Risk management and internal controls


The Board is responsible for reviewing and approving the Group’s governance framework and ensuring its adequacy and effectiveness, as set out in the Financial Reporting Council’s 2014 Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. Internal controls, which include financial, operational and compliance and risk management systems, are central to this framework.

The Atkins code of conduct, ‘Behaving the Atkins Way’ (the Group Code of Conduct) sets out the standards and behaviours that all employees should consider when making decisions or taking actions. The Group Code of Conduct forms part of our corporate governance framework and is an important element of our corporate compliance programme.

The Group’s values and ethics permeate each category of the governance framework, as do controls with regard to quality, safety, security and environment (QSSE), people and audit and risk management. The governance framework is illustrated below.

Governance framework


The governance framework reflects the devolved and decentralised structure of the Group, which is considered a key part of the Group’s ability to deliver services to its clients. Under this structure the Board has delegated operational responsibility to the CEO who then delegates authority and control to the regional, Acuity, Energy and Faithful+Gould CEOs (who are all members of the senior leadership team and operational leadership team). Authority is further delegated from them to the managing directors of the principal operations and then downward to business and project managers as appropriate. This is reflected in the framework as follows:

  • the Group policy statements approved by the Board set out clearly and succinctly Atkins’ vision, commitment and arrangements, including: business conduct, risk management, employment, excellence in delivery, health, safety and security, sustainability and stakeholder communication
  • Group controls set out mandatory activities and standards that are part of the overall Group processes and apply across the Group
  • the Group Code of Conduct sets out behavioural expectations for everyone who works for and represents Atkins, the purpose being to reinforce the controls and underpin the ethics and values that apply across the Group, thereby protecting the reputation of our business and maintaining our professional standing and brand
  • a Group Business Management System (BMS) framework incorporates all Group controls and forms the basis of each business’ BMS, each of which adds the regional and industry-specific controls it requires to deliver our four key business processes of win work, deliver work, people and business operations, providing a single source of information for employees that enables them to understand their responsibilities and comply with all Atkins’ requirements.

The following principles are key to the successful operation of the framework:

  • authority is delegated within clearly prescribed limits (under the Group’s authority matrix)
  • decisions are escalated where either project size or risk profile requires a higher level of authority
  • activity and performance are tracked through monthly and quarterly reports
  • effectiveness is audited via internal audit and self-assessment reviews.

The governance framework is designed to manage, rather than eliminate, the risk of failure to achieve stated business objectives. It can only provide reasonable and not absolute assurance against material misstatement or loss.

Joint ventures and other investments in which the Company does not have overall control are not covered by the Group’s governance framework. For these joint ventures and other investments, systems of internal control are applied as agreed between the joint venture parties or by management, but as far as possible we seek compliance with our governance requirements as a minimum.

Region/business performance controls

Strategic plans and annual budgets are developed via a structured process which ensures that each business responds appropriately to market opportunities within an overall strategy for the Group. These plans and budgets are reviewed formally by the CEO, Group finance director and Group HR director before finally being approved by the Board.

The performance against targets of each region, Acuity, Energy and Faithful+Gould is reviewed quarterly by the CEO, Group finance director and Group HR director. These reviews are wide-ranging, covering matters including quality, safety, security and environment, financial performance and forecasts, employee matters and commercial, risk, strategy and operational matters.

In addition, the CEO and management team of each region, Acuity, Energy and Faithful+Gould prepare a business review and management accounts for the region, Acuity, Energy and Faithful+Gould on a monthly basis. The Group finance director and Group financial controller also review monthly financial performance. These monthly financial performance updates are consolidated and distributed to the Board and regional chief executive officers and finance directors as part of the Group management accounts.

Each of the regions and the Acuity, Energy and Faithful+Gould businesses has a management board, which varies in size and composition to meet the specific needs of the region or business but always includes at its core the CEO, finance director, commercial director and HR partner for that region or business. These management boards are responsible for the day-to-day operations of our businesses.

The Group finance function reviews the annual self-certification process undertaken by management, which requires managers throughout the Group to personally confirm the testing of the key internal controls and compliance with Group policies, standards and procedures within their business or function and the steps taken to address actual or potential issues that are identified. Central reporting enables good practice to be shared throughout the Group.

Project controls

The primary objective of the Group’s project systems and controls is to deliver business objectives and customer requirements in an efficient and consistent manner. These systems and controls are in place to minimise the risk of errors and omissions on projects, and to maximise the delivery of the required technical quality to customers and the required profitability to the Group.

Controls are in place to ensure that the right people review and approve bids, projects and purchases and that appropriate and focused reporting provides managers with the right information to make informed decisions. The system provides common processes to deliver maximum efficiency.

While significant responsibility for commercial issues is delegated to the businesses, there are consistent controls in place to ensure the Group is able to assess and manage overall business risk. This is set out in the commercial and risk standard.

Our business management systems include policies, standards, processes, procedures, guidance, plans and other tools such as pro forma documents specific to the needs of the business. They are implemented to support the management and the control of risks and to ensure activities are effectively controlled.

The Group authority matrix summarises the authority of employees at each level of the organisation to commit the Group to transactional expenditure and commercial liabilities in the course of their duties. It has been designed to allow the Group to operate flexibly and efficiently. Controls are in place to ensure the Group authority matrix and procedures around its operation and management are adhered to.

A service delivery process has been adopted to enable us to realise value from opportunities for customers, the Group and partners while always adhering to the Group’s Code of Conduct. The commercial framework and the associated service delivery process are applied over the full life cycle of a project, from the receipt of a project or services lead, through bidding, to project delivery and project closure. This process overlays requirements and responsibilities on our managers to ensure a consistent, controlled approach to the control, evaluation and monitoring of bids and projects.

Each bid and each project has a project manager and a project director appointed to it. These individuals are responsible for ensuring the project is carried out in accordance with the Group’s business management system. Controls exist to identify individuals who are suitable for these roles.

Commercial standards, procedures and guidance notes have been developed to help bid and project managers and directors understand specific commercial issues and legal issues associated with international trading in the bidding process and also during the delivery of projects. While the Group commercial standards and procedures are mandatory, guidance notes are advisory and provide the background to specific commercial and legal issues. The guidance notes are reviewed annually to ensure they are up to date and relevant.

An annual risk review of all parts of the Group is undertaken with the assistance of the Group’s insurance brokers. This review is based on interviews with key management and assists in determining the risk profile of the Group. These results are shared with the Group Risk Committee and the Board. Risk registers are produced throughout the Group in accordance with the risk management policy, including project and business risk registers, which feed into the Group risk register, which is split into strategic and operational risks. Project risk registers form an integral part of the business management system and service delivery process while the Group risk register is reviewed by the Group Risk Committee and the Board.

Project summary reports are one-page summaries of the financial status of projects at a point in time. The project manager, project director and lead engineer are required to approve the report on a monthly basis.

Project audits are carried out by the internal audit function. The activities of this function are described in more detail below.

Quality, safety, security and environment (QSSE)

The Board sets Group policies on corporate sustainability, including QSSE. The CEO is the Board member responsible for corporate sustainability and for the Group’s performance, supported by Groupwide frameworks. A common management structure governs QSSE. The Group technical and QSSE director, who reports to the CEO, is responsible for Group QSSE. Each business also has dedicated QSSE representatives.

Corporate sustainability-related Group policy statements include excellence in delivery, health, safety and security, sustainability, business conduct and employment. These are published on the Group’s intranet and website. They are reviewed regularly and updated to reflect changes to legislation, emerging good practice and business needs.

A summary of the Group’s corporate sustainability activities is provided for shareholders in the section of the Annual Report entitled 'Our responsibility'. In addition, the Group provides further information on corporate sustainability, which includes detailed information in respect of safety leadership and performance, carbon reduction, respect for the environment and working with our community in the corporate sustainability section of our website.

Business conduct

Our business conduct policy sets out the standards of behaviour we expect from Atkins staff in our dealings with clients, suppliers, colleagues and other parties. The areas it covers are illustrated below.

Atkins business conduct


A guidance note on bribery and corruption is in place to help our people identify and report any suspicious behaviour exhibited by clients and partners that may expose Atkins to legal risk.


The Group’s principal objective is to maintain a culture and an environment within which talented professionals can be recruited, retained, developed and deployed to work in support of its clients. Significant effort is made to treat staff consistently and fairly yet at the same time as individuals.

The Group endeavours to operate cohesively. However, people are employed in several countries where employment practices and legislation differ from the UK. In these jurisdictions the Group operates in compliance with local requirements.

A range of business controls are maintained to ensure that the Group:

  • identifies and satisfies resource requirements
  • selects people with the requisite skills, qualifications and experience
  • manages employee performance and drives engagement
  • develops the careers and capabilities of individuals and the Group
  • encourages and supports the mobility of talent and careers across the organisation
  • assures the health and well-being of all staff
  • manages employment obligations, liabilities and risks.

More information on the Group’s people is provided in the People section within the Annual Report.


The Board has established a Group Risk Committee, chaired by the CEO, to provide assistance with the day-to-day management of risk and to oversee the operation of the Group’s risk management framework.

The members of the Group Risk Committee comprise the CEO, the Group finance director, the Group HR director, the company secretary, the Group legal director, the head of internal audit, the Group commercial and risk management director, the Group insurance manager, a representative of senior management from one of the businesses and the Group technical and QSSE director. The representative of senior management changes on a rotational basis.

The Committee usually meets three times each year.

The chairman and non-executive directors are invited by the CEO to attend committee meetings. In particular, the chairman of the Audit Committee is requested to attend meetings. The company secretary, or their nominee, acts as secretary to the Committee.

The Committee’s responsibilities include:

  • reviewing significant risks and ensuring they are being actively managed
  • instilling risk awareness into Atkins’ corporate culture and sharing knowledge and best practice
  • reviewing and monitoring the changing risk profile for the Group
  • reviewing the continued relevance of the Group’s insurance programme arrangements
  • reviewing significant claims arising in the period together with lessons learned
  • reporting to the Board and Audit Committee on its activities.

Internal audit

The Group aims to ensure that all its activities are adequately controlled to mitigate risk and support achievement of objectives, while avoiding the creation of excessive bureaucracy. The internal audit function supports this aim by providing the directors, through the Audit Committee, with an objective evaluation of the Group’s governance framework. The internal audit function also aims to raise levels of understanding and awareness of risk and control throughout the Group.

The head of internal audit reports to the Group finance director and the chairman of the Audit Committee and, through the Audit Committee, to the Board.

The internal audit function has unlimited access to records, staff and data (subject to any formal client restrictions). The head of internal audit will report any concerns about restrictions placed on the authority or scope of the team’s work to the CEO, Group finance director and Audit Committee.

Ernst & Young (EY) has been appointed to provide internal audit services to the Group. This arrangement seeks to ensure that the function is fully resourced, leading edge and able to draw on the resources and specialist expertise of the wider EY group. An EY employee holds the position of head of internal audit.

The internal audit function is independent and free from interference in determining the scope of internal auditing, performing audit work and communicating results. It operates within the terms of its charter as laid out on the Group’s intranet and complies with the Standards and Code of Ethics of the Institute of Internal Auditors. Should the head of internal audit become aware of any non-compliance, the CEO, Group finance director and Audit Committee would be informed.

Independent audit

The external audit is an important independent control.

The appointment of the independent auditor is approved by shareholders annually. The independent auditor’s audit of the financial statements is conducted in accordance with international standards on auditing issued by the Auditing Practices Board. The independent auditor, currently PricewaterhouseCoopers LLP (PwC), provides the following:

  • a report to the Audit Committee giving an overview of the results, significant contracts and judgements and observations on the control environment
  • an opinion on the truth and fairness of the Group and Company accounts
  • an internal control report, following its audit, highlighting to management any areas of weakness or concern.

As required by the UK Corporate Governance Code (the Code), we put the independent audit contract out to tender during the year ended 31 March 2016. The tender was conducted with the intention that a new independent auditor be appointed from 1 April 2017. We chose this timeframe to ensure an orderly transition from PwC to the new audit firm. A full and competitive tender process was followed, culminating in the Audit Committee recommending to the Board that KPMG LLP (KPMG) be appointed as independent auditor for the financial year ending 31 March 2018. KPMG’s appointment will be subject to shareholder approval at the 2017 AGM. Further details on the audit tender are provided in the Annual Report.

There are no contractual obligations restricting the Company’s choice of independent auditor.

Adequacy and effectiveness of internal controls

The Board monitors and reviews the adequacy and effectiveness of the Group’s governance framework, which includes internal controls and risk management, on a continual basis throughout each year. Support is provided by the Board’s committees, the internal audit function and the Company’s independent auditor.