Principal Risks


Our risk management framework is designed to effectively identify, assess and mitigate risks whilst enabling us to deliver the Group’s strategic and operational objectives.


The Board and senior management take very seriously their responsibility for operating a robust risk management and internal controls process, and for reviewing their effectiveness at least annually.

The Board has overall responsibility for ensuring there is an effective risk management process in place which is designed to identify the principal risks that the business faces and to provide reasonable assurance that they are fully understood and managed. The Audit and Risk Committee provides oversight and challenge on the effectiveness of risk management and mitigating controls.


The UK Corporate Governance Code requires companies to determine their risk appetite. This is an expression of the amount and types of risk that the Group is willing to take in order to achieve its strategic and operational objectives. A risk that can seriously affect the performance, prospects or reputation of a company is deemed to be a principal risk. The Group’s risk management process aims to strike a balance between identifying, monitoring and mitigating risks whilst maximising potential opportunities and returns to ensure we deliver against our strategy.

Our commitment to delivering a compelling member experience and operational excellence will not be delivered at the expense of price competitiveness. We are willing to accept the risk of partnering with third parties to deliver our core business activities. However, contracts and relationships with critical suppliers must be well monitored, value-for-money and regularly reviewed. In addition, third parties must comply with appropriate regulatory and ethical standards.

We seek to provide a great place to work, and balance costs and risks to ensure our colleagues are engaged and have the capability to deliver our strategy. We have no tolerance for harm (physical or mental) to individuals and actively promote diversity and inclusion. We also have no appetite for the loss of, or otherwise unauthorised or accidental disclosure of, member or other sensitive data and no appetite to knowingly breach the spirit or letter of the laws that apply to us.

In areas of uncertainty, we will have a robust justification and clear rationale for the choices we make. Where possible, high priority projects must be delivered on time, to budget, to expected quality and in a way that safeguards the wellbeing of our colleagues working on the project. However, cost overruns and delays will sometimes be tolerated to achieve the desired outcome.


The Group’s risk management process is designed to measure, evaluate, document and monitor risks within all areas of the business.

Each area of the business maintains a functional risk register in which functional leads identify and document the risks that their business area faces. Areas covered include: People; Operations; Marketing; Property Acquisition; Property Maintenance and Facilities; Finance; Technology; Data; and Sustainability.

A review of the functional risk registers is performed twice yearly by the Executive Committee. In addition, the Executive Committee also considers and identifies strategic risks at least annually – i.e. those risks that they believe would have the most significant impact on the Group’s ability to achieve its strategic goals.

The output of the above reviews is discussed with the Audit and Risk Committee (on behalf of the Board). The Group’s principal risk register is made up of those strategic risks (top down) and functional risks (bottom up) that are believed would have the greatest impact on our operations.

Each risk is evaluated against three criteria with equal weighting to arrive at an overall score:

  • Likelihood – the likelihood of occurrence.
  • Financial impact – the financial implications.
  • Control environment – the strength of controls mitigating the risk.

In assessing the risks, consideration is given to ‘what can go wrong’, i.e. what could make the risk become realised. For each risk identified, current and future mitigations are developed and documented.


The roles and responsibilities for designing, monitoring and operating the system of risk management are set out below.

The Board

  • Has overall responsibility for strategy, governance, performance, internal control and risk management.
  • Sets the “tone” and culture for managing risk and embedding risk management controls, providing strategic direction on the appropriate balance between risk and reward.
  • Ensures the most significant risks facing the Group are properly managed.
  • Evaluates the risk implications of planned investments.

Audit and Risk Committee

  • Monitors and reviews the overall effectiveness of the Group’s system of internal control and risk management.
  • Makes recommendations to the Board for improvements or developments.
  • Defines and reviews the Group’s risk appetite.
  • Monitors compliance with internal control systems and oversees the external audit.

Executive Committee

  • Promotes and supports the embedding of risk management throughout the business.
  • Ensures there is active management of identified and emerging risks.
  • Formally reviews the functional risk registers at least twice yearly and the strategic risks at least annually.
  • Reports to the Audit and Risk Committee on the internal control environment and principal and emerging risks identified.

Functional leads

  • Manage day-to-day risk in their own areas guided by Group policies, procedures and control frameworks.
  • Identify and report on functional risks to the Executive Committee and ensure mitigations are in place.
  • Deliver the actions associated with managing risk.