The Group has an ongoing process for identifying, evaluating and managing the significant risks that it faces. The Board regularly reviews the process, and the Board considers that the process accords with the Turnbull Guidance on internal control.
The Board considers acceptance of appropriate risks to be an integral part of business and unacceptable levels of risk are avoided or reduced and, in some cases, transferred to third parties. Internal controls are used to identify and manage acceptable levels of risk. The Directors acknowledge their responsibility for establishing and maintaining the Group’s system of internal control, and reviewing its effectiveness. Although the system can provide only reasonable and not absolute assurance of material misstatement or loss, the Group’s system is designed to provide the Directors with reasonable assurance that any risks or problems are identified on a timely basis and dealt with appropriately. The Group has established an ongoing process of risk review and certification by the business heads of each operating unit.
Certain of the Group’s businesses are subject to significant risk. Each identified business risk is assessed for its probability of occurrence and its potential severity of occurrence. Where necessary, the Board considers whether it is appropriate to accept certain risks that cannot be fully controlled or mitigated by the Group.
The Group’s risk management process was embedded throughout the businesses during the financial year ended 30 April 2005 and up to the date of the approval of this report. The Board has carried out a review of the effectiveness of the Group’s internal control environment and such reviews are supported on an ongoing basis by the work of the Audit Committee. The Board is satisfied that the processes are in place to ensure that risks are mitigated to an acceptable level.
The Board has designated specific individuals to oversee the internal control and risk management processes, while recognising that it retains ultimate responsibility for these. The Board believes that it is important that these processes remain rooted throughout the business and the managing director of each operating unit is responsible for the internal control framework within that unit. The Audit Committee meets with representatives of operating units because this is one way for an independent and objective appraisal of risk management to be obtained.
Self-assessment of risk conducted by the Directors and senior management is ongoing and has been considered at several levels with each division maintaining a separate risk profile.
The Group Risk Assurance function, which is outsourced to and managed by Deloitte, reports to the Audit Committee and is utilised in monitoring risk management processes to determine whether internal controls are effectively designed and properly implemented. A risk-based approach is applied to the implementation and monitoring of controls. The monitoring process also forms the basis for maintaining the integrity and improving where possible the Group’s full risk management process in the context of the Group’s overall goals.
The Audit Committee reviews Group Risk Assurance plans, as well as external audit plans and any business improvement opportunities that are recommended by the external auditors.
Virgin Rail Group has its own audit committee and internal audit function. The Group’s risk management process does not specifically cover Virgin Rail Group, but the Group maintains an overview of the business risk management through representation on the board and audit committee. Stagecoach management representatives also meet regularly with representatives of Virgin Rail Group to ensure that the joint venture follows appropriate risk management procedures.
The Group’s Audit Committee reviews the financial statements of Virgin Rail Group together with the minutes, external audit presentations, management presentations and internal audit presentations from the audit committee meetings.
