We consider risk assessment and control to be fundamental in achieving our strategic objectives.
We identify and assess the impact of risks to the business under four key headings – financial, strategic, operational and knowledge. For each risk, the likelihood is identified and the impact is assessed using quantitative and qualitative information.
The significant risks and uncertainties we face are set out below together with a summary of the control measures and mitigations employed. Notwithstanding these actions, due to pace and nature at which risks evolve, we remain vigilant in addressing these areas of concern and
developing our control measures.
The significant risks and uncertainties faced by the Group are as set out below:
|Risk Description||Risk Mitigation|
|Within the markets we operate, legislation changes on a regular basis and the interpretation of existing laws can also change, creating ever-tightening standards. This will often require additional human and financial resources and the provision of new assets and systems. We are committed to responding positively to new regulation and legislation; changes could affect the pricing for, or adversely affect the revenue from, the services the Group offers. The General Data Protection Regulation (GDPR) became effective in May 2018 and its effects will remain under review due to the impact it will have on data handling.||We have a dedicated Legal, Governance, Health and Safety, Privacy and Information Security Teams who are collectively responsible for monitoring changes to legislation and ensuring compliance in each area. We have access to external legal advisors, globally. We have taken a proactive approach to GDPR and are continuing to progress with our headline plan. The necessary tasks have been completed which included contacting all of our Data Partners and Customers in order to update all data-related contracts prior to May 2018 to enable continued use of our services. Following the successful launch of a global intranet, we are able to provide a forum to promote and monitor our employees’s understanding of our policies; which, in turn will ensure ongoing compliance with regulatory obligations including those required by data protection laws.|
|We operate within competitive markets and intensified competition could lead to pricing pressures. A reduction in the rate at which we add new customers may decrease the size of our market share if clients choose to receive services from other providers.||Our business development functions review the activities of our competitors and report to senior management on issues and developments. We strive to differentiate ourselves from the competition and can only do so effectively by understanding the activities and offerings of our competitors. We continue to enhance our product portfolio both by internal development and through acquisition. Our acquisition strategy has opened up new markets and territories enabling cross sale.|
|Non-Supply my Major Supplier|
|Some of our data and infrastructure is sourced from third party suppliers and partners. The removal from the market by one or more of these third party suppliers or interruption in supply could quickly and adversely affect our operations and result in the loss of revenue or additional expenditure.||Our Product, Data and Technology Teams work strategically to prevent over reliance on any one key supplier, having multiple suppliers where required. Suppliers are carefully selected to minimise risk of supplier failure or insolvency. We ensures our staff are aware of supplier requirements or restrictions to minimise the risk of loss of a supplier due to a breach of contractual obligations.|
|Disaster Recovery, Business Continuity and Cyber Risk|
|We have an understandable reliance on our office locations, IT systems and people. In the event of an incident affecting business continuity, we would initiate our business continuity plans; however, the loss of key components as a result of the incident could affect the Group’s operations and result in additional expenditure. Given the nature of our business the threat of unauthorised or malicious attacks on our IT systems is an ongoing risk. The risk of a cyber attack such as denial of service attacks, phishing and disruptive software campaigns is constantly evolving and becoming increasingly sophisticated.||Our global business continuity programme covers policies and procedures for the key components of each of the businesses’ operating units. We have cyber insurance in place and have established policies to protect the Group against a cyber-attack and any security breaches, which is headed up by our Information Security Officer. Disaster recovery requirements and network security are regularly reviewed and back-ups are maintained in databases and data centres. These policies and programmes are subject to annual review and audit. We will be introducing an InfoSec awareness programme to raise the knowledge of cyber risk and information security. We engage and undertake due diligence with our data partners and suppliers to ensure vulnerabilities are identified and mitigated against. Risk analysis and mitigation processes relating to products and services that we either provide or consume. These are fed into a risk matrix where we track treatment plans against each risk. Penetration testing is conducted via an approved third party specialist. Incident response plan for cyber threats is being defined for the business. Technical security measures for GDPR have been reviewed with requirements currently being defined.|
|New product development|
|In order to maintain a competitive advantage, we invest significant amounts of resource into our product development.||The development of all new technologies and products involves risk, including the product being more expensive, or taking longer to develop than originally planned; the market for the product being smaller than originally envisaged or that the product fails to reach the production stage. We carry out extensive research and market analysis around the viability of a product before the development phase is initiated.|
|We generally protect our proprietary application software products and services by licensing rights to use the applications rather than selling or licensing the computer source code. We rely on trademark, copyright, patent and other intellectual property laws to establish and protect our proprietary rights in these products and services. However, there is a risk that our proprietary rights could be challenged, limited, invalidated or circumvented.||All of our contracts include provisions to protect the proprietary rights of the Group. We register trademarks globally and work closely with external advisors to ensure that the businesses’ rights are safeguarded in all territories in which we operate.|