Notice of AGM 2018 and Notice of Trading Update

RNS Number : 7182Y

NCC Group PLC

23 August 2018

NCC Group plc

(the "Company" or the "Group")

Notice of Annual General Meeting 2018

and

Notice of Trading Update

The Company confirms that its Notice of Annual General Meeting 2018 ("AGM Notice") and its Annual Report and Accounts for the year ending 31 May 2018 ("Annual Report") have been posted or otherwise been made available to shareholders and published on the Investor Relations section of its website (www.nccgroup.trust/uk/about-us/investor-relations/). The Annual General Meeting will be held at 11.00am on Wednesday 26 September 2018 at the Company's Head Office, XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.

Copies of the Annual Report and the AGM Notice have been submitted to the National Storage Mechanism and will shortly be available for inspection at www.morningstar.co.uk/uk/NSM.

The Company will provide a trading update at 7.00am on Wednesday 26 September 2018 ahead of its Annual General Meeting on the same day.

A condensed set of the Company's financial statements and extracts were included in the Company's preliminary results for the year ended 31 May 2018 released on 17 July 2018 (the "Preliminary Announcement"). The information included within the Preliminary Announcement together with the information set out below, which is extracted from the Annual Report, constitute the material required by Disclosure Guidance and Transparency Rule 6.3.5 to be communicated to the media in full unedited text through a Regulatory Information Service. This announcement and the Preliminary Announcement are not a substitute for reading the full Annual Report. Page numbers and cross-references in the extracted information below refer to page numbers and cross-references in the Annual Report. To view the Preliminary Announcement, please visit the Investor Relations section of the Company's website at www.nccgroup.trust/uk/about-us/investor-relations/.

Directors' Responsibility Statement

The following statement is extracted from page 97 of the Annual Report and is repeated here for the purposes of Disclosure Guidance and Transparency Rule 6.3.5. This statement relates solely to the Annual Report and is not connected to the extracted information set out in this announcement or the Preliminary Announcement:

"The Directors are responsible for preparing the Annual Report and the Group and parent Company Financial Statements in accordance with applicable law and regulations.

Company law requires the Directors to prepare Group and parent Company financial statements for each financial year. Under that law they are required to prepare the Group Financial Statements in accordance with International Financial Reporting Standards as adopted by the European Union (IFRSs as adopted by the EU) and applicable law and have elected to prepare the parent Company Financial Statements on the same basis.

Under company law the Directors must not approve the Financial Statements unless they are satisfied that they give a true and fair view of the state of affairs of the Group and parent Company and of their profit or loss for that period. In preparing each of the Group and parent Company Financial Statements, the Directors are required to:

· select suitable accounting policies and then apply them consistently;

· make judgements and estimates that are reasonable, relevant and reliable;

· state whether they have been prepared in accordance with IFRSs as adopted by the EU;

· assess the Group and parent Company's ability to continue as a going concern, disclosing, as applicable, matters related to going concern; and

· using the going concern basis of accounting unless they either intend to liquidate the Group or the parent Company or to cease operations, or have no realistic alternative but to do so.

The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the parent Company's transactions and disclose with reasonable accuracy at any time the financial position of the parent Company and enable them to ensure that its financial statements comply with the Companies Act 2006. They are responsible for such internal control as they determine is necessary to enable the preparation of the financial statements that are free from material misstatement, whether due to fraud or error, and have general responsibility for taking such steps as are reasonably open to them to safeguard the assets of the Group and to prevent and detect fraud and other irregularities.

Under applicable law and regulations, the Directors are also responsible for preparing a Strategic Report, Directors' Report, Directors' Remuneration Report and Corporate Governance Statement that complies with that law and those regulations.

The Directors are responsible for the maintenance and integrity of the corporate and financial information included on the company's website. Legislation in the UK governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions.

Responsibility statement of the Directors in respect of the annual financial report

We confirm that to the best of our knowledge:

· The financial statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and the undertakings included in the consolidation taken as a whole.

· The strategic report/Directors' report includes a fair review of the development and performance of the business and the position of the issuer and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face.

We consider the annual report and accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group's position and performance, business model and strategy."

Principal risks and uncertainties

The principal risks and uncertainties relating to the Company are set out on pages 40 to 44 of the Annual Report from which the following is extracted in full and unedited text:

"Relaunch of Risk Management

During the year we appointed a risk management subject matter expert, the Director of Risk & Assurance. Following this appointment, the Board commissioned an evaluation of our existing risk management framework. The review led to the implementation of a range of enhancements to build on the established platform.

The Group has now developed and implemented a new Risk Management Policy, against which we are relaunching enterprise wide risk management. This policy sets out protocols covering roles and responsibilities for the risk framework and the definition of risk appetite as set by the Board (see the risk framework diagram). A web-based tool, the Integrated Risk Management System (IRMS), has been deployed to record risk registers and to track risk mitigation action plans, helping embed ownership of risks and treatment actions while also providing access to live management information.

Risks are evaluated at a number of levels of the organisation, commencing with those which link to the Group achieving its strategic objectives. These risks are presented overleaf under our principal risks and uncertainties.

Risks are identified primarily by the management team through the use of a structured risk framework. Non-executive reviews carried out by two Board Committees; the Cyber Security Committee for IT centric risks and the Audit Committee for all other risk types. The Chief Information Security Office (CISO) reports to the Cyber Committee and the Director of Risk and Assurance reports to the Audit Committee.

While distinct from the established CISO role, the Director of Risk and Assurance works closely with the CISO to facilitate risk oversight across the full range of risk types.

Risk management processes and controls

The Board monitors the ongoing process by which relevant material risks are identified, evaluated and managed via the two subcommittees noted above. On a quarterly basis, the sub-committees review the detailed risk registers that have been prepared and updated across the business along with the status of actions plans that are in place to treat risks which are considered to be excessive.

Evaluation and treatment of risk

Risks are evaluated using a simple but robust model which forms part of the new Risk Management Policy. The model, which is capable of application across multiple risk types, is sufficiently sensitive to record risks that have the potential to impact Viability Reporting obligations.

Risks are evaluated without considering the operation of any existing controls. This is done to form a view of inherent risk.

The impact of existing mitigating controls are then considered along with their effectiveness to determine the extent of residual risk. The assessments are made using a combination of impact and likelihood criteria to arrive at a total risk score. Residual risk is then considered against the Group Risk Appetite which is a judgemental scoring matrix created by the Board to identify risks as being within or outside acceptable parameters for the Group.

Output from the evaluation of strategic risks has been used to help shape the Group's Transformation Programme. Where risks are assessed as being outside of appetite, treatment actions are agreed including owners, priorities and due dates, either within the Transformation governance structures or milestone plans owned by senior business leaders. The IRMS is used to track these actions, with data mining capabilities to produce reports to the Cyber Security and Audit Committees.

The Group uses a simple Risk Heat Map to record an up-to-date view of residual risk. Viability risks are principal risks that the Directors consider are so extreme that they could jeopardise the business viability if they crystallise.

Principal risks and uncertainties

The Group continues to operate in a particularly dynamic and evolving marketplace. The very latest strategic risk register has been developed to reflect those factors.

The Directors have carried out a robust assessment of the principal risks facing the Group including those that would threaten its business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, their potential impact and mitigating processes and controls are set out below. The tables also highlight whether the risk is assessed as increasing or decreasing with a similar assessment for the position last year. This includes identifying new principal risks and uncertainties.

Risk Areas	Potential Impact	Mitigation
Business Strategy A comprehensive business strategy is essential to the continued success of the Group as we strive to maximise shareholder value.	A poor strategy or ineffective execution of a strategy could have a material negative impact on the Group's financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group's established position in the marketplace.	(Medium impact, risk exposure decreased from 2017) Members of the Board have significant experience in evolving business strategies. Following the recent appointment of the current CEO, the Group is in the process of reviewing and updating the strategy. The results are expect to help shape and refine the Group's already established Transformation Programme.
Management of strategic change As the Group adapts and executes its strategy there are a number of complex projects and initiatives that not only need to be delivered but also require understanding and support from all staff.	Poor change management could lead to ineffective implementation of projects that then cost more to deliver, take longer to deliver and result in fewer benefits being realised (or all three). Poor delivery of change could ultimately impair business performance.	(Medium impact, risk exposure decreased from 2017) During the year the Group has established a Strategic Change Management capability. This includes access to Programme Management professionals and the deployment of associated change management processes, for example the operation of senior change oversight committees.
Availability of critical information systems The Group is heavily reliant on continued and uninterrupted access to its IT systems. As well as environmental and physical threats, the Group is a natural target for individuals who may seek to disrupt the Group's commercial activities.	If the Group's critical systems failed, this could affect the Group's ability to provide services to our customers.	(High impact, risk exposure unchanged from 2017) The Group has made significant investment in its IT infrastructure to ensure it continues to support the growth of the organisation. The Group has controls in place in order to reduce the risk of actual loss of critical systems. Further, controls are operated to ensure the availability of back-up media in the event of prolonged loss of systems. Initiating to standardise and simplify while increasing resilience continue to be implemented. Additional focus is being periodically given to proving the recoverability of systems and data.
Attracting and retaining appropriate staff capacity and capability The Group would be adversely impacted if it were unable to attract and retain the right calibre of skilled staff. Some roles within the Group operate in highly technical and extremely specialised areas in which there are shortages of skilled people.	Loss of key employees or significant staff turnover could result in a lack of necessary expertise or continuity to execute the Group's strategy. An inability to attract and retain sufficient high-calibre employees could become a barrier to the continued success and growth of NCC Group.	(Medium impact, risk exposure unchanged from 2017) Staff are offered a rewarding career structure and attractive salary packages, which can include participation in share schemes. Linked to the development of our people, the Group is reviewing our values, personal performance management processes and aligned development programmes.
Cyber risk (including GDPR) As a provider of security services, the Group is a high profile target and could therefore be subject to attacks specifically designed to disrupt the Group's business and harm the Group's reputation. There could also be implications relating to our GDPR control obligations. Such events could adversely affect the market's perception of the Group as well as causing business disruption.	Failure to maintain control over customer, colleague, commercial and/or operational data could lead to a range of impacts, including reputational damage. The misuse of personal data, for example without the customer's consent or retaining for longer than is necessary, may also result in reputational harm, regulatory investigations and potential fines.	(Medium impact, risk exposure decreased from 2017) The Board operates a Cyber Security Committee chaired by a Senior Non-Executive Director. The CISO reports to each meeting, in line with the new Group Risk Management Policy. Security testing is regularly carried out on the Group's infrastructure and there are extensive response plans, which were reviewed during the year, in the event of a major security incident. Comprehensive plans are in place and being delivered associated with discharging our GDPR obligations. Progress is monitored by the Cyber Security Committee. Employees also receive regular security training and updates. During the remainder of 2018, the Group expects to commission a health check of Cyber security governance and control.
Quality of Management Information Systems (MIS) and internal business processes In addition to meeting statutory reporting obligations, ensuring that trusted and relevant MIS is available on a day-to-day basis to inform management decisions and drive performance.	Suboptimal business decision-making and performance as key financial performance data is not available or trusted.	(Medium impact, risk exposure decreased from 2017) The Group finance function has developed a forward-facing Finance Functional Strategy. Enhancements were identified covering system and process standardisation. A comprehensive milestone plan is in place and progress is tracked and reported to each Audit Committee. Standardised business process control standards were recently issued across all parts of the Group. As the new financial year progresses, control self-assessment techniques will be implemented along with an aligned programme of Internal Audits.
Quality and Security Management Systems We aspire to attain and retain key internationally recognised standards which form an important component for many of our customers.	The risk of the Group failing to retain a core standard e.g. 9001, 27001 or PCI, with a consequential loss of key customer accounts or ability to operate.	(Low impact, risk exposure unchanged from 2017) We operate a comprehensive programme to ensure the retention of our core standards. This includes a portfolio of aligned policies and cascading business processes. A programme of internal audit provides assurance over the design and application of these policies and procedures. External assessors provide a further layer of review and challenge, confirming during the year the retention of our Quality and Security standards.

Risk Areas

Potential Impact

Mitigation

Business Strategy

A comprehensive business strategy is essential to the continued success of the Group as we strive to maximise shareholder value.

A poor strategy or ineffective execution of a strategy could have a material negative impact on the Group's financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group's established position in the marketplace.

(Medium impact, risk exposure decreased from 2017)

Members of the Board have significant experience in evolving business strategies. Following the recent appointment of the current CEO, the Group is in the process of reviewing and updating the strategy. The results are expect to help shape and refine the Group's already established Transformation Programme.

Management of strategic change

As the Group adapts and executes its strategy there are a number of complex projects and initiatives that not only need to be delivered but also require understanding and support from all staff.

Poor change management could lead to ineffective implementation of projects that then cost more to deliver, take longer to deliver and result in fewer benefits being realised (or all three). Poor delivery of change could ultimately impair business performance.

(Medium impact, risk exposure decreased from 2017)

During the year the Group has established a Strategic Change Management capability. This includes access to Programme Management professionals and the deployment of associated change management processes, for example the operation of senior change oversight committees.

Availability of critical information systems

The Group is heavily reliant on continued and uninterrupted access to its IT systems. As well as environmental and physical threats, the Group is a natural target for individuals who may seek to disrupt the Group's commercial activities.

If the Group's critical systems failed, this could affect the Group's ability to provide services to our customers.

(High impact, risk exposure unchanged from 2017)

The Group has made significant investment in its IT infrastructure to ensure it continues to support the growth of the organisation.

The Group has controls in place in order to reduce the risk of actual loss of critical systems. Further, controls are operated to ensure the availability of back-up media in the event of prolonged loss of systems.

Initiating to standardise and simplify while increasing resilience continue to be implemented. Additional focus is being periodically given to proving the recoverability of systems and data.

Attracting and retaining appropriate staff capacity and capability

The Group would be adversely impacted if it were unable to attract and retain the right calibre of skilled staff.

Some roles within the Group operate in highly technical and extremely specialised areas in which there are shortages of skilled people.

Loss of key employees or significant staff turnover could result in a lack of necessary expertise or continuity to execute the Group's strategy.

An inability to attract and retain sufficient high-calibre employees could become a barrier to the continued success and growth of NCC Group.

(Medium impact, risk exposure unchanged from 2017)

Staff are offered a rewarding career structure and attractive salary packages, which can include participation in share schemes.

Linked to the development of our people, the Group is reviewing our values, personal performance management processes and aligned development programmes.

Cyber risk (including GDPR)

As a provider of security services, the Group is a high profile target and could therefore be subject to attacks specifically designed to disrupt the Group's business and harm the Group's reputation.

There could also be implications relating to our GDPR control obligations. Such events could adversely affect the market's perception of the Group as well as causing business disruption.

Failure to maintain control over customer, colleague, commercial and/or operational data could lead to a range of impacts, including reputational damage. The misuse of personal data, for example without the customer's consent or retaining for longer than is necessary, may also result in reputational harm, regulatory investigations and potential fines.

(Medium impact, risk exposure decreased from 2017)

The Board operates a Cyber Security Committee chaired by a Senior Non-Executive Director. The CISO reports to each meeting, in line with the new Group Risk Management Policy.

Security testing is regularly carried out on the Group's infrastructure and there are extensive response plans, which were reviewed during the year, in the event of a major security incident.

Comprehensive plans are in place and being delivered associated with discharging our GDPR obligations. Progress is monitored by the Cyber Security Committee.

Employees also receive regular security training and updates.

During the remainder of 2018, the Group expects to commission a health check of Cyber security governance and control.

Quality of Management Information Systems (MIS) and internal business processes

In addition to meeting statutory reporting obligations, ensuring that trusted and relevant MIS is available on a day-to-day basis to inform management decisions and drive performance.

Suboptimal business decision-making and performance as key financial performance data is not available or trusted.

(Medium impact, risk exposure decreased from 2017)

The Group finance function has developed a forward-facing Finance Functional Strategy. Enhancements were identified covering system and process standardisation. A comprehensive milestone plan is in place and progress is tracked and reported to each Audit Committee.

Standardised business process control standards were recently issued across all parts of the Group. As the new financial year progresses, control self-assessment techniques will be implemented along with an aligned programme of Internal Audits.

Quality and Security Management Systems

We aspire to attain and retain key internationally recognised standards which form an important component for many of our customers.

The risk of the Group failing to retain a core standard e.g. 9001, 27001 or PCI, with a consequential loss of key customer accounts or ability to operate.

(Low impact, risk exposure unchanged from 2017)

We operate a comprehensive programme to ensure the retention of our core standards. This includes a portfolio of aligned policies and cascading business processes. A programme of internal audit provides assurance over the design and application of these policies and procedures. External assessors provide a further layer of review and challenge, confirming during the year the retention of our Quality and Security standards.

Other risks

Furthermore, as the Group's international footprint expands, there is an inherent risk of adverse foreign exchange movements affecting profitability. At present this risk is limited due to the low level of inter territorial trading but it will increase in future. Inability to refinance the Group's core banking facilities could call into doubt the Group's longer term viability. Equally, if those facilities lacked the appropriate flexibility and structure, this could inhibit delivery of the Group's strategy. The Group's current banking facilities cover all of its expected needs of the Group for the period of such facilities and are sufficiently flexible to allow the Group to function effectively. The Group has a Tax and Treasury Manager. Part of their role is to support the CFO in developing a Treasury strategy and overseeing its implementation.

Impact of Brexit on the Group

The Group continues to have little inter-territorial trade from the UK into Europe and vice versa. While Brexit has already had an impact on exchange rates, there is inevitably some uncertainty around the likely impact of Brexit on businesses. The Group does not believe that Brexit will have a significant impact on its operations as currently structured. UK cyber regulation is likely to stay closely attuned to evolving regulation in Europe, such as GDPR where implementation will proceed in both Europe and the UK as envisaged. Regulations governing international data transfers are already in place and the Group works within these with little change expected from Brexit itself.

With regards to staffing, NCC Group has significant in-region presence within the UK and continental Europe. As such, should free movement be impeded in the future, we do not foresee a material impact. In the medium term, should free movement of labour be impeded then future recruitment requirements in the UK will be offset in part through our involvement in supporting initiatives designed to create capacity in UK nationals in computer science and cyber."

LEI number - 213800DJCGZRB6523934

Classification - Annual Report and Financial Statements and Notice of AGM.

Enquiries:

NCC Group plc

Adam Palser - CEO

Tim Kowalski - CFO

Jonathan Williams, Deputy Company Secretary

0161 209 5200

0161 209 5374

This information is provided by RNS, the news service of the London Stock Exchange. RNS is approved by the Financial Conduct Authority to act as a Primary Information Provider in the United Kingdom. Terms and conditions relating to the use and distribution of this information may apply. For further information, please contact rns@lseg.com or visit www.rns.com.

END

MSCPJMBTMBJTBIP

Companies

NCC Group (NCC)

Wednesday, 15th May 2024

COMPANIES COVERED:

EXPN KLR HTG

Oil services company Hunting sees share price jump on news of significant contract win from Kuwait, Keller advances as pre-AGM trading statement upgrades profit forecast and Experian full year performance lands at top of expectations.

Full Archive

UK 100

Latest directors dealings

15 minutes ago Hunting
15 minutes ago Hunting
25 minutes ago Ricardo
45 minutes ago AstraZeneca
46 minutes ago Heavitree Brewery

All directors dealings today