enterprise risk management
Effective management of risk is essential to the achievement of our business objectives and to the protection of our people, assets and reputation. Identifying, assessing and managing risks is integral to the way we run our business. It is part of our focus on operational excellence and best performance which are key priorities for the Group. The various risks attached to our activities are consistently assessed, recorded and reported in a visible, structured and continuous manner.
During 2010, we enhanced our risk management process through the creation of an enterprise risk management function to further improve, where possible, the integration and efficiency of our risk management framework and, in doing so, to address the increased demands and requirements from external and internal stakeholders. The new function, whose director sits on the executive leadership team and reports directly to the chief executive, draws together our existing risk based responsibilities and builds on the good risk management processes and practices already in place across the Group. This section describes our well established risk management process and outlines the main factors that may affect the execution and implementation of our strategy.
Rexam risk management process
Rexam risk management process
The purpose of the Rexam risk management process is to support achievement of Rexam’s key objective to deliver shareholder value. Although risk can never be eliminated, the process aims to identify and set appropriate mitigation responses for the key risks faced by Rexam. The approach is based around the ISO 31000 risk management process and on both the bottom up and top down assessments of operational, financial and strategic risks.
The first stage of our risk management process is to identify the risks faced by Rexam. This is initially a bottom up process with business units and functions undertaking an annual process of risk identification. Risk workshop sessions, previous year’s risk registers and a risk categorisation check list, among other tools, are used to structure and support the process. The enterprise risk management function leads and supports the process but is also there to challenge the findings. Executive directors and other senior management are also closely involved at critical stages in the process. They review, challenge and debate the risks identified by the business units from a top down perspective. The resultant output is a list of identified risks faced by Rexam for each business and function – the risk register.
The next stage involves the assessment of each identified risk on the register in terms of its likelihood of occurring, and the impact on Rexam if the risk does occur. The assessment of likelihood and impact enables us to identify the key material risks for each business and function. Again this involves both the business units and the senior management and there may be further discussion and analysis. To aid assessment we use specific tools, such as the Heat Map and Radar, to illustrate the impact and likelihood of different risks faced and to show their trend over time. Images of these tools are shown below.
Rexam risk management tool – radar
- Year 1
- Year 0
Rexam risk management tool – heat map
Once risks have been assessed an appropriate mitigation response is determined for each risk identified. The mitigation response will depend upon the impact and likelihood assessment and, for example, may consist of a control action or insurance. The risk response reduces either the likelihood of the risk occurring or the impact on Rexam if the risk does occur or both.
Once we have assessed the risks and the responses have been determined each business unit and function provides a risk report to the enterprise risk management function. These reports are considered together and a Group level risk register is produced showing the key risks to Rexam and key mitigation responses.
The Group level risk register is monitored by the board through a monthly report which updates on key movements in the trend of the risk and key mitigations. The executive leadership team, the audit and risk committee and full board all review the risk profile and any changes on a periodic basis. Ownership of each key Group risk is allocated to the relevant accountable member of the executive leadership team. The audit and risk committee reviews the overall risk management process.
We are constantly looking to enhance our risk management process. In line with external best practice and following the creation of the enterprise risk management function in 2010, a project was undertaken to determine future development opportunities for the Rexam risk management process. The process will be developed in line with the results of this project through 2011.
summary of key Group risks
Set out in the tables below is a summary of the key risks for the Group as a whole. Although the recent global financial and economic situation has heightened many Group risks and exposed new ones, the challenge remains the same in terms of identifying the most relevant risks, assessing their impact and importance and developing appropriate methods to eliminate or mitigate them.
The tables provide brief descriptions of the key types of risk to which the Group is exposed and identify, in each case, their potential impact on the Group, and the principal processes in place to manage and mitigate the risk. Each risk is specifically owned by a senior executive. The tables do not provide an exhaustive analysis of all risks affecting the Group. Not all of the factors listed are within the control of the Group and other factors besides those listed may affect the performance of its businesses. Some risks may be unknown at present and other risks, currently regarded as immaterial, could turn out to be material in the future. Further information on the process by which risk is managed and reported is covered in the risk management and internal control section in the corporate governance report.
health and safety
We use Rexam’s environment, health and safety audit to drive our sites to best practice standards. It was created with the input of both internal and external specialists and is supported by an auditing process using an approved third party auditor. The process highlights gaps between current site practices and best practices so that we can put in place appropriate actions and monitor them for completion. As recognition for high scoring sites we have introduced Bronze, Silver and Gold awards which will also determine future audit frequency.
To further focus our operations on the importance of health and safety we have introduced the Rexam incident rate (RIR) which is the number of lost time accidents plus the number of medical incidents divided by the total man hours worked. Over the years, we have been successful in reducing lost time accidents and the RIR was created to allow for a greater focus on medical incidents and therefore enhance the safety of our people. This measure is now used in addition to the lost time accident rate (LTAR).
LTAR (number of lost time accidents x 200,000/total worked hours).
RIR (number of lost time accidents and medical incidents x 200,000/total worked hours).
supply chain risk
In the wake of the recent global recession, supply chains and businesses have come under significant pressure and are, in general, more vulnerable to supply chain disruption. Removal of capacity and the financial stress within the supply chain may take months, if not years, to restore. From experience, we know that lower risk supply chains can deliver enhanced value, and since early 2009 we have been implementing measures to affect a more robust approach to supply risk management and embed it into the organisation. To this end we established a team from across the business to develop tools which allow us to proactively identify potential risk by mapping out the supply chain so that we can better assess and evaluate this risk. The data is essential to develop the right strategy to either remove or mitigate the risk impact on the business.
In Beverage Can Europe & Asia, for example, this approach has enabled us to identify and then reduce the risks associated with the supply of graphic plates used for can decoration. Activities undertaken included strengthening our supplier relationships, implementing more rigorous and controlled back up capabilities and a review of the design process to reduce the overall leadtime and resource involved.
these are the key risks that relate to and impact the longer term strategic business activities of the organisation
business operations risks
these are the key risks arising from Rexam’s day to day business activities
these are the key risks that are specific to the effective management and control of the finances of Rexam and the effects of external financial factors