This section describes the principal risks that could have a material adverse impact on the Group and how those risks are identified, evaluated and managed.
Risk management framework
The Board has overall responsibility for the establishment and oversight of the Group's risk management framework, for ensuring that an appropriate risk management culture exists within the organisation, and for ensuring the effective identification, assessment and management of individual risks.
To assist in this process, with respect to non-financial risk, the Board established a Group Risk Committee under the stewardship of Martin Lea, Senior Independent Non-Executive Director. In addition to its Chair, the Risk Committee comprises the Company's Chair, two other Non-Executive Directors, the CEO, the CFO and the Group Operations Director. It generally meets quarterly or as otherwise required and liaises where necessary with other Board committees.
The main tasks of the Risk Committee are to ensure that:
- Management has implemented an appropriate and effective risk assessment, management and internal control system.
- There is an effective system in place for the identification and assessment of new and emerging risks.
- The nature and extent of the principal risks faced is understood and that they are effectively managed and mitigated.
- An appropriate risk management culture exists within the organisation.
Additional governance is applied to manage the risk of data loss, which is one of the Company's principal risks. A subset of the Senior Leadership Team (SLT) forms the 'Data Protection Committee'. In addition to establishing strong governance controls for the protection of personal data and the business's GDPR obligations, the Committee also oversees Gamma's data assets and ensures they are adequately protected. This Committee is advised by the Data Protection Officer, the Information Security Director and the Chief Architect to ensure that all stages of the data lifecycle are appropriately assessed, managed and protected.
Gamma utilises certified frameworks for the management of risk related to information security (ISO 27001), business continuity (ISO 22301) and environmental management (ISO 14001).
Gamma has a series of policies covering anti-bribery and corruption, modern slavery and human trafficking, ethical behaviour and wider social and governance matters, but the Board does not consider there to be significant risks in these areas. There is also a whistleblowing policy in place.
The risk management process
Within the Risk Management governance framework, Gamma has a well-established process for managing risk. The process follows four simple steps:
Identification
All employees are encouraged to consider and document risks within their working routines, and the risk management process supports this at every organisational level.
Assessment
Risks are assessed by reference to likelihood (i.e., the probability of occurrence), proximity (how soon the risk could materialise) and impact, against the assessment criteria. Measuring risks against consistent criteria allows them to be compared on a like-for-like basis, and the assessment also sets the thresholds which determine at which level a risk should be owned.
Response
Once assessed, a risk response option is selected and implemented, which determines any action required to reduce the risk's impact and/or likelihood.
Monitoring, Reporting and Escalation
Every risk is monitored so that its impact, likelihood and proximity scores remain current. In addition, the risk owner must review, and where required update, the risk register on a quarterly basis.
Unpredictable and significant events
Where highly unpredictable, significant and close-proximity risks (sometimes referred to as black swan events) occur, they are managed through Gamma's Risk Management Process and are closely managed by the relevant team within Gamma. They are assessed, scored and managed using the integrated framework, recognising that the assessment must be completed at the pace of the event. An important aspect of an unpredictable risk is that, in hindsight, it may have been predictable or visible had certain data or knowledge been available. A post-event review is therefore carried out to ensure the Company learns from the event and adjusts its risk framework where appropriate.
The Company's risk appetite is reflected in the way it assesses, scores, ranks and then manages individual risks.
As part of the annual review of the risk framework, Gamma conducted a review of its risk appetite for its principal risks. Risk appetite statements have been developed and are owned by the SLT and approved by the Risk Committee. Gamma's appetite statements are directional and ensure that those managing operational risks understand the degree of risk Gamma is willing to take in their area. The purpose of these statements is to strengthen risk assessment and allow prioritisation of risk response activities. This allows efficient use of time and resources when managing risk, whilst ensuring that acceptable levels of risk are taken to deliver the strategic objectives.
An example of this is the 'Unplanned service disruption' principal risk. This was assessed by the SLT and the appetite set such that service interruption must be avoided, in particular across Gamma's mature products and services, where a large number of customers rely upon them for business-critical operations. Equally, Gamma recognises that technology failure cannot be completely avoided, and for the deployment of new products it is also important to balance maintaining highly available products and services at scale against the pace at which Gamma takes these to market. Once the risk appetite is defined and approved by the Risk Committee, it helps employees working within Gamma's development, engineering and operational teams understand the importance of maintaining high levels of service availability.