Strategic Report 01 Strategy 02 03 04 Risk management Risk management We are exposed to a variety of risks and uncertainties which could have a material adverse effect on our key stakeholders (including, but not limited to, our shareholders, patients, customers, etc.), as well as our business, financial position, operational results and reputation, and on the value of our shares. We recognise that the effective management of risk and a robust system of internal controls is critical to delivering our strategic objectives and protecting the interests of our shareholders. Overview day-to-day operations and business processes. Through senior We identify, evaluate, manage and monitor the risks that we face management, we ensure that our employees are given appropriate through an integrated control framework consisting of formal policies training and knowledge to perform their roles in line with the framework and procedures, clearly delegated authority levels and comprehensive we have developed. reporting. The Board confirms that our current risk management framework has been in place throughout the year ended 31 DecemberOn a day-to-day basis, management is responsible for the 2018 and to the date of approval of this Annual Report and Accounts implementation of the Group’s risk management and other internal and is integrated into both our business planning and viability control policies and procedures. Based on our risk culture, managers assessment processes. “own” the risks relevant to their respective function. Our Board, supported by our Audit Committee, Clinical Quality and For each risk identified at any level of the business, the risk is Safety Committee and senior management, is ultimately responsible measured, mitigated (where possible) in accordance with our policies for the Group’s risk management and internal controls and for and procedures, and monitored. Managers are required to report ensuring that an appropriate culture of risk awareness and risk on identified risks and responses to such risks on a consistent basis. management has been embedded throughout the organisation. Senior management reviews the output from the bottom-up process by providing independent challenge and assessing the implementation We have worked to ensure that managing risk is ingrained in our of the risk management and internal control policies and procedures. everyday business activities. We seek to create an environment where there is openness and transparency in how we make decisions and This system is bespoke to the Group’s particular needs and risks to manage risks and where business managers are accountable for the which it is exposed and is designed to manage rather than eliminate risk management and internal control processes associated with their risk. Due to the limitations inherent in any system of internal control, activities. At an operational level, management also seek to ensure this system provides robust, but not absolute, assurance against that risk management is responsive, forward-looking and consistent. material misstatement or loss. Our framework The Board has put in place corporate governance policies and The Board’s mandate includes determining the Group’s risk appetite procedures that aim to ensure that there is good and clear awareness and risk tolerance, as well as monitoring risk exposures to ensure and understanding of the policies and procedures amongst senior that the nature and extent of the main risks we face are consistent management, as well as throughout the organisation. with our overall goals and strategic objectives. We develop risk management strategies which address the full spectrum of risks that Comprehensive reporting forms an integral part of our framework. Our the Group faces. We are accountable for reviewing the effectiveness reporting process enables key risks to be escalated to the appropriate of the systems and processes of risk management and internal level of authority and provides assurance to the Committees and the control, with the Audit Committee and the Clinical Quality and Safety Board. Key developments affecting our principal risks and associated Committee assisting in the discharge of this responsibility. We also mitigating actions are reviewed quarterly (or more often if necessary focus on the resolution of any internal control failures that may arise. on an ad hoc basis outside of the regular reporting process) by the No significant failures occurred during 2018 or the period up to the Audit Committee and the Clinical Quality and Safety Committee, date of this Annual Report. as appropriate, and the Board. The principal risks and uncertainties faced by the Group are identified through this process. The Group’s risk appetite is the amount and type of risk that we are prepared to seek, accept or tolerate. Our risk appetite evolves over A description of these principal risks and uncertainties in addition time to reflect new risks and changes in external market developments to key drivers and trends as well as mitigation efforts can be found and circumstances. on pages 53 to 59. Our control framework is the foundation for the delivery of effective risk The Board is also responsible for determining the nature and extent management. We develop formal policies and procedures which explain of any principal risks the Group is willing to take in order to achieve the way in which risks need to be systematically identified, assessed, its strategic objectives. quantified, managed and monitored. We clearly delegate authority levels and reporting lines throughout the management hierarchy. Each business participates in the risk management process by identifying the key risks applicable to its business. We strive to build our first line of defence against material risks (and the recently implemented Delegation Project reflects all aspects of this strategy) and we work closely with all levels of management to reinforce risk awareness as well as a risk-based pricing mindset in all employees involved in our 49