Derwent London aims to deliver its strategic objectives whilst operating within a risk envelope defined by the Group’s risk appetite. The Board recognises that risks are inherent in running any business and uses the Group’s risk management system to ensure that risks to the Group’s strategy are identified, understood and managed.
The Board has overall responsibility for risk management and the Group’s system of internal controls. To assist with carrying out this task, the Board has delegated responsibility to the Audit Committee and the Risk Committee. Executive Management is responsible for developing and operating the Group’s risk management system and for designing, implementing, maintaining and evaluating the system of internal control. The diagram illustrates the Group’s risk management structure.
Risk management and culture
The Board is responsible for managing the Group’s risk profile in an environment that reflects the culture and management structure of the business. Key factors to note in this regard are:
• Senior management encourages an open and transparent culture throughout the business.
• The close day-to-day involvement of the Directors in the business allows any system weaknesses to be identified quickly.
• The Group operates mainly from a single office in central London which is within close proximity to most of its properties.
• The senior management team is experienced and stable and overall staff turnover is low. See page 68 for more information on ‘Our People’.
• The Group has a whistleblowing policy which is supported by an independent advice line.
• The Group has clearly defined levels of responsibility and authority.
The Group’s risk management framework consists of its Risk Management Policy, Risk Appetite Statement and Risk Management Process Document. The framework is designed to identify and manage the risks faced by the business recognising that not all risks can be eliminated at an acceptable cost and that there are some risks that, given its experience, the Board will choose to manage and accept.
In compliance with Code Provision C.2.1 of The UK Corporate Governance Code, the Board has carried out a robust assessment of the principal risks and uncertainties facing the Group. The core element of this assessment is the Group’s risk register which is prepared by the Executive Committee in accordance with the Risk Management Process Document. The first stage in its preparation is for the Committee to identify the risks facing the Group. An assessment is then made collectively by the Committee of the following matters:
• The likelihood of each risk occurring.
• The potential impact of the risk on each different area of the business.
• The strength of the controls operating over the risk and the effectiveness of any mitigating actions.
This approach allows the final assessment to reflect the effect of the controls and any mitigating procedures that are in place. If the controls and mitigating actions over a risk are deemed inadequate, the Committee will agree a target risk profile together with additional controls/actions and a timetable for their implementation.
The register and its method of preparation have been reviewed by the Risk Committee. In order to gain a more comprehensive understanding of the risks facing the business and the management thereof, the Risk Committee periodically receives presentations from senior managers and external advisers.
The Risk Committee has also monitored the Company’s risk management and internal control systems primarily by regularly reviewing the set of key risk indicators that were implemented in 2015. This was supplemented by reviews of the top ten risks on the Group’s risk register and the adequacy of the controls operating over these risks. Further information on the work of the Risk Committee can be found on page 105.
Following these reviews, the Risk Committee has confirmed to the Board that it is satisfied that the Group’s risk management and internal control systems operated effectively throughout the period. The Group’s risk register includes 47 risks split between strategic risks, corporate risks, property risks (together, operational risks) and financial risks. One new risk has been added to the Group’s list of principal risks this year:
• That the negotiations to leave the European Union result in arrangements that are damaging to the UK economy and/or central London.
The Board considered whether the overall increase in the level of risk faced by the Group in 2017, as illustrated by the graphs, was reasonable. It noted that only a few of the risks had abated during the year, whilst the risk surrounding Brexit was a significant new factor and cyber risk continued to increase. Taken with the general increase in both political and economic uncertainty, the Board concluded that the increase was justified.