Identifying and managing risks
ARM has a robust risk management process in place to identify key risks; assign ownership for each risk at a senior management level; identify both existing and planned management activities against each risk; assess the residual likelihood and impact of each risk; and ensure ongoing monitoring and reporting of each key risk.
At a strategic level, our risk management objectives are to:
Strategic risks are managed through a number of regular forums where key risks are discussed and existing management activities challenged. These include regular sessions with both the Board and senior management.
Operational risks are managed in accordance with the ARM Management System (AMS), which defines internal controls across the organisation. ARM has a number of internal controls and processes in place to provide assurance on compliance with the AMS.
Determining the Group’s willingness to take on risk (its “risk appetite”) is the starting point of an effective risk management and review process. ARM’s risk appetite differs across the activities that are necessary to maintain and grow our business. The most important elements for ARM are our people and systems to develop new technologies and products, our ecosystem, our brand and reputation, and compliance and regulatory matters. In these areas we have a low appetite for risk, and the Group has more internal controls and processes to minimise the probability or impact of a risk occurring.
Strategic and operational risks are identified, prioritised and reported on within the Corporate Risk Register (CRR). The CRR includes a description of the overall risk, the risk factors, the risk owner and the risk management activities, including operational and oversight activities as defined in the “three lines of defence” model*. Residual risks are assessed in terms of likelihood and impact on the basis that the risk management activities assigned to them are operating effectively and an overall RAG (Red, Amber, Green) rating is generated, taking the risk appetite statement into account where appropriate. Plans to monitor and mitigate individual risks are then included within the relevant objectives of the Group’s operations and functions. Risks are identified through senior management discussion (top down) and regular reporting from every part of the business (bottom up).
The CRR is monitored by the Risk Review Committee, chaired by Mike Muller, Chief Technology Officer. The Risk Review Committee meets on a quarterly basis to review the CRR. Each risk owner is required to review and demonstrate that risks are being appropriately managed. A more detailed explanation of the Risk Review Committee’s activities is included in the Governance and Financial Report 2015 on pages 12 to 14. The Audit Committee is responsible for overseeing the risk management framework and ensuring that the risk review process is operating effectively. The Executive Committee and the Board review the CRR on a regular basis.
ARM’s Internal Audit function develops an annual audit plan to provide assurance that the risk management activities identified to mitigate risks are designed and operating effectively and that corrective action is being taken where necessary.
ARM’s strategy is to develop and deploy energy-efficient technology; to enable innovation through a broad ecosystem of Partners, building on our shared success; and to create superior returns for our shareholders by investing in long-term growth. ARM’s principal risks may impede ARM’s progress in executing this strategy. The table on the next page shows ARM’s principal risks and which element of the strategy each could impact.
The Group’s strategic plan covers a five-year period, over which the directors have made assumptions regarding the Group’s revenues, operating costs, dividends, cash requirements and capital structure. A five-year planning period is appropriate because of the duration of the Group’s product development cycle (see pages 24 to 25).
The projections for the first three years of the plan are based on current licensing opportunities and foreseeable royalty revenues. There is inherently less certainty in the projections for years four and five. The directors have therefore determined that three years is an appropriate period for the viability statement.
In assessing the Group’s prospects and resilience, the directors considered the Group’s current business position and risk appetite. The conclusions were stress-tested by analysing the principal risks to the Group’s business model, performance, solvency and liquidity (see pages 36 to 39). The directors believe the principal risks to viability are: a shift in industry practice (risk 1), the risk posed by the success of a major competitor (risk 2), and risks to reputation (risk 7), since crystallisation of these risks would have the potential to damage the Group’s financial position.
Based on this assessment and the mitigating actions described, the directors have a reasonable expectation that the Group will be able to continue in operation and meet its liabilities as they fall due over the period to December 2018.
* The “three lines of defence” model is a widely used methodology for monitoring, evaluating and improving risk management effectiveness.