Managing risk

At Sage we seek to effectively identify, evaluate and manage our strategic, operational, commercial, compliance, financial and emerging risks. This helps us to deliver our strategic objectives and goals through risk-informed decisions. Find out how our risk management processes work below, with further detail on p60-75 of the annual report.

Corporate risk controls

The processes to identify and manage the key risks to the success of Sage are an integral part of the internal control environment.

There is an ongoing process for identifying, evaluating, and managing the principal and emerging risks faced by the Group. The Executive Committee is responsible for the stewardship of the risk management process. It develops the strategy and oversees the delivery of the related operational plans that help to manage the associated risks.

The Board has overall responsibility for the operation and effectiveness of the Group’s risk management and internal control systems. The Audit and Risk Committee supports the Board to oversee the Group’s financial reporting, risk management and internal control procedures and the work of Sage Assurance and the external auditor. These activities are performed in accordance with the principles of the Financial Reporting Council’s (“FRC”) UK Corporate Governance Code 2018 and the associated recommendations set out in the FRC’s Guidance on Audit Committees.

The Audit and Risk Committee reviews principal risks and receives updates from management regarding effectiveness. This monitoring includes oversight of all material controls, including financial, operational, regulatory and compliance controls, and assessing whether control systems are fit for purpose or whether corrective action is necessary.

The Audit and Risk Committee reviews principal risks and receives updates from management, including scrutinising their performance in managing risk, to review and consider the effectiveness of risk management. The Committee also monitors the effectiveness of the control environment through the review of internal audit reports and other assurance activity from Sage Assurance, and consideration of relevant reporting from management, Sage Risk, Sage Business Integrity, and the external auditor.

Our risk appetite reflects our ability or desire to make decisions on the level of risk that can be accepted to achieve our strategic objectives. We recognise that eliminating risk is often not feasible or desirable, so we use risk appetite statements, Group parameters and metrics to provide our leaders with the guidance they need to make decisions on the level of risk that can be taken or sought to achieve strategic objectives. 

The Board has overall responsibility for establishing the Group’s risk appetite. It monitors the risk environment and reviews the relevance and appropriateness of the principal risks to the business. 

The Audit and Risk Committee supports the Board in setting the Group’s risk appetite and ensuring that processes are in place to identify, manage and mitigate the Group’s principal risks. At each meeting, the Committee reviews the principal risks and their associated appetite targets and metrics, to assess whether they continue to be relevant, effective, and aligned to the achievement of Sage’s strategic objectives, and within an acceptable tolerance for the Group.

Internal audit activities are delivered by the in-house Sage Assurance function, supplemented under co-source agreements by third-party providers. The objectives, authority, scope, and responsibilities of Sage Assurance are set out by the Internal Audit Charter. The role of head of internal audit is undertaken by the VP Assurance, who has a direct reporting line to the Audit and Risk Committee and its Chair in order to ensure independence.

The primary role of internal audit is to assist the Board, Sage management and colleagues in fulfilling their responsibility to develop and maintain appropriate internal controls across Sage, to protect the assets, reputation, and sustainability of the organisation. Sage Assurance provides management and colleagues with root cause analyses, appraisals, issue identification, examples of good practice, advice and information concerning the activities reviewed.

The internal audit plan is determined through a structured process of risk assessment and provides assurance at group, region, country and function level, with results reported to management and the Audit and Risk Committee. The internal audit plan is also flexed as necessary to account for any key business changes.

Other internal control procedures

Other internal control policies and procedures are described below.

Colleagues can raise concerns about actual or suspected misconduct through a variety of channels at Sage. We have a dedicated online and telephone whistle-blowing service that operates across many of our regions, allowing employees to raise issues of concern on an anonymous and confidential basis. The Audit Committee receives regular reports on any matters raised through these services and monitors their use throughout the Group.

As part of the general internal controls and risk management processes, Sage also has specific internal controls and risk management systems to govern financial reporting. The requirements for producing financial information are governed by the Group Accounting Manual, against which the Group’s external auditors review the financial statements. Financial control requirements are set out in a detailed Financial Controls Policy, which is subject to internal audit reviews on an annual basis.

Robust processes have been established to ensure that assurance can be provided over whether the annual report and accounts are considered to be fair, balanced, and understandable. Management representations, external and internal audit reviews, and an independent messaging review are undertaken to provide this assurance.

The integrity and competence of personnel are ensured through high recruitment standards and the provision of subsequent training and development. High-quality personnel are seen as an essential part of the control environment.

Sage has a clearly defined organisational structure within which roles and responsibilities are identified, defined and monitored.

The management of the Group as a whole is delegated from the Board to the Chief Executive Officer and the Executive Committee. The Executive Committee meets regularly to: i) discuss and agree corporate strategy to propose for the Board’s consideration, ii) monitor performance against Sage’s strategy, and iii) consider key business issues. As part of its review, it considers the risks associated with the delivery of strategy and important governance issues within operating companies. 

The structure includes a number of global, central administrative functions such as Finance, Legal, People, Marketing, and Strategy. The Executive Committee receives information from these functions through the relevant Executive Committee member. The Executive Committee provides a flow of information to the Board and its main Committees.

Sage operates through a Delegation of Authority model to execute and implement the strategy set. The conduct of Sage’s individual businesses is delegated to Regional executive management teams. These teams are accountable for the conduct and performance of their businesses within the agreed business strategy. They have full authority to act subject to their Delegated Authority, and reserved powers and sanctioning limits laid down by the Board.

A number of Group-wide policies, issued and administered centrally, have been set to ensure compliance with key governance standards across the whole Group. These policies cover a number of areas such as anti-bribery and corruption, data protection and information security, and risk management.

A comprehensive budgeting system is in place, with annual budgets for all operating companies being approved by respective local boards. Subsequently the combined budget is subject to consideration and approval by the Board. Management information systems provide the directors with relevant and timely information required to monitor financial performance.

Capital and operational expenditure is regulated through budgetary approval and defined authorisation levels, supported by an investment committee framework where projects are considered in detail. As part of the budgetary process the Board considers proposals for research and development programmes.

Acquisition and disposal activity is subject to internal guidelines governing investment criteria, financial targets, negotiation, execution, and post-acquisition or disposal management.
