04
Exercise robust governance, risk management and compliance

Our objectives
- Implement and enforce effective compliance policies across our businesses, ensuring integrity, responsibility and adherence to ethical principles
- Encourage them to protect the ultimate wellbeing of their products’ end-users by adhering to the highest safety standards
- Ensure our businesses respect labour and human rights and request their suppliers to respect these principles
- Protect information security and data privacy
- Carry out prudent and responsible financial and tax planning and management
- Maintain sensible and sustainable leverage to support investment
UN SDGs
Sound business ethics and integrity, and effective and transparent governance, are core to the Group’s values and fundamental for the success of our strategy. Melrose is a premium listed company with strong, established financial and non-financial controls that are continually assessed, tested and reviewed.
Our robust governance framework is overseen by the Melrose Board and supported by independent internal audit and risk functions, regular public disclosure and financial reporting, external audits, public accountability and conformance with leading benchmarks set by the UK Corporate Governance Code. The framework is also supported by direct engagement with investors, corporate governance and proxy advisers, and the Group’s wider stakeholders to ensure best market practice is being implemented.
Melrose Board and Committees
The Board consists of four executive Directors and six Non-executive Directors (inclusive of the Senior Independent Director and the Non-executive Chairman). Together, they bring a combination of skills, experience and knowledge to the Board that is complementary to the activities of the Company, and the Board is satisfied that there is sufficient challenge by Non-executive Directors of executive management in meetings of the Board, and that no individual or small group of individuals dominates its decision-making. Biographies of the Directors can be found on our Board of Directors page.
The roles of each of the Non-executive Chairman, the Executive Vice-Chairman and the Chief Executive of the Company are, and will remain, separate in accordance with the Code and the Board policies. The Chairman, with the assistance of the Executive Vice-Chairman, is responsible for leadership of the Board. The Chairman sets the Board agenda and ensures that adequate time is given to the discussion of issues in order to facilitate constructive discussions with effective contributions from the Non-executive Directors, particularly on issues of strategic nature.
The Chairman, with the support of the Company Secretary, also facilitates constructive Board relations by providing accurate and clear information in a timely manner. Responsibility for ensuring effective communications with shareholders rests with the Chairman, the Executive Vice-Chairman and the three other executive Directors. The Chief Executive is responsible for strategic direction and decisions involving the day-to-day management of the Company.
The Company’s Non-executive Directors scrutinise the performance of the executive Directors in all areas, including on strategy, risks and financial information, through their roles on the Company’s Committees, at the Board meetings and business review sessions, and on an ad hoc basis. The Non-executive Directors come from a diverse range of backgrounds and as such, draw on their own specialist knowledge to give necessary guidance and advice, and hold management to account.
In accordance with the provisions of the Code, consideration has been given to the independence of all Non-executive Directors. The Board considers all of the Non-executive Directors to be independent.
Upon Mr Justin Dowley’s appointment to the role of Non-executive Chairman, he was considered independent, and had strong shareholder support for his current tenure into 2023, which was extended in 2020 with the support of shareholders, in order to facilitate succession planning arrangements and the development of a diverse Board. Upon the retirement of Ms Liz Hewitt from the Board in May 2022, Mr David Lis was appointed Senior Independent Director. The Senior Independent Director acts as an intermediary for the other Directors and shareholders. In line with the Code requirements, at least half of the Board, excluding the Chairman, comprises Non-executive Directors determined by the Board to be independent.
The Non-executive Directors are not entitled to any cash bonus or shares under the 2020 Employee Share Plan, nor do they receive taxable benefits or pension contributions.
Succession planning continued to be an area of focus for Melrose in 2022. The Nomination Committee, which consists of Non-executive Directors only, and the Board together considered the leadership needs of the Group, present and future, as well as the skills, experience and diversity needed from all its directors and the Melrose senior management team going forward. We recognise that succession planning is an ongoing process and is critical to maintaining an effective and high-quality Board. The Board and shareholders approved the extension of Mr Justin Dowley’s Chairmanship tenure in order to aid effective succession planning.
Succession planning arrangements for the Board as a whole were reviewed by the Nomination Committee and the Board. This included reviewing the skills set, tenure, diversity and independence of those already on the Board, and reviewing the Melrose senior management team, including the career planning and talent management programmes in operation for them. In each case this was to allow the Nomination Committee to ensure that the right balance of skills, experience and diversity was reflected and being developed.
Given the strength of Melrose’s decentralised operating structure in achieving the Group’s strategic objectives, the Nomination Committee does not have direct involvement in the succession planning arrangements of the divisions. However, the Nomination Committee has access to the divisional executive teams through the business review cycle.
The Code requires that FTSE 350 companies undertake an externally facilitated Board and Committee evaluation once every three years. The last external Melrose Board and Committee review was in 2020, for which the Company engaged Lintstock Ltd. The Company will again be conducting an external evaluation in 2023.
Whilst the Company is not required to undertake another externally facilitated Board and Committee evaluation until 2023, during 2022 the Company continued its ongoing internal review of the Board and each Committee, both internally within each of those bodies and with the Chairman of the Board and Chairman of each Committee respectively. As in prior years, the Company also conducted an evaluation of the Chairman of the Board’s performance. These evaluations were conducted and facilitated by the completion of questionnaires, and discussions at the applicable Board and Committee meetings, with follow-up actions taking place as relevant. Directors were also given the option for meetings to be scheduled with the Chairman of the Board or the Chairman of the relevant Committee about any relevant matters that they wished to raise as part of the ongoing review.
A range of topics were discussed as part of the evaluation including the mix of the Board, diversity of gender, race and thought, succession planning oversight, risk management and internal controls, strategic oversight, understanding of the views and requirements of key stakeholders, and the integration of sustainability into the Group’s strategy and operations.
Stakeholder engagement
Through presentations and regular meetings between the executive Directors, analysts and institutional shareholders, including those following the announcements of the Company’s annual and interim results and trading updates, the Company seeks to build on a mutual understanding of objectives with its shareholders and other stakeholders. During 2022, in addition to the usual disclosure rounds following the release of annual and interim results, the Company continued its programme of engagement with key investors and corporate governance bodies in respect of specific material topics, as well as open-agenda discussions between key shareholders and members of the Board. Engagement with key shareholders, proxy advisors, employee bodies, ratings agencies (including sustainability ratings agencies) and other governance bodies remains a central part of the Company’s approach to stakeholder engagement and governance.
Group Code of Ethics and compliance policies
Strong financial and non-financial controls, as well as strong governance backed by internal and, where required, external review of financial and non-financial compliance, are enforced throughout the Group. Directors, officers, employees, and contractors throughout the Group, whether permanent or temporary, and in respect of any entities over which Melrose has effective control, must comply with Melrose’s Code of Ethics and Group compliance policies which reflect current best practice and strong corporate citizenship. Each business is required to communicate and embed the Group Code of Ethics and compliance policies within their operations and activities to ensure that they conduct business with integrity and in a responsible, ethical and sustainable manner.
The Group Code of Ethics and some of the compliance policies and statements can be found on our policies page.
The Group Code of Ethics and compliance policies, as approved by the Board, cover best practice with respect to anti-bribery and corruption, anti-money laundering, anti-facilitation of tax evasion, competition, conflict minerals, trade compliance, data privacy, whistleblowing, treasury and financial controls, anti-slavery and human trafficking, document retention, joint ventures, diversity and inclusion, environmental, human rights, supply chain, biodiversity and water.
During 2022, Melrose implemented new Supply Chain, Biodiversity and Water policies, and also updated the Melrose Board of Directors Diversity policy and Melrose Diversity, Equity and Inclusion policy. The new and updated policies have been fully implemented across all business units, and they (as well as all other Group compliance policies) continue to be monitored to ensure their effectiveness for the Group.
Implementation of the Group Code of Ethics and compliance policies is supported by risk assessments, audits and reviews and annual compliance certifications. Melrose strongly believes that policies and procedures are only as effective as the people who implement them. To that end, all of the above measures are backed by investment, resources and training.
Ethics and Compliance
Our Policies
We take a zero-tolerance approach to bribery, corruption and other unethical or illegal practices, and are committed to acting professionally, fairly and with integrity in all business dealings and relationships, within all jurisdictions in which we and our businesses operate. Melrose requires its businesses to adopt high governance standards, to ensure that the Group conducts business responsibly, sustainably, and in the pursuit of long-term success for the collective benefit of stakeholders. This is outlined in our Anti-Bribery and Corruption policy, which is implemented and administered throughout the Group, and is available on our policies page. During 2022, two employees were disciplined or dismissed due to non-compliance with the Anti-Bribery and Corruption policy.
Although the policy prohibits party political donations, it does however recognise that from time to time our Group may comprise businesses that engage in policy debate and advocacy activities on subjects of legitimate concern to their respective industries and key stakeholders, including their staff and the communities in which they operate. There were no political donations made during the year ended 31 December 2022 (2021: nil).
Melrose runs a Group-wide whistleblowing platform, which is overseen by the Audit Committee and supported by the Melrose senior management team, and ultimately reported to the Board. The platform is monitored by the businesses’ legal, compliance and HR functions, with support from the Melrose senior management team. All employees have access to a multi-lingual online portal, together with local hotline numbers that are available 24/7, in order to raise concerns, confidentially and anonymously, about possible wrongdoing in any aspect of their business, including financial and non-financial matters.
The businesses take a number of actions to raise employees’ awareness of the whistleblowing platform, using online and offline media as appropriate. Employees who come forward with a genuine concern are treated with respect and dignity and do not face retaliation. During 2022, 120 whistleblowing cases were recorded through the platform (2021: 103)(1). This highlights the effectiveness of awareness campaigns together with the trust placed by employees in the whistleblowing programme. Each case is investigated confidentially by the business with appropriate response measures taken. Whistleblowing cases are regularly reported to the Audit Committee and ultimately to the Board.
The Group has a zero-tolerance approach to any form of modern slavery, as set out in the Melrose Anti-Slavery and Human Trafficking policy which is available on our policies page. In accordance with the Modern Slavery Act 2015, Melrose publishes its own Modern Slavery Statement, which is approved by the Board annually and the latest statement can be found on our website. Under Melrose’s decentralised Group structure, each business is responsible, where applicable, for publishing their own Modern Slavery Statement in accordance with the requirements under the Modern Slavery Act 2015, with support provided by Melrose where needed. This approach ensures that those senior managers closest to the business operations devise appropriate measures to ensure that slavery is not present within their supply chains.
Melrose drives its businesses to implement employee training with respect to anti-slavery and human trafficking, to ensure that employees understand the risks and are prepared to take the required action if they suspect that modern slavery is happening internally or within the supply chain.
We are committed to acting in an ethical manner with integrity and transparency in all business dealings, and to create effective systems and controls across the Group to safeguard against adverse human rights impacts. The Group has a strong culture of ethics, which encompasses key human rights considerations, as set out in our Human Rights policy, in support of the principles set out in the UN Declaration of Human Rights. The Human Rights policy can be found on our policies page.
Our businesses also implement effective and proportionate measures to identify, assess and mitigate potential labour and human rights abuses across their operations and supply chains. These include training, anti-slavery and human trafficking policies, employee handbooks and business-specific policies. All business-specific policies are reviewed locally within each business in order to ensure compliance with local laws and standards as a minimum.
There have been no violations reported on human rights by our businesses in 2022 or in the previous two years.
Melrose is committed to paying taxes that are due, complying with all applicable laws, and engaging with all applicable tax authorities in an open and cooperative manner. The Group does not engage in aggressive tax planning. The Group’s Tax Strategy is reviewed, discussed and approved by the Board annually. The Audit Committee periodically reviews the Group’s tax affairs and risks.
The Group has adopted a policy in respect of the prevention of the facilitation of tax evasion which has been implemented by the businesses, with guidance on undertaking risk assessments and training to employees in relevant roles.
The Group does not operate in countries considered as partially compliant or non-compliant according to the OECD tax transparency report, or in any countries blacklisted by the EU, for the purposes of tax avoidance and/or harmful tax practices, per the lists released as at 4 October 2022.
Sustainability and climate change governance
In 2022, we further crystallised our Group sustainability and climate change governance framework, which enables the delivery of our targets and commitments. The framework illustrates how we govern the implementation of our overarching Group sustainability strategy, including climate-related risks and opportunities within operations, overseen by the Board with the support of the Melrose senior management team.
The framework provides a solid foundation for review of progress against our sustainability targets and commitments. It also facilitates the integration of sustainability into strategic decision-making through robust oversight and accountability principles, as well as an established approach to reporting on ESG KPIs alongside the financial and operational metrics.
The Melrose Board of Directors has overall responsibility and oversight of Group sustainability strategy, including climate-related risks and opportunities, and is supported by the Melrose senior management team.
The Audit Committee is responsible for ensuring that sustainability and climate change risks are integrated into Group risk management and through its annual risk assessment it allows for a Group-level view of these risks for improved understanding and mitigation measures. The Nomination Committee is responsible for ensuring that Board membership and pipelines for succession planning are suitably diverse.
Sustainability is a permanent item on every Board meeting agenda, which provides a platform to update its members on matters relating to the Group sustainability programme and performance topics, some of which required Board approval. The topics discussed with the Directors throughout 2022 included various sustainability initiatives and updates on the divisional ESG performance, the Group Net Zero Transition Plan and TCFD disclosures, the launch of the Group Water Stewardship Programme and setting a Water target, as well as the updates on the Group inaugural participation in the CDP Supply Chain Engagement initiative and the new Group Supply Chain, Water and Biodiversity policies.
Our Policies
We take a zero-tolerance approach to bribery, corruption and other unethical or illegal practices, and are committed to acting professionally, fairly and with integrity in all business dealings and relationships, within all jurisdictions in which we and our businesses operate. Melrose requires its businesses to adopt high governance standards, to ensure that the Group conducts business responsibly, sustainably, and in the pursuit of long-term success for the collective benefit of stakeholders. This is outlined in our Anti-Bribery and Corruption policy, which is implemented and administered throughout the Group, and available on our policies page. During 2021, no employees were disciplined or dismissed due to non-compliance with the Anti-Bribery and Corruption policy.
In line with our Anti-Bribery and Corruption policy noted above, Melrose prohibits party political donations. We also recognise that from time to time our Group may comprise businesses that engage in policy debate and advocacy activities on subjects of legitimate concern to their respective industries and key stakeholders, including their staff and the communities in which they operate.
Melrose runs a Group-wide whistleblowing platform, which is overseen by the Audit Committee and supported by the Melrose senior management team, and ultimately reported to the Board. The platform is monitored by the businesses’ legal, compliance and HR functions, with support from the Melrose senior management team. All employees have access to a multi-lingual online portal, together with local hotline numbers that are available 24/7, in order to raise concerns, confidentially and anonymously, about possible wrong-doing in any aspect of their business, including financial and non-financial matters.
The businesses take a number of actions to raise employees’ awareness of the whistleblowing platform, using online and offline media as appropriate. Employees who come forward with a genuine concern are treated with respect and dignity and do not face retaliation. During 2021, 103 whistleblowing cases were recorded through the platform (2020: 120)(1). This highlights the effectiveness of awareness campaigns together with the trust placed by employees in the whistleblowing programme. Each case is investigated confidentially by the business with appropriate response measures taken. Whistleblowing cases are regularly reported to the Audit Committee and ultimately to the Board.
(1) These figures exclude any whistleblowing cases received by businesses that were no longer part of the Group as at 31 December 2021
As set out in the Melrose Anti-Slavery and Human Trafficking policy, the Group has a zero-tolerance approach to any form of modern slavery. In accordance with the Modern Slavery Act 2015, Melrose publishes its own Modern Slavery Statement, which is approved by the Board annually and can be found on our website. Under Melrose’s decentralised Group structure, each business is responsible (where applicable) for publishing their own Modern Slavery Statement in accordance with the requirements under the Modern Slavery Act 2015, with support provided by Melrose where needed. This approach ensures that those senior managers closest to the business operations devise appropriate measures to ensure slavery is not present within their supply chains.
Melrose drives its businesses to implement employee training with respect to anti-slavery and human trafficking, to ensure that employees understand the risks and are prepared to take the required action if they suspect that modern slavery is happening internally or within the supply chain.
We are committed to acting in an ethical manner with integrity and transparency in all business dealings, and to create effective systems and controls across the Group to safeguard against adverse human rights impacts. The Group has a strong culture of ethics, which encompasses key human rights considerations and is set out in our Human Rights policy. The Group supports the principles set out in the UN Declaration of Human Rights.
Our businesses also implement effective and proportionate measures to identify, assess and mitigate potential labour and human rights abuses across their operations and supply chains. These include training, anti-slavery and human trafficking policies, employee handbooks and business-specific policies. All business-specific policies are reviewed locally within each business in order to ensure compliance with local laws and standards as a minimum.
There have been no violations reported on human rights by our businesses in 2021 or in the previous two years.
Melrose is committed to paying taxes that are due, complying with all applicable laws, and engaging with all applicable tax authorities in an open and cooperative manner. The Group does not engage in aggressive tax planning. The Group’s tax strategy is reviewed, discussed and approved by the Board annually. The Audit Committee periodically reviews the Group’s tax affairs and risks.
The Group has adopted a policy in respect of the prevention of the facilitation of tax evasion which has been implemented by the businesses, along with guidance on undertaking risk assessments and training to employees in relevant roles.
The Group does not reside in countries considered as partially compliant or non-compliant according to the OECD tax transparency report, or in any countries blacklisted by the EU, for the purposes of tax avoidance and/or harmful tax practices, per the latest lists released as at 31 December 2021.
Supply Chain management
We realise that to achieve Net Zero, we need to play our part in accelerating the climate transition beyond our immediate chain of control, and only through regular and constructive engagement with our supply chain, solid governance principles and transparency, can we mitigate the associated risks and derive commercially attractive sustainable opportunities.
In 2021, we elevated the importance and prominence of Responsible Sourcing across the Group as a material sustainability topic. Supply chain engagement, as the key enabler of our commitment to source responsibly, has therefore received greater focus. In line with our commitments to accelerate the transition to Net Zero for not only our operations, but also for the suppliers that we rely on, and our drive to reduce environmental impacts throughout the value chain, we have taken further actions to improve the understanding of our key suppliers’ energy consumption and emissions management.
To fulfil this commitment, we have set the supply chain management programme as a running item on our agendas to help improve the understanding of suppliers’ climate positions, prepare for any supply chain related risks, seize emissions reduction opportunities, and ultimately improve our Scope 3 carbon footprint. In 2022, the Board approved our inaugural Group Supply Chain policy which sets minimum standards for suppliers in areas such as energy use, emissions reduction targets, adoption of low-carbon energy sources, water stewardship, biodiversity, waste reduction and resource use. The Melrose senior management team has conducted internal training sessions with the Group businesses to drive engagement with suppliers, encourage supplier sustainability assessments, and foster collaborative engagement going forward. The Supply Chain policy can be found on our Policies page.
>50%
engagement rate generated for the CDP Supply Chain initiative in 2022
In order to begin to capture supplier climate and other environmental data, and enable efficient tracking of their alignment with Net Zero, last year, Melrose joined the CDP Supply Chain engagement initiative, which provided valuable data for improving our understanding of the nature of Scope 3 emissions and for informing our supplier KPIs as relevant. We realise that a number of suppliers that were contacted did not provide a response in this first year of participation, and therefore further engagement will be required with both the suppliers who are at the beginning of their climate journey and those with more mature strategies.
Ethics and compliance
Protecting information security and data privacy
The Melrose senior management team continues to work with the executive management teams of each business and external cyber security risk consultants to track the Group’s exposure to cyber security risk and, to ensure appropriate compliance with the General Data Protection Regulation (“GDPR”), mitigation measures are in place for the Group.
Melrose has deployed its information security strategy and risk-based governance framework to all businesses within the Group, which follows the UK Government’s recommendations on cyber security. This strategy has enabled risk profiling and mitigation plans to be developed for each business to mitigate and reduce their exposure to cyber risk in a manner that is adequate for their level of sophistication. This ensures clarity and consistency in the assessment of IT and cyber security matters across our diverse and decentralised Group. The progress of each business is measured against the information security strategy and is monitored on a quarterly basis.
The Board, supported by the Melrose senior management team, oversees the Group’s cyber security risk profile and, in line with our decentralised model, each business is required to protect their business and personal information, ensuring safe and appropriate usage of their IT systems and processes by their employees.
To mitigate the impact of external cyber-attacks, the Melrose senior management team works with the executive management teams of each business and external cyber security risk consultants to review each business’s cyber risk profile to monitor and drive continuous improvement actions. The results of this ongoing review programme are reported to the Board on a quarterly basis.
The businesses regularly perform internal and external testing of their perimeter defences through penetration testing, ensuring appropriate threat monitoring systems are in place. All of our businesses follow and work towards national and international business accreditations in varying aspects of cyber management where applicable and relevant to their business activities, including the UK’s National Cyber Security Strategy (“NCSS”), ISO 27001, and industry-specific National Institute of Standards and Technology (“NIST”) in the defence sector and the Trusted Information Security Exchange (“TISAX”) in the automotive sector.
As part of Melrose’s overall information security strategy, IT security awareness training was provided by all businesses in 2022.
Risk and internal controls
Risk management
A key responsibility of the Board and Melrose senior management team is to safeguard and increase the value of the Group assets for the benefit of our shareholders and broader stakeholders. Achievement of our objectives requires robust policies and appropriate internal control frameworks to ensure that our resources are managed properly and that any key risks are identified and mitigated where possible.
The Board is ultimately responsible for the development of the Group’s overall risk management policies and system of internal control frameworks and for reviewing their respective effectiveness, while the role of the Melrose senior management team is to implement these policies and frameworks across the Group’s business operations. Melrose recognises that the systems and processes established by the Board are designed to manage, rather than eliminate, the risk of failing to achieve business objectives and cannot provide absolute assurance against material financial misstatement or loss.
In accordance with the Financial Reporting Council’s (“FRC”) Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, the Board assumes ultimate responsibility for risk management and internal controls, including determining the nature and extent of the principal risks it is willing to take to achieve its strategic objectives (its “risk appetite”) and ensuring an appropriate culture has been embedded throughout the organisation. The risk management and internal control system is complemented by ongoing monitoring and review, to ensure that the Company is able to adapt to an evolving risk environment.
Internal financial controls and reporting
The Group has a comprehensive and robust system for assessing the effectiveness of the Group’s internal controls, including strategic business planning and regular monitoring and reporting of ESG data alongside financial and operational performance. The identification and oversight of material controls over the ESG data is the responsibility of the Melrose senior management team which has established an evolving programme of regular monitoring and review processes that are consistently robust across the Group. This is complemented by reporting protocols to ensure accountability for achieving progress on sustainability and climate-related matters. ESG data collection, control and decision-making is supported through regular sustainability training at Board level.
The quality and accuracy of ESG data is continually improved against relevant guidance from prominent international regulatory frameworks. Horizon-scanning of applicable external reporting requirements is conducted regularly to identify the opportunities to strengthen data management systems and controls. The Audit Committee also monitors the effectiveness of the internal control process implemented across the Group through a review of the key findings presented by the external and internal auditors. The Melrose senior management team is responsible for ensuring that the Audit Committee’s recommendations in respect of internal controls and risk management are implemented.
Risk and internal controls
Information security and data privacy
Melrose strongly respects privacy and seeks to minimise the amount of personal data that it collects, as well as to ensure the robust and sufficiently segregated storage of any data that is held. Information security and cyber threats are an increasing priority across all industries globally, and like many businesses, Melrose recognises that the Group must be protected from potential exposures in this area, particularly in light of its scale, reach, complexity and public-facing nature, as well as the potential sensitivity of data held in relation to civil aerospace technology and controlled defence contracts.
The Melrose senior management team continues to work with the executive management teams of each business and external cyber security risk consultants to track the Group’s exposure to cyber security risk, and mitigation measures are in place for the Group to ensure appropriate compliance with the General Data Protection Regulation (“GDPR”).
Melrose has deployed its information security strategy and risk-based governance framework, which follows the UK Government’s recommendations on cyber security, to all businesses within the Group. This strategy has enabled risk profiling and mitigation plans to be developed for each business to mitigate and reduce their exposure to cyber risk in a manner that is adequate for their level of sophistication. This ensures clarity and consistency in the assessment of IT and cyber security matters across our diverse and decentralised Group. The progress of each business is measured against the information security strategy and is monitored on a quarterly basis.
The Board, supported by the Melrose senior management team, oversees the Group’s cyber security risk profile and, in line with our decentralised model, each business is required to protect their business and personal information, ensuring safe and appropriate usage of their IT systems and processes by their employees.
To mitigate the impact of external cyber-attacks, the Melrose senior management team works with the executive management teams of each business and external cyber security risk consultants to review each business’s cyber risk profile to monitor and drive continuous improvement actions. The results of this ongoing review programme are reported to the Board on a quarterly basis.
The businesses regularly perform internal and external testing of their perimeter defences through penetration testing, ensuring appropriate threat monitoring systems are in place. All of our businesses follow and work towards national and international business accreditations in varying aspects of cyber management where applicable and relevant to their business activities, including the UK’s National Cyber Security Strategy (“NCSS”), ISO 27001, and industry-specific National Institute of Standards and Technology (“NIST”) in the defence sector and the Trusted Information Security Exchange (“TISAX”) in the automotive sector.
As part of Melrose’s overall information security strategy, IT security awareness training was provided by all businesses in 2022.