Risk Management

Overview

Exposure to risk is an inherent element to carrying out the business activities of the Group; the operation of vessels and provision of related services. Effective risk management and internal control systems are essential to protect the Group from exposure to unnecessary risks and to ensure the sustainability of the Group’s business.

The Board has overall responsibility for establishing procedures to manage risk, oversight of the internal control framework and determining the nature and extent of the principal risks the Group is willing to accept in order to achieve its long-term objectives. The Board has created a culture of risk awareness throughout the organisation whereby risk consideration is embedded in decision making processes.

The Board has delegated the monitoring of the Group’s risk management and internal control systems to the Audit Committee. This assessment is carried out through the review of reports and presentations made by the Risk Management Committee (RMC) and Group Internal Audit. Further information on the Audit Committee activities is set out in its report on pages 84 to 87.

Risk Architecture, Strategy and Protocols

The Group follows international standard ISO 31000 (2018) ‘Risk Management – Guidelines’ in designing its risk architecture, strategy and protocols (RASP).

The Group’s risk architecture includes the roles and responsibilities of the Board and Group personnel in managing risk, along with internal reporting requirements. This is illustrated by the ‘three lines of defence’ framework.

Risk Management Framework

Roles, responsibilities, risk management policy, objectives and process overviews are documented within the Group’s Risk Code. The Group has sought to adopt an Enterprise Risk Management (ERM) system that takes a unifying, broad and integrated approach to managing risks and aligns risk management to the achievement of strategic objectives.

Role of the Risk Management Committee

The Risk Management Committee (RMC) established by the Group comprises members from across the three lines of defence, as well as having Board representation. With its mandate from the Board, the RMC is tasked with;

  • Making appropriate recommendations to the Board on all significant matters relating to the development of risk strategy and processes of the Group.
  • Keeping under review the effectiveness of the Group’s risk management systems.
  • Reviewing the Group’s risk exposures in relation to the Board’s risk appetite.
  • Maintaining a robust Group Risk Register and ensuring risks are identified comprehensively and assessed consistently across classified risk areas.

Risk Management Process

The Group’s Risk Management Process is underpinned by its RASP and is led by the RMC. The Group’s process is based on the revised international standard ISO 31000 (2018), ‘Risk Management – Guidelines’, and provides an iterative and systematic approach to managing risks throughout the Group.

Risk Assessments and Monitoring

The Board sets the Group’s risk appetite for classified risk areas. Risk appetite is communicated through the adoption of Risk Appetite Statements. These statements, along with internal capabilities, resources and industry factors provide context to how the Group’s strategy is pursued and to which risks are assessed. The Board has a low acceptance for risks that may impact safety of vessels, workers and customers and compliance with relevant laws and regulations.

Each business owner is responsible for ensuring comprehensive risk identification and assessment is carried out covering their sphere of responsibility. Risks are identified through various means, including the use of an identification tool guiding risk assessors through several internal and external factors in identifying potential barriers to respective objectives. Risks are assigned to risk owners with responsibility for the activity generating the risk. Where a risk contains multiple causes and consequences, risk owners are required to collaborate in performing a cause and consequence analysis.

For some risks, this collaboration spans across departments and divisions within the Group.

Risk owners are ultimately responsible for the completion and maintenance of risk assessments across their respective risk areas. Risks are measured in terms of the likelihood of occurrence and estimated impact using a standardised scoring model. All evaluations are made from a Group perspective and are relative to Group risk appetite. Guidance tools are in place to ensure Group-wide consistency is achieved across risk assessments.

Existing control measures are documented and assessed within the risk assessment forms in determining net risk scores. All risk assessments are reviewed by members of the RMC before they are released to the Group Risk Register. The RMC and risk owners can prescribe the implementation of further control measures at the review stage.

The Group Risk Register is the central online repository for documenting, assessing and prioritising risks, and for documenting and prescribing control measures. The Register forms a significant portion of the Group’s risk management process. The Group Risk Register is reviewed on a regular basis by the RMC.

Any necessary changes to the Group Risk Register are made throughout the year and can be prompted by;

  • The occurrence of a risk event.
  • The identification of new emerging risks or as circumstances of existing emerging risks change.
  • Quarterly RMC meetings.
  • Internal Audit or regulatory reviews.
  • Annual risk owner reassessment.
  • Changes in Key Risk Indicator measurements.
  • New risk assessments completed within business area teams.

Risk information within the Group Risk Register is analysed and used for reporting principal risks to the Board and for Internal Audit planning. A presentation of the Group’s principal and emerging risks is made to the Board at least annually or more frequently if warranted by developments. At these presentations the Board challenges the RMC in their processes and evaluations of the principal and emerging risks identified in the context of the Group’s own risk policy, risk appetite and general market developments both within and outside the industry sector.

Emerging Risks

Risk monitoring is an ongoing process to reflect the dynamic nature of the environment in which the Group operates. The Group acknowledges three types of emerging risks that can arise. The first type are new risks that emerge in the Group’s external environment. These are identified through the ongoing Group risk identification process. The second type are previously identified risks recorded in the Group Risk Register whose impact on Group activities has changed, prompting a reassessment. The third type are new risks emerging from the internal environment when changes to core processes are made. These are identified when undertaking new projects or engaging with new business partners.

Emerging risks are closely monitored and assessed as their uncertain nature can result in the risks becoming significant within a short timeframe. Emerging risks currently under review at the date of this report relate to greater employer responsibility for employee welfare, greater environmental and climate awareness driving increased corporate responsibility and regulatory requirements and long-term risks and opportunities associated with technological advancements.

Significant Risk Events during the Year

Covid-19 Pandemic

The Covid-19 pandemic first began to affect operations and pose a health risk to the Group’s customers, staff and contractors in early March. The Group responded swiftly by implementing measures for the purpose of;

  • Ensuring the continuity of safe operations and ensuring effective communication of such measures to all stakeholders including customers, employees, contractors and state authorities.
  • Reducing the financial impact caused by Covid-19 through cost-cutting, efficiencies and service restrictions, while committing to continue to operate loss-making routes which provide a vital lifeline service to the island.

A specific and detailed risk assessment was performed with input from all departments across each division, which included details of all control measures. This risk assessment was updated throughout the year. At the date of this report, while some services have been curtailed, and passenger travel on ferries is severely restricted by government guidance, all operations have been maintained safely. The Group continues to monitor Covid-19 developments and adjust its risk response when necessary.

Brexit

2020 brought increased clarity on the post-transition relationship between the UK and EU. As it became clear that the UK would leave the EU Single Market and Customs Union on 31 December 2020, a specific and detailed risk assessment was developed and updated throughout the year.

The principal risks identified were in relation to;

  • Negative impact on market demand due to lack of customer readiness and ability to complete required declarations. As at January 2021, this risk has manifested, with the anticipated temporary impact on freight demand, however this negative impact is reduced by the agreement of a Brexit deal and the deferment until July of GB import control formalities at the border.
  • Market distortion due to potential re-routing of commercial freight traffic via Northern Ireland and via the direct route to France, to avoid customs and health formalities. As at January 2021, this risk has manifested, with the anticipated temporary impact on freight demand.
  • Traffic congestion at ports and the knock-on effect this could have on ship operations, including pressure on slot times. As at January 2021, this risk has not manifested, potentially due to temporarily reduced freight demand.
  • Readiness and capacity of State Authorities’ border inspection facilities and IT systems. As at January 2021, this risk has not manifested, potentially due to temporarily reduced freight demand.
  • Negative impact on the GB/ROI passenger market. This risk has not manifested due to the greater impacts of Covid-19.

The Group also prepared to accommodate and maximise increased customer demand due to pre-Brexit stockpiling towards the end of 2020. The Group will continue to monitor post-Brexit links, particularly as additional requirements for imports to Britain are implemented from 1 July 2021.

Viability assessment

The principal risks identified through the Group’s risk processes have been considered by the Directors when preparing the Viability Statement on page 104, as part of their assessment of the prospects for the Group.

Principal Risks

Linkage to strategic pillars:
Quality service People and Culture Financial management Safety Sustainability

Risk Area

Description

Potential Impact

Examples of Risk Treatment

Commercial & Market

The Group operates in a highly competitive environment that intensified in 2020 with new market risks and opportunities arising from the uncertain political and economic landscapes.

Loss of competitiveness caused by failure to adjust cost base, price competitively or respond to the changing needs of customers, resulting in loss of key customers and overall loss in market share and profitability.

The Group undertakes regular assessments of its cost base and performs benchmarking against competitors.

Direct and indirect competitor activity and market performance is monitored closely which allows the Group to respond proactively.

The Group puts emphasis on ensuring a safe and reliable service is provided to customers in order to maintain and strengthen alliances.

Business Continuity

The Group’s operations are exposed to the risk of fire, flood, technical failure, vessel incidents and loss of critical supplies caused by accident or by natural disaster.

Major disruptive events can result in the loss of critical infrastructure such as vessels, plant, premises, port facilities, communications networks or systems. This in turn can result in significant financial loss and reputational damage.

The Group places strategic importance on investment in quality assets and safety. Examples of preventative measures to help reduce the likelihood of major disruptive events are described for various risk areas within this table.

The Group has detailed, coordinated and rehearsed business continuity plans containing crisis management and disaster recovery components to respond to major incidents at land or at sea and ensure affected operations can be resumed promptly and safely.

Information Security & Cyber Threats

By nature of the services offered, the Group must rely on IT systems to support its business activities and must retain certain types of personal data. The Group is susceptible to data breaches and cyber-attacks through various means.

Viruses can spread to critical systems and result in business interruption. Data breaches can result in heavy fines under GDPR and cause reputational damage.

Physical access controls are in place restricting access to sensitive computing and data areas.

GDPR compliance is reviewed regularly by Internal Audit and the Group’s designated Data Protection Officer.

Group IT and its managed service providers employ a suite of technical controls to prevent, detect, mitigate and remediate malicious threats and unusual activity.

Mandatory GDPR and security awareness training is in place for all staff and relevant crew.

Safety & Environmental Protection

Given the nature of the Group’s activities there is a risk of vessel incidents, accidents, spillages or incidents involving hazardous cargo.

There is also the risk of an outbreak of contagious illness among staff, crews and customers.

These safety or environmental incidents could result in loss of life, serious personal injury or illness, pollution and other damage to local ecosystems.

The Group and its service providers adhere to defined operating safety and quality policies and procedures. All sites are regularly inspected by internal second line functions and external regulatory bodies. Emergency procedures and safety training are conducted regularly.

Hazardous cargoes are managed in accordance with international maritime regulations.

Group vessels, offices and facilities are thoroughly and frequently sanitised. World Health Organisation (WHO) and governmental guidance and instructions are followed. Remote working is facilitated for office staff.

Financial Loss

The Group is at risk of losses caused by ineffective or inefficient financial policies or practices.

Financial loss arising from inadequacies in areas such as; budgeting and financial planning, insurance provisioning, project management or credit control techniques.

The Group’s financial management activities are performed by experienced and knowledgeable personnel. Regular internal management reporting ensures negative variances and trends are identified promptly and acted upon.

Close relations with insurance brokers are maintained and emerging risks are considered when assessing coverage.

Major projects require pre-approval of the Board. Due diligence procedures are carried out for project contractors and new commercial customers while ongoing performance management of projects and debtors is in place.

Human Capital

The Group recognises the integral role of its staff and service providers in achieving sustained success. There is a risk of failure to attract qualified and talented individuals and a risk of losing key personnel. Staff may also become unmotivated or dissatisfied with the working environment.

Human capital risks ultimately lead to a poor standard of service to customers and poor decision making. This can damage the Group’s market position, reputation and stakeholder relationships.

Pay and conditions are reviewed and benchmarked to ensure the Group remains competitive. ICG is an equal opportunities employer and seeks a diverse workforce to promote a strong and accepting culture and to help make informed decisions.

Staff are encouraged and supported in their pursuits of further education and career advancement.

The Group operates an open-door policy with its staff. The Group’s grievance and disputes policy is designed to protect staff in resolving any sensitive matters.

Long-term incentive plans are in place to help retain and motivate key management personnel.

Operational Compliance

The Group’s activities are governed by a range of international maritime (IMO), flag state, port state, EU and national government regulations. There is a risk that instances of non-compliance may be identified.

Serious or repeated breaches of regulations may result in significant fines, vessel lay-up or other halting of operations and reputational damage.

Ongoing training is provided to operations staff and contractors in line with regulatory requirements.

New regulations are discussed and assessed at management meetings.

The Group’s vessels and port operations are subject to regular inspections and audits from internal second line functions and external bodies.

Volatility

The Group is exposed to fluctuations in fuel prices and exchange rates.

Financial loss resulting from;

increases in cost base due to adverse fuel price movements or;

decreases in revenues due to adverse foreign exchange movements.

Group policy has been to purchase commodities in the spot markets and remain unhedged. The Group operates a dynamic surcharge mechanism with its freight customers which allows for prearranged price adjustments in line with euro fuel costs to help mitigate US dollar exposure arising from fuel purchases. In the passenger sector, in addition to fixed environmental surcharges, changes in bunker costs are included in the ticket price to the extent that market conditions will allow.

The Group employs a matching policy to mitigate exposure to sterling. Decreases in translation of sterling revenues to euro are largely offset against corresponding decreases in translation of sterling costs.

Retirement Benefit Scheme

The Group’s pension liabilities are exposed to risks arising from changes in interest rates, inflation, demographics and market values of the underlying investments.

Financial loss resulting from decreases in scheme asset values or increases in scheme obligations.

An agreement was reached with scheme members during the year to transfer a portion of the Group’s defined benefit obligations to a third-party insurance company.

All actuarial assumptions are substantiated and challenged where necessary.

Regular communication is maintained with the scheme investment managers to monitor performance relative to agreed benchmarks.

Fraud

Over the course of a year, as part of Group operations, a significant volume of transactions are processed. These include a large amount of payment exchanges in the booking process, on board passenger vessels and at port ticket desks. This level of activity inherently carries a risk of fraud through the processing of improper payments or misappropriation of cash or assets.

Financial loss, reputational and cultural damage.

Improper payments are prevented by a segregation of duties within the payment set-up, payment approval and accounts posting processes. Further training and procedures are in place to ensure any requested changes to vendor payments are validated.

Daily reconciliations are performed at cash processing locations. All cash counts require supervisor oversight and CCTV cameras are installed to deter and capture any inappropriate behaviour.

Internal Audit procedures are designed in consideration for the scope of fraud where relevant.