JM applies a holistic risk approach which enables the business to protect value, proactively manage threats to the delivery of strategic and operational objectives while enhancing the realisation of opportunities. The COVID-19 pandemic has altered the external environment and specifically our response in some areas where risk has increased. The long term impact of the COVID-19 pandemic on JM is uncertain and we have been working through a number of scenarios to understand the potential impacts. While we are confident that our business model is resilient, we remain cognisant of the challenges created by the pandemic. We have further identified specific areas where our principal risks could be impacted and, as they evolve, we are working with management to further provide JM’s board with the line of sight in order to plan ahead and take appropriate action.
Managing JM’s risks
Effective risk management is central to JM’s decision making process as it enables:
Planning through the lens of prioritisation to deliver strategic objectives.
Consideration of risk and reward in establishing and implementation of the relevant controls in the areas that matter most.
Assurance resources to be focused on specific areas of risk and uncertainty.
Opportunities to be pursued while continuing to mitigate JM’s risks in a rapidly changing external environment. This includes effective incident response to emerging risks, such as COVID-19.
Compliance with UK Corporate Governance Code requirements.
JM’s Board of Directors has overall responsibility for the risk management process. Together with the Group Management Committee (GMC) they have performed a robust assessment of the principal and emerging risks facing the business to ensure that the risks align with goals and strategic objectives. The Audit Committee assists the board in monitoring the effectiveness of the risk management and internal control policies, procedures and systems.
The risk management framework incorporates both a top down approach to identify the company’s principal risks and a bottom up approach to identify operational risks. Each principal risk is sponsored by a member of the GMC who drives progress through regular review considering related emerging risk factors, current responses and further mitigating actions to reach appetite. The GMC also periodically focuses on selected risks and performs deep dive reviews to support relevant strategic topics on the GMC agenda. The risk reviews are embedded within the relevant business and / or functional reviews to ensure that they are considered in the context of JM’s values and strategic objectives. In response to the outbreak of the global pandemic, a dedicated Group Incident Management Team was deployed which is discussed further on page 69, to specifically oversee and direct JM’s response to COVID-19.
How we manage risk
All risks are described, analysed and reported using a standardised framework across the business. Likelihood of occurrence and the potential impact on objectives are considered and scored using a broad range of impact measures. The effectiveness and adequacy of controls are assessed regularly with assigned risk sponsors and owners, and reported at least twice a year. Furthermore, functional leaders, sectors and site teams are responsible for identifying, assessing and prioritising their risks, considering the likelihood of occurrence and the potential impact to JM’s objectives. Site risks are aggregated and analysed for trends and anomalies which are reviewed by sector leadership teams. Risk insights are then incorporated into strategic planning and budgeting. The Group Risk Register is subject to a detailed review and discussion by the GMC, and this includes discussion of emerging risks. The board assesses the outputs from this process and takes confidence from the ‘three lines of defence’ risk assurance model. The first line represents operational management who own and manage risk on a day to day basis, utilising effective internal controls. Group actions and sectors monitor and oversee these activities, representing governance and compliance at the second line. The third line is the independent assurance over these activities provided by the Corporate Assurance function.
Process developments during 2019/20
JM continually works to improve risk management practices and over the last 12 months the following key enhancements have been made, which have also supported the coordination of our responses to the COVID-19 pandemic:
Introduced dashboards to improve principal risk reporting. Dashboards were developed to consolidate risk data including current net and appetite scoring as well as the actions required to support achievement of desired outcome. This has improved the quality of risk focused discussions across the business.
Enhanced risk appetite statements. GMC risk sponsors have developed more detailed and focused appetite statements for principal risks. They have been reviewed by the board and the GMC, and have been embedded into risk reporting dashboards to further improve visibility of the journey towards the appetite.
Improved key risk indicators (KRIs) methodology. Developed approach in detailing metrics for each principal risk measured in time and cost. This provides the board, risk sponsors and owners an ability to track mitigation maturity, costs and timescales associated with driving the net positions towards the defined appetites.
Further sub-sector risk analysis. Conducted JM wide analysis on group and sector risks such as root cause and correlation against their likely principal risks to provide information as to where risks are originating from and how they can be effectively mitigated.
Continued horizon scanning for emerging risks. Reviewed internal and external environment changes / movements at the board and GMC to ensure that the top down risk management process is fully informed.
JM has been proactive in its response to COVID-19. The Group Incident Management Team has been swiftly deployed to manage the response to the current pandemic. While coordinated and closely overseen by GMC, the team has implemented several specific measures including a groupwide pandemic response plan, a groupwide alert level status matrix and a comprehensive site pandemic response measures playbook.
These measures have ensured that operations are able to continue safely and in accordance with government policy and regional guidance. JM has also specifically focused actions in managing cash flow, reducing cost and working capital to ensure the group remains robust, with sufficient liquidity. The board and GMC have further directed the updating of JM’s principal risks to reflect the impact of this pandemic.
In most instances, risk definitions have not been changed as the pandemic has not changed the longer term coverage of each risk. However, it should be noted that additional actions have been defined and where appropriate implemented to reflect the impact of COVID-19. Consideration has also been given as to whether COVID-19 should be treated as an individual risk. The board agreed that the pandemic would be more effectively managed through articulating its impact within each of the existing principal risks rather than a stand alone item.
JM recognises that the current COVID-19 pandemic is an evolving situation and we will need to continue to be agile in managing this risk. Furthermore, we will continue to review and challenge the principal risks providing an ongoing consideration as to whether it needs to be recognised as a stand alone risk in the future. The crisis has also accelerated our learnings on how differently we can use technology to connect, collaborate and engage with our customers, suppliers and employees across the globe. We intend to use these lessons, to ensure that as lockdown eases, we are embracing new habits and opportunities this change has created.