Email this page
closeRisk Management
1. Policy Statement
Risk management is the systematic process to positively identify, assess, treat and manage risks - which either threaten the Group's resources or provide beneficial opportunities - in order to enable the Group's business objectives to be achieved.
Risks are owned and managed by the Business Units and Corporate functions where the risk resides. A common Risk Management System and reporting procedures have been implemented to allow overall Group risk to be identified and managed.
The operation of the Risk Management System enables the Group to understand and communicate the risks, which the Group faces and accepts, in order to ensure that these are positively managed at every level.
2. Principles
- Risk management encompasses the implementation of cost-effective controls and contingency plans with the intent of exceeding goals and objectives, including the minimisation of costs, timescales and liabilities.
- Risk management is the responsibility of all managers, who are responsible for implementing the Group's risk management policies and systems, as appropriate, across the business and ensuring that all employees apply these systems.
- Risk management is a continuous process.
- Pro-active management of risk is an integral part of the normal management and review process -to define future plans and actions, and ensure their satisfactory execution. It also facilitates more cost-effective and efficient purchase of insurance.
- Risk budgets are established to fund risk assessment and treatment.
- Activities that may affect the company's image or reputation are subject to formal risk management.
3. Responsibility Cascade
3.1 Board
The Board has overall accountability for the Group's Risk Management Policy and for ensuring that the Risk Management System is effective and complies with the Turnbull Committee Guidance in the Combined Code.
The Board reviews an annual report of the Key Risks facing the Group and the actions put in place to mitigate those risks together with an assessment of the effectiveness of the system of risk management, and reports on these matters in the Annual Report to shareholders.
3.2 Risk Committee
The Board has delegated to the Chief Executive responsibility for the implementation of the Group's Risk Management Policy and for submitting the annual Risk Report to the Board.
The Risk Committee is comprised of the executive directors and the executive officers of the Group and is chaired by the Chief Executive.
The Risk Committee reviews the Group Risk Register to assess:
- The nature and extent of the risks.
- The extent and category of risks which it regards as acceptable.
- The impact and likelihood of risks occurring.
- The adequacy of risk treatment.
- Actions and contingency plans.
- The adequacy and cost of controls.
- The progress on the implementation of the Risk Management System.
3.3 Business Units and Corporate functions
By implementing the Risk Management Policy, the Business Units and Corporate functions are responsible for:
- Maintenance and update of risk reporting (registers/presentations).
- Managing risk action implementation plans.
- Maintaining and reviewing risk performance and measurement systems.
Risk Registers are compiled and submitted for review twice a year. Risk assessments are also submitted with acquisitions or divestment proposals and capital expenditure requests for over £2m.
Each Business Unit has appointed a Risk Management Champion to facilitate the Risk Management Policy within their business. A Group Head Office Risk Management Champion fulfils this role for Corporate functions.
3.4 Corporate Risk Function
The Corporate Risk Function is responsible for:
- Compilation of the Group Risk Register at least half-yearly for submission to the Risk Committee, including:
Consolidation of Business Units and Corporate function Key Risks Facilitation of the creation of the Group Risk Register Regular reporting on overall progress in implementing the Risk Management System Significant risk issues and changes in risk
- Facilitation and training support and communication of best practice within the Group.
- Continuous improvement of the Risk Management System
4. Annual Timetable
| April - June | CEO reviews individual Risk Registers Risk Registers submitted Risk Committee meeting |
| October - December | Risk Champions Meeting Risk Registers submitted for review |
| January | Risk Committee meeting |
| February | Board reviews annual Risk Report |
5. Internal Controls and Risk Management
The Smith & Nephew Board is responsible for the maintenance of the Group's systems of internal control and risk management and for reviewing their effectiveness. An ongoing process is in place for identifying, evaluating and managing key risks through: the Risk Committee which reports to the Board annually; business reviews by the Board of each of the business units; and the review by the Audit Committee of internal controls over financial reporting and the risk management process. These systems are reviewed annually by the Board. Whilst not providing absolute assurance against material misstatements or loss, these systems are designed to identify and manage those risks that could adversely impact the achievement of the Group's objectives.
The principal risks are detailed in “Risk Factors” to be found on pages 22 to 26 of the Annual Report.
In 2007, the effectiveness of the business units systems to identify and manage material risk were evaluated and the findings reported to the Board. No material weaknesses were identified in these systems.
As the Group’s shares are quoted on the New York Stock Exchange in the form of American Depositary Shares, in 2007 in accordance with the requirement in the US under S404 of the Sarbanes-Oxley Act management assessed the effectiveness of the Group’s internal control over financial reporting. Based on its assessment management concluded the Group’s internal control over financial reporting was effective based on the criteria set out by the Committee of Sponsoring Organisations of the Treadway Commission in Internal Control – Integrated Frameworks.