Peachtree 2015 Annual Report Download - page 40


[Figure: Risk management process, a cycle with stages labelled Analyse, Mitigate, Identify, Evaluate]
Principal risks and uncertainties continued
How we manage risk
Our risk management framework has been built to identify,
evaluate, analyse, manage and mitigate those risks which
threaten the successful achievement of our business
strategy and objectives, within tolerable appetites. Risks are
owned and managed within the business, and formally
reviewed on a quarterly basis.
To supplement business as usual risk management
activities, Global Risk undertakes a number of targeted
in-depth reviews against identified risks each year. In 2015
these were conducted against three of the principal risks,
namely Third Party Reliance, Information Management and
Protection (including cyber), and Legal and Regulatory
Framework. The results of these reviews feed into the
quarterly reporting cycle.
Risks continue to be owned and managed within the
business, and are overseen and supervised through the
Global and Regional Risk Commiees. During 2015 risk
resources around the business were brought together to
operate as a global function. This move seeks to drive
greater consistency, and toavoid any conflicts of interest
between local reporting lines and global requirements.
Our risk management activities
The Board is responsible for maintaining and reviewing the
effectiveness of our risk management activities from a
financial, operational and compliance perspective. These
activities are designed to identify and manage, rather than
eliminate, the risk of failure to achieve business objectives
or to successfully deliver the business strategy. Our risk
management strategy supports the successful running
of the business by identifying and managing risks to an
acceptable level and delivering assurance on these.
Culture
The Board is aware that the effectiveness of risk
management is dependent on behaviours. During 2015
we launched a revised Code of Ethics, re-enforcing our
required values and behaviours, and in turn strengthening
our risk culture. This is now supported by our ethics and
compliance programme, which aims to ensure compliance
with our ethical standards.
In parallel, Sage recognises the behavioural benefits that
clear expectations bring to the business, and as such is
re-enforcing a 100% compliance culture with policies and
procedures across the business, and wrapping this within
a broader ‘Sage Way’ of working. Oversight of compliance
is reported through Global Risk and Assurance, and during
2016 plans are in place to enhance existing capabilities
through the formation of a dedicated Compliance function.
How we identify risk
Our risk identification processes follow a dual
approach, seeking:
To identify risks using a top down approach at the
global level. These principal risks are those which
threaten delivery of our Strategy.
To identify risks using a boom up approach at the
country level. Such risks are those which threaten local
business activity, and they are managed at the local level.
To provide visibility of wider issues within the business,
these are consolidated at the global level. To further
improve the visibility of local risks at a regional and
global level, the Risk Management Policy was revised
during 2015, and formal requirement for escalation
of higher rated risks to the Regional and Global Risk
Commiees was introduced.
Our risk appetite
We use an assessment of the level of risk and our
associated risk appetite to ensure that appropriate focus
is placed on the risks we face. Identified risks are measured
on a gross and net risk basis using our pre-defined scoring
matrix. Risks are then prioritised for mitigation by
considering these scores against our risk appetite.
The principal risks, of which there are currently ten, are
reviewed by the Board on an on-going basis, and monitored
and managed through the Audit and Risk Committee
and Global Risk Committee.
To assist with the monitoring and management of these
identified principal risks, work was undertaken with risk
sponsors and owners to establish a set of Risk Appetite
Statements for each identified principal risk. Behind each
statement a series of Risk Metrics and their measurement
were identified and agreed, in order to provide oversight of
whether we are working within identified tolerance, and
whether additional executive aention may be required.
These metrics have been incorporated within our quarterly
reporting activities.
The Sage Group plc | Annual Report & Accounts 2015