Internal control & risk management
Risk management and internal controls accountabilities
Accepting that risk is an inherent part of doing business, our risk management systems are designed both to encourage entrepreneurial spirit and also provide assurance that risk is fully understood and managed. The Board has overall responsibility for risk management and internal control within the context of achieving the Group’s objectives. Executive management is responsible for implementing and maintaining the necessary control systems. The role of Internal Audit is to monitor the overall internal control systems and report on their effectiveness to Executive management, as well as to the Audit Committee, in order to facilitate its review of the systems.
Background
The Group has a five-year rolling business plan to support the
delivery of its strategy of long-term growth and returns for
shareholders. Every business unit and support function derives its
objectives from the five-year plan and these are cascaded to
managers and staff by way of personal objectives.
Key to delivering effective risk management is ensuring our people have a good understanding of the Group’s strategy and our policies, procedures, values and expected performance. We have a structured internal communications programme that provides employees with a clear definition of the Group’s purpose and goals, accountabilities and the scope of permitted activities for each business unit, as well as individual line managers and other employees. This ensures that all our people understand what is expected of them and that decision-making takes place at the appropriate level.
We recognise that our people may face ethical dilemmas in the normal course of business so we provide clear guidance based on the Tesco Values. The Values set out the standards that we wish to uphold in how we treat people. These are supported by the Group Code of Ethics which offers guidance on relationships between the Group and its employees, suppliers and contractors. The Company is a signatory to the DTI Code of Conduct and met its obligations for implementing the Code for the financial year ended 28 February 2009.
We operate a balanced scorecard approach that is known within the Group as our Steering Wheel. This unites the Group’s resources around our customers, people, operations, community and finance. The scorecard operates at every level within the Group, from ground level business units, through to country level operations. It enables the business to be operated and monitored on a balanced basis with due regard for all stakeholders.
Risk management
The Group maintains a Key Risk Register. The Register contains the
key risks faced by the Group including their impact and likelihood
as well as the controls and procedures implemented to mitigate
these risks. The content of the Register is determined through
regular discussions with senior management and review by the
Executive Committee and the full Board. A balanced approach allows
the degree of controllability to be taken into account when we
consider the effectiveness of mitigation, recognising that some
necessary activities carry inherent risk which may be outside the
Group’s control. Our risk management process recognises there
are opportunities to improve the business to be built into our
future plans.
The risk management process is cascaded through the Group with every international CEO and local Boards maintaining their own risk registers and assessing their control systems. The same process also applies functionally in those parts of the Group requiring greater overview. For example, the Audit Committee’s Terms of Reference require it to oversee the Finance Risk Register. We also have a Corporate Responsibility Risk Register which specifically considers Social, Ethical and Environmental (SEE) risks. Oversight of these risks is the responsibility of the Corporate Responsibility Committee. The Board assesses the significant SEE risks to the Group’s short-term and long-term value, and incorporates SEE risks on the Key Risk Register where they are considered material or appropriate.
We recognise the value of the ABI Guidelines on Responsible Investment Disclosure and confirm that, as part of its regular risk assessment procedures, the Board takes account of the significance of SEE matters to the business of the Group. We recognise that a number of investors and other stakeholders take a keen interest in how companies manage SEE matters and so we report more detail on our SEE policies and approach to managing material risks arising from SEE matters and the KPIs we use both on our website (www.tescoplc.com/plc/corporate_responsibility_09/) and in our Corporate Responsibility Review 2009.
Internal controls
The Board is responsible for the Company’s system of internal
control and for reviewing the effectiveness of such a system. We
have a Group-wide process for clearly establishing the risks and
responsibilities assigned to each level of management and the
controls which are required to be operated and monitored. The CEOs
of subsidiary businesses are required to certify by way of annual
statements of assurance that the Board’s governance policies
have been adopted both in practice and in spirit. For certain joint
ventures, the Board places reliance upon the internal control
systems operating within our partners’ infrastructure and the
obligations upon partners’ Boards relating to the
effectiveness of their own systems. Such a system is designed to
manage rather than eliminate the risk of failure to achieve
business objectives and can only provide reasonable and not
absolute assurance against material misstatement or loss.
The Board has conducted a review of the effectiveness of internal controls and is satisfied that the controls in place remain appropriate.
Monitoring
The Board oversees the monitoring system and has set specific
responsibilities for itself and the various committees as set out
below. Both Internal Audit and our external auditors play key roles
in the monitoring process, as do several non-statutory committees
including the Finance Committee, Compliance Committee and Corporate
Responsibility Committee. The Minutes of the Audit Committee and
the various non-statutory committees (Finance, Compliance and
Corporate Responsibility Committees) are distributed to the Board
and each committee submits a report for formal discussion at least
once a year. These processes provide assurance that the Group is
operating legally, ethically and in accordance with approved
financial and operational policies.
Audit Committee
The Audit Committee reports to the Board each year on its review of the effectiveness
of the internal control systems for the financial year and the
period to the date of approval of the financial statements.
Throughout the year the Committee receives regular reports from the
external auditors covering topics such as quality of earnings and
technical accounting developments. The Committee also receives
updates from Internal Audit and has dialogue with senior managers
on their control responsibilities. It should be understood that
such systems are designed to provide reasonable, but not absolute,
assurance against material misstatement or loss.
Internal Audit
The Internal Audit department is fully independent of business
operations and has a Group-wide mandate. It undertakes a programme
to address internal control and risk management processes with
particular reference to the Turnbull Guidance. It operates a risk
based methodology, ensuring that the Group’s key risks
receive appropriate regular examination. Its responsibilities
include maintaining the Key Risk Register, reviewing and reporting
on the effectiveness of risk management systems and internal
control with the Executive Committee, the Audit Committee and
ultimately to the Board. Internal Audit facilitates oversight of
risk and control systems across the Group through audit and
compliance committees in each of our international businesses and
our joint ventures. The Head of Internal Audit also attends all
Audit Committee meetings.
External audit
PricewaterhouseCoopers LLP, the Company’s external auditor, contributes a further
independent perspective on certain aspects of our internal
financial control systems arising from its work, and reports to
both the Board and the Audit Committee. The engagement and
independence of external auditors is considered annually by the
Audit Committee before it recommends its selection to the Board.
The Committee has satisfied itself that PricewaterhouseCoopers LLP
is independent and there are adequate controls in place to
safeguard its objectivity. One such measure is the non-audit
services policy that sets out criteria for employing external
auditors and identifies areas where it is inappropriate for
PricewaterhouseCoopers LLP to work. Non-audit services work carried
out by PricewaterhouseCoopers LLP is predominantly the review of
subsidiary undertakings’ statutory accounts, transaction work
and corporate tax services, where PwC’s services are
considered to be the most appropriate. PricewaterhouseCoopers LLP
also follows its own ethical guidelines and continually reviews its
audit team to ensure its independence is not compromised.
Finance Committee
The Finance Committee, which is not a statutory committee, is
chaired by the CEO, Sir Terry Leahy, and membership includes
Non-executive Directors with relevant financial expertise,
Executive Directors and members of senior management. The Committee
usually meets twice a year and its role is to review and agree the
Finance Plan on an annual basis, to review reports of the Treasury
and Tax functions, and to review and approve Treasury limits and
delegations.
Compliance Committee
The Compliance Committee, which is not a statutory committee, is chaired by the
Corporate and Legal Affairs Director, Lucy Neville-Rolfe, and
includes three Executive Directors and members of senior
management.
The Committee normally meets six times a year and its remit is
to ensure that the Group complies with all necessary laws and
regulations in all of its operations world-wide. The Committee has
established a schedule for the regular review of operational
activities and legal exposure. Each international business in the
Group has a local compliance committee designed to ensure
compliance with local laws and regulations as well as Group
Compliance policies, and each country compliance committee reports
to the Group Compliance Committee on a regular basis.
Corporate Responsibility Committee
The Corporate Responsibility Committee, which is not a statutory
committee, is chaired by the Corporate and Legal Affairs Director,
Lucy Neville-Rolfe, and membership is made up of senior executives
from across the Group. It meets at least four times a year to
support, develop and monitor policies on Social, Ethical and
Environmental issues, reviewing threats and opportunities for the
Group. Progress in developing Community initiatives is monitored by
the use of relevant KPIs in the UK and our international
businesses. The Board formally discusses the work of the Committee
on a regular basis, including progress in implementing our
Community Plan. The Corporate and Legal Affairs department and the
Trading Law and Technical department provide assurance and advice
on legal compliance, health and safety, and SEE matters. These
functions report on their work on a regular basis and escalate
matters as appropriate.
Whistleblowing
The Group operates a whistleblowing policy and has a confidential
‘Protector Line’ service accessible to concerned
employees where they can report, anonymously if necessary, on
issues of malpractice within the business. These issues include
unethical behaviour such as fraud, dishonesty and any practices
that endanger our staff, customers or the environment.
Complaints made are treated as confidential and are investigated. Where appropriate, matters will be escalated to the Director of Group Security for further action.
Management
In our fast moving business, trading is tracked on a daily and
weekly basis, financial performance is reviewed weekly and monthly,
and the Steering Wheel is reviewed quarterly. Steering Wheels are
operated in business units across the Group, and reports are
prepared of performance against target KPIs on a quarterly basis
enabling management to measure performance. All major initiatives
require business cases normally covering a minimum period of five
years. Post-investment appraisals, carried out by management,
determine the reasons for any significant variance from expected
performance.