Tesco – Risk responsibilities

Accepting that risk is an inherent part of doing business, our risk management systems are
designed both to encourage entrepreneurial spirit and also provide assurance that risk is fully
understood and managed. The Board has overall responsibility for risk management and internal
control within the context of achieving the Group’s objectives. Executive management is
responsible for implementing and maintaining the necessary control systems. The role of Internal
Audit is to monitor the overall internal control systems and report on their effectiveness to
Executive management, as well as to the Audit Committee.
Key to delivering effective risk management is ensuring our people have a good understanding of
the Group’s strategy and our policies, procedures, values and expected performance. We have a
structured internal communications programme that provides employees with a clear definition
of the Group’s purpose and goals, accountabilities and the scope of permitted activities for each
business unit, as well as individual line managers and other employees.
We operate a balanced scorecard approach that is known within the Group as our Steering Wheel.
This unites the Group’s resources around our customers, people, operations, community and
finance. The scorecard operates at every level within the Group, from ground level business units,
through to country level operations. It enables the business to be operated and monitored on a
balanced basis with due regard for all stakeholders.
The Group maintains a Key Risk Register. The Register contains the key risks faced by the Group
including their impact and likelihood as well as the controls and procedures implemented to
mitigate these risks. The content of the Register is determined through regular discussions with
senior management and review by the Executive Committee and the full Board.
The risk management process is cascaded through the Group with every international CEO and
local Boards maintaining their own risk registers and assessing their control systems.
Risk strategy
The same process also applies functionally in those parts of the Group requiring greater overview.
For example, the Audit Committee’s Terms of Reference require it to oversee the Finance Risk
Register. We also have a Corporate Responsibility Risk Register which specifically considers Social,
Ethical and Environmental (SEE) risks. Oversight of these risks is the responsibility of the Corporate
Responsibility Committee.

Discussion Question
Discuss the following statement using the case study as a basis “Key to delivering effective risk
management is ensuring our people have a good understanding of the Group’s strategy and our
policies, procedures, values and expected performance.”
Source: Hopkin, P. (2010), “Fundamentals of Risk Management”, The Institute of Risk Management