The risk management framework

Ocado's risk management process is designed to improve the likelihood of delivering our business objectives, to protect the interests of our key stakeholders, to enhance the quality of our decision making, and to assist in the safeguarding of our assets, including people, finances, property and reputation.

The Board is responsible for the identification of Ocado's key strategic and emerging risks, and for the review and approval of the risk management framework. The Audit Committee, delegated by the Board, is responsible for the independent review of the effectiveness of risk management, the system of internal control, and the monitoring of the quality of financial statements and consideration of any findings reported by the auditors, PricewaterhouseCoopers ("PwC"), in relation to Ocado's control environment and its financial reporting procedures.

The key features of our system of internal control and risk management, including those relating to the financial reporting process, are:

  • an organisational structure with clear segregation of duties, control and authority, and a framework of policies covering all key areas;
  • a system of financial reporting, business planning and forecasting processes;
  • a capital approval policy that controls Ocado's capital expenditure and a post-completion review process for significant projects;
  • monitoring the progress of major projects by management, the Executive Directors and by the Board;
  • a Risk Committee which monitors Ocado's risk control processes;
  • an Information Security Committee which monitors Ocado's information security;
  • an Internal Audit & Risk function that provides independent assurance on key programmes and controls;
  • a treasury policy overseen by the Treasury Committee that manages Ocado's cash and deposits, investments, foreign exchange and interest rates, so as to ensure liquidity and minimise financial risk;
  • a food and product technology department, responsible for designing and monitoring compliance with Ocado's processes for the procurement and handling of foods and other goods for resale;
  • other control measures outlined elsewhere in this Annual Report including legal and regulatory compliance and health and safety.

Risk Management

1 Our strategy informs the setting of objectives across the business and is widely communicated.

2 Executive Directors evaluate the most significant strategic risks for the Group. In addition, each divisional Director prepares a risk register for their respective division, highlighting their significant risks. The Risk Committee, whose members are senior executives, reports to the Audit Committee. The Risk Committee oversees risk control processes and risk analysis from each part of the business, reviews these top down and bottom up representations to ensure that no significant risks have been omitted.

3 Divisional directors identify how they will manage or mitigate their significant risks. These mitigation actions are then summarised into a description of the Group-wide mitigation process for each risk.

4 Group-wide risks and mitigation processes are regularly reviewed by the Risk Committee and by the Audit Committee.

What we addressed in 2014

The process described above for identifying, evaluating and managing the principal risks faced by the Group operated during the period and up to the date of this Annual Report. Such a system can only provide reasonable, and not absolute, assurance, as it is designed to manage rather than eliminate the risk of failure to achieve business objectives.

Following a review by KPMG LLP of the effectiveness of the Group's governance framework against market practice for listed companies, management is in the process of implementing the key recommendations. These included enhancing our risk management capability through establishing an Internal Audit & Risk function in July 2014 and consolidating in a common area and format the existing and revised key policies and procedures.

The Audit Committee, on behalf of the Board, undertook an annual review of the effectiveness of risk management and the system of internal control, covering all material controls including financial, operational, compliance controls, and risk management systems.

For further information on the review of financial reporting and for a description of the Company's externally facilitated control and governance review see the Audit Committee report.

What we will be looking at in 2015

Activities to improve our strategic, programme and operational risk management capabilities, including business continuity and information security, will continue in 2015. Our trading strategy is reviewed and amended as necessary to reflect the increasingly competitive grocery trading environment.

2015 will also see us begin to integrate our environmental, social and governance (ESG) risks across the business. Our long-term aim is for integrated reporting, and we see the greater integration of ESG risks throughout the business, along with transparent stakeholder dialogue, as key drivers of this.

The new Internal Audit & Risk function will provide independent and objective assurance and advisory services designed to add value and improve the operations of the business. Its scope will encompass, but not be limited to, the examination and evaluation of the adequacy and effectiveness of Ocado's governance, risk management and internal control processes.

Risks

We have identified 12 principal risks and uncertainties facing Ocado. These are considered by the Board to be material to the development, performance, position or future prospects of Ocado. These risks, mitigations and changes during the year are summarised in the table below. They are not set out in priority order.

ObjectiveRisksMitigation Action/ControlChange During The Year

Driving
Growth

Failure to maintain competitive pricing position

  • Continuation of our LPP basket matching price comparison
  • Maintaining a competitive number of promotional offers and increased availability of free delivery slots for price sensitive customers
  • Creation of a choice of tiered price points within each category

Due to increased competition in the market

A risk of decline in high service levels

  • Weekly monitoring of the key indicators and the underlying drivers against published targets
  • Installation of additional capacity to reduce the pressure on the business and resiliency work in CFC1

Successful increase in operations of CFC2 means that both CFCs are operating with sufficient capacity headroom

Failure to maintain a compelling product range

  • Growth of the Ocado own label range alongside continued provision of the Waitrose range
  • Growth of branded ranges and expansion of supplier base
  • Alternative sourcing scenarios planned in the event that the Waitrose sourcing relationship terminates

Range and supply base have increased during the year

Failure to continue to recruit increasing numbers of new customers and retain existing customers

  • Continuation of investment and optimisation of the marketing channels to acquire new customers

Active customers grew and retention rates improved during the year

Maximising
Efficiency

A risk of delays in the implementation of new capacity for both Ocado and Morrisons

  • Dedication of resources to the modularisation of technology and logistics systems to enable faster replication
  • Preparation of plans for new capacity at CFC3 and CFC4

Future new capacity is reliant on new, unproven, technology

Utilising
Knowledge

Failure to develop a competitive model for further commercialisation

  • Engagement with a wide number of international grocers to understand market needs
  • Experienced teams in place who understand the current solutions and are aware of global alternatives used in other industries

Significant progress in developing the commercial offer but higher risks remain until first OSP deal is signed

Monetising
proprietary
knowledge

Failure to protect current technology and process and failure to ensure that our technology can be freely operated without infringing a third party's IP

  • Processes are operating to identify patentable inventions and to apply for patents
  • Conducting extensive "freedom to operate" searches on selected technologies

Multiple patents now filed but the value of IP has increased so increasing the value to others

Operational

A risk of a food or product safety incident

  • Experienced legal, food technology and health and safety professionals monitor compliance against policies and procedures
  • Supplier approval and certification process
  • Health and safety policies with appropriate operational procedures

Supplier and product numbers have increased and the market has become more sensitive to product issues

A risk of changes in regulations impacting our business operations

  • Regular monitoring of regulatory developments to ensure that changes are identified
  • Monitoring operational performance to minimise environmental impact

Failure of technology or data loss

  • IT systems are structured to operate reliably and securely
  • Denial of service protection service is in place
  • The security of our IT systems is regularly tested by third parties
  • No customer payment card data is held on Ocado's databases
  • Access to customer personal data is restricted to those who need this information as part of their job

Business interruption

  • Dedicated engineering teams on site with daily maintenance programmes to support the continued operation of equipment
  • Insurers advise on engineering and risk management in the design and operation of the CFCs
  • High level of protection for CFCs and equipment

Opening of more spokes reduces reliance on any one particular spoke

A risk of unintentional infringement of competition legislation

  • Issued a revised competition compliance policy in 2014
  • Conducted training of key personnel and deployed an e-learning tool for all personnel in every department having access to trading data
  • Physical and technical firewalls installed to separate those teams who need to deal with sensitive Morrisons' data, in order to provide the services to Morrisons, from those running the Ocado offer

The risk that future efficiency improvements may be limited, previously reported in last year's annual report, is no longer considered to be a principal risk because Ocado has reached a level of efficiency sufficient to ensure the viability of the business.

Fish on chopping board