Annual Report and Accounts 2014

 

Risk Report

Risk Management

The Board of DCC is responsible for the Group’s risk management and internal control systems, which are designed to identify, manage and mitigate potential material risks to the achievement of the Group’s strategic and business objectives.

The Board has approved a Risk Management Policy which sets out delegated responsibilities and procedures for the management of risk across the Group.

It has also approved a Risk Appetite Statement specifying the levels of risk that the Group is prepared to accept in key areas of activity. This Statement informs the internal controls that are maintained in those areas.

The Board reviews the Risk Management Policy and Risk Appetite Statement at least annually to ensure that they remain current.

The Board recognises that the effective management of risk requires the involvement of people at every level of the organisation and seeks to encourage this through a culture of open communication in addition to the operation of formal risk management processes.

The framework in place to achieve this objective and the roles and responsibilities of the key elements of the framework are set out below.

Framework+-

The risk management framework has been designed using a ‘three lines of defence’ model. The first line comprises subsidiary and divisional management, who have day- to-day responsibility for designing, implementing and maintaining effective internal controls within the individual subsidiaries and divisions. The second line comprises Group oversight functions who provide expertise in regard to the management of specific risks. The third line of defence principally comprises Group Internal Audit and also includes the external auditors and specialist third party auditors/regulators.

185382.png

Roles & Responsibilities+-

The detailed roles and responsibilities assigned as part of the risk management and control framework are summarised below:

Board

The Board is responsible for the Group’s Risk Management Policy and for determining the Risk Appetite Statement of the Group. The Board is also required to report on the annual review of the effectiveness of risk management and internal control systems.

Audit Committee

The Audit Committee is responsible for assisting the Board by taking delegated responsibility for risk identification and assessment and for reviewing the Group’s risk management and internal control systems and making recommendations to the Board thereon. It fulfils its responsibilities by reviewing regular reports from Group Internal Audit and from second line providers, in particular the Executive Risk Committee, Group Health, Safety and Environmental ('HSE') and Group Compliance.

The Chairman of the Audit Committee reports to the Board at each Board meeting on its activities, both in regard to audit matters and risk management.

The Audit Committee also reports to the Board on the detailed work done by management in respect of the annual assessment of the operation of the Group’s system of risk management and internal control.

The activities of the Audit Committee are set out in detail in its report on this page.

Executive Risk Committee

The Executive Risk Committee is chaired by the Chief Executive and comprises senior divisional and Group management. Its responsibilities are to analyse on a continuous basis the principal risks facing the Group, the controls in place to manage those risks and the related monitoring procedures and to consider any changes in business strategy which impact on the Group’s risk environment and material risks and controls.

The Executive Risk Committee maintains the Group Risk Register and the Integrated Assurance Report and reports on changes to these to the Audit Committee. The Group Risk Register process is detailed in this report.

The Executive Risk Committee also evaluates all reports prepared by Group Internal Audit, Group HSE and Group Compliance and ensures prompt action is taken to address control weaknesses highlighted by these reports, prior to these reports being considered by the Audit Committee.

Group Oversight Functions

These functions include Group HSE, Group Compliance and Group Finance, which comprises finance, taxation and treasury.

The Group HSE function has in place a risk based HSE audit programme which provides independent assurance on the key HSE management processes (for example leadership, risk assessment and learning from events) that are in place in the Group’s businesses. The Group HSE function also supports divisional HSE committees in setting objectives, reviewing HSE risk registers and developing appropriate HSE standards.

The Group Compliance function is responsible for ensuring that each Group subsidiary has identified its material compliance risks, in particular legal and regulatory risks, and maintains effective controls in respect of these risks. Controls in this context will include policies, procedures and training.  These controls are supported by a clear ‘tone from the top’ from both the business and the Group. Compliance audits are conducted to ensure that controls are being followed and are operating effectively.

Group Internal Audit

Group Internal Audit is responsible for reviewing the risk management and internal control processes and identifying areas for improvement and providing independent and objective assurance on risk matters to senior management and the Audit Committee. Group Internal Audit develop a risk-based internal audit programme, which is approved by the Audit Committee.

Risk Register Process+-

A risk register template, pre-populated with the most relevant risks covering strategic, operational, financial and compliance areas, has been developed. These risk registers are completed at all levels of the Group with the impact and probability of occurrence for each risk determined and scored at both a gross (before mitigation) and net (after mitigation) basis. A risk scoring matrix is used to ensure a consistent approach is taken when completing the probability and impact assessments. New or emerging risks are added to the risk register as they are identified and the template is formally reviewed and updated at least annually.

Subsidiary

Each subsidiary is required to maintain a risk register, which is reviewed and updated for submission to divisional management twice a year, following formal review and approval by the subsidiary board.

Division

Subsidiary risk registers are reviewed to update the divisional risk registers, which are approved by the divisional boards and submitted to the Executive Risk Committee twice a year.

Group

The Group Risk Register is maintained by the Executive Risk Committee and updated to reflect any significant changes noted in the reviews of divisional risk registers. It is then reviewed and formally approved by the Audit Committee and the Board.

An Integrated Assurance Report (‘IAR’) is maintained to identify the assurance activities planned for the forthcoming year, across the three lines of defence, which are intended to address the key risks and emerging risks identified by the risk register process. The IAR is updated and discussed by the Executive Risk Committee before being formally presented to the Audit Committee and Board.

Reporting+-

Formal risk reporting timetables and structures are in place across the Group and in particular from the Executive Risk Committee and the second line of defence functions to the Audit Committee, by way of the Governance, Risk and Compliance report, and from Group Internal Audit to the Audit Committee.

This facilitates full, comprehensive reporting by the Audit Committee to the Board.

Principal Risks and Uncertainties

The principal risks and uncertainties facing the Group in the short to medium term are set out below, together with the principal mitigation measures. This is not an exhaustive statement of all relevant risks and uncertainties. Matters which are not currently known to the Board or events which the Board considers to be of low likelihood could emerge and give rise to material consequences.

The mitigation measures that are maintained in relation to these risks are designed to provide a reasonable and not an absolute level of protection against the impact of the events in question.

Risk and Impact

Principal Mitigation Measures


Legislation and regulation

 

DCC's operations across five divisions in thirteen countries must comply with a broad range of legal and regulatory requirements which are subject to changes as well as increasing levels of enforcement.  Failure to comply clearly with applicable legal or regulatory obligations could result in enforcement action, legal liabilities, costs and damage to the Group’s reputation.

 

All Group subsidiaries have recorded their key legal and regulatory obligations and the controls they have in place to ensure those obligations are met. Primary responsibility for compliance rests with subsidiary management, who are supported by the Group Compliance function which provides detailed support on legal and regulatory issues and audits compliance across the Group.

Health, safety and environmental

 

The principal health & safety and environmental risks faced by the Group relate to:

  • fire, explosion or multiple vehicle accident resulting in one or more fatalities;
  • poor product quality control requiring activation of our product recall procedures;
  • an incident resulting in significant environmental damage or compliance breach; and
  • a HSE or security event requiring the activation of our crisis management plan and / or business continuity plans.

Such risks may give rise to legal liability, significant costs and damage to the Group’s reputation.

All Group subsidiaries operate health, safety and environmental (HSE) management systems appropriate to the nature and scale of their risks. Within the Energy division in particular there is a strong focus on process safety and ongoing communication with the relevant safety authorities.


All manufacturing and product processing facilities operate quality management systems, which are subject to regulatory review and licencing requirements. Quality assurance processes are in place to ensure finished products are produced in accordance with regulatory requirements and applicable specifications. External independent resources are engaged where additional assurance is required.


Emergency response and business continuity plans are also in place to minimise the impact of any significant incidents that take place.


Inspection and auditing processes are in place in relation to HSE management systems. These checks are conducted by the subsidiaries in question, by the Group HSE function and by external assurance providers, as appropriate.


Insurance cover is maintained at Group level for all significant insurable risks.

 

Key supplier & customer relationships

 

Certain Group subsidiaries derive a significant part of their revenue from key suppliers and customers and the loss of any of those relationships would have a material financial impact on that subsidiary.

 

The Group as a whole trades with a very broad supplier and customer base. Close commercial relationships exist with all our suppliers and customers and there is a constant focus on providing a value added service to them.

Strategic growth / Change management

 

A failure to identify, execute or properly integrate acquisitions, change management programmes or other growth opportunities could impact on profit targets and impede the strategic development of the Group.

Group and divisional management teams engage in a continuous and active review of potential acquisitions. All potential acquisitions are subject to an assessment of their ability to generate a return on capital employed well in excess of the cost of capital and their strategic fit within the Group.


The Group conducts a stringent internal evaluation process and external due diligence prior to completing any acquisition. Group and subsidiary management have significant expertise in, and experience of, integrating acquisitions.


Projects and change management programmes are resourced by dedicated and appropriately qualified internal personnel, supported by external expertise.

Crime

 

The Group is potentially subject to a variety of criminal threats including fraud, particularly in relation to payments, and theft of product.

The security of the Group’s IT and banking systems are subject to both external and internal review and are updated and improved as needed. Other internal controls against fraud are maintained in every subsidiary and are monitored at Group level. Suitable controls are in place against physical crime such as theft and vandalism.


The Group also maintains fidelity insurance in relation to risks in this area.

 

Information security

 

Maintaining adequate IT systems and infrastructure to support growth and development may be affected by:

  • accidental exposure or deliberate theft of sensitive information;
  • loss of service or system availability;
  • significant system changes or upgrades; and
  • cybercrime.

IT standards and policies have been subject to a comprehensive review and update project over the last two years to ensure they are in line with appropriate best practices.

Business continuity, IT disaster recovery and crisis management plans are in place and tested.

Dedicated IT personnel with the appropriate technical expertise are in place to oversee IT security. A dedicated IT audit resource was appointed during the current year providing independent assurance with respect to the IT control environment.

 

Access to credit

 

The continued growth and expansion of the Group’s operations increases demand for credit at a time when credit availability has become more restricted globally.

The Group’s financial position remains strong with significant cash resources and relatively long term debt maturities. There is a continued focus on working capital management, cash generation and managing supplier and customer relationships.

 

Talent management

 

The Group’s devolved management structure has been fundamental to the Group’s success. A failure to attract, retain or develop high quality entrepreneurial management throughout the Group will impede its strategic objectives.

The Group maintains a constant focus on this area with structured succession planning, management development and remuneration programmes, incorporating long and short term incentives, in place. A graduate recruitment programme has also been established.

These programmes are reviewed regularly by Group Human Resources, divisional management, the Chief Executive and the Board.

 

Weather

 

Demand for some of the products sold by the Group, most notably heating products sold by the Energy division, is directly related to weather conditions. The inherent uncertainty of weather conditions therefore presents a risk to profits generated by that division.

 

The Energy division is expanding its operations in the non-heating segments of the market, primarily in transport fuels (with a particular emphasis on retail petrol stations), in marine and in aviation.

 

Pricing

 

The Group is exposed to commodity cost price risk in its Energy division, in both its oil distribution and LPG distribution businesses. The ability to maintain margins by recovering these costs on a timely basis may be adversely impacted by external factors including changes to consumer spending, competition and regulations.

Commodity cost price movements are immediately reflected in oil commodity sales prices and within a short period in LPG commodity sales prices. Approved matching forward contracts and hedges are used where price movement exposures exist.