Our risk management strategy supports our ability to respond to the changing needs of our stakeholders and the dynamics of the markets we operate in.
The purpose of our risk management strategy is to identify risks which could affect us achieving our strategic objectives and mitigate these to an acceptable level.
Risk focus
The risks facing the Group continue to be wide ranging, with both external and internal factors providing a high level of uncertainty across the year.
The Group Risk Committee meets formally on a quarterly basis, with significant progress made throughout the year, resetting the risk appetite for the enlarged Group and harmonising the risk management process across the businesses. A description of the Board’s decisions made during the year is included within the Section 172 statement in the annual report.
Identifying and managing risks
The Board oversees the ongoing process for identifying, evaluating and managing the significant risks the Group faces. The Board is also responsible for ensuring the risk management process is effectively operated in accordance with risk management guidance, including performing a robust assessment of the principal and emerging risks facing the Group.
The Board has overall responsibility for risk management with a focus on determining the nature and extent of exposure to the principal and emerging risks the business is willing to take in achieving its strategic objectives. The amount of risk is assessed in the context of our business model and the external environment in which we operate.
The Audit Committee takes responsibility for overseeing the effectiveness of internal control systems which are embedded into our risk management processes on behalf of the Board, and assesses the work of Group Internal Audit.
The Group Risk Committee (overseen by the Group Head of Internal Audit and comprising executive Directors and senior management across the business) is responsible for managing the principal risks in order to achieve our performance goals within the context of risk appetite.
Whilst ultimate responsibility for oversight of risk management rests with the Board, the effective day to day management of risk is embedded within our operational business units and forms an integral part of how we work. This bottom up approach allows potential risks to be identified at an early stage and escalated as appropriate, with mitigations put in place to manage such risks. Each business unit maintains a comprehensive risk register. Changes to the register are reviewed quarterly by the Group Risk Committee, with significant and emerging risks escalated to the Board.
The Group ensures that there are robust processes in place in order to achieve effective risk management. This involves the identification, evaluation, control and continuous monitoring of risk posed to the business. These processes ensure that we have appropriate measures to manage our exposure to risk in order to operate within the Group’s risk appetite.
Oversight and governance process
There is a formal governance structure underpinning our approach to risk management. Key roles and responsibilities within the structure are as follows:
The Board
- Overall responsibility for risk management
- Reviews and approves risk appetite
- Monitors the activity of the Group Risk Committee and agrees the risk programme
- Reviews principal and emerging risks with the Executive Directors
Audit Committee
- Supports the Board in monitoring risk exposure and ensuring that internal controls embedded in the business are relevant and proportionate to risk appetite and exposure
- Reviews internal controls
- Sets the objectives of and monitors the work of Group Internal Audit
Executives
- Define risk appetite
- Set Group strategy in context of risk appetite and risk tolerance
- Identify and review principal risks
- Identify and monitor emerging risks
- Design and implement the risk management framework
Group Risk Committee
- Oversee and facilitate the process of identifying, recording and monitoring risks on a bottom up basis throughout the business units and functions in a consistent manner
- Ensure that risk owners are allocated to all risks
- Aggregate risk information and map against principal risks ensuring escalation to Executive and Board
- Ensure that top down and emerging risks are managed throughout the Group
Group Internal Audit
- Monitors risk management processes across the Group through overseeing the Group Risk Committee
- Supports the Audit Committee in evaluating risk exposures and emerging risks
- Designs and implements a testing programme of internal controls
Regional executive teams
- Identify and assess risks in business operations
- Allocate risk owners to all risks
- Monitor risks and report to Risk Committee
- Ensure effective operation of internal controls
Support functions
- Provide guidance to Group Risk Committee, Regional executive teams and risk owners
- Identify and assess risks in support functions
- Allocate risk owners to all support function risks
The Board is responsible for overseeing the risk appetite of the Group. Executive Directors set the risk appetite of the Group based on the level of risk that the Group is willing to take in order to deliver against strategic, operational and financial objectives.
The risk appetite processes ensure that risks are consistently managed across the Group with decisions being made accepting the right level of risk, and that the appropriate resources and controls are put in place at each level of risk. They also ensure that risks are escalated appropriately and proportionately in line with overall appetite.
The risk appetite process is explained as follows:
1. Describe potential impacts
Risk appetite is assessed for potential impacts across different impact categories:
- Financial risk
- Operational disruption
- Legal and regulatory compliance
- Health and safety
- Environment
- Reputational risks: considered separately across each identified stakeholder group
2. Set acceptable risk level
Potential impacts are assessed against a combination of likelihood and risk impact with the overall outcome being categorised as risk averse, neutral or risk aware.
An example of an area of risk averse tolerance would be our approach towards seeking to comply with all relevant laws and regulations.
An example of where the Group has an open or positive tolerance to risk would be in seeking strategic growth opportunities including acquisitions which may require accepting a higher level of risk in order to achieve returns against our strategic objectives.
3. Compare risk assessment
Risk appetite will vary across different types of risk, and therefore appetite is further analysed between underlying, operational and strategic risks where tolerance for accepting risk will vary.
4. Determine action
Principal risks, including inherent and mitigated risk, are measured against the risk appetite framework to ensure that they are within tolerance of overall risk appetite. If principal risks are outside or towards the top end of risk appetite tolerance, action will be taken, including mitigating actions or increased oversight or controls. If risks are below the risk appetite tolerance level, action should be taken to consider being more open towards risk in order to facilitate achievement of our strategic objectives, including higher returns or growth.
Risk appetite category | Risk tolerance | Explanation |
---|---|---|
Averse | Very low | Activities undertaken will only be those considered to carry very low or virtually no residual risk. |
Low | Minimal | Activities will only be undertaken where they have a low degree of residual risk. Preference for very safe business delivery with the potential for benefit or higher return not a key driver. |
Cautious | Medium | Activities undertaken may carry a high degree of inherent risk that is deemed controllable to a large extent so that the residual risk is medium. Willing to tolerate a degree of risk in selecting which activities to undertake to achieve key deliverables or initiatives, where we have identified scope to achieve significant benefit or realise an opportunity. |
Open | High | Activities themselves may potentially carry, or contribute to, a high degree of residual risk. Willing to consider wider range of options and choose one most likely to result in successful delivery while providing an acceptable level of benefit. Seek to achieve a balance between a high likelihood of successful delivery and a high degree of benefit and value for money. |
Positive | Very high | Willing to be innovative and to consider opportunities offering higher business rewards despite elevated levels of inherent risk even if those activities carry a very high residual risk. |
Identifying and managing risks
The Board maintains a focus on effective risk management, which flows all the way through the organisation. The risk appetite is set at different tolerances depending on the impact categories as mentioned previously, for example the Group’s willingness to accept strategic risk is higher than the tolerance of risk in areas of health and safety. The culture of the organisation ensures all activities, from day to day operations to high level strategic decisions, are performed in line with this approach.
The Board’s assessment of our principal risks is based on the perceived impact on the Group’s ability to achieve its strategic objectives and the likelihood of their occurrence taking into account controls that have been put into place to mitigate any impact.
Principal risks
Recognising that all business activity involves elements of risk, the Board maintains a policy of continuously identifying and reviewing risks that represent a threat to the business, or that may cause future financial results to differ materially from expected results. Our approach is not intended to eliminate risk entirely, but to manage our risk exposures across the business, whilst at the same time making the most of our opportunities.
A review of the movement in our key risks is set out in the table below; a full assessment of our risk identification and mitigation actions is set out in the risk section of the annual report.
Principal risks and uncertainties
Mitigated risk key: within appetite tolerance; outside of appetite tolerance
Risk trend
Evaluation is defined as management’s assessment of whether the risk factor has:
Type of risk | Risk | Appetite tolerance | Mitigated risk | Risk level | Change |
---|---|---|---|---|---|
Strategic risks | Economic environment | Cautious to open | – Demand for our rental services remains high, above the level of new vehicle supply – Volumes have continued to grow in Redde following recovery from COVID-19 period – Inflationary pressures have been experienced during the year but have been managed against the cost base and through pricing | | |
Strategic risks | Market risk | Minimal to open | – No major customer losses and the customer base continues to be diversified across sectors with no reliance on individual customers of size – The opportunities and services created through further development of our integrated mobilities platform improves the attractiveness of our offering and the retention of customers – We continue to build a platform and relationships that will facilitate the transition to non-ICE vehicles for the Group and its customers | | |
Operational risks | Vehicle supply | Minimal to open | – The flexibility in our fleet model has enabled us to age out the fleet during a period of low availability of supply. However, the older age is now reducing the ability to significantly further age the fleet without impacting operational performance or customer service, and may restrict growth opportunities – Supply issues also put pressure on new vehicle inflation but there are indications that the global supply of vehicles will improve going forward – We expect residual values to reduce from the high levels experienced since COVID-19 | | |
Operational risks | The employee environment | Averse to open | – Improved employee engagement scoring reflects the measures taken to improve communication, training and development of our people. – Widening of benefits including free shares, employee allowances and cost-of-living support has reduced attrition risk – Improved routes to employee markets through further developing in-house recruitment and vacancy filler platform used across the Group | | |
Operational risks | Legal and compliance | Averse | – No material changes to laws and regulations – No material changes to contractual obligations – Horizon scanning and planning for future changes to laws and regulations | | |
Operational risks | IT systems | Minimal to open | – Continued investment in and integration of IT platforms as the group grows organically and inorganically | | |
Financial risks | Recovery of contract assets | Cautious to open | – Cash collection has improved with statutory debtor days in Redde reducing – Insurance environment remains stable in order to facilitate collection of claims | | |
Financial risks | Access to capital | Cautious to open | – Debt facilities remain adequate for funding Group strategic objectives – One year extension of bank facilities in the year has maintained the maturing profile of debt | | |