Internal control and risk management

In accordance with the FRC ‘Guidance on Risk Management, Internal Control and Related Financial Business Reporting’ the Board recognises that it is responsible for the Group’s system of internal control and risk management. The system has been designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.

This system has continued to operate throughout the COVID-19 pandemic. The Board has embedded a continuous process for identifying, evaluating and managing the Group’s significant risks, including risks arising out of Bodycote’s corporate and social engagement. The Board’s monitoring covers all significant strategic, financial, operational and compliance risks. It is based principally on reviewing reports from management and from Internal Audit (IA) to consider whether any significant failings or weaknesses are promptly remedied or indicate a need for more extensive monitoring. The Audit Committee assists the Board in discharging these review responsibilities. The emerging risk review, based around horizon scanning, has explored what the future might look like and seeks to identify early warning signals. These emerging risks are characterised by their high level of uncertainty both in terms of likelihood and potential impact and are therefore more difficult to manage or mitigate. Risks that have been considered by the Board have included:

• COVID-19 – the long-term effect of this and other possible pandemics
• Geopolitical risks – increased international tensions and tariffs
• Move to electric vehicles

The Board is satisfied that the Group maintains an effective system of internal controls and that there were no significant failings or weaknesses in the system. The system was in operation throughout 2020 and continues to operate up to the date of the approval of this report. The key elements of the Group’s system of internal control that is monitored by the Board includes:

• Key financial, legal and compliance policies that apply across the Group including: Detailed Financial Policies, Group Authority Matrix, Anti-Bribery and Anti-Corruption, Anti-Slavery and Human Trafficking, Core Values and Code of Conduct.
• A comprehensive financial planning, accounting and reporting framework.
• Bodycote has engaged BDO to monitor and assist in improving the Group’s internal control system. IA reviews are conducted on the basis of a risk-based plan approved annually by the Audit Committee. As a result of COVID-19, this plan was revised during 2020 and re-approved by the Audit Committee. The revised plan took account of the various national and regional restrictions impacting the ability
  of auditors to visit Bodycote locations. To provide assurance on the continued operation of controls, financial control self-assessments (CSA) have been developed and implemented in each division. The results of these CSA have been verified by IA using video technologies. Other risk-based reviews have been conducted using techniques such as remote data analytics to provide assurance of the controls operating in the shared service centres and accounting centres. The findings and recommendations from IA are reported on a regular basis to the Executive and Audit Committees.
• An annual internal control self-assessment, with management certification, is undertaken by every Bodycote plant. The assessment covers the effectiveness of key financial, compliance and selected operational controls. The results are validated by IA through spot checks and are reported to the Executive and Audit Committees.
• The Chief Financial Officer, Group Financial Controller, President and Vice President of Finance for each division sign a letter of representation annually. This is to confirm the adequacy of their systems of internal controls, their compliance with Group Core Values and Group Policies, relevant laws and regulations, and that they have reported any control weaknesses and actual, or attempted, frauds or thefts through the Group’s assurance processes.
• A Group-wide risk register and assurance map is maintained throughout the year to identify the Group’s key strategic and operational risks. Any changes to these risks during the year are promptly reported to the Executive Committee and the Board.

During 2020, in compliance with provision 29 of the Code, management performed an assessment of its risk management processes for the purpose of this Annual Report. Management’s assessment, which has been reviewed by the Audit Committee and the Board, included a review of the Group’s key strategic, operational and emerging risks. The review was based on work performed by the Group Head of Risk and the Group’s Sustainability and Risk Committee (by means of workshops, interviews, investigations, and by reviewing departmental or divisional risk registers). These risks have been reviewed throughout the year and three new key risks have been added for 2020: contract review, equipment downtime and loss of key accreditations. Two risks previously reported as key are no longer considered as such: capital projects and the loss of key customers. Further information regarding the ways in which the principal business risks and uncertainties affecting the Group are managed is shown on pages 29 to 33of the annual report.

By order of the Board:

U.S. Ball
Group Company Secretary
12 March 2021
Springwood Court Springwood Close
Tytherington Business Park
Macclesfield
Cheshire SK10 2XF