Risk Management
The Committee manages and monitors the Group’s risk and control processes and procedures. It was chaired during 2007 by the Company secretary and its members during the year were drawn from relevant functions and from Group businesses worldwide, as follows:
- Company secretary
- Chief financial officer
- Group general counsel
- Group HR director
- Group risk manager
- Group chief information officer
- Six senior representatives from across Aegis Media and Synovate
The Committee meets four times a year, usually three weeks before an Audit Committee meeting. The Risk Committee and the Audit Committee work very closely together and ensure that there are good communication channels in place to enhance the flow of information. The minutes of each Risk Committee meeting and the internal audit supporting papers are sent to the Audit Committee for information and comment.
A review of the Committee’s terms of reference was undertaken in 2007 with the input of KPMG. The revised terms of reference were subsequently endorsed by the Audit Committee.
The Committee is responsible for:
- setting the Group risk management strategy;
- communicating and embedding risk and internal control policy and guidelines;
- reviewing the major risks facing the Group and providing guidance and direction on the internal controls required to manage them;
- monitoring risk management performance; and
- overseeing and supporting the internal audit function.
Significant matters dealt with by the Committee during 2007 included:
Germany fraud
The previously reported fraud in Aegis Media Germany was reviewed in detail to establish what lessons had been learned and what consequent changes had been introduced in control processes and procedures. As a result, the Group risk manager undertook a revision of the internal audit work programme.
In relation to the fraud, three individuals, including the former chief executive of Aegis Media Central and Eastern Europe and one other former employee of Aegis Media Germany, have been formally charged with embezzlement. Court proceedings were commenced in January 2008 against the two former employees and these proceedings are ongoing.
The Group continues to take steps to maximise recovery for the losses suffered including making a claim under the Group’s crime insurance policy. Although some recovery of funds is expected, the amount and timing of the recovery is not certain and the recoveries are disclosed as a contingent asset in the Group’s financial statements.
IT penetration testing
Recognising the importance of the exercise, the Group introduced IT penetration testing in 2007 with the assistance of external IT specialists. The scope of the testing was to identify system, network or application vulnerabilities that could permit unauthorised access and so lead to a loss of data integrity. An implementation programme for the resulting improvements has been put in place. The testing is seen as an important exercise and will be repeated on an annual basis.
Review of key risks
Discussions took place between the Group risk manager and senior management from Synovate and Aegis Media to review and update, where appropriate, the key risks for each business. These were agreed along with associated control processes. Alongside this review of the key business risks an assessment was also undertaken of potential low probability but high impact risks. Any consequential actions agreed by the Committee have been or are planned to be communicated to the businesses and internal processes amended accordingly.
Review of Group Principles and Policies Manual
The Committee was tasked with overseeing a review and update of the manual. This will be completed in early 2008 and distributed to all employees via the Group’s intranet site.
Risk monitoring and assurance
Risk self-assessment surveys
The risk self-assessment surveys provide senior management with an insight from the businesses about the management of their key risks and changes in risk focus. As Synovate and Aegis Media face a number of different risks, two separate online surveys were developed with input from Synovate’s COO and Aegis Media’s Global CFO. The CEOs of each local business unit must report, for each of the risks identified in their survey, the status of internal control and management of the risk within their operation, providing action plans where required.
The last survey was performed in December 2006. In 2007 the results were analysed by the Risk Committee and provided online to regional, global and group management as well as to the Risk and Audit Committees. Based on the responses and a review of the operations’ key risks, the surveys have been updated. The revised surveys will be distributed for completion in the first quarter of 2008, with responses taking into account the period since completion of the previous survey.
Annual compliance certificates
The chief executive officer and chief financial officer of each reporting unit or entity are required to complete an annual certificate confirming, in relation to the relevant unit or entity, that:
- the accounts as submitted were accurate and complete;
- there were no actual or potential breaches of laws or regulations;
- there were no frauds;
- there were no related party transactions other than those properly disclosed;
- there were no conflicted directorships; and
- all relevant information was disclosed to the auditors.
Similar certifications have been required of regional, global and Group management.
Where a unit or entity states that it is non-compliant with any of the areas listed above, a full explanation is required for further understanding and follow-up. The results from this process are reported to the Audit Committee prior to the signing of the Annual Report and Accounts.
Internal audit
Our internal audit function has been in place since 2005 and helps provide assurance to the Board, via the Risk and Audit Committees, on internal controls implemented to help mitigate some of the Group’s key risks. Internal audit reviews are undertaken with the support of an international firm of accountants.
The annual internal audit programme incorporates all areas of our business and is agreed by the Risk Committee and approved by the Audit Committee. In 2007, the following types of activities were included within the plan:
- reviews of recently acquired companies;
- peer reviews;
- internal audits concentrating on financial controls at the operations deemed to be higher risk; and
- IT security reviews.
In addition to the agreed plan, ad hoc audits may be carried out. These may be at the request of senior management, the Risk Committee or the Audit Committee. All amendments to the original plan require approval from the Audit Committee. In 2007, this included the IT penetration testing as referred to earlier.
One of our key risks is the integration of companies that we acquire. We therefore bring them into our internal audit programme as early as possible, recognising that full integration may take time. Within 12 months of acquisition we visit the more significant businesses to perform an acquisition review. The next step may be a peer review or an internal audit review, depending on the size of the acquisition. Our audit programme is based on a five year rolling cycle, with the more significant operations visited by internal audit every two to three years. Peer reviews are used to supplement the internal audit reviews to ensure good coverage of our operations and are conducted by experienced CFOs from within our operating units. Support is provided from an international firm of accountants to carry out specified detailed tests to confirm that key financial operations are working satisfactorily.
All reviews are performed using pre-defined audit programmes that are updated on a rolling basis to incorporate the risks and results from the risk self-assessment surveys and issues arising from the internal audit reviews. The acquisition reviews also focus on the issues highlighted in the due diligence report.
Action plans to address any areas of concern are agreed with senior management, with responsibilities assigned and timeframes established. The results are reported to country, regional, global and Group management as appropriate and also to the Risk and Audit Committees.
Although management has ultimate responsibility for implementing any agreed recommendations, Internal Audit monitors their progress. Where common issues are noted across several business units, these are reviewed and discussed in more detail at the Risk Committee to assess whether updates to existing Group policies are required. Regional and global management are also reminded to take corrective action. In addition, common issues were shared and discussed at the Group’s Finance annual conference.
Key risks
On an ongoing basis, management identifies, analyses, monitors and controls all major risks. These include risks affecting clients, people, the ability to provide continuous service, risks arising from the laws that govern our business, and control over Company finances.
Our risk management process has identified the following potential risks and uncertainties that could have a material impact on the Group’s performance, and has put in place internal processes and controls designed to mitigate each risk. The Group’s results could also be impacted by other factors. The risk factors detailed below should not be regarded as a complete and comprehensive statement of all potential risks and uncertainties facing the Group.
| RISK FACTOR | INTERNAL PROCESSES AND CONTROLS |
| --- | --- |
| Acquisition integration | Strategic planning; robust due diligence procedures; Board approvals; post-integration procedures and review by Internal Audit |
| Business continuity and disaster recovery | Build in resilience where cost-effective; business continuity and disaster recovery plans are required to be in place and tested by all business units; business continuity workshops held; back-up guidelines for electronic applications and data are in place |
| Cash and liquidity risk | Reconciliations and review procedures in place for balance sheet accounts; working capital management; daily review of short-term liquidity; review and analysis of borrowing facilities and cash flows |
| Client contract management | Established guidelines in place for format and content of client contracts; standard contract terms encouraged with all clients; client contract training |
| Credit management | Efficient credit control function including credit insurance where appropriate and available; client acceptance and credit check procedures; advance payments required in certain instances; client satisfaction surveys |
| Data accuracy | Policies and procedures in place; control checks in place, automated where possible; review procedures in place at all levels within the Group’s management structure; internal and external audit reviews |
| Data privacy and security | Group policies and procedures for personal data and for transferring data intra-group; Group Data Transfer Undertaking being developed for the market research businesses, based on model clauses as approved by the EU Commission, for cross-border transfers of personal data; IT penetration testing introduced in 2007 to ensure robustness of data |
| Financial controls | Detailed budgeting and forecasting procedures; monthly reporting and variance analysis; internal audit programme; self-assessment programme; Directors’ annual confirmations |
| Fraud/unethical business practices | Internal fraud workshops held around the Group; internal controls in place to help mitigate fraud; relevant and appropriate messages being built into leadership programmes; employee concerns ‘SpeakUp’ policy being reviewed and updated |
| Intellectual property (IP) rights | Clear rights of ownership in client contracts; indemnity clauses in client contracts; global professional indemnity insurance in place to cover breaches |
| Key staff | Management succession planning; incentive plans to attract and retain quality staff |
| Marketplace disruption | Constant monitoring of market trends and competitors’ activities; detailed planning process and appropriate contingency plans; diversification of geographic footprint |