RNS Number : 4812Z


18 September 2020

NCC Group plc

(the "Company" or the "Group")

Notice of Annual General Meeting 2020

The Company confirms that its Notice of Annual General Meeting 2020 ("AGM Notice") and its Annual Report and Accounts for the year ending 31 May 2020 ("Annual Report") have been posted or otherwise been made available to shareholders and published on the Investor Relations section of its website (www.nccgroup.com/investor-relations). The Annual General Meeting will be held at 10.30 am on Tuesday 20 October 2020 at the Company's Head Office, XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.

Copies of the Annual Report and the AGM Notice have been submitted to the National Storage Mechanism and will shortly be available for inspection at www.morningstar.co.uk/uk/NSM .

A condensed set of the Company's financial statements and extracts were included in the Company's preliminary results for the year ended 31 May 2020 released on 3 September 2020 (the "Preliminary Announcement"). The information included within the Preliminary Announcement together with the information set out below, which is extracted from the Annual Report, constitute the material required by Disclosure Guidance and Transparency Rule 6.3.5 to be communicated to the media in full unedited text through a Regulatory Information Service. This announcement and the Preliminary Announcement are not a substitute for reading the full Annual Report. Page numbers and cross-references in the extracted information below refer to page numbers and cross-references in the Annual Report. To view the Preliminary Announcement, please visit the Investor Relations section of the Company's website at www.nccgroup.com/investor-relations

Directors' responsibilities statement

The following statement is extracted from page 96 of the Annual Report and is repeated here for the purposes of Disclosure Guidance and Transparency Rule 6.3.5. This statement relates solely to the Annual Report and is not connected to the extracted information set out in this announcement or the Preliminary Announcement:

"The Directors are responsible for preparing the Annual Report and Accounts and the Group and Parent Company Financial Statements in accordance with applicable law and regulations.

Company law requires the Directors to prepare Group and Parent Company Financial Statements for each financial year. Under that law they are required to prepare both the Group Financial Statements in accordance with International Financial Reporting Standards as adopted by the European Union (IFRSs as adopted by the EU) and applicable law and have elected to prepare the Parent Company Financial Statements on the same basis.

Under company law the Directors must not approve the Financial Statements unless they are satisfied that they give a true and fair view of the state of affairs of the Group and Parent Company and of their profit or loss for that period. In preparing each of the Group and Parent Company Financial Statements, the Directors are required to:

   --      Select suitable accounting policies and then apply them consistently 
   --      Make judgments and estimates that are reasonable, relevant and reliable 
   --      State whether they have been prepared in accordance with IFRSs as adopted by the EU 

-- Assess the Group and Parent Company's ability to continue as a going concern, disclosing, as applicable, matters related to going concern

-- Use the going concern basis of accounting unless they either intend to liquidate the Group or the Parent Company or to cease operations, or have no realistic alternative but to do so

The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the Parent Company's transactions and disclose with reasonable accuracy at any time the financial position of the Parent Company and enable them to ensure that its Financial Statements comply with the Companies Act 2006. They are responsible for such internal control as they determine is necessary to enable the preparation of Financial Statements that are free from material misstatement, whether due to fraud or error, and have general responsibility for taking such steps as are reasonably open to them to safeguard the assets of the Group and to prevent and detect fraud and other irregularities.

Under applicable law and regulations, the Directors are also responsible for preparing a Strategic Report, Directors' Report, Directors' Remuneration Report and Corporate Governance Statement that comply with that law and those regulations.

The Directors are responsible for the maintenance and integrity of the corporate and financial information included on the Company's website. Legislation in the UK governing the preparation and dissemination of Financial Statements may differ from legislation in other jurisdictions.

Responsibility statement of the Directors in respect of the annual financial report

We confirm that to the best of our knowledge:

-- The Financial Statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and the undertakings included in the consolidation taken as a whole

-- The Strategic Report includes a fair review of the development and performance of the business and the position of the issuer and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face

We consider the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group's position and performance, business model and strategy."

Principal risks and uncertainties

The principal risks and uncertainties relating to the Company are set out on pages 30 to 36 of the Annual Report from which the following is extracted in full and unedited text :

"Risk management

Risk is an inherent part of doing business and risk management is a fundamental part of good corporate governance. A successful risk management process balances risk and reward and is underpinned by sound judgment of their impact and likelihood. The Board has overall responsibility for ensuring that NCC Group has an effective risk management framework, which is aligned to our business objectives.

The Board has established a Risk Management Policy, which has established protocols, including:

   --      Roles and responsibilities for the risk management framework 
   --      Risk scoring framework 
   --      A definition of risk appetite 

The integrated approach to risk management diagram on page 31 summarises the Group's overall approach to risk management, which is supported by a web-based tool - the Integrated Risk Management System (IRMS). The tool is designed to follow the risk management model described in the next section and records both strategic and operational risk registers and tracks risk mitigation action plans, helping embed ownership of risks and treatment actions while also providing access to live management information, which is used at both a Board and operational management level.

NCC Group's approach to risk management

NCC Group adopts both a "top down" and "bottom up" approach to risk, to manage risk exposure across the Group to enable the effective pursuit of strategic objectives. The approach is summarised in the diagram on page 31.

The approach is one of collaboration, which supports our comprehensive approach to risk identification, from the "top down" and "bottom up". The Group believes that this is the most efficient and effective way to identify its business risks.

Top down - strategic risk management

The Board, Audit Committee and Cyber Committee review risks on an ongoing basis and are supported by the Executive Committee and subject matter specialists (including Assurance, Software Resilience (Escrow), Information Security, Data Protection and Health and Safety). The Board gives consideration to the Group's strategic objectives and any barriers to their achievement.

Bottom up - operational risk management

The Board and Executive Committee engage with colleagues at every level of the Group in recognition of the importance of their expertise, contribution and views. In relation to matters of wrongdoing, or risks not being recognised and adequately managed, the Group has a robust and effective whistleblowing procedure, which is supported by the Safecall reporting line.

Risk management model

The Board has overall responsibility for ensuring that NCC Group adopts an effective risk management model, which is aligned to our objectives and promotes good risk management practice. We have therefore adopted the model described in this section and summarised in the diagram above.

The Board, Audit Committee, Cyber Committee and Executive Committee review risks on an ongoing basis throughout the year. The appropriateness and relevance of the risks and issues tracking system - IRMS - are monitored by the global governance team to ensure that it continues to be updated, meet the needs of the Group and remain in line with good risk management practice. In addition, there is a robust process in place for monitoring and reporting the implementation of agreed actions.

We are satisfied that the risk management policy, framework and model currently in place are sufficient to manage risk across the Group.

The key areas of identifying, assessing, addressing and monitoring risks are explained in more detail below:


Risks exist within all areas of our business and it is important for us to identify and understand the degree to which their impact and likelihood of occurrence will affect the delivery of our key objectives. This is achieved through day-to-day working practices and incorporates risks in both the internal and external environment. Examples of identification include horizon scanning for legislative and market changes, operational and delivery reviews (such as SGT), procedures in relation to projects and change and independent systems audits.

All identified risks are initially assessed for their "inherent" risk (risk with no controls in place), using a scoring mechanism that accounts for the likelihood of an event occurring and the impact that it may have on the Group. The scoring mechanism adopted takes account of high impact, low likelihood events and these risks are managed in a timely manner.

In addition to ongoing risk identification, an annual exercise is undertaken to review the Group's strategic risk universe by the Board. This exercise is reliant on the "top down", "bottom up" approach discussed earlier.


Following the identification of the Group's inherent risks exposure, a comprehensive assessment of the effectiveness of current mitigating controls is undertaken. This exercise takes account of the design of the current control environment and the application of these controls prior to assessing the Group's current exposure to risk - mitigated risk score. The Board uses a number of sources of information to support the scoring of risk and these include, but are not limited to:

   --      Management updates 
   --      Action tracking and reporting 
   --      Control environment policies and procedures 
   --      Independent audit activity 
   --      Project monitoring reports 


An assessment of whether additional actions are required to reduce our risk exposure is undertaken, with actions falling into one of four categories:

-- Treat - develop an action plan (applying responsibility, deadlines and prioritisation) that may include the implementation of additional controls, or increase the requirement for additional assurance over the adequacy and effectiveness of the existing controls

   --      Transfer - use a third party specialist to undertake the activity, thus mitigating the risk 
   --      Tolerate - determine the risk is within appetite 
   --      Terminate - exit the activity 

Output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders, or has been used in the development of the Group's Transformation Programme.


Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual. Examples of ongoing monitoring of business risks include, but are not limited to:

-- Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks

-- Annual review of the annual internal audit plan to validate that it incorporates key areas of business risk

-- A review of internal audit reports issued during the period, including a summary of progress against previously raised management actions

-- Annual review of the strategic risk register by the Board to ensure that it includes risks arising in year

Internal control

While risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation.

NCC Group has established a robust internal control framework which is made up of a number of components:

Control environment

The control environment has primarily been established taking account of the Group's values (working together; being brilliantly creative; and embracing difference), and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and its extended leadership team lead by example and strive to maintain effective control environments, while also maintaining integrity and transparency.

Risk assessments

Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements and are vital in our transformational programmes.

Policies and procedures

Established policies communicate expected behaviours and these are supported through procedures and guidelines defining required processes and controls. This in turn supports the business to adopt efficient and effective control environments.

Information and communication

Access to accurate and timely data is key in supporting our colleagues to make decisions and to be well informed in order to conduct, manage and control their areas of responsibility. During the year, the Group has focused on its data systems - successfully implementing Workday HR and currently rolling out the Workday Finance system.

Activity monitoring

Financial minimum controls have been established during the current financial year for local finance teams. The financial minimum controls were self-assessed at the year end and will be audited by the internal audit function from FY21. The financial minimum controls framework was established in consultation with the Chief Financial Officer, the Group Financial Controller and the local Finance Directors and has taken account of the implementation of Workday Finance.

Financial accounting and reporting follow generally accepted accounting practices.

Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies.

Compliance with all legislation, current and new, is closely monitored.

Risk and control reporting structure

During the current financial year, NCC Group has focused on establishing the "three lines of defence", to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control. This has resulted in the recruitment of a Director of Global Governance, who was on-boarded in January 2020.

The Group has three lines of defence:

   --      First line - Group policies and procedures 

-- Second line - Global Governance function, incorporating Health and Safety; Information Security; Data Protection; Compliance & Standards; and Corporate Legal

-- Third line - independent challenge and assessment, including ISO certification; and internal and external audit

Principal risks and uncertainties

The Group continues to operate in a particularly dynamic and evolving marketplace. The current strategic risk register has been developed to reflect those factors and includes those risks that would threaten its business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, their potential impact and mitigating processes and controls are set out below:

 Risk Areas        Potential Impact                                              Mitigation 
 Business          A poor strategy                                               (High impact, risk exposure 
 strategy           or ineffective                                                unchanged from 2019) 
                    execution of a 
 A comprehensive    strategy could                                                Members of the Board have 
 business           have a material                                               significant experience 
 strategy           negative impact                                               in evolving business strategies. 
 is essential       on the Group's                                                The Board is significantly 
 to the             financial performance                                         engaged in both setting 
 continued          and value. It would                                           and reviewing strategy 
 success of the     potentially weaken                                            and held a dedicated strategy 
 Group as we        the Group compared                                            session in March 2020. 
 strive             to its competitors 
 to maximise        and risk the Group's 
 shareholder        established position 
 value.             in the marketplace. 
                  ------------------------------------------------------------  ------------------------------------------------------------- 
 Management of     Poor change management                                        (Low impact, risk exposure 
 strategic          could lead to ineffective                                     unchanged from 2019) 
 change             implementation 
                    of projects that                                              The Group has established 
 As the Group       then cost more                                                a Strategic Change Management 
 adapts and         to deliver, take                                              capability and this includes 
 executes           longer to deliver                                             access to programme management 
 its strategy       and result in fewer                                           professionals and the 
 there are a        benefits being                                                deployment of associated 
 number             realised (or all                                              change management processes, 
 of complex         three). Poor delivery                                         for example the operation 
 projects           of change could                                               of senior change oversight 
 and initiatives    ultimately impair                                             committees. 
 that not only      business performance. 
 need to be 
 but also 
 and support 
 all colleagues. 
                  ------------------------------------------------------------  ------------------------------------------------------------- 
 Global pandemic   The potential impact                                          (High impact, risk exposure 
 - Covid-19        of a pandemic for                                              increased from 2019) 
                   the Group could 
 NCC Group has     be:                                                            We established a global 
 a number of                                                                      response team and mobilised 
 features           *    The inability to operate due to local restrictions       our whole workforce to 
 which give the          impacting our customers                                  remote working ahead of 
 Group a greater                                                                  local lockdown/shelter-in-place 
 resilience in                                                                    orders. Local task forces 
 the face of a                                                                    were established and processes 
 global             *    The potential inability to deliver work if required      were in place to protect 
 pandemic.               onsite                                                   colleagues and customers 
 Failure to                                                                       from risk of infection. 
 prepare                                                                          Local office track and 
 for this may                                                                     trace measures were put 
 cause              *    Risk of colleagues being exposed due to travel/onsite    in place with 24 hour 
 disruption              work requirements                                        reporting to support global 
 and uncertainty                                                                  operations. 
 to our 
 business,                                                                        We also enabled more than 
 as well as risk    *    Colleagues being unable to work due to illness or        95 per cent of our services 
 the health and          being restricted due to shielding/quarantine either      to be delivered remotely 
 safety of our           for themselves or people they live with                  with a dedicated global 
 people. Any                                                                      marketing campaign to 
 disruption                                                                       support customers around 
 or uncertainty                                                                   their specific Covid-19 
 could have an      *    Lower demand due to many of our customers                challenges. Existing services 
 adverse effect          experiencing uncertainty, financial pressures or         were modified to provide 
 on our                  logistical challenges effecting the Group's revenue,     customers short-term solutions 
 business,               profitability and cash generation                        to lockdown issues. 
 results                                                                          For further information 
 and operations.                                                                  in relation to the Group's 
                                                                                  specific Covid-19 response, 
                                                                                  please see pages 8 and 
                                                                                  9 of the Strategic Report. 
                  ------------------------------------------------------------  ------------------------------------------------------------- 
 Availability      If the Group's                                                (Medium impact, risk exposure 
 of critical        critical systems                                              decreased from 2019) 
 information        failed, this could 
 systems            affect our ability                                            The Group continues to 
                    to provide services                                           make significant investment 
 The Group is       to our customers.                                             in its IT infrastructure 
 heavily reliant                                                                  to ensure it continues 
 on continued                                                                     to support the growth 
 and                                                                              of the organisation. This 
 uninterrupted                                                                    has been particularly 
 access to its                                                                    pertinent, during home 
 IT systems. As                                                                   working, as part of Covid-19. 
 well as 
 environmental                                                                    The Group has controls 
 and physical                                                                     in place in order to reduce 
 threats, the                                                                     the risk of actual loss 
 Group is a                                                                       of critical systems; this 
 natural                                                                          has included a review 
 target for                                                                       of single points of failure 
 individuals                                                                      and these have been mitigated. 
 who may seek                                                                     Further, controls are 
 to disrupt the                                                                   operated to ensure the 
 Group's                                                                          availability of backup 
 commercial                                                                       media in the event of 
 activities.                                                                      prolonged loss of systems. 
                                                                                  Initiating to standardise 
                                                                                  and simplify while increasing 
                                                                                  resilience continues to 
                                                                                  be implemented. Additional 
                                                                                  focus is being periodically 
                                                                                  given to proving the recoverability 
                                                                                  of systems and data. 
                  ------------------------------------------------------------  ------------------------------------------------------------- 
 Attracting and    Loss of key colleagues                                        (Medium impact, risk exposure 
 retaining          or significant                                                decreased from 2019) 
 appropriate        colleague turnover 
 colleagues'        could result in                                               Colleagues are offered 
 capacity           a lack of necessary                                           a rewarding career structure 
 and capability     expertise or continuity                                       and attractive salary 
                    to execute the                                                and benefits packages, 
 The Group would    Group's strategy.                                             which can include participation 
 be adversely                                                                     in share schemes. 
 impacted if it     An inability to 
 were unable to     attract and retain                                            Comprehensive communications 
 attract and        sufficient high-calibre                                       with our colleagues are 
 retain             colleagues could                                              ongoing and include all-hands 
 the right          become a barrier                                              calls, The Wire, and Group 
 calibre            to the continued                                              and local communications. 
 of skilled         success and growth 
 colleagues.        of NCC Group.                                                 Linked to the development 
 Some roles                                                                       of our people, the Group 
 within                                                                           continues to review our 
 the Group                                                                        values, has launched personal 
 operate                                                                          performance management 
 in highly                                                                        processes in 2020 and 
 technical                                                                        has aligned development 
 and extremely                                                                    programmes. 
 in which there 
 are shortages 
 of skilled 
                  ------------------------------------------------------------  ------------------------------------------------------------- 
 Cyber risk        Failure to maintain                                           (Low impact, risk exposure 
 (including         control over customer,                                        unchanged from 2019) 
 data               colleague, commercial 
 protection)        and/or operational                                            The Board operates a Cyber 
                    data could lead                                               Committee chaired by the 
 As a provider      to a range of impacts,                                        Chair of the Board. 
 of security        including reputational 
 services,          damage. The misuse                                            Security testing is regularly 
 the Group is       of personal data,                                             carried out on the Group's 
 a high profile     for example without                                           infrastructure and there 
 target and         the customer's                                                are extensive response 
 could              consent, or retaining                                         plans, which were reviewed 
 therefore be       for longer than                                               during the year, in the 
 subject to         is necessary, may                                             event of a major security 
 attacks            also result in                                                incident. 
 specifically       reputational harm, 
 designed to        regulatory investigations                                     Comprehensive plans are 
 disrupt            and potential fines.                                          in place and being delivered 
 the Group's                                                                      associated with discharging 
 business                                                                         our GDPR obligations. 
 and harm the                                                                     Progress is monitored 
 Group's                                                                          by the Cyber Committee. 
 reputation.                                                                      Colleagues also receive 
                                                                                  regular security training 
 There could                                                                      and updates. 
 be implications 
 relating to our 
 GDPR control 
 Such events 
 the market's 
 perception of 
 the Group as 
 well as causing 
                  ------------------------------------------------------------  ------------------------------------------------------------- 
 Quality of        Suboptimal business                                           (High impact, risk exposure 
 Management         decision making                                               decreased from 2019) 
 Information        and performance 
 Systems            as key financial                                              The Group finance function 
 (MIS) and          performance data                                              has developed a forward-facing 
 internal           is not available                                              Finance Functional Strategy. 
 business           or trusted.                                                   Enhancements were identified 
 processes                                                                        covering system and process 
                                                                                  standardisation. A comprehensive 
 We need to                                                                       milestone plan is in place 
 ensure                                                                           and progress is tracked 
 that trusted                                                                     and reported to the Audit 
 and relevant                                                                     Committee. 
 MIS are 
 available                                                                        Standardised business 
 on a day-to-day                                                                  process control standards 
 basis to inform                                                                  are in place across all 
 management                                                                       parts of the Group. As 
 decisions                                                                        the new financial year 
 and drive                                                                        progresses, control self-assessment 
 performance.                                                                     techniques will be implemented 
                                                                                  along with an aligned 
                                                                                  programme of internal 
                  ------------------------------------------------------------  ------------------------------------------------------------- 
 Quality and       The risk of the                                               (Low impact, risk exposure 
 security           Group failing to                                              unchanged from 2019) 
 management         retain a core standard, 
 systems            e.g. 9001, 27001                                              We operate a comprehensive 
                    or PCI, with a                                                programme to ensure the 
 We aspire to       consequential loss                                            retention of our core 
 attain and         of key customer                                               standards. This includes 
 retain             accounts or ability                                           a portfolio of aligned 
 key                to operate.                                                   policies and cascading 
 internationally                                                                  business processes. A 
 recognised                                                                       programme of internal 
 standards.                                                                       audit provides assurance 
 These form an                                                                    over the design and application 
 important                                                                        of these policies and 
 component                                                                        procedures. External assessors 
 for many of our                                                                  provide a further layer 
 customers.                                                                       of review and challenge, 
                                                                                  confirming during the 
                                                                                  year the retention of 
                                                                                  our Quality and Security 
                  ------------------------------------------------------------  ------------------------------------------------------------- 
 Brexit            Uncertainty around                                                 (Medium impact, risk exposure 
                    the UK's departure                                                unchanged from 2019) 
 Failure to         from the EU continues 
 prepare            as a result of                                                    Similar to any UK company, 
 for the UK's       the political deadlock.                                           we list Brexit as a significant 
 departure from     The risks associated                                              risk due to the uncertainty 
 the EU may         with Brexit are                                                   surrounding the final 
 cause              the possibility                                                   form Brexit will actually 
 disruption to,     of a "no-deal"                                                    take and when it will 
 and create         scenario and also                                                 happen. 
 uncertainty        the potential for 
 around, our        an abrupt departure                                               We continue to plan for 
 business.          from the EU.                                                      Brexit internally and 
 Any disruption                                                                       the Brexit Steering Group 
 or uncertainty                                                                       meets regularly. 
 could have an 
 adverse effect                                                                       As our operations around 
 on our                                                                               the world include business 
 business,                                                                            entities based in Continental 
 financial                                                                            Europe, we believe NCC 
 results                                                                              Group is structurally 
 and operations.                                                                      resilient to any disruption 
                                                                                      caused by Brexit. The 
                                                                                      main risks to our business 
                                                                                      from Brexit are: 
                                                                                       *    Any reduction in demand from an economic slowdown 
                                                                                       *    Real or perceived differences in data protection 
                                                                                            standards, which impact our global ways of workin 
                  ------------------------------------------------------------  ------------------------------------------------------------- 

Extraordinary risk during the year

During the year, the global pandemic of Covid-19 occurred and while this had an impact on financial performance, it also provided opportunities. The Group mobilised its Executive Support Team and its business continuity plan in January 2020 and this enabled a number of planned initiatives to be brought forward to support a Group-wide response to remote working and delivery.

We have also successfully negotiated with our clients where appropriate to work remotely, which has minimised disruption to service delivery."

LEI - 213800DJCGZRB6523934

Classification - Annual Report and Financial Statements and Notice of AGM.

 NCC Group plc 
  Adam Palser - CEO                               0161 209 5200 
  Tim Kowalski - CFO                               0161 209 5200 
  Jonathan Williams, Deputy Company Secretary      0161 209 5374 

This information is provided by RNS, the news service of the London Stock Exchange. RNS is approved by the Financial Conduct Authority to act as a Primary Information Provider in the United Kingdom. Terms and conditions relating to the use and distribution of this information may apply. For further information, please contact rns@lseg.com or visit www.rns.com.

RNS may use your IP address to confirm compliance with the terms and conditions, to analyse how you engage with the information contained in this communication, and to share such analysis on an anonymised basis with others as part of our commercial services. For further information about how RNS and the London Stock Exchange use the personal data you provide us, please see our Privacy Policy.



(END) Dow Jones Newswires

September 18, 2020 10:19 ET (14:19 GMT)