Internal Control and Risk Management
Risk management strategy and framework
The objectives of the Board and Melrose senior management include safeguarding and increasing the value of the business and assets of the Group for stakeholders as a whole. Achievement of these objectives requires the development of policies and appropriate internal control frameworks to ensure the Group’s resources are managed properly, and for key risks to be identified and mitigated where possible.
The Board recognises that it is ultimately responsible for determining the nature and extent of the principal risks it is willing to take in the pursuit of its strategic objectives. It also recognises the need to define a risk appetite for the Group, to maintain sound risk management and internal control systems, and to monitor its risk exposures and mitigation measures to ensure that the nature and extent of risks taken by the Group are aligned with, and proportionate to, its strategic objectives.
The Board has established an organisational structure with clear reporting procedures, lines of responsibility and delegated authority. Consistent with this, the Group operates a top-down, bottom-up approach to risk management, comprising Board and senior management oversight coupled with bottom-up risk management embedded in the day-to-day activities of the business.
The Board confirms that there is an ongoing process for identifying, evaluating, tracking and managing the principal risks faced by the Group and that these systems, which are subject to regular monitoring and review.
The Audit Committee monitors, oversees and reviews the effectiveness of the risk management and internal control processes implemented across the Group, through regular updates and discussions with management and a review of the key findings presented by the external and internal auditors. The Board is responsible for considering the Audit Committee’s recommendations and ensuring implementation by senior management of those recommendations it deems appropriate for the business. A description of the Audit Committee’s activities during the year on risk management can be found on the Audit Committee page or on page 124 of the 2024 Annual Report.
The executive committee comprising functional and business line leaders, as informed by their operational, functional and site-level senior managers, is responsible for monitoring business-level risk and implementing and maintaining an effective risk and control environment as part of day-to-day operations, in line with the Group risk management framework and internal control systems. Risks are reported into senior management and are reviewed and assessed by the executive committee, with support from the legal team, the financial compliance and assurance team and other members of senior management. In turn, they are reported to the Audit Committee biannually through interim and annual risk management reports that follow the executive committee’s risk management reviews. The Audit Committee also receives regular updates from the executive committee and other members of the senior management team on material items that arise relating to principal Group risks.
Following the Company’s change in strategy during 2023 to operating as a long-term aerospace technology business, Ernst & Young supported the risk management process by analysing the Group’s principal risk profile against other aerospace and defence companies based on public disclosures. Senior management conducted a similar analysis during 2024.
With 2024 being the first full calendar year of a combined Melrose/ GKN Aerospace executive committee, the legal team and financial compliance and assurance team spent additional time reviewing the business’s material risks directly with risk owners to duly challenge and ensure continued alignment with the Company’s principal risks.
The Audit Committee reviewed and challenged the Group’s risk management process, and also reviewed and challenged the interim and annual risk management reports prepared by senior management relating to the Group’s principal risk profile. These reports guided the Board and Audit Committee on relevant updates to the Group’s principal risks (including the identification of new principal Group risks and emerging risks), as reported in the Risks and uncertainties section on pages 39 to 46 of the 2024 Annual Report. They also aided the Audit Committee’s discussions with the Board on risk appetite, as detailed further below. During the year under review, in accordance with provisions 28 and 29 of the UK Corporate Governance Code, the Board continued to assess the Group’s principle and emerging risks and to monitor and review the effectiveness of the Group's risk management and internal control systems. The Board concluded that the Group’s risk management and internal control systems and processes were effective.
Risk appetite
In conjunction with the annual risk management review process in 2024, the Board undertook an exercise to consider its risk appetite across a number of key business risk areas by assessing its current and optimal level of risk appetite for each of the Group’s principal risks. The results of this review indicate the relative appetite of the Board across the Group’s principal risk areas at a specific point in time.
The results of the risk appetite review demonstrated that the Board has an open risk appetite regarding commercial risk, a balanced appetite regarding operational and loss of key management and capabilities risk, with a cautious appetite towards economic and political, climate change and treasury risks. The Board seeks to minimise health and safety, legal and regulatory, and information security and cyber threats risks.
The results of the risk appetite review supports the Board’s decision-making processes during 2025. The Board undertakes a review of its risk appetite at least annually.
Internal financial controls and reporting
The Group has a comprehensive system for assessing the effectiveness of the Group’s internal controls, including strategic business planning and regular monitoring and reporting of financial performance. A detailed annual budget is prepared by senior management and thereafter is reviewed and formally adopted by the Board.
The identification and oversight of material controls over the ESG data of the business is the responsibility of the Chief Technology Officer and the Group Sustainability Function, which runs an established yet evolving programme of regular monitoring and review (at least quarterly) processes that are consistently robust across the Group. This is complemented by reporting protocols to ensure the business lines’ management are accountable for achieving progress on sustainability and climate-related matters. The quality and accuracy of ESG data is continually improved against relevant guidance from prominent international regulatory frameworks and as tailored for our chosen metrics and targets. In 2024, we commenced a sustainability data pre assurance project in preparation for formal limited assurance in the coming years. The project, facilitated by an external third party, included an assessment of our data management process as well as a sample of site visits. As a result, we have further improved our sustainability data management systems to ensure future compliance.
The Audit Committee also monitors the effectiveness of the internal control process implemented across the Group through a review of the key findings presented by the external and internal auditors, and the output from the Group’s risk identification and mitigation process. Management is responsible for ensuring that the Audit Committee’s recommendations in respect of internal controls and risk management are implemented.
Ethics and compliance
Our Code of Ethics reinforces our values and provides guidance for all employees, contractors and business associates so that they are aware of what is expected of them, their responsibilities and the consequences of non-compliance. The principles outlined in our Code of Ethics are embedded within the Group, and mechanisms and policies are in place for anyone to whom the Code of Ethics applies to seek guidance on interpreting its principles, where required.
The Code of Ethics is supported by Group compliance policies covering best practice with respect to anti-bribery and corruption, anti-money laundering, anti-facilitation of tax evasion, competition, conflict minerals, trade compliance, data privacy, whistleblowing, treasury and financial controls, anti-slavery and human trafficking, document retention, joint ventures, diversity and inclusion, environmental, human rights, supply chain, biodiversity and water.
The implementation of the Code of Ethics and Company compliance policies are supported by a combination of risk assessment requirements, training and ongoing monitoring to ensure their effectiveness for the Group. Taken together, these initiatives have enhanced our business’s effectiveness at identifying and managing risks, and promoting and embedding a risk-aware culture. Further details on the Group’s management of risk can be found in the Risk management section on pages 34 to 36 of the 2024 Annual Report.
Melrose’s reputation for acting responsibly plays a critical role in its success as a business and its ability to generate shareholder value. We maintain high standards of ethical conduct and take a zero-tolerance approach to bribery, corruption, modern slavery and human trafficking and any other unethical or illegal practice. We are committed to acting professionally, fairly and with integrity in all business dealings and relationships, within all jurisdictions in which we operate. Further details of the Group’s stance and focus on ensuring effective stewardship in respect of key environmental, social and governance matters are set out in the Sustainability review on pages 51 to 99 of the 2024 Annual Report. Supporting our compliance policies are a comprehensive online training platform, an industry-leading whistleblowing reporting facility and a top-down, bottom-up risk management process providing risk management visibility and trend analysis to senior management and the Audit Committee. The integrity of the compliance framework is further reinforced by the use of independent compliance reviews where required.