Risk management

We operate in a challenging environment  but we recognise that, with careful management, risks can offer opportunities as well as challenges.

We understand that risks are an inherent part of our business. Risk management is an integral part of how we work and it is built into our day to day activities. Identifying and managing risks and opportunities is key to the successful delivery of our strategy.

Review our key risk register

Risk governance

Our Board is responsible for reviewing the effectiveness of our risk management and internal control systems, including financial, operational, and compliance controls. The work undertaken by our Committees is a vital component of the way we effectively review, identify, and manage risk.

Our risk management approach is based upon the principles and guidelines of BS ISO 31000:2018 and on our Internal Control Framework. Our risk framework has continued to mature as we learn from  the challenges we have faced in the past. We have continued to improve our risk management processes  and believe our framework provides us with the structure to identify the risks that may affect our business.

Read more about our approach to risk governance.

Risk management framework

Our risk management framework is designed to underpin our sustainability and helps our Board fulfil its responsibilities. The framework includes the policies, culture, organisation, behaviours, processes and systems that, taken together, facilitate its effective and efficient operation.

The Framework supports the Board in exercising its overall responsibilities and to:

  • Regulate the entry of appropriate opportunities and risks into the Group
  • Develop our understanding of the most significant threats and opportunities
  • Promote active management of risk exposures down to acceptable levels
  • Assist the Group in delivering business plan objectives and operational performance

2018 review

In 2018 we continued to enhance our processes and controls to improve both the consistency and transparency of our approach to risk management. The following improvements were made:

  • Revised the Enterprise Risk Management Governance and Framework to align with revised standards (ISO 31000:2018) and regulatory requirements
  • Enhanced Group oversight of opportunities by amending the GRC mandate, adding further assurance to our Group risk reviews, aligning GRC membership and attendees to organisational changes and enabling wider cross-management input
  • Developed a more formal articulation of risk appetite
  • Revised the Group’s principal risks and revised our approach and engagement with risk owners to improve monitoring of principal risks, mitigating actions and key risk indicators
  • Reviewed our approach to project risk management consistent with new IFRS requirements
  • Reviewed and enhanced key Group control processes including:
    • Review of existing Group policies, standards and procedures
    • Revision of our Delegated Authorities
  • The Third Party Risk Review Committee and Compliance and Ethics Committee continued to meet regularly to review applicable third-party relationships and provide oversight of our compliance arrangements.
  • Embedded a compliance monitoring programme on projects
  • Organisational changes primarily relating to the E&C and EPS business, designed to provide clarity of leadership for our divisions and ensure the optimal long-term structural foundation for the business to deliver our strategic priorities
  • We continued to review succession planning and talent development
  • Our regular employee survey was conducted, helping to continually drive employee engagement
  • We continued to implement findings from lessons learned reviews, and we conducted regular ‘cold eye reviews’ across our E&C projects to support them in identifying risks and mitigating potential impacts
  • We continued to develop and expand our ‘stage gate’ approach to our E&C projects with additional improvements introduced through project controls and operational processes becoming more systematic
  • The internal audit programme continued to apply a risk-based approach
  • We continued to implement a financial controls improvement programme, a broad-reaching initiative to improve our financial controls and provide enhanced assurance. This is building on existing practices and will improve the way we work
  • We continued to expand our intrusion detection monitoring of cyber-security threats and tightened our controls, including establishment of a Global Cyber-Security Council
  • Refreshed the Global IT Security Policy, and a number of new Information Security standards have been published
  • A number of HSSEIA deep dives were conducted across the business to identify and address key related concerns, with focus on the Group Safety Improvement Plan
  • As part of our crisis management programme, we conducted simulation exercises across the organisation
  • There has been a continued focus on evacuation and emergency response with mock exercises regularly planned and conducted
  •  A number of HSSEIA standards have been updated and published

Risk Appetite

During 2018, we undertook an exercise to more formally articulate our risk appetite in the context of our strategic priorities and for each of the Group’s principal risks. We will monitor activities against the more formal appetite statements during 2019 and these will be reviewed on at least an annual basis.

The Group’s risk appetite will govern the Delegated Authorities and operation of Risk Review Committees, that are embedded across the Group.


Our Board is assisted by four committees - the Audit, Compliance and Ethics, Nominations and Remuneration committees