NCC Group plc
(the "Company" or the "Group")
Notice of Annual General Meeting 2021
The Company confirms that its Notice of Annual General Meeting 2021 ("AGM Notice") and its Annual Report and Accounts for the year ending 31 May 2021 ("Annual Report") have been posted or otherwise been made available to shareholders and published on the Investor Relations section of its website (www.nccgroup.com/investor-relations). The Annual General Meeting will be held at 2.00pm on Thursday 4 November 2021 at the Company's Head Office, XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.
Copies of the Annual Report and the AGM Notice have been submitted to the National Storage Mechanism and will shortly be available for inspection at https://www.fca.org.uk/markets/primary-markets/regulatory-disclosures/national-storage-mechanism
A condensed set of the Company's financial statements and extracts were included in the Company's preliminary results for the year ended 31 May 2021 released on 14 September 2021 (the "Preliminary Announcement"). The information included within the Preliminary Announcement together with the information set out below, which is extracted from the Annual Report, constitute the material required by Disclosure Guidance and Transparency Rule 6.3.5 to be communicated to the media in full unedited text through a Regulatory Information Service. This announcement and the Preliminary Announcement are not a substitute for reading the full Annual Report. Page numbers and cross-references in the extracted information below refer to page numbers and cross-references in the Annual Report. To view the Preliminary Announcement, please visit the Investor Relations section of the Company's website at www.nccgroup.com/investor-relations
Directors' responsibilities statement
The following statement is extracted from page 123 of the Annual Report and is repeated here for the purposes of Disclosure Guidance and Transparency Rule 6.3.5. This statement relates solely to the Annual Report and is not connected to the extracted information set out in this announcement or the Preliminary Announcement:
"Statement of Directors' responsibilities in respect of the Annual Report and Accounts and the Financial Statements
The Directors are responsible for preparing the Annual Report and Accounts and the Group and Parent Company Financial Statements in accordance with applicable law and regulations.
Company law requires the Directors to prepare Group and Parent Company Financial Statements for each financial year. Under that law they are required to prepare the Group Financial Statements in accordance with International Accounting Standards in conformity with the requirements of the Companies Act 2006 and applicable law and have elected to prepare the Parent Company Financial Statements on the same basis. In addition the Group Financial Statements are required under the Financial Conduct Authority's Disclosure Guidance and Transparency Rules (DTRs) to be prepared in accordance with International Financial Reporting Standards adopted pursuant to Regulation (EC) No 1606/2002 as it applies in the European Union ('IFRSs as adopted by the EU').
Under company law the Directors must not approve the Financial Statements unless they are satisfied that they give a true and fair view of the state of affairs of the Company and of the Group's profit or loss for that period. In preparing each of the Group and Parent Company Financial Statements, the Directors are required to:
· Select suitable accounting policies and then apply them consistently
· Make judgements and estimates that are reasonable, relevant and reliable
· State whether they have been prepared in accordance with International Accounting Standards in conformity with the requirements of the Companies Act 2006 and, as regards the Group Financial Statements, International Financial Reporting Standards adopted pursuant to Regulation (EC) No 1606/2002 as it applies in the European Union ('IFRSs as adopted by the EU')
· Assess the Group and Parent Company's ability to continue as a going concern, disclosing, as applicable, matters related to going concern
· Use the going concern basis of accounting unless they either intend to liquidate the Group or the Parent Company or to cease operations, or have no realistic alternative but to do so
The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the Parent Company's transactions and disclose with reasonable accuracy at any time the financial position of the Parent Company and enable them to ensure that its Financial Statements comply with the Companies Act 2006. They are responsible for such internal control as they determine is necessary to enable the preparation of Financial Statements that are free from material misstatement, whether due to fraud or error, and have general responsibility for taking such steps as are reasonably open to them to safeguard the assets of the Group and to prevent and detect fraud and other irregularities.
Under applicable law and regulations, the Directors are also responsible for preparing a Strategic Report, Directors' Report, Directors' Remuneration Report and Corporate Governance Statement that comply with that law and those regulations.
The Directors are responsible for the maintenance and integrity of the corporate and financial information included on the Company's website. Legislation in the UK governing the preparation and dissemination of Financial Statements may differ from legislation in other jurisdictions.
Responsibility statement of the Directors in respect of the annual financial report
We confirm that to the best of our knowledge:
· The Financial Statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and the undertakings included in the consolidation taken as a whole
· The Strategic Report includes a fair review of the development and performance of the business and the position of the issuer and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face
We consider the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group's position and performance, business model and strategy."
Principal risks and uncertainties
The principal risks and uncertainties relating to the Company are set out on pages 40 to 47 of the Annual Report from which the following is extracted in full and unedited text:
"Risk management
Risk is an inherent part of doing business and risk management is a fundamental part of good corporate governance. A successful risk management process balances risk and reward and is underpinned by sound judgement of their impact and likelihood. The Board has overall responsibility for ensuring that NCC Group has an effective risk management framework, which is aligned to our business objectives.
The Board has established a Risk Management Policy, which has established protocols, including:
· Roles and responsibilities for the risk management framework
· Risk scoring framework
· A definition of risk appetite
The integrated approach to risk management diagram summarises the Group's overall approach to risk management, which is supported by a web-based tool - the Integrated Risk Management System (IRMS). The tool is designed to follow the risk management model described in the next section and records both strategic and operational risk registers and tracks risk mitigation action plans, helping embed ownership of risks and treatment actions while also providing access to live management information, which is used at both a Board and operational management level.
NCC Group's approach to risk management
NCC Group adopts both a "top down" and "bottom up" approach to risk, to manage risk exposure across the Group to enable the effective pursuit of strategic objectives. The approach is summarised in the diagram on page 41.
The approach is one of collaboration, which supports our comprehensive approach to risk identification, from the "top down" and "bottom up". The Group believes that this is the most efficient and effective way to identify its business risks.
Top down
The Board, Audit Committee and Cyber Security Committee review risks on an ongoing basis and are supported by the Executive Committee and subject matter specialists (including Software Resilience, Assurance, information security, data protection and health and safety). The Board gives consideration to the Group's strategic objectives and any barriers to their achievement.
Bottom up
The Board and senior leadership team engage with colleagues at every level of the Group in recognition of the importance of their expertise, contribution and views. In relation to matters of wrongdoing, or risks not being recognised and adequately managed, the Group has a robust and effective whistleblowing procedure, which is supported by the Safecall reporting line.
Risk management model
The Board has overall responsibility for ensuring that NCC Group adopts an effective risk management model, which is aligned to our objectives and promotes good risk management practice. We have therefore adopted the model described in this section and summarised in the diagram above.
The Board, Audit Committee, Cyber Security Committee and Executive Team review risks on an ongoing basis throughout the year. The appropriateness and relevance of the risks and issues tracking system - IRMS - are monitored by the global governance team to ensure that it continues to be updated, meets the needs of the Group and remains in line with good risk management practice. In addition, there is a robust process in place for monitoring and reporting the implementation of agreed actions.
We are satisfied that the Risk Management Policy, framework and model currently in place are sufficient to manage risk across the Group.
The key areas of identifying, assessing, addressing and monitoring risks are explained in more detail below:
Identify
Risks exist within all areas of our business and it is important for us to identify and understand the degree to which their impact and likelihood of occurrence will affect the delivery of our key objectives. This is achieved through day-to-day working practices and incorporates risks in both the internal and external environment. Examples of identification include horizon scanning for legislative and market changes, operational and delivery reviews (such as SGT), procedures in relation to projects and change and independent systems audits.
All identified risks are initially assessed for their "inherent" risk (risk with no controls in place), using a scoring mechanism that accounts for the likelihood of an event occurring and the impact that it may have on the Group. The scoring mechanism adopted takes account of high impact, low likelihood events and these risks are managed in a timely manner.
In addition to ongoing risk identification, an annual exercise is undertaken to review the Group's strategic risk universe by the Board. This exercise is reliant on the "top down" "bottom up" approach discussed earlier.
Assess
Post identification of the Group's inherent risk exposure, a comprehensive assessment of the effectiveness of current mitigating controls is undertaken. This exercise takes account of the design of the current control environment and the application of these controls prior to assessing the Group's current exposure to risk - mitigated risk score. The Board uses a number of sources of information to support the scoring of risk and these include, but are not limited to:
· Management updates
· Action tracking and reporting
· Control environment policies and procedures
· Independent audit activity
· Project monitoring reports
Address
Having identified and assessed the risks faced by the Group, the risks are scored according to likelihood of occurring and impact to the business should they occur. The risks are then mapped according to their rating onto a risk heat map, which reflects the Group's overall risk appetite set by the Board. The Group's Risk Management Policy then provides guidance on the expected level of response to those risks, depending on where they sit on the risk heat map. The heat map shows the four bandings in the different shades of risks as set out below as well as expected actions and responses to risks in these areas:
Green - within appetite. Ongoing monitoring in place
Amber - out of appetite. Some actions are required to treat the risk to bring this within acceptable levels
Purple - significantly out of appetite. High combination of residual probability and impact. Management actions required, with some urgency, to treat the risk, reducing this to acceptable levels
Grey/black - risks that are deemed to have such an impact that they could theoretically impact the ability of the business to continue in existence. If any, they would need consideration in assessing in the Directors' Viability Statement
An assessment of whether additional actions are required to reduce our risk exposure is undertaken, with actions falling into the one of four categories:
· Treat - develop an action plan (applying responsibility, deadlines and prioritisation) that may include the implementation of additional controls, or increase the requirement for additional assurance over the adequacy and effectiveness of the existing controls
· Transfer - use a third party specialist to undertake the activity, thus mitigating the risk
· Tolerate - determine the risk is within appetite
· Terminate - exit the activity
Output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders, or has been used in the development of the Group's transformation programme.
Monitor
Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual. Examples of ongoing monitoring of business risks include, but are not limited to:
· Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks
· Annual review of the annual internal audit plan to validate that it incorporates key areas of business risk
· At each Audit Committee, a review of internal audit reports issued during the period, including a summary of progress against previously raised management actions
· Annual review of the strategic risk register by the Enterprise Risk Management Steering Group (introduced in FY21) and Board to ensure that it includes risks arising in year
Internal control
Whilst risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation.
NCC Group has established a robust internal control framework which is made up of a number of components:
Control environment
The control environment has primarily been established taking account of the Group's values (working together, being brilliantly creative and embracing difference) and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, whilst also maintaining integrity and transparency.
Risk assessments
Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements which is vital in our transformational programmes.
Policies and procedures
Established policies communicate expected behaviours and these are supported through procedures and guidelines defining required processes and controls. This in turn supports the business to adopt efficient and effective control environments.
Information and communication
Access to accurate and timely data is key in supporting our colleagues to make decisions and to be well informed in order to conduct, manage and control their areas of responsibility. During the year, the Group has continued to focus on its data systems - rolling out the Workday Finance system to support consistent controls and reporting.
Activity monitoring
Financial minimum controls were established during FY20 for local finance teams. The financial minimum controls have been self-assessed by all finance teams and a programme of audit against these standards launched in FY21. The financial minimum controls framework was established in consultation with the Chief Financial Officer, Group Financial Controller and local Finance Directors and has taken account of the implementation of Workday Finance. Further enhancement of the framework is being considered in preparation for potential changes proposed in the Brydon Review and related white paper issued by the Department for Business, Energy and Industrial Strategy.
Financial accounting and reporting follows generally accepted accounting practices.
Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies.
Compliance with all legislation, current and new, is closely monitored.
Risk and control reporting structure
During the current financial year, NCC Group has focused on establishing the "three lines of defence" to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Security Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control.
Three lines of defence:
· First line - Group policies and procedures
· Second line - Global Governance function, incorporating Health and Safety; Information Security; Data Protection; Compliance and Standards; and Corporate Legal
· Third line - independent challenge and assessment, including ISO certification and internal and external audit
Principal risks and uncertainties
The Group continues to operate in a particularly dynamic and evolving marketplace. The current strategic risk register has been developed to reflect those factors and includes those risks that would threaten its business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, their potential impact and mitigating processes and controls are set out below. A risk related to sustainability (10) has been added to the strategic risks for FY21 and reflects the importance being placed on a sustainable business strategy by NCC Group and its investors.
The heat map provides a pictorial representation of the Group's strategic risks and their direction of travel.
| Risk areas | Impact | Key controls and mitigating factors
|
| Business strategy
A comprehensive business strategy is essential to the continued success of the Group as we strive to maximise shareholder value.
| A poor strategy or ineffective execution of a strategy could have a material negative impact on the Group's financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group's established position in the marketplace. | (High impact, risk exposure unchanged from 2020)
Members of the Board have significant experience in evolving business strategies. The Board is significantly engaged in both setting and reviewing strategy and held a dedicated strategy session in March 2021.
|
| Management of strategic change
As the Group adapts and executes its strategy there are a number of complex projects and initiatives that not only need to be delivered but also require understanding and support from all colleagues.
| Poor change management could lead to ineffective implementation of projects that then cost more to deliver, take longer to deliver and result in fewer benefits being realised (or all three). Poor delivery of change could ultimately impair business performance.
| (Low impact, risk exposure unchanged from 2020)
The Group has established a strategic change management capability and this includes access to programme management professionals and the deployment of associated change management processes, for example the operation of senior change oversight committees.
|
| Global pandemic - Covid-19
NCC Group has a number of features which give the Group greater resilience in the face of a global pandemic. Failure to prepare for this may cause disruption and uncertainty to our business, as well as risk the health and safety of our people. Any disruption or uncertainty could have an adverse effect on our business, financial results and operations.
| The potential impact of a pandemic globally is closed offices, people who are unwell and unable to work for periods of time and a slow-down in business from our clients.
| (Medium impact, risk exposure decreased from 2020)
During 2021, we successfully moved to remote working during the lockdown periods across our offices and were able to deliver our services off client sites. We have also used remote working as an opportunity to develop our services to support remote delivery.
In addition, the Group has developed an office re-opening programme, which has taken into account the health and wellbeing of our colleagues, which has further supported our successful service delivery. |
| Availability of critical information systems
The Group is heavily reliant on continued and uninterrupted access to its IT systems. As well as environmental and physical threats, the Group is a natural target for individuals who may seek to disrupt the Group's commercial activities.
| If the Group's critical systems failed, this could affect the Group's ability to provide services to our customers.
| (High impact, risk exposure decreased from 2020)
The Group continues to make significant investment in its IT infrastructure to ensure it continues to support the growth of the organisation. This has been particularly pertinent during home working as part of the response to Covid-19.
The Group has controls in place in order to reduce the risk of actual loss of critical systems; this has included a review of single points of failure and these have been mitigated. Further, controls are operated to ensure the availability of backup media in the event of prolonged loss of systems.
The Group also standardises and simplifies processes whilst increasing resilience. Additional focus is given to proving the recoverability of systems and data.
|
| Attracting and retaining appropriate colleague capacity and capability
The Group would be adversely impacted if it were unable to attract and retain the right calibre of skilled colleagues. Some roles within the Group operate in highly technical and extremely specialised areas in which there are shortages of skilled people.
| Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group's strategy.
An inability to attract and retain sufficient high-calibre colleagues could become a barrier to the continued success and growth of NCC Group. | (Medium impact, risk exposure decreased from 2020)
Colleagues are offered a rewarding career structure and attractive salary and benefits packages, which can include participation in share schemes.
Comprehensive communications with our colleagues are ongoing and include all-hands calls, The Wire and Group and local communications.
Linked to the development of our people, the Group continues to review our values and continues to use personal performance management processes, and aligned development programmes, which are linked to succession planning.
|
| Information security risk (including cyber risk)
Due to the nature of the services provided by NCC Group, clients have a high expectation of the systems, processes and people handling their data.
In addition, as a cyber security provider, NCC Group is more exposed to its systems being maliciously compromised.
As a result, NCC Group could experience a malicious cyber-attack, inadvertent disclosure and/ or compromise of confidential data and/or any other information security incident.
| Failure to maintain control over customer, colleague, commercial and/or operational data could lead to a range of impacts, including reputational damage. The misuse of personal data, for example without the customer's consent, or retaining data for longer than is necessary, may also result in reputational harm, regulatory investigations and potential fines.
| (Medium impact, risk exposure unchanged from 2020)
The Board operates a Cyber Security Committee chaired by the Chair of the Board and is responsible for the ongoing oversight of this risk and related control environments.
All colleagues globally are required to undertake annual security training and updates to alert them to potential methods of security breach and to their responsibilities in safeguarding information and reporting potential issues.
Security testing is regularly carried out on the Group's infrastructure and there are extensive response plans, which were reviewed during the year, in the event of a major security incident.
Comprehensive plans are in place and being delivered associated with discharging our data protection obligations. |
| Quality of Management Information Systems (MIS) and internal business processes
We need to ensure that trusted and relevant MIS are available on a day-to-day basis to inform management decisions and drive performance.
| Suboptimal business decision making and performance as key financial performance data is not available or trusted.
| (High impact, risk exposure decreased from 2020)
The Group finance function has developed a forward-facing Finance Functional Strategy. Enhancements were identified covering system and process standardisation. A comprehensive milestone plan is in place and progress is tracked and reported to each Audit Committee.
The rollout of Workday across our global finance teams has been significantly completed and will support the standardisation of policies and procedures, in addition to improving efficiency and effectiveness.
Standardised business process control standards are in place across all parts of the Group. Financial year 2021 has seen the implementation of the new control self-assessment questionnaires along with an aligned programme of internal audits.
|
| Quality and Security Management Systems
We aspire to attain and retain key internationally recognised standards, which form an important component for many of our customers.
| The risk of the Group failing to retain a core standard, e.g. 9001, 27001 or PCI, with a consequential loss of key customer accounts or ability to operate.
| (High impact, risk exposure decreased from 2020)
We operate a comprehensive programme to ensure the retention of our core standards. This includes a portfolio of aligned policies and cascading business processes. A programme of internal audit provides assurance over the design and application of these policies and procedures.
External assessors provide a further layer of review and challenge, confirming during the year the retention of our Quality and Security standards, which were renewed in April 2021.
|
| Post-Brexit
Failure to comply with changing EU regulations as a result of Brexit may cause disruption to our business. Any disruption could have an adverse effect on our business operations.
| There remains some uncertainty around the detail of EU regulatory changes as these are finalised (for example, finalisation of trade negotiations with the wider world), which may impact on some of the services delivered by the Group, which fall under export control regulations.
| (Low impact, risk exposure decreased from 2020)
Similar to any UK company, we list post-Brexit as a significant risk due to the continued uncertainty surrounding the final EU post-Brexit trade deals with Europe and other international countries, which are still being negotiated. As our operations around the world include business entities based in Continental Europe and the wider world, we believe NCC Group is structurally resilient to the post-Brexit trading environment. The main risks to our business post-Brexit are:
· Changes to export control requirements and related tariffs being implemented which may impact on some areas of service delivery
· Real or perceived differences in data protection standards, which impact our global ways of working
|
| Sustainability
NCC Group recognises the importance of good environment, social and governance (ESG) frameworks as a key indicator of the Group's sustainability and ethical impact of our business.
| Non-compliance with the Group's frameworks related to ESG will impact on our ability to display robust working practices, grounded in good working practice, which take account of our environment, people and communities. This in turn could impact on our ability to develop and maintain business relationships and may lead to the loss of key customer accounts and shareholder investment.
| (New impact, no risk exposure)
The Group has developed an ESG framework which continues to evolve. Examples of progress to date include:
· Ongoing review of key policies, such as the Code of Ethics, Whistleblowing Policy, Anti-Bribery and Corruption Policy and Anti-Trust Policy. These policies reflect our global footprint and will be translated into all of our jurisdictional languages in 2022
· Maintained our corporate governance and decision-making structures during the "move to remote" during Covid-19 lockdowns
More examples are outlined in the sustainability section of the report.
|
| Acquisition of IPM (Intellectual Property Management)
NCC Group obtained shareholder approval to acquire Iron Mountain's Intellectual Property Management (IPM), post extensive due diligence on 1 June 2021. The acquisition of the IPM division significantly grows the US Software Resilience customer base and allows us to support them with a broader set of services.
A comprehensive integration plan has been established to support the effective and efficient transition of IPM into the Group.
| Ineffective implementation of the integration plan may lead to:
· Staggered transition to key systems
· Increased costs against the budgeted £2.5m
| (New impact, no risk exposure)
The Group has established a comprehensive integration plan, which has been sub-divided into specific workstreams, including, but not limited to, finance; legal; compliance; and IT.
Each workstream has specific deliverables, along with deadlines, and these are being regularly monitored to validate "on time" delivery and to enable additional actions/resource to be deployed if required. |
Extraordinary risk during the year
During the year, the global pandemic of Covid-19 continued, with minimal impact on financial performance; it also provided opportunities. The Group mobilised its Executive Support Team and its business continuity plan in January 2020 and this enabled a number of planned initiatives to be brought forward to support a Group-wide response to remote working and delivery.
We have continued to successfully negotiate with our customers where appropriate to work remotely, which has minimised disruption to service delivery."
LEI - 213800DJCGZRB6523934
Classification - Annual Report and Financial Statements and Notice of AGM.
|
Enquiries:
|
|
| NCC Group plc Adam Palser - CEO Tim Kowalski - CFO Jonathan Williams, Deputy Company Secretary |
0161 209 5200 0161 209 5200 0161 209 5374 |
| |
|
RNS may use your IP address to confirm compliance with the terms and conditions, to analyse how you engage with the information contained in this communication, and to share such analysis on an anonymised basis with others as part of our commercial services. For further information about how RNS and the London Stock Exchange use the personal data you provide us, please see our Privacy Policy.
