Corporate governance report
Audit, risk and internal control continued

RISK MANAGEMENT AND RISK AND RESILIENCE COMMITTEE

The Committee considers that the processes in place to manage risk by the Board are robust and working effectively.

In FY21, management proposed to enhance this process by establishing a ‘Risk and Resilience Committee’ – this is an Executive Committee, not a formal Board Committee. It is chaired by Laura Carr, the Chief Financial Officer, and attended by Dawn Durrant, Company Secretary, as well as the Chief Information Officer, the Group Finance Director, the Head of Health and Safety and other senior representatives from other functions.

This Committee meets monthly to carry out a ‘deep dive’ into one of the principal risks with the relevant Executive owner. At each meeting, a detailed cross-functional internal peer review of the risk and mitigations is conducted to provide challenge and to identify any cross-functional dependencies or impacts, and any emerging risks. Standing agenda items for each meeting also include a review of cyber security, and of KPIs associated with each principal risk that are used to identify any failures in risk mitigation which would require management action. The intention is to review each principal risk at least once a year, with the highest-impact risks (measured by likelihood and severity) reviewed at least twice a year.

In FY21 the principal risks reviewed were: IT systems, data and cyber security; Competition, market and customers; Supply chain disruption; People and culture; and Climate change and environment. A summary of the conclusions and actions is circulated to the Executive Board after each meeting and the Audit and Risk Committee is updated at each meeting.

The Audit and Risk Committee carried out a formal risk review in September 2020, February 2021 and September 2021. In each case the Committee noted that specific consideration was given through the risk review process with management and by the Executive Board, Audit and Risk Committee and Board discussions to any ‘emerging risks’, or risks which have increased in severity, for example, this included in the year the increasing importance of climate change.

The Board held one of its regular discussions of ‘What keeps us awake at night?’ in June 2021, coupled with a review of the factors which make Dunelm able to withstand the impact of a low probability, high impact risk, or more than one risk impacting simultaneously. This was fed into the review of principal risks in September 2021. In February 2021 we removed ‘Brexit’ from our principal risk register, reflecting the fact that potential disruption from leaving the European Union had been successfully mitigated and its ongoing impact is not material. We also noted that individual principal risk topics are reviewed by the Board through the rolling agenda, as well as consideration of the output of the executive Risk and Resilience Committee, see above.

In June 2021, the Committee adopted a formal Risk Appetite Statement, which can be found on our website at corporate.dunelm.com. This is brought to life in a practical way by the KPIs which we use to measure the effectiveness of the mitigations in place in respect of our principal risks. These are reviewed monthly by the Risk and Resilience Committee; if measures go into the ‘red’ tolerance zone, this is highlighted to the Executive Board so that action can be taken if needed. The KPI measures are also reviewed by the Committee and the Board as part of the twice-yearly review of principal risks.

We also asked KPMG, our Internal Auditor, to carry out a risk assurance exercise, and this was presented to the Committee in June 2021. This was designed to assess the internal and external assurance measures in place to measure the effectiveness of the risk mitigations. The review concluded that:

• There is a significant level of assurance activity across all three ‘lines of defence’, with compensating controls where no assurance activity has been identified
• All principal risks are subject to the explicit oversight of the Executive and the Group Board
• There is a degree of overlapping activity, for example at the Risk and Resilience Committee and the Performance Executive meeting
• Management has identified a number of gaps or additional activity it would like to introduce, and these will be progressed

During the year, the Committee also reviewed our business continuity planning, including IT continuity, noting the continued progress being made to keep these up to date and improve them; and our insurance programme which it considered to be satisfactory.

136 DUNELM GROUP PLC ANNUAL REPORT & ACCOUNTS 2021