Risk Management, Control and Compliance
We view risk management, control and compliance as an integral part of Corporate Governance.
The Group has established common processes and language to develop a clear understanding of how risks should be assessed, managed and controlled within acceptable tolerances. While the Board has overall responsibility for setting risk management strategy, it is the responsibility of operational management to implement and embed risk management and internal controls and to ensure compliance with legislation and regulation. Appropriate assessment and management of risks is integrated into business planning, projects and investment decisions.
Risk Management
The risk management methodology (Morgan Risk) and tools are created and rolled out at Group level to provide a consistent methodology and common language throughout the Group. Risk Officers, trained to use the methodology and drive its implementation in business operations, are embedded in the Divisions. Most business units have been trained to use Morgan Risk via workshops involving the management teams and their business objectives.
The methodology addresses all key risk areas under 4 groups: Strategic, Operational, External, and Compliance and Ethics. Risks are assessed as:
- Inherent (worst-case scenario),
- Residual (with current controls in place) and
- Actioned (with necessary control improvements).
Decisions are made on the acceptability of each risk and actions are agreed to manage “unacceptable” risks to an acceptable level.
The methodology includes the reporting and approval of risks up through the management structures to Board level.


