Exposure to risk is an inherent element of carrying out the business activities of the Group: the operation of vessels and provision of related services. Effective risk management and internal control systems are essential to protect the Group from exposure to unnecessary risks and to ensure the sustainability of the Group’s business.
The Board has overall responsibility for establishing procedures to manage risk, oversight of the internal control framework and determining the nature and extent of the principal risks the Group is willing to accept in order to achieve its long-term objectives. The Board has created a culture of risk awareness throughout the organisation whereby risk consideration is embedded in decision making processes.
The Board has delegated the appraisal of the Group’s risk management and internal control systems to the Audit Committee. This assessment is carried out through the review of reports and presentations made by the Risk Management Committee (RMC) and Group Internal Audit. Further information on the Audit Committee activities is set out in its report on pages 94 to 99.
Risk Architecture, Strategy and Protocols
The Group follows international standard ISO 31000 (2018) ‘Risk Management – Guidelines’ in designing its risk architecture, strategy and protocols (RASP).
The Group’s risk architecture includes the roles and responsibilities of the Board and Group personnel in managing risk, along with internal reporting requirements. This is illustrated by the ‘three lines of defence’ model.
Roles, responsibilities, risk management policy, objectives and process overviews are documented within the Group’s Risk Code. The Group adopts an Enterprise Risk Management (ERM) system that takes a unifying, broad and integrated approach to managing risks and aligns risk management to the achievement of strategic objectives.
Role of the Risk Management Committee
The Risk Management Committee (RMC) established by the Group comprises members from across the three lines of defence, as well as having Board representation. With its mandate from the Board, the RMC is tasked with:
- Making appropriate recommendations to the Board on all significant matters relating to the development of risk strategy and processes of the Group.
- Keeping under review the effectiveness of the Group’s risk management systems.
- Reviewing the Group’s risk exposures in relation to the Board’s risk appetite.
- Maintaining a robust Group Risk Register and ensuring risks are identified comprehensively and assessed consistently across classified risk areas.
Risk Management Process
The Group’s Risk Management Process is underpinned by its RASP methodology and is led by the RMC. The Group’s process is based on the revised international standard ISO 31000 (2018), ‘Risk Management – Guidelines’, and provides an iterative and systematic approach to managing risks throughout the Group.
Risk Assessments and Monitoring
The Board sets the Group’s risk appetite for classified risk areas. Risk appetite is communicated through the adoption of Risk Appetite Statements. These statements, along with internal capabilities, resources and industry factors, provide the context in which the Group’s strategy is pursued and against which risks are assessed. With respect to climate and ESG issues, the views of stakeholders are also considered by the Board in setting appropriate appetite levels. Refer to pages 64 to 66 for an overview of the Group’s climate risk framework. The Board has a low acceptance for risks that may impact safety of vessels, workers and customers and compliance with relevant laws and regulations.
Each business owner is responsible for ensuring comprehensive risk identification and assessment is carried out covering their sphere of responsibility. Risks are identified through various means, including the use of an identification tool guiding risk assessors through several internal and external factors in identifying potential barriers to respective objectives. Risks are assigned to risk owners with responsibility for the activity generating the risk. Where a risk contains multiple causes and consequences, risk owners are required to collaborate in performing a cause and consequence analysis.
For some risks, this collaboration spans across departments and divisions within the Group.
Risk owners are ultimately responsible for the completion and maintenance of risk assessments across their respective risk areas. Risks are measured in terms of the likelihood of occurrence and estimated impact using a standardised scoring model. All evaluations are made from a Group perspective and are relative to Group risk appetite. Guidance tools are in place to ensure Group-wide consistency is achieved across risk assessments.
Existing control measures are documented and assessed within the risk assessment forms in determining residual risk scores. All risk assessments are reviewed by members of the RMC before they are released to the Group Risk Register. The RMC and risk owners can prescribe the implementation of further control measures at the review stage.
The Group Risk Register is the central online repository for documenting, assessing and prioritising risks, and for documenting and prescribing control measures. The Register forms a significant portion of the Group’s risk management process. The Group Risk Register is reviewed on a regular basis by the RMC.
Any necessary changes to the Group Risk Register are made throughout the year and can be prompted by:
- The occurrence of a risk event.
- The identification of new emerging risks or as circumstances of existing emerging risks change.
- Quarterly RMC meetings.
- Internal Audit or regulatory reviews.
- Annual risk owner reassessment.
- Changes in Key Risk Indicator measurements.
- New risk assessments completed within business area teams.
Risk information within the Group Risk Register is analysed and used for reporting principal risks to the Board and for Internal Audit planning. A presentation of the Group’s principal and emerging risks is made to the Board at least annually or more frequently if warranted by developments. At these presentations the Board challenges the RMC in their processes and evaluations of the principal and emerging risks identified in the context of the Group’s own risk policy, risk appetite and general market developments both within and outside the industry sector. Key Risk Indicators are in place for highly ranked individual risks at the residual level, to ensure exposure levels are monitored, flagged to the Board and corrective actions taken before impacts are fully realised.
Risk monitoring is an ongoing process to reflect the dynamic nature of the environment in which the Group operates. The Group acknowledges three types of emerging risks that can arise. The first type are new risks that emerge in the Group’s external environment. These are identified through the ongoing Group risk identification process. The second type are previously identified risks recorded in the Group Risk Register whose impact on Group activities has changed, prompting a reassessment. The third type are new risks emerging from the internal environment when changes to core processes are made. These are identified when undertaking new projects or engaging with new business partners.
Emerging risks are closely monitored and assessed as their uncertain nature can result in the risks becoming significant within a short timeframe. Emerging risks currently under review at the date of this report relate to greater employer responsibility for employee welfare, greater environmental and climate awareness driving increased corporate responsibility and regulatory requirements and long-term risks and opportunities associated with technological advancements.
Managing Climate Change Risks
The Group has adopted a framework, based on guidance from the Institute of Risk Management, which identifies the key areas that require attention to enable the development and execution of its climate change risk management strategy. This framework is integrated within the Group’s RASP and related risk assessments are released to the Group Risk Register.
1. Climate Change Risk Landscape
The Group identifies climate risks using the same processes as other emerging risks, with additional emphasis on expert climate risk publications and regulatory updates. Climate change risks are unique in that they affect every individual and organisation, are long term in nature and are highly uncertain in their ultimate progression and impacts. Due to these considerations, the Group’s climate risk register contains the following additional details:
- Risks are assessed over three different time horizons: 0-3 years, 3-10 years and >10 years, with the 0-3-year horizon assessments transferring to the Group Risk Register.
- Impacted stakeholder groups are identified for engagement on associated risks.
- Opportunities are identified for each risk to support strategic positioning and resilience planning.
- Impacts are linked to financial statement areas.
A summary of the Group’s climate risks, impacts and opportunities is disclosed on pages 56 to 57.
2. Effective Governance Systems
The Group applies the same risk governance structure to climate change risks as all enterprise risks. The RMC advises the Board on risk appetite, risk management approach and important risk management issues and considerations, which are ultimately approved by the Board or used to facilitate decision making.
The RMC presents to the Board during the year on all important risk management issues, including climate change and ESG risks. Executive Management are also equipped to update the Board on such matters throughout the year, as 75 percent of the Executive Management Team are RMC members. The Group’s recent Board appointments help ensure there is adequate Non-Executive Director representation with ESG expertise to challenge the RMC and Executive Management on relevant issues.
The RMC is comprised of management across all areas of the business, including risk and sustainability, sales, operations, health and safety, planning and finance. Collectively, the RMC has the skills, knowledge and experience to best manage the Group’s climate change risks and their wide-ranging impacts. ESG issues are incorporated in the incentive plans of Executive Management and dedicated management roles within the RMC.
3. Stakeholder Insights and Research
The interests and expectations of stakeholders are important considerations in the Group’s climate risk management approach. In 2022, the Group will undertake a stakeholder research program to gain insights on ESG issues facing the Group. This will facilitate an evaluation of our core strategic, operational and compliance processes concerning the environment and climate change expectations. Mapping of these insights will help align stakeholder values to the Group’s strategic objectives and core processes.
4. Risk Appetite Setting
Following the outcome of the stakeholder engagement program, the RMC will develop more specific risk appetite areas across a range of ESG issues. Areas of highest stakeholder importance will be considered in setting the appetite levels for Board approval. All ESG and climate change risks going forward will then be assessed, and mitigation plans updated to ensure they remain proportionate to the relevant appetite levels.
5. Materiality Assessment over Alternative Horizons
Climate change risks are assessed over three separate horizons: 0-3 years, 3-10 years and >10 years. Current known transition risks are most significant in the short and medium term and are expected to curtail from the third time horizon as the Group shifts towards a low carbon economy. While physical risks require attention today, significant physical impacts for the Group may only be experienced over the long-term horizon.
Assessments over the long-term horizon are most challenging to calculate but are key to future resilience planning. The Group is exploring further methods to help quantitatively analyse the impact of certain future scenarios.
6. Strategic Positioning and Roadmap
Following a full assessment of risks and opportunities over separate time horizons, the Group can assess strategically its current position against long-term goals. This stage allows the Group to identify any changes to its business model necessary for long-term success, with a focus on opportunity management. Further climate change related controls and projects are then agreed.
7. Implementing Mitigation and Resilience Plans
Further controls and projects to help address climate change risks are implemented and managed. Current resilience plans, including the Group’s Major Incident Response Plans and Disaster Recovery Plans are also reviewed and updated periodically for additional information gathered throughout the process.
8. Operationalise Metrics and Targets
Metrics and targets, including carbon intensity and absolute GHG emissions are monitored and reviewed. Relevant Key Risk Indicators are also introduced to monitor high residual risks, in line with the Group’s risk management process.
Significant and Emerging Risk Events
The Group responded promptly when the Covid-19 pandemic began to affect operations in 2020 and this continued throughout 2021. Actions taken had two principal emphases:
- Measures to ensure continuing safe operations and the communication of such measures to all stakeholders including state authorities and customers; and,
- Measures to ensure the financial viability of services through cost-cutting, efficiencies and service restrictions.
A specific and detailed pandemic risk assessment was carried out in 2020 with input from across all divisions and departments which was updated throughout 2021 as necessary.
While some services continued to be curtailed in 2021 and passenger travel was impacted by varying regulations during the year, all operations have been maintained safely including during times of increased passenger demand for ferry services. Global supply chain congestion meanwhile brought opportunities for the Container and Terminal Division. The Group is strongly positioned for success in 2022 as regional restrictions are removed and tourism can safely return to pre-pandemic levels.
A specific and detailed risk assessment was developed prior to the end of the Brexit transition period on 31 December 2020. This risk assessment was updated throughout 2021 and the risks which materialised were in relation to:
- Negative impact on the Republic of Ireland (ROI) – Great Britain (GB) freight market due to additional customs and health formalities; and,
- Market distortion due to re-routing of freight traffic via Northern Ireland and via the direct route to France, to avoid customs and health formalities. However, this risk has also brought the opportunity of increased demand for our ROI – France route.
The Group will continue to monitor the impacts of Brexit, particularly as additional requirements for GB customs controls are implemented in 2022.
Environmental Regulations and Impacts
The Group is exposed to long-term physical effects of climate change and to near and long-term transition risks associated with the movement towards a low carbon economy, driven by changing stakeholder expectations and environmental regulations. During the year, significant regulatory measures and proposals were announced by the IMO and the EU to help achieve the respective GHG reduction targets of each organisation for the maritime transport industry.
Current IMO Measures
- An annual operational Carbon Intensity Indicator (CII) assessment and rating from 2023 to determine how efficiently a ship transports goods or passengers.
- The introduction of the Energy Efficiency Design Index for existing ships (EEXI) which sets from 2023 a baseline technical design efficiency that vessels must meet.
Current EU Proposals
- The extension of the ETS to the maritime industry on a phased-in basis from 2023 to full implementation by 2026, requiring ICG to purchase and submit emissions allowances for each equivalent tonne of CO2 emitted from vessel operations.
- The introduction of the FuelEU Maritime regulation to limit the GHG intensity of energy used on board vessels from 2025.
- The removal of the heavy fuel oil exemption for the industry under the Energy Taxation Directive.
The Group will continue to monitor these developments and liaise with regional chambers of shipping, shipowners’ associations and other industry representatives as further information is announced. These regulations could have significant financial and operational impacts for the Group and are currently being managed within the climate risk framework. In mitigation of potential financial impacts, the Group shall seek to recover increased costs through its value chain. The Group has been an early adopter of technology and assessments to certify EEXI compliance for the Isle of Inishmore and Ulysses in 2021, with further studies and measures across the remainder of the fleet scheduled in 2022. The W.B. Yeats is assessed as a new vessel under the Energy Efficiency Design Index (EEDI) and is excluded from EEXI.
War in Eastern Europe
The Group is deeply concerned by developments in Eastern Europe following the invasion of Ukraine by Russia. A full organisation-wide risk assessment was conducted as geopolitical tensions escalated in early February 2022. The potential impacts under ongoing assessment at the Annual Report release date include:
- The impact of economic sanctions on Russia on Group operations and fuel prices
- Impact on passenger demand due to ticket price inflation
- Increased cyber security risk to assets and operations
- Business continuity risks associated with supply of fuel and key third party contractors
The principal risks identified through the Group’s risk processes have been considered by the Directors when preparing the Viability Statement on pages 116 to 117, as part of their assessment of the prospects for the Group.
Principal Risks and Uncertainties
Description and Impact
Strategic Risk - Commercial & Market
The Group operates in a highly competitive industry with market risks and opportunities arising from uncertain political and economic landscapes. The Group is at risk of markets not performing in line with expected growth and at risk of loss in market share to competitors, impacting profitability.
The Group undertakes regular assessments of its cost base and performs competitor benchmarking.
Direct and indirect competitor activity and market performance is closely monitored which allows the Group to respond swiftly.
The Group focuses on ensuring a safe, reliable and high-quality service is provided to customers in order to maintain and strengthen alliances.
Exposure to commercial and market risks increased in magnitude during the year as the Group announced its entry to the Dover – Calais route and competitors introduced additional capacity on existing markets served.
Strategic Risk - Economic and Political
Economic and political factors including instability and changes to laws on travel and trade could adversely impact the Group’s activities and demand for its services.
Geopolitical risks, including war risks, could have devastating global impacts, including impacts to Group operations.
The Group liaises with various associations and governmental bodies to share views on proposed legislative changes.
Micro and macroeconomic activity is closely monitored to ensure Group decision making is informed and timely.
In 2021, there was a negative impact experienced on the Ireland-GB freight market due to additional customs and health formalities as a result of Brexit and Covid-19.
There was also market distortion caused by the re-routing of freight traffic via Northern Ireland and via the direct route to France to avoid post-Brexit related customs formalities.
The Group is closely monitoring developments in Eastern Europe following the invasion of Ukraine by Russia in February 2022.
Operational Risk - Business Continuity
The Group’s operations are exposed to the risk of fire, flood, storms, vessel incidents and loss of critical supplies caused by accident or by natural disaster.
Minor disruptions can impact revenues while major disruptive events can result in the loss of critical infrastructure causing significant financial loss and reputational damage.
The Group places strategic importance on investment in quality assets and safety, including vessels suitable for challenging sailing conditions and experienced crews and operations teams.
The Group has detailed, coordinated and rehearsed business continuity plans containing crisis management and disaster recovery components to respond to major incidents at land or at sea and ensure affected operations can be resumed promptly and safely.
The Group continues to follow public health guidelines and updates to governmental travel restrictions relating to the Covid-19 pandemic, which saw non-essential passenger travel resume and the Dublin Swift return to service in late summer.
The Group is optimistic its services can operate fully and safely throughout the entire 2022 tourism season.
Some minor disruptions caused by extended drydocking periods and acute weather events including Storm Barra were experienced during the year.
Operational Risk - Health and Safety
The Group is inherently exposed to the risk of incidents, including workplace accidents, vessel collisions and damages, hazardous cargo and incidents involving passengers.
There is also a risk of outbreak of contagious illness among staff, crews and customers.
These events could result in loss of life, serious personal injury or illness, asset damage and reputational impact concerning safety.
The Group and its service providers adhere to defined operating safety and quality policies and procedures. All sites are regularly inspected by internal second line functions and external regulatory bodies. Emergency procedures and safety training are conducted regularly.
Hazardous cargoes are managed in accordance with international maritime regulations.
Group vessels, offices and facilities are thoroughly and frequently sanitised. World Health Organisation (WHO) and governmental guidance and instructions are followed. Crews are tested before and during their work on board vessels.
Hybrid working arrangements are facilitated for staff to prevent spread of contagious illnesses.
Health and safety metrics for the year are disclosed on page 52.
The rollout of vaccination programmes throughout Europe in 2021 helped to protect staff, crew and customers from Covid-19 impacts and contributed to the safe resumption of non-essential travel for passengers.
The Group is closely monitoring the impacts of new Covid-19 variants and will continue to exercise caution in how meetings and business activities are conducted.
Operational Risk - Operational Compliance
The Group’s activities are governed by a range of IMO, flag state, port state, EU and national governmental regulations. There is a risk that instances of non-compliance may occur that cause disruption, reputational damage or financial penalties.
Ongoing training is provided to operations staff and contractors in line with regulatory requirements.
New regulations are discussed and assessed at management meetings, together with measures to ensure compliance.
The Group’s vessels and port operations are subject to regular inspections and audits from internal second line functions and external bodies.
The Group will continue to monitor new regulatory developments at the IMO and the EU and liaise with regional chambers of shipping, shipowners’ associations and other industry representatives as further information is announced. Compliance risks related to reducing emissions are managed within the Group’s climate change risk framework.
Operational Risk - Environmental Protection
The Group is exposed to long-term physical effects of climate change and to near and long-term transition risks associated with the movement towards a low carbon economy. These risks and impacts are detailed further on pages 56 to 57.
There is also a risk of spillages or incidents causing pollution and discharge to the sea.
Physical and transition climate change risks are managed within the Group’s climate change risk framework.
The Group is employing a range of technical and operational measures to achieve its GHG reduction targets. Refer to pages 44 to 45 for further details.
Over the last 12 months, the Group has placed significant focus on enhancing its approach to ESG and sustainability. Refer to the Sustainability and ESG Report on pages 40 to 61 for further information on activities and developments during the year.
Operational Risk - Human Capital
There is a risk of failure to attract qualified and talented individuals and additionally a risk of losing key personnel. Staff could become unmotivated or dissatisfied with the working environment. These risks can ultimately lead to a poor standard of customer service and decision making, affecting the Group’s market position, reputation and stakeholder relationships.
Pay and conditions are reviewed and benchmarked to ensure the Group remains competitive.
ICG is an equal opportunities employer and seeks a diverse workforce to promote a strong and accepting culture and to help make informed decisions.
Staff are encouraged and supported in their pursuits of further education and career advancement.
Long-term incentive plans are in place to retain and motivate key management personnel.
Work from home arrangements can be attractive opportunities for many individuals. The Group introduced hybrid working arrangements in response to changes in the work environment brought about by the Covid-19 pandemic.
IT Systems and Cyber Risk - Information Security and Cyber Threats
The Group is heavily reliant on its IT systems to support business activities. These systems are susceptible to data breaches and cyber attacks that can result in disruption, heavy fines and reputational damage.
The Group employs a suite of physical access controls and technical controls to prevent, detect, mitigate and remediate malicious threats and unusual activity. Such controls include rehearsals for major cyber incidents, vulnerability management processes and security awareness training for staff and key contractors.
Cyber-attacks continue to grow in volume and sophistication and have particularly intensified since the beginning of the Covid-19 pandemic.
Notably, in May 2021, a critical national infrastructure provider in Ireland experienced a significant ransomware cyber-attack causing major disruption and damages to systems. This was the largest cyber-attack in Irish history and highlights the importance for the Group to remain vigilant and ensure all efforts to protect its systems are made.
Financial Risk - Financial Loss
The Group is at risk of losses caused by ineffective or inefficient financial policies or practices, such as inadequate budgeting and planning, insurance provisioning, project management or credit control techniques.
The Group’s financial management activities are performed by experienced and knowledgeable personnel. Regular internal management reporting ensures negative variances and trends are identified and acted upon in a timely manner.
Close relations with insurance brokers are maintained and emerging risks are considered when assessing coverage.
Major projects require pre-approval of the Board. Due diligence procedures are carried out for project contractors and new commercial customers while ongoing performance management of projects and debtors is in place.
During the year, the Group successfully implemented a new ferry booking system and underwent fleet expansion to service its new Dover-Calais route. The Group continues to monitor performance of these projects during and after implementation.
Financial Risk - Volatility
The Group is exposed to adverse fluctuations in fuel prices and exchange rates which can reduce revenues, increase cost base and reduce overall profitability.
Group policy has been to purchase commodities in the spot markets and remain unhedged. The Group operates a dynamic surcharge mechanism with its freight customers which allows prearranged price adjustments in line with Euro fuel costs to help mitigate US Dollar exposure arising from fuel purchases. In the passenger sector, in addition to fixed environmental surcharges, changes in bunker costs are included in the ticket price to the extent that market conditions will allow.
The Group employs a matching policy to mitigate exposure to Sterling. Decreases in translation of Sterling revenues to Euro are largely offset against corresponding decreases in translation of Sterling costs.
Fuel prices were highly volatile in 2021, but overall have increased substantially over 2020, leading to an increase in Group fuel costs.
The magnitude of the Group’s exposure to unfavourable Sterling movements increased during the year, following its entry to the Dover-Calais route, to be serviced by three vessels.
Financial Risk - Retirement Benefit Scheme
The Group’s pension liabilities are exposed to risks arising from changes in interest rates, inflation, demographics and market values of the underlying investments, resulting in increased scheme obligations or decreased scheme assets.
A portion of the Group’s defined benefit risks are transferred to a third-party insurance company.
All actuarial assumptions are substantiated and challenged where necessary.
Regular communication is maintained with the scheme investment managers to monitor performance relative to agreed benchmarks.
In 2021, the Group continued its de-risking initiatives and active investment management.
Financial Risk - Fraud
A significant volume of transactions is processed throughout the course of the year. These include a large amount of payment exchanges in the booking process, on board passenger vessels and at port ticket desks. This level of activity inherently carries a risk of fraud through the processing of improper payments or misappropriation of cash or assets.
Any instance of fraud affecting ICG could result in financial loss, reputational and cultural damage.
Improper payments are prevented by a segregation of duties within the payment set-up, payment approval and accounts posting processes. Further training and procedures are in place to ensure any requested changes to vendor payments are validated.
Daily reconciliations are performed at cash processing locations. All cash counts require supervisor oversight and CCTV cameras are installed to deter and capture any inappropriate behaviour.
Internal audit procedures are designed with consideration for the scope of fraud where relevant.
The Group is not aware of any confirmed or suspected instances of fraud during the year.
The Group recently enhanced its Protected Disclosure (Whistleblowing) Policy to encourage employees or any person who works or has worked for the Group to make a disclosure in respect of significant matters, including instances of fraud. This policy is available on our website.
Financial Risk - Financial Compliance
As a public listed company with operations in different jurisdictions, the Group must comply with multiple financial and administrative regulations. Any policy changes or instances of non-compliance could result in financial loss, penalties or reputational damage.
The Group relies on its professional staff to ensure necessary filings are timely, complete and accurate.
Third party experts are engaged when required to advise on complex matters.
The Group engages productively with Irish tax authorities through the Co-Operative Compliance Framework.
Additional assurance is also gained from the work of the Group’s external auditors.
The Group is monitoring developments in the G20 global tax deal that would increase the rate of corporation tax in Ireland to 15 percent. As the Group is assessed under the tonnage tax regime it does not currently envisage changes to its tax requirements.
The Group is also monitoring and assessing the financial and administrative impact of proposals to include the maritime industry in the EU ETS.