Risk management

Understanding the risks that affect the Group

This section describes the principal risks that could have a material adverse impact on the Group and how those risks are identified, evaluated and managed.

How we manage risk

Gamma operates a robust and well-established structure for the management of risk in each area of its business. This process includes the identification, evaluation and scoring of risks based on the likelihood of occurrence, the potential impact, and the adequacy of the mitigation or control actions in place. Risks are categorised and aligned to Gamma’s strategic priorities to ensure appropriate evaluation and mitigation. An integrated risk management process provides visibility of risks across the Company and facilitates consistent data-driven decision making. Each generic area of risk has clearly assigned accountability within the Senior Leadership Team (SLT) with reporting lines to the CEO and ultimately the Board. A centralised risk register is maintained which includes all identified risks, their scores, prioritisation, the status of existing controls and action planning.

Risk management happens at multiple levels within the organisation and all employees are encouraged to consider company risks throughout their working routines, supported through a network of nominated people we call ‘Risk Champions’. These people are actively encouraged to identify and assess risks across the business and work with employees to act on risks as they become aware of them. In this way, a culture of risk awareness and risk management is embedded throughout the organisation.

Risk management framework

Group Risk Committee
Data Protection Committee
Executive Directors
Risk Management Process
  • Identification
  • Evaluation
  • Monitoring
  • Mitigation
Risk Champions

Gamma continues to grow and reinforce its position in core UK markets alongside executing on strategic acquisitions to expand its addressable markets internationally. The majority of Gamma’s resources and assets continue to reside in the UK and therefore Gamma’s principal risks are largely centred on its UK business. As the Gamma Group continues to grow internationally, its group risk governance framework is being introduced, and as such it is expected that the principal risks will gain further international perspective over time.

Our risk governance

The Board has overall responsibility for the establishment and oversight of the Group’s risk management framework, for ensuring that an appropriate risk management culture exists within the organisation, and for ensuring the effective identification, assessment and management of individual risks.

In order to assist in this process, with respect to non-financial risk, the Board has established a Group Risk Committee under the Chairmanship of Martin Lea, Independent Non-Executive Director. In addition to its Chairman, the Risk Committee comprises the Company’s Chairman, three other Non-Executive Directors, the CEO, the CFO and the Group Operations Director. It generally meets quarterly or as otherwise required. The main tasks of the Risk Committee are to ensure that:

  • the Company has an appropriate and effective risk management and control system;
  • there is a system in place for scanning the environment for new risks;
  • the nature and extent of the principal risks is understood, and it is agreed with management how they will be managed or mitigated; and
  • an appropriate risk management culture exists within the organisation.

Additional governance is applied to manage the risk of data loss, which is one of the Company’s principal risks. A subset of the SLT forms the ‘Data Protection Committee.’ In addition to establishing strong governance controls for the protection of personal data and the business’ GDPR obligations, the Committee also oversees Gamma data assets and ensures these are adequately protected. This Committee is informed by the Data Protection Officer, Information Security Director and Chief Architect to ensure all aspects of the data lifecycle are appropriately assessed, managed and protected.

Gamma utilises certified frameworks for the management of risk related to information security (ISO 27001), business continuity (ISO 22301) and environmental management (ISO 14001).

Gamma has a series of policies regarding anti-bribery and corruption, modern slavery and human trafficking, ethical behaviour and wider social and governance matters, but the Board does not consider there to be significant risks in these areas. There is also a whistleblowing policy in place.

The risk management process

Within the Risk Management Governance Framework, Gamma has a well-established process for managing risk. The process follows four simple steps.

  1. Identification

    Risks can be identified by any employee of Gamma and are reported via a simple online template with supporting guidelines.

  2. Evaluation

    Once a risk is identified, an impact assessment is completed, together with an assessment of the likelihood, proximity and subsequent priority of the risk.

  3. Mitigation

    Risk owners are assigned to every risk raised and action plans developed and implemented. Robust risk mitigation strategies are subject to regular and rigorous review.

  4. Monitoring

    Every risk is monitored to keep the relative impact, likelihood and proximity current. Monitoring also ensures all risk owners have appropriate support and training to manage each risk effectively.

The Risk Committee undertakes a quarterly review of the risk register and in particular the number and status of the principal risks and progress with the implementation of any mitigation plans. In addition, the Committee receives reports on any material incidents, their root causes and mitigating actions. Material risks and mitigation strategies, along with the results of regular cyber security related testing and training are presented by the Group Operations Director, Information Security Director, and other members of the SLT.

Risk appetite

The Company’s risk appetite is reflected in the way it assesses, scores, ranks and then manages individual risks. As a service provider which provides mission critical services to business customers, the Company has a very low risk appetite for anything that could severely disrupt the availability and quality of service provided to its customers, or that could give rise to regulatory or legal risks or that could result in a material level of reputational risk.

As a commercial organisation the Company understands that it must accept and then manage certain levels of risk associated with planned growth. This primarily means accepting the inherent risks in taking on large commercial contracts, moving into non-UK geographic territories, making acquisitions and continuing to develop and introduce new products. As the Company continues to build its experience and that of its people, then the level of risk associated with any particular growth initiative will naturally reduce.

Through Gamma’s acquisition strategy, risk assessments are completed as part of upfront due diligence and these risks are recorded and inform the timing and prioritisation of our post-acquisition planning.

Key to strategy

  1. Cloud Telephony and UCaaS: Evolve our strong Cloud telephony position into the UCaaS market
  2. Fixed and Mobile Telecom: Build on our Fixed and Mobile Telecom strength to differentiate our proposition from pure OTTs
  3. Company Expansion: Expand into Europe to gain continued growth and scale
  4. Digital progression: Continue to build on our digital capabilities to assure agility and sustain competitiveness

Key to KPIs

  1. Revenue
  2. Gross profit
  3. Gross margin
  4. EBITDA
  5. Cash
  6. Cash generated by operations
  7. EPS
  8. Adjusted EPS

Key to risks

  1. Unplanned service disruption
  2. Data Loss and Cyber Attacks
  3. Customer service experience
  4. Suppliers
  5. Market landscape
  6. Legal and regulatory
  7. Our people
  8. M&A
  9. Climate change