Internal Control and Risk Management
Risk management strategy and framework
The objectives of the Directors and Melrose senior management include safeguarding and increasing the value of the businesses and assets of the Group for stakeholders as a whole. Achievement of these objectives requires the development of policies and appropriate internal control frameworks to ensure the Group’s resources are managed properly, and for key risks to be identified and mitigated where possible.
The Board recognises that it is ultimately responsible for determining the nature and extent of the principal risks it is willing to take in the pursuit of its strategic objectives. It also recognises the need to define a risk appetite for the Group, to maintain sound risk management and internal control systems, and to monitor its risk exposures and mitigation measures to ensure that the nature and extent of risks taken by the Group are aligned with, and proportionate to, its strategic objectives.
The Group operates on a decentralised basis and the Board has established an organisational structure with clear reporting procedures, lines of responsibility and delegated authority, as depicted in the diagram above. Consistent with this, the Group operates a top-down, bottom-up approach to risk management, comprising Board and Melrose senior management oversight coupled with bottom-up risk management embedded in the day-to-day activities of its individual businesses.
The Board confirms that there is an ongoing process for identifying, evaluating, tracking and managing the principal risks faced by the Group and that these systems, which are subject to regular monitoring and review, have been in place for the year under review up to the date of approval of this Annual Report and financial statements. The Board further confirms that the systems, processes and controls that are in place accord with the guidance contained in the Financial Reporting Council’s “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting” and the UK Corporate Governance Code (the “Code”).
The Audit Committee monitors, oversees and reviews the effectiveness of the risk management and internal control processes implemented across the Group, through regular updates and discussions with management and a review of the key findings presented by the external and internal auditors. The Board is responsible for considering the Audit Committee’s recommendations and ensuring implementation by divisional management of those recommendations it deems appropriate for the business. A description of the Audit Committee’s activities during 2021 on risk management can be found on the Audit Committee page or on page 97 of the 2021 Annual Report.
The management team of each business unit is responsible for monitoring business level risk and implementing and maintaining an effective risk and control environment within their respective business unit as part of day-to-day operations, in line with the Group risk management framework and internal control systems determined by the Board. The CEO and senior executive team of each division are responsible for, and report to the Melrose senior management team in respect of, specific and ongoing risks related to their respective business division, which are reported formally to the Audit Committee on an annual basis. The Audit Committee receives a formal risk management report on a biannual basis, in addition to their regular receipt of updates from the Melrose senior management team on material items that arise relating to principal Group risks.
The Board has undertaken an exercise to consider its risk appetite across a number of key business risk areas. The results of this review indicate the relative appetite of the Board across the risk factors at a specific point in time. Any material changes in risk factors will impact the Board’s assessment of its risk appetite.
The Board has a higher risk appetite towards its strategic risks, with a balanced appetite towards operational and commercial risk, and macro-economic, climate change and political risk. The Board seeks to minimise all health and safety risks and has a low risk appetite in relation to legal, compliance and regulatory risk. Similarly, a conservative appetite is indicated by the Board with respect to pension and finance-related risk and information technology and cyber risk.
The results of the risk appetite review will support the Board’s decision-making processes during 2022. The Board undertakes a review of its risk appetite at least annually.
Internal financial controls and reporting
The Group has a comprehensive system for assessing the effectiveness of the Group’s internal controls, including strategic business planning and regular monitoring and reporting of financial performance. A detailed annual budget is prepared by senior management and thereafter is reviewed and formally adopted by the Board.
The budget and other targets are regularly updated via a rolling forecast process and regular business review meetings are held with the involvement of senior management to assess performance. The results of these reviews are in turn reported to, and discussed by, the Board at each meeting. As discussed in the Audit Committee report on page 98 of the 2021 Annual Report, the Group engages BM Howarth as internal auditor with additional support, as required, from Ernst & Young. A total of 42 sites across the Group were assessed by BM Howarth and Ernst & Young during 2021.
As was common across most large, geographically dispersed companies, COVID-19 disruption continued to present a number of challenges and limitations throughout the year due to restricted international travel and extended periods of remote working for many site-based finance teams. Further details about the additional assurance measures that were taken to mitigate the impact of COVID-19 disruption on internal controls during 2021 can be found in the Audit Committee report on pages 94 to 98 of the 2021 Annual Report.
The Directors can report that based on the sites visited and reviewed in 2021, there has been progress across the Group following the 2021 internal audit programme and that the majority of the recommendations presented in the internal audit report have been or are in the process of being implemented.
The Audit Committee also monitors the effectiveness of the internal control process implemented across the Group through a review of the key findings presented by the external and internal auditors. Management are responsible for ensuring that the Audit Committee’s recommendations in respect of internal controls and risk management are implemented.
Ethics and compliance
The Company takes very seriously its responsibilities under the laws and regulations in the countries and jurisdictions in which the Group operates, and has in place appropriate measures to ensure compliance. A compliance framework is in place comprising a suite of Group-wide policies relating to anti-bribery and corruption, anti-money laundering, anti-facilitation of tax evasion, competition, conflict minerals, trade compliance, data privacy, whistleblowing, treasury and financial controls, anti-slavery and human trafficking, document retention, joint ventures, diversity and inclusion, environmental, and human rights. These policies are in place within each business and, other than in respect of certain policies where it would not be appropriate for them to have such a broad reach, they generally apply to all Directors, employees (whether permanent, fixed-term, or temporary), pension trustees, consultants and other business advisors, contractors, trainees, volunteers, business agents, distributors, joint venture partners or any other person working for or performing a service on behalf of the Company, its subsidiaries and/or associated companies in which the Company or any of its subsidiaries has a majority interest.
During 2021, Melrose implemented new Environmental and Human Rights policies, and the Company also updated the Melrose Code of Ethics in light of key regulatory and legal developments and to align it with the new policies. The new policies and updated Melrose Code of Ethics have been fully implemented across all business units, and they (as well as all other Group compliance policies) continue to be monitored to ensure their effectiveness for the Group. Online compliance training continued to be conducted within all businesses, covering topics such as anti-trust, trade compliance and export controls, data privacy, anti-bribery and corruption, and anti-money laundering, to enhance and supplement the existing compliance regime.
The Company’s Modern Slavery Statement is approved by the Board annually and the current statement is available on this website. Under Melrose’s decentralised group structure, each division is responsible (where applicable) for publishing its own Modern Slavery Statement in accordance with the requirements under the Modern Slavery Act 2015 and is supported by Melrose where needed. To support the Company’s belief in the importance of this matter, it has a Group-wide policy on the prevention of modern slavery and human trafficking, which the businesses have rolled out to employees, along with an online compliance training module. Please also refer to section 1 on page 89 of the 2021 Annual Report for details of the Company’s whistleblowing policies and procedures.
BDO LLP were engaged to conduct an independent non-financial review programme of the GKN Aerospace and GKN Automotive businesses, to test and provide additional external assurance in respect of those businesses’ key compliance areas and safeguards as a result of their relative scale and complexity. Although COVID-19 travel restrictions caused some delay to the original site visit schedule during 2020, the review programme was completed during 2021, with a total of 67 site visits being conducted by BDO (and overseen by the General Counsels of the businesses) across the programme. The programme included GKN Aerospace sites across the UK, the Netherlands, India, Singapore, Thailand, Sweden, and Norway, as well as GKN Automotive sites including those located in Mexico, France, Malaysia, Germany, Italy, India and Japan. Overall, both GKN Aerospace and GKN Automotive were found to demonstrate a good level of compliance including within the areas of anti-bribery and corruption, anti-money laundering, whistleblowing, data protection, export control, contract compliance, health and safety, and trade compliance.