The management of risk is embedded in the day-to-day operations of divisional management teams.
A key element of this is the regular review and update of detailed ‘risk registers’ in each division, in which risks are identified and assessed in terms of both the probability of the risk occurring, and its potential impact.
Group-level risks are either derived from a ‘top-down’ review, or from the divisional risk registers, because either the risk affects multiple divisions, or is of a materiality in itself that is considered of Group significance.
Each of these Group-level risks is then assessed by the Board in terms of its potential impact on the Group and its key stakeholders. The Group prioritises risk mitigation actions by considering risk likelihood and potential severity.
The Group has developed an Emerging Risk Register which is reviewed and approved by the Board. The Group considers an emerging risk to be one that is not currently having a material impact on the business, but has a reasonable likelihood of impacting future strategy or operations. The Group’s approach to managing emerging risk exposure is to:
- establish a wide universe of potential emerging risk, using horizon scanning techniques; published external research and peer/competitor review;
- assess these risks taking into account our industry sector and market position, and our strategy, to determine broad relevance;
- consider the potential impact of each risk on the Group’s strategy, finances, operations and reputation, taking into account the likelihood of the risk occurring, and the speed with which it may manifest; and
- develop actions to address the risks where appropriate.
As with the Group’s principal risks, many of the emerging risks present equal or greater opportunities. For example, climate change and ageing population demographics, which are risks fundamental to many sectors, are more of an opportunity than a threat to the Group.
From a very wide universe of potential emerging risks, the Group has, through the above process, identified a number of risks that warrant closer review. These have been further segregated into those requiring only a monitoring approach at present, to those where actions are being developed alongside the principal risks. There are four risks that currently fall into the latter category.
These broadly cover the risk of disruption from integrators and/or demand-responsive ‘MaaS’ operations as well at the future possibilities offered by autonomous vehicles.
It should be noted that the Group considers all these areas to be significant opportunities as well as risks.