ITV plc Annual Report and Accounts 2023
AUDIT AND RISK COMMITTEE REPORT CONTINUED

RISK MANAGEMENT AND INTERNAL CONTROLS

Our role
• Assist the Board to establish and articulate overall risk appetite and oversee and advise the Board on specific strategic risk exposures and mitigations
• Review the risk identification and mitigation processes and undertake deep dives into high-risk business areas or processes
• Review the effectiveness of the internal control and risk management processes
• Oversee appropriate compliance, speaking up and fraud prevention arrangements

Committee reviewed:
• Biannually, management’s conclusions regarding principal and emerging risks and uncertainties and associated mitigations
• Progress in implementing the enhanced ERM framework, including enhancements to the risk governance structure
• Progress in improving operational risk management capability for security, duty of care, and crisis management
• Insurance arrangements and policies, including how those support mitigation of principal and other financial risks
• Progress in implementing the financial controls framework and effectiveness review for the ITV Together programme
• Ongoing programme of improvements to technology and IT-related controls and governance environment
• Mapping of the internal audit plan to key principal and operational risk areas to understand assurance coverage
• Outcome of the risk focused audits undertaken by the internal auditors, including implementation of agreed actions to address audit conclusions
• Enhancements to the Speaking Up policy and report on ongoing actions taken to strengthen Speaking Up processes and further increase awareness across the organisation, including reflection of the relevant recommendations arising from the Committee’s deep dive review in July 2023 and the external review by Jane Mulcahy KC
• Progress in implementation of data privacy and governance enhancements, including actions arising from the internal audit of the effectiveness of relevant processes
• Biannually, effectiveness of compliance framework and monitoring
• The M&A approvals process and approved amendments
• Fraud risk and fraud prevention, detection and controls framework and its effectiveness
• Transformation Programme updates, particularly in respect of ITV Together
• Deep dives on the Group’s resilience to key risks, including cyber, crisis management, duty of care and Speaking Up
• The internal audit conclusions and recommendations regarding the effectiveness and maturity of the second lines of defence in respect of the Group’s financial, IT general and compliance controls

Risk management
Recognising the evolving nature of the risk landscape, due to the increasing pace of change in the industry, the continued impact of the macroeconomic environment and global instability, ITV needs to be able to be agile in flexing aspects of its strategy implementation and manage resulting risks smartly. The Committee’s focus for 2023 therefore has been on evolving ITV’s approach to risk management to ensure it remains appropriate and proportionate as well as enhancing the understanding of ITV’s most critical risks. This has included focus on progress in optimising the practices and behaviours of the second line of defence and introducing more collaboration and structure across financial, IT, compliance and operational controls, with the Committee providing challenge and direction as appropriate.

Financial internal controls
Throughout 2023, the Committee received regular updates on management’s ongoing enhancements to the Group’s controls environments, including financial and IT controls, finance fraud risk prevention, cyber security, data privacy processes and capability, Speaking Up effectiveness, compliance programme, and resilience to risk, including crisis management and business continuity.

Although certain aspects of the Group’s control environment are immature, with some existing deficiencies (particularly in respect of IT general controls, where mitigations have been implemented to address these weaknesses), the Committee is satisfied that the Group’s internal controls over financial reporting operated effectively throughout the year, with no material weaknesses identified. This was principally based on a programme of internal audit reviews, independent Group finance assurance reviews, and monthly management financial control self-assessments and the reviews undertaken by the external auditors as part of their 2023 audit plan. During 2023, the Committee was regularly presented with observations following second line design reviews conducted by the Financial Governance and Compliance team post Oracle Fusion Go-Live (part of the ITV Together programme), with a particular focus on controls automation progress and fraud controls. Moreover, where specific areas for improvement were identified, it was noted that mitigating workaround controls and processes were in place. These updates provided the Committee with the opportunity to increase the scope of its own review and obtain additional visibility over the financial control environment during the year, particularly those areas not covered in the Internal Audit plan. In addition, the Committee considered the suite of automated analytics that enable ongoing monitoring of high-risk financial transactions and access controls across Group systems.

In 2024, the Committee intends to continue with focused bi-annual (and in respect of certain areas of internal controls, quarterly) sessions with the relevant change programme and compliance, financial, operational and technology controls sponsors and leadership teams. In particular, the Committee will focus on strategic initiatives being implemented within the Group’s technology function, with the objective of improving the overall IT control maturity. Key activities in 2024 will include updates to the IT controls framework, completion of control design assessments for applicable systems, control gap remediation and rollout of awareness sessions across Group Technology. The Committee notes the roadmap of activities for 2024, which includes controls self-certification and independent assurance testing across the IT controls landscape, to enable a cultural shift and more proactive management of risks.

ITV Together
Oracle Fusion went live on 11 April 2023, changing the operations and interaction of colleagues, HR, Finance and Production Finance processes. The Committee noted that a change of this nature and size was complex, and was pleased that it launched with minimal disruption to the business with a high volume of users and transactions being processed.

However, due to system and reporting issues identified, various processes and controls did not operate as anticipated, with alternative manual controls implemented to mitigate any risk. Consequently, Deloitte conducted a post implementation review in the second half of 2023, focusing on project governance, resourcing and change management, the outcomes of which were communicated to the Committee.

Throughout 2023 the Committee closely monitored the programme of remediation and the effectiveness of the mitigations. In addition, the Committee Chair held a number of meetings with the programme leadership to receive detailed briefings on the progress of the change management plan, providing challenge and support.

In the last few months of 2023, the ITV Together programme moved into Stabilisation and Adoption of the Oracle Fusion solution phase, with the embedding of new ways of working following hyper care, running until June 2024. During this phase the Committee will monitor delivery of enhancements to meet the target finance control automation objective; alongside fully embedding the end-to-end IT controls to ensure Oracle Fusion is robust and sufficiently controlled, enabling reliance over the process and control automation.

Speaking Up
The Board continued to receive regular reports on issues raised during 2023 via Safecall, the external, independent whistleblowing facility, and other complaint notification channels available within ITV, with the Committee reviewing an overview summary for the year. This included an assessment of any identified trends or themes in complaints, the nature of any noteworthy allegations, the corrective measures implemented to address substantiated complaints, and the process applied to triage and correctly investigate complaints. The Committee also considered the actions taken by management as a result of the investigations’ conclusions and recommended additional actions where appropriate, overseeing the investigation of all significant issues reported.

The Committee received regular updates on the status of and improvements to ITV’s awareness campaign, alongside an internal audit completed at the end of 2022, the results of which highlighted the need to drive continued awareness and focused training to ensure that communications are effective. The Committee noted significant progress that had been made during 2023, which was demonstrated in the strong scores for awareness of the programme and the routes for raising concerns in the engagement survey.

The Committee also noted the actions that had been taken in 2023 to strengthen recording and collation of relevant data to provide a better insight into concerns being raised through the various channels available across the Group, including the Safecall facility. During 2023, listening circles/focus groups were introduced, which were run by an external provider, inviting colleagues and freelancers to participate in confidential discussions about areas of concern.

The Committee welcomed the development of a programme of mandatory training for line managers on managing grievances, disciplinaries, concerns and complaints. The recommendations arising from the KC’s review of This Morning included a more targeted approach to Speaking Up related training for different parts of the Group and a further strengthening of the concerns and complaints process. The Committee will monitor management’s implementation of these enhancements during 2024.

Crisis Management
Over the past year, a series of significant external, non-ITV specific incidents and the evolving global landscape have underscored the necessity for a structured and robust crisis management response capability at ITV. During 2023, the revised crisis management framework and plan was subject to internal audit review by EY, as well as tested via a series of simulated exercises facilitated by Deloitte, the results of both being reported to and discussed by the Committee, and progress in implementing the agreed resulting changes monitored by the Committee. The Committee acknowledged that the good progress in 2023 provides a solid foundation for continued improvement in 2024, including the requirement to conduct regular training and simulated exercises across the Group in order to ensure ITV’s resilience and readiness to effectively respond to crisis events.

Cyber Security
The Committee recognises that ITV has a unique range of factors that impact how management focuses on cyber to enable the future business strategy whilst managing the immediate risks by reducing dependence on legacy systems, building security into the delivery of its strategy and creating a cyber culture that provides consistent defence over a devolved organisation. The Committee received regular updates throughout 2023 and is pleased with the maturity and effective progress achieved.

The Group has adopted the internationally recognised NIST cybersecurity maturity framework and the Committee is supportive of the cyber team using this internationally recognised standard in the development of ITV’s approach.

During 2023, the Committee received regular updates on progress in adopting a programme of enhancement to the Group’s maturity framework, which included:
• Development of a new security operations capability to detect and protect against cyber in public cloud estate
• Expanded coverage of controls across the Group’s international businesses – to improve how to track and measure threats, and changes in cyber culture
• Continued assessment of third-party suppliers/vendors to identify risks

For 2024, the Committee will continue to regularly review the enhancements in the Group’s cyber security profile, which will include additional focus on improving API security, increasing defence against AI-based email attacks and bolstering defences against data loss with an aim to achieve target maturity by the end of the year.