Risk management is built into our daily activities and is an integral part of how we work. Risk management involves the identification and evaluation of risks, and is the responsibility of the Group Board. The Group's ability to manage risk is continually improving through the focus on risk management capability to ensure that it remains robust and that emerging risks are identified, assessed and managed effectively.

The risk management process incorporates both top-down and bottom-up elements to the identification, evaluation and management of risks, and all risks evaluated are referenced to the Group's strategy. Key business risks are formally identified, reviewed and updated by the Group Executive Committee ("GEC") every six months using a risk scoring methodology. Each risk is categorised based on likelihood and potential impact. Once agreed with the GEC, the risks are plotted on a risk matrix and submitted to the Audit Committee for approval and subsequently to the Board. Mitigating controls are identified and opportunities for the enhancement of the Group's control environment are implemented.

Further information on the Group's risk management procedures is included in the Corporate Governance section.

There are a number of potential risks and uncertainties which could have a material impact on SIG's long-term performance. The risk identification, monitoring and reporting framework together with the key risks and uncertainties identified as part of the Group's risk management process are as follows:

Risk identification, monitoring and reporting framework

Top-Down: responsibility for implementing

The Board

  • Sets strategic objectives
  • Approves risk governance structure and agrees risk appetite
  • Sets delegation of authority
  • Receives and reviews Group Risk Register
  • Receives and reviews Audit Committee reports on risk governance and internal controls

Audit Committee

  • Considers adequacy of risk management and internal control framework
  • Receives and reviews reports from the Group Risk Function
  • Receives and reviews reports from independent assurance providers
  • Receives Audit Programme

Group Executive Committee

  • Ensures risk management is embedded into all processes
  • Reviews Group Risk Profile

Operating Company Management

  • Management and employees are responsible for the identification, management and reporting of local risks
  • Maintenance of local risk registers
  • Implementation of control framework and risk mitigation plans

Group Risk Function

  • Conducts continual review of risks and risk controls
  • Concludes on treatment of risks
  • Reviews and reports on risk to the Audit Committee and Board
  • Formulation of strategy and policy
  • Tracks risk management activity in the operating companies

Central Support

  • Provides targeted expertise and support to risk owners
  • Develops and maintains risk specific controls

Independent Assurance

  • Internal audit
  • External audit
  • Quality standards audit
  • Insurer and property risk surveyors
  • Audit Committee and Board

Bottom-Up: accountability for monitoring

Principal Risks

1. Market conditions
2. Competitors and margin management
3. Commercial relationships
4. Government legislation
5. Availability of funding
6. Working capital and cash management
7. IT infrastructure and cybersecurity
8. Availability and quality of key resources

Principal risk matrix

2016 developments

Throughout 2016 SIG has continued to develop the integrated approach to its risk and assurance activities. Specifically, the following improvements were implemented:

  • Continued review of the internal control and risk management framework including architecture, strategy and protocols.
  • Implementation of a data warehouse, which improved financial analyses, data security and the overall control framework, and allowed for improved disaster recovery and better quality of reporting.
  • Extended scope of fraud risk management framework, including delivery of risk management and fraud awareness training across the Group to help confirm a consistent approach in embedding risk and fraud awareness practices throughout the business, as well as educating employees on the importance of these disciplines.
  • Enhancement of self-certification processes, ensuring they remain consistent with the dynamic risk and fraud environment.
  • External review of cybersecurity framework, including awareness policies and controls.
  • A cyber-strategy framework for the Group was defined, with a programme of activity which included obtaining "Cyber Essentials" certification, attendance at peer group Information Security Round Table meetings, membership of the Government Cybersecurity Information Sharing Partnership ("CISP") programme and engaging with Templar Executives, an industry-leading cybersecurity company.

Planned improvements for 2017

SIG will continue to improve its risk management processes with a number of initiatives:

  • Data warehouse to be further improved by providing a single point of data for operating companies with enhanced security and disaster recovery.
  • Review of risk management software to improve risk identification and drive consistency.
  • Continued development of Group-wide control framework forums to identify and drive best practice.
  • Monitoring of the terms of the UK exit from the EU that could have implications on the requirements or regulations that are applicable to the business of the Group.
  • A full roadmap and plan for appropriate cybersecurity is being reviewed by senior management which includes investment in people, services and technology.

Throughout the year the risks that SIG faces have been critically reviewed and evaluated. The assessment of the most significant risks and uncertainties that could impact SIG's long-term performance is outlined in this section of the report. These risks are not set out in any order of priority and they do not comprise all the risks and the uncertainties that SIG faces. These risks have been reviewed throughout the year and they have not materially changed since 2015.

Principal risk; Trend; Key mitigation activities include; Our focus in 2016

1. Market conditions

The Group is exposed to changes in the level of activity and therefore demand from the building, construction and civil engineering industries.

Government policy and expenditure plans, private investor decisions, the general economic climate and both business and (to a lesser extent) consumer confidence are all factors which can influence the level of building activity and therefore the demand for many of the Group's products.

Relevance to strategy: 1, 2

  • Maintain a broad spread of markets, products and customers to limit risks and act as a natural hedge within any given territory
  • The Group Board's portfolio review ensures that the Group's capital is appropriately allocated to the geographies and markets which remain core
  • Continual review of all available indicators of market activity and regular communication with key suppliers and customers to ensure that any change in market demand is anticipated as early as possible
  • Ensure the Group remains structured in a way that enables it to take prompt action in the event of a material change in the trading environment
  • Ensure the Group maintains a strong balance sheet and financial position
  • Restructuring actions
  • Strategic Initiatives
  • Selected ROCE-enhancing acquisitions
  • Further diversification through investment in specialist niche markets
  • Rebranding

2. Competitors and margin management

Challenging market trading conditions mean that competition pressures from direct specialist competition and the overlap with general suppliers remain high, which in turn results in continued margin pressures being faced by the Group.

Relevance to strategy: 1, 2

  • Strong trading presence and positions in the majority of the markets in which the Group trades
  • Initiatives designed to improve the Group's core competencies surrounding customer service, sales support and training
  • Ongoing pricing and purchasing initiatives, including supplier rebates, designed to improve gross margin
  • Tight control of operating costs
  • Significant investment in the branch network and distribution capability, people, IT infrastructure and product offering
  • Diversified portfolio of products, customers and markets limits the risk from any single competitor
  • Specialist training
  • Investment in IT
  • Professionalising procurement and pricing management

3. Commercial relationships

Failure to negotiate competitive terms of business with suppliers or failure to satisfy the needs of customers could harm the Group's business. Customer or supplier consolidation and/or manufacturers dealing directly with customers.

Relevance to strategy: 1, 3, 4

  • Ongoing pricing and purchasing initiatives designed to improve gross margin
  • The Group has extensive and regular dialogue with all commercial partners to maintain strong relationships
  • Key supplier/customer harmonisation and national account strategy planning
  • The Group is not overly reliant on any one supplier and all businesses undergo alternative key supplier scenario planning
  • No significant customer dependency. Continued focus on customer service to maintain excellent relationships including monitoring of customer satisfaction
  • Strategically important supply chain partners are reviewed globally to assess their financial health
  • Monitoring of customer behaviour and performance
  • Procurement Initiative
  • Commercial partner relationship and rationalisation

4. Government legislation

SIG operates in a number of countries, each with its own laws and regulations, encompassing environmental, legal, health and safety, employment and tax matters. Changes in these laws and regulations, including as a result of Brexit, could impact on SIG's ability to conduct its business, or make the conduct of such business more expensive.

There is also the reputational and financial cost of being penalised for non-compliance.

Relevance to strategy: 5

  • Embedding and operating a zero harm culture
  • Dedicated resource to monitor compliance with legal and regulatory matters
  • Active monitoring of relevant laws and regulations to ensure that any changes to the legal framework are identified and effects minimised
  • Review of policies and procedures with reference to changing legislative requirements and the provision of associated training
  • Affiliation with regulatory bodies and trade associations
  • Strong internal control framework, policies and culture supported by strong leadership, accountability and commitment throughout the organisation
  • Continuous monitoring of political environment
  • Continuous review of business plans in order to minimise SIG's exposure to potential changes in Government policy
  • Compulsory risk management training programmes (eg data protection and anti-bribery and corruption) for employees, appropriate to their roles, in order to increase awareness of potential risks
  • 'Zero Harm' programme
  • Training and development programmes

5. Availability of funding

Group net debt at 31 December 2016 amounted to £259.9m (2015: £235.9m).

The Group has to manage the following risks relating to its net debt:

  • future availability of funding
  • interest rate risk
  • foreign currency risk
  • compliance with debt covenants
  • counterparty credit risk.

  • Regular meetings of the Tax and Treasury Committee
  • Comprehensive Treasury Policy (please see the Treasury Risk Management section)
  • Regular monitoring, including sensitivity analysis, to understand the impact of interest rate and exchange rate movements
  • Active hedging programme in place
  • Monitoring performance against covenants on the Group's Revolving Credit Facility and private placement notes
  • Regular discussion with banking and private placement partners
  • Maintaining a strong balance sheet to enable access to cost effective sources of third party funding
  • Refinancing of maturing private placement debt and securing facilities to ensure certainty of funding for the medium to longer term
  • Initiatives to manage and improve the Group's leverage position

6. Working capital and cash management

Failure to manage working capital effectively may lead to a significant increase in the Group's net debt, thereby reducing the Group's funding headroom and liquidity.

Relevance to strategy: 1, 3

  • Post-tax Return on Capital Employed is a Key Performance Indicator of the Group
  • Cash flow targets are agreed with each business unit as part of the annual budget process and reviewed on a monthly basis
  • Stringent authorisation procedures to control capital expenditure
  • Proactive credit management systems supported by daily customer monitoring systems
  • Branch reviews
  • Strategic Initiatives
  • Investment in IT

7. IT infrastructure and cybersecurity

SIG uses a range of computer systems across the Group. Outages and interruptions could affect the ability to conduct day-to-day operations, which could result in loss of sales and delays to cash flow.

Key systems are breached causing financial loss, data loss, disruption or damage.

A new ERP system is currently being implemented within the UK distribution businesses.

Relevance to strategy: 1, 3, 4

  • Continual review of IT strategies to ensure they remain appropriate
  • Business continuity framework
  • Dedicated internal IT support team together with external support providers
  • Regular updates to technology, infrastructure, communications and application systems
  • The Group is continuing to invest in advanced hardware and software security to ensure protection of commercial and sensitive data
  • For new IT projects, external consultants are utilised in conjunction with internal project management teams
  • Collaborative cross-functional risk group in place
  • Formal security and information assurance governance structures to oversee and manage cybersecurity and similar risks
  • Roll-out of the new ERP system for the UK distribution businesses has continued during the course of 2016 and this will be completed in 2017
  • Awareness of increased exposure to cyber-crime and actively sharing IT security information through industry and security forums
  • External review of cybersecurity framework
  • Implementation of a data warehouse
  • Attainment of Cyber Essentials certification
  • Joined CISP

8. Availability and quality of key resources

Unavailability of key resources (eg assets such as property, stock and personnel) will impact on the ability of SIG to operate effectively and efficiently.

Failure to attract and retain key individuals, strong management and technical staff in the future could have an adverse effect upon the Group's business.

Relevance to strategy: 1, 3, 5

  • Strategic and budget reviews ensure all key resource requirements are identified and managed
  • Senior management succession planning
  • Continue to evolve a defined people strategy based on culture and engagement, talent management, training and reward recognition
  • Provision of channels for employees to raise concerns to promote an environment of honesty and trust
  • Increased employee communication and engagement
  • Implemented detailed succession planning for senior management
  • Increased training through 'Raising the Bar' programme for Senior Leadership Team
  • Establishment of RISE Programme, the new high potential development programme, designed to identify and progress SIG's future leaders and support our strategic growth going forward

Relevance to strategy

1. Improving our customer focus
2. Innovation and value added sales
3. Supply chain
4. Procurement
5. People

Understanding movements in business risks

Increase

No change

Decrease