This section describes the principal risks that could have a material adverse impact on the Group and how those risks are identified, evaluated, and managed.
The Board has overall responsibility for the establishment and oversight of the Group’s risk management policy and framework, for ensuring that an appropriate risk management culture exists within the organisation, and for ensuring the effective identification, assessment and management of individual risks.
To assist in this process, the Board, in 2018, established a Group Risk Committee under the stewardship of Martin Lea, Independent Non-Executive Director. In addition to its Chair, the Risk Committee comprises the Company’s Chair, three other Non-Executive Directors, the CEO, the CFO and the COO. It generally meets quarterly or as otherwise required and liaises where necessary with other Board committees.
The main tasks of the Risk Committee are to ensure that:
- Management has implemented an appropriate and effective risk assessment, management and internal control system.
- There is an effective system in place for the identification and assessment of new and emerging risks.
- The nature and extent of the principal risks faced is understood and that they are effectively managed and mitigated.
- An appropriate risk management culture exists within the organisation.
In line with the governance structures set out in our Group Data Protection policy, a subset of the Executive Committee forms the “Data Protection Committee”. In addition to establishing strong governance controls for the protection of personal data and the business’ GDPR obligations, the Committee also oversees Gamma data assets and ensures these are adequately protected in line with its Data Protection policy. This Committee is advised by the Data Protection Officer, Group Risk and Governance Director and Chief Architect to ensure all aspects of the data lifecycle are appropriately assessed, managed and protected.
Gamma utilises certified frameworks for the management of risk related to information security (ISO 27001), business continuity (ISO 22301) and environmental management (ISO 14001). These frameworks are also supported by associated policies.
Gamma also has a series of policies regarding anti-bribery and corruption, modern slavery and human trafficking, ethical behaviour and wider social and governance matters; but the Board does not consider there to be significant risks in these areas. There is also a whistleblowing policy in place.
The risk management process
Within the Risk Management governance framework, Gamma has a well-established process for managing risk. The process follows four simple steps:
All employees are encouraged to consider and document risks within their working routines and the risk management process supports this at every organisational level. Gamma's Executive Committee will raise and discuss risk within various regular forums and in addition there is a dedicated quarterly risk review forum where the most significant risks are discussed in greater depth.
Risks are assessed by reference to likelihood (i.e., probability of occurrence), proximity and impact against the assessment criteria. By measuring risks against consistent criteria, it allows comparison of risks on a like-for-like basis and this assessment also sets out the thresholds which determine at which level a risk should be owned.
Based on the Framework, Principal risks are owned by the relevant member of the Executive Committee, with Business risk ownership linked to the ability to influence and effectively manage the risk faced.
Once assessed, a risk response option is selected and implemented which will determine any action that is required to reduce the risk impact and/or likelihood. Risks are either “tolerated”, “treated”, “avoided”, e.g. by changing strategy or tactics, or “transferred”, e.g. by moving contractual liabilities to a third party. Risk management plans are developed for risks we wish to avoid, transfer or treat and incorporate the need for effective control development.
Monitoring, Reporting and Escalation
Every risk is monitored to keep the relative impact, likelihood and proximity current. A structured reporting model is implemented with:
- All business risks, and any related risk management plans, being reviewed quarterly by the respective owners.
- The most severe business risks, and any related risk management plans, being reviewed quarterly by the Executive Committee and Risk Committee.
- The principal risks being assessed biannually, with a desire to identify risks that may impact Gamma in the future.
- Control design and implementation being subject to internal audit activity.
Unpredictable and significant events
Where highly unpredictable, significant, and close proximity risks (sometimes referred to as black swan events) occur they are managed through Gamma's Risk Management Process and are closely managed by the relevant team within Gamma. They are assessed, scored and managed using the integrated framework, recognising the assessment must be completed at the pace of the event. An important aspect of an unpredictable risk is that, in hindsight, it may have been predictable or visible had certain data or knowledge been available. As such, a post-risk review occurs to ensure the Company learns and adjusts its risk framework where appropriate.
Given the magnitude of events such as the COVID-19 pandemic and the Russian/Ukrainian conflict in recent years, Gamma has adopted “black swan events” as an other risk. This ensures the right level of focus is applied to planning how Gamma responds to unforeseen events.
The Company’s risk appetite is reflected in the way it assesses, scores, ranks, and then manages individual risks.
In 2022 Gamma conducted a review of its risk appetite surrounding its principal risks. Risk appetite statements have been developed and are owned by the Executive Committee and approved by the Risk Committee. Gamma's risk appetite statements are directional and ensure that those managing business risks understand Gamma’s desires and willingness to take risk within a given area. The purpose of these statements is to strengthen risk assessment and allow prioritisation of risk response activities. This allows efficient use of time and resources when managing risk, whilst ensuring acceptable levels of risk are taken to deliver the strategic objectives. Gamma also publishes an overarching risk appetite statement in its Group Risk Policy.
An example of this is demonstrated within the “Unplanned service disruption” principal risk. This was assessed by the Executive Committee and the appetite set such that service interruption must be avoided, in particular across Gamma’s mature products and services where a large number of customers rely upon them for business-critical operations.
Once the risk appetite is defined and approved by the Risk Committee, this then helps employees working within Gamma’s development, engineering and operational teams understand the importance of maintaining high levels of service availability.