Internal Control and Risk Management
Risk management strategy and framework
The objectives of the Directors and Melrose senior management include safeguarding and increasing the value of GKN Aerospace and the assets of the Group for stakeholders as a whole. Achievement of these objectives requires the development of policies and appropriate internal control frameworks to ensure the Group’s resources are managed properly, and for key risks to be identified and mitigated where possible.
The Board recognises that it is ultimately responsible for determining the nature and extent of the principal risks it is willing to take in the pursuit of its strategic objectives. It also recognises the need to define a risk appetite for the Group, to maintain sound risk management and internal control systems, and to monitor its risk exposures and mitigation measures to ensure that the nature and extent of risks taken by the Group are aligned with, and proportionate to, its strategic objectives.
The Group operates on a decentralised basis and the Board has established an organisational structure with clear reporting procedures, lines of responsibility and delegated authority. Consistent with this, the Group operates a top-down, bottom-up approach to risk management, comprising Board and Melrose senior management oversight coupled with bottom-up risk management embedded in the day-to-day activities of GKN Aerospace.
The Board confirms that there is an ongoing process for identifying, evaluating, tracking and managing the principal risks faced by the Group and that these systems are subject to regular monitoring and review. The Board further confirms that the systems, processes and controls that are in place accord with the guidance contained in the Financial Reporting Council’s “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting” and the UK Corporate Governance Code (the “Code”).
The Audit Committee monitors, oversees and reviews the effectiveness of the risk management and internal control processes implemented across the Group, through regular updates and discussions with management and a review of the key findings presented by the external and internal auditors. The Board is responsible for considering the Audit Committee’s recommendations and ensuring implementation by GKN Aerospace of those recommendations it deems appropriate. A description of the Audit Committee’s activities during the year on risk management can be found on Audit Committee page or on page 111 of the 2022 Annual Report.
The management team of GKN Aerospace is responsible for monitoring business level risk and implementing and maintaining an effective risk and control environment within the business as part of day-to-day operations, in line with the Group risk management framework and internal control systems determined by the Board. The CEO and senior executive team of GKN Aerospace are responsible for, and report to the Melrose senior management team in respect of, specific and ongoing risks related to the business, which are reported formally to the Audit Committee on an annual basis. The Audit Committee receives a formal risk management report on a biannual basis, in addition to their regular receipt of updates from the Melrose senior management team on material items that arise relating to principal Group risks.
In 2019, the Melrose senior management team supplemented the Group’s enterprise risk management programme by building and implementing a data-driven Group reporting dashboard to automate the aggregation and reporting of Group risks, in conjunction with ongoing divisional risk reporting and advice from external risk management consultants. This marked a significant step forward in the Group’s journey towards enhancing both GKN Aerospace’s risk reporting transparency, and the Board’s visibility of the Group’s principal risks, to enable an increasingly robust assessment of GKN Aerospace’s risk profile and its impact on the Group risk profile as a whole. The dashboard has since been enhanced to provide the Audit Committee with additional detail and trend analysis compared to GKN Aerospace’s key industries, further visibility on the significance of GKN Aerospace’s risks, and greater illustration of its risk appetite. The dashboard’s reporting output was also enhanced to further highlight the alignment between divisional and Group risks, together with providing the Audit Committee with additional detail on risk control confidence within the Group. Such enhancements have facilitated the Audit Committee’s monitoring, oversight and review of the effectiveness of the Group’s internal controls and risk management systems and processes.
During the year under review, in accordance with provisions 28 and 29 of the Code, the Board continued to monitor the effectiveness of the Group’s risk management and internal control systems. The Board concluded that the Group’s risk management and internal control systems and processes were operating effectively. Follow-up actions in respect of progress and improvement in relation to financial controls are further discussed in the Audit Committee report.
The Board has undertaken an exercise to consider its risk appetite across a number of key business risk areas. This exercise was enhanced during the year, with the Board assessing their current and optimal level of risk appetite for each of the Group’s principal risks. The results of this review indicate the relative appetite of the Board across the risk factors at a specific point in time. Any material changes in risk factors will impact the Board’s assessment of its risk appetite.
The results of the risk appetite review demonstrated that the Board has a higher risk appetite towards its strategic risks, with a balanced appetite towards operational and commercial risk, and macroeconomic, climate change and political risk. The Board seeks to minimise all health and safety risks and has a low risk appetite in relation to information security and cyber threats risk and legal, compliance and regulatory risk. Similarly, a conservative appetite is indicated by the Board with respect to pensions and finance-related risks.
The results of the risk appetite review will support the Board’s decision-making processes during 2023. The Board undertakes a review of its risk appetite at least annually.
Internal financial controls and reporting
The Group has a comprehensive and robust system for assessing the effectiveness of the Group’s internal controls, including strategic business planning and regular monitoring and reporting of ESG data alongside financial and operational performance. The identification and oversight of material controls over the ESG data of the businesses is the responsibility of the Melrose senior management team, which has established an evolving programme of regular monitoring and review (at least quarterly) processes that are consistently robust across the Group. This is complemented by reporting protocols to ensure the businesses’ executive management teams are accountable for achieving progress on sustainability and climaterelated matters. ESG data collection, control and decision-making is supported through regular sustainability training at Board level. The quality and accuracy of ESG data is continually improved against relevant guidance from prominent international regulatory frameworks. Horizon-scanning of applicable external reporting requirements is conducted regularly by the businesses where relevant to identify the opportunities to strengthen data management systems and controls.
A detailed annual budget is prepared by the Melrose senior management team and thereafter is reviewed and formally approved by the Board. The Group budget and other operational and strategic targets, including on sustainability and climate change, are regularly updated via business review meetings which are held with the involvement of the Melrose senior management team to assess the businesses’ performance, and update sessions with businesses’ sustainability teams take place at least quarterly. The key messages of these reviews are in turn reported to, and discussed by, the Board each quarter.
The Group engages BM Howarth as internal auditor with additional support as required from Ernst & Young. A total of 50 sites across the Group were assessed by BM Howarth during 2022. The Directors can report that based on the sites visited and reviewed in 2022, there has been progress across the Group following the 2022 internal audit programme and that the majority of the recommendations presented in the internal audit report have been or are in the process of being implemented.
The Audit Committee also monitors the effectiveness of the internal control process implemented across the Group through a review of the key findings presented by the external and internal auditors. The Melrose senior management team is responsible for ensuring that the Audit Committee’s recommendations in respect of internal controls and risk management are implemented.
Ethics and compliance
Our Code of Ethics (which can be found at www.melroseplc.net/about-us/governance/code-of-ethics/) reinforces our values and provides guidance for all employees, contractors and business
associates so that they are fully aware of what is expected of them, their responsibilities and the consequences of non-compliance. GKN Aerospace is required to ensure that the Code of Ethics is communicated and embedded into its business operations. GKN Aerospace is also required to ensure there is a mechanism in place for anyone to whom the Code of Ethics applies to seek guidance on interpreting its principles, where required.
This is supported by a compliance framework comprising policies covering best practice with respect to anti-bribery and corruption, anti-money laundering, anti-facilitation of tax evasion, competition, conflict minerals, trade compliance, data privacy, whistleblowing, treasury and financial controls, anti-slavery and human trafficking, document retention, joint ventures, diversity and inclusion, environmental, human rights, supply chain, biodiversity and water.
The implementation of the Melrose Code of Ethics and Group compliance policies are supported by a combination of risk assessment requirements, training and ongoing monitoring to ensure their effectiveness for the Group. In 2022, the Group introduced its first Supply Chain policy, Biodiversity policy and Water policy; further details about these policies can be found in the Sustainability Report. Taken together, these initiatives have enhanced our businesses’ effectiveness at identifying and managing risks and have promoted and embedded a more risk-aware culture. Further details on the Group’s management of risk can be found in the Risk management section on pages 38 to 39 of the Strategic Report.
Melrose’s reputation for acting responsibly plays a critical role in its success as a business and its ability to generate shareholder value. We maintain high standards of ethical conduct and take a zero tolerance approach to bribery, corruption, modern slavery and human trafficking and any other unethical or illegal practice. We are committed to acting professionally, fairly and with integrity in all business dealings and relationships, within all jurisdictions in which we operate. Further details of the Group’s stance and focus on ensuring effective stewardship in respect of key environmental, social and governance matters are set out in the Sustainability Report. Supporting our updated compliance policies are a comprehensive online training platform, an industry-leading whistleblowing reporting facility and a data-driven risk reporting dashboard providing increased risk management visibility and trend analysis to senior management and the Audit Committee. The integrity of the compliance framework is further reinforced by the use of independent assurance and compliance audits.