The board is committed to a robust and comprehensive risk management process. Underpinning the operation of, and central to, the risk management process is the culture of the Group, led by the board, of openness, transparency, trust and accountability. On behalf of the board the audit committee reviews and challenges the effectiveness of the risk management process.

Risk Management Cycle


The board manages risk in accordance with the Risk Management Framework (“RMF”) under the Group’s Risk Management Policy and Procedure. The RMF is aligned to the business objectives and strategy. A key component of the RMF for the board is that, whilst the RMF enables a robust assessment of risk, it is also practical and proportionate. This ensures that the RMF is embedded into the day-to-day business processes across the Group, to drive risk awareness and risk culture. The board continues to build upon the RMF to respond to any future change in the Group’s risk profile. In the financial year to 30 April 2017, the board developed its risk appetite work and agreed a set of Group level risk appetite statements aligned to the Group’s principal risk areas. The statements set out the board’s risk taking approach to ensure a balanced view between risk aversion, opportunity and gains, against a background of maintaining reputation, financial stability and compliance. As part of the assurance for the board the operation of the RMF is facilitated by an Internal Risk Management function. Individual risks are also mapped onto the Internal Audit plan for the year. As part of the risked based internal audit process, the internal audit team assesses the gross and net risk ranking assigned by the risk owners to underpin the robustness of the operation of the RMF. The RMF is also subject to an annual review by Internal Audit. Key areas of current focus are to strengthen the three lines of defense:

(i) risk ownership

(ii) risk management and compliance, and

(iii) internal audit.

Risks are identified, assessed and recorded by the Micro Focus and SUSE Product Portfolios and the Group functions. Each product portfolio director and Group function head is responsible for the identification, assessment and management of risk in their area. Each risk is owned by an individual in that area. The process includes the use of risk registers, one to one interviews with product portfolio directors, Group function heads and board members. Risks are assessed on a gross and net basis against a consistent set of criteria defined by the board. The criteria measures likelihood of occurrence against potential impact to the Group including financial results, strategic plans, operations and reputation. Each risk is allocated a risk appetite category and a risk tolerance; changes in the risk profile are tracked at each reporting point in the year. The assessment includes current and emerging risks, as well as internal and external threats. Existing controls and improvement actions are recorded on the risk register for each risk.

The RMF contains a continuous cycle of review and reporting over the year. No fewer than five times a year, following one to one interviews with the business area directors and Group function heads, the individual risk registers are consolidated to form the Group risk profile. The Group risk profile is reported to the Executive Directors for monitoring, review and challenge. A report is made to every Audit Committee meeting in the year for review and to challenge the effectiveness of the RMF and then approval by the board. As part of the RMF an annual review of risk is also undertaken, this is aligned with the annual review of Internal Audit. These annual reviews focus on areas for improvement in the process, as well as the key emerging areas of risk for the Group in the year ahead. The board and the audit committee also received detailed risk assessments as part of reports on material projects.