JM applies a holistic risk approach which enables the business to protect value and proactively manage threats to the delivery of strategic and operational objectives while enhancing the realisation of opportunities. The COVID-19 pandemic has altered the external environment and specifically our response in some areas where risk has increased. The long-term impact of the COVID-19 pandemic on JM is uncertain and we have been working through a number of scenarios to understand the potential impacts. While we are confident that our business model is resilient, we remain cognisant of the challenges created by the pandemic. We have further identified specific areas where our principal risks could be impacted and, as they evolve, we are working with management to further provide JM’s board with the line of sight in order to plan ahead and take appropriate action.
Managing JM’s risks
Effective risk management is central to JM’s decision-making process as it enables:
- Planning through the lens of prioritisation to deliver strategic objectives.
- Consideration of risk and reward in establishing and implementing the relevant controls in the areas that matter most.
- Assurance resources to be focused on specific areas of risk and uncertainty.
- Opportunities to be pursued while continuing to mitigate JM’s risks in a rapidly changing external environment. This includes effective incident response to emerging risks, such as COVID-19.
- Compliance with UK Corporate Governance Code requirements.
JM’s Board of Directors has overall responsibility for the risk management process. Together with the Group Management Committee (GMC), they have performed a robust assessment of the principal and emerging risks facing the business to ensure that the risks align with goals and strategic objectives. The Audit Committee assists the board in monitoring the effectiveness of the risk management and internal control policies, procedures and systems.
The risk management framework incorporates both a top-down approach to identify the company’s principal risks and a bottom-up approach to identify operational risks. Each principal risk is sponsored by a member of the GMC who drives progress through regular review, considering related emerging risk factors, current responses and further mitigating actions to reach appetite. The GMC also periodically focuses on selected risks and performs deep dive reviews to support relevant strategic topics on the GMC agenda. The risk reviews are embedded within the relevant business and / or functional reviews to ensure that they are considered in the context of JM’s values and strategic objectives. In response to the outbreak of the global pandemic, a dedicated Group Incident Management Team, which is discussed further on page 69, was deployed to specifically oversee and direct JM’s response to COVID-19.
How we manage risk
All risks are described, analysed and reported using a standardised framework across the business. Likelihood of occurrence and the potential impact on objectives are considered and scored using a broad range of impact measures. The effectiveness and adequacy of controls are assessed regularly with assigned risk sponsors and owners, and reported at least twice a year. Furthermore, functional leaders, sectors and site teams are responsible for identifying, assessing and prioritising their risks, considering the likelihood of occurrence and the potential impact to JM’s objectives. Site risks are aggregated and analysed for trends and anomalies which are reviewed by sector leadership teams. Risk insights are then incorporated into strategic planning and budgeting. The Group Risk Register is subject to a detailed review and discussion by the GMC, and this includes discussion of emerging risks. The board assesses the outputs from this process and takes confidence from the ‘three lines of defence’ risk assurance model. The first line represents operational management who own and manage risk on a day-to-day basis, utilising effective internal controls. Group actions and sectors monitor and oversee these activities, representing governance and compliance at the second line. The third line is the independent assurance over these activities provided by the Corporate Assurance function.