Internal control & risk management

Accountabilities

Accepting that risk is an inherent part of doing business, our risk management systems are designed both to encourage entrepreneurial spirit and also provide assurance that risk is fully understood and managed. The Board has overall responsibility for risk management and internal control within the context of achieving the Group’s objectives. Executive management is responsible for implementing and maintaining the necessary control systems. The role of Internal Audit is to monitor the overall internal control systems and report on their effectiveness to Executive management, as well as to the Audit Committee, in order to facilitate its review of the systems.

Background
The Group has a five-year rolling business plan to support the delivery of its strategy of long-term growth and returns for shareholders. Every business unit and support function derives its objectives from the five-year plan and these are cascaded to managers and staff by way of personal objectives. Key to delivering effective risk management is ensuring our people have a good understanding of the Group’s strategy and our policies, procedures, values and expected performance. We have a structured internal communications programme that provides employees with a clear definition of the Group’s purpose and goals, accountabilities and the scope of permitted activities for each business unit, as well as individual line managers and other employees. This ensures that all our people understand what is expected of them and that decision-making takes place at the appropriate level. We recognise that our people may face ethical dilemmas in the normal course of business so we provide clear guidance based on the Tesco Values. The Values set out the standards that we wish to uphold in how we treat people. These are supported by the Group Code of Business Conduct which was launched this year, replacing the Code of Ethics, and offers guidance on relationships between the Group and its employees, suppliers and contractors.

We operate a balanced scorecard approach that is known within the Group as our Steering Wheel. This unites the Group’s resources around our customers, people, operations, community and finance. The Steering Wheel operates at all levels throughout the Group. It enables the business to be operated and monitored on a balanced basis with due regard for all stakeholders.

Risk management
The Group maintains a Key Risk Register. The Register contains the key risks faced by the Group including their impact and likelihood, as well as the controls and procedures implemented to mitigate these risks. The content of the Register is determined through regular discussions with senior management and reviewed by the Executive Committee and the full Board. A balanced approach allows the degree of controllability to be taken into account when we consider the effectiveness of mitigation, recognising that some necessary activities carry inherent risk which may be outside the Group’s control. Where our risk management process identifies opportunities to improve the business these are built into our future plans.

The risk management process is cascaded through the Group with operating subsidiary boards maintaining their own risk registers and assessing their own control systems. The same process also applies functionally in those parts of the Group requiring greater oversight. For example, the Audit Committee’s Terms of Reference require it to oversee the Finance Risk Register. The Board assesses significant Social, Ethical and Environmental (SEE) risks to the Group’s short-term and long-term value, and incorporates SEE risks on the Key Risk Register where they are considered material or appropriate.

We recognise the value of the ABI Guidelines on Responsible Investment Disclosure and confirm that, as part of its regular risk assessment procedures, the Board takes account of the significance of SEE matters to the business of the Group. We recognise that a number of investors and other stakeholders take a keen interest in how companies manage SEE matters and so we report more detail on our SEE policies and approach to managing material risks arising from SEE matters and the KPIs we use at www.tesco.com/cr2010. To provide further assurance, the Group’s Corporate Responsibility KPIs are audited on a regular basis by Internal Audit.

Internal controls
The Board is responsible for the Company’s system of internal control and for reviewing the effectiveness of such a system. We have a Group-wide process for clearly establishing the risks and responsibilities assigned to each level of management and the controls which are required to be operated and monitored. The CEOs of subsidiary businesses are required to certify by way of annual governance returns that appropriate governance and compliance processes have been adopted. For certain joint ventures, the Board places reliance upon the internal control systems operating within our partners’ infrastructures and the obligations upon partners’ boards relating to the effectiveness of their own systems.

Such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement or loss. The Board has reviewed the effectiveness of internal controls and is satisfied that the controls in place remain appropriate.

Monitoring
The Board oversees the monitoring system and has set specific responsibilities for itself and the various committees as set out below. Both Internal Audit and our external auditors play key roles in the monitoring process, as do several other committees including the Finance Committee, Compliance Committee and Corporate Responsibility Committee. The Minutes of the Audit Committee and the various other committees (Finance, Compliance and Corporate Responsibility Committees) are distributed to the Board and each Committee submits a report for formal discussion at least once a year. These processes provide assurance that the Group is operating legally, ethically and in accordance with approved financial and operational policies.

Audit Committee
The Audit Committee reports to the Board each year on its review of the effectiveness of the internal control systems for the financial year and the period to the date of approval of the financial statements. Throughout the year the Committee receives regular reports from the external auditors covering topics such as quality of earnings and technical accounting developments. The Committee also receives updates from Internal Audit and has dialogue with senior managers on their control responsibilities. It should be understood that such systems are designed to provide reasonable, but not absolute, assurance against material misstatement or loss.

Internal Audit
The Internal Audit department is fully independent of business operations and has a Group-wide mandate. It undertakes a programme to address internal control and risk management processes with particular reference to the Turnbull Guidance. It operates a risk-based methodology, ensuring that the Group’s key risks receive appropriate regular examination. Its responsibilities include maintaining the Key Risk Register, reviewing and reporting on the effectiveness of risk management systems and internal control with the Executive Committee, the Audit Committee and ultimately to the Board. Internal Audit facilitates oversight of risk and control systems across the Group through risk committees in Asia and Europe and audit committees in a number of our international businesses and joint ventures. The Head of Internal Audit also attends all Audit Committee meetings.

External audit
PricewaterhouseCoopers LLP, who have been the Company’s external auditor for a number of years, contributes a further independent perspective on certain aspects of our internal financial control systems arising from its work, and reports to both the Board and the Audit Committee. Our policy in relation to the reappointment of the external auditors is to consider their engagement and independence annually.

The Committee has satisfied itself that PricewaterhouseCoopers LLP is independent and there are adequate controls in place to safeguard its objectivity. One such measure is the non-audit services policy that sets out criteria for employing external auditors and identifies areas where it is inappropriate for PricewaterhouseCoopers LLP to work. Non-audit services work carried out by PricewaterhouseCoopers LLP is predominantly the review of subsidiary undertakings’ statutory accounts, transaction work and corporate tax services, where their services are considered to be the most appropriate. PricewaterhouseCoopers LLP also follows its own ethical guidelines and continually reviews its audit team to ensure its independence is not compromised.

Finance Committee
Membership of the Finance Committee includes Non-executive Directors with relevant financial expertise, Executive Directors and members of senior management. The Committee is chaired by Sir Terry Leahy, CEO. The Committee usually meets twice a year and its role is to review and agree the Finance Plan on an annual basis, review reports of the Treasury and Tax functions and to review and approve Treasury limits and delegations.

Compliance Committee
Membership of the Compliance Committee includes three Executive Directors and members of senior management. The Committee is chaired by Lucy Neville-Rolfe, Corporate and Legal Affairs Director. The Committee normally meets six times a year and its remit is to ensure that the Group complies with all necessary laws and regulations and other compliance policies in all of its operations world-wide. The Committee has established a schedule for the regular review of operational activities and legal exposure. Each business in the Group has a Compliance Committee designed to ensure compliance with both local and Group policies, and each Compliance Committee reports to the Group Compliance Committee at least once a year.

Corporate Responsibility Committee
The Corporate Responsibility Committee is chaired by the Corporate and Legal Affairs Director, Lucy Neville-Rolfe and membership is made up of senior executives from across the Group. It meets at least four times a year to support, develop and monitor policies on SEE issues and to review threats and opportunities for the Group. Progress in developing Community initiatives is monitored by the use of relevant KPIs for the businesses within the Group. The Board formally discusses the work of the Committee on a regular basis, including progress in implementing our Community Plan.

The Corporate and Legal Affairs department and the Trading Law and Technical department provide assurance and advice on legal compliance, health and safety, and SEE matters. These functions report on their work on a regular basis and escalate matters as appropriate.

Whistleblowing
The Group operates a whistleblowing policy and has a confidential ‘Protector Line’ service accessible to concerned employees where they can report, anonymously if necessary, on issues of malpractice within the business. Such issues include illegal and unethical behaviour such as fraud, dishonesty and any practices that endanger our staff, customers or the environment.

Complaints made are treated as confidential and are investigated. Where appropriate, matters will be escalated to the Director of Group Security for further action.

Management
In our fast moving business, trading is tracked on a daily and weekly basis, financial performance is reviewed weekly and monthly and the Steering Wheel is reviewed quarterly. Steering Wheels are operated in business units across the Group and reports are prepared of performance against target KPIs covering the five segments of the Steering Wheel (Customer, Operations, Community, People and Finance) on a quarterly basis, enabling management to measure performance. All major initiatives require business cases normally covering a minimum period of five years.

Post-investment appraisals, carried out by management, determine the reasons for any significant variance from expected performance.

Back to top