Regulatory Story
Company NCC Group PLC
Headline Notice of AGM 2019 and Notice of Trading Update
Released 10:00 22-Aug-2019
Number 8406J10

RNS Number : 8406J
22 August 2019

NCC Group plc

(the "Company" or the "Group")


Notice of Annual General Meeting 2019


Notice of Trading Update


The Company confirms that its Notice of Annual General Meeting 2019 ("AGM Notice") and its Annual Report and Accounts for the year ending 31 May 2019 ("Annual Report") have been posted or otherwise been made available to shareholders and published on the Investor Relations section of its website ( The Annual General Meeting will be held at 9.30 am on Wednesday 25 September 2019 at the Company's Head Office, XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, M3 3AQ.


Copies of the Annual Report and the AGM Notice have been submitted to the National Storage Mechanism and will shortly be available for inspection at


The Company will provide a trading update at 7.00am on Wednesday 25 September 2019 ahead of its Annual General Meeting on the same day. 


A condensed set of the Company's financial statements and extracts were included in the Company's preliminary results for the year ended 31 May 2019 released on 25 July 2019 (the "Preliminary Announcement"). The information included within the Preliminary Announcement together with the information set out below, which is extracted from the Annual Report, constitute the material required by Disclosure Guidance and Transparency Rule 6.3.5 to be communicated to the media in full unedited text through a Regulatory Information Service. This announcement and the Preliminary Announcement are not a substitute for reading the full Annual Report. Page numbers and cross-references in the extracted information below refer to page numbers and cross-references in the Annual Report. To view the Preliminary Announcement, please visit the Investor Relations section of the Company's website at


Directors' Responsibility Statement


The following statement is extracted from page 95 of the Annual Report and is repeated here for the purposes of Disclosure Guidance and Transparency Rule 6.3.5.  This statement relates solely to the Annual Report and is not connected to the extracted information set out in this announcement or the Preliminary Announcement:


"The Directors are responsible for preparing the Annual Report and Accounts and the Group and parent Company Financial Statements in accordance with applicable law and regulations.


Company law requires the Directors to prepare Group and parent Company Financial Statements for each financial year. Under that law they are required to prepare the Group

Financial Statements in accordance with International Financial Reporting Standards as adopted by the European Union (IFRSs as adopted by the EU) and applicable law and have elected to prepare the parent Company Financial Statements on the same basis.


Under company law the Directors must not approve the Financial Statements unless they are satisfied that they give a true and fair view of the state of affairs of the Group and parent Company and of their profit or loss for that period. In preparing each of the Group and parent Company Financial Statements, the Directors are required to:


• select suitable accounting policies and then apply them consistently;

• make judgments and estimates that are reasonable, relevant and reliable;

• state whether they have been prepared in accordance with IFRSs as adopted by the EU;

• assess the Group and parent Company's ability to continue as a going concern, disclosing, as applicable, matters related to going concern; and

• use the going concern basis of accounting unless they either intend to liquidate the Group or the parent Company or to cease operations, or have no realistic alternative but to do so.


The Directors are responsible for keeping adequate accounting records that are sufficient to show and explain the parent Company's transactions and disclose with reasonable accuracy at any time the financial position of the parent Company and enable them to ensure that its Financial Statements comply with the Companies Act 2006. They are responsible for such internal control as they determine is necessary to enable the preparation of Financial Statements that are free from material misstatement, whether due to fraud or error, and have general responsibility for taking such steps as are reasonably open to them to safeguard the assets of the Group and to prevent and detect fraud and other irregularities.


Under applicable law and regulations, the Directors are also responsible for preparing a Strategic Report, Directors' Report, Directors' Remuneration Report and Corporate Governance Statement that complies with that law and those regulations.


The Directors are responsible for the maintenance and integrity of the corporate and financial information included on the Company's website. Legislation in the UK governing the preparation and dissemination of Financial Statements may differ from legislation in other jurisdictions.


Responsibility statement of the Directors in respect of the annual financial report


Each of the Directors whose names and functions are set out on pages 48 to 49 of the Annual Report confirms that, to the best of their knowledge:


• the Financial Statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or

loss of the Company and the undertakings included in the consolidation taken as a whole; and

• the Directors' report includes a fair review of the development and performance of the business and the position of the issuer and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face.


We consider the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group's

position and performance, business model and strategy.


Principal risks and uncertainties


The principal risks and uncertainties relating to the Company are set out on pages 32 to 37 of the Annual Report from which the following is extracted in full and unedited text:


"Relaunch of Risk Management


During the previous year we appointed a risk management subject matter expert, the Director of Risk and Assurance.  Following this appointment, the Board commissioned an evaluation of our existing risk management framework. The review led to the implementation of a range of enhancements to build on the established platform.


The Group has continued to develop and implement a Risk Management Policy, against which we are monitoring enterprise-wide risk management.


This policy sets out protocols covering roles and responsibilities for the risk framework and the definition of risk appetite as set by the Board. A web-based tool, the Integrated Risk Management System (IRMS), has been deployed to record risk registers and to track risk mitigation action plans, helping embed ownership of risks and treatment actions while also providing access to live management information.


Risks are evaluated at a number of levels of the organisation, commencing with those which link to the Group achieving its strategic objectives. These risks are presented under our principal risks and uncertainties. 


Risks are identified primarily by the management team through the use of a structured risk framework. NonExecutive reviews are carried out by two Board Committees: the Cyber Security Committee for IT centric risks and the Audit Committee for all other risk types. The Chief Information Security Office (CISO) reports to the Cyber Committee and the Director of Risk and Assurance reports to the Audit Committee.


While distinct from the established CISO role, the Director of Risk and Assurance works closely with the CISO to facilitate risk oversight across the full range of risk types.


Risk management processes and controls


The Board monitors the ongoing process by which relevant material risks are identified, evaluated and managed via the two subcommittees noted above. On a quarterly basis, the subcommittees review the detailed risk registers that have been prepared and updated across the business along with the status of action plans that are in place to treat risks, which are considered to be excessive.


Evaluation and treatment of risk 


Risks are evaluated using a simple but robust model, which forms part of the Risk Management Policy. The model, which is capable of application across multiple risk types, is sufficiently sensitive to record risks that have the potential to impact Viability Reporting obligations.


Risks are evaluated without considering the operation of any existing controls. This is done to

form a view of inherent risk.


The impact of existing mitigating controls are then considered along with their effectiveness to determine the extent of residual risk. The assessments are made using a combination of impact and likelihood criteria to arrive at a total risk score. Residual risk is then considered against the Group Risk Appetite, which is a judgmental scoring matrix created by the Board to identify risks as being within or outside acceptable parameters for the Group.


Output from the evaluation of strategic risks has been used to help shape the Group's Transformation Programme.  Where risks are assessed as being outside of appetite, treatment actions are agreed including owners, priorities and due dates, either within the Transformation governance structures or milestone plans owned by senior business leaders. The IRMS is used to track these actions, with data mining capabilities to produce reports to the Cyber Security and Audit Committees.


The Group uses a simple Risk Heat Map to record an up-to-date view of residual risk. Viability risks are principal risks that the Directors consider are so extreme that they could jeopardise the business viability if they crystallise.


Principal risks and uncertainties 


The Group continues to operate in a particularly dynamic and evolving marketplace. The very latest strategic risk register has been developed to reflect those factors.


The Directors have carried out a robust assessment of the principal risks facing the Group including those that would threaten its business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, their potential impact and mitigating processes and controls are set out below. The tables also highlight whether the risk is assessed as increasing or decreasing with a similar assessment for the position last year.  This includes identifying new principal risks and uncertainties.



Risk Areas

Potential Impact



Business Strategy


A comprehensive business strategy

is essential to the continued success

of the Group as we strive to maximise

shareholder value.

A poor strategy or ineffective execution

of a strategy could have a material

negative impact on the Group's financial

performance and value. It would

potentially weaken the Group compared

to its competitors and risk the Group's

established position in the marketplace.


(Medium impact, risk exposure decreased from 2018)


Members of the Board have significant experience in evolving

business strategies. The Board is significantly engaged in both

setting and reviewing strategy and held a dedicated strategy

session in March 2019.

Management of strategic change


As the Group adapts and executes its

strategy there are a number of complex

projects and initiatives that not only need to

be delivered but also require understanding

and support from all colleagues.

Poor change management could lead to ineffective implementation of projects that then cost more to deliver, take longer to deliver and result in fewer benefits

being realised (or all three). Poor delivery

of change could ultimately impair

business performance.


(Medium impact, risk exposure decreased from 2018)


The Group has established a Strategic Change Management

capability and this includes access to Programme Management

professionals and the deployment of associated change

management processes, for example the operation of senior

change oversight committees.

Availability of critical information systems


The Group is heavily reliant on continued

and uninterrupted access to its IT systems.

As well as environmental and physical

threats, the Group is a natural target for

individuals who may seek to disrupt the

Group's commercial activities.

If the Group's critical systems failed, this

could affect the Group's ability to provide

services to our customers

(Medium impact, risk exposure decreased from 2018)


The Group continues to make significant investment in its IT

infrastructure to ensure it continues to support the growth of

the organisation.


The Group has controls in place in order to reduce the risk of

actual loss of critical systems. Further, controls are operated to

ensure the availability of backup media in the event of prolonged

loss of systems.


Initiating to standardise and simplify while increasing resilience,

continues to be implemented. Additional focus is being periodically

given to proving the recoverability of systems and data.






Attracting and retaining appropriate colleagues capacity and capability


The Group would be adversely impacted if

it were unable to attract and retain the right

calibre of skilled colleagues.


Some roles within the Group operate in

highly technical and extremely specialised

areas in which there are shortages of

skilled people.






Loss of key colleagues or significant

colleagues turnover could result in a lack of

necessary expertise or continuity to execute

the Group's strategy.


An inability to attract and retain sufficient high-calibre colleagues could become a barrier to the continued success and

growth of NCC Group.





(Medium impact, risk exposure increased from 2018)


Colleagues are offered a rewarding career structure and attractive

salary and benefits packages, which can include participation in share schemes.


Linked to the development of our people, the Group continues to

review our values, personal performance management processes

and aligned development programmes.

Cyber risk (including GDPR)


As a provider of security services, the

Group is a high profile target and could

therefore be subject to attacks specifically

designed to disrupt the Group's business

and harm the Group's reputation.


There could also be implications relating

to our GDPR control obligations. Such

events could adversely affect the market's

perception of the Group as well as causing

business disruption.

Failure to maintain control over customer,

colleague, commercial and/or operational

data could lead to a range of impacts,

including reputational damage. The misuse

of personal data, for example without

the customer's consent, or retaining for

longer than is necessary, may also result in

reputational harm, regulatory investigations

and potential fines.

(Medium impact, risk exposure unchanged from 2018)


The Board operates a Cyber Security Committee chaired by the

Chairman of the Board. The CISO reports to each meeting, in line

with the Group Risk Management Policy.


Security testing is regularly carried out on the Group's infrastructure and there are extensive response plans, which were reviewed during the year, in the event of a major security incident.


Comprehensive plans are in place and being delivered associated

with discharging our GDPR obligations. Progress is monitored by

the Cyber Security Committee.


Colleagues also receive regular security training and updates.













Quality of Management Information Systems (MIS) and internal business processes


We need to ensure that trusted and

relevant MIS are available on a day-to-day

basis to inform management decisions and

drive performance.












Suboptimal business decision-making and

performance as key financial performance

data is not available or trusted.












(Medium impact, risk exposure unchanged from 2018)


The Group finance function has developed a forward-facing Finance Functional Strategy. Enhancements were identified covering system and process standardisation. A comprehensive milestone plan is in place and progress is tracked and reported to each Audit Committee.


Standardised business process control standards were recently

issued across all parts of the Group. As the new financial year progresses, control self-assessment techniques will be implemented along with an aligned programme of Internal Audits.


Quality and Security Management Systems


We aspire to attain and retain key internationally recognised standards, which form an important component for many of

our customers.

The risk of the Group failing to retain a

core standard, e.g. 9001, 27001 or PCI,

with a consequential loss of key customer

accounts or ability to operate.

(Low impact, risk exposure decreased from 2018)


We operate a comprehensive programme to ensure the retention

of our core standards. This includes a portfolio of aligned policies

and cascading business processes. A programme of internal audit provides assurance over the design and application of these policies and procedures. External assessors provide a further layer of review and challenge, confirming during the year the retention of our Quality and Security standards.




Failure to prepare for the UK's departure

from the EU may cause disruption to, and

create uncertainty around, our business.

Any disruption or uncertainty could have an adverse effect on our business, financial

results and operations.

Uncertainty around the UK's departure from

the EU continues as a result of the political

deadlock. The risks associated with Brexit

are the possibility of a 'no-deal' scenario

and also the potential for an abrupt departure from the EU.

(Medium impact, risk exposure increasing from 2018)


Similar to any UK company, we list Brexit as a significant risk due

to the uncertainty surrounding the final form Brexit will actually

take and when it will happen.


We continue to plan for Brexit internally and the Brexit Steering

Group meets regularly.


As our operations around the world include business entities based in continental Europe we believe NCC Group is structurally resilient to any disruption caused by Brexit. The main risks to our business from Brexit are:

• Any reduction in demand from an economic slowdown; and

• Real or perceived differences in data protection standards, which impact our global ways of working.



Other risks


Furthermore, as the Group's international footprint expands, there is an inherent risk of adverse foreign exchange movements affecting profitability. At present this risk is limited due to the relatively low level of inter-territorial trading but it will increase in future.  Inability to refinance the Group's core banking facilities could call into doubt the Group's longer term viability. We have recently achieved a new five-year refinancing facility, which is more flexible and suited to our future needs. Equally, if those facilities lacked the appropriate flexibility and structure, this could inhibit delivery of the Group's strategy.

The Group's current banking facilities cover all of the expected needs of the Group for the period of such facilities and are sufficiently flexible to allow the Group to function effectively. The Group has a Tax and Treasury Manager. Part of their role is to support the CFO in developing a Treasury strategy and overseeing its implementation.


Impact of Brexit on the Group 


There is continuing uncertainty around the likely impact of Brexit on businesses. This uncertainty is likely to continue until at least 31 October 2019, which is the current deadline for the UK's departure from the EU.


We continue to plan for Brexit and we have a Brexit Steering Group that meets regularly. As our operations around the world include business entities based in continental Europe we believe NCC Group is structurally resilient to any disruption caused by Brexit. The main risks to our business from Brexit are:


• Any reduction in demand from an economic slowdown; and

• Real or perceived differences in data protection standards, which impact our global ways of working."



LEI - 213800DJCGZRB6523934

Classification - Annual Report and Financial Statements and Notice of AGM.






NCC Group plc

Adam Palser - CEO

Tim Kowalski - CFO

Jonathan Williams, Deputy Company Secretary


0161 209 5200

0161 209 5200

0161 209 5374




This information is provided by RNS, the news service of the London Stock Exchange. RNS is approved by the Financial Conduct Authority to act as a Primary Information Provider in the United Kingdom. Terms and conditions relating to the use and distribution of this information may apply. For further information, please contact or visit
London Stock Exchange plc is not responsible for and does not check content on this Website. Website users are responsible for checking content. Any news item (including any prospectus) which is addressed solely to the persons and countries specified therein should not be relied upon other than by such persons and/or outside the specified countries. Terms and conditions, including restrictions on use and distribution apply.