Risk management

Understanding the risks that affect the Group

This section describes the principal risks that could have a material adverse impact on the Group and how those risks are identified, evaluated and managed.

How Gamma manages risk

Gamma operates a robust and well-established structure for the management of risk in each area of its business. This process includes the identification, evaluation and scoring of risks based on the likelihood of occurrence, when it may impact Gamma and the potential impact when it does, alongside the adequacy of the mitigation or control actions in place. Risks are categorised and aligned to Gamma’s business priorities to ensure appropriate senior visibility, evaluation and mitigation exist. An integrated risk management process provides visibility of risks across the Company and facilitates consistent data-driven decision making. Each generic area of risk has clearly assigned accountability within the Senior Leadership Team (‘SLT’) with reporting lines to the CEO and ultimately the Board. A centralised risk register is maintained which includes all identified risks, their scores, prioritisation, the status of existing controls and action planning.

Risk management happens at multiple levels within the organisation and all employees are encouraged to consider Company risks throughout their working routines. The organisation level at which risk is owned is determined by its severity. This ensures the owner has an appropriate level of authority to decide upon the response to a risk. Alongside an ongoing education and training programme, the Company continues to build a risk-aware culture.

Gamma continues to grow and reinforce its position in core UK markets, whilst in parallel executing on strategic acquisitions to expand its addressable markets internationally. In 2021 Gamma conducted a thorough review of its principal risks to ensure they are representative of the Group with adequate international perspective.

Risk management framework

Group Risk Committee
Data Protection Committee
Executive Directors
Risk Management Process
  • Identification
  • Evaluation
  • Monitoring
  • Mitigation
Senior Leadership Team

Risk governance

The Board has overall responsibility for the establishment and oversight of the Group's risk management framework, for ensuring that an appropriate risk management culture exists within the organisation, and for ensuring the effective identification, assessment and management of individual risks.

To assist in this process, with respect to non-financial risk, the Board established a Group Risk Committee under the stewardship of Martin Lea, Senior Independent Non-Executive Director. In addition to its Chair, the Risk Committee comprises the Company's Chair, two other Non-Executive Directors, the CEO, the CFO and the Group Operations Director. It generally meets quarterly or as otherwise required and liaises where necessary with other Board committees.

The main tasks of the Risk Committee are to ensure that:

  • Management has implemented an appropriate and effective risk assessment, management and internal control system.
  • There is an effective system in place for the identification and assessment of new and emerging risks.
  • The nature and extent of the principal risks faced is understood and that they are effectively managed and mitigated.
  • An appropriate risk management culture exists within the organisation.

Additional governance is applied to manage the risk of data loss, which is one of the Company’s principal risks. A subset of the Senior Leadership Team (SLT) forms the 'Data Protection Committee.' In addition to establishing strong governance controls for the protection of personal data and the business’ GDPR obligations, the Committee also oversees Gamma data assets and ensures these are adequately protected. This Committee is advised by the Data Protection Officer, Information Security Director and Chief Architect to ensure all aspects of the data lifecycle are appropriately assessed, managed and protected.

Gamma utilises certified frameworks for the management of risk related to information security (ISO 27001), business continuity (ISO 22301) and environmental management (ISO 14001).

Gamma has a series of policies regarding anti-bribery and corruption, modern slavery and human trafficking, ethical behaviour and wider social and governance matters, but the Board does not consider there to be significant risks in these areas. There is also a whistleblowing policy in place.

The risk management process

Within the Risk Management governance framework, Gamma has a well-established process for managing risk. The process follows four simple steps:

  1. Identification

    All employees are encouraged to consider and document risks within their working routines and the risk management process supports this at every organisational level.

  2. Assessment

    Risks are assessed by reference to likelihood (i.e., probability of occurrence), proximity and impact against the assessment criteria. Measuring risks against consistent criteria allows comparison of risks on a like-for-like basis, and this assessment also sets out the thresholds which determine at which level a risk should be owned.

  3. Risk response

    Once assessed, a risk response option is selected and implemented which will determine any action that is required to reduce the risk impact and/or likelihood.

  4. Monitoring, Reporting and Escalation

    Every risk is monitored to keep the relative impact, likelihood and proximity current. Additionally, the risk owner must review and, where required, update the risk register on a quarterly basis.

Unpredictable and significant events

Where highly unpredictable, significant and close-proximity risks (sometimes referred to as black swan events) occur, they are managed through Gamma's Risk Management Process and are closely managed by the relevant team within Gamma. They are assessed, scored and managed using the integrated framework, recognising the assessment must be completed at the pace of the event. An important aspect of an unpredictable risk is that, in hindsight, it may have been predictable or visible had certain data or knowledge been available. As such, a post-risk review occurs to ensure the Company learns and adjusts its risk framework where appropriate.

Risk appetite

The Company's risk appetite is reflected in the way it assesses, scores, ranks and then manages individual risks.

As part of the annual review of the risk framework, Gamma conducted a review of its risk appetite surrounding its principal risks. Risk appetite statements have been developed and are owned by the SLT and approved by the Risk Committee. Gamma's appetite statements are directional and ensure that those managing operational risks understand Gamma’s desire and willingness to take risk within the area. The purpose of these statements is to strengthen risk assessment and allow prioritisation of risk response activities. This allows efficient use of time and resources when managing risk, whilst ensuring acceptable levels of risk are taken to deliver the strategic objectives.

An example of this is demonstrated within the ‘Unplanned service disruption’ principal risk. This was assessed by the SLT and the appetite set such that service interruption must be avoided, in particular across Gamma’s mature products and services where a large number of customers rely upon them for business-critical operations. Equally, Gamma does recognise that technology failure cannot be completely avoided, and for the deployment of new products it is also important to counterbalance maintaining highly available products and services at scale with the pace at which Gamma takes these to market. Once the risk appetite is defined and approved by the Risk Committee, this then helps employees working within Gamma’s development, engineering and operational teams understand the importance of maintaining high levels of service availability.

Key to strategy

  1. Cloud Telephony and UCaaS: Evolve our strong Cloud telephony position into the UCaaS market
  2. Fixed and Mobile Telecom: Build on our fixed and mobile telecom strength to differentiate our proposition from pure OTTs
  3. Company Expansion: Expand into Europe to gain continued growth and scale
  4. Digital progression: Continue to build on our digital capabilities to assure agility and sustain competitiveness

Key to KPIs

  1. Revenue
  2. Gross profit
  3. Gross margin
  4. Adjusted EBITDA
  5. Cash
  6. Cash generated by operations
  7. EPS
  8. Fully diluted adjusted EPS

Key to risks

  1. Unplanned service disruption
  2. Data loss and cyber attacks
  3. Over-reliance on suppliers
  4. Inability to attract and retain top talent
  5. Uncertain competitive landscape
  6. Price erosion
  7. Legal and regulatory non-compliance
  8. Unsuccessful M&A strategies

The ESG Committee oversees the development and activity of Gamma's ESG agenda.