture
The growth, management and performance of the business is a key element of the Group's overall performance. Effective management of the joint venture is therefore important to the Group's continuing success.
Crucial to the long-term success of the joint venture is the development of the market for steel (rather than concrete) construction.
Failure to effectively manage operations in India could lead to financial loss, reputational damage and a drain on cash resources to fund the operations.
- Robust joint venture agreement and strong governance structure is in place.
- Two members of the Group's board of directors are members of the joint venture board.
- Regular formal and informal meetings held with both joint venture management and joint venture partners.
- Contract risk assessment, engagement and execution process now embedded in the joint venture.
- Market and operational plan now implemented; overhead reduction and operational improvement programmes remain ongoing.
- Close monitoring of cash flow and debt repayments.
- Repayment of term debt has eased cash flow.
The ability to identify, attract, develop and retain talent is crucial to satisfy the current and future needs of the business. Skills shortages in the construction industry are likely to remain an issue for the foreseeable future and it can become increasingly difficult to recruit capable people and retain key employees, especially those targeted by competitors.
Loss of key people could adversely impact the Group's existing market position and reputation. Insufficient growth and development of its people and skill sets could adversely affect its ability to deliver its strategic objectives.
A high level of staff turnover or low employee engagement could result in a drop in confidence in the business within the market, customer relationships being lost and an inability to focus on business improvements.
- Remuneration arrangements are regularly reviewed (and benchmarked where possible) to ensure that they are competitive and strike the appropriate balance between short and long-term rewards and incentives.
- Skills gaps are continually identified and actions put in place to bridge these by training, development or external recruitment.
- In 2018 we continued to focus on emerging talent, succession planning and career opportunity and concluded the first phase of our Severfield development programme which is helping us build sustainable leadership capability within our next generation of leaders. Other ongoing leadership and management development plans are also in place.
- We undertook a Group-wide employee engagement survey to measure engagement, with the results being analysed and improvements identified and implemented.
- Annual appraisal process provides 360 degree feedback on performance for certain employees.
- Graduate, trainee and apprenticeship schemes are in place to safeguard an inflow of new talent.
- We have made a series of improvements in internal communications across the Group.
9 Industrial relations
The Group (and the industry in general) has a significant number of employees who are members of trade unions. Industrial action taken by employees could impact on the ability of the Group to maintain effective levels of production.
Interruption to production by industrial action could impact the Group's performance on existing contracts, its ability to bid for future contracts and its reputation, thereby adversely impacting its financial performance.
- Employee and union engagement takes place on a regular basis.
- The Group has four main production facilities so interruption at one facility could, to some extent, be absorbed by increasing capacity at a sister facility.
- Processes are in place to mitigate disruptions as a result of industrial action.
Strategic report approval
The strategic report is approved by the board and signed on its behalf by
20 June 2018