Risk factors and risk management
Overview
In pursuing its strategic objectives the Group is inevitably
exposed to risks that could prevent those goals being realised
in part or whole. It is only by taking on the challenge of
managing risk that the Group can expect to succeed.
Accordingly, the Group’s policy in relation to risk does not
seek to eliminate all risk, but to ensure risks are identified,
assessed and their potential impacts managed in a costeffective way to achieve an acceptable level of risk by
deploying appropriate controls.
Approach
The Board is responsible for ensuring risk management
procedures across the Group are effective, for reviewing the
major risks and emerging issues identified by the business, and
for considering the potential impact of significant risks on the
long term prospects and viability of the Group. Management
are responsible for ensuring risk management procedures are
followed, with clear roles, responsibilities and accountabilities
for risk management throughout the business, risk registers
kept up to date and prompt implementation of agreed tasks.
To give effect to these responsibilities, the Group operates
both bottom-up and top-down risk management processes.
Bottom-up
Each operating division has a Risk Committee comprising
divisional leaders and other functional heads, and risk registers
that identify and prioritise risks identified by Committee
members. Ascential’s Legal Director attends every Risk
Committee to provoke discussion and share best practice
across the Company. Each Risk Committee profiles the risk
on impact and likelihood, devising appropriate controls and
remedial plans to avoid or mitigate those risks based on the
threat level. Actions to implement the remedial plans are
allocated to a Committee member to implement, and progress
is monitored with update reports back to the Committee.
Top-down
The Board monitors the bottom-up view, to identify emerging
risks where Group-wide action is needed (e.g. cyber security,
terrorism threat). The top risks and emerging trends are then
combined with risks identified during strategic planning, and
risks identified by considering external viewpoints on risks
relevant to the business, to form a consolidated risk register.
This is then critically appraised by senior management to
ensure risks have been consistently rated and that proper
attention has been given to different types of risk, classified
as strategic, operational, technological, financial and
regulatory risk.
The Board conducts regular reviews of the consolidated risk
register, and considers reports from management on the
operation of the bottom-up processes, in order to form its
assessment of the effectiveness of risk management
procedures and the principal risks facing the Group.
28
Ascential plc Annual Report 2016
Risk trends
While the risks faced by the Group are never static and
continue to evolve in nature or in threat level, during the year
management have devoted considerable time to deciding upon
and implementing responses to the following risks where we
consider the threat levels have increased:
Cyber security
In common with most businesses, we have seen an increase in
the number of attempts to penetrate our IT security measures,
or to attempt to initiate fraudulent activities by deception such
as phishing. The business has intensified its cyber security
programme reporting directly to the CEO to respond to this
increased threat, driven by the IT team but involving all
functions in the business in developing the programme and
tracking progress, together with weekly reporting to senior
management on current threat levels and incidents.
Terrorism
Terrorist events and the perception of increased terrorist
events have always received serious consideration and
planning. The Group has a dedicated security function with
relevant training and continues to engage highly qualified third
party security advisory firms to conduct security reviews of
events and our office locations throughout the world. Such
work covers preventative measures, crisis management
procedures and business continuity plans, and working with
business teams to integrate these measures into regular
operational practice. In addition we continue to work closely
with venue providers, external security firms, local police and
other security forces, to ensure close co-ordination between
all parties in dealing with this threat.
Brexit
The decision by the UK to leave the EU has created a range of
uncertainty in and outside the UK. Most aspects of the Group
are best served by keeping a watching brief and in preparation
for quick response if a situation were to develop requiring
action to best position the Company to defend or leverage the
opportunity created on behalf of the Company’s multi-national
customers. The main areas we monitor are impacts on the
macro-economic environment, and regulatory and tax
frameworks. The Group’s immediate priority is to support
staff who may, in the future, be personally affected by
changes to residence and employment rights, including EU
nationals working for us in the UK, to ensure we continue
to benefit from the talents and commitment of these highly
valued colleagues.