? Adverse systems through theft and misuse of confidential Action was taken this year to further develop our effect on data, damage to or manipulation of operationally security profile and maturity against the reputation critical data or interruption to our IT services, internationally recognised National Institute of ? Potential any of which may have serious consequential Standards and Technology - Cyber Security Framework. legal impacts on our reputation, ability to trade and During 2020 we successfully introduced a 24/7 action, compliance with regulations including GDPR. security operations centre capability to monitor for fines and suspicious activity and behaviours and work with penalties resolver teams as required. We assess our main risk of attack to be from opportunistic criminals seeking financial gain from the theft and sale of personal data. We have a cyber-incident response protocol, which is updated with lessons learned from responses to During 2020, the Covid-19 pandemic appears to attempted attacks on the Group and external cases. have heightened this risk and we have seen an Third party forensic capability is in place, should increase in the volume, frequency and it be needed, to support our ability to respond sophistication of attempted cyber-attacks during rapidly and effectively to an incident, restore this period, which is expected to continue. We systems and demonstrate compliance. also face internal risks of data loss or leakage as a result of actions taken by colleagues, whether accidental or deliberate. Our strategy to modernise and digitise capabilities also presents We will prioritise a number of security focused a further dimension to cyber and data security programmes in 2021 to further minimise the risk risk. profile. This includes programmes focused on maintaining GDPR compliance and the optimisation of security technology. People Impact Risk description Risk mitigation People are key to our success. Our ability to Strategic initiatives are in place in relation to recruit, develop, retain and motivate suitably diversity and inclusion and knowledge management. qualified and experienced staff is an important Further information on progress made during the year driver of our overall performance. can be found in the Diversity and inclusion report on page 62. The strength of our customer proposition is underpinned by the quality of our people, The Group's employment policies and practices are particularly those in branch and other customer kept under regular review. facing roles. Many colleagues have worked for us for many years, during which time they have amassed valuable product and customer knowledge and expertise. Retaining those colleagues is key Staff engagement and turnover by job type is to continuing high levels of customer service and reported regularly to the Group Leadership Team and maintaining our competitive advantage. the Board. ? Adverse effect on Ensuring the retention and development of our An established talent and succession process is in delivery of employees, and that robust succession plans exist place, which will be reviewed and refreshed in 2021. strategy for key positions, is important for us to ensure The process is run annually with plans for the most ? Competitive that we have the right skills and experience to senior and critical roles reviewed by the Board. disadvantage deliver on our strategic objectives. ? Adverse effect on reputation The Group's reward and recognition systems are We are exposed to skills shortages in certain actively managed to ensure high levels of employee areas which can result in salary cost pressures. engagement. Salaries and other benefits are In particular, the availability of suitably benchmarked regularly to ensure that the Group qualified commercial drivers remains an area of offering remains competitive and the Group operates ongoing focus, which is critical to the operation incentive structures to ensure that high performing of our fleet to meet customer delivery colleagues are adequately rewarded and encouraged to expectations. remain with the Group. We recognise the benefits of a diverse workforce A wide range of training programmes are in place to and an inclusive workplace, to ensure that encourage staff development. Management development everyone feels welcome, valued for their programmes are available to those identified for contribution and able to perform at their best. more senior positions. The Group's award-winning Making progress in this area will take time and "Learn and Earn" Apprenticeship Programme ("LEAP") there is a risk that we are unable to move has been in place for a number of years and has a quickly enough to capture the benefits or meet track record of successful delivery of colleague and customer expectations. apprenticeships in both branch- based and functional roles. Health, safety & well-being Impact Risk description Risk mitigation Health, safety and well-being is one of our fundamental values. We continue to challenge our thinking and approach to improving safety performance through our well established "Stay Safe" brand. Steps have been taken in 2020 to build on our reporting programme and empower colleagues to "Call It Out" if they see anything that they consider to be unsafe. Guidance has been issued to support colleagues through difficult customer conversations. Regular communications highlight examples where "calling it out" has avoided a safety issue, which is helping to generate an even more open reporting culture around safety. Keeping our colleagues, customers, suppliers and the public safe is a cornerstone of the business and at the heart of how we operate. We expect everyone to go home to their families safely Governance of Stay Safe is well established and every day. designed to promote a continual focus on health and safety. Stay Safe performance is reviewed at all Board meetings, by the Group Leadership Team, by every business leadership team and by the dedicated ? Harm to our We operate a large estate, with many sites Stay Safe Committee, which is chaired by a colleagues, running complex and busy yards. We also operate Non-executive Director. In these forums we also customers or one of the largest vehicle fleets in the UK, monitor the the public distributing heavy and bulky materials. Certain ? Potential products that we sell pose health and safety achievement of transport compliance requirements. legal risks. Poorly implemented safety practices on The Fleet team has recently been restructured and is action, site, on the road and at delivery locations could in the process of delivering improvements against a fines and result in significant harm to our colleagues, Fleet and Driver roadmap, continuing into 2021. penalties customers and the wider community. ? Adverse effect on reputation Incidents are monitored, investigated and corrective The Covid-19 pandemic has had a profound impact action taken to address the root cause. For more

