Risk Management and Internal Control
The Board meets regularly throughout the year and has adopted a schedule of matters which are required to be brought to it for decision. This procedure is intended to ensure that the Directors maintain full and effective control over all significant strategic, financial and organisational issues.
During the year, actions to strengthen the control environment continued to be taken centrally by Group management, particularly in the areas of health and safety and bribery and corruption. The duties and responsibilities of subsidiary management are continually refreshed as well as documented in a manual circulated to all subsidiary managing directors. A comprehensive induction programme for subsidiary finance directors was launched in the year. We also strengthened the resources dedicated to identifying and investigating potential acquisitions and the policies to ensure a rapid and successful integration following acquisition. The scope of the Group’s policies and the programme of compliance audits are regularly reviewed to ensure they are sufficient to address current risks. The Group placed additional emphasis on updating our business continuity plans over the past year.
The Group’s treasury and hedging policy was also updated to ensure that appropriate accounting and banking arrangements were in line with the Group’s growth and to ensure continued compliance with accounting requirements.
The internal audit function has operated independently since 2004, reporting to the Audit Committee. In 2008/09, a dedicated Internal Audit manager was added to support the function and during 2010/11 an internal auditor based in China was recruited. Each year we implement further improvements to our Internal Audit procedures to enhance effectiveness.
The processes which the Board has applied in reviewing the effectiveness of the Group’s system of internal control are summarised below:
- operating companies carry out a detailed risk assessment each year and identify mitigating actions in place or proposed for each significant risk. A risk register is compiled from this information, against which action is monitored through to resolution. Group management also compiles a summary of significant Group risks, documenting existing or planned actions to mitigate, manage or avoid risks;
- each month the board of every operating company meets, discusses and reports on its operating performance, its opportunities, the risks facing it and the resultant actions. The relevant Divisional Chief Executive chairs this meeting. Divisional Chief Executives meet regularly with the Chief Executive and Finance Director and report on divisional progress to the Executive Board;
- financial and trading ‘warning signs’ are reported to Group and divisional management. Weekly data on cash management and sales orders are also reported direct to the Chief Executive, the Finance Director and the Group finance team. This framework is designed to provide an early warning of potential risks and to direct appropriate action where necessary;
- the Chief Executive submits a report to each Halma plc Board meeting which includes financial information, the main features of Group operations and an analysis of the significant risks and opportunities facing the Group. The report also covers progress against strategic objectives and shareholder related issues;
- regular Director visits to Group companies are scheduled and open access to the subsidiary company boards is encouraged;
- cyclical and risk-based internal control visits are carried out by internal audit or senior finance staff resulting in actions being fed back to each company and followed up by Divisional Finance Directors and Divisional Chief Executives. Reviews are coded in terms of risk and a summary of all such reviews is given to the Audit Committee, with any significant control failings being reported directly to the Audit Committee; senior finance staff also conduct financial reviews at each operating company before publication of half-year and year-end figures. We have a Groupwide IT policy supported by a programme of IT audits; and
- the Chief Executive, Finance Director and Internal Audit report to the Audit Committee on all aspects of internal control. The Board receives regular reports from the Audit Committee chairman and the papers and minutes of the Audit Committee meetings are used as a basis for its annual review of internal control.
Group risk management
Group risk is mitigated by means of an operating structure which spreads the Group’s activities across a number of autonomous subsidiary companies. Each of these companies is led by a high-quality board of directors including a finance executive.
Group companies operate under a system of controls which includes but is not limited to:
- a defined organisational structure with an appropriate delegation of authority to operational management which ensures appropriate segregation of key duties;
- the identification and appraisal of risks both formally, through the annual process of preparing business plans and budgets and through an annual detailed risk assessment carried out at local level, and informally, through close monitoring of operations;
- a comprehensive financial reporting system, recently enhanced, within which actual and forecast results are compared with approved budgets and the previous year’s figures on a monthly basis. Weekly cash/sales/orders reporting, including details of financial institutions, is also maintained within the financial reporting system, all of which is reviewed at both local and Group level;
- an investment evaluation procedure to ensure an appropriate level of approval for all capital expenditure and other capitalised costs;
- self-certification by operating company management of compliance and control issues;
- a robust structure for electronic communication and conducting e-commerce to ensure that the Group is not negatively impacted by threats to its information technology infrastructure and to minimise potential for business disruptions. The Group has a wide range of measures, policies and frameworks in place, which include a virtual private network covering over 80 sites worldwide, secure firewalls, information management audits, disaster recovery and a mobile devices management system; and
- an acquisitions and disposals framework which governs the due diligence and negotiation and approval processes to ensure that value enhancing, quality investments are made in order to meet our strategic objectives.