Travis Perkins (TPK)
03-March-2020 / 15:00 GMT/BST
Dissemination of a Regulatory Announcement, transmitted by EQS Group.
The issuer is solely responsible for the content of this announcement.
Publication of the Annual Report 2019
Further to the release of its results announcement this morning, Travis Perkins plc (the "Company") announces that it has today published its Annual Report for the year ended 31 December 2019. The Company's Annual Report 2019 can be viewed on the Company's website - www.travisperkinsplc.co.uk
In accordance with rule 9.6.1 of the Listing Rules, copies of the following documents have been submitted to the National Storage Mechanism and will shortly be available for inspection at www.morningstar.co.uk/uk/NSM
- Annual Report and Accounts 2019;
A condensed set of the Company's financial statements and information on important events that have occurred during the year and their impact on the financial statements were included in the Company's announcement. That information together with the information set out below which is extracted from the Annual Report constitute the requirements of Disclosure and Transparency Rule ("DTR") 6.3.5 which is to be communicated via a Regulatory Information Service in unedited full text. This announcement is not a substitute for reading the full Annual Report. Page and note references in the text below refer to page numbers in the Annual Report. To view the preliminary announcement, visit the Company's website: www.travisperkinsplc.co.uk
Enquiries:
Graeme Barnes
Graeme.barnes@travisperkins.co.uk
+44 (0) 7469 401819
Robin Miller
Ribin.miller@travisperkins.co.uk
+44 (0) 1604 592533
STATEMENT OF PRINCIPAL RISKS AND UNCERTAINTIES
For the year ended 31 December 2019
The Group's risk management activities continue to be developed to support management in identifying both threats and opportunities that could materially impact strategic delivery, performance, compliance and reputation. The Group operates in markets and an industry which, by their nature, are subject to a number of inherent risks. In common with most large organisations the Group is also subject to general commercial, political and economic risks. The Group is able to mitigate those risks by adopting different strategies and by maintaining a strong system of internal control which is routinely tested and assured. However, regardless of the approach that is taken, the Group must accept a certain level of risk in order to generate suitable returns for shareholders, and for that reason the risk management process is closely aligned to the Group's strategy.
Risk management framework
The Board has developed a risk reporting framework that ensures it has visibility of the Group's key risks, the potential impacts on the Group and how and to what extent those risks are mitigated. Further details of the Group's risk management processes and oversight are given in the Corporate Governance Report on page 75.
The Board undertook an enhanced exercise during 2019 to consider the nature and level of risk it is prepared to accept to deliver the strategy. Risk appetite is set across a suite of risk categories directly relevant to the Group, supported by high-level risk statements which set out the expectations for the management and control of each category of risk. The resulting assessment of risk appetite has been set to balance opportunities for growth and business development in areas of potentially higher risk and return, whilst prioritising safety and maintaining the Group's reputation, legal and regulatory compliance and the desired high levels of customer service and satisfaction.
Principal risks
At least twice a year, the Board and Group Leadership Team formally assess the Group's principal risks. The table on pages 40 to 51 sets out, in no particular order, the principal risks that are currently considered by the Board to be material to the achievement of the Group's objectives, their potential impacts, mitigating factors and those areas of the businesses' strategies that are potentially impacted. The inherent risk (before the operation of mitigating controls) is stated for each risk area together with an indication of the current trend for that risk.
The nature of risk is that its scope and potential impact will change over time. As such the list below should not be regarded as a comprehensive statement of all potential risks and uncertainties that may manifest in the future. Additional risks and uncertainties that are not presently known to the Directors, or which are currently deemed immaterial, could also have an adverse effect on the Group's future operating results, financial condition or prospects.
Key changes in the year
The risk environment in which the Group operates does not remain static. As part of the ongoing risk review process, the Board and Group Leadership Team: identify new risks for the Group, assess the inherent risk associated with each principal risk, and determine whether the risk trend facing the Group is increasing, decreasing or unchanged.
Whilst the risk profile for the Group remains relatively stable compared with 2018, the following key changes were identified in 2019:
- One additional principal risk has been disclosed in relation to IT systems and infrastructure. This risk previously formed part of the risk associated with change management and has been separated given the Group's plans to modernise its IT infrastructure and replace a number of legacy systems
- The inherent risk associated with business transformation initiatives, including the IT modernisation programme, has been reassessed as "high" to reflect the scale of change activities ongoing or planned within the Group
- The inherent risk associated with cyber threats and data security has been increased to "high" to acknowledge that the continual changes in both threat sources and the tactics employed by cyber criminals present an ongoing challenge for all companies, including the Group
Emerging risks
The Board is required to undertake a robust assessment of the emerging risks that may impact the Group under the 2018 UK Corporate Code, which is effective from 1 January 2019. In response to this requirement, consideration of emerging risk has been integrated into the Group's current risk management practices, which continue to be developed and refined. The Board regularly considers the latest risk research alongside views on emerging risks collated from assessments made by the business unit and functional leadership teams. These risks are monitored but are not currently assessed as sufficiently material to be considered as principal risks.
The Group is monitoring the potential impact of COVID-19 carefully. The Group will continue to review the possible impacts on the business and refine its contingency plans as more information about the epidemic emerges.
Risk workshops are undertaken periodically with the most significant business units and are structured to consider a number of risk categories, including "disruption", being the risks that may emerge and impact the viability of a strategy or business model. The current statement of principal risks recognises the potential for such disruption in the competitor and customer landscape, as well as in relation to suppliers.
Category | Principal risks | Risk trend | Inherent risk
External | Changing customer and competitor landscape | ↔ | High
External | Supplier risks | ↔ | Medium
External | Brexit | ↔ | High
External | Market conditions | ↔ | High
Strategic | Capital allocation | ↓ | Medium
Strategic | Change Management | ↑ | High
Strategic | Portfolio management | ↔ | Medium
Technological | IT systems and infrastructure | ↑ | High
Technological | Cyber threat and data security | ↑ | High
Operational | Health and safety | ↔ | Medium
Operational | Talent management | ↔ | Medium
Operational | Legal compliance | ↑ | Medium
Key disruptive risks are also identified and mitigated by the Group. None of them are currently considered to be principal risks.
Risk Trend: ↑ Increasing ↓ Decreasing ↔ Unchanged
CHANGING CUSTOMER AND COMPETITOR LANDSCAPE
INHERENT RISK: High
TREND: Unchanged
STRATEGY:
Best-in-class services
Focus on trade
Advantaged businesses
IMPACT:
Adverse effect on financial results
Loss of market share
RISK DESCRIPTION
The Group sells and distributes building materials through a number of channels. The number of outlets and channels where building materials can be purchased continues to grow with new competitors entering the market. These new entrants may operate business models which differ significantly from the traditional merchanting, retail and online formats from which the Group currently operates and may take market share.
The demerger of the Wickes business will change the risk profile of the Group in the coming year, as exposure to the retail sector is reduced.
Customer purchasing habits also continue to evolve with an increasing percentage of transactions for the Group now originating online. Customers' preference for purchasing materials through a range of supply channels and not just through the Group's traditional competitors may adversely impact the profitability of branch-based operations and the Group's overall performance.
Increasing price transparency could lead to a perception that the Group is less price competitive leading to downward pressure on price and margins.
RISK MITIGATION
The Board is cognisant of the risks and opportunities presented by the changing customer and competitor landscape and evaluates developments both in terms of threats and opportunities for the Group. One example of this in 2019 is the decision to pursue the demerger of the Wickes business, and for the Group to focus on the service of trade rather than retail customers.
The Group continues to build multi-channel capabilities that complement its existing operations and enable customers to transact with the Group through channels that best suit their needs.
The Group is able to use its sites flexibly to respond to changes. Alternative space utilisation models are possible, including maintaining smaller stores and implanting additional services into existing branches. During 2019, Toolstation opened its first high street store.
The development of new, innovative and competitive supply solutions is a key strength of the Group. It works closely with customers and suppliers on a programme of continuous improvement to enhance the customer proposition.
Pricing strategies across the Group are regularly reviewed and refined as necessary to ensure they remain competitive.
TALENT MANAGEMENT
INHERENT RISK: Medium
TREND: Unchanged
STRATEGY:
Best-in-class services
Focus on trade
Simplifying the Group
IMPACT:
Adverse effect on delivery of strategy
Competitive disadvantage
RISK DESCRIPTION
People are key to the Group's success. The ability to recruit, develop, retain and motivate suitably qualified and experienced staff is an important driver of the Group's overall performance. The Group may also be exposed to skills shortages in certain areas which can result in salary cost pressures. This may be compounded by Brexit if significant numbers of EU citizens decide to leave the UK (see also page 47). In particular, the availability of suitably qualified commercial drivers is an area of ongoing focus for the Group, which is critical to the operation of its fleet to meet customer delivery expectations.
The strength of the Group's customer proposition is underpinned by the quality of people working throughout the Group, particularly in branch and other customer-facing roles. Many colleagues have worked for Travis Perkins for many years, during which they have gained valuable product and customer knowledge and expertise.
The Group faces competition for the best people from other organisations. Ensuring the retention and development of colleagues and that robust succession plans exist for key positions is important for the Group to ensure it has the right skills and experience to deliver on its strategic objectives.
RISK MITIGATION
The Group's employment policies and practices are kept under regular review. Staff engagement and turnover by job type is reported regularly to the Group Leadership Team and the Board. A Group-wide talent and succession exercise was undertaken in 2019 and reviewed by the Board. Succession plans are reviewed annually; the process was reviewed for 2020 to ensure that plans are in place for the Board, senior management positions and other critical roles and to promote the development of diverse and inclusive pipelines.
The Group's reward and recognition systems are actively managed to ensure high levels of employee engagement. Salaries and other benefits are benchmarked regularly to ensure that the Group remains competitive and the Group operates incentive structures to ensure that high-performing colleagues are adequately rewarded and retained.
A wide range of training programmes are in place to encourage staff development. Management development programmes are available to those identified for more senior positions. The Group's "Learn and Earn" Apprenticeship Programme ("LEAP") has been in place for a number of years and has a track record of successful delivery of apprenticeships in both branch-based and functional roles.
SUPPLIER RISKS
INHERENT RISK: Medium
TREND: Unchanged
STRATEGY:
Best-in-class services
Focus on trade
Simplifying the Group
Financial strength
IMPACT:
Adverse effect on financial result
Adverse effect on reputation
RISK DESCRIPTION
The Group faces a number of supplier risks in relation to key dependencies and relationships, overseas sourcing and disintermediation, all of which could adversely impact upon ranging and price.
The Group is the largest customer to a number of its suppliers. In some cases, those suppliers are large enough to cause the Group significant difficulties and disruption if they are unable to meet their supply obligations due to either economic or operational factors. Alternative sourcing may be available, but the volumes required and the time it may take those suppliers to increase production could result in significant stock-outs for a considerable time, adversely impacting customer service and, potentially, leading customers to switch to a competitor in the short- or long-term.
The Group sources a number of products from overseas factories, which increases the Group's exposure to sourcing, quality, trading, warranty and currency issues. This again may adversely impact customer service and choice.
Manufacturers of materials and products sold by the Group may also look to sell directly to end customers in the future, diminishing the role of distributors.
The Group's intended demerger of the Wickes business, as well as the potential future sale of its Plumbing & Heating businesses, will reduce the size of the Group, which may impact on its ability to renegotiate future supply contracts on equivalent or favourable terms.
RISK MITIGATION
Making decent returns is one of the Group's cornerstones which requires it to treat both customers and suppliers fairly. The commercial and financial teams have established strong relationships with the Group's key suppliers and work closely with them to agree contracts that are beneficial to both parties and facilitate continuity of quality materials. This interaction continues as the Wickes demerger is progressed and revised contractual arrangements are put in place.
Where possible, contracts exist with more than one supplier for key products, to reduce the risks of dependency on a sole supplier.
The Group has made a significant investment in its Far East infrastructure to support its direct sourcing operation. This allows the development of own brand products, thereby reducing the reliance on branded suppliers. The Group has also adopted a conservative hedging policy to reduce its exposure to currency fluctuations.
Independent checks are undertaken on the factories producing products for the Group, including the quality and suitability of those products before they are shipped to the UK. The results of these checks are kept under review with action taken as necessary to address any concerns.
HEALTH AND SAFETY
INHERENT RISK: Medium
TREND: Unchanged
STRATEGY:
Best-in-class services
Financial strength
IMPACT:
Harm to our colleagues, customers and the wider community
Potential legal action, fines and penalties
Adverse effect on financial results
Adverse effect on reputation
RISK DESCRIPTION
Keeping the Group's colleagues, customers, suppliers and the public safe is a cornerstone of the business and at the heart of how it operates. The Group expects everyone to go home to their families safely every day.
The Group operates over two thousand sites, many with complex and busy yards. It also operates one of the largest vehicle fleets in the UK, distributing heavy and bulky materials. Poorly implemented safety practices on site, on the road and at delivery locations could result in significant harm to people which would damage the Company's reputation and could impact trading performance.
RISK MITIGATION
The Group continues to challenge its thinking and approach to improving its safety performance through its now well established "Stay Safe" brand.
Governance of Stay Safe is well established and designed to promote a continual focus on health and safety. Stay Safe performance is reviewed at all Board Meetings, by the Group Leadership Team and by the dedicated Stay Safe Committee, which is chaired by a Non-executive Director. Safety performance is a focus at the leadership meetings for each of the Group's business units, with regular consideration of continuous improvement plans in this area. These forums also monitor the achievement of transport-related compliance requirements, including driver licensing and professional competence. In addition, a number of the business units, including Travis Perkins, have retained FORS accreditation of their vehicle fleets.
During 2019 a programme of "Safety Deep Dive" reviews was introduced to assess how effectively key safety risks are managed and to benchmark the Group to leading practice. Safety management arrangements are periodically assessed and accredited by members of the Safety Schemes in Procurement Forum.
Incidents are monitored, investigated and corrective action taken to reduce the likelihood of similar incidents in future. Stay Safe assurance reviews are regularly undertaken at all sites by dedicated safety professionals with any resulting improvement actions tracked to completion.
De-risking the Group's operations, improving health and safety awareness and implementing improved ways of working are at the forefront of the Group's activities. Further information on progress made during the year can be found in the Health and Safety report on pages 52 to 67.
CAPITAL ALLOCATION
INHERENT RISK: Medium
TREND: Decreasing
STRATEGY:
Focus on trade
Advantaged businesses
Financial strength
IMPACT:
Adverse effect on financial results
RISK DESCRIPTION
The Group manages a number of different businesses in the UK which operate in different, but complementary channels. As the Group's markets continue to develop, it is investing to enhance its existing businesses and also to develop new propositions to better serve its customers.
While the Group operates a disciplined capital allocation process, there is a risk that it may be over-investing in channels which may decline or that it may not be allocating sufficient capital to new propositions and advantaged businesses resulting in sub-optimal returns on capital.
RISK MITIGATION
Return on capital is one of the Group's key performance indicators as shown on page 21. The Group's decision to refine its strategy and focus on trade customers in the most advantaged businesses has influenced the allocation of capital during 2019, with more focused management attention and capital deployment in areas of higher return. This capital allocation policy is also a driver for the Wickes demerger, enabling both Wickes and the remaining Group to pursue separate strategies and priorities for investment and growth.
Responsibility for identifying and implementing opportunities to expand, improve or modify the Group's operations rests with each of the business unit leadership teams. Capital is deployed or re-deployed through a Group-led forum to strategically-aligned projects expected to achieve the best return on capital. Projects are required to present a comprehensive business case and, for the largest investments, Board approval is sought.
Major projects are reviewed by the Group Leadership Team, which introduced a monthly programme review during 2019. Progress against plan is kept under close review.
Post implementation reviews are undertaken of all major projects and returns are monitored on an on-going basis to ensure that the expected returns are achieved, but also to allow the Group to modify its capital allocation when appropriate.
CHANGE MANAGEMENT
INHERENT RISK: High
TREND: Increasing
STRATEGY:
Best-in-class services
Advantaged businesses
Simplifying the Group
Financial strength
IMPACT:
Adverse effect on financial results
Adverse effect on shareholder value
RISK DESCRIPTION
The Group undertakes a variety of projects throughout its business in order to generate returns for its shareholders. These projects include the modernisation of the Group's core IT systems and infrastructure, on-going development of its supply chain operations and branch and store networks, and the simplification of the Group to speed up decision-making and reduce costs.
By their nature, such strategic projects are often complicated, interlinked and may require considerable resource to deliver. As a result, the expected benefits, timescale for delivery and the costs of implementation of each project may deviate from those anticipated at their outset. Colleague engagement may be impacted during a period of significant change and cost-focus.
Following the announcement in 2019 to delay the Merchant ERP replacement programme, the Group is considering its approach to implementation of the various elements of an ERP system, after modernisation of the core IT architecture. The results and delays to this programme are illustrative of the challenges associated with major transformation projects in a Group with a number of complex legacy systems.
RISK MITIGATION
As set out in relation to capital allocation, all potentially significant projects are subject to detailed investigation, assessment and approval prior to commencement.
Dedicated teams, including financial resource, are allocated to each project, with additional expertise being brought into the Group to supplement existing resource when necessary.
All strategic projects are supported by an appropriate governance structure and are closely monitored through the Group Leadership Team's programme review with regular reporting to the Board.
Regular communications are undertaken to keep colleagues informed.
When projects do not deliver against expectations, exercises are undertaken to capture the "lessons learned" which are fed into future projects.
BREXIT
INHERENT RISK: High
TREND: Unchanged
STRATEGY:
Best-in-class services
Financial strength
IMPACT:
Adverse effect on financial results
RISK DESCRIPTION
The result of the UK vote to leave the European Union ("Brexit") and the subsequent process to determine the terms of the withdrawal agreement has caused considerable market uncertainty throughout 2019 and continues to do so. It remains difficult to predict the economic outlook and impact to the Group in the short term or long term. The Group continued to experience significant volatility in the value of sterling against the principal currencies used to pay for imported goods during 2019.
Future trading relationships with overseas markets have yet to be determined and these may result in higher tariffs or duties on imports of construction products as well as extended lead times on imported supplies or result in the need to source some products elsewhere. These risks have the potential to impact the Group significantly. Of less risk to the Group, but potentially significant for its customers, are the significant numbers of non-UK nationals employed in the construction industry and the distribution and logistics markets. If the UK becomes a less attractive place for them to work this could result in labour shortages and consequent salary cost pressures and could change dynamics in our key markets. Whilst significant changes to product standards and legislative requirements more generally are not anticipated in the short term, they could impact the Group if introduced in the future.
The Group operates a small number of branches in Northern Ireland and the Republic of Ireland. During 2019, the Group acquired a controlling share of the Toolstation Europe business. Whilst not material to the Group, business operations in these territories may be impacted by the final agreements made with the EU including those in respect of borders, tariffs and information flow.
The continued uncertainties that surround Brexit mean that a more precise assessment of the impact on the Group's operations is unlikely to be possible until further detail becomes available in respect of the future trading relationships of the UK after the transition period.
RISK MITIGATION
It remains difficult to determine the full impact of Brexit on the Group. The Board continues to monitor developments and market conditions and will react accordingly.
The Board has undertaken a process to assess the risks associated with Brexit. This includes assessment of existing risk mitigations and actions in progress and is updated on a regular basis.
The Group continues to invest in the business where those investments are expected to realise acceptable returns, but it is prepared to flex activity levels should market conditions so dictate.
Throughout 2019, exercises were undertaken by the business unit leadership teams to assess the level of stock holding required in each business unit to minimise disruption to customers as a consequence of Brexit. The Group has taken steps to minimise disruption to its imports from the EU and was granted Authorised Economic Operator status by HMRC in early 2019.
Regular communication continues with both customers and key suppliers. A customer statement is in place and will be reassessed as agreements with the EU are clarified.
Where the cost of goods increases due to the exchange rate deteriorating or additional tariffs and duties, the Group will seek to pass those price increases through to its customers, but its ability to do so will depend upon market conditions at the time.
The processes in place around recruitment and retention are set out in the related principal risk on page 43.
MARKET CONDITIONS
INHERENT RISK: High
TREND: Unchanged
STRATEGY:
Best-in-class services
Focus on trade
Advantaged businesses
IMPACT:
Adverse effect on financial results
RISK DESCRIPTION
The Group's products are sold to businesses, trades and retail customers for a broad range of end uses in the built environment. The Group's markets are cyclical in nature and the performance of those markets is affected by general economic conditions and a number of specific drivers of construction, Renovation, Maintenance and Improvement and DIY activity, including mortgage availability and affordability, housing transactions and the timing and nature of government activity to stimulate activity, net disposable income, house price inflation, consumer confidence, interest rates and unemployment.
A significant downturn in economic conditions or major uncertainty about the future outlook could affect the levels of construction activity in the Group's markets and the confidence levels of the Group's customers, which could reduce their propensity to purchase products and services from the Group's businesses.
RISK MITIGATION
The Board conducts an annual review of strategy, which includes an assessment of likely competitor activity, market forecasts and possible future trends in products, channels of distribution and customer behaviour.
The Group maintains a comprehensive tracking system for lead indicators that influence the market for the consumption of building materials in the UK.
Significant events including those in the supply chain that may affect the Group are monitored by the Group Leadership Team and reported to the Board monthly by the Group CEO.
Should market conditions deteriorate then the Board has a range of options dependent upon the severity of the change. Historically these have included amending the Group's trading stance, cost reduction, lowering capital investment and reducing the dividend.
PORTFOLIO MANAGEMENT
INHERENT RISK: Medium
TREND: Unchanged
STRATEGY:
Focus on trade
Advantaged businesses
Simplifying the Group
Financial strength
IMPACT:
Adverse effect on financial results
Adverse effect on shareholder value
Adverse effect on reputation
RISK DESCRIPTION
The Group undertakes acquisition and disposal activity to optimise its portfolio of businesses and drive shareholder return. In December 2018, the Group announced a strategy to simplify the Group and concentrate on its trade-focused businesses. In the last year, the Group has:
- Set out its intention to explore the potential divestment of the Plumbing & Heating businesses. The Group confirmed in January the sale of its Primaflow F&P wholesale business to Newbury Investments (UK) Ltd. Further activity in relation to the remaining businesses has been paused
- Announced a proposed demerger of the Wickes business in 2020
- Acquired a controlling shareholding in Toolstation Europe
Programmes to separate businesses for sale or demerger can be complex given the many linkages to Group systems and processes.
Communication of the impacts to colleagues both in the affected and remaining businesses requires careful consideration to ensure that colleagues remain informed, engaged and also that confidentiality is not breached.
The projected benefits, costs and timescale for portfolio management activities may deviate from those originally planned, which could in turn impact the progression of the process and the value realised or price paid.
RISK MITIGATION
All portfolio management activities are subject to a detailed appraisal process and ultimate approval by the Board.
A formal programme of work, with dedicated resource, is put in place for the larger-scale transactions including those in relation to Plumbing & Heating and Wickes. External expertise and advisers are involved as required to support the programme teams.
The Plumbing & Heating businesses were successfully separated both functionally and in system terms during 2019 to the agreed timescales. The Wickes demerger activity is progressing in line with plans.
All activity of this kind is supported by robust governance and monitoring. The largest programmes are closely monitored by a Steering Committee, with sponsorship and representation from members of the Group Leadership Team and, when appropriate based on the significance of a transaction, the Board. Both the Group Leadership Team and the Board receive regular updates on all portfolio management activities.
IT SYSTEMS AND INFRASTRUCTURE
INHERENT RISK: High
TREND: Increasing
STRATEGY:
Best-in-class services
Simplifying the Group
IMPACT:
Adverse effect on financial results
Adverse effect on reputation
Adverse effect on delivery of strategy
Competitive disadvantage
RISK DESCRIPTION
The Group is dependent on a wide range of IT systems and supporting infrastructure for its day-to-day operations and technology plays a significant role in the future growth and success of the Group. The current IT landscape is complex and includes some legacy systems that lack the functionality of modern software and where expertise is diminishing.
System failures or outages could disrupt the day-to-day operations of the Group and, in turn, impact customer service and the Group's financial performance.
The Group is developing a comprehensive modernisation plan that will include the replacement of a number of legacy systems. This will bring greater stability, capability and longevity to the Group's systems and infrastructure.
In its digital offerings, the Group's ability to meet customer demand will impact longer-term growth and delivery of the strategy.
There is significant risk associated with IT change programmes including risks in relation to prioritisation and sequencing, resource allocation, cost and time overruns, testing and business acceptance. These risks, alone or in combination, could impact the financial results and reputation of the Group, and achievement of the longer-term strategy.
|
RISK MITIGATION
To mitigate the risk of disruption in the event of a system failure, an IT disaster recovery plan is in place, together with broader business continuity plans. Arrangements are in place for alternative data sites. Off-site back-up routines are in place. Plans are regularly tested and the results assessed to drive further improvements. The incident management process is designed to prioritise and respond to any incident quickly and effectively, with escalation and communication protocols. Recovery targets are in place and are designed to minimise the operational and customer impact. Internal Audit reviewed the disaster recovery plans and incident management processes during the year.
In relation to the modernisation of the Group's IT systems and infrastructure, the IT strategy is currently being updated. A governance structure is in place for change programmes from idea generation through to deployment. This includes protocols, reviewed by internal audit during the year, to ensure that upgrades and improvements are delivered to the business in a controlled manner and limit the potential for disruption.
The Group Leadership Team receives regular progress reports and larger programmes are reported to the Board. This structure has been refreshed during the year and is designed to ensure that programmes are appropriately resourced and progress to plan.
Any system change is rigorously tested, both for functionality and to confirm that it meets business requirements, before it is implemented.
Following the cancellation of the Merchant ERP replacement programme, a full lessons learned exercise was undertaken, as is standard at the end of every programme, with insights captured and rolled into future change programmes.
|
CYBER THREAT AND DATA SECURITY
|
INHERENT RISK: High
TREND: Increasing
STRATEGY:
Best-in-class services
Financial strength
IMPACT:
Adverse effect on financial results
Adverse effect on reputation
Potential legal action, fines and penalties
|
RISK DESCRIPTION
Incidents of sophisticated cyber-crime represent a significant and increasing threat to all businesses including the Group. The tactics of cyber criminals evolve on a daily basis, finding new ways to compromise organisations, which presents a continuous challenge for Information Security teams in terms of cyber risk protection and preparation for potential incidents. Threat sources change continually such that, while the Group may be targeted by cyber-criminals, it may also be impacted by attacks aimed at impacting the UK's infrastructure more generally.
Information Security incidents can be caused externally or internally, accidentally or deliberately. The Group's business activities are heavily dependent on IT systems that are available when needed, based on accurate and complete data. An external cyber-attack or insider threat (or an equivalent incident at a third party with whom Group data is shared legitimately) could result in disruption to customer-facing, supplier-facing and financial systems through theft and misuse of confidential data, damage to or manipulation of operationally critical data or interruption to IT services, any of which may have serious consequential impacts on the Group's reputation, ability to trade and compliance with data protection regulations.
Whilst cyber incidents have not significantly impacted the Group to date, these threats continue to evolve and can, in turn, impact the effectiveness of mitigating actions. The Group continues to be vigilant and assess its exposure.
|
RISK MITIGATION
The Group takes its responsibilities and legal obligations in respect of data security and protection seriously and continues to make investments to protect data, including customer data, and ensure that its confidentiality, integrity and availability are maintained.
The Group takes a two-pronged approach to data security: through technology (protective tools and countermeasures) and people (awareness and training).
Best-of-breed technical solutions are deployed across the Group's infrastructure including firewalls, virus protection, email threat protection, intrusion detection and vulnerability scanning. There is an ongoing review process to ensure that these solutions provide optimal benefit and protection to the Group, through appropriate tuning and configuration. An outsourced Security Operations Centre has recently launched to provide round-the-clock monitoring of the Group's infrastructure using market-leading tools. This will deliver mature levels of threat intelligence to support proactive defence against cyber threats.
New IT projects are scrutinised and supported by the Information Security team, ensuring security by design. All changes to technology solutions require information security review and approval.
An information security improvement project was initiated in 2019 with the objective of continuously advancing the Group's information security profile and maturity against the recognised National Institute of Standards and Technology - Cyber Security Framework. This has led to the introduction of a new governance framework, including a steering group and "Security Champion" forum, and the development of a new policy framework.
The Group continues to maintain compliance with the Payment Card Industry - Data Security Standard.
The Group has a comprehensive set of data protection and information security policies in place and all colleagues are required to undertake regular training regarding the protection of information. This emphasises the importance of keeping personal information safe and secure in whatever format it is held by the Group. A Data Governance Committee is in place to support the Group's data governance and information security framework. Its remit includes reviewing and approving key information security policies, supporting development of a positive culture of compliance (including by promoting awareness of key information security policies) and, where appropriate, reviewing the response to data security breaches.
In the event of an incident, the response protocols and recovery plans in place are designed to mitigate the impact and support a rapid and efficient recovery of systems and service.
|
LEGAL COMPLIANCE
|
INHERENT RISK: Medium
TREND: Increasing
STRATEGY:
Best-in-class services
Focus on trade
Advantaged Businesses
Simplifying the Group
Financial strength
IMPACT:
Adverse effect on reputation
Adverse effect on financial and operational performance
Potential legal action, fines and penalties
|
RISK DESCRIPTION
The Group is subject to a broad range of existing and evolving governance requirements, environmental, health and safety and other laws, regulations, standards and best practices which affect the way the Group operates and give rise to significant compliance costs, potential legal liability exposure for non-compliance and potential limitations on the development of the Group's operations.
|
RISK MITIGATION
The Group's in-house legal team is responsible for monitoring changes to laws and regulations that affect the business and is supported by external advisers.
The Group has a comprehensive framework of policies in place that set out the ways colleagues and suppliers are expected to conduct themselves. Those expectations are widely disseminated using a range of methods to ensure colleagues and suppliers understand their responsibilities to comply with the law and other regulations affecting the Group at all times.
In recognition of the ongoing changes and requirements across the Group's regulatory compliance landscape, a Regulatory Risk Business Partner has recently been appointed who will support the business in meeting new requirements and continue to develop and improve the existing framework.
The Group provides online training to colleagues in key areas of legal and regulatory compliance, including a suite of mandatory training for those that join the Group.
The Group Leadership Team and the Board regularly monitor compliance with laws and regulations.
The Group operates a whistleblowing process that allows the anonymous reporting, through an independent hotline, of any suspected wrongdoing or unethical behaviour, including reporting instances of non-compliance with laws and regulations. All reported cases are investigated.
|