Risk management and principal risks

Group management of risks

Effective management of risk and opportunity is essential to the delivery of the Group’s objectives, achievement of sustainable shareholder value and protection of its reputation. The Group’s approach to risk management is to remove or reduce the likelihood and effect of risks before they occur, and deal effectively with problems if they arise. The Group is committed to the protection of its assets, which include human, property and financial resources, through an effective risk management process, underpinned where appropriate by insurance.

The management of risk is linked into the Group’s strategy, the environment in which it operates, the Group’s appetite for risk and the delivery of the Group’s business objectives. The underlying principles are that risks are continuously monitored, associated action plans are reviewed, appropriate contingencies are provisioned and this information is reported through established management control procedures.

To enable this process, BAE Systems has developed a system of internal control, the ‘Operational Framework’ (OF), that encompasses, amongst other things, the mandated policies and core business processes that provide a common framework for how we do business and what it means to be part of BAE Systems.

The Board has overall responsibility for ensuring that risk is effectively managed across the Group and has delegated to the Audit Committee the responsibility for reviewing in detail the effectiveness of the Group's system of internal controls. During the year, the Executive Committee has further enhanced its oversight of material non-financial risks including, in particular, those arising in connection with safety and ethical issues. Close attention has been paid to analysing risks associated with the conduct of international business and new policies and processes have been implemented seeking to provide the highest levels of assurance. The Executive Committee advises the Corporate Responsibility Committee of all matters within the latter’s remit.

In order to assist the Committees and the Board in their review, the Group has a self-assessment Operational Assurance Statement (OAS) process. The OAS is in two parts: a self-assessment of compliance with appropriate parts of the OF; and a report showing the key risks for the relevant business. Together with independent reviews undertaken by Internal Audit, and the work of the external auditors, the OAS forms the Group’s process for reviewing the effectiveness of the system of internal controls.

Reporting within the Group is structured so that key issues are escalated through the management team, ultimately to the Board if appropriate. The responsibility for risk identification, analysis, evaluation, mitigation, reporting and monitoring rests with line management. Both the Audit Committee and the Corporate Responsibility Committee report the findings of their reviews to the Board so that the Board can form a view.

Further information on the activities of the Board and its Committees is given in the Corporate governance section.

Five core processes and 27 policies are mandated by the OF, enabling the business to respond appropriately to material risks faced by the Group. As with any system of internal control, the policies and processes that are mandated in the OF are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable, and not absolute, assurance against material misstatement or loss.

Further detail on these business processes and mandated policies is given in the Internal control section of the Corporate governance section.

Internal Audit

Internal Audit independently reviews the risk identification procedures and control processes implemented by management.

