Risk management

The Board accepts responsibility for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. There is an ongoing internal process for identifying, evaluating and managing significant risks faced by the Group that is regularly reviewed by the Risk Committee, the Executive Committee, the Audit Committee and then by the Board. This process has been in place throughout the year and up to the date of this report.

The Risk Committee is responsible for advising the Executive Committee and the Audit Committee on the co-ordination and prioritisation of risk management issues throughout the Group and developing a risk management strategy; ensuring that the Board's risk policy is implemented throughout the Group through effective development and review of risk registers, mitigation plans and insurance policies and promoting risk awareness at all levels.

A risk management strategy encompassing risk assessment and risk treatment has been adopted with the key objective to ensure that risk management is an integral part of the strategic and operational management decision-making, planning and implementation process. Risk appetite and tolerance have been reviewed and agreed by the Board and will be considered annually and monitored as appropriate. The Group's Strategic Plan is reviewed annually at an off-site meeting involving the Board and the Executive Committee. An annual budget is prepared by each of the operating divisions of the Group and this is consolidated into a Group budget, which is reviewed and approved by the Board.

Our Risk management framework

Top down

Oversight, identification, assessment and mitigation of risk at corporate level

The Board

  • Has overall responsibility for the Group's risk management
  • Determines the nature and extent of risk it is willing to take in achieving strategic objectives
  • Reviews, agrees and monitors risk appetite and tolerance
  • Provides direction on the importance of risk management to create a strong, risk aware control environment

Executive Committee

  • Assesses and mitigates risks throughout the Group
  • Monitors risk management processes and controls

Audit Committee

  • Assists the Board in reviewing the adequacy and effectiveness of the Group's internal controls and risk management systems

Risk Committee

  • Advises the Executive Committee and Audit Committee on risk management issues
  • Implements the Board's risk policy through effective development and review of risk registers, mitigation plans and insurance policies, and promoting risk awareness at all levels

Internal audit

  • Advises the Risk Committee on the effectiveness of internal controls and risk management procedures
  • Recommends improvements in control processes and monitors management's implementation of these

Operational level

  • Identify, assess and mitigate risks across the business
  • Implement the Group's internal controls
  • Culture of risk awareness embedded at operational level

Bottom up

Identification, assessment and mitigation of risk at divisional level and across functional areas

Introduction to principal risks

Our internal controls include risk management processes to identify principal risks and, where possible, to manage those risks through systems and processes and by implementing specific mitigation strategies. The most significant risks identified through our progressive review of the risk register that could materially affect the Group's ability to achieve its financial and operating objectives are summarised in this section. Other risks are either unknown or deemed less material.

Regulatory / Legal risk:
The Group must comply with certain laws and regulations in different jurisdictions and regulated markets. This includes operating API and other manufacturing facilities and meeting the obligations within the scope of environmental and health and safety regulations. There are a number of risks including reputational damage, penalties and fines should we fail to comply.
A strong regulatory compliance regime is in place, which includes regular reviews and audits by both regulatory bodies and customers. The Group has an internal legal team and engages external specialists on national laws in the jurisdictions concerned. There are specific whistleblowing, anti-corruption and anti-bribery policies which all employees are required to comply with. Bribery Act training is given to employees.
Reliance upon key customers / products:
Both Aesica and Bespak have a degree of reliance on a relatively small number of key customers/products and the loss of one such customer/product could lead to a significant reduction in revenues and profitability.
The Group has significant Intellectual Property with associated barriers to entry. Regulatory licensing reduces customers' ability to transfer business elsewhere and the Group seeks to enter into long-term supply agreements where appropriate. The Group's strategy of diversification has provided a broader range of products and customers to reduce customer and product concentration.
Growth / Acquisition risk:
Delivery of organic growth carries the risk of execution due to allocation of resources and new areas of expertise. Failure to successfully execute or attain strategic objectives from the Group's acquisitions may adversely affect the Group's financial performance and position.
The Group has risk based planning processes that provide good visibility of anticipated resource requirements. The Board reviews potential acquisitions against a defined set of criteria, engages qualified advisors and ensures appropriate due diligence is performed before approving any transaction.
Major operational incident:
A major incident (e.g. fire or chemical spill) at a manufacturing site may result in the disruption to a key supply chain and loss of assets, revenues and profit.
Where possible, manufacturing is split into discrete buildings for separate operations providing some level of isolation. Critical plant risk and remediation assessments are completed at each manufacturing site, and business continuity plans are also in place.
Product quality failure:
The Group operates in highly regulated markets with strict quality requirements. Any quality failure involving the Group's products could lead to loss of reputation, reduction in revenues, recall costs or sanction by the regulators.
The Group has rigorous quality management and assurance systems and processes. Any issues are tracked and reported to ensure that there is early communication with customers and regulatory bodies regarding any quality audits.
Human resources / People:
The Group relies heavily on recruiting and retaining talented employees with a diverse range of skills and capabilities to meet its strategic objectives. An inability to attract and retain such employees could have a considerable impact on our success. In addition, we have completed some streamlining of the business during the year which has involved a number of positions becoming redundant.
Remuneration packages are reviewed on an annual basis in order to ensure the Group continues to attract and retain its employees. The Group is also committed to working on improving drivers of engagement, such as increasing employees' understanding of our strategy, performance and core values. We have completed the restructuring exercises professionally with appropriate consultation with those affected.
Development risk:
At any time, any of the Group's products may fail in clinical trials, be withdrawn by the customer or may not become commercially successful once launched.
The Group follows rigorous processes for the development of new products. Where possible, Bespak is developing its device technology as a platform for multiple programmes to reduce the exposure to any individual trial. Aesica's development services are on a fee per project basis, with the majority of its revenues coming from manufacturing services.
Pension schemes:
The Group operates a number of defined benefit pension schemes. Changes to the valuation of the pension deficit can impact the level of distributable reserves and the ability to make distributions. Macroeconomic factors may result in substantial increases in the Group's pension deficit, which could affect its ability to make future distributions.
The Group monitors distributable reserves prior to key reporting periods and these are reported within the Board dividend paper. There is open dialogue with the Pension Trustees to ensure that pension schemes are adequately funded. The most recent Triennial Valuation of the Bespak Pension Scheme has been completed and the deficit recovery funding requirements agreed.
Political/Socio-economic risk (Impact of Brexit):
The Group operates in a number of countries and is therefore subject to political and socio-economic risks which may impact both operational and financial performance.
The Group continually reviews political and economic policy changes in both the UK and global markets, including results of the ongoing Brexit negotiations, and assesses if there is any impact on the business by providing legal updates to the Board and the Executive Committee.
Financial risks:
The Group faces a number of finance risks which include currency, liquidity, funding and interest rates.
Currency exposures are reviewed on a monthly basis and a hedging strategy is in place. Committed debt facilities are in place until September 2019 and the Group anticipates renewing its banking facility in advance of this expiry date.
IT / Cyber:
The Group is dependent on information technology: its systems and infrastructure face certain risks, including service disruptions and the loss or theft of sensitive or confidential information, due to the inherent risks involved and the continued threat of cyber-crime.
The Group has a dedicated IT department who monitor and review access security; ensure that there are regular backups of confidential information and data; perform disaster recovery procedures when required; and manage investment in the Group's IT infrastructure.
Corporate Social Responsibility:
Our manufactured products or other activities/decisions of the Group may not be judged by the public, governments or other stakeholders as being socially responsible, leading to reputational harm.
The Group's Corporate Responsibility Committee meets regularly, and is responsible for reviewing new programmes, assisting with resourcing and ensuring alignment to the overall Group strategy.

Key: Risk increase Risk decrease Risk unchanged