Our management of risk underpins the delivery of our purpose and strategy and enables us to focus on providing a sustainable and resilient service for all customers and stakeholders for years to come

In delivering our group-wide activity we are faced with a range of risks which can threaten the quality of the services we provide, introduce delays and ultimately increase cost and damage the reputation of the group. We anticipate and mitigate these risks through an embedded risk management framework which includes:

  • A consistent and reliable enterprise-wide risk management process;
  • A governance and reporting structure which enables the board to oversee and direct the control of risk;
  • Definition of risk appetite by the board with an overarching general risk appetite supplemented where appropriate by specific risk appetites for certain risks;
  • An ISO 31000:2018 aligned assessment and mitigation process; and
  • Policies, practical guidance and training programmes to enable our people to identify, quantify and manage risk effectively.

Our risk identification and management activities are continuous and ongoing, with each functional area responsible for assessing, articulating and controlling relevant risks.

Figure 1: Assessment and management process adapted from ISO 31000:2018

Figure 1

This includes horizon scanning of the internal and external business environment, to identify and review new and emerging risks that could lead to a future impact or emerging circumstances of existing risk that could affect the exposure in the short to medium term.

Risk events are assessed in their current state for the likelihood of occurrence based on the level of threat and the vulnerability of controls, together with the financial and reputational impacts should the identified events materialise. Where we are not satisfied that the current state is consistent with our general risk appetite, or where it could present an unacceptable risk in relation to a specific risk appetite, we determine an appropriate risk exposure as a target state and develop further mitigating controls to deliver this position within an appropriate time frame.

In order to maintain adequate oversight of risk, there are various steering groups and governance forums that focus on individual risks which then escalate and share progress to the group audit and risk board either directly or via the wholesale risk and resilience board.

A complete oversight of our enterprise-wide profile is presented every six months to the group board to highlight the nature and extent of the current risk exposure with focus on the most significant risks relative to the group's principal risks.

We categorise the nature of our principal risks to cover potential issues within the following four categories: Regulatory and legal; Core operations and service provision; Functional service and support; and Hazard-based.

Reports to the board highlight major risks based on the highest impact business risks across the group and wholesale operational risks. These comprise the ten highest scoring risks assessed on the basis of likelihood and financial impact for each of the two categories. In addition, the report covers risks which were scored highly for the severity of their impacts in their current state (net of control effectiveness) but remote on likelihood. The board report also highlights risks where there could be significant reputational impact or which relate to significant new or emerging risks or issues, but which are not encompassed within the other reported categories.

Figure 2: Governance and reporting process

Wholesale risk and resilience board

Monitors status of risk, control and actions associated with wholesale operational risk

Wholesale operational risk

First line identication, analysis, evaluation and management of operational risk

Group board

Reviews the nature and extent of risk, confirms the company's viability and reports on effectiveness of risk management and internal control systems

Group audit and risk board

Reviews governance, risk and compliance matters

Corporate risk team

Second line framework development, advisory, assurance and reporting

Group strategic and tactical risk

First line identication, analysis, evaluation and management of strategic/tactical risk

Audit committee

Reviews the effectiveness of risk management and internal control systems

Corporate audit team

Third line review and assurance of risk management and internal control

Board/Board Committee

Management Committee/Activity

Our approach is in accordance with the UK Corporate Governance Code and incorporates reporting to the group board for every full and half year statutory accounting period. This enables the board to:

  • Determine the nature and extent of the principal risks it is willing to take in achieving its strategic objectives;
  • Oversee the management of those risks and provide challenge to executive management where appropriate;
  • Express an informed opinion on the long-term viability of the company; and
  • Monitor risk management and internal control systems and review their effectiveness.

Key developments

Ofwat's Initial Assessment of Plans (IAP) following the price review submission recognised our leading approach to risk and resilience. Our approach is a combination of top-down assessment, where we consider the impacts on strategic delivery, and bottom-up where we consider localised operational performance, asset health and operational hazards. We have an established approach for the two elements, but continue to drive improved maturity through various initiatives which focus on improved appreciation of related data and information to understand our long-term risk profile, to support decision-making and to deliver a cost-effective and proportionate risk management response which drives resilience.

These initiatives include:

  • Continuation of our focus on cross-business consideration of strategic and tactical risks, for example an in-depth cyber risk assessment that took place throughout the year (see Mitigating the risk of cyber crime) and Brexit contingency planning below;
  • Improvement of our maturity in relation to risk appetite – we have commenced reporting against a general risk appetite boundary and, where appropriate, specific risk appetite boundaries enabling more targeted discussions over the last year (an approach we intend to continue to develop and embed);
  • Development of the assessment and reporting of the full distribution of impacts, including possible maximum and minimum outcomes as well as more likely occurrences. This supports our focus on long-term resilience and tests our response and recovery plans and expectations;
  • Ongoing development of our wholesale risk and asset planning process to prioritise investment and operational management through the identification of risks and issues and monitoring of strategic performance requirements; and
  • An assurance-based strategy within the engineering and programme management team introducing programme and portfolio risk responsibilities and improving capability by focusing on reliable risk information, ownership and learning from risk events.

Profile features

Our risk profile, which currently consists of around 100 event-based risks is enterprise-wide, covering risk across the entire group and considering both internal and external drivers. By their nature, these risks will include many combinations of high to low likelihood and high to low impact.

Political and regulatory risk and uncertainty feature prominently within the profile, notably with the outcome of PR19 being delivered this calendar year. The possibility of 'renationalisation' is a key area of uncertainty as is the opening up to competition of wholesale operations (including the current focus on possible competition in bioresources and water abstraction) and the potential for competition covering domestic retail activities.

Our operations continue to be substantially UK-based, but the potential impacts of Brexit remain under review and have been reported to the group board. In common with other UK companies, a significant issue is the uncertainty surrounding the effects of any Brexit deal that the UK Government may ultimately deliver. Our review has considered the availability of European funding, the availability of critical goods (including chemicals and spare parts) through our supply chain, the price of goods and services due to tariff changes, exchange rate changes and potential inflationary shifts outside current predicted parameters, the effect to the labour resource of both the company and our delivery partners and our ability to collect cash were there to be an economic downturn. For each of these consequences, the impact assessment considers a range of possible impact scenarios and we have developed a contingency plan (in collaboration with Water UK) which has involved discussing the implications of Brexit with our key suppliers and capital delivery partners, as well as considering mitigation measures such as stockpiling and using alternative suppliers, a large proportion of which is already built into our multi-party frameworks.

Following the launch of non-household retail competition in April 2017, we have continued to monitor our operations in the market to review compliance risks and to ensure that we continue to operate in a manner that complements and promotes the 'level playing field'.

From an operational risk perspective, the dominance of the penalty element of Ofwat's outcome delivery incentive mechanism and the continuing effects of changes to the Environmental Sentencing Guidelines continue to be key features of evolving exposure. Reputationally, our core operations/service provision (notably water service) and health, safety and environmental risks have the highest focus for monitoring and reviewing control effectiveness based on the potential impact should the risk event occur.

We continue to adapt to and plan for climate change and its significant and permanent impacts on the water cycle, our operations and the broader operating environment. This includes consideration of the long-term viability of water and wastewater services such as water abstraction, drinking water supply and treatment capability, drainage and sewer capacity, wastewater treatment and its discharge efficiency and effectiveness. The recommendations of the Task Force on Climate-related Financial Disclosures (TCFD) support and reinforce the need to consider climate-related risks and uncertainties. These continue to be factored into risk management and the likely effects of future changes are a critical consideration in our long and medium-term risk, operational and financial planning (see also Key resources in Our business model and Our approach to resilience in Our planning horizons). Our water service and wastewater service risks (Our risk management) also reflect current key risks including the potential for extreme weather and climate change.

Figure 3: Risk map

Heat map
  1. Political and regulatory
  2. Conduct and compliance risk
  3. Water service
  4. Wastewater service
  5. Retail and commercial
  6. Financial
  7. Supply chain and programme delivery
  8. Resources
  9. Security
  10. Health, safety and environmental

Risk increased

Risk decreased

Risk stable

The risk map provides an indicative only view of the current exposure of each of the principal risks relative to each other: illustrating the likelihood of occurrence relative to the associated internal or external drivers; whether the risk is believed to have increased, decreased or remained stable over the last 12 months; and the most likely impact should an event occur.

Material litigation

The group robustly defends litigation where appropriate and seeks to minimise its exposure by establishing provisions and seeking recovery wherever possible. Litigation of a material nature is regularly reported to the group board.

Beyond that reported in previous years on the Argentina multiparty 'class action' and the Manchester Ship Canal Company matters (to which there have been no material developments), there is nothing specific to report on material litigation.

Principal risks

The ten principal risks (combinations of relevant event-based risks) identified in the risk map and described in more detail in the tables which follow, illustrate where value can be lost or gained and could have a material impact on the group's business model, future performance, solvency or liquidity. For each principal risk the nature and the extent of exposure is recorded, with alignment to our strategic themes and mitigating controls identified. Also described are key risks worthy of note, together with current issues and areas of uncertainty. These reflect changing/emerging circumstances which could affect the risk exposure of future activities and are therefore considered as part of the ongoing mitigation.

Risk exposure:

An indication of each category's current exposure relative to the previous year is shown by the coloured disc surrounding the risk number.




Strategic themes:

The best service to customers

At the lowest sustainable cost

In a responsible manner

Regulatory and legal

Potential change in the political and regulatory environment and/or frameworks

Main strategic theme:

Principal/significant impacts:

Potential for increased costs of administration, reduction in income, margin and greater uncertainty of returns.

Potential that reduced confidence among equity investors and difficult debt market conditions lead to funding pressures in the context of raising finance and refinancing debt on an ongoing basis.

In the event of renationalisation the business could be acquired below fair value.

Management and mitigation:

We regularly engage in relevant government and regulatory consultations which may affect policy and regulation in our industry as well as consulting with the opposition. We also consult our customers to better understand their requirements and proactively consider opportunities and threats associated with any potential change, exploiting opportunities and mitigating risks where appropriate. We keep customers and the public informed. We also provide information to the government, regulators, customers and the public as appropriate to help them to make informed decisions.

Current key risks, issues and uncertainties:

  • Potential renationalisation of the water sector
  • Further market reform including upstream competition in water resources and bioresources, as well as additional markets in future, and the potential for the introduction of domestic competition
  • Final determination of PR19 and associated tougher regulatory targets
  • Brexit and potential changes to the regulatory regime

The failure to meet all legal and regulatory obligations and responsibilities

Main strategic theme:

Principal/significant impacts:

The detrimental impact to customers and other stakeholders through inappropriate culture, behaviour or decisions and the potential to receive penalties of up to 10 per cent of relevant turnover and ultimately revocation of our licence or the appointment of a special administrator.

Management and mitigation:

Corporate social responsibility features prominently within the group. We work in collaboration with landowners, environmental organisations, community groups and other stakeholders to deliver enhanced environmental outcomes and engage with the community and support agencies regarding vulnerable customers and ensure diversity and equality of employees and an ethical supply chain.

Legislative and regulatory developments are continually monitored as is the governance framework utilised by the group. Risk-based training of employees is undertaken and we participate in consultations to influence legislative and regulatory developments. Allowance for any material additional compliance costs in the regulated business is sought as part of the price determination process. The group also robustly defends litigation where appropriate and seeks to minimise its exposure by establishing provisions and seeking recovery wherever possible.

Current key risks, issues and uncertainties:

  • The effects of Brexit on legislation/laws, enforcement and the regulatory regime
  • Competition law requirements in relation to the non-household retail market and other competitive markets
  • Current material litigation
  • Continuing high fines for environmental offences
  • Data management and governance (GDPR)

Core operations and service provision

A failure to provide a secure supply of clean, safe drinking water and the potential for a negative impact on public confidence in water supply

Main strategic theme:

Principal/significant impacts:

The potential for public health issues associated with poor water quality.

The potential for supply interruptions that could affect large populations within the region for long durations.

Management and mitigation:

Mitigation is provided through core business processes, including centralised planning and control, quality assurance procedures, risk assessments and rigorous sampling/testing regimes. Optimisation of operational and maintenance tasks together with targeted capital interventions help to ensure services to customers are maintained.

Our 25-year Water Resources Management Plan defines our strategy to achieve a long-term, best-value and sustainable plan for water supplies in the North West including consideration of multiple different climate change scenarios including a 2 degree (Celsius) global warming scenario (assessing systems resilience).

We continue to develop innovative solutions and invest in resilience to further support the delivery of water and wastewater services in the long term.

Current key risks, issues and uncertainties:

  • Population growth
  • Extreme weather, climate change and drought
  • Expected change to the abstraction licensing regime
  • Drinking water safety and security
  • Critical asset failure
  • Brexit, in particular the effects of a no-deal scenario on the chemicals supply chain

A failure to remove and treat wastewater

Main strategic theme:

Principal/significant impacts:

The potential for sewer flooding or serious pollution to air, soil or water leading to harm or disruption to the public, businesses and the environment (wildlife, fish and natural habitats) resulting in fines and reputational damage.

Management and mitigation:

Mitigation is provided through core business processes, including centralised planning and control, quality assurance procedures, risk assessments, rigorous sampling/testing regimes and close management of discharge consent requirements. Optimisation of operational and maintenance tasks together with targeted capital interventions help to ensure services to customers are maintained.

Current key risks, issues and uncertainties:

  • The effects of extreme weather on overloading the sewer network
  • Pollution incidents
  • Population growth
  • Increased regulatory scrutiny and penalties
  • Higher fine levels for environmental offences
  • Climate change
  • Brexit, in particular the effects of a no-deal scenario on the chemicals supply chain

Failing to provide good and fair service to domestic customers and third-party retailers or a failure of or issue in relation to non United Utilities Water operations or businesses (including Water Plus)

Main strategic theme:

Principal/significant impacts:

The potential for significant losses, regulatory penalties and long-term reputational damage associated with poor customer satisfaction. The potential for a significant increase in the bad debt charge, reducing profitability.

Management and mitigation:

For domestic retail there is a wide range of initiatives and activities focused on improving customer satisfaction, including proactive incident communication, complaints handling and use of appropriate tariffs. Bad debt risk is managed through the adoption of best practice collection techniques, segmentation of customers based on their credit risk profile and the use of data sharing to better understand customers' circumstances to determine the most appropriate collection and support activities. Our wholesale business maintains processes, systems, data and organisational capacity and capability to deal fairly with market participants and the central market operator in the Business Retail market in order to generate and collect revenue. Similarly strong governance applies to non United Utilities Water operations and businesses.

Current key risks, issues and uncertainties:

  • Socio-economic deprivation in the North West
  • Economic downturn (due to welfare reform, Brexit or other factor) and the effect on domestic bad debt
  • Competition in the water and wastewater market and competitor positioning
  • Non-household retail competition and the ability to treat other participants equally
  • The challenges associated with being involved in a joint venture water retail business operating in a competitive environment

Functional service and support

Potential inability to finance the business appropriately

Main strategic theme:

Principal/significant impacts:

The potential for worse credit ratings, associated funding costs or reduced access to debt capital markets leading to lower liquidity and adversely impacting the economic return on the regulatory capital value (RCV).

Tax inefficiencies, under or overpayment of tax, market fluctuations in inflation, interest rates and energy prices and a potential worsening of the pension scheme funding position could all lead to a significant increase in costs to the group.

Management and mitigation:

Refinancing is long-term with staggered maturity dates to minimise the effect of short-term downturns. Counterparty credit exposure and settlement limits exist to reduce any potential future impacts. These are based on a number of factors, including the credit rating and the size of the asset base of the individual counterparty. The group also employs hedging strategies to manage the impact of market fluctuations for inflation, interest rates and energy prices. Sensitivity analysis is carried out as part of the business planning process, influencing the various financial limits employed. Continuous monitoring of the markets takes place including movements in credit default swap prices and movements in equity levels.

Current key risks, issues and uncertainties:

  • Inflation/deflation
  • Financial market conditions, interest rates and funding costs due to economic uncertainty (e.g. Brexit)
  • Paying an appropriate amount of tax

Potential ineffective delivery of capital, operational and change programmes/processes

Main strategic theme:

Principal/significant impacts:

The potential failure to meet our obligations and customer outcomes resulting in an impact at future price reviews, negative reputational impact with customers and regulators.

Management and mitigation:

Supply chain management is utilised to deliver an end-to-end contract management service, including contract strategy, tendering and category management, which provides a risk-based approach and relationship management programmes for suppliers. We prioritise our investment programmes, projects and integrated business and asset plans. We have created better alignment and integration between our capital delivery partners and engineering service providers including alignment with our operating model.

Our programmes and project managementcapabilities are well established with strong governance and embedded processes to support delivery, manage risks and achieve business benefits. We utilise a time, cost and quality index (TCQi) as a key performance indicator and enhance our performance through a dedicated programme change office to deliver change in a structured and consistent way.

Current key risks, issues and uncertainties:

  • New partnership structure and arrangement in AMP 7
  • Direct procurement for customers (DPC)
  • Technical quality and innovation
  • Brexit and increased uncertainty of availability of materials sourced from Europe

Failing to provide appropriate resources (human, technological or physical resource) required to support business activity

Main strategic theme:

Principal/significant impacts:

The potential inability to recruit, retain or deploy knowledge and/or expertise.

The potential inability to respond and recover due to ineffective non resilient business activity.

Management and mitigation:

Developing our people with the right skills and knowledge, combined with delivering effective technology are important enablers to support the business to meet its objectives. Employees are kept informed regarding business strategy and progress through various communication channels. Training and personal development programmes exist for all employees in addition to talent management programmes and apprentice and graduate schemes. We focus on change programmes and innovative ways of working to deliver better, faster and more cost-effective operations.

Current key risks, issues and uncertainties:

  • Delivering required employee engagement
  • Personal development, talent management and succession planning
  • Optimising technology and innovation


Potential for malicious activity (physical or technological) against people, assets or operations

Main strategic theme:

Principal/significant impacts:

The potential for a loss of data/information and the consequent effect on service provision.

The potential for catastrophic damage to UU property, infrastructure and non-infrastructure and the consequent effect on service provision.

Management and mitigation:

Physical and technological security measures and awareness training combined with strong governance and inspection regimes aim to protect infrastructure, assets and operational capability. Externally, we work closely with our industry peers, the Centre for the Protection of National Infrastructure (CPNI), the National Cyber Security Centre (NCSC), the Drinking Water Inspectorate (DWI) and Defra to shape the sector approach to security, particularly cyber security, and to understand how we can best deliver the appropriate levels of protection to our business and in compliance with the new Network and Information Systems Directive (NIS). Ongoing system and network integration improves operational resilience and we maintain robust incident response, business continuity and disaster recovery procedures. We also maintain insurance cover for loss and liability, and the licence of the regulated business also contains a 'shipwreck' clause that, if applicable, may offer a degree of recourse to Ofwat/customers in the event of a catastrophic incident.

Current key risks, issues and uncertainties:

  • Cybercrime
  • Terrorism
  • Fraud
  • Ownership of critical national infrastructure and national infrastructure

Potential harm to people (employees, contractors or the public) and the environment

Main strategic theme:

Principal/significant impacts:

The potential for serious injury or loss of life in remote, extreme circumstances.

The potential for catastrophic damage to private, public or commercial property/infrastructure including the consequent effect on water and wastewater service provision.

The potential for serious impact on wildlife, fish or natural habitats resulting in significant fines and reputational damage.

Management and mitigation:

Supported by strong governance and management systems certified to OHSAS 18001 we have developed a strong health and safety culture where 'nothing we do at United Utilities is worth getting hurt for'. We actively seek to improve health, safety and wellbeing across the group through targeted improvements and benchmarking against our peers. Also certified to ISO 14001, we seek to protect and improve the environment through the responsible delivery of our services. This includes helping to support rare species and habitats through targeted engagement and activity and commitment to reducing our carbon emissions by designing out waste from our operations, generating our own energy and looking at ways to reduce our use of raw materials. We also recognise the impact the environment can have on our service provision with extreme weather and climate change being integrated into our risk, planning and decision-making processes.

Current key risks, issues and uncertainties:

  • Impounding reservoirs containing significant volumes of water
  • Other critical asset failure
  • Multiple hazards including process safety, use or accidental release of chemicals, excavation, tunnelling and construction work
  • Fluvial and coastal flooding associated with climate change

Business insight:

Mitigating the risk of cyber crime