Risk Management and Internal Control

The Audit Committee acknowledges its responsibilities for the Group’s risk management and internal control systems and its duty to facilitate the identification, assessment and management of risk, and the protection of Group assets and shareholder investments. The Committee also acknowledges that it is responsible for providing a return to shareholders, consistent with responsible assessment and mitigation of risks.

All business areas of the Group prepare annual operating plans and budgets and these are regularly reviewed and updated as necessary throughout the year. Performance against budget is monitored centrally and at operational level. The cash position of the Group is monitored daily and variances from expected levels are thoroughly investigated.

Clear guidelines are in place for capital expenditure and investment decisions. These include budget preparation, appraisal and review procedures and delegated authority levels.

Effective controls ensure that the Group’s exposure to avoidable risk is minimized and that proper accounting records are maintained, financial information used within all business areas is reliable and up-to-date, and the financial reporting processes comply with relevant regulatory reporting requirements.

The Company has in place internal controls and risk management systems in relation to the Company’s financial reporting process for preparation of consolidated accounts. These systems include policies and procedures that relate to the maintenance of records which accurately and fairly reflect transactions, provide reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements, require representatives of the Company to certify that their reported information gives a true and fair view of the state of affairs of the business and its results for the period, and review and reconcile reported data.

Management accounts are reviewed by senior management and the Board. Performance against budget and forecasts is discussed at Committee and Board meetings, including key performance indicators covering all areas of the business. The adequacy of key performance indicators is reviewed regularly.

It should be recognized that all control processes are designed to manage, rather than eliminate, the risk of assets being unprotected and guard against their unauthorized use, culminating in the failure to achieve business objectives. Internal controls will only provide reasonable and not total assurance against material misstatement or loss.

Accordingly, the Committee confirms there is a process for identifying, evaluating and managing risks faced by the Group and the operational effectiveness of the appropriate controls, all of which have been in place throughout the year and up to the date of approval of the 2016 Annual Report and Accounts.

Reviewing the effectiveness of internal control

As referred to above, throughout the financial year the Board, through the Committee and assisted by the Internal Audit function, reviews the effectiveness of internal control and the management of risk. The Internal Audit function reports into the

Committee and has authority to review any relevant part of the Company or its business and has a planned schedule of reviews that coincide with the Company’s risks. In addition to financial and business reports, the Committee has reviewed

medium- and longer-term strategic plans, reports on key operational issues, tax, treasury, risk management, legal matters and Committee reports, including Internal and External Auditors’ reports.