
An Introduction to Enterprise Risk Management

By James Redmond, BBS, MBS, ACMA: Examiner - Strategic Level, Strategy & Leadership

Introduction

All organisations seek to provide value for their stakeholders, but in doing so, organisations also face
and must try to manage uncertainty. The COSO (2017) suggests that the challenge for management is
to determine how much uncertainty to accept as the organisation attempts to grow stakeholder value.
Enterprise risk management enables management to more effectively deal with uncertainty and the
associated risks and opportunities. It also allows organisations to address all the risks they face
comprehensively and coherently, instead of trying to manage them individually (Bromiley et al, 2014).

Lundqvist (2013) highlights that the increased visibility of enterprise risk management is a result of
pressure on organisations to manage their risk profiles more effectively and holistically. She continues,
outlining how organisations face a ‘broader scope of risks arising from globalisation, industry
consolidation, and deregulation.’ Enterprise risk management has become especially important as a
consequence of the financial crisis of 2008 and, as repeated by the COSO (2017), the World Economic
Forum has referred to the ‘increasing volatility, complexity and ambiguity of the world.’ A range of
organisations, including rating agencies, professional associations, regulators, and legislative bodies,
have urged organisations to adopt enterprise risk management (Bromiley et al, 2014). Therefore, while
the understanding of risk and the practice of enterprise risk management have improved, organisations
still face serious challenges in effectively managing risk. Today, stakeholders are more engaged, and
want greater transparency and accountability for managing the impact of risk.

The aim of this article is to discuss some of the key issues in enterprise risk management. In particular,
the article will discuss the following issues:
1. Defining enterprise risk management
2. Benefits of enterprise risk management
3. Types of risk
4. The three lines of defence model
5. The COSO Framework
6. The Risk Management Association Framework
7. Strategic risk management

Defining Enterprise Risk Management

There is a wide range of definitions of enterprise risk management. For example, the COSO defines
enterprise risk management as, ‘a process, effected by an entity’s board of directors, management and
other personnel, applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.’ The Risk Management Association
council, meanwhile, defines enterprise risk management as ‘the management capability to manage all
business risks in pursuit of acceptable returns.’ Lastly, FERMA refers to the ISO definition of risk, ‘the
combination of the probability of an event and its consequences.’

Benefits of Enterprise Risk Management

Nocco and Stulz (2006) describe how enterprise risk management creates value in organisations at
both a ‘macro’ and ‘micro’ level. They state that at the macro level enterprise risk management enables
the board of directors and senior management to identify, quantify and manage the risk-return trade-off
facing the entire organisation. On the other hand, at the micro level, enterprise risk management
ensures that all material risks are ‘owned’ by operating managers and employees throughout the
organisation. The enterprise risk management framework becomes part of the ‘way of life’ at operational
levels and an important building block of the organisation’s culture.

Types of Risk

The nature and extent of risks faced by
organisations will naturally be different,
depending on a range of factors, including an
organisation’s nationality, its level of
multinationality of activities, its main industry,
and its diversification and organisational scale.
The diagram, taken from the FERMA European
Risk Manager Report 2020, illustrates some of
the most important risks facing European firms
in 2020. It is noticeable from the diagram, and
the diagram below, that the five key risks over
the next twelve months are different to those
identified as risks over the next decade.

The FERMA report identifies the following as the top five risks within the next twelve months: cyber
threats; uncertain economic growth; availability of key skills; data fraud or theft; and over-regulation.
(These are depicted in the inner circle in the diagram.) On the other hand, the survey identified climate
change and environmental damage, changing customer behaviour and extreme weather events as the
critical risks to be addressed over the next decade. The diagram below, also taken from the FERMA
European Risk Manager Report 2020, contrasts the risks that organisations face in the short term
(twelve months) and the long term (ten years).

Top Risks

Source: FERMA, 2020: 3

The Three Lines of Defence Model

Many organisations structure their risk management by having ‘three lines of defence’. In larger
organisations especially, there is frequently a range of units and teams to help manage risk: risk officers,
internal auditors, compliance officers, internal control specialists, quality inspectors, and so on.
However, because their work is dispersed, they need to be coordinated carefully to assure that risk
management processes operate as intended. The coordination will ensure that there are no significant
gaps in risk management, nor is there unnecessary and expensive duplication. Within the organisation’s
risk management structure, each unit and team must have clear responsibilities and boundaries and
each must be aware of how their positions fit into the organisation’s overall risk management structure.
The Institute of Internal Auditors (2013) has outlined the ‘Three Lines of Defence Model’, and the
diagram below illustrates the model. In the model, management control is the first line of defence, the
second line of defence is the different internal controls and compliance functions, while the last line is
independent assurance. Although not specifically ‘a line of defence’, senior management and boards of
directors have responsibility to determine organisational objectives and manage the risks faced in
achieving these objectives.

Three Lines of Defence Model

Source: The Institute of Internal Auditors, 2013: 2

The Institute of Internal Auditors (2013) outlines how the Three Lines of Defence model identifies three
groups necessary for effective risk management:
• Functions that own and manage risks.
• Functions that oversee risks.
• Functions that provide independent assurance.

1st Line of Defence


Front line, operational managers are the first line of defence. Operational management implement
policies and procedures on a day-to-day basis, and are responsible for taking corrective actions when
there are problems or control deficiencies. As part of their normal work, operational management
identify, assess, and mitigate risks to achieve their units’ targets. Through the organisational structure,
mid-level managers design and implement detailed procedures to monitor and supervise the
performance and actions of lower level managers and staff.

2nd Line of Defence


In addition to the day-to-day risk monitoring activities of operational management, organisations also
establish separate functions and units to ensure the first line of defence is properly designed and is
operating as intended. These functions and units are mostly independent of the risk monitoring activities
of operational management and the first line of defence. However, they are established by
management, and are by nature management functions, and therefore cannot be fully independent.
The Institute of Internal Auditors (2013) identified the following typical functions in the second line of
defence:
• A risk management function and/or committee. These monitor the implementation of effective risk
management practices by operational management.
• A compliance function. This monitors specific risks such as noncompliance with applicable laws
and regulations. Organisations may have multiple compliance functions depending on their
industry.
• A controllership function. This monitors financial risks and financial reporting issues.

3rd Line of Defence


The third line of defence in the model is an Internal Audit function. As illustrated in the diagram above,
an internal audit function will report directly to senior management and/or to the board of directors. An
effective internal audit function can therefore provide the organisation and its board of directors with
comprehensive assurance based on the highest possible level of independence and objectivity. The
internal audit function may investigate and report on any division, unit, process or activity within the
organisation.

External Bodies
In addition to the three lines of defence that are internal to the organisation, and again as illustrated in
the diagram above, there is a range of external bodies that may monitor and report on the
organisation’s governance, control and risk management. These bodies may include external auditors,
industry regulators and government agencies. These bodies may set additional requirements intended
to strengthen the controls in an organisation or, on occasion, perform an independent evaluation of some
element of the organisation.

Organisational risk management is usually most effective when there are three separate and clearly
identified lines of defence, irrespective of the organisation’s size or complexity. However, it is also
important that activities are coordinated and information is shared among the units and functions
responsible for managing the organisation’s risks.

Appendix One is an excerpt from the CRH Annual Report 2019. It outlines the risk governance within
CRH, including its use of the ‘three lines of defence’ approach.

The COSO Framework

The Committee of Sponsoring Organisations (COSO) is a US based organisation, established in 1985.
Its mission is to ‘help organisations improve performance by developing thought leadership that
enhances internal control, risk management, governance and fraud deterrence.’ In 2001, the COSO
initiated the development of the ‘Enterprise Risk Management - Integrated Framework’. The objective
of the Framework is to help organisations to evaluate and improve their enterprise risk management.
The diagram below identifies the main elements of the Framework.

The diagram illustrates the integrated and comprehensive nature of the COSO ERM Framework.
Identified on the top face of the cube diagram, the Framework addresses risks at strategic and
operational levels, as well as in terms of reporting and compliance. The second face of the cube diagram
illustrates that the framework is useful organisation-wide as well as at organisational subunit level. The
third and front face of the cube diagram identifies the eight components of the ERM Framework itself.
These will be outlined in the following paragraphs.

The COSO’s ‘Enterprise Risk Management Framework’

Source: COSO, 2004: 5

Internal Environment
The internal environment creates the context for how risk is perceived and establishes the tone of the
organisation (COSO, 2004). The internal environment influences organisational risk appetite, attitudes
towards risk management and ethical values (ACCA). An organisation’s internal environment is
established by the board of directors. The board needs to have strong, independent voices and the
appropriate experience, knowledge and diversity to set the right tone. According to the ACCA, a criticism
of the COSO ERM framework is that it does not reflect sufficiently the impact of the competitive
environment, regulation and external stakeholders on risk appetite and management and culture.

Objective Setting
Objectives are stepping stones toward the achievement of the organisation’s mission. The organisation
should set objectives that support the organisation’s mission and which are consistent with its risk
appetite (ACCA). The board of directors needs to consider risk appetite and take a high-level view of
how much risk it is willing to accept. There are different levels of risk associated with different objectives,
and the organisation needs to be aware of the risks arising if different objectives are pursued.

Event Identification
The organisation needs to identify internal and external events that affect the achievement of its
objectives. The organisation should distinguish between negative events that are risks and positive
events that are opportunities. The organisation needs to also distinguish between strategic and
operational risks. Operational risks may result in a disruption to the organisation’s operations, while
strategic risks may disrupt the achievement of its strategic objectives. The ACCA suggests that a
problem with the COSO ERM Framework is that it has an excessive focus on internal factors and
therefore operational risks. Organisations need to have processes in place to identify potential risks
arising from individual events as well as being able to identify more gradual trends that may result in
changes in risk profile.

Risk Assessment
The organisation must analyse the risks that have been identified in terms of their likelihood of
occurrence, and their potential impact on the organisation and its operations and objectives. This should
provide the organisation with an understanding of how to manage the risks it faces. The organisation
needs to employ a combination of qualitative and quantitative risk assessment methodologies to analyse
potential risks. The organisation needs to evaluate the inherent risk levels in events and trends but
needs to also evaluate the level of potential residual risk remaining after any risk management
interventions have taken place. Lastly, the organisation needs to consider how individual risks
interrelate and not evaluate them in isolation.

Risk Response
Once the organisation has identified and evaluated the range of risks it faces, it must then select
appropriate actions to align risks with the organisation’s risk appetite. The COSO emphasises the
importance of taking a portfolio view of risk, otherwise risks may be managed in isolation without
considering the potential collateral impact on the wider organisation. The organisation may use a
combination of four generic management responses to risk: (1) reduce, (2) accept, (3) transfer or (4)
avoid. The organisation must choose a risk response that is realistic and which factors in the cost to the
organisation of any individual risk response in the context of the potential organisational impact of that
risk. The ACCA refers to the ALARP principle, or ‘as low as reasonably practicable’. This idea is
especially important in more regulated industries, such as pharmaceuticals or retail banking.

Control Activities
The organisation must develop and implement a range of policies and procedures to ensure that risk
responses are effectively managed. Once controls and systems are in place they need to operate
effectively. The COSO emphasises that control activities are only a means to an end. The critical factor,
and weakness, in any control system, is people. The main reason why controls fail is
problems with how managers and staff utilise controls. There are several reasons for this: the controls
are not taken seriously, people make mistakes, or management even tells staff to ignore or override
controls.

Information and Communication


The organisation needs to identify, capture and communicate information in a relevant and timely
manner to enable managers and staff to carry out their responsibilities. There also needs to be effective
communication with staff in relation to risk areas in the organisation and the activities of staff. This
should strengthen the internal environment by increasing staff’s risk awareness. As with all control
systems, if the organisation does not take information distribution and communication seriously, it can
undermine risk management.

Monitoring
The organisation needs to monitor and manage its entire enterprise risk management framework and
systems. Systems and controls tend to deteriorate over time if they are not effectively monitored and
modified as the need arises. The process of monitoring may involve a regular review, or ongoing
monitoring, and periodic review, where an evaluation exercise is completed on a specific group of control
activities. Irrespective of how they are identified, any weaknesses in controls or their implementation
need to be assessed and rectified.

COSO Enterprise Risk Management (Updated) Framework


In 2017, the COSO published an updated version of its Framework, called ‘Enterprise Risk Management
- Integrating with Strategy and Performance’. The updated Framework highlights the importance of
considering risk in both the strategy-setting process and in driving performance. The updated
Framework is reorganised into five components, rather than eight, but attempts to achieve the same
outcome as the original Framework. The five components in the updated Framework are shown in the
diagram below, along with the set of principles that underpin them.

COSO Enterprise Risk Management (Updated) Framework

Source: COSO, 2004: 5

The Principles
The COSO outline the underlying principles as follows:

1. Exercises Board Risk Oversight: The board of directors provides oversight of the strategy and carries out
governance responsibilities to support management in achieving strategy and business objectives
2. Establishes Operating Structures: The organisation establishes operating structures in the pursuit of
strategy and business objectives
3. Defines Desired Culture: The organisation defines the desired behaviours that characterise the entity’s
desired culture
4. Demonstrates Commitment to Core Values: The organisation demonstrates a commitment to the entity’s
core values
5. Attracts, Develops, and Retains Capable Individuals: The organisation is committed to building human
capital in alignment with the strategy and business objectives
6. Analyses Business Context: The organisation considers potential effects of business context on risk profile
7. Defines Risk Appetite: The organisation defines risk appetite in the context of creating, preserving, and
realising value
8. Evaluates Alternative Strategies: The organisation evaluates alternative strategies and potential impact on
risk profile
9. Formulates Business Objectives: The organisation considers risk while establishing the business objectives
at various levels that align and support strategy
10. Identifies Risk: The organisation identifies risk that impacts the performance of strategy and
business objectives
11. Assesses Severity of Risk: The organisation assesses the severity of risk
12. Prioritises Risks: The organisation prioritises risks as a basis for selecting responses to risks
13. Implements Risk Responses: The organisation identifies and selects risk responses
14. Develops Portfolio View: The organisation develops and evaluates a portfolio view of risk
15. Assesses Substantial Change: The organisation identifies and assesses changes that may substantially
affect strategy and business objectives
16. Reviews Risk and Performance: The organisation reviews entity performance and considers risk
17. Pursues Improvement in Enterprise Risk Management: The organisation pursues improvement of
enterprise risk management
18. Leverages Information Systems: The organisation leverages the entity’s information and technology
systems to support enterprise risk management
19. Communicates Risk Information: The organisation uses communication channels to support enterprise
risk management
20. Reports on Risk, Culture, and Performance: The organisation reports on risk, culture, and performance at
multiple levels and across the entity

The Risk Management Association Framework

The Risk Management Association (RMA) is a US based, professional association serving the financial
services industry. Its mission is to promote sound risk management principles in the financial services
industry. According to the RMA, enterprise risk management is designed to support the senior
management team and the board of directors to consider the following questions:
1. What are all the risks to our business strategy and operations (coverage)?
2. How much risk are we willing to take (risk appetite)?
3. How do we govern risk taking (culture, governance, and policies)?
4. How do we capture the information we need to manage these risks (risk data and infrastructure)?
5. How do we control the risks (control environment)?
6. How do we know the size of the various risks (measurement and evaluation)?
7. What are we doing about these risks (response)?
8. What possible scenarios could hurt us (stress testing)?
9. How are various risks interrelated (stress testing)?

The RMA has developed its alternative enterprise risk management framework. The RMA emphasises
that at the centre of the enterprise risk management framework is organisational culture. The RMA
states that without a strong culture and effective strategic leadership, the enterprise risk management
framework cannot work. In other words, organisations must use the framework and absorb it into their
‘way of doing things’, as mechanical compliance with the stages and components is not sufficient to
effectively manage risk. The circular nature of the framework reinforces that the individual components
of the framework are not sequential, but rather they are a dynamic flow in both directions. The RMA
‘Enterprise Risk Management Framework’ is illustrated below.

The RMA’s ‘Enterprise Risk Management Framework’

Source: The Risk Management Association

The various stages of the RMA’s Enterprise Risk Management Framework are outlined below.

Coverage
Enterprise risk management can only be managed and assessed in the context of the organisation’s
business strategy and strategic objectives. The organisation must detail what it wants to achieve in
terms of markets, geographies, products, earnings, and so on. Only by doing this can the organisation
consider the nature and level of risk implied in that strategy, and as a consequence discuss the level of
risk it is willing to accept in pursuit of this strategy and objectives. As identified above, there is a range
of risks potentially facing an organisation as a result of its strategy, including strategic risk, operational
risk, compliance risk, as well as financial and liquidity risks.

Risk Appetite
As discussed above, an organisation’s ‘risk appetite’ is a key element of its enterprise risk management
strategy. The RMA defines risk appetite as ‘the amount of risk (volatility of expected results) an
organisation is willing to accept in pursuit of a desired financial performance (returns).’ A statement of
an organisation’s risk appetite is critical to link the organisation’s strategy, business plans and level and
nature of organisational risk.

Governance and Policies


Organisational culture is frequently described as ‘the way we do things around here’, or as the RMA
describe it, ‘what people do when they are not being watched’. The organisation needs to develop and
manage a strong, risk aware, organisational culture, as it is a cornerstone of effective ERM competency.
The organisation’s risk appetite is realised through its policies and procedures. The organisation’s
policies and procedures describe what the organisation intends to do and how it intends to do it. They
will be developed and implemented in the context of the risk appetite articulated by the organisation’s
board of directors and senior management.

Risk Data and Infrastructure


A good risk management framework and infrastructure needs an effective supporting management
information system. The senior management team and board of directors need to understand the
evolving risk profile of the organisation, and to do this they require relevant, reliable and timely
information. The construction of organisation-wide information systems can be expensive and does not
always result in access to relevant, reliable and timely information. The organisation’s management
information systems need to be able to collect, integrate, analyse, and ‘translate’ information into a
cohesive story on the risk profile of the organisation.

Control Environment
The organisation’s internal control environment is a critical element in its management of the various
risks it faces. Over time, organisations develop a wide range of internal controls to help reduce the level
of inherent risk they face. This system of organisational internal controls is multifaceted, and includes
organisational culture as referred to above, corporate governance, organisational policies and
procedures, internal audit, and so on. The level of inherent risks, as reduced by internal controls, is
referred to as residual risk, and the organisation will want to minimise this; although risk cannot be
eliminated fully. The organisation needs to ensure that its internal controls are both adequate and being
effectively implemented.

Measurement and Evaluation


At any given time, the organisation must manage a portfolio of risks: these may include, inter alia,
liquidity, interest rates, business continuity, cyber security, privacy, etc. While these risks may exist,
depending on their nature and scale, they are not all of equal importance. The organisation needs to
develop the ability and experience to evaluate which risks are significant and which ones are not, at any
point in time. This evaluation of relative importance will enable the organisation to decide where to
invest time, energy, and effort in managing the most critical risks it faces.

Scenario Planning and Stress Testing


The organisation needs to understand what can potentially go wrong, and needs to consider ‘known,
knowable, and unknowable risks’ (The RMA). The organisation needs to work with scenario planning
and stress testing to evaluate the potential impact of possible future scenarios. Scenario planning is
making assumptions on what the future is going to be and identifying a specific set of uncertainties, or
different ‘realities’ for the organisation. These future realities can then be analysed and the
organisation’s strategies and plans stress tested to evaluate whether there are significant risks facing
the organisation.

Response
In the last step, the organisation must consider how to respond to the risks that it faces. It may decide
that continued monitoring of the relevant trend or event is sufficient. On the other hand, at the extreme,
the organisation may decide that the risks are significant and imminent, and as a result a change in
strategic objectives or strategic plan is required.

Strategic Risk Management

While the article has discussed enterprise risk management, a particularly relevant component of this is
Strategic Risk Management. According to Bromiley et al (2015) the uncertainty associated with strategic
choices poses challenges for enterprise risk management. They go on to state that if organisational
strategic choices strongly influence firm-level risk, then risk management efforts at lower levels may
have limited value. According to Frigo and Anderson (2011) strategic risk management is, ‘a process
for identifying, assessing and managing risks and uncertainties, affected by internal and external events
or scenarios, that could inhibit an organisation’s ability to achieve its strategy and strategic objectives
with the ultimate goal of creating and protecting shareholder and stakeholder value. It is a primary
component and necessary foundation of enterprise risk management.’

Strategic risks are those internal and external events and trends that can inhibit an organisation’s ability
to achieve its strategic objectives. As a result, strategic risk management focuses on the most important
and significant risks to organisations and to stakeholder value. Strategic risk management addresses
senior management’s view on the likelihood, and potential impact on the organisation of the most
significant risks facing the organisation. Although the formalised strategic management process
remains important, many strategic decisions occur outside of this formalised process. Therefore if
enterprise risk management is to have an impact at the strategic level, it needs to ensure that risk
analysis is a core element of any strategic decision and that there is adequate consideration of the risk
management issues involved. Frigo and Anderson (2011) identify the following steps in strategic risk
management:
1. Assess senior management’s and the board of directors’ understanding of the organisation’s
strategic risks and risk management processes.
2. Assess the maturity of the organisation’s enterprise risk management efforts relative to its strategic
risks.
3. Complete a strategic risk assessment to identify, prioritise and understand the organisation’s
strategic risks.
4. Review the organisation’s process for setting and updating its strategies and strategic objectives
to ensure that the process includes an analysis of the risks embedded in the suggested strategies.
5. Review the organisational processes to measure and monitor key performance indicators to ensure
that they include indicators related to strategic risks.
6. Make the strategic risk assessment process an ongoing one with periodic updating and reporting.

Conclusion

Enterprise risk management enables management to effectively deal with uncertainty and the
associated risks and opportunities. Enterprise risk management has become an important
organisational and management issue, especially in the context of increasing levels of globalisation,
industry consolidation, and deregulation, and the increasing volatility, complexity and ambiguity of the
world. As part of enterprise risk management, strategic risk management looks to respond to the internal
and external events or trends that could limit an organisation’s ability to achieve its strategic objectives.
This article explained the nature and importance of enterprise risk management, and identified the types
of risks that organisations face. The article then outlined the three lines of defence model that most
organisations use in addressing the strategic, financial and operational risks they face. The article then
explained two enterprise risk management frameworks, among the many that are promulgated; one by
the COSO and the second by the Risk Management Association. Lastly, the article outlined the nature
and importance of strategic risk management, and the relationship between it and enterprise risk
management.

Bibliography and References

ACCA (nd) COSO's Enterprise Risk Management Framework, Available at:
https://www.accaglobal.com/ie/en/student/exam-support-resources/professional-exams-study-resources/strategic-business-leader/technical-articles/coso-enterprise-risk-management-framework.html
(Accessed 23 July 2021).

Bromiley, P., McShane, M., Nair, A. and Rustambekov, E. (2015) ‘Enterprise Risk Management:
Review, Critique, and Research Directions’, Long Range Planning, 48, pp. 265-276.

COSO (2004) ‘Enterprise Risk Management - Integrated Framework: Executive Summary’

COSO (2017) ‘Enterprise Risk Management: Integrating with Strategy and Performance’

CRH Annual Report 2019.

FERMA (2020) ‘The European Risk Manager Report 2020’.

Frigo, M. and Anderson, R. (2011) ‘What Is Strategic Risk Management?’, Strategic Finance, April 2011.

Lundqvist, S. (2014) ‘An Exploratory Study of Enterprise Risk Management: Pillars of ERM’, Journal of
Accounting, Auditing & Finance, 29(3), pp. 393-429.

Nocco, B. and Stulz, R. (2006) ‘Enterprise Risk Management: Theory and Practice’, Journal of Applied
Corporate Finance, 18(4), pp.8-20.

Paape, L. and Speklé, R. F. (2012) ‘The Adoption and Design of Enterprise Risk Management Practices:
An Empirical Study’, European Accounting Review, 21(3), pp. 533-564. DOI:
10.1080/09638180.2012.661937

The Institute of Internal Auditors (2013) ‘The Three Lines of Defense in Effective Risk Management and
Control’

The International Organisation for Standardisation (nd) ‘ISO 31000:2018(en) Risk Management –
Guidelines’, Available at: https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en (Accessed 23 July 2021).

The Risk Management Association (nd) Enterprise Risk Management Framework, Available at:
https://www.rmahq.org/erm-framework/?gmssopc=1 (Accessed 23 July 2021).

26 CRH ANNUAL REPORT AND FORM 20-F I 2019

Risk Governance
Appendix One: CRH Risk Governance

Effective risk governance supports the realisation of our strategic objectives and the continued
success of our business. Our ERM framework is a core component of our performance orientated
culture, with leadership guided by a clear line of sight on risks and opportunities across the strategic
planning horizon. Embedding ERM into our business processes creates an environment where
leaders take a disciplined and focused view on risks to inform and hone our strategy.

Adding Value to Decision-Making

ERM in CRH is a forward-looking, strategy-centric approach to managing the risks inherent in decision-making. It is a tool readily employed by the Board and the wider business leadership, firstly, when considering and setting strategic objectives, and secondly, during strategic execution to ensure we are dynamic and responsive to threats and opportunities for the Group.

Risk informed strategic planning is fundamentally important to successfully address the myriad of challenges we face in our relentless focus on value creation. We are becoming a narrower, deeper, more focused Group and strategic decisions, such as the divestment of our Europe Distribution business, are comprehensively analysed with a risk lens during consideration and execution.

As the leading building materials business in the world we hold ourselves to stringent standards, governed by our robust ERM framework. Our framework allows us to add new depth to our understanding of our customers and markets, so we can buy better, run our assets better and sell better than anyone else. It also gives us insight to strengthen our existing platforms and confidence to step into new markets.

At CRH we believe we realise reward when we manage risk effectively.

[Figure: Risk Management Framework, with the labels Risk Intelligence, Risk Process, Risk Appetite, Risk Governance, Risk Strategy, Risk Identification, Viability, Impact, Reporting and Monitoring]

ERM Framework

Our framework, embedded across the Group, ensures a standardised, global system of identification, management and reporting of risks and sets out a structured and consistent approach to threats and opportunities throughout all our operations.

We employ the Three Lines of Defence governance model to support the Board in its responsibilities for risk management. Clarity of ownership and responsibility is pervasive throughout the Group, supported by a robust governance structure.

Our risk framework is reinforced by integrated processes which harness the collective risk intelligence of the Group. The maturity of our risk structures has integrated our bottom, middle and top line perspectives, ensuring transparency of threats, opportunities and controls in the context of individually and collectively held strategic objectives.

Integrated Risk Process

Given the dynamic nature of risk and the evolutionary nature of ERM, the framework operates as a business process at all levels of the Group. Integration with strategy and performance agendas, in addition to ongoing management processes, ensures a robust and effective risk environment assisting in maximising the performance of our businesses.

Uncertainties that present themselves as downside risks are assessed in line with the Group's risk appetite and those which present themselves as opportunities are sufficiently explored and captured, where possible.

To reflect the Group’s diverse risk landscape and thoroughly understand potential risks that may materialise over the coming years, the Group Risk function facilitates risk workshops and Risk Committee meetings, supplemented, for example, by seminars and regional risk champion forums.

2019 Highlights

Risk Committee

Robust schedule with executive representation, fostering wide-ranging discussion and informing strategy.
The Risk Committee provides oversight, leadership and challenge to the processes in place across the Group to identify, assess and manage risks inherent in strategic decision-making and execution.

Risk Strategy

Redefined five year risk strategy setting a roadmap for improvement in risk management frameworks, principles and practices.
Five key themes have been identified to achieve our targeted maturity, bringing risk closer to our businesses, improving risk governance and delivering value creation.

Risk Oversight

c. 3,000 risks being managed through our global ERM framework, enabling full visibility, capability and execution of strategy.
Our bottom-up reporting process garners comprehensive risk insights to ensure appropriate execution of risk management and that opportunities to leverage scale are identified and acted upon.

Risk Champion Network

c. 90 Risk Champions appointed at all levels of the Group to support and coordinate risk management activities.
Our networks enhance the maturity of the ERM framework locally and globally by sharing risk profiles, mitigation strategies and best practice from around the Group. Physical forums and virtual tools ensure robust supports for this cooperative community.

Risk Governance Framework

Board: Ultimately responsible for risk management across CRH. Sets the risk appetite and ensures risks are managed within appetite. Delegates responsibility to Audit Committee.

Audit Committee: Responsible for monitoring and providing challenge on the principal risks and uncertainties facing the Group. Receives regular updates on risk management strategies, mitigation and action plans.

Risk Committee: Executive committee responsible for setting risk strategy and overseeing our Three Lines of Defence and how we identify, assess and manage the principal and emerging global risks the Group encounters in the pursuit of our strategic objectives.

Regional Leadership: Responsible for identifying and managing divisional risks, ensuring risk management frameworks are operating effectively and capturing upside of risk, where possible.

Risk Champions: Embedded across businesses, functions and divisions. Responsible for integration of risk management frameworks, regular reporting of risks and sharing best practice mitigation.

First Line of Defence: Operating company/business leaders are responsible for risk identification, management and ensuring that the control environment is robust.

Second Line of Defence: CRH has various oversight functions which are responsible for providing subject matter expertise, defining standards and ensuring adherence.

Third Line of Defence: Group Internal Audit provides independent assurance over the control environment on a continuous basis.

Climate-related Disclosures

With our global presence and industry leadership positions, we are very aware of our role in maintaining sustainability principles while we fulfil the needs of each communities’ stakeholders. We welcome the development of recommendations for improving climate-related disclosures and an increasing focus from both regulators and shareholders on our non-financial performance. As a Group we will continue to be diligent in ensuring transparency and responsiveness to climate-related risks and opportunities.

CRH is participating in a World Business Council for Sustainable Development (WBCSD) and Task Force on Climate-related Financial Disclosures (TCFD) convened “Preparer Forum” for the construction sector to review current levels of disclosure and develop guidelines for the sector with respect to TCFD reporting.

We take a risk-based, collaborative and strategic approach to responding to climate change. The identification, assessment and effective management of climate-related risks and opportunities are fully embedded in our dynamic risk management process and our Climate Change and Policy Principal Risk is described in detail on pages 110 and 236.

We are committed to reporting on the breadth of our sustainability performance and to publishing performance indicators, ambitions and outcomes in key sustainability areas. We publish an annual independently-assured Sustainability Report, which is prepared in line with the Global Reporting Initiative Standards and available on www.crh.com.


Principal Risks

The risks and uncertainties presented below, supplemented by a broader discussion on pages 108 to 113 and 233 to 241, are reviewed regularly and represent the principal risks and uncertainties faced by the Group at the time of compilation of the 2019 Annual Report and Form 20-F.

The Risk Committee helps ensure the risks highlighted in this report are reflective of the potential barriers to the realisation of our business strategy and that senior executives actively engage with risk, and provide strategic direction. These risks form the basis of Board and Audit Committee communications and discussions.

Link between Principal Risks and Strategic Objectives

Strategic objectives: Continuous Improvement; Focused Growth; Benefits of Scale and Integration; Developing Leaders

PRINCIPAL STRATEGIC RISKS AND UNCERTAINTIES

Industry Cyclicality and Adverse Economic Conditions
Portfolio Management
Commodity Products and Substitution
Geopolitical and/or Social Instability
Strategic Mineral Reserves
Brexit
People Management
Joint Ventures and Associates

PRINCIPAL OPERATIONAL RISKS AND UNCERTAINTIES

Climate Change and Policy
Health and Safety Performance
Sustainability and Corporate Social Responsibility
Information Technology and/or Cyber Security

PRINCIPAL COMPLIANCE RISKS AND UNCERTAINTIES

Laws and Regulations

PRINCIPAL FINANCIAL AND REPORTING RISKS AND UNCERTAINTIES

Financial Instruments
Defined Benefit Pension Schemes and Related Obligations
Taxation Charge and Balance Sheet Provisioning
Foreign Currency Translation
Goodwill Impairment

Changes: Climate Change and Policy has been created as a separate risk, having previously been disclosed as part of our sustainability risk. Following detailed analysis and internal assessment carried out by the Risk Committee, and an increased focus on business continuity management, Operational Continuity has been removed as a principal risk, with the risk being downgraded to a divisional risk.

Risk Appetite Framework

The Risk Appetite Framework is a critical component of CRH’s risk governance system through defining the key risk parameters within which strategic decision-making takes place, assisting with our objectives of disciplined and focused growth.

The Board approves the Risk Appetite Framework on an annual basis in line with good corporate governance practice.

Emerging Risks

The Group considers emerging risks as part of our comprehensive ERM framework. We define an emerging risk to be a potentially significant threat where the impact can’t yet be fully understood, restricting our ability to confidently define a strategy and build capabilities to significantly influence the materiality of the risk.

A dynamic threat watchlist is maintained to enable early recognition of threats which could impact the long-term performance of many areas of our business. The Risk Committee regularly reviews the watchlist and deems certain threats to be accepted emerging risks, which are integrated into our risk register and are subject to oversight by the Audit Committee.

Longer Term Viability Statement


Our Viability Statement, which does not form part of the Annual Report and Form 20-F, as filed with the SEC, has been prepared in accordance with the UK Corporate Governance Code 2018.

The Board has carried out a robust assessment of our current position and the principal risks facing the Group, including those which would threaten its business model, future performance, solvency or liquidity. The nature of the strategies, practices and controls to mitigate those risks are addressed in the Principal Risks and Uncertainties section on pages 108 to 113.

The Board’s consideration of the long-term viability of the Group is an extension of the strategic planning process. This process includes regular budget reviews as part of the internal reporting cycle, financial forecasting and performance reviews, a comprehensive enterprise risk management assessment and scenario planning involving our principal risks and uncertainties. Our business strategy is to deliver sustainable value for our stakeholders by maintaining financial and operational discipline for the long term.

Scenario Modelled and Relevant Principal Risks

Scenario 1: Economic Environment. Global downturn prompting revenue reduction and margin compression.
Relevant Principal Risks:
- Industry Cyclicality and Adverse Economic Conditions
- Portfolio Management
- Brexit

Scenario 2: One-Off Expense. Impact of a potential large event, fine and/or penalty.
Relevant Principal Risks:
- Laws and Regulations
- Geopolitical and/or Social Instability
- Information Technology and/or Cyber Security

Scenario 3: Combination (1 and 2). Combination of prior scenarios overlapping or occurring simultaneously.
Relevant Principal Risks:
- Industry Cyclicality and Adverse Economic Conditions
- Portfolio Management
- Brexit
- Laws and Regulations
- Geopolitical and/or Social Instability
- Information Technology and/or Cyber Security

Period of Viability Statement

In accordance with Provision 31 of the UK Corporate Governance Code 2018, the Board has reviewed the length of time to be covered by the Viability Statement, particularly given its primary purpose of providing investors with a view of financial viability that goes beyond the period of the Going Concern Statement.

Using the Group Strategic Plan (the ‘Plan’), which is prepared annually on a bottom up basis and is approved by the Board, the prospects of the Group have been assessed over a three-year period from 1 January 2020 to 31 December 2022 inclusive.

The Board believes that a three-year viability statement is appropriate for the following reasons:
• It aligns with our normal strategic planning time horizon and associated principal risks and uncertainties;
• Construction activity, and therefore demand for the Group’s products, is inherently cyclical as it is influenced by global and national economic circumstances, creating uncertainty for long-term forecasting;
• It aligns with our long-term management incentives, such as the deferred element of the Annual Performance-related Incentive Plan which links the value of executive Directors’ reward with the long-term performance of the CRH share price; and
• Uncertainty increases inherently with expanding time horizons potentially impacting the large number of external variables that need to be factored in to establish a reasonable and robust forecast of the Group’s business.

Overall, a three-year period is deemed to achieve a suitable balance between long and short-term influences on performance.

Approach to Assessing Viability

The prospects of the Group are assessed against the Plan and projections consider the Group’s cash flows, committed funding and liquidity positions, forecast future funding requirements and other key financial ratios, including those relevant to maintaining the Group’s investment grade credit ratings.

In conducting the viability assessment, the Board has considered our strong balance sheet and cash flow generation, our dynamic capital allocation model underpinned by comprehensive portfolio reviews and capital appraisals, and our philosophy of continuous improvement.

Appropriate stress testing of certain key performance, solvency and liquidity assumptions, such as EBITDA (as defined)* margins, Net Debt/EBITDA (as defined)*, and EBITDA (as defined)* Net Interest Cover, underlying the Plan has been conducted taking account of the principal risks and uncertainties faced and possible severe but plausible combinations of those risks and uncertainties. Formal and systematic analysis of risk scenarios is a core focus of the Risk Committee and is supplemented by the sensitivity analysis focused on the three core scenarios modelled above.

The sensitivity analysis presumed the availability and effectiveness of various mitigating actions, such as the reduction of capital expenditure and cost rationalisation, which could realistically be implemented to avoid or reduce the impact or occurrence of those risks and uncertainties. In evaluating the likely effectiveness of such actions, the conclusions of the Board’s regular monitoring and review of risk management and internal control systems were taken into account.

Conclusion

While the Board acknowledges that the potential severity, complexity and velocity of the risks assessed may change, based on their assessment of viability as described, the Board has a reasonable expectation that the Group will be able to continue in operation and meet its liabilities as they fall due over the aforementioned three-year period to 31 December 2022.

* EBITDA is defined as earnings before interest, taxes, depreciation, amortisation, asset impairment charges, profit on disposals and the Group’s share of equity accounted investments’ profit after tax.

Principal Risks and Uncertainties


Appendix Two: CRH Principal Risks and Uncertainties

Under Section 327(1)(b) of the Companies Act 2014 and Regulation 5(4)(c)(ii) of the Transparency
(Directive 2004/109/EC) Regulations 2007, the Group is required to give a description of the principal
risks and uncertainties which it faces. These risks and uncertainties reflect the international scope of
the Group’s operations and the Group’s decentralised structure. The risks and uncertainties presented
below, which are supplemented by a broader discussion of Risk Factors set out on pages 233 to 241,
are reviewed on an annual basis and represent the principal risks and uncertainties faced by the Group
at the time of compilation of the 2019 Annual Report and Form 20-F. During the course of 2020, new
risks and uncertainties may materialise attributable to changes in markets, regulatory environments
and other factors and existing risks and uncertainties may become less relevant.

Link to strategic objective: Continuous Improvement; Focused Growth; Benefits of Scale and Integration; Developing Leaders

Principal Strategic Risks and Uncertainties


Industry Cyclicality and Adverse Economic Conditions

Description: Construction activity, and therefore demand for the Group’s products, is inherently cyclical as it is influenced by global and national economic circumstances, governments’ ability to fund infrastructure projects, consumer sentiment and weather conditions. The Group may also be negatively impacted by unfavourable swings in fuel and other commodity/raw material prices.

Impact: Failure to predict and plan for cyclical events or adverse economic conditions could negatively impact financial performance.

How we Manage the Risk:
• Market diversification strategies, in addition to the Group’s multiple end-use sectors
• Constant focus on cash control, strong cash generation and disciplined financial management
• Dynamic capital allocation and reallocation aimed at ensuring profitable growth

Risk trend:

Portfolio Management

Description: The Group may engage in acquisition and divestment activity during the year as part of the Group’s active portfolio management which presents risks around due diligence, execution and integration of assets. Additionally, the Group may be liable for liabilities of companies it has acquired or divested.

Impact: Failure to identify and execute deals in an efficient manner may limit the Group’s growth potential and impact financial performance.

How we Manage the Risk:
• Expertise in identifying and evaluating targets, conducting due diligence and executing integration
• Many core markets are fragmented and continue to offer growth opportunities
• The Group’s detailed due diligence programmes are supported by external specialists when necessary

Risk trend:


Commodity Products and Substitution

Description: Many of the Group’s products are commodities, which face strong volume and price competition, and may be replaced by substitute products which the Group does not produce. Further, the Group must maintain strong customer relationships to ensure changing consumer preferences are addressed.

Impact: Failure to differentiate and innovate could lead to market share decline, thus adversely impacting financial performance.

How we Manage the Risk:
• Strong focus on customer service ensures differentiation from competitors
• Business-led innovation and Research and Development services aimed at ensuring the Group aligns its products and services to the demands of customers
• Robust cost management practices and innovation in production processes ensure competitively-priced products

Risk trend:

Geopolitical and/or Social Instability

Description: Adverse and fast changing economic, social, political and public health situations in any country in which the Group operates could lead to business interruption, restrictions on repatriation of earnings or a loss of plant access.

Impact: Changes in these conditions may adversely affect the Group’s business, results of operations, financial condition or prospects.

How we Manage the Risk:
• Mitigation strategies to protect CRH’s people and assets are in place in high risk areas
• Senior management and Board monitoring of commentaries and economic indicators
• Two-phase budgeting process with prevailing economic and market forecasts factored in

Risk trend:

Strategic Mineral Reserves

Description: Appropriate reserves are an increasingly scarce commodity and licences and/or permits required to enable operation are becoming harder to secure. There are numerous uncertainties inherent in reserves estimation and in projecting future rates of production.

Impact: Failure by the Group to plan for reserve depletion, or to secure permits, may result in operation stoppages, adversely impacting financial performance.

How we Manage the Risk:
• Effective permit management systems in place in all operating entities ensure compliance with permit conditions and timely renewal
• Planning for reserves enlargement and security of permits is a key point of focus for materials businesses
• Efficient and economic extraction and utilisation of mineral reserves are constantly monitored

Risk trend:

Brexit

Description: Uncertainties resulting from the UK’s withdrawal from the European Union could pose challenges with currency devaluations, a fall in construction activity in the UK, challenges in labour resources accessing the UK, movement of goods and services and repatriating earnings.

Impact: Failure by the Group to manage the uncertainties posed by Brexit could result in adverse financial performance and a fall in the Group’s net worth.

How we Manage the Risk:
• Executive management receive regular reports on Brexit and closely monitor the changing economic situation in the UK
• Contingency plans have been put in place within UK operations to address the range of potential economic, financial and operational effects of Brexit
• Stress tests and scenario analysis have been conducted to understand potential outcomes and inform contingency plans

Risk trend:


People Management

Description: Existing processes around people management (such as attracting, retaining and developing people, leadership succession planning, as well as dealing with collective representation groups) may not deliver, inhibiting the Group achieving its strategy.

Impact: Failure to effectively manage talent and plan for leadership succession could impede the realisation of strategic objectives.

How we Manage the Risk:
• Talent management processes are in place within operating companies with oversight and support from Group Human Resources and Talent Development
• Succession planning and talent management initiatives implemented across the Group
• Positive employee and trade/labour union relations are maintained

Risk trend:

Joint Ventures and Associates

Description: The Group does not have a controlling interest in certain of the businesses (i.e. joint ventures and associates) in which it has invested and may invest, which gives rise to increased governance complexity and a need for proactive relationship management.

Impact: The lack of a controlling interest could impair the Group’s ability to manage joint ventures and associates effectively and/or realise its strategic goals for these businesses.

How we Manage the Risk:
• Board-approved governance protocols are in place which require acquisition/investment contracts to contain appropriate provisions as regards future Board participation and ongoing management and interaction, amongst other items
• In joint venture arrangements, CRH has traditionally appointed CRH personnel, by way of the legal agreement entered into, to facilitate integration, assist in best practice transfer and drive performance and growth

Risk trend:

Principal Operational Risks and Uncertainties


Climate Change and Policy

Description: The cement industry has recognised the impact of climate change and its responsibilities in transitioning to a lower carbon economy. The Group is exposed to financial, reputational and market risks arising from changes to CO2 policies and regulations.

Impact: Should the Group not reduce its greenhouse gases (GHGs) emissions by its identified targets, the Group may be subject to increased costs, adverse financial performance and reputational damage.

How we Manage the Risk:
• The Group has delivered on a CO2 reduction programme from 2007 to 2020. A revised CO2 reduction programme has been developed to 2030, details of which can be found on page 21 of this Annual Report and Form 20-F. This initiative encompasses all cement plants in our portfolio at present
• Operational improvements at plants are focused on reducing the CO2 footprint of our businesses
• For more information please refer to page 21 in this Annual Report and Form 20-F or to our independently-assured Sustainability Report, which is prepared in line with the Global Reporting Initiative Standards and is available on www.crh.com

Risk trend:


Health and Safety Performance

Description: The Group’s businesses operate in an industry where health and safety risks are inherently prominent. Further, the Group is subject to stringent regulations from a health and safety perspective in the various jurisdictions in which it operates.

Impact: A serious health and safety incident could have a significant impact on the Group’s operational and financial performance, as well as the Group’s reputation.

How we Manage the Risk:
• A robust health and safety framework is implemented throughout the Group’s operations requiring all employees to complete formal health and safety training on a regular basis
• The Group monitors the performance of its health and safety framework, and takes immediate and decisive action where non-adherence is identified
• The development of a strong safety culture is driven by management and employees at every level and is a core part of doing business with integrity

Risk trend:

Sustainability and Corporate Social Responsibility

Description: The nature of our activities poses inherent environmental, social and governance (ESG) risks, which are also subject to an evolving regulatory framework and changing societal expectations.

Impact: Failure to embed sustainability principles within the Group's businesses and strategy may result in non-compliance with relevant regulations, standards and best practices and lead to adverse stakeholder sentiment and reduced financial performance.

How we Manage the Risk:
• CRH’s strategy and business model are built around sustainable, responsible and ethical performance. CRH takes a lead in re-thinking the nature of future developments and communities, offering multiple products and building solutions that enhance the environmental performance of the built environment
• Sustainability performance continues to be subject to rigorous external evaluation. The Group’s achievements have been recognised through its inclusion in a variety of leading global sustainability indices

Risk trend:

Information Technology and/or Cyber Security

Description: The Group is dependent on information and operational technology systems to support its business activities. Any significant operational event, whether caused by external attack, insider threat or error, could lead to loss of access to systems or data, adversely impacting business operations.

Impact: Security breaches, IT interruptions or data loss could result in significant business disruption, loss of production, reputational damage and/or regulatory penalties. Significant financial costs in remediation are also likely in a major cyber security incident.

How we Manage the Risk:
• Ongoing strategic and tactical efforts to address the evolving nature of cyber threats and the challenges posed, including enhancement of existing information and cyber security practices towards best practices for organisational assets, which include people, processes and technology
• Ongoing investment and development of risk management and governance associated with cyber security and information technology

Risk trend:

Principal Compliance Risks and Uncertainties


Laws and Regulations

Description: The Group is subject to a wide variety of local and international laws and regulations across the many jurisdictions in which it operates, which vary in complexity, application and frequency of change.

Impact: Potential breaches of local and international laws and regulations could result in the imposition of significant fines or sanctions and may inflict reputational damage.

How we Manage the Risk:
• CRH’s Code of Business Conduct, which is in effect mandatorily across the Group, stipulates best practices in relation to legal, compliance and ethical matters amongst other issues. The Code of Business Conduct is available on www.crh.com
• Proactive on-the-ground engagement throughout the Group, through an extensive training programme, a dedicated whistleblowing hotline (the results of which are reported to the Audit Committee) and detailed policies and procedures to support the Code of Business Conduct

Risk trend:

Principal Financial and Reporting Risks and Uncertainties


Financial Instruments

Description: The Group uses financial instruments throughout its businesses giving rise to interest rate and leverage, foreign currency, counterparty, credit rating and liquidity risks.

Impact: A downgrade of the Group’s credit ratings or inability to maintain certain financial ratios may give rise to increases in future funding costs and may impair the Group’s ability to raise funds on acceptable terms. In addition, insolvency of the financial institutions with which the Group conducts business may adversely impact the Group’s financial position.

How we Manage the Risk:
• The Group seeks to ensure that sufficient resources are available to meet the Group’s liabilities as they fall due through a combination of cash and cash equivalents, cash flows and undrawn committed bank facilities. Systems are in place to monitor and control the Group’s liquidity risks, which are reported to the Board on a monthly basis. Cash flow forecasting is provided to executive management on a weekly basis
• All of the Group’s financial counterparties are leading financial institutions of international scope with a strong investment grade credit rating with S&P and/or Moody's
• Please see note 24 to the Consolidated Financial Statements for further detail

Risk trend:

Defined Benefit Pension Schemes and Related Obligations

Description: The assets and liabilities of defined benefit pension schemes, in place in certain operating jurisdictions, exhibit significant period-on-period volatility attributable primarily to asset values, changes in bond yields/discount rates and anticipated longevity.

Impact: Significant cash contributions may be required to remediate deficits applicable to past service. Fluctuations in the accounting surplus/deficit may adversely impact the Group’s credit metrics thus harming its ability to raise funds.

How we Manage the Risk:
• De-risking frameworks (for example, Liability-Driven Investment techniques) have been instituted to mitigate deficit volatility and enable better matching of investment returns with the cash outflows related to benefit obligations
• Where closure to future accrual was not feasible for legal and other reasons, the relevant final salary schemes were transitioned to a career-average methodology for future service with severance of the final salary link and the introduction of defined contribution for new entrants

Risk trend:

Taxation Charge and Balance Sheet Provisioning

Description: The Group is exposed to uncertainties stemming from governmental actions in respect of taxes paid and payable in all jurisdictions of operation. In addition, various assumptions are made in the computation of the overall tax charge and in balance sheet provisions which may not be borne out in practice.

Impact: Changes in tax regimes or assessment of additional tax liabilities in future audits could result in incremental tax liabilities which could have a material adverse effect on cash flows, financial condition and results of operations.

How we Manage the Risk:
• The Group Tax and Transfer Pricing Guidelines and SOX controls provide a tax governance framework operable throughout the Group
• Group Tax is managed by in-house specialists with significant experience. The in-house expertise is supplemented by the assistance of external advisors where required

Risk trend:

Foreign Currency Translation

Description: The principal foreign exchange risks to which the Consolidated Financial Statements are exposed pertain to (i) adverse movements in reported results when translated into the reporting currency; and (ii) declines in the reporting currency value of net investments which are denominated in a wide basket of currencies other than the reporting currency.

Impact: Adverse changes in the exchange rates will continue to negatively affect retained earnings. The annual impact is reported in the Consolidated Statement of Comprehensive Income.

How we Manage the Risk:
• The Group has decided to change to US Dollar reporting currency effective 1 January 2020, in consideration of the current portfolio and business mix which has now significantly higher US Dollar exposure
• The Group’s activities are conducted primarily in the local currency of operation resulting in low levels of foreign currency transactional risk
• The Group’s established policy is to spread its net worth across the currencies of the various operations with the objective of limiting its exposure to individual currencies and thus promoting consistency with the geographical balance of its operation

Risk trend:

Goodwill Impairment

Description: Significant under-performance in any of the Group’s major cash-generating units or the divestment of businesses in the future may give rise to a material write-down of goodwill.

Impact: A write-down of goodwill could have a substantial impact on the Group’s income and equity.

How we Manage the Risk:
• Economic indicators of goodwill impairment are monitored closely through the monthly reporting process. Detailed impairment testing is undertaken prior to year end
• The goodwill impairment assessment is subject to regular review by the Audit Committee
• For further information on how the Group manages the risk posed by goodwill impairment, please refer to note 16 to the Consolidated Financial Statements on pages 166 to 168

Risk trend:
