Risk management
This section describes the principal risks that could have a material adverse impact on the Group and how those risks are identified, evaluated, and managed.
How Gamma manages risk
Gamma operates a robust and well-established structure for the management of risk in each area of its business. This process includes the identification, evaluation and scoring of risks based on the likelihood of occurrence, when a risk may impact Gamma and the potential impact when it does, alongside the adequacy of the mitigation or control actions in place. Risks are categorised and aligned to Gamma's business priorities to ensure that appropriate senior visibility, evaluation and mitigation exist. An integrated risk management process provides visibility of risks across the Company and facilitates consistent data-driven decision making. Each generic area of risk has clearly assigned accountability within the Executive Committee and wider Leadership Team, with reporting lines to the CEO and ultimately the Board. A centralised risk register is maintained which includes all identified risks, their scores, prioritisation, the status of existing controls and action planning.
Risk management happens at multiple levels within the organisation and all employees are encouraged to consider Company risks throughout their working routines. The organisational level at which a risk is owned is determined by its severity. This ensures the owner has an appropriate level of authority to decide upon the response to a risk. Alongside an ongoing education and training programme, the Company continues to build a risk-aware culture.
The Company categorises and subsequently manages risk in two distinct ways. "Principal Risks" are the most significant areas of risk facing Gamma.
They are strategically significant and could have a material adverse impact on the Group's financial performance or reputation. Principal Risks are where Gamma sets its risk appetite. The Company determines its appetite by agreeing how open it is to taking risk in a given area. The risk appetite is reviewed annually and approved by the Board. "Business Risks" enable Gamma to successfully manage Principal Risks. They are specific and more easily quantified, and form the method that the Company uses to manage risk and action planning within specific areas of the business. For example, the threat of "Data loss and cyber-attacks" is an area of Principal Risk for Gamma, and within that area of risk are various Business Risks which articulate specific threats in each area of its business, such as a lack of server security patching within a live network environment, and/or a lack of skills in a development team to build to Gamma's defined security standards. By using this method, Gamma can tangibly assess how and where risks are building within every part of its business.
Gamma continues to grow and reinforce its position in core UK markets, whilst in parallel executing strategic acquisitions to expand its addressable markets internationally. In 2022 Gamma conducted a thorough review of its principal risks to ensure they are representative of the Group with an adequate international perspective.
Risk governance
The Board has overall responsibility for the establishment and oversight of the Group’s risk management policy and framework, for ensuring that an appropriate risk management culture exists within the organisation, and for ensuring the effective identification, assessment and management of individual risks.
To assist in this process, the Board established a Group Risk Committee in 2018 under the stewardship of Martin Lea, Independent Non-Executive Director. In addition to its Chair, the Risk Committee comprises the Company's Chair, three other Non-Executive Directors, the CEO, the CFO and the COO. It generally meets quarterly or as otherwise required and liaises where necessary with other Board committees.
The main tasks of the Risk Committee are to ensure that:
- Management has implemented an appropriate and effective risk assessment, management and internal control system.
- There is an effective system in place for the identification and assessment of new and emerging risks.
- The nature and extent of the principal risks faced is understood and that they are effectively managed and mitigated.
- An appropriate risk management culture exists within the organisation.
In line with the governance structures set out in our Group Data Protection policy, a subset of the Executive Committee forms the “Data Protection Committee”. In addition to establishing strong governance controls for the protection of personal data and the business’ GDPR obligations, the Committee also oversees Gamma data assets and ensures these are adequately protected in line with its Data Protection policy. This Committee is advised by the Data Protection Officer, Group Risk and Governance Director and Chief Architect to ensure all aspects of the data lifecycle are appropriately assessed, managed and protected.
Gamma utilises certified frameworks for the management of risk related to information security (ISO 27001), business continuity (ISO 22301) and environmental management (ISO 14001). These frameworks are also supported by associated policies.
Gamma also has a series of policies regarding anti-bribery and corruption, modern slavery and human trafficking, ethical behaviour and wider social and governance matters, but the Board does not consider there to be significant risks in these areas. There is also a whistleblowing policy in place.
The risk management process
Within the Risk Management governance framework, Gamma has a well-established process for managing risk. The process follows four simple steps:
Identification
All employees are encouraged to consider and document risks within their working routines and the risk management process supports this at every organisational level. Gamma's Executive Committee will raise and discuss risk within various regular forums and in addition there is a dedicated quarterly risk review forum where the most significant risks are discussed in greater depth.
Assessment
Risks are assessed by reference to likelihood (i.e., probability of occurrence), proximity and impact against the assessment criteria. Measuring risks against consistent criteria allows them to be compared on a like-for-like basis, and the assessment also sets out the thresholds which determine the level at which a risk should be owned.
Under the framework, Principal Risks are owned by the relevant member of the Executive Committee, with Business Risk ownership linked to the ability to influence and effectively manage the risk faced.
Risk response
Once assessed, a risk response option is selected and implemented which will determine any action that is required to reduce the risk impact and/or likelihood. Risks are either "tolerated", "treated", "avoided" (e.g. by changing strategy or tactics) or "transferred" (e.g. by moving contractual liabilities to a third party). Risk management plans are developed for risks we wish to avoid, transfer or treat, and incorporate the need for effective control development.
Monitoring, Reporting and Escalation
Every risk is monitored to keep the relative impact, likelihood and proximity current. A structured reporting model is implemented with:
- All business risks, and any related risk management plans, being reviewed quarterly by the respective owners.
- The most severe business risks, and any related risk management plans, being reviewed quarterly by the Executive Committee and Risk Committee.
- The principal risks being assessed biannually, with a desire to identify risks that may impact Gamma in the future.
- Control design and implementation being subject to internal audit activity.
Unpredictable and significant events
Where highly unpredictable, significant and close-proximity risks (sometimes referred to as black swan events) occur, they are managed through Gamma's Risk Management Process and are closely managed by the relevant team within Gamma. They are assessed, scored and managed using the integrated framework, recognising that the assessment must be completed at the pace of the event. An important aspect of an unpredictable risk is that, in hindsight, it may have been predictable or visible had certain data or knowledge been available. As such, a post-risk review occurs to ensure the Company learns and adjusts its risk framework where appropriate.
Given the magnitude of events such as the COVID-19 pandemic and the Russian/Ukrainian conflict in recent years, Gamma has adopted "black swan events" as another risk. This ensures the right level of focus is applied to planning how Gamma responds to unforeseen events.
Risk appetite
The Company’s risk appetite is reflected in the way it assesses, scores, ranks, and then manages individual risks.
In 2022 Gamma conducted a review of its risk appetite surrounding its principal risks. Risk appetite statements have been developed and are owned by the Executive Committee and approved by the Risk Committee. Gamma's risk appetite statements are directional and ensure that those managing business risks understand Gamma's desire and willingness to take risk within a given area. The purpose of these statements is to strengthen risk assessment and allow prioritisation of risk response activities. This allows efficient use of time and resources when managing risk, whilst ensuring acceptable levels of risk are taken to deliver the strategic objectives. Gamma also publishes an overarching risk appetite statement in its Group Risk Policy.
An example of this is demonstrated within the "Unplanned service disruption" principal risk. This was assessed by the Executive Committee and the appetite set such that service interruption must be avoided, in particular across Gamma's mature products and services, where a large number of customers rely upon them for business-critical operations.
Once the risk appetite is defined and approved by the Risk Committee, this then helps employees working within Gamma’s development, engineering and operational teams understand the importance of maintaining high levels of service availability.