Internal control and risk management

Accountabilities

Accepting that risk is an inherent part of doing business, our risk management systems are designed both to encourage entrepreneurial spirit and to provide assurance that risk is fully understood and managed. The Board has overall responsibility for risk management and internal control within the context of achieving the Group’s objectives. Executive management is responsible for implementing and maintaining the necessary control systems. The role of Internal Audit is to monitor the overall internal control systems and report on their effectiveness to Executive management, as well as to the Audit Committee, in order to facilitate its review of the systems.

Background

The Group has a three-year rolling business plan to support the delivery of its strategy. Every business unit and support function derives its objectives from the three-year plan and these are cascaded to managers and staff by way of personal objectives.

Key to delivering effective risk management is ensuring that our people have a good understanding of the Group’s strategy and our policies, procedures, values and expected performance. We have a structured internal communications programme that provides employees with a clear definition of the Group’s purpose and goals, accountabilities and the scope of permitted activities for each business unit, as well as individual line managers and other employees. This ensures that all our people understand what is expected of them and that decision-making takes place at the appropriate level. We recognise that our people may face ethical dilemmas in the normal course of business so we provide clear guidance based on the Tesco Values. The Values set out the standards that we wish to uphold in how we treat people. These are supported by the Group’s Code of Business Conduct, which offers guidance on relationships between the Group and its employees, suppliers and contractors.

Risk management

The Group maintains a Key Risk Register. The Register contains the key risks faced by the Group, including their impact and likelihood, as well as the controls and procedures implemented to mitigate these risks (see diagram below). The content of the Register is determined through regular discussions with senior management and review by the Executive Committee and the full Board. A balanced approach allows the degree of controllability to be taken into account when we consider the effectiveness of mitigation, recognising that some necessary activities carry inherent risk which may be outside the Group’s control. Our key risks are summarised in the Annual Report.

The risk management process is cascaded through the Group, with operating subsidiary boards maintaining their own risk registers and assessing their control systems. The same process also applies functionally in those parts of the Group requiring greater overview. For example, the Audit Committee’s terms of reference require it to oversee the Finance Risk Register. The Board assesses significant social, environmental and ethical (‘SEE’) risks to the Group’s short and long-term value, and incorporates SEE risks into the Key Risk Register where they are considered material or appropriate. During the year the Board regularly reviewed the Risk Register and also undertook an in-depth assessment of product safety.

We recognise the value of the ABI Guidelines on Responsible Investment Disclosure and confirm that, as part of its regular risk assessment procedures, the Board takes account of the significance of SEE matters to the business of the Group. We recognise that a number of investors and other stakeholders take a keen interest in how companies manage SEE matters and so we report more detail on our SEE policies and approach to managing material risks arising from SEE matters and the KPIs we use both on our website (www.tescoplc.com/corporate-responsibility/) and in our Corporate Responsibility Review 2012. To provide further assurance, the Group’s Corporate Responsibility KPIs are audited on a regular basis by Internal Audit.

Risk Matrix

For further details please see the 2012 Annual Report
