Internal control & risk management

Risk management and internal controls accountabilities

Accepting that risk is an inherent part of doing business, our risk management systems are designed both to encourage entrepreneurial spirit and also provide assurance that risk is fully understood and managed. The Board has overall responsibility for risk management and internal control with the context of achieving the Groups objectives. Executive management is responsible for implementing and maintaining the necessary control systems. The role of Internal Audit is to monitor the overall internal control systems and report on their effectiveness to Executive management, as well as to the Audit Committee, in order to facilitate its review of systems.

Background

The Group has a five-year rolling business plan to support the delivery of its strategy of long term growth and returns for shareholders. Every business unit and support function derives its objectives from the five-year plan and these are cascaded to managers and staff by way of personal objectives. Key to delivering effective risk management is ensuing our people have a good understanding of the Groups’ strategy and our policies, procedures, values and expected performance. We have a structured internal communications programme that provides employees with a clear definition of the Group’s purpose and goals, accountabilities and the scope of permitted activities for each business unit, as well as individual line managers and other employees. This ensures that all our people understand what is expected of them and that decision-making takes place at the appropriate level.

We recognise that our people may face ethical dilemmas in the normal course of business so we provide clear guidance based on the Tesco Values. The Values set out the standards that we wish to uphold in how we treat people. These are supported by the Group Code of Ethics which offers guidance on relationships between the Group and its employees, suppliers and contractors. The Company is a signatory for the DTI Code of Conduct and met its obligations for implementing the Code for the financial year ended 23 February 2008.

We operate a balanced scorecard approach which is known within the Group as our Steering Wheel. This unites the Group’s resources around our customers, people, operations, community and finance. The scorecard operates at every level within the Group, from ground level business units, through to country level operations. It enables the business to be operated and monitored on a balance basis with due regard for all stakeholders.

Risk Management

The Group maintains a Key Risk Register. The register contains key risks faced by the Group including their impact and likelihood as well as the controls and procedures implemented to mitigate these risks. The content of the Register is determined through regular discussions with senior management and review by the Executive Committee and the full board. A balanced approach allows the degree of controllability to be taken into account when we consider the effectiveness of mitigation recognising that some necessary activities carry inherent risk which may be outside the Group’s control. Our risk management process recognises there are opportunities to improve the business to be built into our future plans.

The risk management process is cascaded through the Group with every international CEO and local boards maintaining their own risk registers and assessing their control systems. The same process also applies functionally to those parts of the Group requiring greater overview. For example, the Audit Committee’s Terms of Reference require it to oversee the Finance Risk Register. We also have a Corporate Responsibility Risk Register which specifically considers SEE risks. Oversight of these risks is the responsibility of the Corporate Responsibility Committee. The Board assesses the significant SEE risks to Group’s short-term and long-term value, and incorporates SEE risks on the Key Risk Register where they are considered material or appropriate.

We recognise the value of the ABI Guidelines on Responsible Investment Disclosure and confirm that, as part of its regular risk assessment procedures, the Board takes account of the significance of SEE matters to the business of the Group. We recognise that a number of investors and other stakeholders take a keen interest in how companies manage SEE matters and so we report more detail on our SEE policies and approach to managing material risks arising from SEE matters and the KPIs we use both on our website (www.tesco.com) and in our Annual Corporate Responsibility Review 2008 (www.tesco.com/crreview08) To provide further assurance, the Group’s Corporate Responsibility KPIs are audited on a regular basis by Internal Audit.

Internal controls

Accountability for managing risk at an operational level sits with management. We have a Group-wide process for clearly establishing the risks and responsibilities assigned to each level of management and the controls which are required to be operated and monitored.

The CEOs of subsidiary businesses are required to certify by way of annual statements of assurance that the Board’s governance policies have been adopted both in practice and in spirit. For certain joint ventures, the Board places reliance upon the internal control systems operating within our partners; infrastructure and the obligations upon partners’ boards relating to the effectiveness of their own systems.

The Board acknowledges that it is responsible for the Company’s system of internal controls and for reviewing the effectiveness of the system. Such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement or loss.

The Board has conducted a review of the effectiveness of internal controls and is satisfied that the controls in place remain appropriate.

Monitoring

The Board oversees the monitoring system and has set specific responsibilities for itself and various Committees as set out below. The minutes of the Audit Committee and the various non-statutory Committees (Finance, Compliance and Corporate Responsibility Committees) are distributed the Board and each Committee submits a report for formal discussion at least once a year. These all provide assurance that the Group is operating legally, ethically and in accordance with approved financial and operational policies. We noted the updates to the Turnbull Guidance and keep under review how the Turnbull Guidance has been applied. In addition, both Internal Audit and our external auditors play key roles in the monitoring process, as do several non-statutory Committees: the Finance Committee, Compliance Committee and Corporate Responsibility Committee.

Audit Committee

Annually, t he Audit Committee reports to the Board on its review of the effectiveness of the internal control systems for the accounting year and the period to the date of approval of the financial statements. Throughout the year the Committee also receives regular reports from its external auditors covering topics such as quality of earnings and technical accounting developments. The Committee also receives updates from Internal Audit and has dialogue with senior managers on their control responsibilities. It should be understood that such systems are designed to provide reasonable, but not absolute, assurance against material misstatement or loss.

Internal Audit

The internal audit department is fully independent of business operations and has a Group-wide mandate. It operates a risk-based methodology, ensuring that the Group's key risks receive appropriate and regular examination. Its responsibilities include maintaining the Key Risk Register, reviewing and reporting on the effectiveness of risk management systems and internal control within the Executive Committee, the Audit Committee and ultimately to the Board. Internal Audit facilitates oversight of risk and control systems across the Group through audit and compliance Committees in each of our international businesses and our joint ventures. The Head of Internal Audit also attends all Audit Committee meetings.

External Audit

PricewaterhouseCoopers LLP, the company's external auditors, contributes a further independent perspective on certain aspects of the internal financial control system arising from its work, and reports to both the Board and Audit Committee.

The engagement and independence of external auditors is considered annually by the Audit Committee before it recommends its selection to the Board. The Committee has satisfied itself that PricewaterhouseCoopers LLP is independent and there are adequate controls in place to safeguard its objectivity. One such measure is the requirement to rotate audit partners every five years. This year the Audit engagement partner, having served five years on the Tesco audit, has been rotated. We have a non-audit services policy that sets out criteria for employing external auditors and identifies areas where it is inappropriate for PricewaterhouseCoopers LLP to work. Non-audit services work carried out by PricewaterhouseCoopers LLP is predominantly the review of subsidiary undertakings’ statutory accounts, transaction work and corporate tax services. PricewaterhouseCoopers LLP also follow their own ethical guidelines and continually review their audit team to ensure their independence is not compromised.

Finance Committee

Membership of the Finance Committee, which is a not a statutory committee, includes Non-executive Directors with relevant financial expertise, Executive Directors and members of senior management. The Committee usually meets twice a year. Its role is to review and agree the Finance Plan on an annual basis, to review reports of the Treasury and Tax functions, and to review and approve Treasury limits and delegations.

Compliance Committee

Membership of the Compliance Committee, which is not a statutory Committee, includes three Executive Directors and members of senior management. The Committee normally meets six times a year and its remit is to ensure that the Group complies with all necessary laws and regulations in all of its operations worldwide. The Committee has established a schedule for the regular review of operational activities and legal exposure. Each international business in the Group has a local compliance committee designed to ensure compliance with local laws and regulations as well as Group compliance policies, and each country compliance committee reports to the Group Compliance Committee on a regular basis.

Corporate Responsibility Committee

The Committee, which is not a statutory Committee, is chaired by the Corporate and Legal Affairs Director and membership is made up of senior executives from across the Group. It meets at least four times a year to support, develop and monitor policies on SEE issues, reviewing threats and opportunities for the Group. Progress in developing Community initiatives is monitored by the use of relevant KPIs in the UK and our international businesses. The Board formally discusses the work of the Committee on a regular basis, including progress in implementing our Community Plan.

The Corporate and Legal Affairs department and the Trading Law and Technical department provide assurance and advice on legal compliance, health and safety, and SEE matters. These functions report on their work on a regular basis and escalate matters as appropriate.

Management

In our fact moving business, trading is tracked on a daily and weekly basis, financial performance is reviewed weekly and monthly, and the Steering Wheel is reviewed quarterly. Steering Wheels are operated in business units across the Group, and reports are prepared of performance against target KPIs on a quarterly basis enabling management to measure performance.

All major initiatives require business cases normally covering a minimum period of five years. Post-investment appraisals, carried out by management, determine the reasons for any significant variance from expected performance.

Back to top