Overview
Exposure to risk is an inherent element of carrying out the business activities of the Group: the operation of vessels and provision of related services. Effective risk management and internal control systems are essential to protect the Group from exposure to unnecessary risks and to ensure the sustainability of the Group’s business.
The Board has overall responsibility for establishing procedures to manage risk, oversight of the internal control framework and determining the nature and extent of the principal risks the Group is willing to accept in order to achieve its long-term objectives. The Board has created a culture of risk awareness throughout the organisation whereby risk consideration is embedded in the decision making processes.
The Board has delegated the appraisal of the Group’s risk management and internal control systems to the Audit Committee. This assessment is carried out through the review of reports and presentations made by the Risk Management Committee (RMC) and Group Internal Audit. Further information on the Audit Committee activities is set out in its report on pages 91 to 94.
Risk Architecture, Strategy and Protocols
The Group follows international standard ISO 31000 (2018) ‘Risk Management – Guidelines’ in designing its risk architecture, strategy and protocols (RASP).
The Group’s risk architecture includes the roles and responsibilities of the Board and Group personnel in managing risk, along with internal reporting requirements. This is illustrated by the ’three lines of defence’ model.
Risk Management Framework
Roles, responsibilities, risk management policy, objectives and process overviews are documented within the Group’s Risk Code. The Group adopts an Enterprise Risk Management (ERM) system that takes a unifying, broad and integrated approach to managing risks and aligns risk management to the achievement of strategic objectives.
Role of the Risk Management Committee
The Risk Management Committee (RMC) established by the Group comprises members from across the three lines of defence, including Board representation. With its mandate from the Board, the RMC is tasked with:
- Making appropriate recommendations to the Board on all significant matters relating to the development of risk strategy and processes of the Group.
- Keeping under review the effectiveness of the Group’s risk management systems.
- Reviewing the Group’s risk exposures in relation to the Board’s risk appetite.
- Maintaining a robust Group Risk Register and ensuring risks are identified comprehensively and assessed consistently across classified risk areas.
Risk Management Process - Assessments and Monitoring
The Group’s Risk Management Process is underpinned by its RASP methodology and is led by the RMC. The Group’s process is based on the revised international standard ISO 31000 (2018), ‘Risk Management – Guidelines’, and provides an iterative and systematic approach to managing risks throughout the Group.
The Board sets the Group’s risk appetite for classified risk areas. Risk appetite is communicated through the adoption of Risk Appetite Statements. These statements, along with internal capabilities, resources and industry factors, provide context to how the Group’s strategy is pursued and to which risks are assessed. Stakeholder views with respect to climate and ESG issues are considered by the Board in setting appropriate appetite levels. Refer to pages 63 to 64 for an overview of the Group’s climate risk framework. The Board has a low acceptance for risks that may impact safety of vessels, workers and customers and compliance with relevant laws and regulations.
The Group-wide nature of the risk assessment and monitoring process requires collaboration across departments and divisions within the Group. Each business owner is responsible for ensuring comprehensive risk identification and assessment is carried out covering their sphere of responsibility. Risks are identified through various means, including the use of an identification tool guiding risk assessors through several internal and external factors in identifying potential barriers to respective objectives. Risks are assigned to risk owners with responsibility for the activity generating the risk. Where a risk contains multiple causes and consequences, risk owners are required to collaborate in performing a cause and consequence analysis.
Risk owners are ultimately responsible for the completion and maintenance of risk assessments across their respective risk areas. Risks are measured in terms of the likelihood of occurrence and estimated impact using a standardised scoring model. All evaluations are made from a Group perspective and are relative to Group risk appetite. Guidance tools are in place to ensure Group-wide consistency is achieved across risk assessments.
Existing control measures are documented and assessed within the risk assessment forms in determining residual risk scores. All risk assessments are reviewed by members of the RMC before they are released to the Group Risk Register. The RMC and risk owners can prescribe the implementation of further control measures at the review stage.
The Group Risk Register is the central online repository for documenting, assessing and prioritising risks, and for documenting and prescribing control measures. The Register forms a significant portion of the Group’s risk management process. The Group Risk Register is reviewed on a regular basis by the RMC.
Any necessary changes to the Group Risk Register are made throughout the year and can be prompted by:
- The occurrence of a risk event.
- The identification of new emerging risks or as circumstances of existing emerging risks change.
- Quarterly RMC meetings.
- Internal Audit or regulatory reviews.
- Annual risk owner reassessment.
- Changes in Key Risk Indicator measurements.
- New risk assessments completed within business area teams.
Risk information within the Group Risk Register is analysed and used for reporting principal risks to the Board and for Internal Audit planning. A presentation of the Group’s principal and emerging risks is made to the Board at least annually or more frequently if warranted by developments. At these presentations, the Board challenges the RMC in their processes and evaluations of the principal and emerging risks identified in the context of the Group’s own risk policy, risk appetite and general market developments both within and outside the industry sector. Key Risk Indicators are in place for highly ranked individual risks at the residual level, to ensure exposure levels are monitored, flagged to the Board and corrective actions taken before impacts are fully realised.
Emerging Risks
Risk monitoring is an ongoing process to reflect the dynamic nature of the environment in which the Group operates. The Group acknowledges three types of emerging risks that can arise. The first type are new risks that emerge in the Group’s external environment. These are identified through the ongoing Group risk identification process. The second type are previously identified risks recorded in the Group Risk Register whose impact on Group activities has changed, prompting a reassessment. The third type are new risks emerging from the internal environment when changes to core processes are made. These are identified when undertaking new projects or engaging with new business partners.
Emerging risks are closely monitored and assessed as their uncertain nature can result in the risks becoming significant within a short timeframe. Emerging risks currently under review at the date of this report relate to local governments imposing additional regulations over seafarer working conditions and the illegal invasion of Ukraine by Russia. We continue to monitor the war in Eastern Europe and its impact on supply chains and fuel prices. Ongoing trends that are a constant in our industry and remain front of mind are the greater environmental and climate awareness driving increased corporate responsibility and regulatory requirements and long-term risks and opportunities associated with technological advancements.
Managing Cyber Security
As our business becomes increasingly digitalised, we are faced with an ever-increasing cyber threat landscape. At ICG, we are keenly aware of our responsibility to protect our systems and our customers’ information from outside interference. Cyber Security continues to be a top priority for the Board as it carries out its risk management duties. The Board of ICG manages Cyber Security risk in the context of an overall Risk Management Framework.
Given its strategic importance, the Board is informed on Cyber Security topics through regular reporting from our Information Technology team. In 2022, reports were received on cyber security and related topics, covering areas such as managed security and breach detection, vulnerability management, NISD compliance, incident response planning and business continuity.
Our Information Security Management System (ISMS) is aligned with recognised frameworks such as ISO 27001 and NIST. Cyber Security controls are designed and implemented based on thorough risk assessments and to meet increasing compliance requirements such as PCI-DSS, GDPR and NISD. Cyber Security architecture and controls are constantly reviewed and improved to mitigate emerging security risks as they develop across the wider industry. Operationally, we manage Cyber Security through a blended model of in-house expertise and the use of best-in-class Managed Security Services Providers (MSSPs), which allows our organisation to benefit from the scale and expertise required to address the evolving threat landscape.
We develop a culture of Cyber Security awareness at ICG through continuous training on relevant security topics. All employees that use our systems are required to complete regular security awareness training which highlights and reinforces their role in protecting the organisation from phishing and other cyber threats. Simulated phishing campaigns are used to gauge the effectiveness of our security training program.
Managing Climate Change Risks
The Group has adopted a framework, based on guidance from the Institute of Risk Management, which identifies the key areas that require attention to enable the development and execution of its climate change risk management strategy. This framework is integrated within the Group’s RASP and related risks assessments are released to the Group Risk Register.
1. Climate Change Risk Landscape
The Group identifies climate risks using the same processes as other emerging risks, with additional emphasis on expert climate risk publications and regulatory updates. Climate change risks are unique in how they affect every individual and organisation, are long term in nature and are highly uncertain in their ultimate progressions and impacts. Due to these considerations, the Group’s climate risk register contains the following additional details:
- Risks are assessed over three different time horizons: 0-3 years, 3-10 years and >10 years, with the 0-3-year horizon assessments transferring to the Group Risk Register.
- Impacted stakeholder groups are identified for engagement on associated risks.
- Opportunities are identified for each risk to support strategic positioning and resilience planning.
- Impacts are linked to financial statement areas.
A summary of the Group’s climate risks, impacts and opportunities is disclosed on pages 52 to 53.
2. Effective Governance Systems
The Group applies the same risk governance structure to climate change risks as all enterprise risks. The RMC advises the Board on risk appetite, risk management approach and important risk management issues and considerations, which are ultimately approved by the Board or used to facilitate decision making.
The RMC presents to the Board during the year on all important risk management issues, including climate change and ESG risks. Executive Management are also equipped to update the Board on such matters throughout the year, as 75 percent of the Executive Management Team are RMC members. The Group’s recent Board appointments help ensure there is adequate Non-Executive Director representation with ESG expertise to challenge the RMC and Executive Management on relevant issues.
The RMC is comprised of management across all areas of the business, including risk and sustainability, sales, operations, health and safety, planning and finance. Collectively, the RMC has the skills, knowledge and experience to best manage the Group’s climate change risks and their wide-ranging impacts. ESG issues are incorporated in the incentive plans of Executive Management and dedicated management roles within the RMC.
3. Stakeholder Insights and Research
The interests and expectations of stakeholders are important considerations in the Group’s climate risk management approach. In 2022, the Group undertook a stakeholder research program to gain insights on ESG issues facing the Group. This is helping facilitate an evaluation of our core strategic, operational and compliance processes concerning the environment and climate change expectations. Mapping of these insights is helping align stakeholder values to the Group’s strategic objectives and core processes.
4. Risk Appetite Setting
Following the outcome of our stakeholder engagement program, the RMC is in the process of developing more specific risk appetite areas across a range of ESG issues. Areas of highest stakeholder importance will be considered in setting the appetite levels for Board approval. All ESG and climate change risks going forward will then be assessed, and mitigation plans updated to ensure they remain proportionate to the relevant appetite levels.
5. Materiality Assessment over Alternative Horizons
Climate change risks are assessed over three separate horizons: 0-3 years, 3-10 years and >10 years. Current known transition risks are most significant in the short and medium term and are expected to curtail from the third time horizon as the Group shifts towards a low carbon economy. While physical risks require attention today, significant physical impacts for the Group may only be experienced over the long-term horizon.
Assessments over the long-term horizon are most challenging to calculate but are key to future resilience planning. The Group is exploring further methods to help quantitatively analyse the impact of certain future scenarios.
6. Strategic Positioning and Roadmap
Following a full assessment of risks and opportunities over separate time horizons, the Group can assess strategically its current position against long-term goals. This stage allows the Group to identify any changes to its business model necessary for long-term success, with a focus on opportunity management. Further climate change related controls and projects are then agreed.
7. Implementing Mitigation and Resilience Plans
Further controls and projects to help address climate change risks are implemented and managed. Current resilience plans, including the Group’s Major Incident Response Plans and Disaster Recovery Plans are also reviewed and updated periodically for additional information gathered throughout the process.
8. Operationalise Metrics and Targets
Metrics and targets, including carbon intensity and absolute GHG emissions are monitored and reviewed. Relevant Key Risk Indicators are also introduced to monitor high residual risks, in line with the Group’s risk management process.
Significant and Emerging Risk Events
War in Eastern Europe
The Group is continuing to monitor developments in Eastern Europe following the illegal invasion of Ukraine by Russia. A full organisation-wide risk assessment was conducted as geopolitical tensions escalated in early 2022. The potential impacts highlighted by this review included:
- The impact of economic sanctions on Russia on Group operations and fuel prices;
- Impact on passenger demand due to ticket price inflation;
- Increased cyber security risk to assets and operations;
- Business continuity risks associated with supply of fuel and key third-party contractors.
We are continuing to closely monitor all developments as they evolve and how they may impact the Group.
Increasing Regulations Over Seafarer Working Conditions
The UK government declared an intention to increase the obligations of employers in the maritime sector, including the imposition of a minimum wage, over the current international requirements by way of bilateral agreements. Authorities in France have also made a similar statement of intent. This could lead to a potentially significant increase in operating costs for the Ferries Division. We are engaging with regional trade bodies to ensure that our position is heard and understood at Governmental and European Union level.
Viability assessment
The principal risks identified through the Group’s risk processes have been considered by the Directors when preparing the Viability Statement on page 110, as part of their assessment of the prospects for the Group.
Principal Risks and Uncertainties
Description and Impact | Risk Treatment | 2022 Developments |
Strategic Risk - Commercial & Market | ||
The Group operates in a highly competitive industry with market risks and opportunities arising from uncertain political and economic landscapes. The Group is at risk of markets not performing in line with expected growth and at risk of loss in market share to competitors, impacting profitability. |
The Group undertakes regular assessments of its cost base and performs competitor benchmarking. Direct and indirect competitor activity and market performance is closely monitored which allows the Group to respond swiftly. The Group focuses on ensuring a safe, reliable and high-quality service is provided to customers in order to maintain and strengthen alliances. |
Exposure to commercial and market risks continues to increase as the Group continues to invest and expand in the Dover – Calais route with 2 ships newly operational during the year. The route remains increasingly competitive with competitors introducing additional capacity on existing markets served. |
Strategic Risk - Economic and Political | ||
Economic and political factors including instability and changes to laws on travel and trade could adversely impact the Group’s activities and demand for its services.
Geopolitical risks, including war risks could have devastating Global impacts, including impacts to Group operations. |
The Group liaises with various associations and governmental bodies to share views on proposed legislative changes. Micro and macroeconomic activity is closely monitored to ensure Group decision making is informed and timely. |
The illegal invasion of Ukraine by Russia has had a significant impact on the wider European economy especially in the areas of fuel and other supply chain inflation. The freight market continues to work through the effect of Brexit and the continuing implementation of the Northern Ireland protocol. |
Operational Risk - Business Continuity | ||
The Group’s operations are exposed to the risk of fire, flood, storms, vessel incidents and loss of critical supplies caused by accident or by natural disaster. Minor disruptions can impact revenues while major disruptive events can result in the loss of critical infrastructure causing significant financial loss and reputational damage. |
The Group places strategic importance on investment in quality assets and safety, including vessels suitable for challenging sailing conditions and experienced crews and operations teams. The Group has detailed, coordinated and rehearsed business continuity plans containing crisis management and disaster recovery components to respond to major incidents at land or at sea and ensure affected operations can be resumed promptly and safely. |
The Group continuously monitors government guidance and the prevalence of contagious illness in the wider population, and will continue to exercise caution in how business activities are conducted. In 2022, the Group operated a full service through most of the year and importantly throughout the entire 2022 tourism season. |
Operational Risk - Health and Safety | ||
The Group is inherently exposed to the risk of incidents, including workplace accidents, vessel collisions and damages, hazardous cargo and incidents involving passengers. There is also a risk of outbreak of contagious illness among staff, crews and customers. These events could result in loss of life, serious personal injury or illness, asset damage and reputational impact concerning safety. |
The Group and its service providers adhere to defined operating safety and quality policies and procedures. All sites are regularly inspected by internal second line functions and external regulatory bodies. Emergency procedures and safety training are conducted regularly. Hazardous cargoes are managed in accordance with international maritime regulations. Group vessels, offices and facilities are thoroughly and frequently sanitised. World Health Organisation (WHO) and governmental guidance and instructions are followed. |
Health and safety metrics for the year are disclosed on page 58. The Group continuously monitors government guidance and the prevalence of contagious illness in the wider population, including new waves of Covid-19, and will continue to exercise caution in how business activities are conducted. The rollout of vaccination programmes throughout Europe helped to protect staff, crew and customers from Covid-19 impacts and contributed to the safe resumption of non-essential travel for passengers. This has helped normalise our trading patterns in 2022. |
Operational Risk - Operational Compliance | ||
The Group’s activities are governed by a range of IMO, flag state, port state, EU and national governmental regulations. There is a risk that instances of non-compliance may occur that causes disruption, reputational damage or financial penalties. |
Ongoing training is provided to operations staff and contractors in line with regulatory requirements. New regulations are discussed and assessed at management meetings, together with measures to ensure compliance. The Group’s vessels and port operations are subject to regular inspections and audits from internal second line functions and external bodies. |
The Group will continue to monitor new regulatory developments at the IMO and the EU and liaise with regional chambers of shipping, shipowners’ associations and other industry representatives as further information is announced. Compliance risks related to reducing emissions are managed within the Group’s climate change risk framework. |
Operational Risk - Environmental Protection | ||
The Group is exposed to long-term physical effects of climate change and to near and long-term transition risks associated with the movement towards a low carbon economy. These risks and impacts are detailed further on pages 52 to 53. There is also a risk of spillages or incidents causing pollution and discharge to the sea. |
Physical and transition climate change risks are managed within the Group’s climate change risk framework. The Group is employing a range of technical and operational measures to achieve its GHG reduction targets. Refer to pages 36 to 59 for further details. The Group and its service providers adhere to defined operating safety and quality policies and procedures. All sites are regularly inspected by internal second line functions and external regulatory bodies. Emergency procedures and safety training are conducted regularly. Hazardous cargoes are managed in accordance with international maritime regulations. |
The Group continues to place significant focus on enhancing its approach to ESG and sustainability. Refer to the Sustainability section on pages 36 to 59 for further information on activities and developments during the year. |
Operational Risk - Human Capital | ||
There is a risk of failure to attract qualified and talented individuals and additionally a risk of losing key personnel. Staff could become unmotivated or dissatisfied with the working environment. These risks can ultimately lead to a poor standard of customer service and decision making, affecting the Group’s market position, reputation and stakeholder relationships. |
Pay and conditions are reviewed and benchmarked to ensure the Group remains competitive. ICG is an equal opportunities employer and seeks a diverse workforce to promote a strong and accepting culture and to help make informed decisions. Staff are encouraged and supported in their pursuits of further education and career advancement. Long-term incentive plans are in place to retain and motivate key management personnel. |
Work from home arrangements can be attractive opportunities for many individuals. The Group introduced hybrid working arrangements in response to changes in the work environment brought upon by the Covid-19 pandemic. |
IT Systems and Cyber Risk - Information Security and Cyber Threats | ||
The Group is heavily reliant on its IT systems to support business activities. These systems are susceptible to data breaches and cyber attacks that can result in disruption, heavy fines and reputational damage. |
The Group employs a suite of physical access controls and technical controls to prevent, detect, mitigate and remediate malicious threats and unusual activity. Such controls include rehearsals for major cyber incidents, vulnerability management processes and security awareness training for staff and key contractors. |
Cyber-attacks continue to grow in volume and sophistication and have particularly intensified since the beginning of the Covid-19 pandemic. The Group is to remain vigilant and ensure all efforts to protect its systems are made. For an overview of the Group’s cyber security risk management process, see page 62. |
Financial Risk - Financial Loss | ||
The Group is at risk of losses caused by ineffective or inefficient financial policies or practices, such as inadequate budgeting and planning, insurance provisioning, project management or credit control techniques. |
The Group’s financial management activities are performed by experienced and knowledgeable personnel. Regular internal management reporting ensures negative variances and trends are identified in a timely manner and acted upon. Close relations with insurance brokers are maintained and emerging risks are considered when assessing coverage. Major projects require pre-approval of the Board. Due diligence procedures are carried out for project contractors and new commercial customers while ongoing performance management of projects and debtors is in place. |
We continue to invest in and improve our analytics offerings to our executive management to monitor key operational statistics in a timely manner. This allows us to act swiftly and decisively to address any building trends against established benchmarks. |
Financial Risk - Volatility | ||
The Group is exposed to adverse fluctuations in fuel prices and exchange rates which can reduce revenues, increase cost base and reduce overall profitability. |
Group policy has been to purchase commodities in the spot markets and remain unhedged. The Group operates a dynamic surcharge mechanism with its freight customers which allows prearranged price adjustments in line with Euro fuel costs to help mitigate US Dollar exposure arising from fuel purchases. In the passenger sector, in addition to fixed environmental surcharges, changes in bunker costs are included in the ticket price to the extent that market conditions will allow. The Group employs a matching policy to mitigate exposure to Sterling. Decreases in translation of Sterling revenues to Euro are largely offset against corresponding decreases in translation of Sterling costs. |
Fuel prices were highly volatile in 2022, but overall have increased substantially over previous years, leading to an increase in Group fuel costs. The magnitude of the Group’s exposure to unfavourable Sterling movements increased during the year, following increased trade on the Dover-Calais route. |
Financial Risk - Retirement Benefit Scheme | ||
The Group’s pension liabilities are exposed to risks arising from changes in interest rates, inflation, demographics and market values of the underlying investments, resulting in increased scheme obligations or decreased scheme assets. |
A portion of the Group’s defined benefit risks are transferred to a third-party insurance company. All actuarial assumptions are substantiated and challenged where necessary. Regular communication is maintained with the scheme investment managers to monitor performance relative to agreed benchmarks. |
In 2022, the Group continued its de-risking initiatives and active investment management. |
Financial Risk - Fraud | ||
A significant volume of transactions is processed throughout the course of the year. These include a large amount of payment exchanges in the booking process, on board passenger vessels and at port ticket desks. This level of activity inherently carries a risk of fraud through the processing of improper payments or misappropriation of cash or assets. Any instance of fraud affecting ICG could result in financial loss, reputational and cultural damage. |
Improper payments are prevented by a segregation of duties within the payment set-up, payment approval and accounts posting processes. Further training and procedures are in place to ensure any requested changes to vendor payments are validated. Daily reconciliations are performed at cash processing locations. All cash counts require supervisor oversight and CCTV cameras are installed to deter and capture any inappropriate behaviour. Internal audit procedures are designed with consideration for the scope of fraud, where relevant. |
The Group is not aware of any confirmed or suspected instances of fraud during the year. The Group reviewed its Protected Disclosure (Whistleblowing) Policy to encourage employees or any person who works or has worked for the Group to make a disclosure in respect of significant matters including instances of fraud. This policy is available on our website. |
Financial Risk - Financial Compliance | ||
As a public listed company with operations in different jurisdictions, the Group must comply with multiple financial and administrative regulations. Any policy changes or instances of non-compliance could result in financial loss, penalties or reputational damage. |
The Group relies on its professional staff to ensure necessary filings are timely, complete and accurate. Third party experts are engaged when required to advise on complex matters. The Group engages productively with Irish tax authorities through the Co-Operative Compliance Framework. Additional assurance is also gained from the work of the Group’s external auditors. |
The Group is monitoring developments in regulations, particularly around whether BEPS Pillar 2 may affect the Group in future periods through increased tax obligations. The Group is also monitoring and assessing the financial and administrative impact of the EU emission trading scheme and a similar scheme proposed by the United Kingdom. |