NCC Group
Annual Report 2021

Plain-text annual report

Securing the future
Peace of mind today and forever

Annual report and accounts for the year ended 31 May 2021

We exist to make the world safer and more secure

NCC Group is a global cyber and software resilience business operating across multiple sectors, geographies and technologies. As society’s dependence on the connected environment and the associated technologies increases, we use our global insights to help organisations assess, manage and develop their cyber resilience posture, enabling them to confidently take advantage of the opportunities that sustain their business growth.

STRATEGIC REPORT
1 Highlights
2 At a glance
4 Our investment case
6 Chair’s statement
8 Our strategic roadmap
9 Chief Executive Officer’s review
14 Our continued Covid-19 response
16 Markets
18 Research at NCC Group
20 Business model
29 Strategy and KPIs
32 Chief Financial Officer’s review
40 Principal risks and uncertainties
49 Stakeholder engagement
53 Sustainability

GOVERNANCE
70 Chair’s introduction to governance
73 Governance framework
74 Board of Directors
76 Executive Committee
78 Board composition and division of responsibilities
87 Shareholder engagement
88 Audit Committee report
95 Nomination Committee report
98 Cyber Security Committee report
100 Remuneration Committee report
119 Directors’ report
123 Directors’ responsibilities statement

FINANCIAL STATEMENTS
125 Independent auditor’s report
133 Consolidated income statement
133 Consolidated statement of comprehensive (loss)/income
134 Consolidated balance sheet
135 Consolidated cash flow statement
136 Consolidated statement of changes in equity
137 Company balance sheet
138 Company cash flow statement
139 Company statement of changes in equity
140 Notes to the Financial Statements

ADDITIONAL INFORMATION
187 Glossary of terms – Alternative Performance Measures (APMs)
189 Glossary of terms – other terms
191 Other information
192 Financial calendar

Read more online: www.nccgroup.com

Highlights 1

GAAP measures
Revenue: £270.5m
Operating profit 2,3: £17.3m
Basic EPS 2,3: 3.6p

Alternative Performance Measures 2
Net cash/(debt) 2: £83.3m
Adjusted operating profit 2, 3: £39.2m
Adjusted EPS 2, 3: 9.5p

[Charts: each measure by financial year, 2017 to 2021; the 2020 figure is marked "(restated) 3" for the operating profit and EPS measures]

Footnotes
1 References for the Group’s results are for continuing operations.
2 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 187 and 188.
3 See Note 34 for an explanation of the prior year restatement recognised in relation to the adoption of the IFRIC agenda decision on cloud configuration and customisation costs in April 2021. The 2017 to 2019 figures above have not been restated.
The following additional information and reconciliation is noted in relation to Adjusted operating profit due to the adoption of the IFRIC agenda decision:

Adjusted operating profit (as noted above): 2021 £39.2m, 2020 £30.7m, change 27.7%
Proforma amortisation charge in respect of certain cloud-based software arrangements (see explanation below): 2021 (£3.0m), 2020 (£1.4m), change (114.3%)
Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements: 2021 £36.2m, 2020 £29.3m, change 23.5%

The proforma amortisation adjustment noted above represents an estimate of the amortisation that would have been recognised had the Group not changed its accounting policy in the current year following additional clarification on the accounting in relation to the configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS) arrangements in the IFRIC agenda decision issued in April 2021. The proforma amortisation charge is estimated based on cloud configuration and customisation costs charged to the income statement in the year of £5.1m (2020: £7.9m). The Directors consider that Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements is comparable to Adjusted operating profit previously reported.

Strong trading performance despite the pandemic
Another year of excellent cash management
Successful acquisition of IPM with strategic and financial importance
Exciting development and growth of key service lines for the future
Our cyber and resilience markets continue to offer excellent long-term growth prospects
Investing for the future

NCC Group plc — Annual report and accounts for the year ended 31 May 2021 1

Strategic report

At a glance

What we do
NCC Group is a global cyber and software resilience business operating across multiple sectors, geographies and technologies.
As society’s dependence on the connected environment and the associated technologies increases, we use our global insights to help organisations assess, manage and develop their cyber resilience posture, enabling them to confidently take advantage of the opportunities that sustain their business growth. This includes:
• Getting the basics of cyber hygiene correct
• Knowing what and how to prioritise
• Coping with the scarcity of skilled resources needed to deliver quality improvement, change and operations
• Responding to the increasing compliance, regulatory and legislative burden
• Quantifying cyber spend efficiency and return on investment

Our divisions
Across our two divisions, we deliver solutions that result in outcomes that match our customers’ goals, budgets and risk appetite, giving them peace of mind that their most important assets – their business, software and personal data – are safe and secure.

Assurance
We demystify cyber for our customers, and ensure:
• Our customers understand the cyber threats and vulnerabilities across their technology environments, supply chains, processes and products
• Our customers maintain their licence to do business, having achieved their governance, compliance and accreditation objectives in a changing regulatory environment
• Our customers’ resilience against ever increasing cyber threats is materially improved because of implementing remediation plans and solutions
• Our customers can reduce risk and achieve greater resilience for less investment
• Our customers can outsource their cyber defence operations and increase their confidence in detecting and responding to cyber events

Software Resilience
We protect the development, supply and use of business-critical technology and software applications:
• Our services ensure buyers are safeguarded from supplier failure, software vulnerabilities and unforeseen technology disruption
• Our on-premise and cloud offering can demonstrate robust business continuity and risk mitigation, and suppliers benefit from enhanced credibility and intellectual property rights protection
• Our escrow contract services secure the long-term availability of business-critical software data and applications
• Our verification services assure customers that the knowledge and guidance are readily available to manage, maintain or recreate an application from the original source, should it ever be needed
• Our cloud Escrow-as-a-Service (EaaS) offering helps customers transition to the cloud securely, so they can adopt the latest technology with confidence

Read more on our markets on pages 16 and 17

Where we operate
We operate as one global business, with in-country delivery tailored to local needs and cultures. We have a significant market presence in the UK, Europe and North America, and a rapidly growing footprint in Asia Pacific with offices in Australia, Japan and Singapore.
Group revenues
UK and Asia Pacific: £127.9m (2020: £124.7m)
North America: £90.0m (2020: £90.2m)
Europe: £52.6m (2020: £48.8m)

Assurance revenue: £233.9m (2020: £226.2m)
Global Professional Services: £172.2m (2020: £166.2m)
Global Managed Services: £56.2m (2020: £49.6m)
Products: £5.6m (2020: £10.4m)

Software Resilience revenue: £36.6m (2020: £37.5m)
Software Resilience contracts: £24.0m (2020: £25.8m)
Verification services: £12.6m (2020: £11.7m)

Read more on our markets on pages 16 and 17

Our strong historical performance and enduring ability to succeed in a rapidly changing market are a result of four characteristics that will continue to fuel our growth now and in the future:
• Capex light
• Commitment to sustainability
• Research driven
• People centric

Our investment case
The global market for cyber professional and managed services offers phenomenal potential for growth, now and in the future. As investment in cyber resilience becomes essential to organisations’ licence to operate, NCC Group’s addressable market is expanding.

[Chart: Cyber security market size, 2018–2025 (USD billion); CAGR: 11.0%]
Source: https://seekingalpha.com/article/4335822-check-point-software-market-misunderstands-subscription-growth.

Our performance throughout the pandemic and beyond demonstrates our enduring and reliable business model in an agile market. We have grown revenue, gross margin and Adjusted operating profit 2 throughout a period of disruption. The performance of our key future service lines positions us to capture accelerating market growth. We have recurring high margin revenues and sustainable cash flows from our globally scalable Managed Detection and Response (MDR) and Software Resilience services, and a quality customer base.
The acquisition of Iron Mountain’s Intellectual Property Management (IPM) business will be accretive to earnings per share (EPS). We expect revenue opportunities from offering a richer set of software verification and cloud and wider cyber resilience services to IPM’s extensive customer base over the medium term.

+2.6% revenue growth
+5.9% gross margin growth

Our commitment to sustainability is integral to how we do business. Our approach to sustainability is focused on the recognised elements of environment, social and governance (ESG). They’re brought to life with our framework, which enables us to focus our efforts on the activities that deliver the greatest value to our people, our customers, our shareholders and the world we all live in. We will continue to secure the future today and our sustainability agenda will play a strategic role to support conscious decision making as we begin to set targets that challenge us to continually improve in making the world safer and more secure for all.

We are research driven. Our greatest strength is our breadth and depth of world-class technical capabilities. We employ some of the most talented security consultants and researchers on the planet: every researcher on our team is also an active consultant. We consistently perform independent, cutting-edge security research that supports current and future specialist technical consulting capabilities and customer and consultant needs, and responds to world events. Through our agile methodologies, we have delivered six new solutions in response to market demand in the last year, including a next generation SaaS platform for digital escrow deposits and secured digital vault storage, data science-based analytical and machine learning approaches to threat detection, and our new data-driven cyber risk quantification and peer comparison offer.

Read more on pages 53 to 68
Read more on pages 18 and 19

3,400 research days
6 new customer-facing propositions
35 tool releases

We are people centric. Each day at NCC Group, our technologists and professionals wake up with one mission – to help make the world safer and more secure. Together they form a phenomenal knowledge network, collaborating, innovating and delivering value to our customers. We continue growing our technical people base year on year, even managing to increase our global headcount throughout the disruption of the global pandemic, because we invest in our colleagues’ wellbeing, career development and full potential. As we are taking advantage of remote and flexible delivery models, we have doubled our global resourcing days in 2020. This means that we truly put the best person on any job, all around the world. And we will seek to increase this even further as we grow our global talent pool and our colleagues’ skills and competencies and mature our global delivery model.

We are capex light. Unlike other businesses in the technology space, we are an inherently asset-light business, limiting our capital expenditure and promoting our agility and flexibility to respond to changing circumstances. We have strengthened our Balance Sheet through disciplined cash management and reduced overheads which positions us to exploit further opportunities in the future. It has allowed us to invest up to £3m in cloud technology, artificial intelligence/machine learning advanced analytics, and our new remediation and security improvement offer.
8.1% growth in headcount
+49 net movement in technical specialists
88.2% cash conversion ratio 2
£34.6m free cash flow

Read more on page 50
Read more on pages 32 to 39

Chair’s statement
Securing the future

Chris Stone
Non-Executive Chair

Introduction
At the end of a financial year which has seen continued disruption to economies and trading environments worldwide, it is pleasing to be able to report to all our stakeholders that NCC Group has continued to demonstrate its resilience in many ways. In particular, NCC Group has achieved year on year revenue growth and profitability despite the headwinds of a global pandemic. Along the way, we secured the Group’s largest acquisition to date, enjoyed strong growth in our most exciting propositions for the future and had another year of strong cash management.

Business performance
Overall, the Group delivered revenue growth of 2.6% (2020: 5.2%), Adjusted EBITDA 2 of £52.5m (2020: £45.5m) and Adjusted operating profit 2 of £39.2m (2020: restated £30.7m 3). On a statutory basis, after the partial recognition of acquisition costs of £7.6m and cloud configuration and customisation costs associated with the Group’s transformation programme SGT (£5.1m, 2020: restated £7.9m 3), operating profit increased by 37% to £17.3m (2020: restated £12.6m 3) and profit before taxation increased 54% to £14.8m giving rise to a statutory EPS of 3.6p (2020: restated 2.3p 3) and Adjusted basic EPS 2 of 9.5p (2020: restated 7.2p 2) respectively. The Group delivered sustainable cash flows with cash conversion 2 of 88.2%, resulting in the Group becoming cash positive in November 2020 prior to the equity funding process for the IPM business US acquisition.

As at year end, net cash (excluding lease liabilities 2) amounted to £83.3m including net placing proceeds of £70.2m; adjusting for this has meant that underlying cash amounted to £12.6m compared to net debt of £4.2m 12 months ago. It is also worth noting that we have taken no government subsidies or loans (other than deferring tax payments that have now been fully repaid), nor have we made any colleagues redundant or furloughed them during the pandemic, demonstrating our objective of being a global hub for cyber talent.

In Assurance, the North American and EU Assurance businesses grew by 6.5% and 5.9% respectively on a local currency basis. Our UK and APAC business increased 3.9%, supported by growth in MDR and the launch of our Remediation service. Our Global Software Resilience business declined by 2.4%, a result of execution challenges in a remote environment and capacity challenges in sales resourcing. However, we are proud to see that our cloud proposition (EaaS) continues to go from strength to strength, with orders having increased by 83% to £2.2m, providing a promising and exciting platform for the future.

Our business performance can be found in more detail on pages 9 to 13

Strategy and sustainable business model
Our strategy, mission and vision remain unchanged, and continue to drive progress towards our medium-term objectives:
• For our shareholders:
  • Double-digit revenue growth and margin improvement for Assurance
  • Return Software Resilience to sustainable growth
  • Disciplined cash generation
• For our customers:
  • Use our unique data, capability and insight to help customers to meet their cyber resilience needs
• For our people:
  • A global hub for cyber talent
  • An inclusive environment where everyone feels safe to be authentic and which is representative of the diversity of the world in which we live

NCC Group’s research-driven, people-centric and capex-light business model enables us to remain at the forefront of the dynamic cyber industry.

Further details on our strategy and value creation through our business model are provided on pages 29 to 31 and 20 and 21 respectively

During the year, we agreed the acquisition and associated funding for Intellectual Property Management (IPM), the Software Resilience division of Iron Mountain, and received shareholder approval on 1 June. It was therefore pleasing post year end that we completed the transaction, which will be accretive to profitability and provide further strong cash generation. It is also pleasing that the management team has commenced the integration programme, and this is on plan. The strength and flexibility of our Balance Sheet will allow us to pursue further organic and inorganic growth opportunities where they align with our strategic and financial objectives.

Further details on our recent acquisition are provided on page 12

Dividend
We are recommending an unchanged final dividend of 3.15p (2020: 3.15p) per ordinary share, making a total for the year of 4.65p (2020: 4.65p), with our dividend policy continuing to remain under review. The final dividend will be paid on 12 November 2021, subject to approval at the AGM on 4 November 2021, to shareholders on the register at the close of business on 15 October 2021. The ex-dividend date is 14 October 2021.
Board composition
There have been no changes to the Board during the year.

Further details on our Board composition are provided on pages 78 to 86

Board governance and effectiveness
As Chair, I am responsible for providing leadership to ensure that the Board operates effectively in all aspects of its performance. We have an established and experienced Board, which actively oversees the Group’s strategic development, monitors the delivery of its business objectives and considers risks and mitigating actions. Our performance and decisions made during this global pandemic are testament to the Board’s effectiveness.

Further information on risk management and the key risk identification procedures is set out on pages 40 to 48

During the year, we have been further embedding the requirements of the UK Corporate Governance Code 2018 (the ‘Code’), particularly the renewed focus on identifying and engaging with all our stakeholders in a remote world. During the year we complied with all other aspects of the Code with the exceptions that our CEO and CFO pensions were not in alignment with our general colleague population, we do not have post-employment shareholding guidelines and we did not engage with the workforce to explain how executive remuneration aligns with the wider Company pay policy. The first of these three areas of non-compliance will be resolved following our 2021 AGM and subject to shareholder approval of our new Directors’ Remuneration Policy.

We recognise that we still have much progress to make in terms of improving the diversity of the Board and our Executive Team (and indeed our workforce as a whole). With that in mind, during the year we have made the commitment that by 2024, we will have at least 33% female representation on our Board and at least one person of colour. Although this is best practice for FTSE 350 companies, we will commit to this target regardless of which share index we are in.

Please see the Corporate Governance Statement starting on page 70 for further information

Executive management composition
It has been a delight to welcome Inge Bryan as Managing Director for NCC Group’s European Assurance operations, who joined us after a remarkable career in cyber and security. Inge previously held roles with the Dutch National Police and the General Intelligence and Security Service of the Netherlands and served as Home Affairs Counsellor in the Royal Netherlands Embassy in Paris. Before she joined NCC Group Inge was part of the cyber security leadership team with Deloitte Risk Advisory, securing the critical infrastructure of the Netherlands, including central government. In 2019 she was listed in the top 100 most influential women in the Netherlands and one of the 50 most inspiring women in tech.

Further details on our executive management composition are provided on pages 76 and 77

Stakeholder engagement
Successful stakeholder engagement is a key area of focus for NCC Group, especially during these remote and challenging times. During the year, we have engaged with our customers, our colleagues, our network and our shareholders. Certain highlights include the CyberUp Campaign, our “working together” approach with our customers, an investor survey and shareholder engagement throughout the recent acquisition, and physical and mental wellbeing programmes for all our colleagues.

Further details on stakeholder engagement are provided on pages 49 to 52

Colleagues
We will always be a people-centric business and our technical colleagues are at the core of our customer offer, supported by agile sales and back-office functions. Our colleagues have continued to show their commitment and resilience throughout the pandemic in delivering excellent service to our customers and pursuing our mission, vision and objectives relentlessly. We seek to provide meaningful and rewarding career paths for all our colleagues. Following our colleague engagement survey, we will continue to create a great place to work and focus on becoming the employer of choice in our markets. We are also embracing more flexible ways of working and intend to continue with that flexibility as we anticipate returning to a hybrid office/remote way of working. In addition, through our colleague resource groups that create conversations inherent to an inclusive culture, we continue making NCC Group an organisation where everybody feels safe to be their authentic selves.

Further details on this are provided on page 50

On behalf of the Board, I therefore offer our sincere thanks and appreciation to all of the Group’s colleagues for their continued resilience and professionalism in delivering this performance. As a Board, we also welcome our new colleagues from the IPM business as we look to the future with enduring confidence.

Sustainability
NCC Group recognises the importance of an environment, social and governance (ESG) framework that underpins our operations as a key indicator of the Group’s sustainability and ethical impact. The Group has developed an ESG framework which continues to evolve. Examples of progress to date include the ongoing review of key policies and maintaining our corporate governance and decision-making structures through the “move to remote” during the pandemic. In addition, we continue to foster partnerships that support the development of future diverse cyber talent and we encourage engagement from colleagues and our external stakeholders around our four focus areas of gender, LGBTQIA+, race and ethnicity and neurodiversity.
Further details on sustainability are provided on pages 53 to 68

Outlook
• For the current financial year (FY22), the Board expects higher revenue growth partially offset by increased global costs from inflationary pressures as well as a resumption in travel and office usage
• Our medium-term objectives continue to be double-digit revenue growth in Assurance and sustainable revenue growth in Software Resilience
• We are recommending an unchanged final dividend of 3.15p (2020: 3.15p) per ordinary share

Chris Stone
Non-Executive Chair
14 September 2021

Our strategic roadmap

Our connected society presents a world of opportunity
It is essential for us all to proactively manage any risk to our safety and security. As you go about your daily routines you can be safe in the knowledge that we are passionate about keeping you and your personal data, the technology and devices you use, and the critical assets and software your business relies on safe and secure. It is our mission and is what drives our strategic roadmap...

Mission
We exist to make the world safer and more secure.

Vision
To be the leading cyber resilience provider globally. Trusted to protect and secure our customers’ critical assets. Sought after for our complete people-led, technology-enabled cyber and software resilience solutions that enable our customers to thrive.

Delivering our vision through our Securing Growth Together transformation programme
We continue to transform our business.
Our vehicle for transforming the firm and achieving our vision is the Securing Growth Together programme, which is about connecting our global firm and creating stronger relationships with our customers. The programme is run through five workstreams:
• Lead the market
• Win business
• Deliver excellence
• Support growth
• Develop our people

Read more in our Chief Financial Officer’s Review on pages 32 to 39

Delivering value to our customers
Cyber threats are pervasive, complicated and rapidly changing and there’s no such thing as a “silver bullet”. We help our customers navigate through the complexity of cyber risks. Through our global research capability, technical expertise and full suite of services we can guide customers through the risks to achieve cyber resilience.
• Assess cyber risk
• Develop cyber maturity
• Manage cyber operation

Read more in our business model on pages 20 and 21

Our Code of Ethics and values
NCC Group is a distinctive place to work where we are guided by our Code of Ethics – treat everyone and everything with respect. Our common values help us to make decisions without the need for a comprehensive instruction manual:
• We work together
• We are brilliantly creative
• We embrace difference

Read more on our sustainability on pages 53 to 68

Chief Executive Officer’s review

Resilience is the key
Covid-19, supply chain shocks and rampant ransomware attacks have reminded us all how difficult it is to predict the future and thus of the importance of resilience against unknown risks. We are proud of our own resilience through the past 12 months, demonstrating our ability to deliver great work, to hire more talent and to grow even through the most extreme of shocks.

Our resilience starts with our people and I would like to pay tribute to the remarkable skills and commitment of my colleagues. They are at the heart of our success.
Last financial year we hired over 200 front-line technical specialists, increasing our global net headcount by 8.1%. It is remarkable to think that many of them have not been into an office or met their colleagues. Happily, the feedback from surveys we have conducted indicates that the work we have done to onboard colleagues in the remote environment has been valued.

Overall, the global voluntary attrition rate remained constant at c.15% and our technical attrition increased to 17.0% (2020: 14.4%). We identify two particular influences on this attrition increase. First, the advent of remote working drove significant labour mobility in the United States as it became possible to work for the largest and most exciting technology companies without having to move to the Bay Area. Second, while attrition was much lower in the UK and Europe through the first half, as the world began to open up we saw people leave to change lifestyle or gain variety after being locked down in the same place for an extended period of time. However, once again demonstrating our own resilience, the global operating and resourcing model that we developed mitigated the impact of this higher attrition, enabling us to deliver revenue in North America using resources spread elsewhere across the globe.

Everyone is welcome
There are not enough cyber skills in the world to meet today’s challenges. We see ourselves as playing a significant role in the attraction and training of new talent, having one of the cyber industry’s most effective training programmes. As we strive to bring more people into the world of cyber and to make the population of cyber specialists representative of the societies in which they live and work, we continue to focus on inclusion and improving the diversity of our teams.
In particular: • We are embracing more flexible ways of working – and intend to continue with that flexibility as we explore new ways of working • Our four colleague resource groups – Gender, Race and Ethnicity, LGBTQIA+ and Neurodiversity – have catalysed conversations on topics as diverse as menopause, systemic racism, transvestism and autism, as we strive to raise awareness, create understanding and respect each other to make NCC Group an inclusive place for everyone • Our teams have worked hard to provide mutual support with a particular focus on mental health and wellbeing. We have 61 trained Mental Health First Aiders. Over 100 of our people managers have received training in mental health awareness, and a full wellbeing programme for colleagues is supplemented by employee assistance programmes in our local geographies. All of these efforts continue to help our teams through these difficult times and will provide a legacy of ongoing benefit in the future Adam Palser Chief Executive Officer Our resilience starts with our people and I would like to pay tribute to the remarkable skills and commitment of my colleagues. They are at the heart of our success. Which pandemic will you still be worrying more about next year? Pandemics start somewhere else and affect other people – until very suddenly they are on your doorstep and inside your business, forcing you to re-evaluate how you live and how you work. Our 2021 financial year was a tale of two pandemics, one biological and the other digital. The ensuing tug-of-war between these pandemics defined our markets: • Covid-19 rippled across our geographic operating territories at different speeds and intensities provoking different responses from governments. 
We saw demand from customers ebb and flow depending on whether their industry was opening up or being placed under more restrictions
• Simultaneously, the rapid uptake of remote working drove increased cyber risk, which was exploited by “bad actors” including organised crime and state-sponsored groups. Ransomware, in particular, has now become so prevalent that no organisation can afford to ignore the risk it presents

Sustainable growth for all of our stakeholders

Every day we work for customers in pursuit of our mission: to make the world a safer and more secure place. This mission and the focus on our people are at the heart of our value proposition and how we do business. More broadly, our sustainability approach is focused on the recognised elements of environment, social and governance and our progress is outlined below:
• Environment – Building on the new and successful ways of working created by the pandemic we are engaging in conversation with our customers to explore how we can work together to reduce the impact on the environment. In addition, as our office environments come back to life, we are investing in education programmes to reduce our physical impact – from flexible working and preventing unnecessary printing, to recycling. We have also developed our new working policies and therefore will continue to review our physical office requirements to ensure we only use what we need
• Social – We continue to foster partnerships that support the development of future diverse cyber talent and encourage colleagues to give back to their local communities through schools, universities and charity partnerships, and the piloting of a giving back day in the UK.
In addition, we continue to invest in developing not only our mental health first aid network and resources, but we are now looking to implement our broader wellbeing strategy, partnering again with This Can Happen. Through NCC Conversations we continue to encourage engagement from colleagues and our external stakeholders around our four focus areas of gender, LGBTQIA+, race and ethnicity and neurodiversity, adding accessibility in this coming year. These conversations alongside our performance management programme and career framework development help drive our performance culture, creating an environment where everyone is welcome and can be successful
• Governance – We continue to strengthen our governance structures. We assess and consciously decide to work with customers who align with our own values and Code of Ethics. We are currently strengthening our Supplier Code of Conduct to ensure that we enter any supplier or partner relationship with a mutual understanding of each other’s code of ethics and general business policies. In addition, we remain committed to considering the interests of all our stakeholders when making decisions on the Group’s future strategy and priorities

Year on year growth led by Assurance

Against this backdrop, Group revenues increased by 2.6% (2020: 5.2%). On a constant currency basis 2, Group revenues increased by 3.6%. In our Assurance business, the North American and EU Assurance businesses grew by 6.5% and 5.9% respectively on a local currency basis 2. Our UK and APAC region increased 3.9%, including a notable 9.6% in the second half as industries began to look forward to the easing of restrictions. In our Software Resilience division, we were delighted by the 83% increase in Escrow-as-a-Service orders which herald great promise for the future, but disappointed by an overall revenue decline of 2.4%.
Attracting sufficient sales resource, retaining sales colleagues, delivering on-site work and maintaining sales momentum have all been more difficult in a fully remote working environment and we anticipate improvements in all of these factors in the next 12 months as we work to return Software Resilience to sustainable growth. Gross profit increased by 5.9% to £110.6m (2020: £104.4m) with gross margin percentage increasing to 40.9% (2020: 39.6%). The margin increase was significantly driven by the flourishing of our global resourcing engine where skilled resources from every part of our Group can now be deployed on high value engagements, smoothing out peaks and troughs of demand or skill shortages. The gross margin was, however, offset by a c.£2m provision taken in relation to existing long-term European contracts as a result of pandemic disruption, cost increases and project management challenges. Operating profit increased by 37.3% to £17.3m (2020: restated £12.6m 3) after the inclusion of transaction costs of £7.6m in relation to the $220m acquisition of Intellectual Property Management (IPM), the Software Resilience division of Iron Mountain and cloud configuration and customisation costs associated with the Group’s SGT transformation programme (£5.1m, 2020: restated £7.9m 3). The Group manages its performance internally at an Adjusted operating profit 2, 3 level, with Adjusted operating profit 2, 3 increasing by 27.7% to £39.2m albeit with the benefit of a temporary reduction in travel and office usage costs of c.£3m. This information is disclosed below and reconciled to statutory operating profit. During the year, the Group has incurred £12.7m of Individually Significant Items (ISIs) (2020: restated £7.9m 3). These items relate to the acquisition of the IPM business (£7.6m) and cloud configuration and customisation costs associated with the Group’s SGT transformation programme (£5.1m, 2020: restated £7.9m 3). 
2021
                                            Assurance     Software      Central and   Group
                                                          Resilience    head office
                                            £m            £m            £m            £m
Revenue                                     233.9         36.6          –             270.5
Cost of sales                               (149.5)       (10.4)        –             (159.9)
Gross profit                                84.4          26.2          –             110.6
Gross margin %                              36.1%         71.6%         –             40.9%
General administration expenses allocated   (45.4)        (9.5)         (3.2)         (58.1)
Adjusted EBITDA 2                           39.0          16.7          (3.2)         52.5
Depreciation and amortisation               (9.4)         (0.7)         (3.2)         (13.3)
Adjusted operating profit 2, 3              29.6          16.0          (6.4)         39.2
Individually Significant Items              –             –             (12.7)        (12.7)
Amortisation of acquired intangibles        –             –             (6.4)         (6.4)
Share-based payments                        –             –             (2.8)         (2.8)
Operating profit                            29.6          16.0          (28.3)        17.3

2020 (restated) 3
                                            Assurance     Software      Central and   Group
                                                          Resilience    head office
                                            £m            £m            £m            £m
Revenue                                     226.2         37.5          –             263.7
Cost of sales                               (149.3)       (10.0)        –             (159.3)
Gross profit                                76.9          27.5          –             104.4
Gross margin %                              34.0%         73.3%         –             39.6%
General administration expenses allocated   (43.9)        (10.0)        (5.0)         (58.9)
Adjusted EBITDA 2                           33.0          17.5          (5.0)         45.5
Depreciation and amortisation               (10.7)        (0.6)         (3.5)         (14.8)
Adjusted operating profit 2, 3              22.3          16.9          (8.5)         30.7
Individually Significant Items              –             –             (7.9)         (7.9)
Amortisation of acquired intangibles        –             –             (8.8)         (8.8)
Share-based payments                        –             –             (1.4)         (1.4)
Operating profit                            22.3          16.9          (26.6)        12.6

Long-term market prospects are excellent

Development of the connected environment; Society’s dependence on the connected environment; Agility and pace of the threat; Regulatory environment

The four secular growth drivers of resilience demands (as we refer to them) continue to strengthen:
• The connected environment is growing. Every year, more devices are connected to the internet to share data or offer up the possibility of remote access, and the interdependencies between organisations across geographical boundaries increase in complexity too
• Society’s reliance on the connected environment is greater than ever. The world is undergoing a digital transformation, accelerated by the pandemic. Our economies and wellbeing have never been more dependent on the safe and secure flow of data, and the continued resilience of essential services they rely on in their daily lives
• The threat is growing.
Ransomware has now become endemic
• Regulatory and legislative requirements are increasing. In response to all of the above, organisations have to comply with a growing set of mandated requirements if they wish to enter or continue operating in their respective markets. This includes proposed legislation by the UK government for consumer IoT manufacturers, US President Biden implementing software supply chain security measures by Executive Order, and global financial regulators updating their rules and guidance on technology, third party technology and cloud outsourcing arrangements

For further detail, please refer to the Chief Financial Officer’s review and Note 34 to the consolidated Financial Statements.

Profit before taxation increased 54.2% to £14.8m (2020: restated £9.6m 3) and profit for the year increased 56.3% to £10.0m (2020: restated £6.4m 3) giving rise to a basic EPS of 3.6p (2020: restated 2.3p 3). Adjusted basic EPS 2 amounts to 9.5p (2020: restated 7.6p 3). In 2021, our cash conversion 2 was 88.2% (2020: restated 102.9% 3). Net cash/(debt) (including lease liabilities) 2 amounts to £48.9m (2020: net debt £42.4m).

A sustainable business model in a dynamic environment

We are fortunate to work in a sector of growing opportunity. Naturally, this opportunity attracts significant investment from many organisations leading to healthy competition for customers and talent. In this context, we cherish our research-driven, people-centric and capex-light business model that enables us to stay at the leading edge of the dynamic cyber resilience market and create profitable, cash generative growth. Every year we enable talented individuals from our global teams to research the latest technologies, discover new system vulnerabilities and develop skills.
In turn:
• The subsequent education of our customers and monetisation of our knowledge allow NCC Group to maintain its world-leading position in this ever-evolving market
• The opportunity to work with some of the best minds in the industry and to conduct research is part of our rounded colleague value proposition for technical specialists

Although the pandemic has impacted all our colleagues and customers around the world, our business has demonstrated its resilience and remains committed to securing the future for all.

2 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 187 and 188.
3 See Note 34 for an explanation of the prior year restatement recognised in relation to the adoption of the IFRIC agenda decision on cloud configuration and customisation costs in April 2021. The following additional information and reconciliation is noted in relation to Adjusted operating profit due to the adoption of the IFRIC agenda decision:

                                                              2021 £m   2020 £m   Change
Adjusted operating profit (as noted above)                    39.2      30.7      27.7%
Proforma amortisation charge in respect of certain
cloud-based software arrangements (see explanation below)     (3.0)     (1.4)     (114.3%)
Adjusted operating profit less a proforma amortisation
charge in respect of certain cloud-based software
arrangements                                                  36.2      29.3      23.5%

The proforma amortisation adjustment noted above represents an estimate of the amortisation that would have been recognised had the Group not changed its accounting policy in the current year following additional clarification on the accounting in relation to the configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS) arrangements in the IFRIC agenda decision issued in April 2021.
The proforma amortisation charge is estimated based on cloud configuration and customisation costs charged to the income statement in the year of £5.1m (2020: £7.9m). The Directors consider that Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements is comparable to Adjusted operating profit previously reported.

Creating value through the execution of our strategy

Over the past three years – and even through the disruption caused by Covid-19 – our confidence in the direction of our Company has grown. Our mission, vision and values have remained the same and we have created value through the relentless execution of our transformation programme, “Securing Growth Together”.

Our mission is to make the world safer and more secure.

Our vision is to be the leading cyber resilience provider globally, trusted to protect and secure our customers’ critical assets and sought after for our complete people-led, technology-enabled cyber resilience solutions that enable our customers to thrive.

Our values are work together, be brilliantly creative and embrace difference.
Our medium-term objectives are:
• For our shareholders:
  • Medium-term target of double-digit revenue growth and margin improvement for Assurance
  • Return Software Resilience to sustainable growth
  • Disciplined cash generation
• For our customers:
  • Use our unique data, capability and insight to help customers to meet their cyber resilience needs
• For our people:
  • A global hub for cyber talent
  • An inclusive environment where everyone feels safe to be authentic and which is representative of the diversity of the world in which we live

As noted at our interim results, we are now building on the strong initial foundations of our Securing Growth Together programme and have moved to the next phase of becoming the complete provider of global cyber resilience solutions, particularly by:
• Broadening our portfolio (adding services and solutions across the cyber lifecycle)
• Improving how we go to market globally (becoming easier to engage with and buy from)

At our interim results, we announced the investment of £3m into propositions that we consider critical for the future and for realising our ambition to become a complete provider of cyber resilience services, acting as a one-stop shop to meet our customers’ demand for evidence-based solutions that offer them peace of mind.
The table below describes these propositions and highlights our progress in FY21:

Proposition: Escrow-as-a-Service (EaaS), our cloud escrow proposition
Progress:
• 83% increase in EaaS orders to £2.2m
• Weighted year end EaaS pipeline at £1.1m
• Notable FY21 wins include Sky, Carrefour, Christie’s, Deutsche Bank, Standard Chartered and Barclays

Proposition: Global Managed Services (GMS)
Progress:
• MDR revenue growth of 14.3%
• Sales orders growth of 15.8% to £71.8m

Proposition: New MDR service based on Microsoft’s Azure Sentinel platform
Progress:
• Launched at the end of the financial year

Proposition: New Remediation service to develop clients’ resilience
Progress:
• Global rollout after successful UK launch (revenues of £2.1m with current pipeline of c.£3m)

We will invest further in FY22 and beyond to build on these successes.

Acquisition of IPM business

The most significant investment of the year was our recent acquisition of the IPM business, which marked an exciting culmination of our financial year. We obtained shareholder approval on 1 June and completed the transaction on 7 June for $220m, subject to a normalised working capital adjustment during FY22. On this basis, the results of the IPM business will be consolidated from 1 June 2021. The acquisition was funded through an equity placing (£70.2m) in May combined with a new three year $70m term loan, existing cash balances and our revolving credit facility.
The acquisition aligns with the Group’s existing strategy and will:
• Scale up the Group’s core business to create a global business and platform for further growth
• Generate revenue synergies through allowing the enlarged division to offer NCC Group’s broader suite of established verification services as well as the newer Escrow-as-a-Service (EaaS) cloud offering to the IPM business’ existing customer base
• Present an exciting new opportunity to sell NCC Group’s cyber security services from its Assurance division into the IPM business’ broad and blue-chip customer base in the medium term
• Be accretive to earnings per share from completion, even without factoring in revenue synergies
• Result in greater strategic strength for the future

Financially and, prior to our ownership, the business generated revenues of c.£23m and operating profit of c.£15m for the 12 months ended 31 December 2020, with cash conversion of c.90%. It is expected that for NCC Group’s FY22 financial year, the business will incur c.£2.5m of one-off integration costs.

From an integration perspective, integration is on plan with all workstreams (People, Customers, Operations, Finance and IT) making good progress against objectives. The business is also supported by TSA and MSA arrangements.

From a personal perspective, it has been a pleasure to welcome our new colleagues from the IPM business. I look forward with confidence to the future as we transform our Software Resilience business into a growing, high margin global leader.
Summary

Financial
• Year on year growth in Group revenue, gross profit, Adjusted operating profit and profit before taxation
• Another year of excellent cash management

Operational
• Successful acquisition of IPM with strategic and financial importance
• Exciting development and growth of key service lines for the future
• Market prospects continue to evolve and create opportunities
• We continue to have a strong and flexible Balance Sheet that will allow us to fund future organic and inorganic growth

Our FY22 operational priorities are:

Assurance
• Broadening our portfolio (adding services and solutions across the cyber lifecycle)
• Growing recurring global MDR services
• Effective use of our global resourcing model

Software Resilience
• Addressing execution challenges and returning Software Resilience to sustainable growth
• Continuing to broaden the portfolio through innovation and growing our EaaS proposition
• Embedding the IPM acquisition and minimising integration costs

Outlook
• For the current financial year (FY22), the Board expects higher revenue growth as compared to FY21 partially offset by increased global costs from inflationary pressures as well as a resumption in travel and office usage. IPM integration costs are expected to be c.£2.5m
• Our medium-term objectives continue to be double-digit revenue growth in Assurance and sustainable revenue growth in Software Resilience
• Q1 FY22 revenue growth was stronger than prior year in local currency but we experienced some unanticipated disruption in customer buying patterns over the summer period. Q1 orders were ahead YoY and our orders pipeline is robust.
Consequently, the full year outturn remains in line with management expectations
• The Board is recommending an unchanged final dividend of 3.15p (2020: 3.15p) per ordinary share

Adam Palser
Chief Executive Officer
14 September 2021

Our continued Covid-19 response

Planning ahead to survive and thrive in a global pandemic

When the World Health Organization announced the global pandemic, we began planning to support our colleagues and our customers through the inevitable lockdown. The priority was colleague welfare and customer safety. Beyond that, we set out two clear objectives that would guide our actions:
• Maintain a strong Balance Sheet to ensure the survival of the Company and its ability to pounce on opportunities as the pandemic subsided
• Maintain the capacity and capability we knew we would need to meet future demand

We worked towards these objectives using five strategic pillars.
Anticipate
Objective: Plan for different outcomes and track KPIs to inform our decision making

Be resilient
Objective: Ensure the safety of our colleagues and customers, and maintain continuous operations

Examples of our actions (Anticipate; Be resilient):
• Scenario planning
• Preparation for contingency plans with different levels of response
• Data-led insights from our new systems
• Regular communication
• Global systems set up to ensure colleagues delivering customer work were supported to do this remotely
• Developed a programme that enabled critical need colleagues to access office environments when it was safe and permitted to do so
• Provided colleagues with resources to support longer-term remote working

Stay profitable
Objective: Proactively sell remote services; careful control of cost and cash
Examples of our actions:
• More than 95% of our services can be delivered remotely
• Provided advice and guidance to customers with practical solutions to stay safe during the global pandemic
• Continued to develop our service offerings to support customers with short-term challenges caused by the pandemic as well as through our research capability and global threat intelligence insights, continuing to develop solutions for the future

Exploit any downtime
Objective: Strengthen the firm every day through research and development
Examples of our actions:
• Invested a record 3,400 days on technical security research, which resulted in a significant contribution of conference presentations, vulnerability advisories, blog posts, research papers and open-source tools being released
• Created a new internal research working group focused specifically on finding creative and massively scalable solutions to remediate (even prevent) security vulnerabilities at internet scale, and a group which focuses exclusively on the security implications of emerging technologies yet unstudied by any other security research firm
Read more on our research on pages 18 and 19
• Developed our Global Assurance operating model, investing in our future delivery capability and value proposition

Prepare for the bounce back
Objective: Preserve capability and capacity to invest selectively for the future
Examples of our actions:
• Acquisition of Iron Mountain’s Intellectual Property Management (IPM) business to provide a robust platform for growth, particularly in North America but also for our Software Resilience division and NCC Group as a whole
• Redesigned and launched our regional websites, which supports our new global marketing operating model
• Reimagined our future world of work by learning from and listening to the experience of the pandemic including how flexible working could be an enabler for a more inclusive and diverse workforce
• Continued investment and development in services and solutions to broaden our portfolio and better serve our customers including the launch of our new Remediate service and our flagship Partner Network for our Software Resilience offering in the UK

Markets

Market dynamics

A changing threat landscape and exponential digital transformation, coupled with society’s ever-growing reliance on digital technologies and increasing regulatory and legislative requirements, mean that investment in cyber and software resilience is no longer optional and NCC Group’s addressable market is growing.

Changing threat landscape; Exponential digital transformation; Society’s ever-growing reliance on digital technologies; Increasing regulatory and legislative requirements

A changing threat landscape

The global geo-political environment fuels a buoyant cyber resilience market. Strategic competition is coming from China, and hostile threats from Russia, Iran and North Korea.
This, coupled with emerging offensive capabilities in other nation states and organised crime groups, creates a volatile state of unpeace that organisations need to prepare for, navigate and defend against. As the scourge of ransomware emerges as a distinct threat to organisations of all sizes, and software supply chain attacks inflict mass disruption in all geographies, the real-world kinetic impact of recent cyber attacks has catapulted a deeper awareness of the threat to our digital lives into the mainstream.

Society’s ever-growing reliance on digital technologies

This has been exacerbated by exponential digital transformation. Software and cloud consumption, driven by the Internet of Things (IoT), has never been higher, and the digital supply chains upon which our connected environment depends have never been more complex and interdependent. And as the fall-out from ransomware attacks and technical outages alike has shown, we have never relied more on the smooth functioning of digital technologies than we do now.

Increasing regulatory and legislative requirements

That means, too, that focus on and expectations of ensuring the continuity of essential services – and with it a renewed awareness of the crucial importance of digital business continuity planning – have increased significantly. And while citizens rightly expect organisations to act responsibly, so legislators and regulators have concluded that the defence and resilience of schools and hospitals, banks and insurers, water treatment facilities and gas pipelines are too important to be left to chance. As a result, we are seeing a global increase in the depth and breadth of mandated requirements with which organisations must comply to enter or continue operating in their respective markets. Cyber resilience measures are becoming an integral element of an organisation’s licence to operate.
We are seeing evidence of this in the UK with the government’s proposed legislation for consumer IoT manufacturers, and the strengthening of security requirements for telecommunications companies. In the US, the government is taking forward software supply chain security measures by Executive Order and the Australian government is enhancing incident management for critical infrastructure operators, while the European Union is pressing ahead with expanding the scope of the Network and Information Security Directive.

At the same time, we are seeing a growing convergence of cyber and software resilience as part of a broader trend towards digital operational resilience. Global financial regulators, from the Basel Committee to the UK’s Prudential Regulation Authority and Canada’s Office of the Superintendent of Financial Institutions, have updated their rules and guidance on technology, third party technology and cloud outsourcing arrangements. All acknowledge that the financial systems’ reliance on third party solutions presents risks that need to be mitigated before they fundamentally threaten the global financial system.

Although competition for customers and talent is also growing, our continued portfolio evolution and differentiation enable us to take advantage of the tremendous opportunities the cyber services market offers, fuelling our growth now and in the future.

Growing competition for customers and talent; Continued portfolio evolution and differentiation

Competition for customers

As board-level and senior executive understanding – and liability – grows, cyber and software resilience is increasingly seen as a strategic investment. That also means that the competitive landscape continues to be busy on all fronts, and that new and disruptive ways of working and service delivery come to market frequently.
Excitement about new and emerging technologies – from artificial intelligence to quantum computing – that infuse traditional cyber offerings continues unabated. By way of example, venture capital activity until May 2021 rivalled the full-year activity level in 2020 and continues on an upward trajectory, and private equity investment continues to focus on the typical “platform buy and bolt on” strategies across cyber services and technology domains globally. We’ve also seen continued evolution in penetration testing to continuous, automated and on-demand/crowd-sourced models and experienced competitive pressures in the Managed Detection and Response space, and from regionally and vertically aligned specialists in the wider Software Resilience offering.

Competition for talent

In addition, competition for talent continues unabated, not least as regulatory authorities are equally seeking to fill their capability gaps as they discharge their new responsibilities. As the global pandemic has driven remote working models more widely, we have, moreover, experienced external challenges to our traditionally uncontested talent pools, for example, where US technology companies have acquired talent in the European and Asia Pacific regions.

NCC Group’s continued portfolio evolution and differentiation

Through our combined Cyber and Software Resilience offering, we are uniquely placed to offer our customers – current and new – easy-to-access peace of mind in an ever-more complex digital world.
Our service orientated research and development, and selective investments to meet our customers’ changing challenges and demands have and will allow us to:
• Evolve our penetration testing services to address risks of commoditisation
• Establish our Managed Detection and Response offering as a leading proposition in a competitive and diverse space, building on a full suite of incident response and threat intelligence services across a leading, sovereign European business, while adding analytical and machine learning approaches to our threat detection, to offer customers insight and context into malicious activity and response capabilities to identify and mitigate sophisticated cyber threats
• Innovate to integrate Microsoft Sentinel into our offering which means we are fully equipped to manage threat monitoring and detection for Microsoft customers
• Differentiate our Remediate service against competition from system integrators, generalist consultancies and fragmented boutiques, through our technical depth, expertise, scale and global footprint which mean we are able to work with our customers to assess their existing risk position, and prioritise and fix security weaknesses as part of a structured improvement plan to reduce their cyber risk
• Enhance our Software Resilience capabilities into a market-leading combination of service modernisation and trusted reputation, through the acquisition of Iron Mountain’s Intellectual Property Management (IPM) business, which completed on 7 June 2021, and the continued innovation in cloud-delivered services and a next generation Software-as-a-Service platform for digital escrow deposits and secure digital vault storage

Finally, our tenure, stability and reputation mean we remain an attractive destination for global talent at all stages of their career and we continue to invest in creating a world-class environment in which everybody is welcome and can be successful.
INSIGHTS: RESEARCH AT NCC GROUP

Cutting-edge research and technical capabilities

NCC Group employs some of the most talented security consultants and researchers on the planet, serving customers worldwide and uncovering countless vulnerabilities per year through both customer work and independent vulnerability research. We are a research-driven firm where every researcher on our team is also an active consultant.

Our greatest strength is our breadth and depth of world-class technical capabilities, publicly exemplified by our research publications, now spanning into the hundreds per year, across two decades 1. We consistently perform independent, cutting-edge security research across hardware and embedded systems security, applied cryptography, programming languages, artificial intelligence and machine learning, mobile privacy, cloud and container security, exploit development, critical infrastructure security and threat intelligence, and beyond all technologies, and in all sectors – the outputs of which support current and future specialist technical consulting capabilities and customer and consultant needs, and respond to world events.

We host a GitHub repository of over 200 open-source security tools 2, have a research group dedicated to security research in the public interest 3, and are trusted experts to whom open-source projects and major tech companies alike regularly turn for our publicly reported security audits of their most important technologies 4.

Public-facing reports, research papers and tool releases are published on our dedicated research blog, research.nccgroup.com, and are also regularly covered by publications including the Wall Street Journal, New York Times, Washington Post, DarkReading and Politico, as well as other mainstream and trade publications globally.
Our research blog attracted over a quarter of a million visitors in the past financial year. We also regularly work with independent UK consumer body Which? undertaking research across a range of smart devices – from toys to doorbells. The results are published in its online and print magazine titles as well as extensively covered by the mainstream media with our more detailed research findings published on our blog.

In addition to our published work, our researchers regularly present their work in top research venues across the world as well as serving on review boards of conferences. These include Black Hat USA, Chaos Communication Congress, HITB Amsterdam, CanSecWest and DEF CON to name a few.

Our technical capabilities extend beyond our public-facing work, to include our internal-only research and development function, including our Exploit Development Group, Threat Intelligence Fusion Centre and Full Spectrum Attack Simulation Group as well as unpublished proprietary tooling.

FY21 research

Our research investment has had a direct and positive impact on the safety and security of our digital world for everyone, from operators of critical infrastructure to everyday consumers. We discover and remediate existing vulnerabilities before they can be uncovered and exploited by threat actors. We continue to invest in our future – both as a firm, and in improving the security of the global internet ecosystem.

In January 2021, we published our inaugural Annual Research Report, in which we summarised our security research findings from across all our conference publications, blog posts and tool releases published by researchers at NCC Group between 1 January and 31 December 2020. In this report, we presented our findings and their impact in context, with links to the associated research papers, recorded conference presentations, publicly reported security audits, technical advisories and open-source tools, as well as selected media coverage of our work 5.
51 conference presentations, including over 20 presentations at “Tier 1” research venues
9 internal research working groups
8 whitepapers, research papers and research reports
35 open-source tool releases
71 research blog posts
37+ technical advisories/CVEs

Jennifer Fernick, SVP & Global Head of Research

Highlights include:

• We invested a record 3,400 days on technical security research, which resulted in a significant contribution of conference presentations, vulnerability advisories, blog posts, research papers and open-source tools being released
• We co-founded the Open Source Security Foundation 5 – a group of industry experts working together to improve the security of the open-source ecosystem – forming the group’s governing board alongside representatives from GitHub, Google, IBM, JPMorgan Chase, Microsoft, OWASP Foundation and Red Hat, among others
• We served on the Industry Advisory Board at King’s College London, the Executive Steering Board for the Internet of Things Security Foundation (IoTSF), the UK’s National Cyber Security Centre (NCSC) Research Advisory Panel and the Technical Advisory Council of the Open Source Security Foundation, as well as contributing to standards groups like the CIS Benchmarks, the ioXt Alliance and the C Standards Committee
• We created a new internal research working group focusing specifically on finding creative and massively scalable solutions to remediate – and perhaps even prevent – security vulnerabilities at internet scale, as well as a group which focuses exclusively on the security implications of emerging technologies yet unstudied by any other security research firm
• It’s this technical excellence that makes NCC Group attractive to some of the world’s most talented security consultants.
Attractive to those just starting out in their career, and to those who have already established a name for themselves in the infosec community, there is a research path for every single consultant who wants it here at NCC Group.

Research at NCC Group typically falls under one or more of six core categories:

Offensive – we perform deep technical vulnerability research to understand the complexities involved in attacking different technologies and systems and the true impact of any successes that attackers might derive with similar capabilities.

Defensive – outputs from our offensive research inform our defensive research – this is where we research methods, tooling and solutions to mitigate the issues that we identify across technologies.

Capability – we are constantly innovating and developing new technical testing capabilities and methodologies to keep pace with the rapid change in technology and threat landscapes. This ensures that when we assess client systems and networks, our techniques are at least as good as those of their adversaries.

Future looking/horizon scanning – we routinely research emerging technologies to understand the potential security impact of those technologies on the sectors in which our customers operate.

Customer-driven commercial research – we regularly perform paid research for customers, helping them to answer any uncertainties they might have on technology risk, such as understanding security capabilities of specific technologies or emerging technological security impact on an industry or sector.

Collaborative – we are open to research collaborations and regularly work with academia through joint research and PhD sponsorships. We also contribute many of our research outputs to various international security standards bodies and we are open to B2B and consortia-based research collaborations.

1 https://research.nccgroup.com/2020/08/21/immortalising-20-years-of-epic-research/.
2 https://github.com/nccgroup.
3 https://research.nccgroup.com/2021/01/31/2020-annual-research-report/#PublicInterestTechnology.
4 https://research.nccgroup.com/category/public-report/.
5 https://newsroom.nccgroup.com/news/ncc-group-joins-forces-with-industry-leaders-to-improve-security-of-open-source-software-oss-408150.

https://research.nccgroup.com
@NCCGroupInfoSec

Business model

Creating value

We draw on our expertise, capabilities and global footprint to develop solutions to meet current and future cyber challenges. We help to educate policymakers and regulators. We give back to protect our local community services. And we share opportunities to experience the world of cyber and inspire the next generation to secure our future.

[Diagram: How we create value. Labels: Assurance, Software Resilience, R+D, Assess cyber risk, Develop cyber maturity, Manage cyber operation]

Research and development investment

We continue to innovate and develop new technical testing capabilities to keep pace with the rapid change in technology and threat landscapes. Our ongoing research allows us to understand and quantify risk for our customers about the technologies they use and the threats to the sectors and industries in which they operate.

Read more on pages 18 and 19

Inputs

Securing Growth Together strategy
• In a fast-moving and complex environment our enduring strategy enables us to be agile to continue to make sustainable investments, creating the world’s leading cyber and software resilience, risk mitigation and remediation specialist

Talented and motivated colleagues
• We are a global community of talented individuals working together, being brilliantly creative and embracing difference to help make the world safer and more secure

Culture of innovation
• Research driven where every researcher is also an active consultant.
We invest in sustainable product development, continually enhancing our proposition to meet current and future needs of customers

Stronger partner relationships
• We are active members of the global cyber and software resilience community, working in collaboration and in partnership with key industry players. Many successful global partnerships have delivered integrated, seamless solutions to customers

Market-leading reputation
• We understand our customers’ challenges and the risks these pose to their business. Successful delivery to customers worldwide means we are in a strong position to help them understand and improve their cyber resilience posture and how best to mitigate against evolving threats, keeping them up to date and aligned to regulations and compliance needs throughout

How we create value

Read more on our strategy on pages 29 to 31

Value creation

Colleagues
• Our core strength is the expertise of our colleagues and we aim to create an environment where everyone can reach their full potential. From our technical teams to our professional teams, we work together in support of our customers.
Colleagues are part of a phenomenal knowledge network, connected through online collaboration and communication platforms with access to formal and on the job learning opportunities

Customers
• The cyber landscape is complex, and our unrivalled global footprint, technical community and scientific approach mean we can confidently say: we understand it, we are good at it and we can help mitigate the risks
• We advise on the right solution to match our customers’ cyber and software resilience posture requirements – based on goals, budgets and risk appetite
• We balance our global knowledge with customer-specific prioritisation of risks to ensure the right actions are taken to mitigate them

Our network
• We are active members of the cyber and software resilience community, working in collaboration and partnership with key industry players around the world. Our network extends to ensuring we have the relevant accreditations and certifications to assure our customers of our professional services. This includes our partner programme

Shareholders
• Our scale provides us insights and understanding of the vulnerability landscape and our technical teams and tools allow us to provide insight into the patterns of vulnerability. This, along with our people-led culture, gives us a competitive advantage and superior shareholder value

Assurance

As one of the world’s leading cyber security service providers we are best placed to help businesses assess, develop and manage the cyber security risks they face. Through an unrivalled suite of services, we provide organisations with peace of mind that their most important assets are protected.

Software Resilience

Regardless of whether the infrastructure or data is on-premise or in the cloud, security and regulatory compliance of business-critical technology need to be assured.
Through our data and application continuity solutions we safeguard buyers from supplier failure, software vulnerabilities and unforeseen technology disruption while providing credibility and intellectual property rights protection for software suppliers.

Assess cyber risk

A fast and global response with the ability to understand what the problem is, using experience and/or relevant industry frameworks. The value is not just in the assessment but in the clear advice and guidance from the results to improve cyber resilience.

Read more on pages 22 and 23

Develop cyber maturity

We work together with our customers to help them develop security capability or fix the issues identified during the assess stage. It is only once these areas have been remediated that the true return on investment will be realised against their cyber spend.

Read more on pages 24 and 25

Manage cyber operation

The ever-evolving threat landscape means that beyond the initial assess and develop phases it is vital to continually improve levels of security, detect incidents and react to them. We help companies manage their own capability or provide it through efficient security managed services.

Read more on page 28

BUSINESS MODEL INSIGHTS: ASSESS CYBER RISK

Making the automotive sector safer and more secure

The key priority for the automotive industry has for many years been safety – the safety of vehicle occupants, other road users and pedestrians, by trying to prevent crashes from occurring and minimising injury when a crash does occur. Established international standards and regulations are in place to support this initiative. However, as connectivity and automation have increased (and are still increasing at pace), the safety challenge has now been joined by a cyber security challenge, resulting in a concept of cyber safety.
Many modern vehicles have Advanced Driver Assistance Systems (ADAS), such as Adaptive Cruise Control and Lane Keep Assist, that require software to automatically control physical aspects of the vehicle, e.g. steering, braking and acceleration. These systems have primarily been designed to increase safety; however, as thousands of lines of complex code are controlling these vehicle functions, cyber security flaws could result in catastrophic outcomes and, therefore, cyber security and functional safety have become closely coupled.

Regulatory compliance

Automotive cyber security standards are being developed to support the industry and regulations have been recently introduced. These will ensure that the vehicle manufacturers and their suppliers don’t just consider cyber security as a checklist item during their production phase, but instead embed cyber security into their entire vehicle design and development lifecycle, making fundamental cultural changes to the way vehicles are created.

Cyber security basics and the prioritisation of cyber activities

The diverse nature of the automotive industry – from small electric vehicle start-ups to huge multinational manufacturing groups and many other shapes and sizes of organisation in between – means that cyber security has had different priorities in different companies historically. This is especially due to the tight margins within the sector. A recent industry report 6 highlighted that 30% of car manufacturers and suppliers do not have an established product cyber security programme or team. Therefore, the automotive industry is facing a steep learning curve and will require significant assistance from the cyber security community.

Resourcing challenges and return on cyber investment

As in many other industries, the automotive sector faces serious cyber security resourcing challenges.
In an article 7, our CTO, Ollie Whitehouse, highlighted the shortage of cyber resilience skills, explaining that from our own research, of those who planned to outsource elements of their cyber security in the next 12 months, 43% said that this was being driven by return on investment. This suggests that organisations recognise the importance of validating cyber security spend, but they are not confident that they have the skills or resources to do so in house.

How we are helping the automotive industry tackle these challenges

The NCC Group Transport practice has been part of the independent review process validating new automotive cyber security standards and has aligned our services (in some cases, developing new ones) to help support vehicle manufacturers to achieve compliance with the new regulations, as the most serious consequence of non-compliance is the inability to sell new vehicles. The services involve close collaboration between our governance, risk and compliance teams and deeply technical cyber security experts with automotive industry-specific knowledge and expertise.

Our services help vehicle manufacturers to address some fundamental cyber security challenges, not just to achieve initial compliance with the regulations, but to maintain that compliance by changing cyber security culture. As advisory partners to our customers, we will continue to help them increase their cyber security maturity by providing expert advice, security assurance and software resilience, which over time is expected to become a market differentiator within the automotive industry.

6 Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices – Ponemon Institute.
7 https://www.mynewsdesk.com/nccgroup/blog_posts/technical-viewpoint-cyber-resilience-skills-please-mind-the-gap-101288.
[Chart: Regulatory compliance driving automotive industry investment in cyber security. Automotive cyber market size* ($bn), 2020 to 2025, by cyber security hardware, cyber security software and cyber security processes]

Key NCC Group services: Risk management, Remediate, SDLC, Pentesting, Vehicle SOC

• UNECE cyber security regulation adopted January 2021
• Supporting international standard published Q3 2021
• New vehicle types with over-the-air software updates must be certified July 2022
• New vehicle types without over-the-air software updates must be certified July 2024
• All new registrations with over-the-air software updates must be certified July 2024
• All new registrations without over-the-air software updates must be certified April 2026

[Timeline labels: Japan and Europe; Japan; Japan and Europe; Japan. Legend: Preparation for certification; Certification deadlines]

* Source: https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/cybersecurity-in-automotive-mastering-the-challenge.

BUSINESS MODEL INSIGHTS: DEVELOP CYBER MATURITY

Building resilience within local government

A ransomware attack on a UK local government authority in early 2020, which significantly disrupted its ability to maintain operations, brought into sharp focus the risk posed by cyber criminals and other malicious actors. This event raised concerns that comparable organisations within the public sector may also be similarly vulnerable, and highlighted the importance of maintaining citizen services and operational resilience.
In response a central government sponsored 14-week remediation programme was initiated to rapidly establish the risk position in 28 organisations thought to be at the greatest risk of ransomware, and to make practical interventions to reduce the specific risks identified. The objectives were:

• Reduce vulnerability of backups to ransomware attack
• Reduce the susceptibility of organisations to ransomware attacks
• Improve the longer-term resilience of each organisation

An initial view of the risk in key areas was established through a targeted questionnaire and workshops, with a programme of accelerated security improvement and remediation work initiated to quickly reduce risk across all organisations.

A collaborative approach

The pace of the programme required a high degree of integration and collaboration across the broad stakeholder group, working with multiple independent organisations each with different priorities. The joint programme between the local authorities, Ministry of Housing, Communities and Local Government, Cabinet Office and our team of NCC Group experts coupled with the broader stakeholders required a highly transparent and flexible operating model to succeed.

A baseline of vulnerability exposure and security posture was established through a facilitated, self-assessment approach via a workshop. This provided an indication of the risk present in each estate; however, in most cases, a cyber threat actor emulation was required to truly understand security posture.

The delivery of risk prioritised remediation at this scale was only achievable through a modular approach that delivered essential solutions to the organisations that needed them. The modules are continually updated based on the latest technology and threat information and cover key security and resilience themes. This approach allowed consistency of delivery at scale for common risks, while enabling a more flexible approach to unique risks where required.
Outcomes

The programme quantifiably reduced the risk of the ransomware threat across many organisations critical to the UK government’s Covid-19 response:

• All critical and high risks identified in relation to both the vulnerability of backups to ransomware and the broader susceptibility to ransomware were reduced to a controllable level
• All organisations received a long-term security improvement plan detailing residual risk and recommendations for continuous improvement
• 221 remediation modules were delivered across all organisations using multi-disciplinary teams of cyber consultants and engineers

Achieving sustainable cyber security resilience

What needs to be in place?
• The desire to tackle deep-seated challenges
• Understanding the technology is vital rather than simply executing compliance
• The importance of long-term improvement programmes
• A minimum cyber resilience criteria to support investment

The scale and criticality of the cyber security challenges we all face can only be tackled through a collaborative approach that embraces diverse teams and perspectives across the public and private sectors. It’s not easy, but the benefits in understanding and reducing risk are significant.

Pete Cooper, Deputy Director Cyber Defence in the UK Cabinet Office

BUSINESS MODEL INSIGHTS: DEVELOP “RESILIENCE BY DESIGN”

Promoting safe and secure cloud adoption worldwide

The last year has seen intensified global dialogue on the challenges facing regulatory authorities around the world, to update guidance, rules and frameworks on third party and technology risk management and operational resilience in the face of accelerated cloud and technology adoption, particularly in financial services.
Third party software has become a permanent fixture of many competitive organisations’ supply chains: according to the Bank of England, 40 to 90% of banks’ workloads globally could be hosted on public cloud or Software-as-a-Service within a decade.

We have been delving into the topic of operational resilience and third party risk management within financial institutions (FIs), exploring what the latest guidelines and proposals released by regulators across the globe mean for businesses, their resilience, and the pace of digital transformation across the sector. As reliance on third party software and its availability continues to increase, financial institutions must ensure that all providers they work with have the necessary risk mitigation and business continuity measures in place.

Taking action

• Organisations should assess the resilience of their supply chain, categorising outsourcers on their criticality, financial stability and concentration risk, with particular attention paid to services in the cloud
• Once this is understood, businesses can put the appropriate strategies and systems in place to manage risk. Organisations should look for suppliers that proactively deliver complementary risk mitigation and business continuity assurance that fit with the organisation’s needs. This can include implementing robust onboarding and procurement policies that ensure that software escrow agreements and verification testing are built into any supplier contracts
• For every outsourcing agreement, organisations are required to develop a business continuity plan in order to protect business-critical applications. This can be tested repeatedly using software escrow verification tests, which ensure that an application can be rebuilt should the need arise
• For many financial institutions and their outsourcers, these regulatory changes could mean that a lot of resource must be used on the creation and implementation of viable stressed exit plans.
However, for those with escrow agreements already in place, organisations can test their existing procedures and cover anything that has been missed

NCC Group has long taken the view that software, technology and data escrow solutions offer legal and technical assurance to allow firms to adopt, innovate and manage third party technologies with confidence. We continue to engage with regulators worldwide to encourage them to acknowledge escrow agreements as a mechanism that enables organisations to comply with third party risk mitigation, outsourcing and business continuity requirements and as a way to operate and grow in a resilient, safe and secure way.

We believe that awareness and education of operational resilience need to improve and that regulators can play a role in supporting financial institutions in achieving resilience by design.

Simon Fieldhouse, Global Managing Director, Software Resilience

Overview of the financial regulatory authorities publishing consultations, supervisory statements and updated guidance on operational resilience and third-party risk management over the past 12 months.
Canada: Office of the Superintendent of Financial Institutions (OSFI) Technology Risk Consultation
United Kingdom: Prudential Regulation Authority (PRA) Supervisory Statement SS2/21 on Outsourcing and Third Party Risk Management
European Union: Digital Operational Resilience Act
Ireland: Central Bank of Ireland Consultation on Cross Industry Guidance on Operational Resilience
United States: Proposed Interagency Guidance on Third-Party Relationships: Risk Management
Financial Stability Board: Discussion Paper on Outsourcing and Third Party Relationships
Dubai: Dubai Financial Services Authority Guidelines for Financial Institutions Adopting Enabling Technologies
Singapore: Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines

BUSINESS MODEL INSIGHTS: MANAGE CYBER OPERATION

Protecting critical research and education

The ever-evolving threat landscape means that beyond the initial assess and develop phases it is vital to continually improve levels of security, detect incidents and react to them.

We were engaged by a university to design a comprehensive package, including a broad, ongoing Managed Detection and Response (MDR) solution. From our previous experience in the higher education sector, we knew that securing universities from cyber threat can be more complex than in other sectors. Liberal expectations of information sharing from the student body need to be balanced with the requirement to protect extremely valuable intellectual property. A nuanced and segmented approach to risk is required. Additionally, any solution had to work for both on-premise and cloud architectures.

The starting point was to understand the enterprise deployment in a way that was digestible by the customer’s security team.
From this baseline, the priority was to implement a solution to identify malicious activity at the earliest point to accurately report incidents so that effective remediation could be conducted. The NCC Group technical team designed a multi-layered solution, including a Managed Detection and Response (MDR) suite incorporating Security Information and Event Management, endpoint detection and network detection with a unifying service wrap centred on a 24/7 security operations centre (SOC) facility.

During the engagement, we were presented with a time-critical challenge to assure the security of its essential Covid-19 research programme, which was part of a World Health Organization global megatrial on treatments. Our specialist team worked round the clock to ensure the infrastructure was penetration tested, remediated and added to 24/7 monitoring within three days.

One year on, the customer’s cyber risk was detailed and demonstrated and a risk mitigation solution was designed and is now managed through a 24/7 MDR solution. The benefit is the university is better informed and more secure and the solution enables it to continue in its critical research and develop the next generation of leaders through its educational programmes.

SURF partnership – protecting universities in the Netherlands

In January 2021 we announced a partnership with SURF – the IT cooperative for education and research across the Netherlands – to provide 24/7 security incident and event management (SIEM) and security operations centre (SOC) services over the next five years. Our specialist team in Delft provides the services in support of SURFsoc – the security operations service launched by SURF, which is dedicated to securing and continuously monitoring the systems of all its member institutions.
SURFsoc is a forward-thinking example of how industry-wide bodies, individual institutions and security teams can work together to improve the resilience of entire sectors and we are proud to be providing our expert services in support of this mission. This combination of ongoing knowledge sharing and 24/7 threat intelligence gathering is a model that will not only increase the resilience of individual educational institutions, but will be at the forefront of educational security around the world in the years to come.

Inge Bryan, Managing Director, Assurance Europe

Strategy and KPIs

Executing our strategy

We are successfully executing our strategy, realising our vision to become the complete provider of cyber and software resilience solutions globally. This section demonstrates how we are making progress to becoming a one-stop shop for our customers, offering them a complete set of cyber and software resilience services, which are promoted and sold to a global market, underpinned by research, data and quantification.
In securing NCC Group’s future, we build on strong foundations to create a highly engaged and diverse talent base, as we continue to:
• Broaden our portfolio, adding services and solutions across the complete Assess – Develop – Manage cyber lifecycle
• Improve how we go to market globally, becoming easier to engage with and buy from

Read more on our business model on pages 20 and 21

Link to risks:
1 Business strategy
2 Management of strategic change
3 Global pandemic – Covid-19
4 Availability of critical information systems
5 Attracting and retaining appropriate colleague capacity and capability
6 Information security risk (including cyber risk)
7 Quality of Management Information Systems (MIS) and internal business processes
8 Quality and Security Management Systems
9 Post-Brexit
10 Sustainability

Read more on our risks on pages 40 to 48

Lead the market

Deliver world-class research and thought leadership coupled with leaders who can gauge audiences and convey our message across all channels

What we said we would do
• Continue high impact research

What we have achieved
• Published 71 blog posts and 37+ technical advisories on our dedicated research blog, attracting a quarter of a million visitors
• Released 35 open-source tools, and contributed to security standards development for C, Kubernetes and post-quantum cryptography
• Recognised as some of Microsoft Security Response Center’s (MSRC) most valuable security researchers
• Led the CyberUp Campaign to improve legal protections for cyber security and threat intelligence researchers
Read more on page 49
• Commercial R&D accounted for up to nearly 1.5% of total revenue, under leadership of newly appointed Head of Commercial Research
Read more on our research on pages 18 and 19

KPIs
3,400+ research days (2020: 3,300)
51 conference presentations, over 20 at Tier 1 venues (2020: 76)

Link to risks 1 2 4 5 6 7 8 10

Win business

Win high value work as a result of a deep understanding of our customers’ cyber needs in the context of their business

What we said we would do
• Create “One Global Offer” that articulates the full spectrum of our services to deliver the firm across the globe

What we have achieved
• Increased amount and effectiveness of marketing spend following formation of one global marketing team
• Validated strategic focus on cloud, data, managed services and remediation solutions while creating a more consolidated and focused platform for future growth
• Used agile methodology to deliver six new solutions in response to market demand, including a next generation SaaS platform for digital escrow deposits and secured digital vault storage, data science-based analytical and machine learning approaches to threat detection, and our new data-driven cyber risk quantification and peer comparison offer
• Formally launched our Software Resilience Partner Network, working with 51 software vendor partners as their resilience partner of choice

Deliver excellence

Deliver consistently high quality solutions that our customers value, fully utilising our global capability and the technical excellence of our consultants

What we said we would do
• Promote a global delivery model and embed new ways of working with our clients, providing a distinctive service

What we have achieved
• Invested £3m to launch and grow our new Remediation proposition globally, and expand our technology suite across Managed Detection and Response (MDR) to include Splunk, CarbonBlack and, now, Microsoft Sentinel
• Implemented Global Assurance (specifically the creation of one EU business, Global Professional Services and Global Managed Services) to drive collaboration and unlock efficiencies through common delivery methodologies and global resourcing, and common technology stacks and global product development roadmaps
• Launched a new customer operations team to provide a single post-sales interface for our UK Software Resilience customers

KPIs
Technical specialists increased by 49 (2020: 91)
10,600 days’ global resourcing (2020: 5,100 days)

KPIs
Revenue (£m): £270.5m (bar chart, years 17 to 21)
134 orders with a value greater than £250k (2020: 144)
£2.2m Software Resilience cloud proposition orders (EaaS) (2020: £1.2m)

Link to risks 1 6 10
Link to risks 1 2 3 4 5 6 7 8 10

Support growth

Provide the tools and processes that enhance how we work today enabling access to quality management information

What we said we would do
• Deploy systems that provide us with the information we need to run the business in an assertive and agile way

What we have achieved
• On track to build a system ready for the future, offering global visibility of quality data and improved efficiencies and profitability
• YoY gross margin improvement of 1.4%
• Systems and process landscape is more robust than ever
• North America Assurance division pilot of Workday PSA and Kimble to improve user acceptance and embrace cultural change
• Launch of Workday Adaptive to shift to active forecasting processes
• Creation of benefits delivery team to drive business ownership and closer alignment across systems

KPIs
Adjusted operating profit (£m) 2,3: £39.2m (bar chart, years 17 to 21; 20 restated 3)
Cash conversion (%) 2,3: 88.2% (bar chart, years 17 to 21; 20 restated 3)

Develop our people

Create a positive colleague experience like no other offer in the industry, investing in our talent and organisation to unlock our full potential

What we said we would do
• Be a hub for cyber talent, and a quirky, distinctive environment where individuals and teams thrive
• Support our people on learning and development

What we have achieved
• Launched a career framework and learning pathways pilot for our UK Assurance delivery colleagues across technical, consulting and management functions
• Launched the Next Generation Manager Programme in the North America and UK Assurance divisions following its successful pilot in Software Resilience (100% of the initial cohort are now in manager roles)
• Created a global people managers’ forum to support them to manage the drivers of engagement, and expanded our colleague forums globally, as part of a culture of active listening
• Gender decoded our job adverts and piloted the redaction of CVs to remove unconscious bias
Read more on our sustainability on pages 53 to 68

KPIs
Attrition rate (%): 17.0% (bar chart, years 17 to 21)
Engagement score (Best Companies): One to Watch
Employee engagement score 642.7 (2020: 626.9)

Link to risks 1 2 3 4 5 7 9 10
Link to risks 1 3 5 10

2 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 187 and 188.
3 See Note 34 for an explanation of the prior year restatement recognised in relation to the adoption of the IFRIC agenda decision on cloud configuration and customisation costs in April 2021.
Chief Financial Officer’s review

Strong financial performance

Overview 1

We have delivered another period of good financial results, demonstrating our resilience during a global pandemic. During 2022, the Group will continue to strategically invest for the future with the expectation of higher revenue growth accompanied by increased global costs from inflationary pressures as well as a resumption in travel and office usage. Group revenues increased by 2.6%. On a constant currency basis 2, Group revenues increased by 3.6% due to the strengthening of Sterling against the US Dollar.

In Assurance, the North American and EU Assurance businesses grew by 6.5% and 5.9% respectively on a local currency basis 3. Our UK and APAC region increased 3.9%, supported by growth in MDR and the launch of the Remediation service. Disappointingly, Software Resilience declined by 2.4%. This decline was mainly a result of execution challenges in a remote environment together with retaining sales colleagues and attracting sufficient sales resource to enable a return to contract growth.

Gross profit increased by 5.9% to £110.6m (2020: £104.4m) with margin percentage increasing to 40.9% (2020: 39.6%) mainly owing to higher global resourcing and utilisation offset by a c.£2m provision taken in relation to long-term European contracts as a result of pandemic disruption, cost increases and project management challenges. Assurance margin percentage increased to 36.1% (2020: 34.0%) and Software Resilience decreased to 71.6% (2020: 73.3%) due to execution challenges.

Total administrative expenses (including Individually Significant Items) have increased by £1.5m compared to the adjusted prior year figure mainly owing to a tighter control of overheads, a reduction on travel and office costs of c.£3m, a profit arising on disposal of an intangible asset of £0.5m and a reduction in amortisation of intangibles of £2.4m, offset by increased system licence costs of £1.3m, a foreign exchange charge of £1.5m, an increase in a share-based payment charge of £1.4m and an increase in Individually Significant Items of £4.8m. Following the adoption of the IFRIC agenda decision on cloud configuration and customisation costs, capitalised software and development costs during the year amounted to £2.3m (2020: restated £2.3m 3), with all cloud configuration and customisation costs now being expensed as incurred. Further details on the application of IFRIC agenda decision and prior year restatement are included later in this review.

Operating profit has increased by 37.3% to £17.3m (2020: restated £12.6m 3) following the inclusion of Individually Significant Items of £12.7m (2020: restated £7.9m 3) in relation to the IPM US Acquisition (£7.6m) and cloud configuration and customisation costs associated with the Group’s SGT transformation programme (£5.1m, 2020: restated £7.9m 3). Operating profit also includes amortisation of acquired intangible assets of £6.4m (2020: £8.8m) and share-based payments of £2.8m (2020: £1.4m). Adjusted operating profit 2, 3 increased by 27.7% to £39.2m (2020: restated £30.7m 3). Adjusted EBITDA 2 increased by 15.4% to £52.5m (2020: £45.5m).

Profit before taxation increased by 54.2% to £14.8m (2020: restated £9.6m 3) following the inclusion of Individually Significant Items noted above. Basic EPS amounted to 3.6p and diluted EPS amounted to 3.5p (2020: restated basic and diluted 2.3p 3). Adjusted basic EPS 2 amounts to 9.5p (2020: restated 7.6p 3).

During the year, we secured the acquisition of the IPM business and following shareholder approval on 1 June we completed the transaction for $220m, subject to a normalised working capital adjustment. On this basis, the results of the IPM business will be consolidated from 1 June 2021. The acquisition was funded through an equity placing in May (£70.2m) combined with a new three year $70m term loan, existing cash balances and our revolving credit facility.

Our Balance Sheet remains strong; we have continued to demonstrate effective cash management with cash conversion 2 of 88.2% and are now cash positive. Our Balance Sheet strength can therefore continue to fund organic and inorganic opportunities.

The Board is also declaring an unchanged interim dividend of 3.15p per ordinary share (2020: 3.15p). This represents a dividend equal to that paid in the prior year as the Board is conscious of the need to invest in initiatives to support longer-term growth and service debt profile following the recent acquisition. The dividend policy will therefore continue to remain under review.

Tim Kowalski
Chief Financial Officer

1 References for the Group’s results are for continuing operations.
2 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 187 and 188.
3 See Note 34 for an explanation of the prior year restatement recognised in relation to the adoption of the IFRIC agenda decision on cloud configuration and customisation costs in April 2021.
Financial summary

Summary Income Statement 1:

£m                                2021      2020 (restated) 3   % change
Revenue                           270.5     263.7               2.6%
Cost of sales                     (159.9)   (159.3)             (0.4%)
Gross profit                      110.6     104.4               5.9%
Depreciation and amortisation     (13.3)    (14.8)              10.1%
Other administration expenses     (58.1)    (58.9)              1.4%
Adjusted operating profit 2, 3    39.2      30.7                27.7%
Individually Significant Items    (12.7)    (7.9)               (60.8%)
Acquired intangible amortisation  (6.4)     (8.8)               27.3%
Share-based payments              (2.8)     (1.4)               (100.0%)
Operating profit                  17.3      12.6                37.3%
Finance costs                     (2.5)     (3.0)               16.7%
Profit before taxation            14.8      9.6                 54.2%
Taxation                          (4.8)     (3.2)               (50.0%)
Profit for the year               10.0      6.4                 56.3%
EPS
Basic                             3.6p      2.3p                56.5%
Diluted                           3.5p      2.3p                52.2%

Revenue summary:

£m                                2021      2020                % change
Assurance                         233.9     226.2               3.4%
Software Resilience               36.6      37.5                (2.4%)
Total revenue                     270.5     263.7               2.6%

Operating profit summary:

£m                                2021      2020 (restated) 3   % change
Assurance                         29.6      22.3                32.7%
Software Resilience               16.0      16.9                (5.3%)
Central and head office           (6.4)     (8.5)               24.7%
Adjusted operating profit 2, 3    39.2      30.7                27.7%
Individually Significant Items    (12.7)    (7.9)               (60.8%)
Acquired intangible amortisation  (6.4)     (8.8)               (27.3%)
Share-based payments              (2.8)     (1.4)               100%
Operating profit                  17.3      12.6                37.3%
Operating profit margin %         6.4%      4.8%                1.6% pts

Alternative Performance Measures (APMs)

Throughout this Financial Review, certain APMs are presented. As discussed in the FY20 Annual Report and in accordance with FRC guidelines, the Group no longer presents a Consolidated Income Statement showing adjusting items separately.
In prior periods, the Group disclosed adjusting items in 2020 of £10.2m relating to amortisation of acquired intangibles (2020: £8.8m) and share-based payments (2020: £1.4m) as a separate column on the face of the Consolidated Income Statement. This is no longer disclosed in this way to simplify the Group’s results. However, as the Group manages internally its performance at an Adjusted operating profit level (before Individually Significant Items, amortisation of acquired intangibles and share-based payments), which management believes better represents the underlying trading of the business, this information is still disclosed as an APM. This APM is reconciled to statutory operating profit, together with the consequently Adjusted basic EPS (before Individually Significant Items, amortisation of acquired intangibles, share-based payments and the tax effect thereon) to statutory basic EPS.

This change has removed the following adjusted measures from the Group’s narrative reporting and disclosures:
• Adjusted profit before taxation
• Adjusted taxation

Following this revision to APMs, the Group has the following APMs/non-statutory measures:
• Adjusted EBITDA (reconciled below and in Note 3)
• Adjusted operating profit (reconciled below and in Note 3)
• Adjusted basic EPS (pence) (reconciled in Note 10)
• Net cash/(debt) excluding lease liabilities (reconciled in Note 3)
• Net cash/(debt) (reconciled in Note 3)
• Cash conversion (reconciled in Note 3)

These measures provide supplementary information that assists the user to understand the financial performance, position and trends of the Group. Further detail is included within the glossary of terms to these Financial Statements that provide supplementary information that assists the user in understanding these APMs/non-statutory measures.
The Group also reports certain geographic regions on a constant currency basis to reflect the underlying performance taking into account constant foreign exchange rates year on year. This involves translating comparative numbers to current year rates for comparability to enable a growth factor to be calculated. In addition, the Group also reports these regions on a local currency basis to demonstrate the revenue performance on a local basis. As these measures are not statutory revenue numbers, management considers these to be APMs; see Note 3 for further details.

Divisional performance

Divisional performance includes the allocation of certain central costs incurred on behalf of the divisions. Segmental information is disclosed below:

2021 £m                                    Assurance   Software Resilience   Central and head office   Group
Revenue                                    233.9       36.6                  –                         270.5
Cost of sales                              (149.5)     (10.4)                –                         (159.9)
Gross profit                               84.4        26.2                  –                         110.6
Gross margin %                             36.1%       71.6%                 –                         40.9%
General administrative expenses allocated  (45.4)      (9.5)                 (3.2)                     (58.1)
Adjusted EBITDA 2                          39.0        16.7                  (3.2)                     52.5
Depreciation and amortisation              (9.4)       (0.7)                 (3.2)                     (13.3)
Adjusted operating profit 2, 3             29.6        16.0                  (6.4)                     39.2
Individually Significant Items             –           –                     (12.7)                    (12.7)
Acquired intangible amortisation           –           –                     (6.4)                     (6.4)
Share-based payments                       –           –                     (2.8)                     (2.8)
Operating profit                           29.6        16.0                  (28.3)                    17.3

2020 (restated) 3 £m                       Assurance   Software Resilience   Central and head office   Group
Revenue                                    226.2       37.5                  –                         263.7
Cost of sales                              (149.3)     (10.0)                –                         (159.3)
Gross profit                               76.9        27.5                  –                         104.4
Gross margin %                             34.0%       73.3%                 –                         39.6%
General administrative expenses allocated  (43.9)      (10.0)                (5.0)                     (58.9)
Adjusted EBITDA 2                          33.0        17.5                  (5.0)                     45.5
Depreciation and amortisation              (10.7)      (0.6)                 (3.5)                     (14.8)
Adjusted operating profit 2, 3             22.3        16.9                  (8.5)                     30.7
Individually Significant Items             –           –                     (7.9)                     (7.9)
Acquired intangible amortisation           –           –                     (8.8)                     (8.8)
Share-based payments                       –           –                     (1.4)                     (1.4)
Operating profit                           22.3        16.9                  (26.6)                    12.6

The following additional information and reconciliation is noted in relation to Adjusted operating profit due to the adoption of the IFRIC agenda decision:

                                                        2021 £m   2020 £m   Change
Adjusted operating profit (as noted above)              39.2      30.7      27.7%
Proforma amortisation charge in respect of certain
cloud-based software arrangements (see explanation
below)                                                  (3.0)     (1.4)     (114.3%)
Adjusted operating profit less a proforma amortisation
charge in respect of certain cloud-based software
arrangements                                            36.2      29.3      23.5%

The proforma amortisation adjustment noted above represents an estimate of the amortisation that would have been recognised had the Group not changed its accounting policy in the current year following additional clarification on the accounting in relation to the configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS) arrangements in the IFRIC agenda decision issued in April 2021. The proforma amortisation charge is estimated based on cloud configuration and customisation costs charged to the income statement in the year of £5.1m (2020: £7.9m). The Directors consider that Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements is comparable to Adjusted operating profit previously reported.

Amortisation of acquired intangibles decreased during the year as certain historical acquisitions became fully amortised. It is expected that for FY22, the charge will increase significantly following the US acquisition of the IPM business.

Share-based payments increased during the year following the introduction of new share schemes for key management.
Assurance

The Assurance division accounts for 86.5% of Group revenue (2020: 85.8%) and 76.3% of Group gross profit (2020: 73.7%).

Assurance revenue analysis – by originating country:

                                     2021 £m   2020 £m   % change
UK and APAC *                        102.7     98.8      3.9%
North America                        82.7      82.4      0.4%
Europe *                             48.5      45.0      7.8%
Total Assurance revenue              233.9     226.2     3.4%

* With the continuing growth and formation of a European division we have changed geographical segments in line with how this information is reported to the Board and managed on an ongoing basis and have restated prior year figures on a like-for-like basis. The APAC division was previously included within the segment Europe and APAC. See the notes to the Financial Statements for further detail.

Assurance revenue increased by 3.4% despite lower rechargeable travel expenses, foreign exchange and the ongoing disruption of a global pandemic. UK and APAC increased by 3.9% supported by growth in MDR and the launch of the Remediation service. North America grew by 6.5% on a local currency basis ($) and Europe experienced continued growth after benefit from multi-year product sales in 2020. Our global average order value increased by 2.3% year on year.

Assurance revenue analysed by type of service/product line:

                                     2021 £m   2020 £m   % change
Global Professional Services (GPS) **  172.2   166.2     3.6%
Global Managed Services (GMS) **     56.2      49.6      13.3%
Product sales (own and third party)  5.5       10.4      (47.1%)
Total Assurance revenue              233.9     226.2     3.4%

** With the continuing global growth and focus on recurring revenues we have changed the type of service/product lines in line with how this information is to be reported to the Board and managed on an ongoing basis and have restated prior year figures on a like-for-like basis. Previously Risk Management Consulting was shown separately and is now included within Global Professional Services, and certain other activities are now included in Global Managed Services.
Contained within GMS is Managed Detection and Response (MDR) which is considered the high growth service line due to the nature of the cyber resilience market. Product sale categorisation has remained the same.

Global Professional Services grew by 3.6% to £172.2m (2020: £166.2m) supported by global resourcing with Covid-19 still felt across all geographies. During the year, day rates have remained consistent.

Global Managed Services, a service line that provides operational cyber defence and managed security services, grew in total by 13.3% to £56.2m (2020: £49.6m). Within GMS, our MDR offering grew by 14.3% to £45.5m. Sales orders secured during the period amounted to £71.8m compared to £62.0m in 2020, a 15.8% increase, although slower procurement processes were still experienced due to the pandemic.

Assurance gross profit is analysed as follows:

                                     2021 £m   2021 % margin   2020 £m   2020 % margin   % pts change
UK and APAC *                        41.0      39.9%           35.0      35.4%           4.5% pts
North America                        27.4      33.1%           25.9      31.4%           1.7% pts
Europe *                             16.0      33.0%           16.0      35.6%           (2.6% pts)
Assurance gross profit and % margin  84.4      36.1%           76.9      34.0%           2.1% pts

Gross margin improved due to higher global resourcing (increased from 5,094 days to 10,602 days), lower client travel and billable utilisation (+7%) through remote delivery, offset by a c.£2m provision taken in relation to long-term European contracts caused by pandemic disruption, cost increases and project management challenges.

Software Resilience

The Software Resilience division accounts for 13.5% of Group revenues (2020: 14.2%) and 23.7% of Group gross profit (2020: 26.3%).
Software Resilience revenue analysis – by originating country:

                                     2021 £m   2020 £m   % change
UK                                   25.2      25.9      (2.7%)
North America                        7.3       7.8       (6.4%)
Europe                               4.1       3.8       7.9%
Total Software Resilience revenue    36.6      37.5      (2.4%)

In Software Resilience, we experienced a disappointing overall revenue decline of 2.4%. This decline was mainly a result of execution challenges in a remote environment together with recruiting sufficient sales resource to enable a return to contract growth. The UK experienced a decline of 2.7% exacerbated by recruitment challenges in a pandemic market. North America declined 6.4% albeit 2.9% on a constant currency basis due to a decrease in on-premise testing. Europe, as a relatively new market, continued to progress positively during the year mainly due to increased testing revenues. Renewal rates improved to 89.2% (2020: 87.0%) and remain within our expected range.

Software Resilience revenues analysed by service line:

Software Resilience services revenue 2021 £m   2020 £m   % change
Software Resilience contracts        24.0      25.8      (7.0%)
Verification services                12.6      11.7      7.7%
Total Software Resilience revenue    36.6      37.5      (2.4%)

Our contract revenue was impacted by the pandemic and sales recruitment challenges. Our future expectation is that our nascent channel sales model will contribute to revenue going forward. Verification services grew 7.7% to £12.6m owing to the success of EaaS (£0.8m).

Gross margin is analysed as follows:

                                               2021 £m   2021 % margin   2020 £m   2020 % margin   % pts change
UK                                             18.4      73.0%           19.5      75.3%           (2.3% pts)
North America                                  4.9       67.1%           5.3       67.9%           (0.8% pts)
Europe                                         2.9       70.7%           2.7       71.1%           (0.4% pts)
Software Resilience gross profit and % margin  26.2      71.6%           27.5      73.3%           (1.7% pts)

Gross profit has declined due to the challenges noted above and as we started to make investments in our channel proposition and cloud infrastructure to underpin sustainable growth.
Individually Significant Items

During the period, the Group has incurred £12.7m of Individually Significant Items (ISIs) (2020: restated £7.9m 3). These items relate to the acquisition of the IPM business (£7.6m) and cloud configuration and customisation costs associated with the Group’s transformation programme SGT (£5.1m, 2020: restated £7.9m 3). These costs are considered material and are in accordance with the Group’s policy on identification of certain costs that distort the underlying performance of the Group. For further detail, please refer to Note 5 to the consolidated Financial Statements.

Net finance costs

Net finance costs for the period were £2.5m compared to £3.0m in 2020 due to the reduction in our drawn facilities and LIBOR during the global pandemic. Net finance costs include lease financing costs from IFRS 16 of £1.2m (2020: £1.2m).

Taxation

The Group’s effective statutory tax rate is 32.4% (2020: restated 33.3% 3). The Group’s adjusted tax rate is 27.8% (2020: 23.5%). The effective rate remains above the UK standard rate of corporation tax, reflecting the origin of a reasonable proportion of Group profits in overseas territories with higher tax rates than the UK and due to a review of US R&D tax credits recognition.
Earnings per share (EPS)

                 2021 pence   2020 (restated) 3 pence
Statutory
Basic EPS        3.6p         2.3p
Diluted EPS      3.5p         2.3p
Adjusted 2
Basic EPS        9.5p         7.6p

Cash flow and net debt 2

The table below summarises the Group’s cash flow and net debt 2:

                                                                        2021 £m   2020 (restated) 3 £m
Operating cash inflow before movements in working capital               47.3      38.8
Increase/(decrease) in trade and other receivables                      4.7       (11.0)
Increase in inventories                                                 (0.2)     (0.2)
(Decrease)/increase in trade and other payables                         (5.5)     19.2
Cash generated from operating activities before interest and taxation   46.3      46.8
Interest element of lease payments                                      (1.2)     (1.2)
Finance interest paid                                                   (1.1)     (1.6)
Taxation paid                                                           (5.1)     (4.8)
Net cash generated from operating activities                            38.9      39.2
Purchase of property, plant and equipment                               (2.7)     (2.8)
Software and development expenditure                                    (2.1)     (2.5)
Proceeds on disposal of intangibles                                     0.5       –
Equity dividends paid                                                   (13.0)    (12.9)
Repayment of lease liabilities                                          (6.0)     (5.3)
Proceeds from the issue of ordinary share capital                       72.6      1.1
Net movement                                                            88.2      16.8
Opening net debt                                                        (4.2)     (20.2)
Non-cash movements (release of deferred issue costs and
lease financing costs)                                                  (0.2)     (0.2)
Foreign exchange                                                        (0.5)     (0.6)
Closing net cash/(debt) excluding lease liabilities 2                   83.3      (4.2)
Lease liabilities                                                       (34.4)    (38.2)
Closing cash/net (debt) 2                                               48.9      (42.4)
Free cash flow (net cash generated from operating activities
less net capital expenditure)                                           34.6      33.9
Net cash/(debt) 2 can be reconciled as follows:

                                               2021 £m   2020 £m
Cash and cash equivalents                      116.5     95.0
Borrowings (net of deferred issue costs)       (33.2)    (99.2)
Net cash/(debt) excluding lease liabilities 2  83.3      (4.2)
Lease liabilities                              (34.4)    (38.2)
Net cash/(debt) 2                              48.9      (42.4)

The calculation of the cash conversion ratio 2 is set out below:

                                                          2021 £m   2020 (restated) 3 £m   % change
Net operating cash flow before interest and taxation (A)  46.3      46.8                   (1.1%)
Adjusted EBITDA 2 (B)                                     52.5      45.5                   15.4%
Cash conversion ratio 2 (%) (A)/(B)                       88.2%     102.9%                 (14.7% pts)

Cash conversion remains above our medium target of c.85%, as we have maintained strong cash management through the global pandemic.

The increase in tax paid is mainly due to the FY20 deferral of £1.2m under government tax deferral schemes now fully repaid.

Net cash capital expenditure during the year was £4.3m (2020: restated £5.3m 3) which includes tangible expenditure of £2.7m (2020: £2.8m) and capitalised software and development costs of £2.1m (2020: restated £2.5m 3), which has been offset by proceeds from the disposal of an intangible asset for £0.5m. Additional cash capital expenditure will be incurred during 2022 as we finish the installation and improve our new systems.

Acquisition costs paid prior to the shareholder approval on 1 June 2021 of the US acquisition of IPM amounted to £1.2m. During early FY22, further costs have been paid of c.£6.4m.

Dividends

Dividends of £13.0m paid in the year (2020: £12.9m) comprised the final dividend for FY20 of 3.15p and the interim dividend of 1.5p per ordinary share for FY21 (2020: 1.5p). The Board is declaring an unchanged final dividend of 3.15p per ordinary share (2020: 3.15p).
This represents a dividend equal to that paid in the prior year as the Board is conscious of the need to invest in initiatives to support longer-term growth and service debt profile following the recent acquisition. The dividend policy will therefore continue to remain under review. The final dividend will be paid on 12 November 2021, to shareholders on the register at the close of business on 15 October 2021. The ex-dividend date is 14 October 2021.

IPM acquisition and future statutory reporting

As noted within the Business Review, prior to our ownership of IPM, the business generated revenues of c.£23m and operating profit of c.£15m for the 12 months ended 31 December 2020, with cash conversion of c.90%. It is expected that for NCC Group’s FY22 financial year, the business will report proforma numbers on a similar basis and that we will incur c.£2.5m of one-off integration costs. However, on a statutory basis the Group will have to recognise acquisition fair value adjustments for the first year only in relation to deferred income, resulting in an expected consequential reduction to IPM numbers in relation to revenue and operating profit for the first year only.
Application of IFRIC agenda decisions and prior year restatement

In April 2021, the IFRS Interpretations Committee (IFRIC) published an agenda decision on the clarification of accounting in relation to the configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS) as follows:
• Amounts paid to the cloud vendor for configuration and customisation that are not distinct from access to the cloud software are expensed over the SaaS contract term
• In limited circumstances, other configuration and customisation costs incurred in implementing SaaS arrangements may give rise to an identifiable intangible asset, for example, where code is created that is controlled by the entity
• In all other instances, configuration and customisation costs will be expensed as the customisation and configuration services are received

Due to the nature of this agenda decision and the level of spend incurred in relation to the Group’s Securing Growth Together digital transformation programme, the Group’s accounting policy has been reviewed retrospectively to align with the IFRIC guidance recently issued in relation to SaaS costs previously capitalised. This has resulted in a prior year restatement to reflect costs previously capitalised as an expense when incurred and represents a non-cash adjustment. See Notes 1, 5, 12 and 34 to the Financial Statements for further details.

Financing facilities

The Group is financed through a combination of bank facilities, retained profits and equity. As at 31 May 2021, the Group had committed bank facilities (revolving credit facility) of £100m (2020: £100m), of which £33.8m (2020: £100m) was drawn down. These arrangements were agreed in June 2019 and are due for renewal in June 2024. Under these arrangements the Group can also request (seeking bank approval) an additional accordion facility to increase the total size of the revolving credit facility by up to £75m.
On 12 May 2021, the Group entered into a new Term Loan Facility Agreement of $70m, to fund the US acquisition of the IPM Software Resilience business in early June 2021. The Term Facility is repaid in annual instalments of $23.3m on each of 10 June 2022 and 10 June 2023, with a final instalment of $23.4m payable on 10 June 2024. The Term Facility Agreement also contains financial covenants consistent with the revolving credit facility.

On our banking covenants, leverage as at 31 May 2021 amounted to (1.8)x as we have become cash positive (2020: 0.1x) and net interest cover amounted to 35.0x (2020: 22.7x). The Group was in compliance with the terms of all its facilities, including the financial covenants, at 31 May 2021 and expects to remain in compliance with the terms going forward.

The terms and ratios are specifically defined in the Group’s banking documents (in line with normal commercial practice) and are materially similar to GAAP with the exceptions being net debt excludes IFRS 16 lease liabilities and Adjusted EBITDA 2 excludes amortisation of acquisition intangibles, share-based payments and Individually Significant Items.

Going concern

The Directors have acknowledged guidance published in relation to going concern assessments. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections. The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons.
The Directors have prepared cash flow and covenant compliance forecasts for the 12 month period ending September 2022 which indicate that, taking account of severe but plausible downsides and the anticipated impact of Covid-19 on the operations of the Group and its financial resources, the Group and Company will have sufficient funds to meet their liabilities as they fall due for that period. The Group is financed primarily by a £100m committed revolving credit facility that matures in June 2024. The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA 2) and interest cover (Adjusted EBITDA 2 to interest charge) that are tested bi-annually at 31 May and 30 November each year. As at 31 May 2021, the Group had drawn down £33.8m for working capital requirements. Subsequent to the year end and shareholder approval on 1 June, the Group acquired on 7 June the IPM business for $220m; the US acquisition was funded through an equity placing in May of £70.2m (net proceeds) combined with a new three year $70m term loan, existing cash balances and our existing revolving credit facility. The impact of the acquisition on the Group’s financial performance, covenants and business model has therefore been considered within this going concern assessment. As at 2 June 2021, following the acquisition of the IPM business, the Group had drawn down £75.5m of its revolving credit facility and was due to incur further transaction costs of £6.4m. As at 31 August 2021, cash, net debt (excluding lease liabilities) 2 and headroom amounted to £43.6m, £74.7m and £80.5m respectively. Although the Group has demonstrated resilience to the challenging environment resulting from Covid-19, the Directors acknowledge that the financial performance of the Group has been adversely impacted to a certain degree since the commencement of the pandemic, and for this reason the base case forecast for 2021 reflects this assessment. 
The continuing macro-economic risks and potential changes in government policies (on the severity of enforced lockdowns worldwide) could have a continued effect on the Group’s performance. However, trading throughout the pandemic has demonstrated resilience. The Directors have prepared a number of severe but plausible scenarios as follows:
1. The performance of FY22 continues to be similar to that of 2021, including the impact on regional and international operations of the Group and a potential reduction in growth.
2. An additional impact of Covid-19 during a two month period from January to February 2022 which coincides with a similar economic pandemic pattern as 2021.
3. Potential impact of customers’ inability to pay during a specified period.
4. Failure of execution of the strategy, loss of key customers and a number of acquisition related risks crystallising (for example increased customer churn, integration and cash collection issues).
5. Software Resilience performance does not return to growth and the Assurance business experiences similar impact of Covid-19 on its performance as 2021.
These scenarios have been modelled individually and also in combination in order to assess the Group’s ability to withstand multiple challenges, although the Directors do not believe a scenario combining all these risks to be plausible. The impact of these sensitivities has been reviewed against the Group’s projected cash flow position, available bank facilities and compliance with financial covenants. In the instance that a combination of the above scenarios arise, mitigating actions would be required to ensure that the Group remains liquid and financially viable, which might include a reduction of planned capital expenditure, freezing pay and recruitment and not paying a dividend to shareholders. All of the mitigating actions are within the Directors’ control. 
These forecasts, including the severe but plausible downsides, show that the Group is able to operate within its available banking facilities, with no forecasted covenant breaches, and that the Group will have sufficient funds to meet its liabilities as they fall due for that period. From a Company perspective, the Company places reliance on other Group trading entities for financial support. Having reviewed the current trading performance, forecasts, other Group trading entities’ financial support, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these Financial Statements. Accordingly, they continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 31 May 2021. Brexit The Group’s operations based in Continental Europe have so far proven structurally resilient to any significant disruption caused by Brexit. The main risks to the Group from Brexit continue to be any reduction in demand from an economic slowdown as well as real or perceived differences in data protection standards which impact our global ways of working. Tim Kowalski, Chief Financial Officer, 14 September 2021
2 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 187 and 188.
3 See Note 34 for an explanation of the prior year restatement recognised in relation to the adoption of the IFRIC agenda decision on cloud configuration and customisation costs in April 2021. 
Principal risks and uncertainties Embedded risk management systems Embedded risk management systems have supported the Group in pursuing its strategy for sustainable and profitable growth. Risk management Risk is an inherent part of doing business and risk management is a fundamental part of good corporate governance. A successful risk management process balances risk and reward and is underpinned by sound judgement of their impact and likelihood. The Board has overall responsibility for ensuring that NCC Group has an effective risk management framework, which is aligned to our business objectives. The Board has established a Risk Management Policy, which has established protocols, including: • Roles and responsibilities for the risk management framework • Risk scoring framework • A definition of risk appetite The integrated approach to risk management diagram summarises the Group’s overall approach to risk management, which is supported by a web-based tool – the Integrated Risk Management System (IRMS). The tool is designed to follow the risk management model described in the next section and records both strategic and operational risk registers and tracks risk mitigation action plans, helping embed ownership of risks and treatment actions while also providing access to live management information, which is used at both a Board and operational management level. NCC Group’s approach to risk management NCC Group adopts both a “top down” and “bottom up” approach to risk, to manage risk exposure across the Group to enable the effective pursuit of strategic objectives. The approach is summarised in the diagram on page 41. The approach is one of collaboration, which supports our comprehensive approach to risk identification, from the “top down” and “bottom up”. The Group believes that this is the most efficient and effective way to identify its business risks. 
Top down The Board, Audit Committee and Cyber Security Committee review risks on an ongoing basis and are supported by the Executive Committee and subject matter specialists (including Software Resilience, Assurance, information security, data protection and health and safety). The Board gives consideration to the Group’s strategic objectives and any barriers to their achievement. Bottom up The Board and senior leadership team engage with colleagues at every level of the Group in recognition of the importance of their expertise, contribution and views. In relation to matters of wrongdoing, or risks not being recognised and adequately managed, the Group has a robust and effective whistleblowing procedure, which is supported by the Safecall reporting line. Top down Strategic risk management Bottom up Operational risk management • Establishing guidance on the Group’s approach to risk management and establishing the parameters for risk appetite and associated decision making • Identification, review and management of identified Group strategic risks and associated actions • Ongoing consideration of: – IT and cyber-centric risk – Environmental risk • Implementing and embedding the Group’s Risk Management Policy and approach • Directing the delivery of the Group’s identified actions associated with managing/mitigating risk • Identification of key risk indicators, monitoring and taking timely action where appropriate • Instrumental in developing the risk management framework adopted by the Board • Providing governance and control over the IRMS • Conduit between the Board and the business units – providing training and support where appropriate • Developing and executing a risk-based internal audit plan to assess the management of risks • Execution of the delivery of the Group’s identified actions associated with managing risk • Timely reporting on the implementation and progress of agreed action 
plans • Provision of key risk indicator updates Managing risk from the top down Board Audit Committee Cyber Security Committee • Periodically assessing the effectiveness of the embedded Group risk management process • Challenging the content of the strategic risk register to support a comprehensive and balanced assessment of risk • Reporting on the principal risks and uncertainties of the Group Executive Board and leadership team • Responsible for reviewing the operational risks across the business units and Group • Challenging the appropriateness and adequacy of proposed action plans to mitigate risk • Giving due consideration to the aggregation of risk across the Group • Provisioning suitable cross-functional/business unit resource to effectively manage risk where appropriate Global Governance function, incl. dedicated CISO • Ongoing monitoring and reporting to the Board in relation to the progress being made by the business units in implementing agreed action plans to mitigate strategic risk • CISO dedicated to the identification, management, monitoring and reporting of data security risks Business units • Identification and reporting of strategic risk to the Board • Provision of reports and data relating to significant emerging risks to the Group (internal and external) • Implementation of risk management approach which promotes the ongoing identification, evaluation, prioritisation, mitigation and monitoring of operational risk Managing risk from the bottom up Effective pursuit of strategic objectives
[Figure: Risk management model. Four stages (Identify, Assess, Address, Monitor) set within corporate governance. Diagram labels: Identify risks; Identify inherent risks and likelihood of impact; Assess adequacy and effectiveness of existing controls; Evaluate mitigated risks and likelihood of impact; Develop action plans (treat, transfer, tolerate, terminate); Assign Director-level sponsorship; Monitor delivery of action plans/risk universe.]
Risk management model The Board has overall responsibility for ensuring that NCC Group adopts an effective risk management model, which is aligned to our objectives and promotes good risk management practice. We have therefore adopted the model described in this section and summarised in the diagram above. The Board, Audit Committee, Cyber Security Committee and Executive Team review risks on an ongoing basis throughout the year. The appropriateness and relevance of the risks and issues tracking system – IRMS – are monitored by the global governance team to ensure that it continues to be updated, meets the needs of the Group and remains in line with good risk management practice. In addition, there is a robust process in place for monitoring and reporting the implementation of agreed actions. We are satisfied that the Risk Management Policy, framework and model currently in place are sufficient to manage risk across the Group. The key areas of identifying, assessing, addressing and monitoring risks are explained in more detail below: Identify Risks exist within all areas of our business and it is important for us to identify and understand the degree to which their impact and likelihood of occurrence will affect the delivery of our key objectives. This is achieved through day-to-day working practices and incorporates risks in both the internal and external environment. Examples of identification include horizon scanning for legislative and market changes, operational and delivery reviews (such as SGT), procedures in relation to projects and change and independent systems audits. 
All identified risks are initially assessed for their “inherent” risk (risk with no controls in place), using a scoring mechanism that accounts for the likelihood of an event occurring and the impact that it may have on the Group. The scoring mechanism adopted takes account of high impact, low likelihood events and these risks are managed in a timely manner. In addition to ongoing risk identification, an annual exercise is undertaken to review the Group’s strategic risk universe by the Board. This exercise is reliant on the “top down” “bottom up” approach discussed earlier. Assess Post identification of the Group’s inherent risk exposure, a comprehensive assessment of the effectiveness of current mitigating controls is undertaken. This exercise takes account of the design of the current control environment and the application of these controls prior to assessing the Group’s current exposure to risk – mitigated risk score. The Board uses a number of sources of information to support the scoring of risk and these include, but are not limited to: • Management updates • Action tracking and reporting • Control environment policies and procedures • Independent audit activity • Project monitoring reports Address Having identified and assessed the risks faced by the Group, the risks are scored according to likelihood of occurring and impact to the business should they occur. The risks are then mapped according to their rating onto a risk heat map, which reflects the Group’s overall risk appetite set by the Board. The Group’s Risk Management Policy then provides guidance on the expected level of response to those risks, depending on where they sit on the risk heat map. The heat map shows the four bandings in the different shades of risks as set out below as well as expected actions and responses to risks in these areas: • Green – within appetite. Ongoing monitoring in place • Amber – out of appetite. 
Some actions are required to treat the risk to bring this within acceptable levels • Purple – significantly out of appetite. High combination of residual probability and impact. Management actions required, with some urgency, to treat the risk, reducing this to acceptable levels • Grey/black – risks that are deemed to have such an impact that they could theoretically impact the ability of the business to continue in existence. If any exist, they would need consideration in assessing the Directors’ Viability Statement An assessment of whether additional actions are required to reduce our risk exposure is undertaken, with actions falling into one of four categories: • Treat – develop an action plan (applying responsibility, deadlines and prioritisation) that may include the implementation of additional controls, or increase the requirement for additional assurance over the adequacy and effectiveness of the existing controls • Transfer – use a third party specialist to undertake the activity, thus mitigating the risk • Tolerate – determine the risk is within appetite • Terminate – exit the activity Output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders, or has been used in the development of the Group’s transformation programme. 
[Figure: risk heat map plotting the Group’s strategic risks by impact (low to high) against likelihood (low to high). Key: 1 Business strategy; 2 Management of strategic change; 3 Global pandemic – Covid-19; 4 Availability of critical information systems; 5 Attracting and retaining appropriate colleague capacity and capability; 6 Information security risk (including cyber risk); 7 Quality of Management Information Systems (MIS) and internal business processes; 8 Quality and Security Management Systems; 9 Post-Brexit; 10 Sustainability; 11 Acquisition of IPM.]
Monitor Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual. Examples of ongoing monitoring of business risks include, but are not limited to: • Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks • Annual review of the annual internal audit plan to validate that it incorporates key areas of business risk • At each Audit Committee, a review of internal audit reports issued during the period, including a summary of progress against previously raised management actions • Annual review of the strategic risk register by the Enterprise Risk Management Steering Group (introduced in FY21) and Board to ensure that it includes risks arising in year Internal control Whilst risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation. 
NCC Group has established a robust internal control framework which is made up of a number of components: Control environment The control environment has primarily been established taking account of the Group’s values (working together, being brilliantly creative and embracing difference) and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, whilst also maintaining integrity and transparency. Risk assessments Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements which is vital in our transformational programmes. Policies and procedures Established policies communicate expected behaviours and these are supported through procedures and guidelines defining required processes and controls. This in turn supports the business to adopt efficient and effective control environments. Information and communication Access to accurate and timely data is key in supporting our colleagues to make decisions and to be well informed in order to conduct, manage and control their areas of responsibility. During the year, the Group has continued to focus on its data systems – rolling out the Workday Finance system to support consistent controls and reporting. Activity monitoring Financial minimum controls were established during FY20 for local finance teams. The financial minimum controls have been self-assessed by all finance teams and a programme of audit against these standards launched in FY21. 
The financial minimum controls framework was established in consultation with the Chief Financial Officer, Group Financial Controller and local Finance Directors and has taken account of the implementation of Workday Finance. Further enhancement of the framework is being considered in preparation for potential changes proposed in the Brydon Review and related white paper issued by the Department for Business, Energy and Industrial Strategy. Financial accounting and reporting follows generally accepted accounting practices. Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies. Compliance with all legislation, current and new, is closely monitored. Risk and control reporting structure During the current financial year, NCC Group has focused on establishing the “three lines of defence” to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Security Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control. Three lines of defence: • First line – Group policies and procedures • Second line – Global Governance function, incorporating Health and Safety; Information Security; Data Protection; Compliance and Standards; and Corporate Legal • Third line – independent challenge and assessment, including ISO certification and internal and external audit Principal risks and uncertainties The Group continues to operate in a particularly dynamic and evolving marketplace. 
The current strategic risk register has been developed to reflect those factors and includes those risks that would threaten its business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, their potential impact and mitigating processes and controls are set out below. A risk related to sustainability (10) has been added to the strategic risks for FY21 and reflects the importance being placed on a sustainable business strategy by NCC Group and its investors. The heat map provides a pictorial representation of the Group’s strategic risks and their direction of travel. Strategic 1. Business strategy VR Link to strategy: Lead the market Win business Deliver excellence Support growth Develop our people A comprehensive business strategy is essential to the continued success of the Group as we strive to maximise shareholder value. Accountable Executive Adam Palser, Chief Executive Officer Impact A poor strategy or ineffective execution of a strategy could have a material negative impact on the Group’s financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group’s established position in the marketplace. Key controls and mitigating factors Members of the Board have significant experience in evolving business strategies. The Board is significantly engaged in both setting and reviewing strategy and held a dedicated strategy session in March 2021. Risk movement/impact 2. Management of strategic change Link to strategy: Win business Support growth Develop our people As the Group adapts and executes its strategy there are a number of complex projects and initiatives that not only need to be delivered but also require understanding and support from all colleagues. 
Impact Poor change management could lead to ineffective implementation of projects that then cost more to deliver, take longer to deliver and result in fewer benefits being realised (or all three). Poor delivery of change could ultimately impair business performance. Key controls and mitigating factors The Group has established a strategic change management capability and this includes access to programme management professionals and the deployment of associated change management processes, for example the operation of senior change oversight committees. Accountable Executive Adam Palser, Chief Executive Officer Operational Risk movement/impact 3. Global pandemic – Covid-19 Link to strategy: Lead the market Support growth Develop our people NCC Group has a number of features which give the Group greater resilience in the face of a global pandemic. Failure to prepare for this may cause disruption and uncertainty to our business, as well as risk the health and safety of our people. Any disruption or uncertainty could have an adverse effect on our business, financial results and operations. Accountable Executive Tim Kowalski, Chief Financial Officer Impact The potential impact of a pandemic globally is closed offices, people who are unwell and unable to work for periods of time and a slow-down in business from our clients. Risk movement/impact Key controls and mitigating factors During 2021, we successfully moved to remote working during the lockdown periods across our offices and were able to deliver our services off client sites. We have also used remote working as an opportunity to develop our services to support remote delivery. In addition, the Group has developed an office re-opening programme, which has taken into account the health and wellbeing of our colleagues, which has further supported our successful service delivery. 
Risk movement: Increased Decreased Unchanged Risk impact: High Medium Low Viability risk: VR New risk: NR 4. Availability of critical information systems VR Link to strategy: Win business Support growth Develop our people Impact If the Group’s critical systems failed, this could affect the Group’s ability to provide services to our customers. Risk movement/impact The Group is heavily reliant on continued and uninterrupted access to its IT systems. As well as environmental and physical threats, the Group is a natural target for individuals who may seek to disrupt the Group’s commercial activities. Accountable Executive Steve Boughton, Global Operations Director Key controls and mitigating factors The Group continues to make significant investment in its IT infrastructure to ensure it continues to support the growth of the organisation. This has been particularly pertinent during home working as part of the response to Covid-19. The Group has controls in place in order to reduce the risk of actual loss of critical systems; this has included a review of single points of failure and these have been mitigated. Further, controls are operated to ensure the availability of backup media in the event of prolonged loss of systems. The Group also standardises and simplifies processes whilst increasing resilience. Additional focus is given to proving the recoverability of systems and data. 5. Attracting and retaining appropriate colleague capacity and capability VR Link to strategy: Lead the market Win business Support growth Develop our people The Group would be adversely impacted if it were unable to attract and retain the right calibre of skilled colleagues. Some roles within the Group operate in highly technical and extremely specialised areas in which there are shortages of skilled people. 
Accountable Executive Colin Watt, Chief People Officer Impact Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group’s strategy. Key controls and mitigating factors Colleagues are offered a rewarding career structure and attractive salary and benefits packages, which can include participation in share schemes. An inability to attract and retain sufficient high-calibre colleagues could become a barrier to the continued success and growth of NCC Group. Comprehensive communications with our colleagues are ongoing and include all-hands calls, The Wire and Group and local communications. Risk movement/impact Linked to the development of our people, the Group continues to review our values and continues to use personal performance management processes, and aligned development programmes, which are linked to succession planning. 6. Information security risk (including cyber risk) VR Link to strategy: Win business Deliver excellence Support growth Due to the nature of the services provided by NCC Group, clients have a high expectation of the systems, processes and people handling their data. In addition, as a cyber security provider, NCC Group is more exposed to its systems being maliciously compromised. As a result, NCC Group could experience a malicious cyber-attack, inadvertent disclosure and/or compromise of confidential data and/or any other information security incident. Accountable Executive Steve Boughton, Global Operations Director Impact Failure to maintain control over customer, colleague, commercial and/or operational data could lead to a range of impacts, including reputational damage. The misuse of personal data, for example without the customer’s consent, or retaining data for longer than is necessary, may also result in reputational harm, regulatory investigations and potential fines. 
Risk movement/impact Key controls and mitigating factors The Board operates a Cyber Security Committee, which is chaired by the Chair of the Board and is responsible for the ongoing oversight of this risk and related control environments. All colleagues globally are required to undertake annual security training and updates to alert them to potential methods of security breach and to their responsibilities in safeguarding information and reporting potential issues. Security testing is regularly carried out on the Group’s infrastructure and there are extensive response plans, which were reviewed during the year, in the event of a major security incident. Comprehensive plans are in place and being delivered associated with discharging our data protection obligations. 7. Quality of Management Information Systems (MIS) and internal business processes VR Link to strategy: Win business Support growth Develop our people We need to ensure that trusted and relevant MIS are available on a day-to-day basis to inform management decisions and drive performance. Accountable Executive Tim Kowalski, Chief Financial Officer Impact Suboptimal business decision making and performance as key financial performance data is not available or trusted. Risk movement/impact 8. Quality and Security Management Systems Link to strategy: Win business Support growth We aspire to attain and retain key internationally recognised standards, which form an important component for many of our customers. Accountable Executive Tim Kowalski, Chief Financial Officer Impact The risk of the Group failing to retain a core standard, e.g. 
9001, 27001 or PCI, with a consequential loss of key customer accounts or ability to operate. Risk movement/impact 9. Post-Brexit Link to strategy: Develop our people Failure to comply with changing EU regulations as a result of Brexit may cause disruption to our business. Any disruption could have an adverse effect on our business operations. Accountable Executive Tim Kowalski, Chief Financial Officer Impact There remains some uncertainty around the detail of EU regulatory changes as these are finalised (for example, finalisation of trade negotiations with the wider world), which may impact on some of the services delivered by the Group, which fall under export control regulations. Risk movement/impact Key controls and mitigating factors The Group finance function has developed a forward-facing Finance Functional Strategy. Enhancements were identified covering system and process standardisation. A comprehensive milestone plan is in place and progress is tracked and reported to each Audit Committee. The rollout of Workday across our global finance teams has been significantly completed and will support the standardisation of policies and procedures, in addition to improving efficiency and effectiveness. Standardised business process control standards are in place across all parts of the Group. Financial year 2021 has seen the implementation of the new control self-assessment questionnaires along with an aligned programme of internal audits. Key controls and mitigating factors We operate a comprehensive programme to ensure the retention of our core standards. This includes a portfolio of aligned policies and cascading business processes. A programme of internal audit provides assurance over the design and application of these policies and procedures. External assessors provide a further layer of review and challenge, confirming during the year the retention of our Quality and Security standards, which were renewed in April 2021. 
VR Key controls and mitigating factors Similar to any UK company, we list post-Brexit as a significant risk due to the continued uncertainty surrounding the final EU post-Brexit trade deals with Europe and other international countries, which are still being negotiated. As our operations around the world include business entities based in Continental Europe and the wider world, we believe NCC Group is structurally resilient to the post-Brexit trading environment. The main risks to our business post-Brexit are: • Changes to export control requirements and related tariffs being implemented which may impact on some areas of service delivery • Real or perceived differences in data protection standards, which impact our global ways of working
10. Sustainability Link to strategy: Support growth Develop our people NCC Group recognises the importance of good environment, social and governance (ESG) frameworks as a key indicator of the Group’s sustainability and ethical impact of our business. Accountable Executive Yvonne Harley, Global Director of Sustainability and Corporate Affairs Impact Non-compliance with the Group’s frameworks related to ESG will impact on our ability to display robust working practices, grounded in good working practice, which take account of our environment, people and communities. This in turn could impact on our ability to develop and maintain business relationships and may lead to the loss of key customer accounts and shareholder investment. Risk movement/impact New NR Key controls and mitigating factors The Group has developed an ESG framework which continues to evolve. Examples of progress to date include: • Ongoing review of key policies, such as the Code of Ethics, Whistleblowing Policy, Anti-Bribery and Corruption Policy and Anti-Trust Policy.
These policies reflect our global footprint and will be translated into all of our jurisdictional languages in 2022 • Maintained our corporate governance and decision-making structures during the “move to remote” during Covid-19 lockdowns More examples are outlined in the sustainability section of the report. 11. Acquisition of IPM (Intellectual Property Management) NR Link to strategy: Deliver excellence Support growth Develop our people Impact Ineffective implementation of the integration plan may lead to: • Staggered transition to key systems • Increased costs against the budgeted £2.5m Risk movement/impact New Key controls and mitigating factors The Group has established a comprehensive integration plan, which has been sub-divided into specific workstreams, including, but not limited to, finance; legal; compliance; and IT. Each workstream has specific deliverables, along with deadlines, and these are being regularly monitored to validate “on time” delivery and to enable additional actions/resource to be deployed if required. NCC Group obtained shareholder approval to acquire Iron Mountain’s Intellectual Property Management (IPM), post extensive due diligence on 1 June 2021. The acquisition of the IPM division significantly grows the US Software Resilience customer base and allows us to support them with a broader set of services. A comprehensive integration plan has been established to support the effective and efficient transition of IPM into the Group. Accountable Executive Simon Fieldhouse, Global Managing Director – Software Resilience
Extraordinary risk during the year During the year, the global pandemic of Covid-19 continued, with minimal impact on financial performance; it also provided opportunities.
The Group mobilised its Executive Support Team and its business continuity plan in January 2020 and this enabled a number of planned initiatives to be brought forward to support a Group-wide response to remote working and delivery. We have continued to successfully negotiate with our customers where appropriate to work remotely, which has minimised disruption to service delivery.
Viability Statement The context for assessment In accordance with the requirements of the UK Corporate Governance Code, the aim of the Viability Statement is for the Directors to report on the assessment of the prospects of the Group meeting its liabilities over the assessment period, taking into account the current financial position, outlook, principal risks and uncertainties and key judgements and estimates in preparing the Financial Statements. The Directors have based their assessment of viability on the Group’s current business model and strategic plan, which is updated and approved annually by the Board, in line with our objectives to deliver sustainable and profitable growth, increase shareholder value and offer an improved service and product offering to our customers. This is underpinned by the strategic priorities outlined on pages 20 and 21 of the Strategic Report. The effective management of principal risks and uncertainties is outlined within pages 40 to 48 and this assessment emphasises those risks that could theoretically threaten the Group’s ability to operate, or to continue in existence (with the VR designation). The assessment period The Directors have assessed the viability of the Group over the three year period to May 2024, as this is an appropriate planning time horizon given the speed of change and customer demand in the industry and is in line with the Group’s strategic planning period.
Assessment of viability The viability of the Group has been assessed taking into account the Group’s current financial position, available bank facilities, and the Board approved FY22 budget and three year strategic plan. The Directors have produced a budget for FY22 which reflects the anticipated trading levels in the current environment and years two to three of the strategic plan represent the expected trading growth over this period factoring in the initial planned growth in the budget. The Directors have also assessed the viability of the Group taking into account the current financial position, including the recent acquisition of the Intellectual Property Management division of Iron Mountain and the associated new equity issue and additional debt taken on to fund that acquisition. The Directors have also modelled the impact of certain severe but plausible scenarios, which have the greatest potential impact on viability in the period under review, as set out in the table below. In particular, the Directors have considered the potential impact of additional Covid-19 related economic disruption on both the short and long-term growth prospects for the Group in a number of different scenarios, the potential impact of Covid-19 on customers and the associated impact on the Group’s performance, as well as the Group’s ability to execute its strategy. The impact of these sensitivities has been reviewed against the Group’s projected cash flow position, available bank facilities and compliance with financial covenants over the three year viability period. Should these occur, mitigating actions would be required to ensure that the Group remains liquid and financially viable, which include a reduction of planned capital expenditure, freezing pay and recruitment and not paying a dividend to shareholders, all of which are within the Directors’ control. 
Conclusions Based on these severe but possible scenarios, the Directors have a reasonable expectation that the Group and Company will be able to continue in operation and remain commercially viable over the three year period of assessment. Scenario Associated principal risks and uncertainties Description and potential impact Business strategy Attracting and retaining appropriate colleagues’ capacity and capability Failure to deliver the Securing Growth Together transformation programme. Loss of key colleagues or inability to attract and retain key talent. The potential impact of the above would act as a barrier to future growth. A critical systems failure, leading to an inability to provide services to customers. The potential impact of this would be short-term reputational damage and an inability to do business in the short term, impacting revenue and profits. A cyber security breach occurs with theft of data and disruption to business services. The potential impact of this would be long-term reputational damage significantly impacting future revenue. The world was victim to a global pandemic of Covid-19 in early 2020. Most affected countries were locked down for a minimum of six weeks and the economic disruption is still ongoing. The potential longer-term impact of this would be loss of jobs due to loss of revenue. There would also be reputational damage if there was a cyber security breach due to the remote working we have put in place to safeguard our people. 
Systems failure Availability of critical information systems Cyber risk (including data protection) Cyber risk (including data protection) Global pandemic – Covid-19 Cyber security breach Covid-19 (over and above base case short-term impact)
INSIGHTS: STAKEHOLDER ENGAGEMENT Leading reform through stakeholder engagement Katharina Sommer Head of Public Affairs Our public affairs function is focused on creating a conducive political and regulatory operating environment to improve cyber security policies, so they materially improve the cyber resilience for our customers and broader society (see pages 50 to 52 for more on stakeholder engagement). Nowhere is this demonstrated better than in our continued efforts to reform the UK’s Computer Misuse Act 1990, to enable cyber security professionals to undertake this critical work without fear of prosecution and unleash their full potential in making the world safer and more secure. As founding members of the CyberUp Campaign 1, we brought together peers from across the cyber security industry alongside trade associations, incubators, academics and parliamentarians, all of whom believe that UK cyber crime laws should not inadvertently criminalise the very same people seeking to keep the nation safe and secure. This campaign approach paid off, when, in May 2020, UK Home Secretary, the Rt Hon Priti Patel MP, announced that “now is the right time to undertake a formal review of the Computer Misuse Act” 2 and launched a call for information to assess if the law remained fit for use following the technological advances since its introduction in 1990 3. The campaign, driven by an evidence-based, pragmatic approach, considers the operational realities of cyber resilience in modern day society.
The security of the internet and our digital world is strengthened by the work undertaken by security and threat intelligence researchers who help us identify and fix weaknesses, to stay one step ahead of our adversaries. Our vulnerability assessments of smart doorbells, for example, demonstrated attackers would be able remotely to control some devices, further highlighting the importance of good security practices in developing Internet of Things (IoT) products, and our research into a cyber threat group showed its preference for abusing cloud services in its operations, enabling us to help organisations improve their detection of and protection against future attacks. We will continue working with all our key stakeholders to create a reformed law that adequately protects security and threat intelligence researchers.
1 https://www.cyberupcampaign.com/.
2 https://www.gov.uk/government/speeches/home-secretary-priti-patel-speech-to-cyberuk-conference.
3 https://www.gov.uk/government/consultations/computer-misuse-act-1990-call-for-information.
Stakeholder engagement continued Consistent and authentic engagement We believe by understanding and meeting the needs of our stakeholders, we will secure long-term success. This is achieved through consistent and authentic engagement. Here we have highlighted our key stakeholders, their identified needs and how we have engaged with them. Engagement of each stakeholder is done so with the NCC Group values at the heart of everything we do. We recognise the importance of listening to and understanding the views of our key stakeholders. We use insights to support our approach, addressing opportunities to build enduring and trusted relationships. Insights are gathered during our day-to-day business and are used to improve decision making at every level of the organisation – from the Board down to operations.
Section 172 statement Section 172 of the Companies Act 2006 requires a director of a company to act in the way they consider, in good faith, would most likely promote the success of the company for the benefit of its members as a whole but having regard to a range of factors set out in section 172(1)(a)–(f) in the Companies Act 2006. In discharging our section 172 duty, we have regard for these factors taking them into consideration when decisions are made. Examples of how our Directors have oversight of stakeholder matters and have regard for these matters when making decisions are set out on these pages. Colleagues We are a people business and our 2,000+ colleagues around the world each have an important role in helping to make the world safer and more secure. The opportunity • Understanding our mission, vision, values and strategy • Understanding what is expected of them and knowing how they are contributing to our success • Spending quality time with their line manager, feeling listened to and supported, enabling them to feel confident they have the skills to be successful in their role • Feeling they are welcome to bring their whole selves to work How we listen and engage • Global internal news platform, which gives colleagues the option to keep up with what’s happening around the Group. 
Built using the Dynamic Signal platform, colleagues can share approved content with their social networks directly at the touch of a button • Online knowledge hubs to support consistent ways of working and make it easy for colleagues to understand requirements of their role • Knowledge sharing events – locally, regionally and globally • ExCom-led engagement at the local level, targeted as appropriate for different colleague groups, which includes colleague forums and, in Europe, Works Councils • Annual colleague engagement survey with local teams empowered to drive actions to continue to make NCC Group a great place to work • Non-Executive Director regular engagement sessions hosted with colleagues (see page 80) 2020/21 highlights • Hosted a virtual sales conference and our flagship technical event – Not the NCC Con – went virtual too, showcasing both our technical and professional brilliance over a three day period. We were joined by distinguished external speakers from the infosec world and business as well as Lord Chris Holmes, a supporter of the UK Computer Misuse Act reform campaign • Launched our first ever global team and individual awards programme (page 66) • Launched our inclusion and diversity engagement programme – NCC Conversations (page 55) • Continued to invest in our colleague wellbeing programme, which included partnering with This Can Happen, as well as creating a global network of trained Mental Health First Aiders, and training managers in mental health awareness to help build resilience throughout the organisation • Welcomed our new colleagues who joined us from the IPM acquisition • Continued to invest in colleague engagement, with significant improvement being seen in how colleagues feel about management, which represents the investment we’ve made over the past 12 months in management and leadership development Covid-19 action • Made provision for longer-term working from home with physical and mental wellbeing programmes put in place • 
Created a system to support colleagues with urgent needs to access alternative places to work where home working was not conducive to a positive working environment Link to strategy: Lead the market Win business Deliver excellence Support growth Link to strategy: Develop our people
Shareholders NCC Group is committed to engaging with our shareholders through continued sufficient and effective communication. The opportunity • Financial performance • Dividend • Sound long-term sustainable strategy • Sound corporate governance and stewardship How we listen and engage • CEO and CFO regularly meet investors • Investor roadshows after the full and half year results • Chair meets investors on an annual basis • Open door policy with investors • The AGM (and this year a general meeting to support the IPM acquisition) 2020/21 highlights • All resolutions (with the exception of the Directors’ Remuneration Report) passed at the 2020 AGM with at least 81% of votes for, with over 70% of the issued share capital voting • Further engagement with investors following the significant vote against the Directors’ Remuneration Report at the 2020 AGM • Consultation with shareholders on a new 2021–2024 Directors’ Remuneration Policy • 100% shareholder vote in favour of IPM acquisition • All Directors attended the AGM and were available to answer shareholder questions • Brokers and financial PR firm presented to the Board • Regular reports to the Board on investors and their feedback
Customers The past 12 months have seen threats turn into impacts across all markets. Our solutions continue to help to keep our customers’ businesses secure and operational.
The opportunity • Using our global understanding of the risks and our customers’ operational challenges • Developing “right-fit” solutions which improve and enhance our customers’ cyber resilience • Bringing our technical investment into solutions beyond what non-cyber business can do • Ability to work collaboratively with them, their partners and supply chains How we listen and engage • Active account management • Regular client surveying and management feedback loops • Increasing investment in research to understand and mitigate risks across a wide range of current and future technology and industries 2020/21 highlights • Launched our Partner Network, initially for UK Software Resilience, expanding the offering through software vendors and helping them support their customers and scale their businesses • Partnered with SURF, the cooperative association of Dutch educational and research institutions, to provide 24/7 security incident and event management (SIEM) and security operations centre (SOC) services over the next five years • Achieved global partner “co-sell readiness” with Microsoft on Azure Sentinel. 
This opens up a marketplace for MDR where customers can use our expertise and achieve their cyber resilience via their Microsoft Azure technology • Enhanced our support to the increasing need for security assessments by becoming an approved provider for Google and Facebook third party app developer programmes such as ioXt Authorise Lab, Google OAuth API Verification, Facebook Workplace Security Review and Alexa Built-in Devices Authorised Third Party Lab and others • The Escrow division rebranded as Software Resilience – strengthening its proposition to support customers in achieving broader resilience of their critical software • The acquisition of Iron Mountain’s Intellectual Property Management (IPM) division significantly grows the US customer base and allows us to support them with a broader set of services Covid-19 action • Continued successful delivery through remote working and maintained a “working together” approach to match our customers’ challenging needs through the impact of local restricted working practices
Stakeholder engagement continued Suppliers Our network We engage with a large number of different suppliers across our global business. Historically, we have had a very local and transactional relationship with suppliers; however, to enhance our competitiveness and remain agile, we are developing more formalised and sustainable relationships with our key suppliers based on both spend level and risk profile.
The opportunity • Long-term trusted partnerships facilitating real, sustainable overhead cost reduction and cost of sale margin improvement • Strong working relationships • Fit for purpose contracts and payment terms, ensuring suppliers deliver to acceptable service levels and protecting NCC Group from any long-term commercial inflation • Ensuring we have a safe supply chain to protect our service delivery to customers and brand reputation How we listen and engage • We now have a small professional, dedicated and experienced procurement function which actively manages key suppliers, monitors supply chain trends and supports the business units to achieve their commercial targets • Regular meetings to be held with key suppliers to better inform them of NCC Group’s strategy and future forecasting • Due diligence completed at the beginning of our relationship with suppliers • Intention to host a supplier conference (post-Covid-19) • Supplier “Code of Conduct” launched to provide clarity around NCC Group’s expectations of our supply chain 2020/21 highlights • Delivery of substantial cost savings to support the businesses growth strategy • Significant restructure of NCC Group’s global estate portfolio to support the expected new ways of working, post-Covid-19 • Introduction of risk-based analysis of NCC Group’s supply chain to provide valuable insight supporting the Company though the significant changes due to Brexit and Covid-19 • Proactive communication of the Source to Pay Policy which underpins NCC Group’s relationship with its supply chain • Consistently engaging other business units and corporate functions to recommend, based on experience, internal efficiency improvements to drive clearer planning and spend reporting NCC Group is committed not only to creating a conducive operating environment to enable our long-term growth ambitions but to using our expertise to inform evidence-based policy making and improving the resilience of our societies. 
The opportunity • Our expertise, capabilities and global footprint allow us to offer solutions to modern society’s cyber challenges • Educating policymakers and regulators • Providing access to basic cyber knowledge to those organisations that are vital to their local communities • Sharing opportunities to experience the world of cyber and inspiring the next generation How we listen and engage • We work in partnership and build alliances with like-minded and trusted organisations – from global think tanks and foundations, to trade associations, charities and campaign groups – to pool resources, amplify our messages and maximise impact • We support initiatives by governments and public bodies where we have shared objectives, such as the UK government’s CyberFirst skills programme, work with schools and universities to offer mentoring and industry support, and maintain strategic relationships with national technical authorities across all of our regions • We undertake direct engagement and advocacy to share our expertise with regulators, officials and politicians grappling with the challenges of emerging technologies and keeping their citizens safe in an interconnected digital world 2020/21 highlights • Campaigned forcefully for better legal protections for the crucial work of security and threat intelligence researchers around the world, as a founding member of the CyberUp Campaign in the UK that brings together cyber security professionals, technology firms and start-up incubators alike, and has seen the UK government undertake a formal review of the Act, and as a member of the Open Source Security Foundation (OSSF), to press for security research exemptions in the US Digital Millennium Copyright Act (DMCA) • Supported the UK National Cyber Security Centre’s (NCSC) CyberUK flagship conference for the fifth year running and delivered the NCSC Cyber Security PhD Winter School virtually allowing academics, industry and government to connect; offered remote work 
experience to pupils, students and interested parties from law enforcement; and concluded the first year of partnership with the Small Charities Coalition which helped to build the cyber resilience of up to 12,500 charity employees, trustees, volunteers, beneficiaries and service users • Joined the UK’s Cyber Growth Partnership; became part of the UK Department for Digital, Culture, Media and Sport (DCMS) Secure Connected Places External Advisory Group; educated global financial regulators, from the Financial Stability Board to Canada’s OSFI, on the benefits of technology and software escrow agreements in supporting operational resilience objectives; and worked with the UK Industry & Parliament Trust to continue giving parliamentarians an insight into the day-to-day realities of cyber resilience, and with the Linux Foundation in the United States to educate Congressional staffers on workable policy solutions to high profile technology challenges
Sustainability Making the world safer and more secure for all NCC Group’s commitment to sustainability is integral to how we do business – simply it is our licence to operate. Grounded in our values and principles, we’re guided by our Code of Ethics and driven by our mission to make the world safer and more secure for our people, our customers, our investors, and the communities we live and work in. As society’s dependence on the connected environment and its associated technologies increase, we use our global insights to help organisations assess, develop and manage their cyber resilience posture, enabling them to confidently take advantage of the opportunities that sustain their business growth. We draw on our expertise, capabilities and global footprint to develop solutions to meet current and future cyber challenges. We help to educate policymakers and regulators.
We give back to protect our local community services and we share opportunities to experience the world of cyber and inspire the next generation to secure our future. Read more on our business model on pages 20 and 21 Read more on how we manage and monitor risk in relation to sustainability on page 47 Our approach to sustainability is focused on the recognised elements of environment, social and governance (ESG). These are brought to life with our framework, which enables us to focus our efforts on the activities that deliver the greatest value to our people, our customers, our shareholders, and the world we all live in. We will set objectives that consider people and the planet, and we will hold ourselves to account through our annual reporting cycle and through regular stakeholder engagement. Yvonne Harley Global Director of Sustainability and Corporate Affairs
Sustainability continued Our key sustainability focus areas and objectives
[Figure: Environment, Social and Governance focus areas and objectives. Labels: Efficiency; Community engagement; Climate change; Respect our environment; Wellbeing; Inclusion, diversity, skills and development; Good governance enabling investment, innovation and sustainable growth; Responsible supply chain; Quality services and satisfied customers]
Environment Social Governance • This is a priority area for us to focus on in this new financial year • Building on the new and successful ways of working created by the pandemic we will engage in conversation with our customers to explore how we can work together to reduce the impact on the environment through reducing non-essential travel • As our office environments come back to life, we are investing in education programmes to reduce our physical impact – from flexible working and minimising printing, to increasing recycling.
And we will continue to review our physical office requirements to ensure we only use what we need • We’ll design solutions for the future, driving efficiency into our design and delivery • We have partnered with Willis Towers Watson to develop our approach to identifying and assessing climate change risk, which will support the development of a robust strategy and enable reporting against the Task Force on Climate-Related Financial Disclosures (TCFD) in 2022 • We continue to foster partnerships that support development of future diverse cyber talent • Building on the development of our pilot programme in the UK (in preparation for lockdown restrictions easing) we will develop a global giving back programme, which will enable colleagues to take part in local community programmes • We will continue to invest in developing our mental health first aid network and resources and look to implement our broader wellbeing strategy, partnering again with This Can Happen • Through NCC Conversations we will continue to encourage engagement from colleagues and our external stakeholders around our four focus areas of gender, LGBTQIA+, race and ethnicity and neurodiversity. 
Our signing of the UN Global Compact will reinforce our commitment to our responsible business operations • The conversations alongside our performance management programme and career framework development will help drive our performance culture, creating an environment where everyone is welcome and can be successful • We continue to be committed to building long-term sustainable relationships, earning trust through understanding the challenges our customers have and delivering high quality solutions to take their pain away • We will win business fairly and use our internal processes to assess and consciously accept working with customers who align with our own values and Code of Ethics • We will strengthen our Supplier Code of Conduct to ensure we protect the integrity of our ethics across the supply chain, entering any supplier or partner relationships with a mutual understanding of each other’s code of ethics and general business policies • We will provide accurate and timely information to shareholders and always observe the relevant regulations and corporate governance principles to protect the integrity of our business operations • We will consider the interests of all our stakeholders when we make decisions on the Group’s future strategy and priorities
How we will measure our commitments In FY22, we are conducting a Responsible Business Tracker with the UK’s Business in the Community organisation. This will provide us with a detailed report of how we are performing and coupled with recent investment ratings feedback will support us to identify longer-term sustainability targets.
In the interim, in FY22, building on our work to date we aim to: • Report against the Task Force on Climate-Related Financial Disclosures (TCFD) • Establish our local office champion network and provide training and toolkits to support responsible business practices in line with health, safety, security and environment requirements • Create an Accessibility colleague resource group, to look at inclusion across everything we do – from websites, to our offices and working off-site – through multiple lenses, always seeking to improve how we operate • Measure our travel behaviour and understand the impact on the environment and how we can improve/offset, with an aim to reduce activity by 30% based on FY19 (our last full year of travel pre the pandemic) by: • Continuing to host routine meetings virtually where it makes sense to do so • Embracing flexibility, family friendly policies and remote working • Piloting a new pricing model in our UK Assurance business to help customers understand the environmental impact of on-site delivery versus remote delivery • Continue to increase the diversity of our workforce by establishing partnerships and ensuring our focus on creating an environment where everyone feels welcome: • In FY21, 29% of all hires (where gender was disclosed) were female, with an increase of 43.5% on actual female hires compared to FY20; in FY22 we commit to achieving the same or better through our targeted efforts and working with hiring managers to realise the value of difference • Establish partnerships in the UK and North America to support our early careers programme, with a focus on underrepresented groups • 100% of eligible colleagues undertake compliance training covering Code of Ethics, Inclusion and Diversity, Anti-Bribery and Corruption, Data Privacy and Data Protection and Information Security • Launch our Action Ally programme, led by the Gender colleague resource group, to educate and inspire 100% of our colleagues to be inclusive every day 
Reflections on the past year

While technology was able to break (in part) the barrier of isolation caused by the global pandemic, there was also a risk of it becoming a barrier as fatigue and frustration started to creep in. We know from our engagement with other organisations we weren’t unique, and we took action to mitigate the risk to our Covid-19 survive and thrive strategy. We continued to focus on the health and wellbeing of colleagues – prioritising the training of a global network of 61 Mental Health First Aiders and training over 100 managers in mental health awareness and supporting wellbeing, building resilience through a series of engagements throughout the organisation. We also launched our NCC Conversations programme to support engagement around our four inclusion and diversity priorities (page 62) – gender, LGBTQIA+, race and ethnicity and neurodiversity. The conversations, hosted through panel sessions, articles, workshops and podcasts, have led to positive changes in how we operate as a firm.

“NCC Conversations is such a great initiative and, although we are all remote working, it feels like this has somehow brought us closer together.”
Holly Duncalf, Project Manager

Our focus on inclusion and diversity is sustained through embedding insights for dialogue, and local target setting into our monthly executive business reviews and is a key priority in our growth strategy. We continued to reduce complexity in our business, reducing our legal entities, combining our Benelux and Danish entities to create one powerful European business and creating a global operating committee to unify how our professional and managed services operate in service of our customers. This not only increases our ability to attract a wider and more diverse talent pool but also reduces the risk of regional talent challenges affecting our ability to deliver for customers.
In the ever-increasing connected society, cyber resilience is important and should be part of responsible business practice – from design to operations. As a major player in the cyber resilience market, we have a responsibility to apply our world-class research skills, market knowledge and threat intelligence to ensure we design products and services that support our customers to meet their whole cyber resilience posture requirements. This is the driver of the progress towards our vision to be the complete global provider of cyber resilience solutions within a growing global market and evidenced with the launch of new propositions to meet this requirement.

Partnership for the goals

We review partnerships on an annual basis with a view to ensuring they continue to be of value. In the past year we became members of the UK’s Business in the Community programme, undertaking its Responsible Business Tracker assessment to support our future sustainability plans. In this new financial year, we have become members of the United Nations Global Compact, with full Board and CEO endorsement to embed its principles into our strategy, culture and ways of working. More broadly, our active network engagement and industry partnerships help us to further support the United Nations Sustainable Development Goals, build global cyber resilience and help make the whole world safer and more secure.

Investing in a sustainable future

Our commitment is to create an environment where all colleagues feel psychologically, emotionally and physically safe to be authentic and representative of the diversity of the world they live in, to share their personal experiences and to have equal opportunity to achieve. We want to drive the focus globally but empower local action ensuring that we reflect and embrace our differences. This commitment influences our partnerships, how we recruit and how we deliver value to our customers.
We will continue to secure the future today and our sustainability agenda will play a strategic role to support conscious decision making as we begin to set targets that challenge us to continually improve in making the world safer and more secure for all.

Aligning to the United Nations Sustainable Development Goals for best practice

The United Nations Sustainable Development Goals provide us with a blueprint to achieving a better and more secure future for all. We selected the following goals, which we felt were most relevant to our business and to our stakeholders:

Our Sustainable Development Goals

3 – Good health and wellbeing
Through our threat intelligence and cyber resilience solutions, we are helping to secure the technology for increasing and protecting the provision of health services globally.

4 – Quality education
We are focused on investing in the future of cyber security skills, developing not only career frameworks and pathways for research, but also helping to protect the technology, which gives access to education.

5 – Gender equality and 10 – Reduced inequalities
We are committed to building a diverse and inclusive culture, for our colleagues and our customers. We are focused on equality, creating an environment where everyone is welcome and can be successful.

8 – Decent work and economic growth
We are a global business, with local hubs, attracting and developing diverse talent – from early careers to senior experts – all to support the global need for cyber resilience skills.

9 – Industry, innovation and infrastructure and 17 – Partnerships for the goals
Our commitment to research, vulnerability disclosure and threat intelligence and the industry partnerships we foster help to provide safe and secure by design technologies, which enable industrialisation and innovation to drive future developments.
13 – Climate action
As well as our own ambition to reduce our carbon footprint, working with our customers we will seek to contribute to reductions in global greenhouse gas emissions through continuing to develop remote solutions.

16 – Peace, justice and strong institutions
Our value proposition is based on trust and this is founded on our Code of Ethics, considering the interests of all our stakeholders when we make decisions on the Group’s future strategy and priorities.

Environment

Out of 207 company cars (the UK and Netherlands):
• 61 are fully electric
• 113 are other
• 33 are hybrid
Average CO2 emissions of our company car fleet: 78

Greenhouse gas emissions

The greenhouse gas (GHG) reporting period is aligned with our financial reporting year running from 1 June to 31 May. The reported figures detail annual GHG emissions from activities for which NCC Group is directly responsible. Having considered the production metrics within the business, we have concluded that annual turnover is the most appropriate to achieve a benchmark, which aligns with the carbon reduction policy and methodology that we will work towards in FY22. The methodology used to calculate total energy consumption and carbon emissions has been through the extraction of consumption data from invoices and meter reads for the financial years stated. Where data was not available, estimates have been calculated using historical profiles and details held on record by the Group’s Compliance department for audit purposes. Energy and fuel consumption has been expressed in tonnes of carbon dioxide equivalent (tCO2e), using 2019 DEFRA published conversion factors. Fuel for transportation has been converted using statistical data sets published by the UK Department of Transport.
The overall energy and carbon report was produced by PEP Energy, an independent third party that analysed invoices from energy suppliers and data from expense systems to calculate the overall results.

Pandemic considerations

Over the past year, we’ve had little use of our global office space due to pandemic restrictions and we’ve also reduced our office footprint so comparing like for like is not possible. Our calculations do not consider the impact of our colleagues working from home and the increase of their domestic energy use or decrease of their commuting over the full year. We are continuing to seek expert advice on how this can be measured to enable us to truly reflect the CO2 emissions of our organisation as we continue to operate in a more flexible environment in the future.

Energy performance benchmarking

In FY22 our aim is to reduce carbon intensity for the Group and, working with our key stakeholder groups, we will set out targets, which will minimise the impact of our operations on the environment. Due to the size and nature of NCC Group, an external environment audit is not required; however, we will continue to assess this as the Group grows in conjunction with any legislative developments.
Emissions by type (%): Electricity 65.63; Gas 17.62; Air 6.42; Petrol 5.32; Diesel 5.00

[Bar charts: Electricity, Gas, Diesel, Petrol and Air emissions (tCO2e) for 2018/19, 2019/20 and 2020/21]

Total GHG (tCO2e)

Source | 2019 | 2020 | 2021 | tCO2 change from previous year (2020 and 2021) | % change from previous year
Scope 1
Gas | 63.11 | 61.35 | 79.96 | 19 | 30
Company vehicles | 185.83 | 309.42 | 46.83 | (263) | (85)
Diesel | 121.98 | 187.27 | 22.68 | (165) | (88)
Petrol | 63.85 | 122.15 | 24.15 | (98) | (80)
Total scope 1 | 248.94 | 370.77 | 126.79 | (244) | (192)
Scope 2
Electricity | 345.43 | 415.32 | 297.79 | (118) | (39)
Total scope 2 | 345.43 | 415.32 | 297.79 | (118) | (39)
Total scope 1 and 2 | 594.36 | 786.09 | 424.58 | (362) | (85)
Scope 3
Business travel | 222.32 | 611.17 | 29.14 | (582) | (95)
Total scope 3 | 222.32 | 611.17 | 29.14 | (582) | (95)
Total scope 1, 2 and 3 | 816.68 | 1,397.26 | 453.72 | (944) | (68)

Underlying energy use

The table below shows the proportion of Scope 1 and Scope 2 energy use that occurs in the UK and non-UK countries alongside the total carbon emissions. In FY21, 45% of the Group’s energy consumption and 72% of carbon emissions arose from the UK.

Area | FY21 energy use (kWh) | % of global energy use | FY21 carbon emissions (tCO2e) | % tCO2e
UK | 1,436,210 | 45% | 305.003 | 72%
Non-UK | 1,780,945 | 55% | 119.577 | 28%
Total | 3,217,155 | N/A | 424.58 | N/A

Task Force on Climate-Related Financial Disclosures (TCFD)

We recognise the importance of identifying the financial and non-financial impacts of climate change on the business. To make more informed financial decisions, we and our investors, lenders and insurance underwriters need to understand how climate related risks and opportunities are likely to impact our future financial position. A robust approach to assessing climate change risks and opportunities will support us to develop business strategies, which will support future sustainability and growth. While we are not required to report against TCFD requirements this year, we recognise the importance of this initiative and how it aligns with our wider ESG agenda.

We have established a partnership with Willis Towers Watson to further develop our approach to identifying and assessing climate change risk, which supports the development of a robust strategy. The model to achieve this is shown opposite.

[Figure: model for identifying and assessing climate change risk. Labels: Secure leadership buy-in; Establish committee oversight; Integrate into reporting; Assess financial impacts; Perform scenario analysis; Adapt ERM; Obtain assurance; Implement internal control; Collaborate across the business; Use existing tools; Solicit investor feedback; Audit Committee; Risk Committee]

UK cycle to work scheme

In April 2021 we enhanced the benefit allowance, in line with the UK government’s cycle to work scheme, from £1,000 to £6,000 for colleagues living in the UK and using a bike to commute to work. Colleagues can purchase a bike and equipment through this organised salary sacrifice scheme and the increase was made because of their feedback in our colleague forums and annual engagement survey. This enhancement is part of our overall wellbeing programme and commitment to reducing the impact we have on the environment.

At the very start of the pandemic in early 2020, an important consideration for organisations around the world was how they were going to function as restrictions impacted their traditional way of working. With remote working becoming the norm, trust was required to make it work.
Product development – designing today for the future

We are committed to building new products, which support our sustainability commitments and meet our customers’ current and future needs. Our product development ethos is to improve our end-to-end product design and build processes, ensuring we design with sustainability in mind, purposely and continuously. This approach enabled us to be agile in adapting many of our products to be purchased, deployed and implemented remotely, ensuring we could support our customers as they moved to remote/hybrid working models due to pandemic restrictions. (An example of this is our Firebase appliance illustrated opposite.) Another critical element of our design approach is to ensure our product offerings are accessible. Our new Calibrate platform, which offers intelligent data-driven cyber resilience dashboards to guide risk strategy, is a great example of this. The platform was purposely designed to support user accessibility for those with the visual impairment of colour blindness. This inclusive design provides high colour contrast visual aids to support the interactive engagement between users and the Calibrate platform. We listen to our customers, ensuring their voice is represented in the products we take to market.

Firebase

With 80% of the work we traditionally do for customers already being delivered remotely, one area that is often overlooked is routine security testing. In 2018 our consultants developed an appliance – Firebase – that would enable remote security testing to be conducted – a great example of designing for the future. From the early prototype, NCC Group’s Nick Watkins developed the current appliance as a research project supported by Simon Beattie. Their current version can be downloaded or posted and provides our customers with a credible and necessary alternative to ensuring their systems were secure.
Initially launched in the UK, and later in North America and our APAC region, the Firebase appliance is being developed and used to support our incident response teams as well as being planned for use by our European business. Between 1 April 2020 and 31 May 2021, we conducted 761 jobs using Firebase, which equalled 11,656 days of remote working, and with an average of a 45–50 mile round trip from a consultant’s home to customer premises, we reduced our travel impact by c.500–600k miles – the equivalent of 20–25 times around the world. We will continue to engage with customers and encourage continued deployment of security testing remotely to improve efficiency for their business and remove unnecessary travel, which has a negative impact on climate change.

“We design today for the future, working in collaboration with our colleagues across the Group, understanding the whole needs of our customers and ensuring our product offerings are accessible by all.”
Michelle Barry, Director of Product and Development

Social

Each day at NCC Group our technologists and professionals wake up with one mission – to help make the world safer and more secure. Together they form a phenomenal knowledge network, collaborating, innovating and delivering value to our customers. This culture is important to us and we strive to create a great place to work, a place where everyone is welcome and can be successful. We are guided by our Code of Ethics – treat everyone and everything with respect; our common values are:

We work together

No matter how brilliant an individual might be, they are no match for a team. Our best and most impactful work has always resulted from collaboration.
We act in the best interests of the whole Group and we never miss an opportunity to help each other and our customers. We exist to help keep our customers safe and secure – the better we understand our customers and their values, the better we can help them thrive. So, we work closely with our customers too.

We are brilliantly creative

We like to win. We like to, and we are good at, solving hard problems. We work hard but, in our world, success does not just come from hard work – it comes from looking at things differently and never being satisfied with the way things are. In being brilliantly creative, we need to work together – we expect collaboration, innovation, and diversity, which brings us onto our third value…

We embrace difference

The ability to think in a different way (to, for example, how systems were intended to be used) is what leads to much cyber vulnerability and is the cornerstone of the security testing and risk work we do. So, we work together, we are brilliantly creative and:
• We welcome and actively seek out diversity in our thinking and in our internal representation
• We seek constructive challenge as we gather information before making a decision
• We want to keep our quirky and distinctive culture (unusual in an attractive and interesting way)

Listening to colleagues

During the past year, we continued to improve how we listen to colleagues both at a global and a local level. We created a monthly team engagement pack for managers to talk to their teams about various aspects of our business – all with the aim to ensure we kept connected to our mission, vision, values, and strategy despite the isolation of the pandemic restrictions. These monthly sessions encouraged teams to talk, explore and feed back – not just about our business operations but also how they were feeling.
From those conversations we recognised the opportunity to create a global people managers’ forum to support them to manage the drivers of engagement – it enables them to get closer to their local executive member and our HR team has created a dedicated resource centre to further support people managers and to improve how we listen at every level of the organisation.

Building on the UK colleague forum pilot launched in the previous year, we extended the colleague forums to our operations in Spain, Australia, Singapore and Japan and our Global Software Resilience business and Group functions, and we launched a new Works Council for colleagues in Denmark alongside our existing Works Council in the Netherlands.

We ran our annual b:Heard employee engagement survey with Best Companies, increasing our response rate to 81.85% (up nearly 2%) on the prior year, and continuing to improve our colleague engagement score to 642.7 (626.9 in 2019). While still within Best Companies’ index of “one to watch” companies, through robust local and global action planning and active listening we strive to match our world-class participation rate with a world-class engagement score of 3*.

The investment in our Manager Essentials programme can be seen in the results from our engagement survey where 77% of eligible managers were recognised by their teams:
• Good: 20.5%
• Very good: 18%
• Outstanding: 18%
• World class: 20.5%

Jennifer Duvalier, our designated Non-Executive Director for colleague engagement, continued to meet with colleagues around the world virtually, extending our listening ability, and you can read more about her experience on page 80. Regular town hall events and the creation of virtual communities using Microsoft Teams gave more opportunities for us to improve how we listen and learn through our day-to-day operations. Visible leadership played a critical role in this improvement and even more so due to the continued isolation of colleagues due to the ongoing pandemic restrictions.
Investing in personal development

Our ambition is to be known as a hub for cyber talent, a place where people can come and develop personally and professionally. In FY21 we:
• Launched a sales academy pilot in our UK and APAC Assurance division, which provides structured training to support sales colleagues at every stage of their career – from joining NCC Group through to advanced sales techniques
• Began to build leadership development, with 40 North American leaders undertaking the Stanford Leadership Development programme with over 180 managers globally attending our Manager Essentials programme
• Extended investment in developing our next generation managers and 22 colleagues in the UK and North America due to graduate in September 2021. All colleagues from the pilot cohort in FY20 went on to be promoted to managerial roles

In addition, listening to feedback from our colleague forums and engagement survey, we launched our career framework pilot in March 2021. The initial focus for the pilot is our technical community in our Global Professional Services in the UK and APAC region. The aim is to clarify how colleagues can progress from junior through to senior levels and how to move across specialist and management roles, with a view to empowering them to manage their own career. The career framework will include:
• A toolkit to help colleagues plan potential career steps/paths across the role options
• A learning catalogue linked to roles, with details of how to access learning
• Optional career development workshops for colleagues
• Regular career development discussions as part of our performance management process
• Clarity on our approach to promotions

The pilot will extend to other parts of the business including our Global Software Resilience, Global Managed Services and Sales colleagues over the coming year.
Creating an inclusive and diverse community

We want to create an environment where all colleagues feel psychologically, emotionally and physically safe to be authentic, representative of the diversity of the world they live in, share their personal experiences and have equal opportunity to achieve. Our inclusion and diversity plan underpins our growth strategy and in FY21 was focused on four areas that were identified as being important to our colleagues:
• Gender
• LGBTQIA+
• Neurodiversity
• Race and ethnicity

For each of these focus areas we have colleague resource groups led by a Steering Committee, each of which has an Executive sponsor, HR and a Talent Partner. A dedicated Group Communications Business Partner is responsible for supporting our colleague resource groups to drive engagement both internally and externally. At the heart of our commitment to inclusion and diversity is our NCC Conversations programme, which we launched in August 2020. Each month the focus area Steering Committees work together to produce content, from blogs to panel sessions and resources, which support our ongoing awareness and education for colleagues. In addition, the programme includes workshops with external experts invited to support learning around topics exploring what it means personally and in the workplace.

“What a journey we’ve been on over the past nine months. The content, the resources, the conversations and the personal experiences being shared, alongside the feedback we’ve received both internally and externally, have been inspiring. Our NCC Conversations programme is a great example of our values in action. We work together, being brilliantly creative and embracing difference, and what connects us – what we all have in common – is our desire to make this a safe and great place for all. A highlight for me was when a colleague said: ‘Had I ever before today come out as a transvestite in the workplace? Well, I never had. This is a first for me and it is indeed a big step. So why did I feel the need to do it? It is because of our inclusion and diversity programme that I felt like it was no longer a matter of why, but why not.’”
Chloe Kersey, Communications Business Partner and NCC Conversations lead

Inclusion and diversity engagement FY21 highlights
• 4 colleague resource groups: Race and Ethnicity, LGBTQIA+, Neurodiversity and Gender
• 36 articles published externally (newsroom.nccgroup.com)
• 13 external guest speakers
• 15 Steering Committee members across the four groups
• 90 inclusion and diversity community members
• 6 Executive sponsors
• 20 Instagram posts
• 90 pieces of content shared internally
• 1/3 of colleagues attended at least one workshop
• 250 average workshop attendance

Read more online: www.nccgroupplc.com

These conversations are leading to positive changes in how we operate as a firm – investing in annual inclusion and diversity training as well as building into Manager Essentials training, partnering with organisations to develop future pathways for diverse talent to enter the industry, reviewing colleague policies, and improving how we recruit new talent and invest in career development.

Gender pay gap*

We take our role as a responsible employer seriously and see the UK requirement to publish gender pay gap figures as an important step towards transparency around a key issue within our industry. We recognise steps need to be taken to continually improve our gender mix at all levels as part of our broader strategy and the investment we are making under our broader sustainability commitment is supporting us to achieve this.
Our full report is available to view on our website and in FY21, in addition to the work of our Gender colleague resource group, we continued to support local initiatives aimed at encouraging more women to enter the world of cyber security.

* Source: NCC Group payroll data.

Read more online: www.nccgroupplc.com/investor-relations/corporate-governance/gender-pay-gap/

[Charts: male, female and undisclosed proportions]
• Main Board: 86% male, 14% female
• Executive Committee: 80% male, 20% female
• Direct reports to the Executive Committee: 60% male, 40% female
• Group: 76% male, 23% female, 1% undisclosed
• New hires in FY21: 67% male, 29% female, 4% undisclosed

Colleague resource groups – reviews from each chair

• Race and Ethnicity: Nadia Batool, Data Protection and Governance Officer
• LGBTQIA+: Liz James, Security Consultant
• Neurodiversity: Joy Evans, Chief Data Protection and Governance Officer

We are a global business with colleagues in many different countries around the world. We work hard to be an inclusive workplace, where everyone is treated with respect. Discrimination and harassment due to race or ethnicity are unacceptable and will not be tolerated here. But saying it isn’t enough, and like many companies addressing the systemic racism embedded in our societies, we are planning action to remove barriers for underrepresented individuals that exist within our organisation. Over the past nine months our Race and Ethnicity Steering Committee has covered key themes such as an introduction to race and ethnicity, and cultural intelligence, with guest speakers from North America and the UK discussing how to build an anti-racist organisation.
We have also been working hard on providing colleagues across the Group with resources on inclusive language and behaviours and why representation matters as well as sharing personal and historic experiences of racism across the world.

We believe that a workplace in which colleagues feel safe and empowered regardless of their sexual and romantic orientation, and their gender identity enables everyone to perform at their best. We are at the beginning of a long journey and committed to increasing our awareness and activity in this space to work towards creating an environment that provides inclusion for all underrepresented groups, ensuring their voices are heard.

As the first colleague resource group in NCC Group, launched in 2019, we were delighted to be joined by the other groups to create a broader inclusion and diversity community. This year, our LGBTQIA+ Steering Committee has helped colleagues explore sexual and gender identity in its many forms, taken a deeper dive into the importance of inclusion and hosted talks on topics including how language matters, asexuality, being transgender and transvestism, as well as providing content based on personal experience and informative articles. Together we have utilised our social platforms to provide advice and support to parents of children who sit within the community, written to UK Members of Parliament to show our support against anti-trans bills, made pronoun badges available to colleagues across the globe and given guidance on adding pronouns onto email signatures.

We strive to create a working environment where neurodiversity is embraced. We value all colleagues equally and adjust as necessary to meet the personal needs of neurodiverse individuals.
The NCC Conversations series we’ve led has so far focused on both dyslexia and autism as a subcategory of neurodiversity, where the Steering Committee has been challenging taboos and taking a deeper dive into dyslexia and autism in the workplace through a range of activities including panel discussions, resources, tips for managers and a podcast on parenting an autistic child. Most recently, we’ve invited Lexxic, a specialist consultancy championing and advising on neurodiversity in the workplace, to run an interactive workshop with colleagues to produce a neurodiversity smart roadmap with recommendations and actions based on any gaps identified in our business. This workshop builds on an earlier webinar that was hosted as part of our NCC Conversations series. Neurodiverse individuals bring many strengths that not only need to be understood but further celebrated and valued. At NCC Group we are lucky to work with neurodiverse colleagues who bring many positive attributes to our workplace.

• Gender: Natasha Gardner, Technical Pre-Sales Engineer

We recognise that gender inequality affects everyone across all genders. We want to provide opportunities for every colleague across the Group to be involved, to share experiences and to help set the vision for how we can work together in creating a more gender inclusive and diverse workplace. We are committed to ensuring that equal opportunities are presented across the Group. We will do this by constantly reviewing and improving our hiring processes and examining the channels we use for talent attraction and recruitment, at the same time as leading with an approach of inclusivity and fairness to promote career progression.
Over the past year the Gender Steering Committee, working closely with our people team, has shone a light on mental and physical health with external talks on the menopause and prostate cancer, and internal panels on male mental health as well as publishing an external webpage celebrating some of the incredible women we have working here across the Group. Our recent project, Action Ally, aims to support and educate colleagues on what allyship looks like in certain situations through using examples of uncomfortable instances that colleagues have either experienced or observed throughout their careers in a bid to recognise and call out poor behaviour. We’ve also established NCC Group Women’s International Network (WIN), which is open to those who identify as women and are passionate about championing an inclusive and diverse workforce.

“We recognise that now, more than ever, it’s important for us all to pull together, as families, as colleagues, and as communities. Our giving back day is designed to help colleagues connect with and support local communities and causes that mean something to them.”
Ian Thomas, Managing Director, Assurance UK and RoW

Giving back in our local communities

Through our annual engagement survey and local colleague forums, we know that giving back to our local communities is important to colleagues. Up until more recently these giving back activities have been informal and led entirely locally and colleagues were keen for us to create a more formal giving back activity while still retaining that local action. So last year, in preparation for pandemic restrictions lifting, we developed a pilot giving back programme with colleagues in our UK, Spain and APAC Assurance division. The programme enables colleagues to take one day of additional paid leave in a calendar year, to support a local community or charitable organisation.
During FY22, the programme will be rolled out to the wider Group, ensuring compliance with local requirements relating to volunteering.

Partnering with the UK Small Charities Coalition
In 2019, we launched our partnership with the Small Charities Coalition, organising cyber resilience training workshops to give small charities the practical tools to improve their cyber resilience. In FY 2020, despite the challenges of the pandemic restrictions, we continued to invest in our commitment. Across four virtual workshops, offering ad-hoc advice, and the production of four easy-to-understand cyber security videos, more than ten colleagues invested over 40 hours to help make the world safer and more secure. 71 representatives from small charities across the UK, with an average annual income of less than £190,000, attended our virtual workshops: that means that, on average, the cost of a cyber breach [1] represents at least 1% of those charities’ annual income, highlighting the importance of improved cyber resilience for their future. Moreover, those charities play a fundamental role in their local communities and often work with vulnerable communities, or on sensitive issues, from addiction and mental health support, to supporting asylum seekers, veterans, disabled children or disadvantaged communities.

[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021

[Figure: map with region labels Northern Ireland, Republic of Ireland, Scotland, North, North East, East Midlands, West Midlands, East Anglia, Wales, South West, South East]

I found it so helpful to get a broad introduction about the main areas of cyber security while also getting lots of specific and practical tips about the many things I can do to make our charity as safe as possible.
Workshop attendee

Demonstrating the impact of our work, 80% of charity attendees said they felt better informed on cyber resilience issues and were very keen to implement their learnings. And their combined reach includes the more than 2,500 staff, volunteers and trustees who work with them, and the more than 28,000 service users and beneficiaries they support. Our support has extended to becoming a referral partner for the Small Charities Coalition helpdesk, so that callers with cyber security queries will be routed to our NCC Group experts. This builds on our work with the Federation of Small Businesses’ cyber advice helpline and the Scottish Business Resilience Centre’s cyber incident helpline.

Celebrating our colleagues
We launched our global NCC Diamonds and Stars awards in July 2020 to celebrate the incredible achievements of our colleagues – as they work together and as individuals. Our aim was to create a public platform where we could recognise colleagues and say thank you, as well as to shine a light on these achievements. It helps to instil a sense of pride and accomplishment and, importantly, the value we place on every colleague who every single day helps to make our world safer and more secure. Our team awards – NCC Stars – saw 68 entries highlighting contributions against each of our five nomination categories – Working Together, Being Brilliantly Creative, Embracing Difference, Delighting the Customer and Community Champion. Our global winners were announced in a virtual online ceremony – not allowing the pandemic restrictions to get in the way of our celebrations. Next up in February 2021 we launched our NCC Diamonds, inviting colleagues to nominate their colleagues. We received 498 nominations, which were judged locally, and winners of each category were given an “experience of their choice” prize. The local winners were then submitted to a global judging panel with our global winners being celebrated across the Group.
Nomination categories:
• Working together
• Being brilliantly creative
• Embracing difference
• Inspiring colleague
• Inspiring manager
• Brand ambassador

Global winners

Working together: Carla Strong
Carla is the person you want to go to whenever you need some information or have a problem, or if you’re a fresh face at NCC looking for a little guidance. Along with mentioning her infectious positive energy, her nominators said that Carla is a fount of all knowledge on office administration, facilities management, delivery operations, and any other way she can support colleagues. Her commitment to ensure that everyone has support means she truly is an #NCCDiamond.

Inspiring colleague: Natasha Gardner
Beyond her role as a Technical Pre-Sales Engineer, she is chair of our Gender colleague resource group, a Mental Health First Aider, a member of the UK Colleague Forum, and host of our internal podcast series, NCC Untitled. As her nominators said, she manages each of these responsibilities with an unfailingly positive attitude and puts her heart and soul into everything she does.

Embracing difference: Charlotte Tanner
When her secondment to Sydney was prevented by the Covid-19 pandemic, she still took on the responsibilities of her new Business Partner role, despite being unable to relocate. This meant supporting the APAC team with long, unsociable hours across two time zones! Those who nominated her spoke of her appreciation of cultural differences and acknowledgement and respect of colleagues’ diverse perspectives on issues. This, combined with her flexibility, empathy, and commitment to going above and beyond, has resulted in several brilliant outcomes for her team.

Inspiring people manager: Ben Mitchell
Ben Mitchell was recognised as the global winner of the NCC Diamonds inspiring people manager award for his caring, positive and empathetic attitude.
Those who nominated him mentioned his genuine care for those he manages, his extraordinary support and encouragement, and his willingness to go above and beyond for those who need his help.

Being brilliantly creative: aschmitz
aschmitz was nominated several times for being brilliantly creative, but one example stands out in particular. When we moved to a new system in North America, aschmitz was quick to notice that colleagues required greater functionality than was initially built in. Realising that the data required for the functionality was available to them, aschmitz worked around the clock to develop a tool that would help colleagues use the new system and continue their work uninterrupted. This brilliantly creative idea is a great example of how they jump on opportunities to find solutions and help others.

Brand ambassador: Tim Anderson
Our brand ambassador award acknowledges those who love sharing the brilliant things people get up to across the business. Our global winner, Tim Anderson, kept his network in the loop on recent research, new partnerships, expert insights, and the latest NCC Group news with an unparalleled number of shares. His commitment to letting people know what’s going on at the Group makes him a true #NCCDiamond.

In addition to colleague nominations, CEO Adam Palser selected Sourya Biswas as the recipient of the CEO choice award. Nominated by a significant number of colleagues for a variety of different reasons, Sourya’s impact is felt across NCC Group. Known for delighting customers through brilliantly creative solutions to problems, his expert insight is invaluable. He provides support and guidance for colleagues through guides on technical processes, by setting an admirable example, and by encouraging colleagues to be the best they can be through thoughtful feedback. His speaking engagements and publications demonstrate his great knowledge and provide new opportunities to engage with customers and prospects.
Our focus is on building long-term sustainable relationships, earning trust through meeting our customers’ needs and delivering the highest quality of services. We, and our customers, expect our supply chain partners (and their supply chain) to behave ethically and securely and to treat everyone fairly and with respect. Supply chain partners are an extension of the NCC Group team, and our Supply Chain Code of Conduct exists to clearly articulate the standards and behaviours we expect to see in our supply chain partnerships. Our Code of Ethics sets the standard to which we hold ourselves and we take pride in our approach. We consider the interests of all our stakeholders, including colleagues, when we make decisions on the Group’s future priorities and plans.

Anti-corruption and anti-bribery
We do not tolerate bribery and corruption. We have established policies on anti-bribery and the receiving and giving of gifts and hospitality. Anti-bribery awareness is part of our colleague induction process and regular refresher training is mandated. Colleagues are encouraged to report any concerns to their manager or, if required, our confidential and independent whistleblowing service. The whistleblowing process is overseen by the Audit Committee. We aim to engender in our colleagues principles of honesty and integrity and the desire to work to the best of their ability. We strive to act in a professional, honest and ethical manner in all our dealings with our customers, colleagues, shareholders, suppliers, and the community. Our reputation is paramount and nothing we do should detract from or compromise our standing in the market and the community. Our independence and impartiality as a Group are fundamental. We have a Code of Ethics, which all colleagues are required to adhere to.

Supply chain
Our customers and colleagues respect us for providing a trusted service, and to achieve this we rely on supply chain partners to support our business operations. We are fully aware of the responsibility we have toward our stakeholders and we seek to work with supply chain partners who are equally aware of and proud to uphold these high standards. Our relationship with supply chain partners is based on trust, collaboration and continuous improvement, underpinned by fair contracts.

Human rights (including anti-slavery and human trafficking)
We recognise our responsibility to uphold and protect the rights of individuals in all aspects of our operations across the world. Through our published statement and our global policies, we make it clear that we will observe and uphold the principles contained in the Universal Declaration of Human Rights and the International Labour Organization Fundamental Conventions. We believe that human rights belong equally to all people without distinction as to race, colour, sex, language, religion, political or other convictions, national or social origin, birth or other traits. We support freedom of association, the abolition of forced labour and the elimination of child labour. We have a zero-tolerance approach to modern slavery and are committed to acting ethically and with integrity in all our business dealings and relationships. We communicate this to all our suppliers, contractors, and business partners at the outset of the relationship and regularly thereafter. Our Anti-Slavery and Human Trafficking Statement is available to download from our website.

Governance and oversight
The Board recognises that robust governance and oversight are vital to maintaining a strong business, which can weather a changing business environment. We have a dedicated and independent Global Governance function, which has been designed to work together to ensure seamless oversight of the control environment and management decision making.
This team is made up of:
• Group Legal Services
• Information Security
• Data Protection
• Compliance and Standards
• Health and Safety
• Internal Audit

The Global Governance function reports into the Group Board, or its sub-committees, the Audit Committee and Cyber Security Committee. The primary remit of the team is to validate compliance with the Group’s policies and procedures, legislation and regulations and good practice.

Read more about our governance on pages 70 to 73 and risk management on pages 40 to 48.

This Strategic Report was approved by the Board of Directors and signed on its behalf by:
Adam Palser, Chief Executive Officer, 14 September 2021
Tim Kowalski, Chief Financial Officer, 14 September 2021

Governance

As Directors we recognise the renewed focus on the contribution that a successful company can make to wider society in general, in addition to generating value for shareholders, and as a Board we want to ensure that we have effective engagement with, and encourage participation from, shareholders and other stakeholders

IN THIS SECTION
• Chair’s introduction to governance
• Governance framework
• Board of Directors
• Executive Committee
• Board composition and division of responsibilities
• Shareholder engagement
• Audit Committee report
• Nomination Committee report
• Cyber Security Committee report
• Remuneration Committee report
• Directors’ report
• Directors’ responsibilities statement

Chair’s introduction to governance

Committed to good governance
During the year we have made the commitment that by 2024, we will have at least 33% female representation on our Board and at least one person of colour.
Although this is best practice for FTSE 350 companies, we will commit to this target regardless of which share index we are in. Chris Stone Non-Executive Chair Dear Shareholder The last year has been one of unprecedented upheaval and disorder from the Covid-19 pandemic reaching all parts of the globe and significantly impacting economies everywhere. We as a Board had a very busy year dealing with the impact of the pandemic on the Group and also considering its impact on all of our stakeholders. It is worth noting that we have taken no government subsidies or loans (other than deferring tax payments), nor have we made any colleagues redundant or furloughed them during the pandemic. We continued to pay dividends, in line with our policy, throughout the year. We have also been engaged with the Executive Team in ensuring that all of our colleagues received the best support we could give them, specific to each of their individual needs, to manage in these new and changed circumstances. I have been very impressed by the depth and quality of the colleague support programme that the team has delivered. The Board is committed to creating and maintaining a culture where strong levels of governance thrive throughout the organisation, specifically ensuring that we send out consistent messages on our values and acceptable behaviours for our colleagues, our customers, our suppliers and our advisers. 

2020/21 highlights
• Continued to hear from our designated NED for workforce engagement who reports to every Board meeting
• Supported management in the major acquisition of Iron Mountain’s Intellectual Property Management (IPM) business which will now form part of our Global Software Resilience division
• Obtained a better understanding of our stakeholders and how we engage with them
• An increased focus on ESG matters
• Kept normal Board meetings and strategy day scheduled during lockdown with no meetings cancelled

2021/22 priorities
• Continuing to focus on our stakeholders, particularly colleague engagement
• Restarting off-site and overseas Board meetings to support better engagement with all colleagues
• A focus on diversity around the Board table with our commitment to gender and ethnic diversity by 2024
• Continuing to focus on succession planning and diversity and inclusion amongst our wider colleague population

Governance standards
As a Board we have focused our attention on the requirements of the UK Corporate Governance Code 2018 (the ‘Code’) and are reporting against this Code in our Annual Report and Accounts. A key focus for the 2018 Code is culture and ensuring that it aligns with the Group’s purpose, strategy and values. Culture has been high on the Board’s agenda for some time and the Board considers culture to be an essential ingredient in meeting our long-term, sustainable returns to shareholders and indeed our stakeholders. The Board, the Executive Committee and the senior management continue to promote our culture and standards throughout the business and lead by example to provide a strong corporate governance framework. One of the most significant changes to the Code affecting NCC Group is in respect of workforce engagement. Our main stakeholder is our colleagues and we wanted to develop meaningful mechanisms to ensure that we, as a Board, have meaningful and regular dialogue with our dedicated and committed workforce.
This then puts us in a strong position to deliver our strategy. To assist us with this, during the year, Jennifer Duvalier, a Non-Executive Director, has continued her excellent work as our designated Non-Executive Director for workforce engagement. Jennifer (along with other Non-Executive colleagues, including me) has been meeting (albeit virtually) and speaking with colleagues around the world and reporting back on findings at each Board meeting via a dedicated agenda slot. We have not let Covid-19 be a barrier to hearing our colleagues’ opinions around the Board table. As a people business, this is a crucial area for us to focus on and get right. Towards the end of our financial year, we re-joined the FTSE 350 so we are now reflecting on the new governance provisions that are now relevant and we will report back on these next year.

[Chart: Board tenure as at 31 May 2021, on an axis running from 31 May 2015 to 31 May 2021. Directors shown: Chris Stone, Adam Palser, Tim Kowalski, Chris Batterham, Jonathan Brooks, Jennifer Duvalier, Mike Ettling. Tenure labels: 6 years 1 month, 4 years 2 months, 3 years 6 months, 2 years 10 months, 4 years 3 months, 3 years 1 month, 3 years 8 months.]

Our approach
As individual Directors we recognise our statutory duty to act in the way we each consider, in good faith, would be most likely to promote the success of NCC Group for the benefit of its members as a whole, as set out in section 172 of the Companies Act 2006. Our role as the Board is to set the strategy of the Group and ensure that management operates the business in accordance with this strategy. We believe this approach will promote the Group’s long-term success and our customers’ interests as well as create value for shareholders and have regard to our other key stakeholders such as our colleagues. The Board’s intention is to hand over the business to our successors in a better and more sustainable position for the future.
We recognise the renewed focus on the contribution that a successful company can make to wider society in general in addition to generating value for shareholders, and as a Board we want to ensure that we have effective engagement with, and encourage participation from, shareholders and other stakeholders. During the year we have reflected on who our key stakeholders are and assessed our current engagement mechanisms to ensure the effectiveness of that engagement. We then factor into our decision making any feedback from that engagement. Board changes We have made no changes to the Board during the year. The biographies of all the Board members can be found on pages 74 and 75. Board composition and diversity With regard to our current diversity, I am satisfied that we have an appropriately diverse Board in terms of experience, skills and personal attributes among our Board members. The Directors have many years of experience gained across a variety of industries and sectors, ensuring a mix of views and providing a broad perspective. All that said, we recognise that we still have much progress to make in terms of improving the diversity of the Board and our Executive Team (and indeed our workforce as a whole). With that in mind, during the year we have made the commitment that by 2024, we will have at least 33% female representation on our Board and at least one person of colour. Although this is best practice for FTSE 350 companies, we will commit to this target regardless of which share index we are in. (To achieve this commitment by 2024 based on our current Board size of seven Directors, we would need to have at least three female Directors out of the seven. At least one of the seven would be a person of colour). We will look to address this during future Board and Executive Committee appointments. 
Given that this is a fairly young Board in terms of tenure, this improvement in diversity will not be a quick process but we are very mindful of the need to take positive action, and the matter is fully on our agenda. Accessing the candidates we require to reach this target will involve us looking beyond the obvious pool of existing board directors within the UK and we intend to ensure that we extend our talent search to other sectors and countries to ensure we find a diverse pool of candidates from which to choose to provide us with true diversity around our Board table.

Effectiveness
As Chair, I am responsible for providing leadership to ensure that the Board operates effectively. I have been supported in this by all the Directors, in particular Chris Batterham, our Senior Independent Director. The annual reviews of Board effectiveness help the Board to consider how it operates and how its operations can be improved. This year, the review was undertaken internally and the findings of this review have provided us with ideas to further improve the manner in which the Board operates, and build on previous evaluations. The results were very useful and insightful and have been incorporated into our plans for the coming year. In particular, Board succession planning remains a priority, particularly as we look to ensure the Board and Executive Committee have the right set of skills and experience to support the Group as the business evolves. I have been very impressed about how effectively the business as a whole, and indeed the Board, has transitioned to remote working during the Covid-19 pandemic.
Although I feel that longer meetings are best done face to face, we have continued to hold all of our scheduled Board and Committee meetings as planned and also our strategy day in March, which all attendees agreed was our best strategy session to date. While being mindful of the impact of Covid-19 on the wider world and us as a business, our approach as a Board has been one of “business as usual” and we continue to focus on important longer-term strategic and governance issues facing the Group, while supporting management on more short-term tactical decisions. Despite most colleagues working from home, we managed to successfully purchase Iron Mountain’s Intellectual Property Management (IPM) business which will now form part of our Global Software Resilience division. The acquisition meant that we held a number of additional Board meetings throughout the year, and I was very grateful for the flexibility demonstrated by my colleagues to make sure that they were available for this process. As lockdown eases, the Board is very much looking forward to holding some in-person meetings and reconnecting with our colleagues as part of office and site visits. Our investors We are in regular contact with our large investors through a regular scheduled programme of meetings attended by either our CEO or CFO or both of them. Chris Batterham, our Senior Independent Director, and I are also available to meet with investors should the need arise. I met with our larger investors in February/March 2021 and fed back my findings to Board colleagues at the next Board meeting. In addition, our brokers undertook an investor survey on the back of our half year results in January and the results of this were presented and discussed at a Board meeting. Our aim is to engage with our shareholders in an open and meaningful way. 
Ensuring that the Directors’ remuneration packages align the Directors’ and senior managers’ interests with the long-term interests of NCC Group and its shareholders is always a key area of interest for investors. Our Directors’ Remuneration Policy was last approved by shareholders at the 2020 AGM and at the 2021 AGM we will be asking shareholders to approve a new Remuneration Policy. The 2020 Directors’ Remuneration Policy received 81.44% of votes in favour at the 2020 AGM. Our 2018 and 2019 Directors’ Remuneration Reports received over 99% of votes in favour, recognising the continued support of our shareholders for our approach to executive remuneration, so naturally we were very disappointed with the voting outcome of the 2020 AGM of only 51.53% votes in favour. Jonathan Brooks, as our Remuneration Committee Chair, consulted with our shareholders who voted against the Remuneration Report following this significant vote against and we published our response on 2 February 2021 which can be read here, https://www.nccgroupplc.com/media/zfhhxutu/voting-results-of-2020-annual-general-meeting.pdf. The UK Corporate Governance Code 2018 has increased the role and remit of the Remuneration Committee and this is reported on within the Remuneration Report. As part of our new Remuneration Policy, we will be aligning our Executive Directors’ pensions with our wider colleague population, and introducing post-employment shareholding rules.

Statement of compliance with the UK Corporate Governance Code
The Company measures itself against the requirements of the UK Corporate Governance Code 2018 (the ‘Code’), which is available on the Financial Reporting Council website (www.frc.org.uk). From 1 June 2020 to 31 May 2021, the Company complied with the Code in full with the exceptions that our CEO and CFO pensions were not in alignment with our general colleague population, and we do not have post-employment shareholding guidelines.
Both of these areas of non-compliance will be attended to post our 2021 AGM and subject to shareholder approval of our new Directors’ Remuneration Policy. Also between 1 June 2020 and 31 May 2021, the Company did not engage with the workforce to explain how executive remuneration aligns with the wider Company pay policy as required by the Code. However, the Remuneration Committee compares information on general pay levels and policies across the Group when setting Executive Director pay. Jennifer Duvalier undertakes regular colleague engagement sessions where colleagues are able to ask about Executive Director pay. During the year no questions or concerns on executive pay were raised to Jennifer.

Thank you
We are immensely proud of our colleagues for their extraordinary efforts during the pandemic, recognising that many were working from home in far from ideal circumstances, acting in the best interests of our customers and our stakeholders. I would like to thank all our colleagues for their incredible contribution in stepping up and meeting the unprecedented challenges of the Covid-19 pandemic.

Chris Stone
Non-Executive Chair
14 September 2021

Governance framework
The different parts of the Company’s governance framework are shown below, with a description of how they operate and the linkages between them.

Board
Provides leadership and is responsible for the overall management of NCC Group, its strategy, long-term objectives and risk management. It ensures the right Company structure is in place to deliver long-term value to shareholders and other stakeholders.

Board Committees
Support the Board in its work with specific areas of review and oversight objectives and risk management. They ensure the right Company structure is in place to deliver long-term value to shareholders and other stakeholders.

Audit Committee
Primary function is to assist the Board in fulfilling its financial and risk responsibilities. It also reviews financial reporting, the internal controls in place and the external audit process. Read more on pages 88 to 94.

Nomination Committee
Responsible for considering the Board’s structure, size, composition, diversity and succession planning. Read more on pages 95 to 97.

Cyber Security Committee
Responsible for overseeing and advising on the Group’s exposure to cyber risk and its future cyber risk strategy, its cyber security breach response and its crisis management plan and the review of reports on any cyber security incidents. Read more on pages 98 and 99.

Remuneration Committee
Responsible for determining the overall remuneration of the Executive Directors and the remuneration of senior managers (ExCom) within the broader institutional context of remuneration practice. Read more on pages 100 to 118.

Chief Executive Officer
Has responsibility for managing the business and overseeing the implementation of the strategy agreed by the Board.

Executive Committee (ExCom)
Currently comprises the Group’s most senior business and operational executives. It is responsible for assisting the Chief Executive Officer in the performance of its duties including:
• Developing the budget
• Reviewing the Company’s policies and procedures
• Monitoring the performance of the different divisions of the Company against the plan
• Carrying out a formal risk review process
• Prioritisation and allocation of resources
• Overseeing the day-to-day running of the Company
• Being responsible for people, talent and culture

For further details on Board composition and division of responsibilities see pages 78 to 86.

Board of Directors
Our business is led by our Board of Directors.
Biographical and other details of the Directors as at 31 May 2021 are as follows: Chris Stone Non-Executive Chair Adam Palser Chief Executive Officer Tim Kowalski Chief Financial Officer and Company Secretary N C Chris Batterham Senior Independent Non-Executive Director A C N R Appointment to the Board: 6 April 2017 Appointment to the Board: 1 December 2017 Appointment to the Board: 23 July 2018 Appointment to the Board: 1 May 2015 Career experience Prior to NCC Group, Adam was the CEO of NSL Ltd, the public services provider. He joined NSL in 2015 and led the successful transformation and sale of the business for its private equity owner. Between 2003 and 2013 Adam performed a number of different roles at QinetiQ including taking responsibility of QinetiQ’s cyber, information warfare and professional services businesses. External appointments Adam does not currently have any external appointments. Internal appointments Adam is an Executive sponsor of the Gender resource group. Career experience Chris has held various Non-Executive Director and Chief Executive roles at listed and private equity backed technology companies. He was CEO of Northgate Information Solutions plc from 1999 to 2008, until its sale, and stayed as CEO until 2011. From 2013 to 2016, he was CEO of Radius Worldwide. Chris was also a Non-Executive Director of CSR plc, and Chair of the Remuneration Committee, from 2012 until its sale in 2015. Chris was also Chair of AIM listed CityFibre plc from January 2017 until June 2018, when it was sold to private equity buyers. External appointments Chris is the Chair of Everynet BV, a privately owned Internet of Things infrastructure business, and Chair of AIM listed Idox plc. Chris is also a Non-Executive Director of Rural Broadband Solutions Plc. Career experience Tim is an accomplished CFO with significant listed and private company experience. 
Prior to joining NCC Group, Tim was Group Finance Director of Findel Plc between 2010 and 2017 and prior to that held similar roles with Homestyle Group Plc and N Brown Group Plc. Tim has significant experience of divisional financial management within the hospitality sector. Tim qualified as a Chartered Accountant with KPMG and spent his early career there. Tim has a wide breadth of finance expertise obtained from experiencing differing finance roles within organisations and also within a variety of companies, and has been involved in a number of high profile financial turnarounds. External appointments Tim does not currently have any external appointments. Internal appointments Tim is an Executive sponsor of the Race and Ethnicity resource group. Career experience Chris is a qualified Chartered Accountant, spending his early career with Arthur Andersen, and also has significant experience in senior finance roles across the technology sector. Chris was Finance Director of Unipalm plc (the first internet company to IPO in the UK) from 1996 until 2001, before becoming CFO of Searchspace Limited until 2005 and has since held a wide variety of non-executive and advisory roles, the majority having a technology focus. External appointments Chris is currently the Senior Independent Director and Non-Executive Deputy Chair of Blue Prism Group plc (and also chairs the nomination committee, as well as being a member of its audit and remuneration committees) and Non-Executive Director at Nanoco Group plc (and also chairs the audit committee, as well as being a member of its nomination and remuneration committees). Chris is also Chair of Racing Digital Limited. 
Committee key:
A Member of Audit Committee
C Member of Cyber Security Committee
N Member of Nomination Committee
R Member of Remuneration Committee
Committee Chair

[Figure: Diversity of skills and experience. Labels: Strategy development, Sales and marketing, Human resources, Corporate governance, Financial management, M&A, Professional services]

Jonathan Brooks, Independent Non-Executive Director
Jennifer Duvalier, Independent Non-Executive Director
Mike Ettling, Independent Non-Executive Director
R A C N C N R A
Appointment to the Board: 16 March 2017
Appointment to the Board: 25 April 2018
Appointment to the Board: 22 September 2017

Career experience
Jonathan was Chief Financial Officer of ARM Holdings plc from 1995 until 2002. He has since held a number of Non-Executive Director positions with listed and private technology businesses, including chairing the audit committees at IP Group, Aveva Group, FDM Group, Sophos Group PLC, and e2v PLC. He also chaired the remuneration committees of IP Group and Xyratex Ltd, where he also served as Chair between 2011 and 2013.

External appointments
Jonathan does not currently have any external appointments.

Career experience
Jennifer was Executive Vice President of People at ARM Holdings plc, with responsibility for all people and internal communications activity globally, from September 2013 to March 2017.

External appointments
Jennifer is currently the Senior Independent Director of Trainline plc (where she is also a member of the audit and risk, nomination and remuneration committees) and an independent Non-Executive Director and Chair of the Remuneration Committee of Mitie Group plc (as well as being a member of its nomination committee) (she is also the designated Non-Executive Director for colleague engagement at both companies) and of Guardian Media Group plc.
She is Non-Executive Director of The Cranemere Group Ltd, a member of The Council of the Royal College of Art and Chair of the Remuneration Committee, and a senior adviser to the Cleveland Clinic London and M Squared.

Career experience
Mike has strong sector and non-executive experience. He has had an extensive career in global technology businesses including SAP-SuccessFactors, NorthgateArinso, Unisys, Synstar and EDS and was formerly a Non-Executive Director of Backoffice Associates LLC, a US PE backed data business, and also formerly a Non-Executive Director of Telkom BCX Ltd, a South African IT and telecommunications business. Mike has also served as a Non-Executive Director with Topia Inc, a Silicon Valley cloud relocation software business.

External appointments
Mike is currently CEO of Unit4, a world leader in enterprise applications for services and people organisations. He is also Non-Executive Director of Impellam PLC, an AIM listed recruitment business.

Executive Committee

Max Baldwin, Group Sales and Marketing Director
Max joined the Group in October 2019 and is responsible for inspiring and challenging its business growth plans towards continued sustainable and profitable revenue. Max owns the Group Marketing function and provides regional sales and portfolio teams with global insight, tools, techniques and direction that support their business winning objectives. Max was the Executive sponsor of the Race and Ethnicity resource group in FY21.

Steve Boughton, Global Operations Director
Steve is responsible for our Group transformation programme and for Group central services around the world.
He joined the business in March 2018 from the NSL Group where he was the Chief Operating Officer supporting the business through its sale in 2017, and previously served as Managing Director of QinetiQ’s technical advisory business, leading software and service subsidiaries in the UK, Canada and Australia. In FY22 Steve will be the Executive sponsor of the new Accessibility resource group.

Simon Fieldhouse, Global Managing Director, Software Resilience
Simon is Global Managing Director of the Software Resilience division, with locations in the UK, the USA, Europe and the Middle East. Simon is focused on returning the division to sustainable growth, supporting Group investment in product innovation to underpin growth across our EaaS cloud portfolio. Having completed the acquisition of the Intellectual Property Management company from Iron Mountain, Simon is leading the integration of the IPM business into NCC Group. Prior to NCC Group, Simon was the CEO of Hardware.com, an international value-added reseller of hybrid IT solutions operating in the UK, the USA, Europe and South Africa. In FY22 Simon will be Executive sponsor alongside Tim Kowalski of the Race and Ethnicity resource group.

Yvonne Harley, Global Director of Sustainability and Corporate Affairs
Yvonne is Global Director of Sustainability and Corporate Affairs responsible for driving our sustainability strategy and setting communication standards, channels, brand reputation, colleague communication, public relations and crisis communication as well as co-sponsoring our inclusion and diversity engagement initiatives with Chief People Officer, Colin Watt. Joining the Group in July 2018, Yvonne has international experience across a range of industry sectors, which includes senior roles in financial services, oil and gas, and shipping.
Robert Horton, Global Head of Assurance Delivery
Robert has worked in a number of areas across the Group, most recently on the creation of the single European division. He is also the Executive sponsor for Global Managed Services. Currently he is involved in the business transformation programme driving business alignment. Robert was a Director of NGS Software, a security consulting company he co-founded, from its formation in 2001 through to its acquisition by and successful integration into the Group in 2008.

Nick Rowe, Managing Director, Assurance North America
Nick is Managing Director of the North American Assurance division based in California. He has held positions across business development, consulting and operations management since joining the firm in 1998. Currently Nick is responsible for the Group’s North American operations since relocating from the UK in 2013 and while the primary focus is on the growth of this region Nick also sponsors global initiatives across sales, marketing and, as part of the Group-wide commitment to diversity and inclusion, the Neurodiversity resource group in FY21.

Inge Bryan, Managing Director, Assurance Europe
Ian Thomas, Managing Director, Assurance UK and RoW

Inge is Managing Director for NCC Group’s Continental European operations, including Fox-IT and the former Fort Consult brand (Denmark). With a strong career in cyber and security she has previously held roles with the Dutch National Police and the General Intelligence and Security Service of the Netherlands and served as Home Affairs Counsellor in the Royal Netherlands Embassy in Paris. Before she joined NCC Group Inge was part of the cyber security leadership team with Deloitte Risk Advisory, securing the critical infrastructure of the Netherlands, including central government.
In 2019 she was listed in the top 100 most influential women in the Netherlands and one of the 50 most inspiring women in tech. In FY22 Inge will sponsor the Neurodiversity resource group.

Ian joined NCC Group in December 2018 and is responsible for the Group’s UK and RoW Assurance division and acts as Executive sponsor for Global Professional Services and for the LGBTQIA+ community. Prior to that he was UK MD at Sopra Steria for two and a half years, following a successful interim career working for a number of global businesses and private equity backed firms, in Managing Director and Sales Director positions. He was at Cable&Wireless for eight years, where he ran global service assurance and the wholesale and public sector divisions. Ian’s early career includes 14 years at British Airways.

Colin Watt, Global Chief People Officer
Colin is the Global Chief People Officer for NCC Group. He is responsible for the human resources team across the Group, as well as being the co-sponsor with Yvonne Harley on the Group’s inclusion and diversity initiatives. Prior to joining NCC Group, Colin was the Director of Employee Engagement and Relations at Shop Direct, the online digital retailer. He previously held a number of senior leadership roles in Telefonica’s O2UK, research, European and global HR teams and Co-operative Financial Services.

Ollie Whitehouse, Chief Technical Officer
Ollie is Chief Technical Officer at NCC Group responsible for the Group’s technical strategy, research, product and development functions. Ollie is ultimately tasked with ensuring that NCC Group is well placed with capability and technology to exploit market opportunities now and in the future. In FY21 Ollie was the Executive sponsor of the Gender resource group. Joining the Group in 2012, over the past 25 years Ollie has worked in a variety of cyber security consultancy, applied research and management roles.
Ollie is Chair of a science advisory council to the UK government and is an adviser on matters of cyber security to several government departments.

Board composition and division of responsibilities
Role profiles are in place for the Chair and Chief Executive Officer, which clearly set out the duties of each role.

Role: Responsibilities

Chair of the Board (Chris Stone):
Is responsible for the running and leadership of the Board, setting its agenda and ensuring its effectiveness on all aspects of its role, and promoting a culture of openness, debate and the highest standards of corporate governance. The Chair, in conjunction with the CEO and other Board members, plans the agendas, which are issued with the supporting Board papers in advance of the Board meetings. These supporting papers provide appropriate information to enable the Board to discharge its duties which include monitoring, assessing and challenging the executive management of the Group.

Chief Executive Officer (Adam Palser):
Together with the senior management team (ExCom), is responsible for the day-to-day running of the Group’s business, implementing the strategy and policies approved by the Board, and regularly providing performance reports to the Board. The role of CEO is separate from that of the Chair to ensure that no one individual has unfettered powers of decision.

Chief Financial Officer (Tim Kowalski):
Works closely with the CEO with specific responsibility for all financial matters, including Group accounting policies, financial control, tax and treasury management, risk management and financial probity. The CFO is also accountable for the transparency and appropriateness of management information and key performance indicators, internally and externally.

Senior Independent Director (Chris Batterham):
Provides a sounding board for the Chair and serves as an intermediary for other Directors, colleagues and shareholders when necessary. The main responsibility is to be available to the shareholders should they have concerns that they have been unable to resolve through normal channels or when such channels would be inappropriate.

Non-Executive Directors (Jonathan Brooks, Jennifer Duvalier and Mike Ettling):
Bring experience and independent judgement to the Board. Maintain an ongoing dialogue with the Executive Directors which includes constructive challenge of performance and the Group’s strategy.

Designated Non-Executive Director for engagement with the workforce (Jennifer Duvalier):
Leads on Board engagement with the workforce (please see separate section on page 80).

Company Secretary (Tim Kowalski):
Ensures good information flows within the Board and its Committees and between senior management and Non-Executive Directors. The Company Secretary is responsible for facilitating the induction of new Directors and assisting with their professional development as required. All Directors have access to the advice and services of the Company Secretary to enable them to discharge their duties as Directors. The Company Secretary is responsible for ensuring that Board procedures are complied with and for advising the Board through the Chair on governance matters. The appointment and removal of the Company Secretary is a matter for the Board as a whole. Tim is supported with his company secretarial duties by a Deputy Company Secretary.

Meetings and attendance
The Board considers that each Director is able to allocate sufficient time to the Company to discharge their responsibilities effectively. The Non-Executive Directors are contracted to spend a minimum of 24 days per annum on the Group’s affairs, and the Chair 60 days.
A summary of each current Director’s attendance at meetings that they were eligible to attend of the Board and its Committees during the financial year ended 31 May 2021 is shown below. Unless otherwise indicated, all Directors held office throughout the year. More Board meetings than usual were held during the year due to the delayed full year results caused by Covid-19, plus the acquisition of IPM.

[Table: attendance at Board, Audit, Nomination, Cyber Security and Remuneration Committee meetings for Chris Stone, Adam Palser, Tim Kowalski, Chris Batterham, Jonathan Brooks (1), Jennifer Duvalier and Mike Ettling (2)]

1 Was absent for July 2020’s meetings due to sudden illness. Jennifer Duvalier chaired the July 2020 Remuneration Committee meeting.
2 Was absent due to personal circumstances.

What have we looked at as a Board during 2020/21?
At every meeting the Board reviews the minutes from the previous meeting and the status of any outstanding actions. Colleague engagement is a standing agenda item presented by Jennifer Duvalier as our designated Non-Executive Director for workforce engagement. The CEO and CFO present their monthly performance update reports, which are also circulated to Board members in months where there is no scheduled Board meeting. Over the year, the Board has had reports on the Group’s trading in light of Covid-19 along with the defensive measures the Group has taken in response to the pandemic. Potential opportunities created by Covid-19 have also been discussed. A significant proportion of the Board’s time has been spent on the IPM acquisition.
The Board has also reviewed the following during 2020/21: Leadership and colleagues • Received an update on colleague engagement and the results of the annual colleague engagement survey • Approved a number of share scheme grants to colleagues including UK Sharesave, International Sharesave (in Australia, Denmark, the Netherlands, and Spain), and the Employee Stock Purchase Plan (in the US and Canada) • Discussed a colleague death in service and approved the placing of the insurance proceeds into trust for the beneficiary • Continued with the colleague engagement programme, with an appointed designated Non-Executive Director leading, with an update to the Board at every Board meeting • Appointed a European Managing Director for Assurance (Inge Bryan) • Had a presentation from the Global Head of Research and Development Strategy • Received regular updates on the Group’s transformation programme, “Securing Growth Together” (SGT) • Held a dedicated one day strategy session (see page 80) • Discussed the strategy day and the key points arising out of it, and had a strategy day progress check six months later • Approved a Group entity reorganisation and the establishment of subsidiary companies in Belgium, Germany and Sweden • Discussed a number of sector IPOs plus investments that competitors had made during the year Governance • Completed the Board, Committee and Chair effectiveness reviews and discussed the results of these reviews, agreeing on key focus areas for the coming year • Approved the Notice of AGM and Proxy Form • Had a number of presentations on the Group’s ESG work and progress (labelled as “sustainability” internally) • Attended the AGM and the general meeting to seek shareholder approval for the IPM acquisition • Recommended new share plan rules to shareholders for approval at the AGM • Received a governance and audit update from KPMG • Had presentations on the Group’s key stakeholders, e.g. 
our customers, suppliers and network, and reflected on Board stakeholder engagement and improving the mechanisms for this • Noted and approved the updated Code of Ethics Policy • Had a presentation from a representative from the National Cyber Security Centre • Received updates on a number of high profile cyber attacks that had been targeted at other companies and organisations • Approved some minor amendments of an administrative nature to share plan rules • Discussed and approved the Group’s Modern Slavery Statement • Reviewed Directors’ outside directorships and potential conflicts of interest and also Directors’ shareholdings, along with the annual review of Non-Executive Director independence Financial • Reviewed and approved the Annual Report and Accounts, ensuring that it is fair, balanced and understandable • Discussed and approved the full year and half year results and associated presentations to investors • Approved the interim and final dividends and discussed the dividend policy • Noted and approved the 2020/21 Group insurance cover renewal and had a presentation from the Group’s insurance brokers • Discussed and approved the 2021/22 budget • Received presentations from the brokers and financial PR advisers • Considered and approved trading updates at the full and half year end • Received regular updates from investor meetings and noted circular investor letters • Received presentations on shareholder perspectives on the Company • Continued with the colleague engagement programme, with an appointed designated NED leading the Board’s engagement activities Other Group business • Numerous Board meetings, discussions and presentations from colleagues and external advisers on the IPM acquisition • Kept updated on a number of strategic projects including the implementation of new business systems such as Salesforce and Workday and SGT • Had a presentation on the Group’s Transport practice • Approved a number of major customer contracts and bids • Received 
regular updates on material litigation affecting the Group

Board strategy session
In March 2021 the Board held a dedicated one day strategy session which allowed for “deep dives” into all aspects of the Group’s business. As the Group remains focused on the successful execution of its strategy, the March 2021 Board strategy day presented an opportunity to understand the trends and changes in the cyber and software resilience markets, assess the Board’s confidence in the Group’s strategic direction, and discuss our preparedness to make any future changes.

To prepare, Board members received a briefing pack in advance of the day which contained a concise, high level presentation for each business unit, including an overview of global and regional inclusion and diversity initiatives and colleague engagement programmes, along with additional background briefing material, to allow for high quality presentations and discussions on the day.

The Board strategy day itself focused on our Global Software Resilience and Global Assurance divisions. Advisers and brokers offered an external view of the broader market environment for both, before the divisions’ Managing Directors presented to the Board on their transformation plans for growth, provided their reflections on NCC Group’s opportunities within Europe and beyond, and outlined progress and expectations for the Group’s growth propositions, notably the Microsoft Sentinel and Remediate offers. Following an open exchange of views between Managing Directors and the Board to discuss any outstanding questions, the Board strategy day concluded with a Board only discussion that focused on driving long-term value creation for NCC Group.
The Board agreed that the 2021 strategy day had been the best to date, provided thought provoking and inspirational insights, and demonstrated the Group’s decisive strategic action to realise its vision. Managing Directors used the feedback from the day to inform their 2021/22 budget considerations and associated approvals, and a progress check will be held at the halfway point to the 2022 strategy day to ensure that the agreed actions remain on track and the Group remains in the best possible position to increase its chances of success.

Colleague engagement
I have really enjoyed getting out and meeting with colleagues across the Group albeit virtually. I have been very pleased by the positive comments received and have been impressed by the people I have met and their engagement and dedication particularly working remotely, with a number of recent joiners never having met their colleagues in person! Of course, there are things to be addressed, of which some are “quick wins”, but some matters will take longer to address. Colleagues also make really helpful suggestions as to how we can improve how the business runs which I feed back to management. I hope that as the designated Non-Executive Director I am able to facilitate positive change and ensure that the colleague voice is heard strongly within the boardroom and reflected within all the decisions we as a Board make that impact our most important stakeholder.
Jennifer Duvalier
Designated Non-Executive Director

Jennifer Duvalier is the Board’s designated Non-Executive Director to lead the Board’s colleague engagement programme. Jennifer also undertakes the designated Non-Executive Director role at both Trainline plc and Mitie Group plc meaning she has the relevant experience as to what is needed and can draw on her successful HR career. She is committed to understanding the views of our colleagues and ensuring they are incorporated into the Board’s decision-making process.
Colleagues were introduced to Jennifer via our internal social channels where she explained her role through a video and written communications. Jennifer has access to these channels to enable her to engage fully outside of the formal events. Jennifer has not let Covid-19 get in the way of her engagement activities and the past year has been a busy one with Jennifer meeting colleagues virtually from Australia, the Netherlands, San Francisco, Seattle, Canada, Singapore, Japan and Spain. We were keen to build on the momentum in the previous year.

Jennifer is sometimes joined by our Chair, Chris Stone, or other Non-Executives, to meet colleagues, all of whom are invited from below the mid-management level and all parts of the business to ensure diversity of thought. We ensure that no one has their line manager in the (virtual) room to ensure they can speak freely and tell Jennifer what is on their mind. Feedback from each session’s participants is shared anonymously to the Board and to our CEO, Adam Palser. This enables action to be taken, further strengthening the value of listening. Colleagues attending are invited to give their feedback and, so far, results have been positive and valued.

Independent advice
All Directors have access to the advice and services of the Company Secretary and Directors are entitled to take independent professional advice if necessary, at the expense of the Company.

Conflicts of interest
The Companies Act 2006 requires Directors to avoid situations where they have, or could have, a direct or indirect interest that conflicts or potentially conflicts with the interests of the Company. The Company’s Articles of Association require any Director with a conflict or potential conflict to declare this to the Board.
That Director will not then be involved in the discussions relating to the proposal, transaction, contract or arrangement in which they have an interest, unless agreed otherwise by the Directors of the Company in the limited circumstance specified in the Articles of Association, nor will they be counted in the quorum or be permitted to vote on any issue in which they have an interest. Directors are required to inform the Board without delay should they be aware of any actual or potential conflicts of interest and a check on conflicts is undertaken each year with a report to the Board.

Board independence
As required by the Code, at least 50% of the Board, excluding the Chair, are independent Non-Executive Directors. The Board comprises two Executive Directors, four independent Non-Executive Directors, and the Non-Executive Chair. The Board has debated and considers that all of the current Non-Executive Directors are independent, and in so doing considered the profile of all of the individuals, concluding that none of them:
• Has ever been a colleague of the Group
• Has ever had a material business relationship with the Group or receives any remuneration other than their salary or fees
• Has close family ties with the advisers, other Directors or senior management of the Group that could reasonably be expected to cause a conflict
• Holds cross-directorships or has significant links with other Directors through involvement with other companies or bodies
• Represents a significant shareholder
• Has at the point of this report served on the Board for more than nine years from the date of their first election

The Non-Executive Directors provide a strong independent element on the Board and are well placed to constructively challenge and help develop proposals on strategy and succession planning. Between them they bring an extensive and broad range of experience to the Group.
Details of the Directors’ respective experience are set out in their biographical profiles on pages 74 and 75. The terms and conditions of appointment of Non-Executive Directors are available for inspection at the Company’s registered office during normal business hours.

Diversity
The principle of Board diversity (and indeed diversity across the Group) is strongly supported by the Board. It is the Board’s policy that appointments to the Board will always be based on merit so that the Board has the right balance of individuals in place. The Board recognises that diversity of thought, approach and experience is an important consideration and is therefore one of the selection criteria used to assess candidates prior to any Board appointments. Read more about diversity in the Nomination Committee Report on pages 95 to 97. The Company’s policy is to find, develop and maintain a diverse workforce at all levels with an initial focus on developing a culture where women can achieve and retain senior positions.

Annual re-election
In accordance with the Code, any Directors appointed in the financial year are subject to election by shareholders at the AGM and, in line with best practice, all the other Directors are subject to re-election annually.

Director induction, training and development
No new members of the Board were appointed during the year. New Directors are provided with an induction on appointment, which would include visits to the Group’s operations and meetings with operational and executive management. Each Director’s induction is tailored to their experience and background with the aim of enhancing their understanding of the Group’s strategy, business, operating divisions, colleagues, customers, suppliers and advisers and the role of the Board in setting the tone of our culture and governance standards. The Company acknowledges the importance of developing the skills of the Directors to run an effective Board.
To assist in this, Directors are given the opportunity to attend relevant courses and seminars to acquire additional skills and experience to enhance their contribution to the ongoing progress of the Group. All of the Directors attend sessions which are aimed at updating the Board on trends and developments in corporate governance.

Board and Committee effectiveness review
The performance of the Board and its Committees is appraised annually and an internal effectiveness review was completed for 31 May 2021. The overall rating was very positive meaning that the Board and its Committees continue to function well. The results were presented to the May 2021 Board meeting and the Chair also held one-to-one calls with Board colleagues for “deeper dives” into any areas they wished to discuss in more detail and with the CEO to discuss areas highlighted by the evaluation process. We have also scheduled in a progress check in September 2021 to ascertain how we are doing against our proposed improvements and whether we need to do anything different in the second half of the financial year.

The evaluation identified changes which would improve the working of the Board, including:
• An increased focus on diversity
• Assessing and monitoring culture
• A continued focus on strategy and strategic discussion
• An increased focus on succession planning and ensuring that these plans are reviewed on a regular basis
• An increased focus on CSR/ESG

Although all of the above were considered important, it was agreed that the key area to focus on would be succession planning.

How will we improve in these areas?
To focus on these actions, we have agreed the following: Action Progress and our plan An increased focus on diversity • Firm commitment to at least 33% female representation and at least one person of colour on the Board by 2024 Assessing and monitoring culture • Presenters to the Board encouraged to highlight diversity statistics within their business area as happened during the strategy day, when each presenter did this • Appointment of Inge Bryan as Managing Director of NCC Assurance Europe • Unconscious bias training has now been completed by the Board with the ExCom having already completed it • Significant work underway internally on creating an inclusive culture throughout the organisation • More Board discussion on ensuring our culture aligns with our values • Regular updates on how colleagues were coping with remote working during Covid-19 and the support available to them • Presenters to the Board encouraged to highlight culture initiatives within their business area • Board to have more exposure to senior executives across the business • Having a designated NED for workforce engagement reporting back to every Board meeting has helped with this (please see page 80 on colleague engagement for further details) • NEDs to spend more time in the business and at different offices (which will be done in person as we come out of lockdown) • Reporting on the “mood” of the business within the monthly CEO reports and areas of concern or where there are higher than expected colleague attrition levels • Discussing the results of both the annual colleague engagement survey and the more regular “pulse” surveys A continued focus on strategy and strategic discussion • One day dedicated strategy session now held annually, attended by all divisional Managing Directors and this year by brokers and advisers to provide an external and wider market perspective • Ensuring strategy is more of an ongoing Board discussion between annual strategy days rather than a once a year 
activity
• Shifting Board discussion away from short-term tactical issues to more longer-term strategic issues
• Actions from dedicated strategy day circulated to the Board with a check-in on strategy halfway through the year

An increased focus on succession planning and ensuring that these plans are reviewed on a regular basis
• Nomination Committees now being held with a programme of four Committee meetings planned every year with the Committee moving away from a transactional Committee (e.g. to recruit a new Director) to a more holistic view encompassing: future skills needs, talent pipelines, diversity, succession planning, and reviewing leadership needs of the Company
• Nomination Committee redoubling focus on succession planning for the Board and senior management including discussing Executive Director succession planning in general terms
• Chris Stone (Nomination Committee Chair) and Colin Watt (Global Chief People Officer) are now meeting regularly and discussing a separate workstream on succession planning

An increased focus on CSR/ESG (labelled as “sustainability” internally)
• Global Director of Sustainability and Corporate Affairs taken on ESG lead within the Group and presents every six months to the Board
• Gap analysis has been undertaken to provide an action plan to close the gaps and an ESG framework has now been developed
• Policies have been refreshed and standardised (e.g. Code of Ethics and Modern Slavery). The whole organisation has undertaken Code of Ethics refresher training
• Increasing recognition that this area will become an ever-more important area for new and existing clients and investors when they are evaluating who to buy from and partner with/invest in
• Improving the visibility of what the organisation is doing with regard to ESG and ensuring that all the ESG initiatives and activities are being properly recorded and reported
• TCFD will be reported on within the 2022 Annual Report. A TCFD steering group has been formed
• Partnerships with external organisations being developed, e.g. we have become a member of Business in the Community (BitC) and joined the UN Global Compact (UNCG) at the “Participant” membership level. With BitC, we have taken part in its Responsible Business Tracker

Progress from the previous year

The 2021 evaluation process also reviewed progress on actions identified in previous evaluation processes.

Areas identified in previous evaluations / 2021 evaluation – progress

An increased focus on succession planning and ensuring that these plans are reviewed on a regular basis
  Good progress and firmly on the Board’s and Nomination Committee’s agenda with a firm commitment to at least 33% female representation on the Board and at least one person of colour by 2024 (see above table for further details).

An increased focus on CSR/ESG
  Good progress and firmly on the Board’s agenda (see above table for further details).

A continued focus on strategy and strategic discussion
  Good progress with the 2021 strategy day felt to be the best to date (see above table for further details).

Enhancing Board interactions and communications with the Company and its customers
  Good progress. The Board has continued to interact with a significant number of colleagues on both a Company-wide basis and via receiving presentations from various members of the ExCom plus senior managers. There are regular updates on customers within the CEO’s Report.

Developing Board involvement in the Group’s culture related initiatives
  Good progress (see above table for further details).

Board, Committee and Chair evaluation process 2021

Company Secretary reviewed 2020 questionnaires and evaluation exercise results and, based on this, proposed questionnaires for the 2021 evaluation exercise.
The proposed questionnaires were reviewed and approved by the Chair and Committee Chairs and (for the Chair’s review) the Senior Independent Director.
Questionnaires were added to an online survey website which ensured the anonymous and efficient collection of answers.
Board members, the Company Secretary and regular Committee attendees were then invited to complete the questionnaires.
The responses were collated and analysed by the Company Secretary who then shared these with the Chair and Committee Chairs and (for the Chair’s review) the Senior Independent Director.
Summary reports together with the results and comments received were prepared for the Board and Committee meetings where the results were discussed and key actions for the coming year agreed.
The Chair held one-to-one meetings with Board members where areas of interest could be discussed in more detail.
The Senior Independent Director met with the Chair to discuss the Chair evaluation results.

Committee evaluation

During the year, each of the Audit, Remuneration, Nomination and Cyber Security Committees carried out an internal self-evaluation on their effectiveness. The conclusion from the Committee reviews is that, overall, the Committees are working well but some recommendations were made, as per the table below.
Committee / Focus areas

Audit
• Continuing to focus on reducing the length of Committee papers (using summaries where appropriate) but acknowledgement that the internal papers had improved
• Continuing to ensure that Committee papers were circulated as early as possible
• An acknowledgement that Covid-19 (and the delay to the 2020 full year results) had resulted in too many Committee meetings and the number of meetings should be reduced to normal levels
• The change in audit partner during the year was felt to have brought a refreshed perspective to the external auditor’s view and the audit partner’s onboarding should continue

Cyber Security
• Continuing to take the papers/presentations as read and focusing on more value-adding dialogue, discussion, and interaction rather than going through the Committee briefing packs
• Acknowledgement that the presentation from the Director of Operations at the UK’s National Cyber Security Centre (NCSC) had been excellent and more external presenters should be used where possible
• A review of whether external advisers/consultants could attend future Committee meetings
• More frequent updates on the nature of the changing cyber threat landscape, e.g. what are the current major topics within cyber and the significant threats

Nomination
• Making strong initial progress with our firm commitment to have at least 33% female representation and at least one person of colour on the Board by 2024
• Succession planning for the Board and senior management and in particular a discussion on Executive Director succession planning in general terms over the next 6–12 months
• Improving succession plans for senior executives and improving exposure to senior executives at Board meetings and within more informal settings

Remuneration
• Continuing to have opportunities for more open and unfettered discussion (Executive Directors and HR colleagues are now invited to meetings on a by exception basis)
• Embedding the 2021–2024 Directors’ Remuneration Policy (subject to shareholder approval at the 2021 AGM)
• Ensuring that the Group’s reward structure aligns to the key issues facing the Group rather than standard industry practice
• Continuing to focus on choosing appropriate benchmarks against which to compare NCC Group’s remuneration packages

Individual Director appraisal process

During the year, the Senior Independent Non-Executive Director evaluated the performance of the Chair and the Chair evaluated the performance of each Director. In addition, the Non-Executive Directors met independently from the Executive Directors to discuss with the Chair the overall functioning of the Board and his contribution in making it effective.

Operation of governance framework

Role of the Board

The Board is responsible for reviewing, challenging and approving the strategic direction of the Group, while providing strong values-based leadership of the Company, within a framework of prudent and effective controls, which enable risk to be assessed and appropriately managed.
The Board reviews the Group’s business model and strategic objectives to ensure that the necessary financial and human resources are in place to achieve these objectives, to sustain them over the long term and to review management’s performance in their delivery. The Board sets the tone of the Company’s values and ethical standards and manages the business in a manner to meet its obligations to shareholders and other stakeholders. The Board receives information on at least a monthly basis to enable it to review trading performance, forecasts and strategy and it has a schedule of matters specifically reserved for its decision. The most significant of these are: • Approval of strategic plans, the annual budget and any material changes to them • Oversight of the Group’s operations, ensuring competent and prudent management, sound planning, and an adequate system of internal control and governance • Through the Audit Committee, oversight of financial reporting systems and information and adherence to appropriate accounting policies • Changes to the structure, size and composition of the Board and Executive Committee, and oversight of the Company culture and the ethical standards of the leadership and the independence of Non-Executive Directors, taking into consideration prudent succession planning • Approval of the acquisition or disposal of subsidiaries and major investments and capital projects • Approval of the dividend, treasury and banking policies, including the Group’s capital structure • Through the Remuneration Committee, the delivery of an effective executive and senior management Remuneration Policy • Receiving reports on the views of shareholders and approval of all documents put to shareholders at a general meeting or circulated to shareholders • Approval of the appointment of key advisers The Board has a schedule of specific matters reserved for its decision where it feels they are critical to the ongoing success of the business and are of a significant 
nature to merit the Board having such a decision reserved to it. The Group also has a Group Authority Matrix (which documents the levels of authority delegated from the Board to various role holders within the Group). The schedule of matters reserved for decision by the Board and the Group Authority Matrix are complementary documents and are designed to ensure that decisions are either made by the Board or delegated to an appropriate senior colleague within the Group. As noted above, the operational management of the Group is delegated to the Executive Committee. The Board also delegates other matters to Board Committees and management as appropriate.

The Audit Committee makes a recommendation to the Board on effectiveness which the Board considers, together with reports from the Cyber Security Committee, in forming its own view on the effectiveness of the risk management and internal control systems. During the year ended 31 May 2021, the Board reviewed the effectiveness of the Group’s risk management and internal control systems. We confirm that the processes outlined above and on page 92 have been in place for the year under review and up to the date of approval of this Annual Report and Accounts and that these processes accord with the UK Corporate Governance Code and the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. We also confirm that no significant failings or weaknesses were identified in relation to the review.

Executive remuneration

During the year, we operated within the Remuneration Policy approved by shareholders at the 2020 AGM. Details of how the Remuneration Policy has been applied during this financial year are set out on pages 103 to 108 of the Remuneration Committee Report.
Risk management

The Board has ultimate responsibility for ensuring that business risks are effectively managed. The Board has delegated regular review of the risk management procedures to the Cyber Security Committee in relation to cyber risks and to the Audit Committee in relation to all other risks. The Board reviews the overall risk environment on at least an annual basis. The day-to-day management of business risks is the responsibility of the Executive Committee.

Internal control

The Group has a system of internal controls which aims to support the delivery of the Group’s strategy by managing the risk of failing to achieve business objectives and to protect the stewardship of the Group’s assets. As with all such systems, the goal is to manage risk within acceptable parameters rather than to eliminate risk entirely. The Group can therefore only provide reasonable and not absolute assurance that the business objectives and asset stewardship will be provided successfully. In addition, the Group insures against various risks, but certain risks remain difficult to insure, due to the breadth and cost of cover. In some cases, external insurance is not available at all, or at least not at an economically viable price. The Group regularly reviews both the type and amount of external insurance that it buys in conjunction with its insurance brokers. For a more detailed review of risk management processes, the principal risks faced by the Group and their mitigation, see pages 40 to 48. The Audit Committee is responsible for reviewing the effectiveness of the risk management and internal control systems. The steps it takes in relation to the review are set out on page 92.

Shareholder engagement

Share capital structure

The Company’s issued share capital at 31 May 2021 consisted of 308,956,045 ordinary shares of 1p each.
There are no special control rights or restrictions on share transfer or special rights pertaining to any of the shares in issue and the Company does not have preference shares. As far as is reasonably known to the Board, the Company is not directly or indirectly owned or controlled by another company or by any government. Board engagement with shareholders Communications with shareholders are given high priority. There is a regular dialogue with institutional investors including presentations after the Company’s year end and half year results announcements. A programme of meetings takes place throughout the year with major institutional shareholders, and private shareholders have the opportunity to meet the Board face to face and ask questions at the AGM. We are in regular contact with our large investors through a regular scheduled programme of meetings attended by either our CEO or CFO or both of them. Chris Batterham, our Senior Independent Director, and I are also available to meet with investors should the need arise. I met with our larger investors in February 2021 and fed back my findings to Board colleagues at the next Board meeting. In addition, our brokers undertook an investor survey on the back of our half year results in January and the results of this were presented and discussed at a Board meeting. Our aim is to engage with our shareholders in an open and meaningful way. During the financial year the Directors held a number of meetings with shareholders as set out below. Board shareholder updates Feedback from major institutional shareholders is provided to the Board on a regular basis and, where appropriate, the Board takes steps to address their concerns and recommendations. 
Investor meetings

One-to-one meetings (held virtually due to Covid-19): 31
Group meetings: 2

Substantial shareholdings

As at 31 May 2021, the Company had been notified of the following interests of 3% or more in the issued share capital of the Company under the UK Disclosure and Transparency Rules:

Shareholder                          Number of ordinary shares   % of NCC’s total share capital
Artemis Investment Management        13,822,640                  4.98%
BlackRock, Inc                       14,224,646                  5.15%
Castlefield Fund Partners            14,325,000                  5.16%
Montanaro Asset Management           16,546,426                  5.90%
Schroder Investment Management       15,364,318                  5.53%
Unicorn Asset Management             10,796,426                  3.89%

The following changes to the above interests have been notified to the Company from 31 May 2021 to 14 September 2021.

Shareholder                              Number of ordinary shares   % of NCC’s total share capital
Canaccord Genuity Wealth Group Limited   15,580,182                  5.04%

Directors’ shareholdings

For details of Directors’ shareholdings, remuneration and interests in the Company’s shares and options, together with information on service contracts, see pages 109 to 118 of the Directors’ Remuneration Report.

Annual General Meeting

The AGM is an opportunity for shareholders to vote on certain aspects of Group business and provides a useful forum for one-to-one communication with private shareholders. At the AGM shareholders receive presentations on the Company’s performance and may ask questions of the Board. The Chair seeks to ensure that the Chairs of the Audit, Remuneration, Nomination and Cyber Security Committees are available at the meeting to answer questions and all Directors attend. The Company prepares separate resolutions on each substantially separate issue to be voted upon at the AGM. The result of the vote on each resolution is published on the Company’s website after the AGM and will be announced via the regulatory information service. At the 2020 AGM, shareholders representing over 70.78% of the Company’s issued share capital returned their proxy votes.
On behalf of the Board

Chris Stone
Non-Executive Chair
14 September 2021

Audit Committee report

Ensuring integrity of our financial reporting and internal controls

The Committee particularly focuses on systems and processes of management control, the reporting of internal management information and externally reported financial information.
Chris Batterham, Committee Chair

The Audit Committee’s key objectives

The purpose of the Audit Committee is to assist the Board in the discharge of its fiduciary duties of stewardship of the Group’s assets. The Committee particularly focuses on systems and processes of management control, and the reporting of internal management information and externally reported financial information. The Committee also provides a forum for reporting by the external auditor.

The Audit Committee’s responsibilities

The Committee’s main responsibilities include:

• Monitoring the integrity of the Financial Statements relating to the Group’s financial performance and their compliance with the provisions of IFRS, the UK Corporate Governance Code, the Disclosure Guidance and Transparency Rules and other regulations
• Reviewing material information and significant accounting judgements contained in the Annual Report and Accounts
• Advising the Board on the continuing appropriateness of the Group’s existing accounting policies and the application of any new or modified accounting and reporting standards
• Advising the Board on the effectiveness of the processes ensuring that the Annual Report and Accounts, when taken as a whole, is fair, balanced and understandable
• Reviewing the audit findings with the external auditor including discussing any major issues that arise during an audit, the accounting and audit judgements made, the level of any errors identified during the audit and the effectiveness of the audit process itself
• Reviewing the effectiveness of the Group’s internal control systems
• Reviewing the nature and extent of significant financial risks and how they can be mitigated
• Making recommendations to the Board in relation to the appointment of the external auditor, approving its remuneration and terms of engagement
• Overseeing the relationship with the external auditor including, but not limited to, assessing its independence, objectivity and effectiveness
• Reporting to the Board on the procedures for responding to whistleblowing, fraud or potential breaches of anti-bribery legislation

A full copy of the Committee’s terms of reference can be found in the Investor Relations section of the Group’s website at www.nccgroup.trust/uk/about-us/investor-relations.

2020/21 key activities

• Reviewing SGT progress, and ensuring controls are in place to prevent additional time/cost overruns
• Monitoring ongoing impact of Covid-19 on key areas of judgement
• Ensuring compliance with new policy on APMs and ISIs
• Reviewing a change in accounting policy in relation to the configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS), following the publication of the IFRIC agenda decision in April 2021

2021/22 priorities

• Understanding integration plans and associated risks for Iron Mountain’s IPM business as well as monitoring costs of integration
• Ensuring adequate controls exist as the Iron Mountain’s IPM business is consolidated into the Group’s results and that the existing Group controls are implemented within the newly acquired business
• Ensuring the Iron Mountain’s IPM business fair value accounting including the assessment of deferred revenue is appropriately accounted for and disclosed
• Review of SGT progress and time/cost overruns and ensuring any lessons learnt are adequately captured
• Planning for regulatory changes arising from the BEIS white paper, “Restoring trust in audit and corporate governance”, and Task Force on Climate-Related Financial Disclosures (TCFD)

Activities during the year

During the year, the Committee:

• Assessed the effectiveness of the 2020 external audit process
• Considered and approved updated policies including policies on hedging, functional currencies and Individually Significant Items
• Undertook a Committee evaluation exercise to assess where the Committee should best focus its attention
• Received a summary of health and safety updates including new initiatives and activities
• Considered recent technical updates including guidance issued by the Financial Reporting Council
• Following the publication of the April 2021 IFRIC agenda decision, ensured compliance of change in accounting policy regarding configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS). Reviewed associated prior year restatement disclosures
• Received regular briefings from the Director of Global Governance summarising risk management and control issues
• Reviewed the findings from the internal audit projects conducted during the year and approved the internal audit plan for the forthcoming year
• Reviewed the findings from the audit for the year ended 31 May 2021 and from the auditor’s review of the half year results to 30 November 2020
• Reviewed all significant accounting areas and areas of key estimation including specific loss-making contracts and amounts recognised in respect of research and development tax credits. Reviewed KPMG audit conclusions in these areas
• Reviewed the application of the Group’s revenue recognition with respect to Managed Detection and Response, a significant growth area for the Group, to ensure accordance with IFRS 15
• Reviewed management’s going concern and Viability Statement assessment, including Brexit and Covid-19 considerations. Reviewed KPMG audit conclusions in these areas
• Reviewed the progress of Securing Growth Together and conducted a review of the reasons for any time and cost overruns experienced (e.g. systems implementation)
• Received a self-assessment of the finance controls highlighting enhancements made during the year, areas of continuous improvement and specific actions to implement minimum control standards
• Reviewed a summary of why management considers the Annual Report is fair, balanced and understandable

Composition

The Audit Committee is chaired by me, a Chartered Accountant of 42 years’ standing. I have previously served as the Finance Director of Unipalm plc, before becoming Chief Financial Officer of Searchspace Limited until 2005. Both businesses operated in digital technology sectors. My earlier career included roles with BICC Group and accountants Arthur Andersen. I also am a member of the audit committee at Blue Prism Group plc and chair the audit committee at Nanoco Group plc (both listed companies) which provides me with additional external perspectives to bring to my chairing of this Committee. The Board considers that I have the recent and relevant experience required by the Code.

The other members of the Committee who served throughout the year are Jonathan Brooks and Mike Ettling. All members of the Committee are considered to be independent and the Committee as a whole continues to have competence in the technology sector. Summary biographies of each member of the Committee are included on pages 74 and 75.

Meeting frequency and attendance

The terms of reference for the Committee require at least three meetings per year. During this financial year the Committee met seven times. As well as the members of the Committee, standing invitations are given to the Chair, the other independent Non-Executive Directors, the Chief Executive Officer, the Chief Financial Officer and the Group Financial Controller, with other attendees also appearing by invitation. The external auditor also attends each meeting.
During the year the Committee met, on a number of occasions, with the external auditor without the Executive Directors being present. In addition, following the appointment in early 2020 of the Group’s Director of Global Governance, who heads up the Group’s internal audit function, a number of meetings were held with her without management being present. The attendance of individual Committee members at Audit Committee meetings is shown in the table below:

Attendee / Meetings attended
Chris Batterham
Jonathan Brooks [1]
Mike Ettling [2]

[1] Absence due to sudden illness.
[2] Absence due to personal circumstances.

At all times the Committee remained quorate.

Significant accounting areas and areas of significant management judgement or estimation uncertainty

The table below summarises the significant accounting issues, judgements and estimates that the Committee considered during the year in relation to the Financial Statements. These are split between those items which are identified either as recurring items that the Committee regularly reviews or as items of current year focus. The table also sets out the financial context and potential impact of each item as well as the impacted metric. Finally, the table shows the degree of judgement or estimation that the Committee feels has to be applied for each item. Items with a significant impact but with a “low” judgement level will typically have extensive independent third party evidence of the bases for any judgement. Areas assessed as requiring a “high” level of judgement tend to rely more heavily on management estimates and historical trends than extensive independent third party evidence.
Review items / Accounting judgement / Estimation required

Goodwill carrying values (recurring): accounting judgement N/A; estimation required High
Intangible assets – capitalisation of cloud-based software and development costs (revised): accounting judgement Yes; estimation required N/A
Control of Iron Mountain IPM business (new): accounting judgement Yes; estimation required N/A
Research and development tax credits (new): accounting judgement N/A; estimation required High
Long-term loss-making contracts – other estimate (recurring): accounting judgement Yes; estimation required Low

Significant issues considered during the year in relation to the Financial Statements

During the year, the Committee reviewed and considered the following areas in respect of financial reporting and the preparation of the interim and annual Financial Statements:

• The appropriateness of the accounting policies used
• Significant areas of management judgement or estimation
• The effectiveness and changes to the financial control environment
• Compliance with external and internal financial reporting standards and policies
• Disclosure and presentation of GAAP and Alternative Performance Measures (APMs)
• Whether the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary to assess the Group’s financial position, performance, business model and strategy

In carrying out this review the Committee challenged the significant estimates and judgements made by the Group’s finance team and considered the external auditor’s reports setting out its views on the accounting treatments and judgements included in the Financial Statements.

Goodwill carrying value (Recurring item: see Note 12 to the Financial Statements)

The Group has significant balances relating to goodwill at 31 May 2021 as a result of acquisitions of businesses in previous years. The carrying value of goodwill at 31 May 2021 is £182.9m (2020: £193.1m). Goodwill balances are tested annually for impairment. Tests for impairment are primarily based on the calculation of a value in use for each CGU. This involves the preparation of discounted cash flow projections, which require significant estimates of both future operating cash flows and an appropriate risk-adjusted discount rate. The commercial viability of individually capitalised development project costs is also part of the overall assessment of carrying values.

Future cash flow estimates are based on two critical estimates: the rate of revenue growth and the discount rate, particularly in relation to the Europe Assurance CGU which is the most sensitive to movements in estimates.

The calculation of an appropriate discount rate to apply to the future cash flow estimate is itself an estimate. While some aspects of discount rate calculations can be more mechanical in nature (such as using the 30 year gilt yield as a proxy for the risk free rate) others, such as entity or sector-specific risk adjustments, rely more on management estimates. The discount rate is also a key component in assessing the terminal value which is often an important part of any valuation. Sensitivity analysis on what are regarded as reasonably possible changes is provided in Note 12.

The Committee has reviewed the rationale used to determine the CGUs including a change in CGUs driven by how the business is managed. The Committee also reviewed assumptions used in future cash flows that underpin the valuation of goodwill, particularly in relation to Europe Assurance since this CGU is the most sensitive to movements in estimates and assumptions. The Committee concurred with the view of management that no impairment should be recognised as either the discounted future cash flows or fair value was higher than carrying value.
Intangible assets – capitalisation of cloud-based software and development costs (Revised item: see Note 12 and 34 to the Financial Statements) Where software costs are incurred as part of a service agreement, judgement is required in assessing whether the Group has control over the resources defined in the arrangement. Software development activities involve a plan or design for the production of new or substantially improved products or processes. Judgement is required in determining whether the project is technically and commercially feasible; judgement is required in assessing the future economic benefit and viability of the project. Such judgements are inherently subjective and can have a material impact on determining whether such costs should be capitalised. The total net book value of software and development costs on 31 May 2021 was £5.4m, including additions of £2.3m. The Committee reviews the level of intangible additions and especially how capitalised internal staff time relates to specific assets to ensure alignment with the Group’s policy and is satisfied the policy was applied appropriately for the year ended 31 May 2021. During the year, the Committee has reviewed judgements taken when applying the Group’s new accounting policy in relation to the IFRIC agenda decision regarding configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS). This resulted in a prior year restatement. See Note 34 of the consolidated Financial Statements for further details. The Committee is satisfied with the judgements made for the year ended 31 May 2021. Control of IPM Software Resilience business (Current year focus item: see Note 35 to the Financial Statements) A key judgement in the year ended 31 May 2021 is the acquisition date for the purchase of the IPM Software Resilience business. 
Management considers shareholder approval of the transaction constitutes a change in control and therefore the date of shareholder approval is considered to be the acquisition date for the transaction. Shareholder approval was granted on 1 June 2021 and the IPM Software Resilience business will be consolidated into the Group results from that date. The Committee has reviewed management’s assessment of the date of change of control of the Iron Mountain IPM business and is satisfied that it is reasonable. Recognition of research and development tax credits (Current year focus item: see Note 9 to the Financial Statements) The tax expense reported for the current year and prior year is affected by certain positions taken by management where there may be uncertainty. The most significant source of uncertainty arises from claims for US research and development (R&D) tax credits relating to historical periods. Uncertainty arises as a result of a degree of uncertainty concerning interpretation of US legislation and because the statute of limitations has not expired. The basis on which the Group has claimed R&D tax credits involves a technical assessment of which party bears the economic risk in any research contracts entered into with third parties. This assessment is a key estimate. It is considered “probable” that the US taxation authority would accept the uncertain tax treatment in relation to the utilised tax credits recognised. For the periods ending 31 May 2017 to 31 May 2021, the aggregate net current tax benefit included in the Income Statement relating to the R&D tax credits is £2.7m (2020: £4.3m). The gross deferred tax asset relating to the R&D tax credits is £1.0m, although due to the uncertainty we have made a provision of £0.6m against this asset. The aggregate gross amount of US R&D tax credits recognised amounts to £8.2m (2020: £5.1m) and we have made a provision of £5.1m (2020: £0.8m) against this gross position. 
Sensitivity analysis on what are regarded as reasonably possible changes is provided in Note 2. The Committee has reviewed management’s assessment of US R&D tax credits together with an independent third party review assessment and is satisfied the estimate made is reasonable and consistent with IFRIC 23 ‘Uncertainty over Income Tax Treatments’. Loss-making contracts – other estimate (Recurring item: see Note 21 to the Financial Statements) Some aspects of the Group’s revenue are derived from relatively long-term fixed price contracts. On this basis, an estimate is disclosed in relation to one contract: • An onerous provision recognised during the year ended 31 May 2020 of £0.2m has increased during the period by a further £1.9m, of which £1.7m has been utilised leaving a closing balance of £0.4m of a total provision for loss-making contracts of £1.1m (see Note 21). This additional provision relates to a European contract and has been caused by Covid-19 disruption and some project management challenges during the year. Management prepares projections, which, due to the complexity of the contract, require estimates and accounting judgement of both revenue and cost recognition (including the number of performance obligations). Revenue is recognised based on the input method of IFRS 15 in relation to total costs and therefore management has to estimate the number of hours still required to complete the long-term projects and labour cost to complete. Sensitivity analysis on what are regarded as reasonably possible changes is provided in Note 2. The Committee reviewed and challenged the assumptions underpinning this accounting treatment and is satisfied that the contract has been correctly treated, and that in the case of the loss-making contract the liabilities recorded are reasonable. 
The Group’s approach to materiality In considering the materiality of any individual issue or issues in aggregate, the Group looks at a range of qualitative and quantitative measures to assess whether or not omitting, misstating or obscuring information could reasonably be expected to influence decisions that the primary users of general purpose financial statements make on the basis of those financial statements. The range of measures includes (but is not limited to) the primary Financial Statements themselves, the individual line item in question, and whether or not the issue moves the result from one side of an inflection point to another (for example, turning a profit into a loss or a net asset into a net liability). Qualitative and quantitative measures are both considered as is any potential impact on remuneration or banking arrangements such as debt covenants. Internal audit The internal audit function is responsible for internal audit, the assurance of other quality systems and processes, and monitoring the embedding of risk management processes throughout our operations. The internal audit plan was approved by the Committee during the financial year and a number of audits were performed, the findings of which have been reviewed by the Committee. During the year, eight internal audit reports were issued. The Group will look to increase the scope of the audit plan during FY22, drawing on third party resource provided under co-source arrangements, and through the use of data analytics. Internal controls and risk management The Board is responsible for establishing, maintaining and monitoring the Group’s system of risk management and internal control and reviewing its effectiveness. The Committee monitors the performance of management in this area. 
We have an ongoing process for identifying, evaluating and managing the principal risks faced by the Group which has been in place for the year under review and up to the date of approval of the Annual Report and Accounts. The Group’s non-cyber security risks are monitored by the Audit Committee on behalf of the Board which sets aside time for an in-depth discussion of notable or changing risks to the business. A description of the process for managing risk together with a description of the principal risks and strategies to manage those risks is provided on pages 40 to 48. Cyber risks are reviewed by the Cyber Security Committee; the Cyber Security Committee Report can be found on pages 98 and 99. Internal control systems are designed to meet the particular needs of the Group and the risks to which it is exposed. By their nature, however, internal control systems are designed to manage rather than eliminate the risk of failure and can provide only reasonable but not absolute assurance against material misstatement or loss. During the year, the Group has implemented new systems which have brought about some changes in controls, as the Group transitions away from historic systems. These controls will require further changes in the forthcoming year as we continue to embed new ways of working across all our systems. Key elements of the risk management and internal control system are described below. Enhancements during the year are highlighted while the other elements have all been in place throughout the year. 
Controls relating to financial reporting and preparation of the Annual Report and Accounts • Information provided to management covering financial performance and key performance indicators, including non-financial measures (enhanced by new KPIs and targeted management reports) • A detailed budgeting process where business units prepare plans for the coming year (enhanced with new standardised reporting, discretionary cost reviews and consolidation models and systems) • Procedures for the approval of capital expenditure and investments and acquisitions (enhanced by standardised capital approval request forms) • Monthly operational reviews to monitor and reforecast results as required against the annual operating plan, with major variances followed up and management action taken where appropriate Other controls • Defined management structure and delegation of authority to Committees of the Board, subsidiary boards and associated business units (enhanced by more detailed authorities and guidance notes) • Recruitment standards and training to ensure the integrity and competence of staff • Anti-bribery, security and compliance training for all colleagues • Clearly documented internal procedures set out in the Group’s ISO 9001:2015 accredited quality manual • Regular internal audits of key processes and procedures under the Group’s ISO 9001 and ISO 27001 accredited quality assurance process • Monitoring of any whistleblowing or fraud reports The external auditor regularly reports its findings on those areas of internal control which it assesses as part of the external audit and half year review to the Board and the Audit Committee. 
Our internal control effectiveness is assessed through the performance of regular checks, which in the year ended 31 May 2021 included: • Assessment of the identification and management of risks connected to the Group’s strategy and management of strategic change • Reviewing and testing the Group’s financial reporting processes • Performing compliance monitoring activities • Assessment of the Group’s processes for identifying and mitigating potential conflicts of interest • Monitoring the completion of the Group’s mandatory colleague training Whistleblowing and confidential reporting procedures The Group operates a confidential reporting and whistleblowing procedure (known as our “Whistleblowing Policy”). The policy aims to support the stewardship of the Group’s assets and the integrity of the Financial Statements as well as protecting colleague welfare. The procedure is reviewed annually by the Committee to ensure that it remains fit for purpose. The Group has appointed an independent third party reporting agent to be the first point of contact for those who do not wish to use normal internal line management channels for reporting their concerns. This is advertised internally via colleague noticeboards and our intranet. During the year, the Code of Ethics Policy was updated and all colleagues were asked to undertake refresher training. As part of this training, colleagues were reminded of the existence of the Whistleblowing Helpline. The Committee reviews any whistleblowing or confidential reporting of concerns raised during the year with respect to their nature, scale and any associated or consequential risks. Review of the Audit Committee’s effectiveness The Committee has reviewed and considered the effectiveness of its performance during the year. 
The review included the views of members of the Committee and of regular attendees at the various meetings (including the Executive Directors). I am satisfied that the degree of rigour and challenge applied in performing the Committee’s responsibilities is appropriate and effective and continues to improve. Please see page 84 for further details of the Committee evaluation process. Auditor’s independence and objectivity The Committee received a formal statement of independence from the external auditor. The Company also operates a rigorous policy designed to ensure that the auditor’s independence is not compromised by it undertaking inappropriate non-audit work. The Audit Committee’s approval is therefore required for any fees for any non-audit work undertaken by the auditor. However, the Company recognises that it can receive particular benefit from certain non-audit services provided by the external auditor due to its technical skill and detailed understanding of the Company’s business. During this financial year non-audit fees of £75,000 (2020: £50,000) were paid to the external auditor for the half year review. All significant pieces of non-audit work are put to informal tender to suitable parties that, if appropriate, can include the external auditor. Upon review as to suitability and price, the work will then be placed with the service provider recommended. If this is the external auditor, then Audit Committee approval is required. The external auditor was not engaged during the year to provide any services which may have given rise to a conflict of interest. The Committee is satisfied that the overall levels of audit and non-audit fees (i.e. the half year review fee) are not material relative to the income of the external auditor as a whole and therefore that the objectivity and independence of the external auditor were not compromised. 
External auditor’s effectiveness and appointment The Committee reviews and makes recommendations regarding the reappointment of the external auditor following a formal review of the auditor’s performance following completion of the prior year Financial Statements’ audit. In making these recommendations the Committee considers: • The experience, industry knowledge and expertise of the auditor • The scope and planning of the audit and any variations from the plan • The quality of the processes adopted • The auditor’s explanations of significant risks to audit quality by reference to the Company’s specific circumstances and changes to the risks, including Covid-19 implications • The fees charged • Its attitude to and handling of key audit judgements • Its ability to challenge and communicate effectively with management • The quality of the final report • The FRC’s Audit Quality Review report relating to KPMG During the financial year, I attended regular meetings with KPMG’s engagement partner without management being present. This provided the opportunity for open dialogue. The engagement partner demonstrated her understanding of the Group’s business risks and the consequential impact on the Financial Statements. Feedback on the conduct of the audit from the engagement partner’s perspective is used to determine if any challenges in the prior year audit would be sufficiently addressed in the next audit cycle. The Group’s current auditor, KPMG LLP, has been in place since 1 November 2013 with a competitive audit tender process having last been undertaken in November 2011. Frances Simpson has replaced Mick Davies as KPMG’s engagement partner for the year ended 31 May 2021. The lead audit partner rotates at least every five years to ensure independence. The Group will continue to keep this position under review during the new financial year. 
The Group intends to remain in full compliance with the requirement to carry out a formal tender at least once every ten years; therefore, a formal tender is expected to be undertaken before November 2023. Therefore, having fully considered the effectiveness, independence and objectivity of the external auditor and the reports it has produced in the current financial year, the Committee has concluded that it is appropriate to recommend to the Board the reappointment of KPMG LLP as the Group’s external auditor for the next financial year. Fair, balanced and understandable The following process was followed by the Committee in making its assessment: 1. Financial information • Prepared by individual business units • Consolidated by Group finance team • Reviewed by Group Financial Controller and CFO 2. Narrative disclosures • Prepared by Group finance team • Reviewed by Group Financial Controller and CFO • Various reports prepared by Committee Chairs, CEO and CFO 3. Independent reviewers • Senior members of the Executive Committee or other senior colleagues • Those who have not been major contributors 4. Audit Committee Chair • Review of detailed verification documents • Review of findings and observations from independent reviewers Related party transactions and other fees approved by the Committee Refer to Note 32 for related party transactions in the year. There were no such fees payable in the current year. 
Fair, balanced and understandable At the request of the Board, the Committee considered whether the 2021 Annual Report and Accounts, when taken as a whole, was fair, balanced and understandable (FBU) and whether it provided the necessary information for shareholders to assess NCC Group’s position and performance, business model and strategy. The reviews outlined in the diagram above include reviews of all material matters, as reported elsewhere in this Annual Report and Accounts, and reviews of the balance of good and bad news and ensure the Annual Report and Accounts correctly reflects: • The Group’s position and performance as described on pages 9 to 13 and 32 to 39 • The Group’s business model as described on pages 20 and 21 • The Group’s strategy as described on pages 29 to 31 The independent reviewers were not major contributors to the Annual Report and Accounts but, at the same time, as members of the Executive Committee or other senior colleagues, are deemed to be sufficiently well informed on the Group’s activities to be able to give appropriate feedback on the FBU criteria. They undertake a qualitative review of disclosures and a review of internal consistency throughout the Annual Report and Accounts. The Directors’ statement on a fair, balanced and understandable Annual Report and Accounts is set out on page 123. Chris Batterham Chair, Audit Committee 14 September 2021 Nomination Committee report An increased focus on succession planning for the Board and senior management During this year we have made the formal commitment that by 2024, we will have at least 33% female representation on our Board and at least one person of colour. Although this is best practice for FTSE 350 companies, we will commit to this target regardless of which share index we are in. 
Chris Stone Committee Chair The members of the Nomination Committee are Chris Batterham, Jonathan Brooks and Jennifer Duvalier along with me. The Nomination Committee’s objectives and responsibilities The Nomination Committee is responsible for reviewing the size, structure, balance, composition and progressive refreshing of the Board and its Committees and as such its duties include: 2020/21 highlights • Session to review senior management and Executive Director succession plans • Focused on diversity and inclusion in every meeting, including undertaking unconscious bias training • Undertook a review of the colleague engagement results and continued with the non-executive colleague engagement sessions 2021/22 priorities Our priorities for the coming year focus on three areas: • Broadening our approach to talent and succession • Reviewing the structure of the Board enabled by Workday • Continuing to support the development of a diverse leadership profile and pipeline • Creating the right working environment to support colleague engagement and working post pandemic • Evaluating the balance of skills, knowledge, experience and diversity on the Board • Making recommendations for further recruitment to the Board or proposing changes to the existing structure of the Board, or individual Directors • Reviewing the leadership needs of the Company, both Executive and Non-Executive • Succession planning for Directors and other senior executives within the business • Recruiting, appointing and exiting of Directors • Overseeing membership of, and succession to, the various Board Committees • Reviewing the time commitment required from the Non-Executive Directors on NCC Group business The Chair of the Board leads the process for the appointment of new Non-Executive Directors to the Board and for the appointment of the Chief Executive Officer. 
The Chief Executive Officer, in conjunction with the Chair, leads the process for the Chief Financial Officer. The Senior Independent Director leads the process for a new Chair of the Board. In relation to an appointment to the Board, the Committee draws up a specification and assesses the capabilities and experience required for such a role, taking into account the Board’s existing composition, including relevant experience and understanding of our stakeholder groups. We will look to address this during future Board and Executive Committee appointments to improve our diversity. Given that this is a fairly young Board in terms of tenure, this improvement in diversity will not be a quick process but we are very mindful of the need to improve this and take positive action, and the matter is fully on our agenda. Accessing the candidates we require to reach this target will involve us looking beyond the obvious, for example existing board directors within the UK, and we intend to ensure that we extend our talent search to other sectors and countries to ensure we find a diverse pool of candidates from which to choose. When a new Director is appointed they receive a full, formal and tailored induction into the Company and discuss with the Chair any immediate training requirements. We also assess the time commitment required. Candidates are sought by third party executive search consultants and, where appropriate, through the assessment of internal candidates and are then formally considered by the Nomination Committee. Extensive external referencing is completed. The Committee’s terms of reference can be found in the Investor Relations section of the Company’s website: www.nccgroupplc.com/investor-relations. The terms of reference are reviewed annually and updated when necessary. Diversity Our objective is to have a broad range of skills, backgrounds, experiences and personal attributes within the Board as this ensures the Board is best placed to serve the Company. 
All appointments are made on merit and against objective criteria with due regard for the benefits of diversity on the Board, including gender, nationality, and educational and professional background, as well as individual characteristics which will enhance diversity of thinking on the Board. The Company and the Committee value the aims and objectives of the Hampton-Alexander Review on FTSE women leaders and the Parker Review on ethnic diversity of UK boards and support and apply the Group’s diversity policy. The Group’s gender diversity statistics are set out on page 63. At Board level, we currently have one female on our Board and no people of colour, but we note that diversity extends beyond the measurable statistics of gender and ethnicity. As such, while we historically have not set any particular targets, we continue to take diversity in its wider context into account, having regard to the diversity policy, and recommend only the most appropriate candidates for appointment to the Board. That said, we recognise that we still have much progress to make in terms of improving the diversity of the Board and our Executive Team (and indeed our workforce as a whole). With that in mind, during the year we have made the formal commitment that by 2024, we will have at least 33% female representation on our Board and at least one person of colour. Although this is best practice for FTSE 350 companies, we will commit to this target regardless of which share index we are in. (To achieve this commitment by 2024 based on our current Board size of seven Directors, we would need to have at least three female Directors out of the seven. At least one of the seven would be a person of colour.) Committee meetings During this financial year, the Committee held three scheduled meetings. The attendance of individual Committee members at Nomination Committee meetings is shown in the table below. Unless otherwise indicated, all Directors held office throughout the year. 
Meetings attended Attendee Chris Stone Chris Batterham Jonathan Brooks Jennifer Duvalier Activities during the year During the year, the Committee: • Evaluated the skills, knowledge and experience around the Board table • Reviewed the structure, size and composition of the Board • Reviewed the Directors’ length of service • Reviewed the diversity of the Board • Reviewed the memberships of all Committees • Reviewed the expected time commitment of the Chair and the Non-Executive Directors During the year, the Nomination Committee has had several in-depth presentations from the Chief People Officer and the Global Head of Learning and Development which focused on people, talent and succession planning. These presentations looked at the overall current position and in particular senior succession, i.e. the Executive Committee and its direct reports. One presentation also described a roadmap to a 2022 future state where we wish to be a “destination employer with a quirky, distinctive environment”. In terms of our ongoing focus on improving diversity, we are focusing on: Processes • Reviewing all our processes/documentation as part of our Workday system go-live – i.e. ensuring the wording on adverts and job descriptions is gender neutral • Providing better tracking and reporting at all points of the colleague cycle to check for bias Training • Introducing a Manager Essentials programme which covers recruiting and managing a diverse team • Providing unconscious bias training for leadership groups (the Board and ExCom have both now undertaken unconscious bias training). Participated in NCC Conversations – promoting equality Colleague voice • Continuing to develop and assess the broad range of opportunities for colleagues to ask questions, to provide feedback and to play an active role in creating a great place to work. 
(For further information, please see the stakeholder engagement section on pages 49 to 52) Long term • Building strategic partnerships with organisations to support our commitment to create an inclusive and diverse environment • Connecting the initiatives we are involved in so we get the best return for investment – work experience, mentoring and CyberFirst bursaries Committee effectiveness During the year, the Nomination Committee carried out an internal self-evaluation on its effectiveness. A number of recommendations were made, including the need to: • Make strong initial progress with our firm commitment to have at least 33% female representation and at least one person of colour on the Board by 2024 • Focus strongly on succession planning for the Board and senior management and in particular discuss Executive Director succession planning in general terms over the next 6–12 months • Improve succession plans for senior executives and improve exposure to senior executives at Board meetings and within more informal settings The intention is to again have a Committee discussion on all senior roles during the 2021/22 financial year, to ensure that we have the depth and breadth of diverse talent to deliver our strategy. External search consultancies No external search consultancies were utilised in the year. Chris Stone Chair, Nomination Committee 14 September 2021 Cyber Security Committee report Maintaining and improving the Group’s resilience to cyber-attack as the threat landscape changes Through the Committee, the Group continues to review and challenge the data governance and information security risks that affect the Group, particularly in light of the “move to remote” during the Covid-19 pandemic and the changing regulatory landscape post-Brexit and Schrems II. 
Chris Stone Committee Chair The Cyber Security Committee was formed to focus specifically on the cyber risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business, and the potential damage to the business as a high value target for malicious acts. The Committee’s activities aim to challenge and support improvements to the Group’s information security and data protection policies, defences and controls, so as to comply with global data protection regulations around the world, and ensure that the Group looks after its own information, and the information that its customers entrust to it, with the proper care and attention. The Committee was formed in November 2016 and I have been Chair since January 2018. Chris Batterham, Jonathan Brooks and Jennifer Duvalier (all independent Non-Executive Directors) served as members of the Committee throughout the year. The Group’s Director of Global Governance, the Group’s Chief Information Security Officer (CISO), and the Group’s Chief Data Protection and Governance Officer (CDPGO) are standing invitees of the Committee. The Executive Directors are invited to attend Committee meetings when the Committee considers it to be appropriate. 
The Cyber Security Committee’s objectives and responsibilities The Cyber Security Committee is responsible for assessing the performance of the Group’s internal security and defences and as such its duties are to: • Oversee and advise the Board on the current cyber risk exposure of the Group and future cyber risk strategy • Review at least annually the Group’s cyber security breach response and crisis management plan • Review reports on any cyber security incidents and the adequacy of resulting actions 2020/21 highlights • Enhanced SOC coverage and detection capabilities across our network • Extending our Microsoft Defender for Endpoint rollout; implementation of remote application patching capability • Development of a Data Protection by Design framework, including new and revised policies, procedures and guidance • Global risk management framework initial implementation and rollout 2021/22 priorities • Running more complex cyber exercises to test our response processes • Implementing a new security awareness platform across NCC Group globally • Implementing a system to facilitate dynamic maintenance of Records of Processing across the NCC Group business • Implementing the Data Protection by Design framework across NCC Group globally • Receive and consider the regular update reports from the CISO and CDPGO and ensure the CISO and CDPGO are given the right of direct access to the Committee • Consider and recommend actions in respect of all cyber risk issues escalated to it • Keep under review the effectiveness of the Group’s controls, services and products to analyse potential vulnerabilities that could be exploited • Regularly assess what are the Group’s most valuable intangible assets and the most sensitive Group and customer information and assess whether the controls in place sufficiently protect those assets and information • Review the Group’s ability to identify and manage new cyber risks • Assess the adequacy of resources and funding for cyber security 
defence and control activities • Regularly review the cyber risk posed by third parties including outsourced IT and other partners • Oversee cyber security due diligence undertaken as part of an acquisition and advise the Board of the risk exposure • Annually assess the adequacy of the Group’s cyber insurance cover The Committee’s terms of reference can be found in the Investor Relations > Corporate Governance section of the Company’s website (www.nccgroupplc.com/investor-relations/corporate-governance). The terms of reference are reviewed annually and updated when necessary. Committee effectiveness During the year, the Cyber Security Committee carried out an internal self-evaluation on its effectiveness, as it continues to mature since its formation in November 2016. The Committee was found to be working effectively and I am satisfied that the degree of rigour and challenge applied in performing the Committee’s responsibilities is appropriate and effective and continues to improve. In terms of specific focus areas for the year ahead we agreed on the following: • Continuing to take the papers/presentations as read and focusing on more value-adding dialogue, discussion, and interaction rather than going through the Committee briefing packs • Acknowledgement that the presenter from the National Cyber Security Centre had been excellent and more external presenters should be used where possible • A review of whether external advisers/consultants could attend future Committee meetings • More frequent updates on the nature of the changing cyber threat landscape, e.g. what are the current major topics within cyber and the significant threats As an output of both this and previous evaluations, the Committee, along with the Board, reaffirmed that cyber security is a sufficiently important risk for the business that the Committee should remain focused on this specific set of risks. 
Therefore, the current structure in which the responsibility for broader risk management remains with the Audit Committee will continue. Committee activities during the year The Committee continues to make sure that the Group’s resilience to cyber-attack is maintained and improved as the threat landscape changes. As the Securing Growth Together programme comes to its latter stages, more focus was put on longer-term initiatives that will stand the Group in good stead in the years to come. In November, the Committee had a fascinating talk from the Director of Operations at the UK’s National Cyber Security Centre (NCSC), about the NCSC’s perception and analysis of the cyber threat that faces the UK. The Group continues to improve its cyber security controls. Building on our initial rollout of Microsoft Defender for Endpoint in 2020, we extended this to servers as well as endpoints, giving us ever-deeper security insight into our IT assets. In addition, we invested in technology that allows us to patch application software on endpoints in a more automated way across the internet, rather than requiring a VPN connection. Both of these controls stood us in good stead during the coronavirus pandemic, when almost all colleagues were working remotely. Our SOC implemented its latest detection suite across our networks, and we continue to benefit from novel detection methods and techniques as the SOC’s “customer zero”; as those detection techniques are refined, they are rolled out into our commercial offering. In terms of our global data protection programme and internal data privacy activities, we are developing a three year strategy to align the approach across the business, continue to improve our privacy maturity, and support in light of the rapidly changing regulatory landscape. 
Considerations include the newly approved Standard Contractual Clauses and their requirement for detailed information security provisions to be documented for each service line, as well as updating internal agreements to secure our global business in terms of facilitating data transfers. Noteworthy highlights since our previous report include: • A suite of tools has been created to enable Data Protection by Design to continue, and to make the assessment process more efficient and easier for the business to engage with. These include a Data Protection Impact Assessment (DPIA) triage form, and DPIA light and DPIA full templates, with guidance also produced. The data protection team has been working closely with IT to embed this into its processes • The expansion of the data protection and privacy team’s remit to encompass data governance, including the appointment of Data Protection Officers to partner with North America and APAC, respectively, with appointment of a Data Protection Manager in NCC Europe, headed up by the Chief Data Protection and Governance Officer • Bespoke gap analysis tool created covering all principles and articles within GDPR, which flexes to accommodate the complexity of our different business areas/service lines • Assessment of the situation with the UK adequacy decision and the additional safeguards required to ensure the free flow of data from the EU to the UK should adequacy be revoked, as well as planning for the impact of the recent issue of the new Standard Contractual Clauses by the EU Commission Committee meetings During this financial year, the Committee met three times and the attendance of individual Committee members at the Cyber Security Committee meetings is shown in the table below. Unless otherwise indicated, all Directors held office throughout the year. Meetings attended Attendee Chris Stone Chris Batterham Jonathan Brooks 1 Jennifer Duvalier 1 Was absent for July 2020’s meeting due to illness. 
Chris Stone
Chair, Cyber Security Committee
14 September 2021

Remuneration Committee report

Annual statement

Looking beyond the pandemic
Our new Remuneration Policy will balance an increase to variable remuneration with a reduction in the threshold vesting level for the LTIP and an increase to the toughness of the LTIP’s stretch EPS target. At the same time, if the new Policy is approved, we will immediately reduce Executive Director pension contributions to the workforce level of 4.5%, and adopt a more demanding post-employment shareholding policy.
Jonathan Brooks
Committee Chair

On behalf of your Board, I am pleased to present our Directors’ Remuneration Report (DRR) for the year ended 31 May 2021. The report is divided into three sections: an Annual Statement, our Directors’ Remuneration Policy and the Annual Report on Remuneration, which sets out the actual application of the Policy.

Annual Statement
2020/21 was another busy year for the Remuneration Committee and we had seven meetings in total. The Committee, which remained unchanged for the third year in succession, comprised Chris Batterham, Jennifer Duvalier and me as Chair. Our Board Chair, Chris Stone, also attended all the meetings. We invited our remuneration consultants, Chief People Officer, CEO, CFO, and other executives to meetings as required.

Consultation with shareholders following 2020 AGM
The arrival of the Covid-19 pandemic at the start of 2020 obliged us to wrestle with the immediate impact to our business of a significant period of uncertainty.
The impact of the pandemic fell late on in the financial year and it was immediately apparent that forecasting the financial effects for both the end of the 2019/20 financial year as well as the 2020/2021 financial year would be extremely difficult, although we are pleased that we did not furlough any staff, make any staff redundant or reduce our dividend.

2020/21 highlights
• Consultation with shareholders following the 2020 AGM
• Development of Remuneration Policy for 2021–24 and a second consultation with shareholders
• Launch of a new Restricted Share Plan to broaden colleague share ownership

2021/22 priorities
• Implement our new Remuneration Policy following approval at the AGM
• Integrate Iron Mountain remuneration practices into the Group
• Consider the introduction of ESG measures
• Continue to ensure our incentive arrangements support the Group’s long-term strategy

* The Directors consider that Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements is comparable to Adjusted operating profit previously reported. See Strategic Report for further details and a reconciliation between Adjusted operating profit of £39.2m and Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements of £36.2m.

As a Committee, and mindful of the desire to keep colleagues appropriately rewarded for their performance and incentivised to deliver the best outcomes for our shareholders during such a difficult period, we took some immediate action to address this period of uncertainty. Firstly, we applied our discretion and replaced the formulaic assessment of the financial underpin to the non-financial element of the 2019/20 bonus with a non-formulaic assessment. Secondly, we decided that the non-financial element of the annual bonus for 2020/21 should have a weighting of 40% of the total, compared with the previous year’s figure of 25%.
Thirdly, we decided that for 2020/21, we would divide the year in two for bonus target setting purposes, with one set of bonus targets based on the first six months’ performance and a revised target being set for the second half of the year. While many shareholders recognised this pragmatic approach, we were disappointed that a significant minority of others voted against our Annual Remuneration Report in 2020. Immediately after the AGM, I therefore engaged with all major shareholders who voted against the resolutions to better understand their reasons for doing so. There were two main reasons which explained their objections: some did not feel that the application of discretion during the year to replace the annual bonus profit underpin for 2019/20 was appropriate, while others did not support the increased weighting on non-financial measures in the annual bonus from 25% to 40% for 2020/21. The Remuneration Committee acknowledged these views in its statement in early February 2021, and whilst it still considers its decisions were appropriate and pragmatic in the exceptional circumstances of the pandemic, emphasised that the weighting on non-financial measures in the annual bonus would revert to 25% of the total in 2021/22 and that a profit underpin would be applied in future. Development of Remuneration Policy for 2021–24 and separate consultation with shareholders During the 2020/21 financial year, we operated within the Remuneration Policy that was approved by shareholders at the 2020 AGM. With the arrival of the Covid-19 pandemic, changes to the Remuneration Policy last year were minimal and we flagged at the time that we planned on submitting a new Policy this year. 
The aim of these changes was to reflect the strong performance of the business and development of the senior team over a number of years and ensure that the remuneration of our senior team is appropriately positioned against a highly competitive market for talent within the sectors in which NCC Group operates. We refined some changes with our remuneration consultants and then undertook a period of consultation with shareholders in March and April 2021, who were supportive of our approach. Our proposed new Remuneration Policy can be found in the next section of this report and will be voted upon at our AGM in November. Its main features are to make phased increases to the variable pay opportunity for our CEO and CFO. The first of the proposed changes will take place in 2021/22 and increase the level of LTIP from 100% of salary to 175% and 150% of salary for the CEO and CFO, respectively. Implementation of the second increase will take place in 2022/23 when the annual bonus opportunity for both the CEO and CFO will increase from 100% to 125% of salary. The Committee considers this phased approach to be appropriate in the current environment and these increases will be balanced by a reduction in the threshold vesting level for the LTIP and an increase to the toughness of the LTIP’s stretch EPS target. At the same time, if the new Policy is approved, we will immediately reduce their pension contributions to the workforce level of 4.5% and adopt a more demanding post-employment shareholding policy. The overall effect of these changes will result in levels of total remuneration that are at or below the market level. Further details can be seen in the next section of the report. With respect to base pay, for the 2020/21 financial year, average salaries in the Group rose by approximately 2.9% but we decided to increase the salary of the CEO and CFO by 1% to take effect from September 2020.
For 2021/22, salaries increased by an average of 3.1% and we increased the CEO’s salary by 3%, taking his base salary to £465,000 with effect from 1 June 2021. For the CFO, recognising that his salary is well below the level that the Committee considers to be appropriate given his performance and experience in the role, we consulted with shareholders to increase his pay over a two year period. In June 2021 his salary increased to £308,000, representing an increase of 4.9% above the average workforce increase (i.e. 8% in total). In June 2022, we also intend to increase his salary by up to 3% above the average workforce figure. While these increases will still result in a below market salary, when combined with the proposed increases to variable remuneration this should bring his overall remuneration closer to market levels. Launch of a new below Board Restricted Share Plan to broaden colleague share ownership As a Board, we remain committed to broadening share ownership throughout the Group, both as a reward and retention tool. During the year, we introduced our Restricted Share Plan (RSP), authorisation for which had been granted at the 2020 AGM. An increased number of colleagues were made a share award dependent on their continuing service within the Group for a period of up to three years. RSPs are extremely common in the technology sector in the USA, where we have increased our presence in the last few years, and we expect to issue more RSPs annually. In addition, we also offered colleagues the opportunity to participate in our Save As You Earn/stock purchase share plans in the UK, the US, Canada, the Netherlands, Australia, Denmark and Spain. Once again, these proved popular in terms of take-up and participation levels. Non-Executive Director and Chairman’s fees In line with our Remuneration Policy, Non-Executive Director fees are reviewed annually. 
During the year, the Non-Executive Director fees were reviewed (by the Company Chair, CEO and CFO) and increases were proposed with effect from 1 June 2021, being the first increases for three years. In addition, as social distancing restrictions are being progressively removed it was decided to reinstate the travel expense allowance with effect from 1 June 2021. This had been withdrawn in March 2020 at the start of the pandemic when physical Board meetings were not possible. The Remuneration Committee also reviewed the Chairman’s fees using data provided by our remuneration consultants. As a result the Chairman’s fees were increased for the first time since his appointment in 2017. Details of these fees and allowances are given in the Annual Report on Remuneration on page 110. Performance related pay – bonus The annual bonus for the year ended 31 May 2021 for both the Chief Executive Officer and Chief Financial Officer was based on the satisfaction of stretching financial and strategic targets. This resulted in an overall payment of 92% of base salary for the CEO and 87% of base salary for the CFO. With respect to the financial targets, as we reported in the Annual Report 2020, in light of the impact of the pandemic and the difficulty in estimating its short-term impact on the business, we decided to divide the 2020/21 financial year into two, with the first six months of the year qualifying for up to a 30% financial bonus if the half year Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements * achieved £17.0 million, with the financial target for the second half of the year being based on a reforecast which took place in November 2020, and an Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements * of £19.0m being required for a further 30% bonus. 
The targets for both halves of the 2020/21 financial year were exceeded, resulting in a total financial bonus for the year of 60%, the maximum for this element. For the 2020/21 financial year, the strategic objectives for both the CEO and CFO were given a weighting of 40% in total. The bonus earned was judged to be 32% for the CEO and 27% for the CFO. The strategic objectives covered three areas:
• Broadening the product portfolio: the broad objective was to offer the complete portfolio of products and services tailored to specific customer sectors and to be able to deliver this globally. This was broken down by market with specific revenue objectives for different products (20%)
• Sustainability: to act as a responsible corporate citizen to ensure our future. This included objectives with respect to training of future leaders in the Group, diversity targets for recruitment, the development of action plans to improve engagement with underrepresented groups and the assessment of customer and colleague experience (10%)
• Specific improvements and efficiencies: these were delivered through strategic programmes with the objective of placing data and process re-engineering at the heart of the business and included the development of global support functions and certain identified key hires, as well as specific global product lines (10%)

Further detail on performance against strategic objectives is provided later in the report. For both the CEO and CFO, 35% of the actual bonuses achieved will be deferred into nominal cost share options and will vest after two years. Clawback and malus provisions are also in place for the annual bonus.
For 2021/22, the Committee will change the annual bonus weightings back to its more normal weightings of 75% financial and 25% non-financial. For the financial bonus, as in previous years, it will be set within a tight range with bonuses between 15% and 75% of base salary being calculated by linear interpolation. For 2021/22, we will introduce a revenue target component for both the Assurance and Software Resilience businesses to complement the targets on Adjusted operating profit. Strategic targets for 2021/22 For the CEO, the strategic targets will be grouped under the following broad headings: • Integration of Iron Mountain IPM division: this will include specific targets for systems, people, customer and operating model integration (10% in total) • Strategic objectives within the Assurance business: these will include specific targets for the development of the MDR and Remediation businesses (10% in total) Performance related pay – LTIP The grant of the 2020–23 LTIPs was delayed as a result of extended prohibited periods including those connected to the acquisition of the Iron Mountain IPM division, as a result of which the grants which would ordinarily have been made in the autumn of 2020 were not made until May 2021. The awards will vest subject to demanding EPS, cash and relative TSR targets outlined later in this report. The LTIP outcome for those LTIPs issued in 2018 was an award equivalent to 40% of the maximum award, which in the case of the CEO constituted an award of 78,914 shares, and the CFO constituted an award of 49,779 shares. Our LTIP award for 2021–24 will be granted after our next AGM in November and subject to shareholder approval of the revised Remuneration Policy, the Committee intends to make awards of up to 175% of base salary for the CEO and 150% for the CFO compared to 100% of base salary for both executives as at present. These will vest after three years as long as a number of demanding performance targets are satisfied. 
As in previous years, 60% of the potential award will be based on the achievement of a demanding EPS target, 30% on the achievement of certain cash targets and 10% on relative TSR targets. We plan to issue LTIPs to the Executive Directors shortly after the 2021 AGM in November 2021. Clawback and malus provisions are in place for the LTIP. In order to further align executives with shareholders, executives are required to retain any LTIP vested shares (net of tax) for a period of two years. After this holding period, all vested shares must also be retained if the shareholding requirement has not been met. In addition, our new post-employment shareholding policy requires executives to retain the lower of the value of their holding on cessation or 200% of salary for the first year following cessation, reducing to 100% of salary for the second year following cessation. It is envisaged that this will be managed through a restricted account maintained by NCC’s registrars and the Company Secretariat. At the AGM in October 2020, 51.53% of shareholders voted in favour of the adoption of the Annual Report on Remuneration. The 2021 Annual Statement and Annual Report on Remuneration will be put to an advisory vote at the AGM on 4 November 2021, providing shareholders with the opportunity to express their support on how the Committee has implemented the Remuneration Policy this year. As always, the Committee remains committed to engagement and transparency and I welcome the opportunity for discussion of the Group’s remuneration with any shareholder, at our AGM or at any other time during the year. During the coming year, we intend to focus on embedding our 2021–24 Remuneration Policy along with continuing to focus on the Committee’s responsibilities under the 2018 UK Corporate Governance Code (the ‘Code’). 
These include:
• Ensuring that the Remuneration Policy continues to support and incentivise the achievement of our strategy and considering the incorporation of ESG measures
• Setting the remuneration for the Executive Committee (i.e. the layer of senior management immediately below Board level) and monitoring the success of the Restricted Share Plan
• Ensuring that the Committee takes into account workforce remuneration and related policies when setting executive remuneration

Jonathan Brooks
Chair, Remuneration Committee
14 September 2021

Strategic targets for 2021/22 continued
• Sustainability objectives: these will include objectives with respect to diversity targets, colleague retention in certain areas, and corporate social responsibility (5% in total)
For the CFO, the strategic objectives will be similar but, instead of strategic objectives within the Assurance business, he will have objectives related to the effective configuration and optimisation of our integrated systems to meet the evolving needs of the business.

Directors’ remuneration policy
The Remuneration Committee determines the Company’s policy on the remuneration of the Executive Directors and (from 1 June 2019) the Executive Committee (ExCom).
The principles which underpin the Remuneration Policy for the Company are to:
• Ensure Executive Directors’ rewards and incentives are directly aligned with the interests of the shareholders in order to reinforce the strategic priorities of the Group, optimise the performance of the Group and create long-term sustained growth in shareholder value, without encouragement to take undue risk
• Provide the level of remuneration required to attract, retain and motivate Executive Directors and senior executives of an appropriate calibre
• Ensure a proper balance of fixed and variable performance related components, linked to short and longer-term objectives and delivered in a mix of cash and shares
• Reflect market competitiveness, taking account of the total value of all the benefit elements

Our remuneration strategy has been designed to reflect the needs of a complex multinational organisation, which has grown both organically and by acquisition. Remuneration for the Executive Directors is structured so that the variable pay elements (annual bonus and long-term incentives) form a significant proportion of the overall package. This provides a strong link between the remuneration paid to Executive Directors and the performance of the Group, as well as providing a strong alignment of interest between the Executive Directors and shareholders. For the purposes of section 226D-(6)(b) of the Companies Act 2006, this Policy, if approved, will take effect from the date of the 2021 AGM on 4 November 2021.

Current Policy table for Executive Directors

Salary
Purpose and link to short and long-term strategic objectives: To attract, retain and reward high calibre Executive Directors
Operation (including framework to assess performance): The Remuneration Committee reviews salaries for Executive Directors and also the Executive Committee (ExCom) annually unless responsibilities change. Pay reviews take into account Group and personal performance. Salaries are set on appointment and benchmarked periodically against market data for companies operating in IT services, management consulting and relevant high tech sectors, which, although not directly comparable, provide an indicative range. In setting appropriate salary levels the Committee takes into account pay and employment conditions of colleagues elsewhere in the Group, alongside the impact of any increase to base salaries on the total remuneration package. Any changes are normally effective from 1 June each year.
Maximum opportunity: Details of current Executive Director salaries are set out on page 110. Salary increases are normally in line with those for other colleagues but also take account of other factors such as changes to responsibility, development and the complexity of the role.
Changes since last Directors’ Remuneration Policy: N/A

Benefits
Purpose and link to short and long-term strategic objectives: To attract, retain and reward high calibre Executive Directors
Operation (including framework to assess performance): Benefits in kind currently include the provision of a car or car allowance, payment of private fuel, car insurance, private medical insurance, life assurance and permanent health insurance. Executive Directors may be invited to participate in the Sharesave Scheme approved by HMRC or other benefits introduced for all colleagues.
Maximum opportunity: Market-competitive benefits. SAYE Sharesave Scheme subject to HMRC-approved limits.
Changes since last Directors’ Remuneration Policy: N/A

Pension
Purpose and link to short and long-term strategic objectives: To provide a competitive benefit, which attracts high calibre executives and allows flexible retirement planning to suit individual needs
Operation (including framework to assess performance): Executive Directors are entitled to a Company pension contribution, which is paid into the Group defined contribution personal pension scheme. They can also opt to have the same level of contribution made in the form of a cash contribution. For both the current CEO and CFO, cash contributions in lieu of a pension are paid.
Maximum opportunity: Until 30 November 2021: up to 10% of base salary as a contribution into the Group scheme or base salary supplement of 10% of base salary. From 1 December 2021: capped at the level of the majority of the workforce (currently 4.5%).
Changes since last Directors’ Remuneration Policy: Alignment of Executive Directors’ pensions with the wider workforce from 1 December 2021.

Annual bonus
Purpose and link to short and long-term strategic objectives: To drive and reward sustainable business performance
Operation (including framework to assess performance): Based on a range of stretching targets measured over one year. This might include, but not exclusively, profit measures and other strategic objectives such as cash management, brand development, customer satisfaction and retention, business unit sales growth and colleague engagement. Performance below the minimum performance target results in no bonus. No more than 20% of the maximum opportunity is paid for achievement of the threshold performance targets. Payments rise from the threshold payment to 100% of the maximum opportunity for levels of performance between the threshold and maximum targets. The rate of the rise and the various payment targets are determined annually by the Committee. The Committee has discretion to reduce the formulaic bonus outcome if individual performance is determined to be unsatisfactory or if the individual is the subject of disciplinary action. At least 35% of any bonus payment is normally deferred into shares or nominal cost share options which vest after a two year period. Dividend equivalents are paid on vesting share options. Malus and clawback provisions are in place for both cash and deferred elements.
Maximum opportunity: 125% of base salary. A lower maximum of 100% of base salary will be operated in 2021/22.
Changes since last Directors’ Remuneration Policy: With effect from 2022/23, the intention is to increase the opportunity to 125% of salary for both the CEO and CFO.

Long Term Incentive Plan
Purpose and link to short and long-term strategic objectives: To drive long-term performance in line with Group strategy and incentivise through share ownership
Operation (including framework to assess performance): Awards have a performance period of at least three years and normally must be held for a further two years after vesting. The level of vesting is determined by measures appropriate to the strategic priorities of the business. At least half of any award will normally be subject to financial performance measures. Measures might include, but not exclusively, EPS, cash flow and relative TSR metrics. The Remuneration Committee has the discretion to determine the number of measures to be used. Performance below the threshold target results in no vesting. For performance between the threshold target and maximum performance target, vesting starts at 15% and rises to 100% of the shares vesting. Should a change in control of the Group occur, crystallisation of any LTIP awards is within the discretion of the Remuneration Committee. Malus and clawback provisions are in place.
Maximum opportunity: Award over shares with a face value at grant of 175% of salary p.a. with awards to the CFO normally capped at 150% of salary.
Changes since last Directors’ Remuneration Policy: For any awards made following the 2021 AGM, the intention is to increase the award to 175% for the CEO, and to 150% for the CFO.

Executive Director shareholding requirement
Purpose and link to short and long-term strategic objectives: To align the interests of Executive Directors with the interests of all of the Company’s shareholders
Operation (including framework to assess performance): The Executive Directors are expected to build and retain a shareholding in the Group at least equivalent to 200% of base salary. Executives will be required to retain all vested deferred bonus shares and LTIP shares released from the holding period until they have attained the minimum shareholding requirement and even then they may normally only sell when they have held vested LTIP shares for a minimum period of two years. For the avoidance of doubt, Executive Directors are permitted to sell sufficient shares in order to meet any tax or withholding obligation arising from vesting shares. Retention of shares post-employment: Executives will be expected to retain the lower of their holding on cessation or 200% of salary for the first year following cessation, reducing to 100% of salary for the second year. Only shares granted from the conclusion of the 2021 AGM will count towards this requirement.
Maximum opportunity: N/A
Changes since last Directors’ Remuneration Policy: For any awards made following the 2021 AGM, the post-employment shareholding policy will require 200% of base salary to be held in the first year post-employment, falling to 100% for the second year.

Choice of performance measures and target setting
For both the annual bonus and LTIPs, the objective of our Policy is to choose performance measures which help drive and reward the achievement of our strategy and which also provide alignment between executives and shareholders. The Committee reviews metrics annually to ensure they remain appropriate and reflect the future strategic direction of the Group. Targets for each performance measure are set by the Committee with reference to internal plans and external expectations. Performance is generally measured so that incentive payouts increase pro rata for levels of performance in between the threshold and maximum performance targets.
With regard to the annual bonus, the Remuneration Committee believes that a simple and transparent scheme with sufficiently stretching targets and an element of bonus deferral prevents short-term decisions being made and ensures that the executives are focused on the delivery of sustainable business performance. For 2021/22, overall Adjusted operating profit and revenue growth by division have been selected as the principal financial measures, with non-financial measures selected that support the delivery of our key in-year strategic goals. With regard to the LTIP, the Committee believes in setting demanding objectives, which reward steady, progressive growth, in order to incentivise and encourage long-term growth and enhance shareholder value. EPS, cash conversion and relative TSR have been chosen for the awards to be granted in 2021/22 as these meet these criteria and are aligned with our strategy. Performance measures and targets are disclosed in the Annual Report on Remuneration. In cases where targets are commercially sensitive, for example annual profit targets for the annual bonus, they will normally be disclosed retrospectively in the year in which the bonus is paid. Differences in Remuneration Policy for colleagues and Executive Directors The principles behind the Remuneration Policy for Executive Directors are cascaded down through the Group and their aims are to attract and retain the best staff and to focus their remuneration on the delivery of long-term sustainable growth by using a mix of salary, benefits, bonus and longer-term incentives. 
As a result, no element of the Executive Director Remuneration Policy is operated exclusively for Executive Directors other than the post-employment shareholding policy: • The annual performance related pay scheme for Executive Directors is largely the same as that of the Executive Committee and other senior managers within the business and all are aligned with similar business objectives • Participation in the LTIP is extended to the Executive Committee and other senior managers where possible although restricted shares rather than performance shares are typically granted at levels below the Executive Committee • The pension scheme is operated for all permanent colleagues and from 1 December 2021 the Executive Directors will receive the same level of contribution as the majority of other colleagues The main difference between pay for Executive Directors and colleagues is that, for Executive Directors, the variable element of total remuneration is greater while the total remuneration opportunity is also higher to reflect the increased responsibility of the role. In addition, we have the ability to grant awards of restricted shares to Executive Committee members. This will enable us to be competitive in certain markets, most notably the USA, where such plans are very much part of any executive remuneration package. 
Non-Executive Director Policy table
Purpose and link to short and long-term strategic objectives Fees Operation (including framework to assess performance) Maximum opportunity
To attract, reward and retain experienced Non-Executive Directors
Fees for the Non-Executive Directors are determined by the Board within the limits set by the Articles of Association and are based on information on fees paid in similar companies, taking into account the experience of the individuals and the relative time commitments involved. There will be separate disclosures of fees paid for chairing the Audit and Remuneration Committees and for acting as Senior Independent Director or for other additional responsibilities. Fees for the Non-Executive Directors are reviewed annually. Additional fees may be paid in certain circumstances such as taking on extra duties, or if exceptionally the time commitment is significantly increased. An expenses allowance is paid or alternatively any reasonable business related expenses (including tax thereon) can be reimbursed if determined to be a taxable benefit. Current fee levels are set out on page 110. The overall fee limit will be within the current £750,000 limit set out in the Company’s Articles of Association, approved on 25 September 2019, which is subject to increase on 25 September each year by the same percentage increase as the percentage increase in the General Index of Retail Prices for all items (or such other comparable index as may be substituted for it from time to time before such anniversary) in the 12 months immediately preceding such date.

Changes since last Directors’ Remuneration Policy
The overall fee limit is now £750,000. Extra fees may be paid in certain circumstances such as taking on extra duties.
Approach to recruitment The principle applied in the recruitment of a new Executive Director is for the remuneration package to be set in accordance with the terms of the approved Remuneration Policy for existing Executive Directors in force at the time of appointment. Further details of this Policy for each element of remuneration are set out below. Pay element Approach Areas of flexibility Salary Set to reflect the executive’s skills and experience, the Company’s intended pay positioning and the market rate for the applicable role. Benefits and pension Benefits will be provided in line with those offered to other Executive Directors, taking account of local market practice, with relocation expenses or arrangements provided if necessary. The Committee will have the discretion to allow phased salary increases over a period of time for newly appointed Directors, even though this may involve increases in excess of the rate for the wider workforce and inflation in circumstances where starting salary was below median levels. Tax equalisation may also be considered if an Executive Director is adversely affected by taxation due to their employment with the Company. The Company may also pay legal fees and other costs incurred by the individual. These would all be disclosed. Pension would be set in line with the workforce level. The aggregate ongoing incentive opportunity offered to new recruits will be no higher than that offered under the annual bonus plan and the LTIP to the existing Executive Directors. Different performance measures and targets may be set initially for the annual bonus plan, taking into account the responsibilities of the individual and the point in the financial year at which they join. 
Incentive opportunity

“Buyout” awards
Sign-on bonuses are not generally offered by the Group but, at Board level, the Committee may offer additional cash and/or share-based “buyout” awards when it considers these to be in the best interests of the Company and, therefore, shareholders, including awards made under Listing Rule 9.4.2R. Any such “buyout” payments would be based solely on remuneration lost when leaving the former employer and would reflect the delivery mechanism such as cash, shares, options, time horizons and performance requirements attaching to that remuneration. In addition, any other ongoing remuneration obligations existing prior to appointment may continue, provided that they are put to shareholders for approval at the first AGM following their appointment.

Transitional arrangements for internal appointments to the Board
In the case of an internal appointment, any variable pay element awarded in respect of the prior role may be allowed to pay out according to its terms on grant, adjusted as relevant to take into account the appointment.

Approach to service contracts and letters of appointment
The Committee’s policy is to offer service contracts for Executive Directors with notice periods of between six and 12 months exercisable by either party. In addition, the Executive Directors are subject to a non-compete clause from the date of termination, where enforceable. All Non-Executive Directors’ appointments are terminable on at least three months’ notice on either side. The Executive Directors and Non-Executive Directors offer themselves for re-election at the AGM every year.

Policy on payment for loss of office
Payments on termination for Executive Directors are restricted to the value of salary and contractual benefits for the duration of the notice period.
It is the policy of the Remuneration Committee to seek to mitigate termination payments and pay what is due and fair. There are no predetermined special provisions for Executive Directors with regard to compensation in the event of loss of office. The Company may also pay an amount considered to be reasonable by the Committee where loss of office is due to redundancy or in respect of fees for legal advice for the outgoing Director or to settle or compromise any legal claims. Assistance with outplacement may also be provided. Elements of variable remuneration would be treated as follows: Pay element Approach Areas of flexibility Annual bonus Determined on a case-by-case basis. When the Committee determines that the payment of an annual bonus is appropriate, the annual bonus payment is typically: • Prorated for the period of time served from the start of the financial year to the date of termination and not for any period in lieu of notice or garden leave • Subject to the normal bonus targets, tested at the end of the year, and would take into account performance over the notice period • Subject to deferral of 35% of the value The Committee has the discretion to pay cash bonus amounts or allow deferred bonus awards to vest on cessation or whether they lapse. If the Committee exercises this discretion, it can also determine if the vesting should be prorated to reflect time served since the beginning of the deferral date. The same discretionary principle would apply to the payment of dividend equivalents on any shares that have been deferred, but not yet vested. Long Term Incentive Plan Unvested awards will normally lapse upon cessation of employment. The Committee has discretion to allow awards to vest at the normal vesting date or earlier. If the Committee exercises this discretion, awards are normally prorated to reflect time served since the date of grant and based on the achievement of the performance criteria. 
The holding period detailed above will apply to such incentives.

All-colleague share schemes
The Executive Directors, where eligible for participation in all-colleague share schemes, participate on the same basis as for other colleagues. None.

Illustration of remuneration scenarios
The chart below details the hypothetical composition of each Executive Director’s remuneration package and how it could vary at different levels of performance under the new Remuneration Policy set out above.

[Chart: total remuneration by scenario, split into fixed pay, annual bonus and long-term incentives]

Chief Executive Officer
Minimum: £502,000 (fixed pay 100%)
Target: £856,000 (fixed pay 59%, annual bonus 27%, long-term incentives 14%)
Maximum: £1,781,000 (fixed pay 28%, annual bonus 26%, long-term incentives 46%)
Maximum + 50% share price growth: £2,188,000 (fixed pay 23%, annual bonus 21%, long-term incentives 56%)

Chief Financial Officer
Minimum: £353,000 (fixed pay 100%)
Target: £576,000 (fixed pay 61%, annual bonus 27%, long-term incentives 12%)
Maximum: £1,123,000 (fixed pay 32%, annual bonus 27%, long-term incentives 41%)
Maximum + 50% share price growth: £1,354,000 (fixed pay 26%, annual bonus 23%, long-term incentives 51%)

Note that the charts are indicative, as actual amounts may depend on share price. Assumptions made for each scenario are as follows:
• Minimum. Fixed remuneration only: salary, benefits and pension. Salary based on 2021/22 salary and benefits based on 2020/21 disclosed benefit amounts
• Target. Fixed remuneration plus “target” annual bonus opportunity of 50% of salary for both the Chief Executive Officer and Chief Financial Officer, plus 15% vesting of the maximum award under the Long Term Incentive Plan. NCC does not use the concept of a “target” bonus; however, in order to be fully compliant with the regulations an assumption of 50% of the maximum for 2021/22 has been used
• Maximum.
Fixed remuneration plus maximum annual bonus opportunity equivalent to 100% of salary for both the Chief Executive Officer and Chief Financial Officer for 2021/22, as well as 100% vesting of the maximum award under the Long Term Incentive Plan, being 175% of salary for the CEO and 150% of salary for the CFO. Note that from 2022/23 it is intended that the maximum annual bonus will increase from 100% of salary to 125% of salary • Effect of a 50% increase in share price. Same assumptions as for the maximum scenario, but with the additional assumption that the value of LTIP awards increases by 50% as a result of share price appreciation over the performance period Statement of consideration of employment conditions elsewhere in the Group The Remuneration Committee does not consult directly with colleagues when determining the Remuneration Policy for Executive Directors. However, as stated above, the annual bonus and LTIP are operated for other colleagues to ensure alignment of objectives across the Group and the terms of the pension scheme (save for the contribution entitlements) are the same for all permanent colleagues. In addition, the Committee compares information on general pay levels and policies across the Group when setting Executive Director pay. Jennifer Duvalier undertakes regular colleague engagement sessions where colleagues are able to ask about Executive Director pay. During the year no questions or concerns on Executive pay were raised to Jennifer (please see page 80 for further information). How shareholder views are taken into account The Remuneration Committee considers shareholder feedback received on the Directors’ Remuneration Report each year and guidance from shareholder representative bodies more generally. Shareholders’ views are key inputs when shaping remuneration policy. 
When any material changes are proposed to the Remuneration Policy, the Remuneration Committee Chair will inform major shareholders in advance and will generally offer a meeting to discuss these. Key areas of discretion in the Remuneration Policy The Committee operates the Group’s variable incentive plans according to their respective rules and in accordance with HMRC rules where relevant. To ensure the efficient administration of these plans, the Committee will apply certain operational discretions. These discretions are implicit in the Policy stated above, but we have listed them for clarity. These include, but are not limited to, the following: • Selecting the participants in the incentive plans on an annual basis • Determining the timing of grants of awards and/or payments • Determining the quantum of awards and/or payments (within the limits set out in the Policy table) • Reviewing performance against annual bonus and LTIP performance metrics • Determining the extent of payout or vesting based on the assessment of performance • Making the appropriate adjustments required in certain circumstances, for instance for changes in capital structure • Determining “good leaver” status for incentive plan purposes and applying the appropriate treatment • Undertaking the annual review of weighting of performance measures and setting targets for the incentive plans, where applicable, from year to year • Discretion to override formulaic outcomes of the incentive schemes if an event occurs which results in the annual bonus plan or LTIP performance conditions and/or targets being deemed no longer appropriate (e.g. 
material acquisition or divestment); the Committee will have the ability to adjust appropriately the measures and/or targets and alter weightings, provided that the revised conditions are not materially less challenging than the original conditions
• Discretion to override formulaic vesting outcomes if they are judged by the Committee not to be an accurate reflection of Company performance

Legacy arrangements
For the avoidance of doubt, in approving the Remuneration Policy, authority is given to the Company to honour any commitments entered into with current or former Directors before the current legislation on remuneration policies came into force or before an individual became a Director, such as the payment of outstanding incentive awards, even where it is not consistent with the policy prevailing at the time such commitment is fulfilled. Details of any payments to former Directors will be set out in the Annual Report on Remuneration as they arise.

External directorships for Executive Directors
Executive Directors may accept one external non-executive directorship with the prior agreement of the Board, provided it does not conflict with the Group’s interests and the time commitment does not impact upon the Executive Director’s ability to perform their primary duty. The Executive Directors may retain the fee from external directorships.

Annual report on remuneration
This part of the report has been prepared in accordance with Part 3 of The Large and Medium-sized Companies and Groups (Accounts and Reports) (Amendment) Regulations 2013 as amended and 9.8.8R of the Listing Rules. The following report will be subject to an advisory shareholder vote at the 2021 AGM, which is scheduled to be held on 4 November 2021. The information on pages 109 to 118 has been audited where indicated.

How will the Remuneration Policy be implemented in the year ending 31 May 2022?
Executive Directors’ base salaries
The Committee has decided to award a salary increase to the Chief Executive Officer of 3%, which is in line with the average increase for the workforce of 3.1%. As set out in the Annual Statement, the base salary of the Chief Financial Officer is significantly below the market level for comparable roles and a base salary increase of approximately 4.9% above the level of the workforce has been awarded with effect from 1 June 2021. The table below details the Executive Directors’ salaries as at 31 May 2021 and salaries which took effect from 1 June 2021:

| Base salary at 31 May 2021 £000 | Base salary at 1 June 2021 £000 | % change
Chief Executive Officer | 451 | 465 | 3%
Chief Financial Officer | 285 | 308 | 8%

Pension and benefits
There will be no changes to benefits provision. Effective 1 December 2021, and conditional on the approval of the Directors’ Remuneration Policy at the 2021 AGM, the CEO’s and CFO’s pension provision will reduce from 5% of base salary and 10% of base salary, respectively, to the level of the wider workforce, which is currently 4.5%. These contributions are cash payments in lieu of formal pension contributions.

Annual bonus
The annual bonus maximum for the Chief Executive Officer and the Chief Financial Officer in 2021/22 will be 100% of salary with 75% based on the achievement of certain Adjusted operating profit and revenue targets and 25% based on the achievement of strategic targets as outlined on page 102. A financial underpin will apply to the revenue and non-financial bonus targets. To the extent they are no longer commercially sensitive, these targets will be disclosed in next year’s report. In addition, to ensure that this bonus opportunity results in shareholder alignment and provides greater retention value, 35% of any bonus payment will be deferred into nominal cost share options for two years. The bonus, nominal cost share options and associated dividend equivalents are also subject to malus and clawback provisions.
Long Term Incentive Plan (LTIP)
Subject to approval of the new Remuneration Policy it is intended that awards with a maximum value of 175% and 150% of base salary to the CEO and CFO respectively will be made under the LTIP shortly following the 2021 AGM. These will be subject to a two year post-vesting holding period for the Executive Directors. As well as the holding period, the executives have to achieve a shareholding requirement of 200% of salary (post shares sold to cover any tax) before they can sell any shares that vest, with these awards also counting towards the post-employment shareholding requirement. The awards are also subject to malus and clawback provisions. The vesting of these LTIP awards will be based on earnings per share (60%), a cash flow metric (30%) and a relative total shareholder return metric (10%). 15% of each element will vest at the threshold performance level, rising to 100% vesting at maximum. The proposed targets are as follows:

Metric | Weight | Threshold (15% vests) | Maximum (100% vests)
Earnings per share growth | 60% | 9% p.a. | 22.5% or higher
Average cash conversion | 30% | 70% | 80% or higher
Relative TSR vs FTSE 250 (excluding investment trusts) | 10% | Median | Upper quartile or above

For performance between threshold and maximum, awards vest on a straight-line basis. The Committee believes that these three measures are transparent, easy to understand, easy to track and communicate, cost effective to measure and fundamentally aligned to the Group’s strategic goals.

Non-Executive Directors’ remuneration
In line with the current Policy, Non-Executive Director fees are reviewed annually.
Annualised fees (inclusive of travel allowance of £8,200 for the Chair and £4,750 for other Non-Executive Directors which was waived in 2020/21)

| As at 1 June 2021 £000 | As at 1 June 2020 £000
Chris Stone | 158 | 147
Chris Batterham | 75 | 64
Jonathan Brooks | 65 | 58
Mike Ettling | 55 | 51
Jennifer Duvalier | 60 | 51

How has the Remuneration Policy been implemented in the year ended 31 May 2021?
This section sets out how the Remuneration Policy was implemented in 2020/21. The key implementation decisions during the year related to:
• Review of salary increases for Executive Directors
• The determination of annual bonus outcomes for the 2020/21 performance period
• The performance targets and value of awards granted under the LTIP, which will vest in 2023
Further detail on these decisions, together with other information on payments made to Directors, is set out in the following sections.

Single total figure of remuneration (audited)
The detailed emoluments received by the Executive and Non-Executive Directors for the year ended 31 May 2021 are below:

Director | Year ended | Salary/Non-Executive Director fees ¹ £000 | Benefits ² £000 | Pension benefits ³ £000 | Total fixed pay £000 | Annual bonus ⁴ £000 | Long-term incentive ⁵ £000 | Total variable pay £000 | Total £000
Chris Stone | 31 May 2021 | 138 | – | – | 138 | – | – | – | 138
Chris Stone | 31 May 2020 | 145 | – | – | 145 | – | – | – | 145
Adam Palser | 31 May 2021 | 450 | 16 | 22 | 488 | 414 | 218 | 632 | 1,120
Adam Palser | 31 May 2020 | 447 | 16 | 22 | 485 | 103 | 273 | 376 | 861
Tim Kowalski ⁶ | 31 May 2021 | 284 | 31 | 28 | 343 | 247 | 137 | 384 | 727
Tim Kowalski ⁶ | 31 May 2020 | 282 | 17 | 28 | 327 | 56 | – | 56 | 383
Chris Batterham | 31 May 2021 | 59 | – | – | 59 | – | – | – | 59
Chris Batterham | 31 May 2020 | 63 | – | – | 63 | – | – | – | 63
Jonathan Brooks | 31 May 2021 | 53 | – | – | 53 | – | – | – | 53
Jonathan Brooks | 31 May 2020 | 57 | – | – | 57 | – | – | – | 57
Jennifer Duvalier ⁷ | 31 May 2021 | 51 | – | – | 51 | – | – | – | 51
Jennifer Duvalier ⁷ | 31 May 2020 | 50 | – | – | 50 | – | – | – | 50
Mike Ettling | 31 May 2021 | 46 | – | – | 46 | – | – | – | 46
Mike Ettling | 31 May 2020 | 50 | – | – | 50 | – | – | – | 50
Total | 31 May 2021 | 1,081 | 47 | 50 | 1,178 | 661 | 355 | 1,016 | 2,194
Total | 31 May 2020 | 1,094 | 33 | 50 | 1,177 | 159 | 273 | 313 | 1,609

1 The Chair and Non-Executive Directors each receive an allowance paid as part of their base fees of £8,200 and £4,750 respectively, to cover all travel and expenses related to their roles on the Board. In light of Covid-19 and the fact that Board meetings were being held virtually, these allowances were not paid between 1 June 2020 and 31 May 2021.
2 Taxable benefits include the provision to every Executive Director of a car or car allowance, payment of private fuel, car insurance, private medical insurance, life assurance and permanent health insurance. In 2020/21, Tim Kowalski switched from receiving a car allowance to a leased vehicle at no additional cost to the Group. The P11D value of the leased vehicle is higher than the monthly cash value of the car allowance which he forfeited.
3 Pension benefits include employer contributions to the Group pension scheme and payments in lieu of pension contributions. The Company provided pension payments in lieu of pension contributions for two Executive Directors during the year ended 31 May 2021.
4 Annual bonus payments for performance in the relevant financial year; 35% of this bonus is deferred into nominal cost share options for two years. Dividend equivalents accrue on these shares.
5 Long-term incentive awards vesting under the LTIP. 78,914 shares vested to Adam Palser and 49,773 shares vested to Tim Kowalski with respect to the LTIP granted in 2018 which had a performance period ending on 31 May 2021. These have been valued using a share price of £2.76 which is the three month average share price over March, April and May 2021. These shares were awarded based on a share price of £2.21 on the day before the date of grant. As a result, the change in share price since the date of grant has resulted in an increase in value of £43,402.70 and £27,375.15 respectively. With regard to the LTIP awards with a performance period ending on 31 May 2020, 93,533 shares vested to Adam Palser which have been valued using the share price at the date of vesting of £2.92.
6 Tim Kowalski was appointed as Chief Financial Officer on 23 July 2018.
7 Jennifer Duvalier’s fee was increased by £5,000 with effect from 1 June 2020 to reflect her additional responsibilities for engaging with colleagues on behalf of the Board.

Additional information in respect of the single total figure of remuneration

Annual bonus
2020/21 annual bonus (audited)
For the year ended 31 May 2021, the maximum potential bonus opportunity for Adam Palser was 100% of salary. For Tim Kowalski, the maximum potential bonus opportunity was also 100% of salary. For the year ended 31 May 2021, bonuses of 92% and 87% of base salary respectively were payable. The actual bonus awarded to Adam Palser was £413,876 and to Tim Kowalski was £247,071 based on the achievement of the performance conditions set out below. 35% of each payment will be deferred into nominal cost share options for two years, with the remaining 65% paid in cash. The performance measures and targets are set out below.
Financial targets – up to 60% of the bonus

Performance targets | Threshold | Maximum | Actual
30 November 2020 Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements * | £11.5m | £12.5m | £17.0m
31 May 2021 Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements * | £16.0m | £19.0m | £19.2m
Strategic targets | The strategic targets were set individually for the Executive Directors based on key strategic objectives for the year in their area of responsibility – see below

| Adam Palser | Tim Kowalski
30 November 2020 target: weighting (% of salary) at threshold | 6% | 6%
30 November 2020 target: weighting (% of salary) at maximum | 30% | 30%
30 November 2020 target: payout (% of salary) | 30% | 30%
31 May 2021 target: weighting (% of salary) at threshold | 6% | 6%
31 May 2021 target: weighting (% of salary) at maximum | 30% | 30%
31 May 2021 target: payout (% of salary) | 30% | 30%
Strategic targets: weighting (% of salary) | 40% | 40%
Strategic targets: payout (% of salary) | 32% | 27%
Payout (% of salary) | 92% | 87%
Total bonus | £413,876 | £247,071
Amount paid in cash | £269,019 | £160,596
Amount deferred in shares | £144,857 | £86,475

* The Directors consider that Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements is comparable to Adjusted operating profit previously reported. See Strategic Report for further details and a reconciliation between Adjusted operating profit of £39.2m and Adjusted operating profit less a proforma amortisation charge in respect of certain cloud-based software arrangements of £36.2m.

Strategic targets – up to 40% of the bonus
The table below highlights the key strategic targets and achievements for each Executive Director.
Bonus target ranges have been disclosed to the extent possible, but the achievement of some areas is determined by the Committee based on its judgement of performance.

Each entry below gives the target and performance conditions, the maximum % of bonus, and the award at 31 May 2021 for Adam Palser and Tim Kowalski.

Broaden the portfolio (20%). Maximum % of bonus: 20%. Award: Adam Palser 15%, Tim Kowalski 15%.
• EaaS orders (5%) – Target range of £1.5m to £2.0m. Exceeded max target by +10%. Maximum: 5%. Award: Adam Palser 5%, Tim Kowalski 5%.
• Remediation revenue (5%) – Target range of £1.0m to £1.5m. Exceeded max target by +40%. Maximum: 5%. Award: Adam Palser 5%, Tim Kowalski 5%.
• MDR revenue growth (5%) – Target range of 15% to 20% growth. Positive double-digit growth was achieved but below the target range. Maximum: 5%. Award: Adam Palser 0%, Tim Kowalski 0%.
• Hyperscaler (2%) – Target to certify 43 new consultants and deploy them successfully. Target was exceeded with more than 43 consultants certified and deployment resulting in launch of Sentinel offering, sales growth, and strong pipeline. Maximum: 2%. Award: Adam Palser 2%, Tim Kowalski 2%.
• Data (3%) – Target of progress towards (1) being able to benchmark clients’ cyber maturity and underpin FY22 revenues and (2) improved data analytics and machine learning to satisfy our more demanding MDR clients and underpin future revenue growth. Both objectives were met and exceeded as models have been developed and even deployed to meet both objectives. Maximum: 3%. Award: Adam Palser 3%, Tim Kowalski 3%.

Sustainability (10%). Award: Adam Palser 7%, Tim Kowalski 7%.
• Diversity (3%) – Evidence of a comprehensive programme to nurture and promote diversity and inclusion including: effective steering committees, improved hiring practices, rollout of unconscious bias training and awareness raising/engagement programme. Target achieved and exceeded as all objectives achieved and demonstrating success. Maximum: 3%. Award: Adam Palser 3%, Tim Kowalski 3%.
• Diversity (2%) – Evidence of greater diversity and inclusion in the workforce, especially in leadership roles. Target achieved and exceeded by improving hiring practices which has resulted in the number of men employed for every woman reducing by over 50% at senior levels and by 11% overall. Maximum: 2%. Award: Adam Palser 2%, Tim Kowalski 2%.
• Reduce attrition (3%) – Target range for a reduction of 1% to 2%. Performance below threshold. Maximum: 3% (CEO). Award: Adam Palser 0%, Tim Kowalski –.
• Clear measurement of colleague and customer engagement (2%) – achieved. Maximum: 2% (CEO). Award: Adam Palser 2%, Tim Kowalski –.
• Key hires (5%) – Progress against recruitment/upgrade plan measured through: assessment of number and quality of hires, team progress against development plans, and how these changes have improved reporting deliverables. Partial achievement and progress made. Maximum: 5% (CFO). Award: Adam Palser –, Tim Kowalski 2%.

Improvement and efficiencies (10%). Award: Adam Palser 10%, Tim Kowalski 5%.
• Overheads as % revenue (3%) – Target to reduce overheads/revenue vs. prior year – achieved and exceeded. Maximum: 3%. Award: Adam Palser 3%, Tim Kowalski 3%.
• Creation of an EU division (2%) – Evidence of the successful creation of a single (Continental) European division. Achieved – new MD in place and management team confirmed. Maximum: 2% (CEO). Award: Adam Palser 2%, Tim Kowalski –.
• Global resourcing (3%) – 3% awarded if there is >20% increase in cross-border delivery (demonstrating our global way of operating). Achieved and exceeded with an increase of over 100%. Maximum: 3% (CEO). Award: Adam Palser 3%, Tim Kowalski –.
• Creation of “Global Professional Services” and “Global Managed Services” business to underpin future growth and efficiency (2%). Set-up of global product lines with strategic business plans in place and initial progression tracked against these. Achieved. Maximum: 2% (CEO). Award: Adam Palser 2%, Tim Kowalski –.
• Finance function (7%) – Evidence of team improvements and efficiencies including: systems installation to time/quality/risk targets, assessment, design, and delivery of new reporting requirements for Europe and GPS/GMS, improvement in timings/accuracy/quality of month end and end of year reporting and quality of analyst presentations. Evidence of progress in all areas and improvement in quality of analyst presentations, but too early to judge the success of all actions taken. As a result, a partial outcome was awarded. Maximum: 7% (CFO). Award: Adam Palser –, Tim Kowalski 2%.

Total. Award: Adam Palser 32%, Tim Kowalski 27%.

Long Term Incentive Plan vesting
The LTIP awards made in August 2018 vested in May 2021.
Adam Palser and Tim Kowalski were beneficiaries of these and achieved a vesting of 40% of the award of 197,285 and 124,434 shares respectively, being 78,914 and 49,773 shares respectively:

Executive | Number of LTIP awards ¹ | Basis
Adam Palser | 197,285 | 100% of base salary
Tim Kowalski | 124,434 | 100% of base salary

Performance condition: Vesting determined by:
• Growth in Adjusted EPS ³ over the performance period
• Average cash conversion ratio ³ over the performance period
• TSR over the performance period vs FTSE 250 comparator group

The performance conditions for these awards are set out below:

Performance period: 1 June 2018 to 31 May 2021

Proportion | Component | Metric | Threshold | Maximum vesting | Actual performance | Actual % vested | Vesting basis
60% | Adjusted EPS ³ | Average growth over a three year period | 9% | 20% | 8.2% | 0% | Straight line between threshold and maximum
30% | Cash conversion ³ | Average cash conversion ratio ³ over three years | 70% | 80% | 109.3% | 30% | Straight line between threshold and target, then target and maximum
10% | TSR | TSR over three years vs FTSE 250 comparator group (excluding investment trusts) | Median | Upper quartile | Above upper quartile | 10% | Straight line between threshold and maximum

Long-term incentives granted during the year (audited)
During the financial year, the Executive Directors were granted awards subject to the performance conditions set out below.
The awards were as follows: Executive Number of LTIP awards 1 Adam Palser 151,876 Basis Face value 2 Performance condition 100% of base salary £447,000 Vesting determined by: • Growth in Adjusted EPS ³ over the performance period • Average cash conversion ratio ³ over the performance period • TSR over the performance period vs FTSE 250 comparator group Tim Kowalski 95,875 100% of base salary £282,000 As above The performance conditions for these awards are set out below: Proportion Component Metric Threshold Threshold vesting 9% 20% Target N/A Target vesting N/A Maximum Maximum vesting 20% 100% 70% 20% 75% 50% 80% 100% Performance period 1 June 2020 to 31 May 2023 1 June 2020 to 31 May 2023 Vesting basis Straight line between threshold and maximum Straight line between threshold and target, then target and maximum Median 20% N/A N/A Upper quartile 100% Straight line between threshold and maximum 60% 30% Adjusted EPS 3 Cash conversion ³ Average growth over a three year period Average cash conversion ratio ³ over three years 10% TSR TSR over three years vs FTSE 250 comparator group (excluding investment trusts) 1 LTIP awards are structured as nominal cost options. 2 Based on a share price of £2.94, which was the closing mid-market price of the Company’s shares on the day before the date of grant. 3 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 187 and 188. NCC Group plc — Annual report and accounts for the year ended 31 May 2021 113 GovernanceGovernance Remuneration Committee report continued Annual report on remuneration continued SAYE options granted in the year The Group operates an HMRC-approved SAYE scheme. All eligible colleagues, including Executive Directors, may be invited to participate on similar terms for a fixed period of three years. 
During the year Adam Palser and Tim Kowalski did not join any new SAYE schemes. Neither Executive Director participated in the 2020 or 2021 SAYE schemes as both contribute the maximum £500 per month to the 2018 SAYE scheme.

Directors’ interests in shares (audited)
The tables below set out details of the Executive Directors’ outstanding share awards, which will vest in future years subject to performance conditions and/or continued service.

Summary of maximum LTIP awards outstanding
 | Adam Palser | Tim Kowalski
Total LTIP options held at 31 May 2020 ¹ | 536,156 | 279,310
Granted during the period | 151,876 | 95,875
Exercised during the period | 93,533 | –
Share price on date of exercise | £2.92 ² | –
Lapsed during the period | (118,371) | (74,655)
Total LTIP options held at 31 May 2021 ¹ | 476,128 | 300,530

1 Includes only unvested and unexercised LTIP options.
2 £2.92 was the sale price.

All awards granted under the LTIP are subject to continued employment and the satisfaction of the performance conditions as set out above. The awards were all nominal cost options.
Share ownership (audited) The beneficial and non-beneficial interests of the current Directors in the share capital of NCC Group plc at 31 May 2021 are set out below: Beneficial interests in ordinary shares 1 Maximum share awards subject to performance conditions 2 Share options 3 Deferred Bonus Plan 4 Vested but unexercised nil-cost options Total 31 May 2021 31 May 2020 31 May 2021 31 May 2020 31 May 2021 31 May 2020 31 May 2021 31 May 2020 31 May 2021 31 May 2020 31 May 2021 31 May 2020 Chris Stone Adam Palser Tim Kowalski 162,843 124,382 – – – – – – – – 162,843 124,382 94,502 23,779 397,214 442,623 10,273 10,273 53,458 52,225 78,914 93,533 634,361 622,433 48,964 23,614 250,751 279,310 10,273 10,273 27,173 20,462 49,773 Chris Batterham 55,000 50,000 Jonathan Brooks Jennifer Duvalier Mike Ettling 50,000 50,000 19,115 9,500 50,000 50,000 – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – 386,934 333,659 55,000 50,000 50,000 50,000 19,115 9,500 50,000 50,000 1 This information includes holdings of any connected persons. 2 These awards represent the outstanding LTIP interests, included in the table above, which are due to vest in either July/August 2022 or July/August 2023. 3 Representative SAYE scheme interests, which are due to vest in October 2021. 4 Nominal cost share options granted under the 2018–20, 2019–21 and 2020–22 Deferred Bonus Plans on 23 August 2018, 4 September 2019 and 20 May 2021, subject to a service condition, tax and National Insurance. Shareholding requirements The Executive Directors are expected to build and retain a shareholding in the Group equivalent to at least 200% of base salary. Executives will normally be required to retain all vested deferred bonus shares and LTIP shares released from the holding period, until they have attained the minimum shareholding requirement and, even then, only when they have held vested LTIP shares for a minimum period of two years. 
Executive Directors will also be required to retain all shares vesting from SAYE schemes. For the avoidance of doubt, Executive Directors are permitted to sell sufficient shares in order to meet any tax obligation arising from vesting shares.

 | Shareholding as at 31 May 2021 (% of salary) | Shareholding requirements (% of salary) | Requirement met
Adam Palser | 101% | 200% | No
Tim Kowalski | 87% | 200% | No

The percentages within this table have been calculated using a three month average share price (1 March 2021 to 31 May 2021) of £2.76 and include Adam Palser’s and Tim Kowalski’s vested 2018–2021 LTIP of 78,914 and 49,773 shares respectively on a net of tax and National Insurance basis, and all unvested deferred bonus plans on a net of tax and National Insurance basis.

Appointment terms for new Directors
No new Directors were appointed within the year.

Relative importance of the spend on pay
The following table sets out the percentage change in distributions to shareholders and colleague remuneration costs.

 | 31 May 2021 £m | 31 May 2020 £m | % change
Colleague remuneration costs ¹ | 174.3 | 170.1 | 2.5%
Dividends ² | 13.0 | 12.9 | 0.8%

1 Based on the figure shown in Note 7 to the Consolidated Financial Statements.
2 Based on the total cash returned to shareholders in the year ended 31 May 2021 through dividends, as shown in Note 10 to the Consolidated Financial Statements (excluding the proposed 2021 final dividend).

Percentage increase in the remuneration of the Directors
The table below shows the movement in the salary or fees, benefits and annual bonus for each Director between the current and previous financial year compared to the equivalent changes for all colleagues of the Company. The comparator group for salaries and benefits is all colleagues in the UK – there were no benefit policy changes in this time.
The comparator group for the bonus is those in the senior management population who also have an annual scheme and excludes those on commission and incentive plans.

Director | % increase in salary | % increase in benefits | % increase in annual bonus
Chris Stone ¹ | – | – | –
Adam Palser ² | 1% | – | 303%
Tim Kowalski ² | 1% | – | 341%
Chris Batterham ¹ | – | – | –
Jonathan Brooks ¹ | – | – | –
Jennifer Duvalier ¹ | – | – | –
Mike Ettling ¹ | – | – | –
All colleagues | 3.1% | – | 173%

1 Pay decreased for the Chair and Non-Executives during the year as they were not paid the travel allowance.
2 These increases represent the change in bonus payment from 2019/20 to 2020/21. For Adam Palser, this was an increase from £103,000 to £414,000 (i.e. from 23% of maximum to 92% of maximum). For Tim Kowalski, this was an increase from £56,000 to £247,000 (i.e. from 20% of maximum to 87% of maximum).

Chief Executive pay compared to pay of UK colleagues
The following table shows the ratio between the single total figure of remuneration (STFR) of the Chief Executive for 2020/21 and the lower quartile, median and upper quartile pay of our UK colleagues. The salary and total pay and benefits for the lower quartile, median and upper quartile colleagues are also shown.

Total pay ratio
Financial year | Method | 25th percentile pay ratio | 50th percentile pay ratio | 75th percentile pay ratio
2019/20 | Option B | 18:1 | 12:1 | 8:1
2020/21 | Option B | 27:1 | 18:1 | 11:1

 | CEO | 25th percentile | 50th percentile | 75th percentile
Salary (£000) | 450 | 38 | 55 | 84
Total pay and benefits (£000) | 1,120 | 41 | 61 | 99

CEO pay ratio
Option B was chosen to calculate the CEO pay ratio. This option uses the most recent gender pay gap information to determine the relevant colleague at the 25th, 50th and 75th percentile.
We have omitted joiners and leavers from the data to ensure that the data is on a like-for-like basis. This option was chosen in preference to the other possibilities as it uses the most accurate and comprehensive data currently available. It refers to gender pay data as at April 2020. The CEO pay ratio has increased compared to the prior year. This increase is not attributable to a change in remuneration for the CEO, pay and benefits for colleagues as a whole, or a change in the composition of our workforce. Instead, the change in CEO pay ratio is attributable to the increase in share price over the financial year and the strong financial performance which increased payments from our variable incentive plans. As CEO pay places greater weight on “at risk” variable remuneration, Company performance has a greater impact on CEO pay than on pay for the median colleague, which leads to greater year-on-year variations. The pay ratio is consistent with the pay, reward and progression policies currently in place at NCC. A common pay structure operates throughout our organisation in the United Kingdom with a greater focus on performance related pay for more senior levels.

Performance graph and table
The following graph shows the total shareholder return, with dividends reinvested, from 31 May 2011 against the corresponding changes in a hypothetical holding in shares in both the FTSE All Share and FTSE 250 Indices. The FTSE All Share and FTSE 250 Indices represent broad equity indices. The Company is a constituent member of the FTSE All Share Index and the Committee has adopted the FTSE 250 Index for part of its LTIP performance measure. Both indices give a market capitalisation-based perspective. During the year, the Company’s share price varied between £1.492 and £3.075 and ended the financial year at £2.96. Ten year historical TSR performance is the growth in the value of a hypothetical £100 holding over ten years.
It has been calculated for NCC Group plc, and the FTSE All Share and FTSE 250 Indices (excluding investment trusts) based on spot values.

[Graph: ten year historical TSR performance. Value (£) by year ended 31 May, 2011 to 2021, for NCC Group, FTSE All Share and FTSE 250 (excluding investment trusts).]

The share price was £1.586 on 1 June 2020 and £2.96 on 31 May 2021.

The table below shows the total remuneration for the Chief Executive over the same ten year period, including share awards valued at the date they vested.

Year ended ¹ ² ³ | Total remuneration £000 | Annual bonus % of maximum ⁴ | Long-term incentives % of maximum ⁵
31 May 2021 | 1,120 | 92 | 40
31 May 2020 | 861 | 23 | 52
31 May 2019 | 679 | 48 | –
31 May 2018 ¹ | 292 ¹ | 32.5 | –
31 May 2018 ² | 257 ² | 32.5 | –
31 May 2017 | 610 | – | –
31 May 2016 | 1,091 | 70 | 20
31 May 2015 | 993 | 73 | 15
31 May 2014 | 1,089 | 73 | 50
31 May 2013 | 1,118 | – ⁶ | 63
31 May 2012 | 1,074 | 85 | 70
31 May 2011 | 1,222 | 67 | 54

1 Adam Palser was appointed on 1 December 2017. The total remuneration figure above is in respect of the period from 1 December 2017 to 31 May 2018.
2 During the year ended 31 May 2018, Brian Tenner acted as Interim Chief Executive Officer for the period 1 June 2017 to 30 November 2017. The total remuneration figure above is the total remuneration received in relation to that six month period.
3 Relates to the former CEO in the period above between 1 June 2010 and 31 May 2017.
4 Note that this shows the annual bonus payments as a percentage of the maximum opportunity.
5 This shows the LTIP vesting level as a percentage of the maximum opportunity.
6 In 2012/13 the former CEO waived his right to a bonus, which would have been equal to 32% of salary. This was equivalent to 50% of the maximum bonus opportunity.
Membership and attendance
The Remuneration Committee membership consists solely of Non-Executive Directors and comprises Jonathan Brooks as Chair, Chris Batterham and Jennifer Duvalier. The Company Chair, Chief Executive Officer, Chief Financial Officer, Chief People Officer and Company Secretary attend the Remuneration Committee by invitation of the Chair of the Committee from time to time and assist the Committee with its considerations. No Director is involved in setting their personal remuneration. The attendance of individual Committee members at Remuneration Committee meetings is shown in the table below:

Attendee Jonathan Brooks 1 Chris Batterham Jennifer Duvalier Meetings attended

1 Jonathan Brooks missed the July 2020 Committee meeting as he was taken ill on the day of the Committee meeting. Jennifer Duvalier chaired the July 2020 meeting.

Adviser to the Committee
During the year, the Committee received advice on senior executive remuneration from Alvarez and Marsal (A&M) and was comfortable that the advice was objective and independent. A&M is a member of the Remuneration Consultants Group and is a signatory to its Code of Conduct. The total fee charged in 2020/21 for providing advice in relation to executive remuneration was £59,100. A&M did not provide any other services to the Company during the year. The Committee reviews the performance and independence of its adviser on an annual basis.
Service contracts and letters of appointment
The service contracts and letters of appointment of the current Directors include the following terms:

 | Date of contract | Notice period
Executive
Adam Palser | 29 November 2017 | 12 months
Tim Kowalski | 16 July 2018 | 6 months
Non-Executive
Chris Stone | 31 March 2017 | 3 months
Chris Batterham | 9 April 2015 | 3 months
Jonathan Brooks | 13 March 2017 | 3 months
Jennifer Duvalier | 25 April 2018 | 3 months
Mike Ettling | 21 September 2017 | 3 months

Dilution
The LTIP has a dilution limit, for new and treasury shares, of 10% of the issued ordinary share capital of the Company in any ten year period for any share option scheme operated by the Company. As at 31 May 2021 the Company had utilised 15,956,413 (31 May 2020: 15,250,101) ordinary shares through LTIP, DABS, SAYE, CSOP, ISO, RSP and ESPP awards counting towards the 10% limit which represents 5.17% (2020: 5.47%) of the issued ordinary share capital of the Company. To clarify, this figure of 5.17% includes both discretionary and all-colleague share schemes.

Statement of shareholder voting
The following votes were received from the shareholders in respect of the Directors’ Remuneration Report and in respect of the Remuneration Policy:

 | Remuneration Report (2020 AGM): total number of votes | % of votes cast | Remuneration Policy (2020 AGM): total number of votes | % of votes cast
For ¹ | 102,161,835 | 51.53 | 163,090,941 | 81.44
Against | 96,087,573 | 48.47 | 37,158,392 | 18.56
Total votes cast (for and against excluding withheld votes) | 198,249,408 | | 200,249,333 |
Votes withheld ² | 12,904,409 | | 10,904,484 |
Total votes cast (including withheld votes) | 211,153,817 | | 211,153,817 |

1 Includes Chair’s discretionary votes.
2 A vote withheld is not a vote in law and is not counted in the calculation of the proportion of votes cast “for” and “against” a resolution.

Approved by the Board and signed on its behalf:
Jonathan Brooks
Chair, Remuneration Committee
14 September 2021

Directors’ report
The Directors present their report and the Group and Company Financial Statements of NCC Group plc (the ‘Company’) and its subsidiaries (together the ‘Group’) for the financial year ended 31 May 2021.

Principal activities
The Company is a public limited company incorporated in England, registered number 4627044, with its registered office at XYZ Building, 2 Hardman Boulevard, Spinningfields M3 3AQ. The principal activity of the Group is the provision of independent advice and services to customers through the provision of Software Resilience and cyber assurance services. The principal activity of the Company is that of a holding company.

Going concern
The Directors have acknowledged guidance published in relation to going concern assessments. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections. The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons. The Directors have prepared cash flow and covenant compliance forecasts for the 12 month period ending September 2022 which indicate that, taking account of severe but plausible downsides and the anticipated impact of Covid-19 on the operations of the Group and its financial resources, the Group and Company will have sufficient funds to meet their liabilities as they fall due for that period. The Group is financed primarily by a £100m committed revolving credit facility which matures in June 2024.
The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA 1) and interest cover (Adjusted EBITDA 1 to interest charge) which are tested bi-annually at 31 May and 30 November each year. As at 31 May 2021, the Group had drawn down £33.8m for working capital requirements. Subsequent to the year end and shareholder approval on 1 June, the Group acquired on 7 June the IPM business for $220m; the US acquisition was funded through an equity placing in May of £70.2m (net proceeds) combined with a new three year $70m term loan, existing cash balances and our existing revolving credit facility. The impact of the acquisition on the Group’s financial performance, covenants and business model has therefore been considered within this going concern assessment. As at 2 June 2021, following the acquisition of the IPM business, the Group had drawn down £75.5m of its revolving credit facility and was due to incur further transaction costs of £6.4m. As at 31 August 2021, cash, net debt (excluding lease liabilities) 1 and headroom amounted to £43.6m, £74.7m and £80.5m respectively. 1 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items. Further information is also contained within the Chief Financial Officer’s Review and the Glossary of terms on pages 187 and 188. Although the Group has demonstrated resilience to the challenging environment resulting from Covid-19, the Directors acknowledge that the financial performance of the Group has been adversely impacted to a certain degree since the commencement of the pandemic, and for this reason the base case forecast for 2021 reflects this assessment. The continuing macro-economic risks and potential changes in government policies (on the severity of enforced lockdowns worldwide) could have a continued effect on the Group’s performance. However, trading throughout the pandemic has demonstrated resilience. 
The Directors have prepared a number of severe but plausible scenarios as follows:
1. The performance of FY22 continues to be similar to that of 2021, including the impact on regional and international operations of the Group and a potential reduction in growth.
2. An additional impact of Covid-19 during a two month period from January to February 2022 which coincides with a similar economic pandemic pattern as 2021.
3. Potential impact of customers’ inability to pay during a specified period.
4. Failure of execution of the strategy, loss of key customers and a number of acquisition related risks crystallising (for example increased customer churn, integration and cash collection issues).
5. Software Resilience performance does not return to growth and the Assurance business experiences similar impact of Covid-19 on its performance as 2021.

These scenarios have been modelled individually and also in combination in order to assess the Group’s ability to withstand multiple challenges, although the Directors do not believe a scenario combining all these risks to be plausible. The impact of these sensitivities has been reviewed against the Group’s projected cash flow position, available bank facilities and compliance with financial covenants. In the instance that a combination of the above scenarios arise, mitigating actions would be required to ensure that the Group remains liquid and financially viable, which might include a reduction of planned capital expenditure, freezing pay and recruitment and not paying a dividend to shareholders. All of the mitigating actions are within the Directors’ control. These forecasts, including the severe but plausible downsides, show that the Group is able to operate within its available banking facilities, with no forecasted covenant breaches, and that the Group will have sufficient funds to meet its liabilities as they fall due for that period.
From a Company perspective, the Company places reliance on other Group trading entities for financial support. Having reviewed the current trading performance, forecasts, other Group trading entities’ financial support, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these Financial Statements. Accordingly, they continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 31 May 2021.

Results and dividends
The Group’s and Company’s audited Financial Statements for the financial year ended 31 May 2021 are set out on pages 133 to 186. The Company is not aware of any agreements between shareholders that may result in restrictions on the transfer of securities and/or voting rights. The Directors propose a final dividend of 3.15p per ordinary share, which, together with the interim dividend of 1.5p per ordinary share paid on 5 March 2021, makes a total dividend of 4.65p for the year. The Directors may refuse to register a transfer of shares in certificated form that are not fully paid up or otherwise in accordance with the Articles.

Authority to purchase own shares
At the AGM held on 20 October 2020, shareholders authorised the Company to make market purchases of up to 27,906,500 ordinary shares representing approximately 10% of the issued share capital. This authority was not used during the financial year ended 31 May 2021. At the 2021 AGM, shareholders will be asked to give a similar authority. The Company does not currently hold any ordinary shares in treasury.
Directors
Biographical details of the Company’s current Directors are set out on pages 74 and 75. Subject to law and the Company’s Articles of Association, the Directors may exercise all of the powers of the Company and may delegate their power and discretion to Committees. The Company’s Articles of Association give the Directors power to appoint and replace Directors. Under the terms of reference of the Nomination Committee, any appointment to the Board of the Company must be recommended by the Nomination Committee for approval by the Board. The Articles of Association also require one-third of the Directors to retire by rotation each year end and each Director must offer themself for re-election at least every three years. However, in accordance with previous years and in accordance with best practice, all Directors will submit themselves for re-election at the AGM each year. During the year, no Director had any material interest in any contract of significance in the Group’s business.

Directors’ and Officers’ insurance and indemnities
The Company maintains Directors’ and Officers’ liability insurance, which provides appropriate cover for any legal action brought against its Directors (including those who served as Directors or Officers during 2020/21). This cover was in place throughout the financial year ended 31 May 2021 and up to the date of this Directors’ Report. The Directors of the Company have also entered into individual deeds of indemnity with the Company which constitute qualifying third party indemnity provisions for the purposes of section 234 of the Companies Act 2006. The deeds were in effect during the course of the financial year ended 31 May 2021 for the benefit of the Directors and, at the date of this report, are in force for the benefit of the Directors in relation to certain losses and liabilities which they may incur (or have incurred) in connection with their duties, powers or office.
The final dividend will be paid on 12 November 2021, subject to approval at the AGM on 4 November 2021, to shareholders on the register at the close of business on 15 October 2021. The ex-dividend date is 14 October 2021. Post-Balance Sheet events On 1 June 2021, shareholder approval was passed for the acquisition of the IPM business of Iron Mountain, comprising substantially all of the assets of Iron Mountain Intellectual Property Management, Inc. together with certain other assets of affiliates of Iron Mountain exclusively related to the IPM business. Details of assets acquired that are subject to provisional fair value adjustments will be reported for the year ending 31 May 2022. The acquisition for a total consideration of $220m was funded through an equity gross placing of £72.6m (see Note 27) on 17 May 2021 combined with a new three year $70m term loan, existing cash balances and our revolving credit facility. The term loan was entered into on 12 May 2021 but not drawn down until 2 June 2021. See further details within Note 34 to the consolidated Financial Statements. Share capital and control At the AGM held on 20 October 2020, the Directors were granted authority to allot up to 93,021,700 ordinary shares representing approximately a third of the Company’s issued share capital. In addition, the Directors were granted authority to allot a further 93,021,700 ordinary shares, again representing approximately a third of the Company’s issued share capital, solely to be used in connection with a pre-emptive rights issue. As at 31 May 2021, the Company’s issued ordinary share capital comprised 308,956,045 ordinary shares with a nominal value of 1p each, of which no ordinary shares were held in treasury. During the year ended 31 May 2021, 2,140,474 shares in the Company were issued further to the exercise of options pursuant to the Company’s share option schemes. 
The holders of ordinary shares are entitled, among other rights, to receive the Company’s Annual Reports and Accounts, to attend and speak at general meetings of the Company, to appoint proxies and to exercise voting rights. Details of the movements of the called up share capital of the Company are set out in Note 27 to the Financial Statements and the information in this Note is incorporated by reference and forms part of this Directors’ Report. All rights and obligations attaching to the Company’s ordinary shares are set out in the Company’s Articles of Association (the ‘Articles’), copies of which can be obtained from the Companies House website or by writing to the Company Secretary. Unless otherwise provided in the Articles, the terms of issue of any shares, any restrictions from time to time imposed by laws or regulations (for example insider trading laws) or pursuant to the UK Market Abuse Regulations whereby certain Directors, officers and colleagues of the Group require the approval of the Company to deal in ordinary shares of the Company, any shareholder may transfer any or all of their shares.

Colleagues
The Group uses a number of ways to engage with its colleagues on matters that impact them and the performance of the Group. These include briefings by members of the Executive Committee, regular team meetings, the Group’s intranet site, global communications and update emails which together provide, among other information, an awareness of the financial and economic factors affecting the Company’s performance. Further information on how the Directors engage with colleagues along with how colleague interests are taken into account during decision making can be found within the Corporate Governance Report on page 80. We conduct a colleague engagement survey to ensure all colleagues are given a voice in the organisation.
In 2018, using insights from our survey and subsequent colleague engagement, we defined new values for the organisation. Details of these values are set out in the Sustainability Report on page 60. We offer colleagues the opportunity to purchase ordinary shares in the Company through participation in the Company’s Save As You Earn Scheme. At the 2019 AGM, shareholders also approved a Share Incentive Plan. Both schemes help to encourage colleague interest in the performance of the Group. Equal opportunities The Group is committed to providing equality of opportunity to all colleagues without discrimination and applies fair and equitable employment policies which seek to promote entry into and progression within the Group. Appointments are determined solely by application of job criteria, personal ability, behaviour and competency. In the opinion of the Directors, all colleague policies are deemed to be effective and in accordance with their intended aims. Disabled persons Disabled persons have equal opportunities when applying for vacancies, with due regard to their aptitudes and abilities. Procedures ensure that disabled colleagues are fairly treated in respect of training and career development. For those colleagues becoming disabled during the course of their employment, the Group is supportive so as to provide an opportunity for them to remain with the Group, wherever reasonably practicable. Political donations During the year the Company made no political donations (2020: £nil). Sustainability Report The Company’s Sustainability Report on pages 53 to 68 provides an update on the Group’s policies and activities in respect of its wider stakeholders, including colleagues; community, environmental, ethical and health and safety issues; and modern slavery. Overseas branches As at 31 May 2021, the Group had no overseas branches. 
Research and development We are committed to using innovative, cost effective and practical solutions for providing high quality services and we recognise the importance of ensuring that we focus our investment on the development of technology. The Group’s research and development expenditure is predominantly associated with computer and software systems. Change of control In the event of a change of control of the Company, the Group and each of its lenders shall enter into negotiation for a period to determine how the Group’s loan facilities may continue and if after negotiation there is no agreement the lender has the right to cancel the commitment. There are no agreements between the Company and its Directors or colleagues providing for compensation for loss of office or employment (whether through resignation, purported redundancy or otherwise) that occurs because of a takeover bid. Disclosure of information to the auditor The Directors who held office at the date of approval of this Directors’ Report confirm that, so far as they are each aware, there is no relevant audit information of which the Company’s auditor is unaware; and each Director has taken all reasonable steps to ascertain any relevant audit information and ensure the auditor is aware of such information. Reappointment of auditor The Board approved the Audit Committee’s recommendation to put a resolution to shareholders recommending the reappointment of KPMG LLP as the Company’s auditor and KPMG LLP has indicated its willingness to accept the reappointment as auditor to the Company. The Audit Committee, in its recommendation, confirmed that (1) the recommendation was free from influence by a third party and (2) no contractual term of the kind mentioned in Article 16(6) of the EU Regulation 537/2014 has been imposed on the Company. A resolution to reappoint KPMG LLP as auditor will be put to the members at the AGM. 
Annual General Meeting The notice of the Company’s AGM to be held at 2pm on 4 November 2021 at its head office at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ, along with details of the business to be proposed and explanatory notes, will be available on the Group’s website together with the Annual Report and Accounts. All shareholders will be notified by post or email, at their request, when the documents have been made available. Although the Company is not expecting to be legally restricted in terms of attendance at the AGM, the Board remains committed to protecting the health and wellbeing of its shareholders and of the general public. Therefore, it is regrettably the opinion of the Board that due to the increase in the number of Covid-19 cases reported in the UK, shareholders should not physically attend the AGM. Accordingly, the Board strongly urges shareholders to consider whether travelling to and attending the AGM would be necessary under the current circumstances. In any event, attendees may be required to wear face coverings and will be required to keep a distance between themselves and other attendees. The Company will arrange for the AGM to be convened with the minimum necessary quorum, to conduct the necessary business of the AGM. The Company therefore strongly encourages all shareholders to appoint the Chair of the Meeting as their proxy and to submit their voting instructions electronically in advance of the Meeting, in accordance with the instructions contained in the Notice of AGM. Capitalised interest During the period, no interest was capitalised by the Group (2020: £nil). The tax benefit on this amount was £nil (2020: £nil). 
Reporting requirements The following sets out the location of additional information forming part of the Directors’ Report which is incorporated by reference into this report:

Reporting requirement: Location
Board’s assessment of the Group’s internal control systems: Corporate Governance Report on pages 70 to 86 and Audit Committee Report on page 92
Details of uses of financial instruments and specific policies for managing financial risk: Note 25 (Financial Instruments) on pages 173 to 177
Directors’ interests: Directors’ Remuneration Report on page 114
Directors’ Responsibilities Statement: Directors’ Responsibilities Statement on page 123
Directors’ remuneration including disclosures required by Schedule 5 and Schedule 8 of SI2008/410 – Large and Medium-sized Companies and Groups (Accounts and Reports) Regulations 2008: Directors’ Remuneration Report on pages 109 to 118
DTR4.1.8.R – Management Report – the Directors’ Report and Strategic Report comprise the management report: Directors’ Report on pages 119 to 122 and Strategic Report on pages 1 to 68
Going concern statement: Chief Financial Officer’s Review on page 39 and going concern section within Note 1 on pages 140 to 151
Greenhouse gas emissions and energy consumption: Sustainability Report on page 57
Likely future developments of the business and Group: Strategic Report on pages 9 to 13
LR 9.8.4 (4) – Long-term incentive schemes: Directors’ Remuneration Report on pages 109 and 113 to 115
LR 9.8.6 (2) – Substantial shareholders: Shareholder relations section of Corporate Governance Report on page 87
Statement on corporate governance: Corporate Governance Report, Audit Committee Report, Nomination Committee Report and Directors’ Remuneration Report on pages 70 to 118. Statement of compliance with the UK Corporate Governance Code is on page 72
Strategic Report – Companies Act 2006 section 414A-D: Strategic Report on pages 1 to 68

The Strategic Report on pages 1 to 68 and this Directors’ Report on pages 119 to 122 have been approved and authorised for issue by the Board. They were signed on its behalf by: Adam Palser Chief Executive Officer 14 September 2021 Tim Kowalski Chief Financial Officer 14 September 2021 Responsibility statement of the Directors in respect of the annual financial report We confirm that to the best of our knowledge: • The Financial Statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and the undertakings included in the consolidation taken as a whole • The Strategic Report includes a fair review of the development and performance of the business and the position of the issuer and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face We consider the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group’s position and performance, business model and strategy. For and on behalf of the Board Adam Palser Chief Executive Officer 14 September 2021 Tim Kowalski Chief Financial Officer 14 September 2021 Directors’ responsibilities statement Statement of Directors’ responsibilities in respect of the Annual Report and Accounts and the Financial Statements The Directors are responsible for preparing the Annual Report and Accounts and the Group and Parent Company Financial Statements in accordance with applicable law and regulations.
Company law requires the Directors to prepare Group and Parent Company Financial Statements for each financial year. Under that law they are required to prepare the Group Financial Statements in accordance with International Accounting Standards in conformity with the requirements of the Companies Act 2006 and applicable law and have elected to prepare the Parent Company Financial Statements on the same basis. In addition the Group Financial Statements are required under the Financial Conduct Authority’s Disclosure Guidance and Transparency Rules (DTRs) to be prepared in accordance with International Financial Reporting Standards adopted pursuant to Regulation (EC) No 1606/2002 as it applies in the European Union (‘IFRSs as adopted by the EU’). Under company law the Directors must not approve the Financial Statements unless they are satisfied that they give a true and fair view of the state of affairs of the Company and of the Group’s profit or loss for that period. In preparing each of the Group and Parent Company Financial Statements, the Directors are required to: • Select suitable accounting policies and then apply them consistently • Make judgements and estimates that are reasonable, relevant and reliable • State whether they have been prepared in accordance with International Accounting Standards in conformity with the requirements of the Companies Act 2006 and, as regards the Group Financial Statements, International Financial Reporting Standards adopted pursuant to Regulation (EC) No 1606/2002 as it applies in the European Union (‘IFRSs as adopted by the EU’) • Assess the Group and Parent Company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern • Use the going concern basis of accounting unless they either intend to liquidate the Group or the Parent Company or to cease operations, or have no realistic alternative but to do so The Directors are responsible for keeping adequate accounting records that are 
sufficient to show and explain the Parent Company’s transactions and disclose with reasonable accuracy at any time the financial position of the Parent Company and enable them to ensure that its Financial Statements comply with the Companies Act 2006. They are responsible for such internal control as they determine is necessary to enable the preparation of Financial Statements that are free from material misstatement, whether due to fraud or error, and have general responsibility for taking such steps as are reasonably open to them to safeguard the assets of the Group and to prevent and detect fraud and other irregularities. Under applicable law and regulations, the Directors are also responsible for preparing a Strategic Report, Directors’ Report, Directors’ Remuneration Report and Corporate Governance Statement that comply with that law and those regulations. The Directors are responsible for the maintenance and integrity of the corporate and financial information included on the Company’s website. Legislation in the UK governing the preparation and dissemination of Financial Statements may differ from legislation in other jurisdictions. 
Financial statements Resilient financial performance Independent auditor’s report to the members of NCC Group plc 1 Our opinion is unmodified We have audited the financial statements of NCC Group plc (“the Company”) for the year ended 31 May 2021 which comprise the consolidated income statement, consolidated statement of comprehensive income, consolidated balance sheet, consolidated cash flow statement, consolidated statement of changes in equity, company balance sheet, company cash flow statement, company statement of changes in equity, and the related notes, including the accounting policies in note 1.
In our opinion: • the financial statements give a true and fair view of the state of the Group’s and of the parent Company’s affairs as at 31 May 2021 and of the Group’s profit for the year then ended; • the Group financial statements have been properly prepared in accordance with international accounting standards in conformity with the requirements of the Companies Act 2006; • the parent Company financial statements have been properly prepared in accordance with international accounting standards in conformity with the requirements of, and as applied in accordance with, the provisions of, the Companies Act 2006; and • the financial statements have been prepared in accordance with the requirements of the Companies Act 2006 and, as regards the Group financial statements, Article 4 of the IAS Regulation to the extent applicable. Basis for opinion We conducted our audit in accordance with International Standards on Auditing (UK) (“ISAs (UK)”) and applicable law. Our responsibilities are described below. We believe that the audit evidence we have obtained is a sufficient and appropriate basis for our opinion. Our audit opinion is consistent with our report to the audit committee. We were first appointed as auditor by the directors on 1 November 2013. The period of total uninterrupted engagement is for the eight financial years ended 31 May 2021. We have fulfilled our ethical responsibilities under, and we remain independent of the Group in accordance with, UK ethical requirements including the FRC Ethical Standard as applied to listed public interest entities. No non-audit services prohibited by that standard were provided. 
Overview
Materiality, Group financial statements as a whole: £1.2m (2020: £0.8m), 4.5% (2020: 5.0%) of normalised Group profit before tax
Coverage: 87% (2020: 93%) of the total profit and losses that make up Group profit before tax
Key audit matters (vs 2020)
Recurring risks: Recoverability of goodwill in EU Assurance cash generating unit (‘CGU’); Fox IT long term fixed price contract accounting; Assurance revenue recognition in the cut off period; Recoverability of parent company investments and intercompany receivables
Event driven risks: Accounting treatment of costs related to cloud-based software arrangements (New); Recognition of US research and development (‘R&D’) tax credits (New)

2 Key audit matters: our assessment of risks of material misstatement Key audit matters are those matters that, in our professional judgement, were of most significance in the audit of the financial statements and include the most significant assessed risks of material misstatement (whether or not due to fraud) identified by us, including those which had the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team. We summarise below the key audit matters, in decreasing order of audit significance, in arriving at our audit opinion above, together with our key audit procedures to address those matters and, as required for public interest entities, our results from those procedures. These matters were addressed, and our results are based on procedures undertaken, in the context of, and solely for the purpose of, our audit of the financial statements as a whole, and in forming our opinion thereon, and consequently are incidental to that opinion, and we do not provide a separate opinion on these matters.
The risk Our response Accounting treatment of costs related to cloud-based software arrangements Costs related to cloud-based software £5.1m (2020 restated: £7.9m) Refer to page 91 (Audit Committee Report), page 142 (accounting policy) and page 151, page 156, pages 160–161 and pages 184–185 (financial disclosures) Accounting treatment Previously, the Group capitalised internal and external costs in respect of cloud-based software arrangements. In April 2021 the IFRS Interpretations Committee (‘IFRIC’) published an agenda decision on configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS) arrangements. This IFRIC decision has been considered by the Group and the Group have identified that a change in accounting policy in respect of the capitalisation of certain costs associated with SaaS arrangements is required. The risk is that the accounting policy change is not appropriately applied to both the current and prior years. Recognition of US R&D Tax Credits US R&D net current tax benefit £2.7m and US R&D deferred tax asset £0.4m Uncertain tax position The Group submits R&D tax claims in the US. These claims are open to challenge by the Internal Revenue Service (‘IRS’). Refer to page 91 (Audit Committee Report), page 151 (accounting policy) and page 152, pages 158–159 and page 168 (financial disclosures) Unutilised tax credits of £1.0m remain open to challenge by the IRS as at 31 May 2021 and utilised tax credits of £7.2m. The Group have recognised a provision against these balances to reflect the uncertain tax position, therefore the net tax creditor and net deferred tax asset recognised in the accounts are £2.7m and £0.4m respectively. Therefore a risk exists in relation to the accounting estimation applied by management. The basis on which the Group has claimed R&D tax credits involves a technical assessment of which party is bearing economic risk in research contracts entered into with third parties. 
The risk has increased in year following the increase in quantum of claims, resulting in a high risk of material misstatement. The Group have engaged an external expert to assess these claims. The effect of these matters is that, as part of our risk assessment, we determined that the US R&D tax credit accounting has a high degree of estimation uncertainty with a potential range of outcomes greater than our materiality for the financial statements as a whole. The financial statements (note 2) disclose the range estimated by the Group. Our procedures included: • Accounting clarity: We assessed the accounting clarification of the IFRIC April 2021 decision against the proposed change in the Group’s accounting policy • Test of detail: We agreed a sample of costs related to cloud-based software arrangements to supporting documentation, including labour costs to timesheets and other relevant project information to understand the nature of the items and considered this against the accounting standards and related interpretations • Personnel enquiries: We interviewed selected employees who were assigned to projects to corroborate the nature of the work performed and considered this against the accounting standards and related interpretations • Assessing transparency: We assessed the adequacy of the Group’s related disclosures in respect of the change in accounting policy and the judgements taken by management Our results We found the accounting treatment of costs related to cloud-based software arrangements to be acceptable. 
Our procedures included: • Inspecting correspondence: We inspected correspondence with the Group’s tax advisors for both the current and historic claims • Assessment of experts: We assessed the competence, capabilities and objectivity of the external tax experts engaged by the Group • Tests of detail: Together with our own tax specialists, we challenged the appropriateness of recognition of the US R&D tax credits and the basis on which the claims have been made, focussing on economic risk and who bears this under the contractual arrangements entered into by the Group. We have challenged the findings of management’s experts, including performing sample testing on the findings of management’s experts • Assessing transparency: We assessed the adequacy of the Group’s related disclosures in respect of the uncertain tax position and the estimation uncertainty Our results We found the recognition of US R&D Tax Credits and the related disclosures to be acceptable. Recoverability of goodwill in respect of EU Assurance cash generating Unit (‘CGU’) Goodwill £64.7m (2020: £64.3m before current year change in CGUs) Refer to page 90 (Audit Committee Report), pages 142–143 (accounting policy) and page 152 and pages 161–163 (financial disclosures) Fox IT long term fixed price contract accounting Revenue associated with long term contracts £1.8m (2020: £1.1m) Provision for long term contracts £1.1m (2020: £0.2m) Refer to page 91 (Audit Committee Report), page 149 (accounting policy) and page 152 and page 170 (financial disclosures) Forecast based valuation There is inherent uncertainty involved in forecasting and discounting future cash flows, which are the basis of the assessment of goodwill recoverability. The outcome could vary significantly if different assumptions were applied in the model.
There is a risk of error, due to the judgemental and complex nature of the impairment model. This risk currently is specific to the EU Assurance Cash generating unit (‘CGU’). This is a result of limited headroom historically in the impairment model and the sensitivity of the value in use calculation to reasonably possible changes in key assumptions. We consider that the value-in-use calculation of EU Assurance has a high degree of estimation uncertainty, specifically around the revenue growth assumptions, with a potential range of reasonable outcomes greater than our materiality for the financial statements as a whole, and possibly many times that amount. The financial statements (note 12) disclose the sensitivity estimated by the Group. Our procedures included: • Historical comparison: We assessed the reasonableness of the forecast used, by considering the Group’s forecasting accuracy by comparing actual results in the year to the Group’s previous forecast for the year • Benchmarking assumptions: We challenged, with the support of our own valuation specialists, the risk adjusted discount rates, having regard for market observable data with regard to risk free rates and returns on equity for comparator companies. 
We also evaluated the revenue growth assumptions and the long-term growth rates into perpetuity, comparing to external sources of data including industry growth rates and internal sources including the order book • Sensitivity analysis: We performed breakeven analysis on the key assumptions, including the revenue compound annual growth rate (“CAGR”) and the discount rate • Comparing valuations: We compared the sum of the discounted cash flows to the Group’s market capitalisation adjusted for debt to assess the reasonableness of the value in use calculations • Assessing transparency: We assessed whether the Group’s disclosures regarding the sensitivity of the impairment assessment to changes in key assumptions reflected the risks inherent in the valuation of the goodwill Accounting treatment and subjective estimates The contractual arrangements that underpin the measurement of revenue and associated profit, within the long-term contracts within Fox IT can be complex. These involve judgements around the accounting treatment and subjective estimates, which form the basis of both the in-year and future recognition of revenue and profit. Incentives and pressures to meet market expectations, increase the risk of fraudulent revenue recognition. The significant risk relates to fixed price long term contracts that are not completed as at the balance sheet date. Within Fox IT, the forecasts used in assessing the contract outturn positions are inherently judgemental, due to the uncertainty involved in forecasting future cash flows, including costs to complete. Furthermore, where the fixed price contracts are loss-making or low margin, these assumptions may have a significant impact on the recognition of revenue and profit in the period and may result in impairment of related contract assets or further onerous contract provisions being required. The financial statements (note 2) disclose the sensitivity estimated by the Group. 
Our results We found the carrying value of the goodwill related to the EU Assurance CGU to be acceptable (2020 result: acceptable). Our procedures included: • Test of detail: For a sample of the selected contracts, we agreed costs incurred to date (such as direct costs, labour charges and hardware costs) to purchase orders and challenged the internal hours charged, to assess the stage of completion • Personnel enquiries: We corroborated forecasts used in the long-term contract accounting through discussions with operational management for the same sample of contracts regarding their expectations for the contracts, including forecast costs to complete and the timetable to completion for these contracts. We also periodically attended regular project meetings throughout the year to observe the project teams and challenge • Historical comparison: We assessed the forecasting accuracy of costs to complete by comparing actual results in the year to what was previously forecast • Assessing transparency: We assessed the completeness and accuracy of the matters covered in the disclosures relating to Fox IT long term contract accounting and assessed the adequacy of the Group’s disclosures about the sensitivity of the impact of reasonably possible changes in the key assumptions in the long term contract accounting Our results We found the accounting treatment and estimates of the revenue associated with long term contracts and the provisions for long term contracts and the related disclosures to be acceptable (2020 result: acceptable). 
Assurance revenue recognition in the cut off period Contract assets – accrued income £21.3m; (2020: £17.6m) Contract liabilities – deferred income £32.6m; (2020: £29.7m) Refer to pages 144–149 (accounting policy) and pages 166 and 171 (financial disclosures) 2021/2022 sales Incentives and pressures to meet market expectations, increase the risk of fraudulent revenue recognition. There is a specific risk around the cut-off period at the year end, with regards to ensuring revenue, including accrued and deferred income are recognised in the correct accounting period. This is a particular risk for projects in the assurance business, where projects are ongoing at the year end and there are judgements taken in determining completion and progress to date. Recoverability of parent company’s investments in subsidiaries and intercompany receivables Investments – £151.8m (2020: £78.3m) Intercompany receivables £162.6m (2020: £142.0m) Refer to page 144 and 151 (accounting policy) and pages 166 and 182 (financial disclosures) Low risk, high value The carrying amount of the Parent Company’s investments in subsidiaries and intercompany receivables represents 48% (2020: 34%) and 52% (2020: 63%) respectively of the Company’s total assets. Their recoverability is not at a high risk of significant misstatement or subject to significant judgement. However, due to their materiality in the context of the Parent Company financial statements, this is the area that had the greatest effect on our overall Parent Company audit.
Our procedures included: • Tests of detail: We agreed a sample of revenue transactions within the cut off period pre and post year end to supporting documentation to assess whether these have been recorded in the correct accounting period. This also included specific item testing of a sample of items held in accrued and deferred income at the year end. We performed an assessment of whether over and under statements of revenue, accrued income and deferred income identified through these procedures were material • Analytic Sampling: We also used data & analytics tools to identify journals with unusual account combinations involving revenue and performed testing over the identified items. This included procedures to understand the nature and substance of the transaction and obtaining supporting documentation Our results We found the recognition of Assurance revenue in the cut-off period to be acceptable (2020 result: acceptable). Our procedures included: • Tests of detail: We compared the carrying amount of investments and intercompany receivables with the relevant subsidiaries’ draft balance sheet as at 31 May 2021 to identify whether their net assets, being an approximation of their minimum recoverable amount, were in excess of their carrying amount and assessing whether those subsidiaries have historically been profit-making • Assessing subsidiary audits: We assessed the work performed by the group and subsidiary audit team on a sample of those subsidiaries and considering the results of that work, on those subsidiaries’ profits and net assets Our results We found the Group’s assessment of the recoverability of the parent company’s investment in subsidiaries to be acceptable (2020 result: acceptable). For each of the key audit matters reported, we performed the detailed tests above rather than seeking to rely on any of the Group’s controls. 
This is because our knowledge of the design of these controls indicated that we would not be able to obtain the required evidence to support reliance on controls. We continue to perform procedures over going concern and the impact of uncertainties due to the UK exiting the European Union on our audit. However, following the Group’s trading in the period, as well as the UK’s departure from the European Union and the end of the transition period in January 2021, we have not assessed these as one of the most significant risks in our current year audit and, therefore, they are not separately identified in our report this year. 3 Our application of materiality and an overview of the scope of our audit Materiality for the Group financial statements as a whole was set at £1.2 million (2020: £0.8 million), determined with reference to a benchmark of Group profit before tax, normalised to exclude individually significant items as disclosed in note 5 of £27.5 million (2020: profit before tax of £16.1 million, as stated in the accounts before the prior period restatement), of which it represents 4.5% (2020: 5.0%). Materiality for the Parent Company financial statements as a whole was set at £0.3 million (2020: £0.3 million), determined with reference to a benchmark of Company total assets, of which it represents 0.1% (2020: 0.1%). In line with our audit methodology, our procedures on individual account balances and disclosures were performed to a lower threshold, performance materiality, so as to reduce to an acceptable level the risk that individually immaterial misstatements in individual account balances add up to a material amount across the financial statements as a whole.
Performance materiality was set at 65% (2020: 65%) of materiality for the financial statements as a whole, which equates to £0.78 million (2020: £0.5 million) for the Group and £0.2 million (2020: £0.2 million) for the parent company. We applied this percentage in our determination of performance materiality based on the level of identified misstatements and control deficiencies during the prior period. We agreed to report to the Audit Committee any corrected or uncorrected identified misstatements exceeding £60,000 (2020: £40,000), in addition to other identified misstatements that warranted reporting on qualitative grounds. Of the Group’s 41 (2020: 23) reporting components, we subjected 8 (2020: 10) to full scope audits for Group purposes. We conducted reviews of financial information (including enquiry) at a further 4 (2020: 4) non-significant components as these components were not individually financially significant enough to require an audit for Group reporting purposes but a review was performed to provide further coverage over the Group’s results. The components within the scope of our work accounted for the percentages illustrated opposite. For the residual components, we performed analysis at an aggregated group level to re-examine our assessment that there were no significant risks of material misstatement within these. The Group team instructed component auditors as to the significant areas to be covered, including the relevant risks detailed above and the information to be reported back. The Group team approved the component materialities, which ranged from £0.22m to £0.55m (2020: £0.10m to £0.63m), having regard to the mix of size and risk profile of the Group across the components. The work on 1 of the 41 components (2020: 1 of the 23 components) was performed by component auditors and the rest, including the audit of the Parent Company, was performed by the Group team. 
The Group team held video and telephone conference meetings with 1 (2020: 1) component location in the Netherlands to assess the audit risk and strategy as well as updates on performance. Video and telephone conference meetings were also held with the component auditors for the Netherlands. At these meetings, the audit findings reported to the Group team were discussed in more detail, and any further work required by the Group team was then performed by the component auditor. Normalised Group profit before tax £27.5m (2020: £16.1m) 96++4++II Normalised PBT Group materiality Group revenue 8 9 86 86 Group total assets 94% (2020: 95%) I86+86+ 86+86+ I96+96+ 92+92+ 95% (2020: 98%) 92 96 3 2 Group materiality £1.2m (2020: £0.8m) £1.2m Whole financial statements materiality (2020: £0.8m) £0.78m Whole financial statements performance materiality (2020: £0.5m) £0.55m Range of materiality at 8 components (£0.22m–£0.55m) (2020: £0.10m to £0.63m) £0.06m Misstatements reported to the audit committee (2020: £0.04m) 6 2 87 87 Total profits and losses that made up Group profit before tax 89% (2020: 93%) I87+87+ 87+87+ I80+80+ 88+88+ Total profits and losses that made up Group profit before individually significant items and tax 90% (2020: 93%) 10 88 80 2 Full scope for group audit purposes 2021 Reviews of financial information (including enquiry) 2021 Full scope for group audit purposes 2020 Reviews of financial information (including enquiry) 2020 The US components were audited remotely by the Group audit team. 
4 Going concern
The Directors have prepared the financial statements on the going concern basis as they do not intend to liquidate the Group or the Company or to cease their operations, and as they have concluded that the Group’s and the Company’s financial position means that this is realistic. They have also concluded that there are no material uncertainties that could have cast significant doubt over their ability to continue as a going concern for at least a year from the date of approval of the financial statements (“the going concern period”). We used our knowledge of the Group, including the post-year end acquisition of trade and assets of Iron Mountain Intellectual Property Management Inc., its industry, and the general economic environment to identify the inherent risks to its business model and analysed how those risks might affect the Group’s and Company’s financial resources or ability to continue operations over the going concern period. The risk that we considered most likely to adversely affect the Group’s and Company’s available financial resources, and metrics relevant to debt covenants, over this period was in respect of the economic impact of COVID-19, with uncertainty remaining over the full range of possible effects on the Group’s financial and operational performance. We also considered less predictable but realistic second order impacts, such as the erosion of customer confidence.
We considered whether these risks could plausibly affect the liquidity or covenant compliance in the going concern period by comparing severe, but plausible downside scenarios that could arise from these risks, individually and collectively, against the level of available financial resources and covenants indicated by the Group’s financial forecasts. Our procedures also included: • A review of the availability of cash and the cash flow forecasts to determine whether the assumptions are realistic, achievable and consistent with the external and internal environment; we assessed loan covenant compliance to consider the headroom forecast for each financial covenant; • An evaluation of sensitivities over the level of financial resources indicated by the Group’s financial forecasts, taking account of reasonably possible (but not unrealistic) adverse effects that could arise from the risks identified individually and collectively; • An assessment of the adequacy of the going concern disclosure in note 1 to the financial statements. 
Our conclusions based on this work: • we consider that the directors’ use of the going concern basis of accounting in the preparation of the financial statements is appropriate; • we have not identified, and concur with the directors’ assessment that there is not, a material uncertainty related to events or conditions that, individually or collectively, may cast significant doubt on the Group’s or Company’s ability to continue as a going concern for the going concern period; • we have nothing material to add or draw attention to in relation to the directors’ statement in note 1 to the financial statements on the use of the going concern basis of accounting with no material uncertainties that may cast significant doubt over the Group and Company’s use of that basis for the going concern period, and we found the going concern disclosure in note 1 to be acceptable; and • the related statement under the Listing Rules set out on page 119 is materially consistent with the financial statements and our audit knowledge. However, as we cannot predict all future events or conditions and as subsequent events may result in outcomes that are inconsistent with judgements that were reasonable at the time they were made, the above conclusions are not a guarantee that the Group or the Company will continue in operation. 5 Fraud and breaches of laws and regulations – ability to detect Identifying and responding to risks of material misstatement due to fraud To identify risks of material misstatement due to fraud (“fraud risks”) we assessed events or conditions that could indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud. 
Our risk assessment procedures included: • Enquiring of directors, the audit committee and internal audit; and inspection of policy documentation as to the Group’s high-level policies and procedures to prevent and detect fraud, including the internal audit function, and the Group’s channel for “whistleblowing”, as well as whether they have knowledge of any actual, suspected or alleged fraud • Reading Board, audit committee and remuneration committee minutes • Considering remuneration incentive schemes and performance targets for directors including the EPS target for management remuneration • Using analytical procedures to identify any unusual or unexpected relationships We communicated identified fraud risks throughout the audit team and remained alert to any indications of fraud throughout the audit. This included communication from the Group to the component audit team of relevant fraud risks identified at the Group level and request to the component audit team to report to the Group audit team any instances of fraud that could give rise to a material misstatement at Group. As required by auditing standards, and taking into account possible pressures to meet expectations of third parties, we perform procedures to address the risk of management override of controls and the risk of fraudulent revenue recognition, in particular the risk that Assurance revenue is recorded in the wrong period and the risk that Group and component management may be in a position to make incorrect accounting entries, and the risk of bias in accounting estimates and judgements such as provisions against long term contracts. On this audit we do not believe there is a fraud risk related to Software resilience revenue recognition because there is minimal opportunity for manipulation since the revenue stream is relatively straightforward and is typically based on annual agreements which set out the period over which revenue is to be recognised. 
We did not identify any additional fraud risks. Further detail in respect of Assurance revenue recognition and Fox IT long term fixed price contracts are set out in the key audit matter disclosures in section 2 of this report. We also performed procedures including:
• Cut-off sample testing around the year end over assurance revenue, accrued income and deferred income;
• Assessing significant accounting estimates for bias;
• Identifying journal entries to test for all full scope components using data analytics tools based on risk criteria and comparing the identified entries to supporting documentation. These included those posted to unusual accounts.

Identifying and responding to risks of material misstatement due to non-compliance with laws and regulations
We identified areas of laws and regulations that could reasonably be expected to have a material effect on the financial statements from our general commercial and sector experience, and through discussion with the directors and other management (as required by auditing standards), and discussed with the directors and other management the policies and procedures regarding compliance with laws and regulations. As the Group is regulated, our assessment of risks involved gaining an understanding of the control environment including the entity’s procedures for complying with regulatory requirements. We communicated identified laws and regulations throughout our team and remained alert to any indications of non-compliance throughout the audit. This included communication from the Group to the component audit team of relevant laws and regulations identified at the Group level, and a request for component auditors to report to the Group team any instances of non-compliance with laws and regulations that could give rise to a material misstatement at Group.
The potential effect of these laws and regulations on the financial statements varies considerably. Firstly, the Group is subject to laws and regulations that directly affect the financial statements including financial reporting legislation (including related companies legislation), distributable profits legislation and taxation legislation, and we assessed the extent of compliance with these laws and regulations as part of our procedures on the related financial statement items. Secondly, the Group is subject to many other laws and regulations where the consequences of non-compliance could have a material effect on amounts or disclosures in the financial statements, for instance through the imposition of fines or litigation. We identified the following areas as those most likely to have such an effect: health and safety, employment law and certain aspects of company legislation recognising the nature of the Group’s activities and its legal form. Auditing standards limit the required audit procedures to identify non-compliance with these laws and regulations to enquiry of the directors and other management and inspection of regulatory and legal correspondence, if any. Therefore if a breach of operational regulations is not disclosed to us or evident from relevant correspondence, an audit will not detect that breach. We assessed the legality of the distribution in the period based on the level of distributable reserves available when the distributions were approved. Context of the ability of the audit to detect fraud or breaches of law or regulation Owing to the inherent limitations of an audit, there is an unavoidable risk that we may not have detected some material misstatements in the financial statements, even though we have properly planned and performed our audit in accordance with auditing standards. 
For example, the further removed non-compliance with laws and regulations is from the events and transactions reflected in the financial statements, the less likely the inherently limited procedures required by auditing standards would identify it. In addition, as with any audit, there remained a higher risk of non-detection of fraud, as these may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal controls. Our audit procedures are designed to detect material misstatement. We are not responsible for preventing non-compliance or fraud and cannot be expected to detect non-compliance with all laws and regulations.

6 We have nothing to report on the other information in the Annual Report
The directors are responsible for the other information presented in the Annual Report together with the financial statements. Our opinion on the financial statements does not cover the other information and, accordingly, we do not express an audit opinion or, except as explicitly stated below, any form of assurance conclusion thereon. Our responsibility is to read the other information and, in doing so, consider whether, based on our financial statements audit work, the information therein is materially misstated or inconsistent with the financial statements or our audit knowledge. Based solely on that work we have not identified material misstatements in the other information.

Strategic report and directors’ report
Based solely on our work on the other information:
• we have not identified material misstatements in the strategic report and the directors’ report;
• in our opinion the information given in those reports for the financial year is consistent with the financial statements; and
• in our opinion those reports have been prepared in accordance with the Companies Act 2006.

Directors’ remuneration report
In our opinion the part of the Directors’ Remuneration Report to be audited has been properly prepared in accordance with the Companies Act 2006.

Disclosures of emerging and principal risks and longer-term viability
We are required to perform procedures to identify whether there is a material inconsistency between the directors’ disclosures in respect of emerging and principal risks and the viability statement, and the financial statements and our audit knowledge. Based on those procedures, we have nothing material to add or draw attention to in relation to:
• the directors’ confirmation within the Viability Statement on page 48 that they have carried out a robust assessment of the emerging and principal risks facing the Group, including those that would threaten its business model, future performance, solvency and liquidity;
• the Principal Risks and Uncertainties disclosures describing these risks and how emerging risks are identified, and explaining how they are being managed and mitigated; and
• the directors’ explanation in the Viability Statement of how they have assessed the prospects of the Group, over what period they have done so and why they considered that period to be appropriate, and their statement as to whether they have a reasonable expectation that the Group will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, including any related disclosures drawing attention to any necessary qualifications or assumptions.
We are also required to review the Viability Statement, set out on page 48 under the Listing Rules. Based on the above procedures, we have concluded that the above disclosures are materially consistent with the financial statements and our audit knowledge.
Our work is limited to assessing these matters in the context of only the knowledge acquired during our financial statements audit. As we cannot predict all future events or conditions and as subsequent events may result in outcomes that are inconsistent with judgements that were reasonable at the time they were made, the absence of anything to report on these statements is not a guarantee as to the Group’s and Company’s longer-term viability.

Corporate governance disclosures
We are required to perform procedures to identify whether there is a material inconsistency between the directors’ corporate governance disclosures and the financial statements and our audit knowledge. Based on those procedures, we have concluded that each of the following is materially consistent with the financial statements and our audit knowledge:
• the directors’ statement that they consider that the annual report and financial statements taken as a whole is fair, balanced and understandable, and provides the information necessary for shareholders to assess the Group’s position and performance, business model and strategy;
• the section of the annual report describing the work of the Audit Committee, including the significant issues that the Audit Committee considered in relation to the financial statements, and how these issues were addressed; and
• the section of the annual report that describes the review of the effectiveness of the Group’s risk management and internal control systems.
We are required to review the part of the Corporate Governance Statement relating to the Group’s compliance with the provisions of the UK Corporate Governance Code specified by the Listing Rules for our review. We have nothing to report in this respect. 7 We have nothing to report on the other matters on which we are required to report by exception Under the Companies Act 2006, we are required to report to you if, in our opinion: • adequate accounting records have not been kept by the parent Company, or returns adequate for our audit have not been received from branches not visited by us; or • the parent Company financial statements and the part of the Directors’ Remuneration Report to be audited are not in agreement with the accounting records and returns; or • certain disclosures of directors’ remuneration specified by law are not made; or • we have not received all the information and explanations we require for our audit. We have nothing to report in these respects. 8 Respective responsibilities Directors’ responsibilities As explained more fully in their statement set out on page 123, the directors are responsible for: the preparation of the financial statements including being satisfied that they give a true and fair view; such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error; assessing the Group and parent Company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern; and using the going concern basis of accounting unless they either intend to liquidate the Group or the parent Company or to cease operations, or have no realistic alternative but to do so. 
Auditor’s responsibilities Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue our opinion in an auditor’s report. Reasonable assurance is a high level of assurance, but does not guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements. A fuller description of our responsibilities is provided on the FRC’s website at www.frc.org.uk/auditorsresponsibilities. 9 The purpose of our audit work and to whom we owe our responsibilities This report is made solely to the Company’s members, as a body, in accordance with Chapter 3 of Part 16 of the Companies Act 2006. Our audit work has been undertaken so that we might state to the Company’s members those matters we are required to state to them in an auditor’s report and for no other purpose. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the Company and the Company’s members, as a body, for our audit work, for this report, or for the opinions we have formed. Frances Simpson (Senior Statutory Auditor) for and on behalf of KPMG LLP, Statutory Auditor Chartered Accountants 1 St. 
Peter’s Square Manchester M2 3AE United Kingdom 14 September 2021

Consolidated income statement 1
for the year ended 31 May 2021

Line item | 2021 £m | 2020 (restated) 2, 3 £m
Revenue | 270.5 | 263.7
Cost of sales | (159.9) | (159.3)
Gross profit | 110.6 | 104.4
Administrative expenses:
Depreciation and amortisation | (19.7) | (23.6)
Other administrative expenses | (60.9) | (60.3)
Individually Significant Items | (12.7) | (7.9)
Total administrative expenses | (93.3) | (91.8)
Operating profit | 17.3 | 12.6
Finance costs | (2.5) | (3.0)
Profit before taxation | 14.8 | 9.6
Taxation | (4.8) | (3.2)
Profit for the year attributable to the owners of the Company | 10.0 | 6.4
Earnings per ordinary share:
Basic EPS | 3.6p | 2.3p
Diluted EPS | 3.5p | 2.3p
Notes (in order of appearance): 4, 4, 4, 5, 4, 8, 6, 9, 11

Consolidated statement of comprehensive (loss)/income
for the year ended 31 May 2021

Line item | 2021 £m | 2020 (restated) 2 £m
Profit for the year attributable to the owners of the Company | 10.0 | 6.4
Other comprehensive (loss)/income
Items that may be reclassified subsequently to profit or loss (net of tax):
Cash flow hedges – effective portion of changes in fair value | (0.8) | –
Foreign exchange translation differences | (11.6) | 4.0
Total other comprehensive (loss)/income | (12.4) | 4.0
Total comprehensive (loss)/income for the year (net of tax) attributable to the owners of the Company | (2.4) | 10.4

The accompanying Notes 1 to 35 are an integral part of these consolidated Financial Statements.

Footnotes for consolidated Financial Statements
1 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items, including a reconciliation to statutory information. Further information is also contained within the Glossary of terms on pages 187 and 188.
2 See Note 34 for an explanation of the prior year restatement recognised in relation to the adoption of the IFRIC agenda decision on cloud configuration and customisation costs in April 2021.
3 Results for the year ended 31 May 2020 have been re-presented to include adjusting items within statutory results.

Consolidated balance sheet
at 31 May 2021

Line item | 31 May 2021 £m | 31 May 2020 (restated) 2 £m | 1 June 2019 (restated) 2 £m
Non-current assets
Goodwill | 182.9 | 193.1 | 189.4
Intangible assets | 21.0 | 29.0 | 38.3
Property, plant and equipment | 11.5 | 13.9 | 16.9
Right-of-use assets | 23.8 | 28.7 | 26.5
Investments | 0.3 | 0.3 | 0.3
Deferred tax asset | 2.0 | 2.3 | 2.2
Total non-current assets | 241.5 | 267.3 | 273.6
Current assets
Inventories | 1.1 | 0.9 | 0.7
Trade and other receivables | 68.7 | 73.4 | 61.6
Current tax receivable | 4.5 | 0.6 | 0.6
Cash and cash equivalents | 116.5 | 95.0 | 34.9
Total current assets | 190.8 | 169.9 | 97.8
Total assets | 432.3 | 437.2 | 371.4
Current liabilities
Trade and other payables | 45.2 | 46.4 | 31.6
Borrowings | – | – | 5.0
Lease liabilities | 5.1 | 5.3 | 5.2
Current tax payable | 4.0 | – | –
Derivative financial instruments | 0.8 | – | –
Provisions | 2.4 | 2.0 | 0.2
Contract liabilities – deferred revenue | 43.6 | 39.5 | 36.2
Total current liabilities | 101.1 | 93.2 | 78.2
Non-current liabilities
Borrowings | 33.2 | 99.2 | 50.1
Lease liabilities | 29.3 | 32.9 | 30.5
Deferred tax liabilities | 1.2 | 2.9 | 5.4
Provisions | 0.6 | 1.7 | 1.3
Contract liabilities – deferred revenue | 0.7 | 1.4 | –
Total non-current liabilities | 65.0 | 138.1 | 87.3
Total liabilities | 166.1 | 231.3 | 165.5
Net assets | 266.2 | 205.9 | 205.9
Equity
Share capital | 3.1 | 2.8 | 2.8
Share premium | 223.2 | 150.9 | 149.8
Hedging reserve | (0.8) | – | –
Merger reserve | 42.3 | 42.3 | 42.3
Currency translation reserve | 20.3 | 31.9 | 27.9
Retained earnings | (21.9) | (22.0) | (16.9)
Total equity attributable to equity holders of the Parent | 266.2 | 205.9 | 205.9
Notes (in order of appearance): 12, 12, 13, 14, 15, 18, 16, 17, 24, 19, 24, 20, 25, 21, 22, 24, 20, 18, 21, 22, 27, 27, 27, 27, 27, 27

The accompanying Notes 1 to 35 are an integral part of these consolidated Financial Statements. These Financial Statements were approved and authorised for issue by the Board of Directors on 14 September 2021. They were signed on its behalf by:
Adam Palser, Chief Executive Officer, 14 September 2021
Tim Kowalski, Chief Financial Officer, 14 September 2021

Consolidated cash flow statement
for the year ended 31 May 2021

Line item | 2021 £m | 2020 (restated) 2 £m
Cash flows from operating activities
Profit for the year | 10.0 | 6.4
Adjustments for:
Depreciation of property, plant and equipment | 4.4 | 5.8
Depreciation of right-of-use assets | 5.9 | 6.0
Share-based payments | 2.8 | 1.4
Amortisation of customer contracts and relationships | 6.4 | 8.8
Amortisation of software and development costs | 3.0 | 3.0
Impairment of right-of-use assets | – | 1.1
Lease financing costs | 1.2 | 1.2
Other financing costs | 1.3 | 1.8
Foreign exchange | 1.5 | –
Acquisition of businesses – transaction costs | (1.2) | –
Individually Significant Items (non-cash impact) | 7.6 | –
Profit on disposal of right-of-use assets | (0.2) | (0.1)
Profit on sale of intangible assets | (0.5) | –
Loss on sale of property, plant and equipment | 0.2 | –
Research and development UK tax credits | (0.6) | (0.6)
Research and development US tax credits | 1.9 | 0.5
Income tax expense | 2.9 | 2.7
Increase in provisions | 0.7 | 0.8
Cash inflow for the year before changes in working capital | 47.3 | 38.8
Decrease/(increase) in trade and other receivables | 4.7 | (11.0)
Increase in inventories | (0.2) | (0.2)
(Decrease)/increase in trade and other payables | (5.5) | 19.2
Cash generated from operating activities before interest and taxation | 46.3 | 46.8
Interest element of lease payments | (1.2) | (1.2)
Other interest paid | (1.1) | (1.6)
Taxation paid | (5.1) | (4.8)
Net cash generated from operating activities | 38.9 | 39.2
Cash flows from investing activities
Purchase of property, plant and equipment | (2.7) | (2.8)
Software and development expenditure | (2.1) | (2.5)
Net proceeds from sale of intangible assets | 0.5 | –
Net cash used in investing activities | (4.3) | (5.3)
Cash flows from financing activities
Proceeds from the issue of ordinary share capital | 72.6 | 1.1
Principal element of lease payments | (6.0) | (5.3)
Drawdown of borrowings (net of deferred issue costs) | – | 44.3
Issue costs related to borrowings | – | (1.0)
Repayment of borrowings | (60.4) | –
Equity dividends paid | (13.0) | (12.9)
Net cash (used in)/generated from financing activities | (6.8) | 26.2
Net increase in cash and cash equivalents | 27.8 | 60.1
Cash and cash equivalents at beginning of year | 95.0 | 34.9
Effect of foreign currency exchange rate changes | (6.3) | –
Cash and cash equivalents at end of year | 116.5 | 95.0
Notes (in order of appearance): 13, 14, 26, 12, 12, 14, 8, 8, 5, 9, 9, 27, 10, 24

Reconciliation of net change in cash and cash equivalents to movement in net cash/(debt) 1

Line item | 2021 £m | 2020 £m
Net increase in cash and cash equivalents | 27.8 | 60.1
Change in net debt 1 resulting from cash flows (net of deferred issue costs) | 60.4 | (43.3)
Interest incurred on borrowings | (1.1) | (1.6)
Interest paid on borrowings | 1.1 | 1.6
Non-cash movements (release of deferred issue costs) | (0.2) | (0.2)
Effect of foreign currency on cash flows | (6.3) | –
Foreign currency translation differences on borrowings | 5.8 | (0.6)
Change in net cash/(debt) 1 during the year | 87.5 | 16.0
Net debt 1 at start of year excluding lease liabilities | (4.2) | (20.2)
Net cash/(debt) 1 at end of year excluding lease liabilities | 83.3 | (4.2)
Lease liabilities | (34.4) | (38.2)
Net cash/(debt) 1 at end of year | 48.9 | (42.4)

The accompanying Notes 1 to 35 are an integral part of these consolidated Financial Statements.

Consolidated statement of changes in equity
for the year ended 31 May 2021

Line item | Notes | Share capital £m | Share premium £m | Hedging reserve £m | Merger reserve £m | Currency translation reserve £m | Retained earnings £m | Total £m
Balance at 1 June 2019 (as reported) | | 2.8 | 149.8 | – | 42.3 | 27.9 | (14.0) | 208.8
Impact of change in accounting policy in respect of cloud configuration and customisation costs (Note 34) | | – | – | – | – | – | (2.9) | (2.9)
Balance at 1 June 2019 (as restated) 2 | | 2.8 | 149.8 | – | 42.3 | 27.9 | (16.9) | 205.9
Profit for the year (as restated) 2 (Note 34) | | – | – | – | – | – | 6.4 | 6.4
Other comprehensive income for the year | | – | – | – | – | 4.0 | – | 4.0
Total comprehensive income for the year (restated) 2 | | – | – | – | – | 4.0 | 6.4 | 10.4
Transactions with owners recorded directly in equity
Dividends to equity shareholders | 10 | – | – | – | – | – | (12.9) | (12.9)
Share-based payments | 26 | – | – | – | – | – | 1.4 | 1.4
Shares issued | 27 | – | 1.1 | – | – | – | – | 1.1
Total contributions by and distributions to owners | | – | 1.1 | – | – | – | (11.5) | (10.4)
Balance at 31 May 2020 (restated) 2 | | 2.8 | 150.9 | – | 42.3 | 31.9 | (22.0) | 205.9
Profit for the year | | – | – | – | – | – | 10.0 | 10.0
Other comprehensive income for the year | | – | – | (0.8) | – | (11.6) | – | (12.4)
Total comprehensive income for the year | | – | – | (0.8) | – | (11.6) | 10.0 | (2.4)
Transactions with owners recorded directly in equity
Dividends to equity shareholders | 10 | – | – | – | – | – | (13.0) | (13.0)
Share-based payments | 26 | – | – | – | – | – | 2.8 | 2.8
Tax on share-based payments | 26 | – | – | – | – | – | 0.3 | 0.3
Shares issued | 27 | 0.3 | 72.3 | – | – | – | – | 72.6
Total contributions by and distributions to owners | | 0.3 | 72.3 | – | – | – | (9.9) | 62.7
Balance at 31 May 2021 | | 3.1 | 223.2 | (0.8) | 42.3 | 20.3 | (21.9) | 266.2

The accompanying Notes 1 to 35 are an integral part of these consolidated Financial Statements.

Company balance sheet
at 31 May 2021
Company no: 4627044

Line item | Notes | 2021 £m | 2020 £m
Non-current assets
Investments in subsidiary undertakings | 33 | 151.8 | 78.3
Trade and other receivables | 17 | 162.6 | 142.0
Total non-current assets | | 314.4 | 220.3
Current assets
Cash and cash equivalents | 24 | 0.6 | 6.8
Total current assets | | 0.6 | 6.8
Total assets | | 315.0 | 227.1
Current liabilities
Trade and other payables | 19 | 13.5 | 13.0
Total current liabilities | | 13.5 | 13.0
Total liabilities | | 13.5 | 13.0
Net assets | | 301.5 | 214.1
Equity
Share capital | 27 | 3.1 | 2.8
Share premium | 27 | 223.2 | 150.9
Merger reserve | 27 | 42.3 | 42.3
Retained earnings | 27 | 32.9 | 18.1
Total equity | | 301.5 | 214.1

The accompanying Notes 1 to 35 are an integral part of these Financial Statements. These Financial Statements were approved and authorised for issue by the Board of Directors on 14 September 2021. They were signed on its behalf by:
Adam Palser, Chief Executive Officer, 14 September 2021
Tim Kowalski, Chief Financial Officer, 14 September 2021

Company cash flow statement
for the year ended 31 May 2021

Line item | 2021 £m | 2020 £m
Cash flows from operating activities
Profit for the year | 25.0 | 6.0
Cash inflow for the year before changes in working capital | 25.0 | 6.0
Increase in trade and other receivables | (20.6) | (0.6)
Increase in trade and other payables | 0.5 | 13.0
Net cash generated from operating activities | 4.9 | 18.4
Cash flows from investing activities
Investments in subsidiary undertakings | (70.7) | –
Net cash used in investing activities | (70.7) | –
Cash flows from financing activities
Proceeds from the issue of ordinary share capital | 72.6 | 1.1
Equity dividends paid | (13.0) | (12.9)
Net cash generated from/(used in) financing activities | 59.6 | (11.8)
Net (decrease)/increase in cash and cash equivalents | (6.2) | 6.6
Cash and cash equivalents at beginning of year | 6.8 | 0.2
Cash and cash equivalents at end of year | 0.6 | 6.8
Notes (in order of appearance): 28, 32, 27, 10

The accompanying Notes 1 to 35 are an integral part of these Financial Statements.

Company statement of changes in equity
for the year ended 31 May 2021

Line item | Notes | Share capital £m | Share premium £m | Merger reserve £m | Retained earnings £m | Total £m
Balance at 31 May 2019 and 1 June 2019 | | 2.8 | 149.8 | 42.3 | 21.9 | 216.8
Profit for the year | | – | – | – | 6.0 | 6.0
Total comprehensive income for the year | | – | – | – | 6.0 | 6.0
Transactions with owners recorded directly in equity
Dividends to equity shareholders | 10 | – | – | – | (12.9) | (12.9)
Increase in subsidiary investment for share-based charges | | – | – | – | 3.1 | 3.1
Shares issued | 27 | – | 1.1 | – | – | 1.1
Total contributions by and distributions to owners | | – | 1.1 | – | (9.8) | (8.7)
Balance at 31 May 2020 | | 2.8 | 150.9 | 42.3 | 18.1 | 214.1
Profit for the year | | – | – | – | 25.0 | 25.0
Total comprehensive income for the year | | – | – | – | 25.0 | 25.0
Transactions with owners recorded directly in equity
Dividends to equity shareholders | 10 | – | – | – | (13.0) | (13.0)
Increase in subsidiary investment for share-based charges | | – | – | – | 2.8 | 2.8
Shares issued | 27 | 0.3 | 72.3 | – | – | 72.6
Total contributions by and distributions to owners | | 0.3 | 72.3 | – | (10.2) | 62.4
Balance at 31 May 2021 | | 3.1 | 223.2 | 42.3 | 32.9 | 301.5

The accompanying Notes 1 to 35 are an integral part of these Financial Statements.

Notes to the Financial Statements
for the year ended 31 May 2021

1 Accounting policies
Basis of preparation
NCC Group plc (the ‘Company’) is a company incorporated in the UK, with its registered office at XYZ Building, 2 Hardman Boulevard, Manchester M3 3AQ. The Group Financial Statements consolidate those of the Company and its subsidiaries (together referred to as the ‘Group’).
The principal activity of the Group is the provision of independent advice and services to customers through the supply of cyber assurance and Software Resilience services. The Parent Company Financial Statements present information about the Company as a separate entity and not about the Group. These Financial Statements have been approved for issue by the Board of Directors on 14 September 2021. These Group and Parent Company Financial Statements were prepared in accordance with International Accounting Standards in conformity with the requirements of the Companies Act 2006 and these Group Financial Statements were also in accordance with International Financial Reporting Standards adopted pursuant to Regulation (EC) No 1606/2002 as it applies in the European Union (‘IFRSs as adopted by the EU’). On publishing the Parent Company Financial Statements here together with the Group Financial Statements, the Company is also taking advantage of the exemption in s408 of the Companies Act 2006 not to present its individual Income Statement and related notes that form a part of these approved Financial Statements. Brexit Management has reviewed the impact of Brexit on the Financial Statements. The Group has so far proven structurally resilient to any significant disruption caused by Brexit. The main risks to the Group from Brexit continue to be any reduction in demand from an economic slowdown as well as real or perceived differences in data protection standards which impact our global ways of working. On this basis, management has concluded that the impact should be limited; this includes any impact on the IFRS 9 expected credit loss model. Management also notes no changes to this assessment from a post-Balance Sheet event perspective. Covid-19 Management has reviewed the potential impact of Covid-19 on the Financial Statements. 
Accordingly, consideration has been given to the impact on the IFRS 9 expected credit loss model, IFRS 15 collectability assessments, IFRS 16 lease term assessments (no material impact on lease term assessment), the annual impairment review and the going concern and viability assessments. New and amended accounting standards that have been issued but are not yet effective At the date of authorisation of these Financial Statements, the following standards and interpretations were in issue but have not been applied in these Financial Statements as they were not yet mandatory: • IFRS 17 ‘Insurance Contracts’ • ‘Classification of Liabilities as Current or Non-Current’ (Amendments to IAS 1) • Interest Rate Benchmark Reform (Amendments to IFRS 9, IAS 39 and IFRS 7) • Amendments to IAS 37 ‘Onerous Contracts – Cost of Fulfilling a Contract’ • Conceptual Framework – ‘Amendments to References to the Conceptual Framework in IFRS Standards’ • Amendments to IAS 16 ‘Property, Plant and Equipment – Proceeds Before Intended Use’ • Annual Improvements to IFRS Standards 2018–2020 Cycle – Amendments to IFRS 1 ‘First-time Adoption of International Financial Reporting Standards’, IFRS 9 ‘Financial Instruments’, IFRS 16 ‘Leases’, and IAS 41 ‘Agriculture’ These IFRSs are not expected to have a material impact on the Group’s consolidated financial position or performance of the Group. Application of significant new or amended EU-endorsed accounting standards The following amended standards and interpretations were also effective during the year; however, they have not had a material impact on our consolidated Financial Statements. 
• Amendments to IFRS 3 ‘Definition of a Business’
• Amendments to IAS 1 and IAS 8 ‘Definition of Material’
• Covid-19 Related Rent Concessions – Amendment to IFRS 16

Application of IFRIC agenda decisions
In April 2021, the IFRS Interpretations Committee (IFRIC) published an agenda decision on the clarification of accounting in relation to the configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS) as follows:
• Amounts paid to the cloud vendor for configuration and customisation that are not distinct from access to the cloud software are expensed over the SaaS contract term
• In limited circumstances, other configuration and customisation costs incurred in implementing SaaS arrangements may give rise to an identifiable intangible asset, for example, where code is created that is controlled by the entity
• In all other instances, configuration and customisation costs will be expensed as the customisation and configuration services are received
See Notes 12 and 34 for further details.

Basis of measurement
The consolidated Financial Statements have been prepared on the historical cost basis except for consideration payable on acquisitions, the revaluation of certain financial instruments and investments.

Functional and presentation currency
The Group and Company Financial Statements are presented in millions of Pounds Sterling (£m) because that is the currency of the principal economic environment in which the Group operates.

Going concern
The Directors have acknowledged guidance published in relation to going concern assessments. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections.
The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons. The Directors have prepared cash flow and covenant compliance forecasts for the 12 month period ending September 2022 which indicate that, taking account of severe but plausible downsides and the anticipated impact of Covid-19 on the operations of the Group and its financial resources, the Group and Company will have sufficient funds to meet their liabilities as they fall due for that period. The Group is financed primarily by a £100m committed revolving credit facility which matures in June 2024. The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA 1) and interest cover (Adjusted EBITDA 1 to interest charge) which are tested bi-annually at 31 May and 30 November each year. As at 31 May 2021, the Group had drawn down £33.8m for working capital requirements. Subsequent to the year end and shareholder approval on 1 June, the Group acquired on 7 June the IPM business for $220m; the US acquisition was funded through an equity placing in May of £70.2m (net proceeds) combined with a new three year $70m term loan, existing cash balances and our existing revolving credit facility. The impact of the acquisition on the Group’s financial performance, covenants and business model has therefore been considered within this going concern assessment. As at 2 June 2021, following the acquisition of the IPM business, the Group had drawn down £75.5m of its revolving credit facility and was due to incur further transaction costs of £6.4m. As at 31 August 2021, cash, net debt (excluding lease liabilities) 1 and headroom amounted to £43.6m, £74.7m and £80.5m respectively. 
Although the Group has demonstrated resilience to the challenging environment resulting from Covid-19, the Directors acknowledge that the financial performance of the Group has been adversely impacted to a certain degree since the commencement of the pandemic, and for this reason the base case forecast for 2021 reflects this assessment. The continuing macro-economic risks and potential changes in government policies (on the severity of enforced lockdowns worldwide) could have a continued effect on the Group’s performance. However, trading throughout the pandemic has demonstrated resilience. The Directors have prepared a number of severe but plausible scenarios as follows:
1. The performance of FY22 continues to be similar to that of 2021, including the impact on regional and international operations of the Group and a potential reduction in growth.
2. An additional impact of Covid-19 during a two month period from January to February 2022 which coincides with a similar economic pandemic pattern as 2021.
3. Potential impact of customers’ inability to pay during a specified period.
4. Failure of execution of the strategy, loss of key customers and a number of acquisition related risks crystallising (for example increased customer churn, integration and cash collection issues).
5. Software Resilience performance does not return to growth and the Assurance business experiences similar impact of Covid-19 on its performance as 2021.
These scenarios have been modelled individually and also in combination in order to assess the Group’s ability to withstand multiple challenges, although the Directors do not believe a scenario combining all these risks to be plausible. The impact of these sensitivities has been reviewed against the Group’s projected cash flow position, available bank facilities and compliance with financial covenants.
In the instance that a combination of the above scenarios arises, mitigating actions would be required to ensure that the Group remains liquid and financially viable, which might include a reduction of planned capital expenditure, freezing pay and recruitment and not paying a dividend to shareholders. All of the mitigating actions are within the Directors’ control. These forecasts, including the severe but plausible downsides, show that the Group is able to operate within its available banking facilities, with no forecasted covenant breaches, and that the Group will have sufficient funds to meet its liabilities as they fall due for that period. From a Company perspective, the Company places reliance on other Group trading entities for financial support. Having reviewed the current trading performance, forecasts, other Group trading entities’ financial support, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these Financial Statements. Accordingly, they continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 31 May 2021.

Business combinations
Business combinations are accounted for by applying the acquisition method at the acquisition date, which is the date on which control is transferred to the Group. The Group controls an entity when the Group is exposed to, or has rights to, variable returns from its involvement with the entity and has the ability to affect those returns through its power over the entity.
Acquisitions
The Group measures goodwill at the acquisition date as:
• The fair value of the consideration transferred; plus
• The recognised amount of any non-controlling interests in the acquiree; plus
• If the business combination is achieved in stages, the fair value of the existing equity interest in the acquiree; less
• The fair value of the identifiable assets acquired and liabilities assumed.
When the excess is negative, a bargain purchase gain is recognised immediately in profit or loss. The consideration transferred does not include amounts related to the settlement of pre-existing relationships. Such amounts generally are recognised in the Income Statement. Costs related to the acquisition, other than those associated with the issue of debt or equity securities, are expensed as incurred. Any deferred or contingent consideration payable is recognised at fair value at the acquisition date. If the contingent consideration is classified as equity, it is not remeasured and settlement is accounted for within equity. Otherwise, subsequent changes to the fair value of contingent consideration are recognised in the Income Statement. On a transaction-by-transaction basis, the Group elects to measure non-controlling interests either at their fair value or at their proportionate interest in the recognised amount of the identifiable net assets of the acquiree at the acquisition date.

Subsidiaries
Subsidiaries are entities controlled by the Group. The Financial Statements of subsidiaries are included in the consolidated Financial Statements from the date that control commences until the date that control ceases. Control is achieved where the Company has the power to govern the financial and operating policies of an investee entity so as to obtain benefits from its activities.
Intercompany transactions and balances between subsidiaries are eliminated on consolidation. Intangible assets and goodwill Goodwill represents amounts arising on acquisition of subsidiaries. In respect of business acquisitions that have occurred since 1 June 2004, goodwill represents the difference between the cost of the acquisition and the fair value of the net identifiable assets acquired including identifiable intangible assets. Identifiable intangibles are those which can be sold separately or which arise from legal rights regardless of whether those rights are separable. In respect of acquisitions prior to 1 June 2004, goodwill is included at its deemed cost, which represents the amount recorded under UK GAAP at 31 May 2004 which was broadly comparable, save that only separable intangibles were recognised and goodwill was amortised. Goodwill is stated at cost less any accumulated impairment losses. Goodwill is allocated to cash generating units and is not amortised but is tested annually for impairment. In respect of equity accounted investees, the carrying amount of goodwill is included in the carrying amount of the investment in the investee. Research and development Expenditure on research activities is recognised in the Income Statement as an expense as incurred. Expenditure on development activities is capitalised as “development costs” if the product or process is technically and commercially feasible, if the Group has the technical ability and sufficient resources to complete development, if future economic benefits are probable and if the Group can measure reliably the expenditure attributable to the intangible asset during its development. Development activities involve a plan or design for the production of new or substantially improved products or processes. Software costs The Group capitalises “software costs” in accordance with the criteria of IAS 38. 
Software costs comprise third party costs and internal employee time costs for internal system developments. Capitalised amounts are initially measured at cost and amortised on a straight-line basis over the period for which the developed system is expected to be in use as a business platform. Software costs incurred as part of a service agreement are only capitalised when it can be evidenced that the Group has control over the resources defined in the arrangement. The expenditure capitalised includes the cost of materials, direct labour, overhead costs that are directly attributable to preparing the asset for its intended use and capitalised borrowing costs. Other development expenditure is recognised in the Income Statement as an expense as incurred. Software customisation and configuration costs relating to software not controlled by the Group are expensed over the period such services are received. Software costs are stated at cost less accumulated amortisation and less accumulated impairment losses. Intangible assets Expenditure on internally generated goodwill is recognised in the Income Statement as an expense as incurred. Intangible assets that are acquired by the Group are stated at cost less accumulated amortisation and less accumulated impairment losses. Subsequent expenditure Subsequent expenditure is capitalised only when it increases the future economic benefits embodied in the specific asset to which it relates. All other expenditure, including expenditure on internally generated goodwill, is recognised in the Income Statement as an expense as incurred. Amortisation Amortisation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of intangible assets unless such lives are indefinite. Intangible assets with an indefinite useful life and goodwill are systematically tested for impairment at each Balance Sheet date. Intangible assets are amortised from the date they are available for use. 
The estimated useful lives are as follows:
Acquired customer contracts and relationships – between three and ten years
Software – between three and five years
Capitalised development costs – between three and five years

Financial instruments
Financial assets and financial liabilities, in respect of financial instruments, are recognised in the Group Balance Sheet when the Group becomes a party to the contractual provisions of the instrument.

Classification and measurement of financial assets and liabilities
Classification of financial assets is generally based on the business model in which the financial asset is managed and its contractual cash flow characteristics. A financial asset is measured at amortised cost if it is held with the objective of collecting the contractual cash flows and its contractual terms give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding. All other financial assets are measured at fair value through other comprehensive income or the Income Statement.

Financial assets at amortised cost
Trade and other receivables
Trade receivables and other receivables that have fixed or determinable payments that are not quoted in an active market are classified as financial assets measured at amortised cost. Under the IFRS 9 “expected credit loss” model, a credit event (or impairment “trigger”) no longer needs to occur before credit losses are recognised.
The Group analyses the risk profile of trade receivables based on past experience and an analysis of the receivables’ current financial position, potential for a default event to occur, adjusted for specific factors, general economic conditions of the industry in which the receivables operate and assessment of both the current and the forecast direction of conditions at the reporting date. A default event is considered to occur when information is obtained that indicates that a receivable is unlikely to be paid to the Group. Credit risk is regularly reviewed by management to ensure the expected credit loss (ECL) model is being appropriately applied. The Group has performed the calculation of ECL separately for each business unit. Financial liabilities at amortised cost Trade payables Trade payables are other financial liabilities initially measured at fair value and subsequently measured at amortised cost. Impairment of non-financial assets The carrying amounts of the Group’s non-financial assets, other than deferred tax assets, are reviewed at each reporting date to determine whether there is any indication of impairment. If any such indication exists, then the asset’s recoverable amount is estimated. For goodwill, and intangible assets that have indefinite useful lives or that are not yet available for use, the recoverable amount is estimated each year at the same time. The recoverable amount of an asset or cash generating unit is the greater of its value in use and its fair value less costs to sell. In assessing value in use, the estimated future cash flows are discounted to their present value using a pre-tax discount rate that reflects current market assessments of the time value of money and the risks specific to the asset. 
For the purpose of impairment testing, assets that cannot be tested individually are grouped together into the smallest group of assets that generates cash inflows from continuing use that are largely independent of the cash inflows of other assets or groups of assets (the ‘cash generating unit’). The goodwill acquired in a business combination, for the purpose of impairment testing, is allocated to cash generating units (CGUs). Subject to an operating segment ceiling test, for the purposes of goodwill impairment testing, CGUs to which goodwill has been allocated are aggregated so that the level at which impairment is tested reflects the lowest level at which goodwill is monitored for internal reporting purposes. Goodwill acquired in a business combination is allocated to groups of CGUs that are expected to benefit from the synergies of the combination. An impairment loss is recognised if the carrying amount of an asset or its CGU exceeds its estimated recoverable amount. Impairment losses are recognised in the Income Statement. Impairment losses recognised in respect of CGUs are allocated first to reduce the carrying amount of any goodwill allocated to the units, and then to reduce the carrying amounts of the other assets in the unit (group of units) on a pro rata basis. An impairment loss in respect of goodwill is not reversed. In respect of other assets, impairment losses recognised in prior periods are assessed at each reporting date for any indications that the loss has decreased or no longer exists. An impairment loss is reversed if there has been a change in the estimates used to determine the recoverable amount. An impairment loss is reversed only to the extent that the asset’s carrying amount does not exceed the carrying amount that would have been determined, net of depreciation or amortisation, if no impairment loss had been recognised. Related party transactions Details of related party transactions are set out in Note 32 to these Financial Statements. 
Property, plant and equipment
Property, plant and equipment assets are carried at cost less accumulated depreciation and any recognised impairment in value. To the extent that borrowing costs relate to the acquisition, construction or production of a qualifying asset, borrowing costs are capitalised as part of the cost of that asset. Depreciation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of each part of an item of plant and equipment as follows:
Computer equipment – between three and five years
Plant and equipment – between three and five years
Furniture – between three and five years
Fixtures and fittings – five years
Motor vehicles – four years
Property, plant and equipment is also tested for impairment whenever there is an indication of potential impairment.

Leases
At inception of a contract, the Group assesses whether a contract is, or contains, a lease. A contract is, or contains, a lease if the contract conveys the right to control the use of an identified asset for a period of time in exchange for consideration. To assess whether a contract conveys the right to control the use of an identified asset, the Group assesses whether:
• The contract involves use of the identified asset; this may be specified explicitly or implicitly and should be physically distinct or represent substantially all of the capacity of a physically distinct asset. If the supplier has a substantive substitution right, then the asset is not identified
• The Group has the right to obtain substantially all of the economic benefits from use of the asset and throughout the period of use
• The Group has the right to direct the use of the asset. The Group has this right when it has the decision-making rights that are most relevant to changing how and for what purpose the asset is used.
In rare cases where all the decisions about how and for what purpose the asset is used are predetermined, the Group has the right to direct the use of the asset if either: • The Group has the right to operate the asset • The Group designed the asset in a way that predetermines how and for what purpose it will be used The Group recognises a right-of-use asset and a lease liability at the lease commencement date. The right-of-use asset is initially measured at cost, which comprises the initial amount of the lease liability adjusted for any lease payments made at or before the commencement date, and an estimate of costs to dismantle and remove the underlying asset or to restore the underlying asset or the site on which it is located, less any lease incentives received. The right-of-use asset is subsequently depreciated using the straight-line method from the commencement date to the earlier of the end of the useful life of the right-of-use asset or the end of lease term. The estimated useful lives of right-of-use assets are determined on the same basis as those of property, plant and equipment. In addition, the right-of-use asset is periodically reduced by impairment losses, if any, and adjusted for certain remeasurements of the lease liability. The lease liability is initially measured at the present value of the lease payments that are not paid at the commencement date, discounted using the interest rate implicit in the lease or, if that rate cannot be readily determined, the Group’s incremental borrowing rate. The lease liability is measured at amortised cost using the effective interest method. It is remeasured when there is a change in future lease payments arising from a change in an index or rate, if there is a change in the Group’s estimate of the amount expected to be payable, or if the Group changes its assessment of whether it will exercise a purchase, extension or termination option. 
When the lease liability is remeasured in this way, a corresponding adjustment is made to the carrying amount of the right-of-use asset, or is recorded in the Income Statement if the carrying amount of the right-of-use asset has been reduced to zero. The Group has elected not to recognise right-of-use assets and lease liabilities for short-term leases that have a lease term of 12 months or less and leases of low value assets, including certain IT equipment. The Group recognises the lease payments associated with these leases as an expense on a straight-line basis over the lease term. Lease rental costs in respect of short-term leases (less than one year) and low value assets which are exempt from being accounted for under IFRS 16 are charged to the Income Statement on a straight-line basis over the period of the lease. Investments Investments in subsidiaries are carried at cost less impairment. Investments in property and unlisted shares are carried at cost less impairment, which is based on the fair value at acquisition. Inventory Inventory is held at the lower of cost or net realisable value. Revenue recognition Summary The Group provides independent global cyber assurance security and Software Resilience services. 
The revenue streams in relation to Assurance include:
• Global Professional Services (GPS) – global cyber security consultancy services
• Global Managed Services (GMS) – operational cyber defence, incident response, scanning, simulation and managed security operations centres (SOCs)
• Product sales – sale of own manufactured and/or resale of third party products
The revenue streams in relation to Software Resilience include:
• Escrow contract services – securely maintain in “escrow” the long-term availability of business critical software and applications
• Verification services – verify source code, and provide a fully managed secure service and result validation
While the detailed recognition is contract specific, and set out in the table on pages 145 to 148, in most cases:
• GPS revenues are recognised on an input method over time
• GMS revenues are bifurcated according to the separate performance obligations (see pages 146 and 147)
• Product sales are recognised when control passes, usually on delivery
• Escrow contract revenues are recognised over time
• Verification services are recognised on the completion of the verification service
Revenue is presented net of VAT and other sales related taxes. Revenue is measured based on the consideration specified in a contract with a customer. The Group recognises revenue when it transfers control over a good or service to a customer. Due to the nature of the Group’s activities, the Group transaction price for the majority of its contracts is entirely variable consideration as these contracts are on a time and material basis, using set contractual rates per hour/day worked, giving rise to no estimation or reversal risk at period end.
The Group does not have any material obligations in respect of returns, refunds or warranties. The impact of any financing component within contracts with customers has been assessed and concluded to be immaterial. On contract inception, the probability of collectability is assessed across the Group and, unless there is a significant change in facts and circumstances, revenue is recognised. During the year, no instances have been identified where the collectability has had to be reassessed, nor have there been any new contracts with customers for which the collection of consideration has not been assessed at inception as probable. This current year assessment also takes into account the impact of Covid-19 on the Group’s customer base.

Detailed policies
The following table provides information about the nature and timing of the satisfaction of performance obligations in contracts with customers by reportable segments, including significant payment terms, and the related revenue recognition policies.

Assurance

Revenue stream: Global Professional Services (GPS)

Nature:
GPS is the Group’s core consulting service represented by consultants providing cyber security consultancy services to a customer over time or to a set deliverable. Some contracts may contain multiple services (e.g. cyber security assessment and certified product evaluation services). These will be identified as separate performance obligations, and the transaction price allocated to each of these is determined by using the fixed contract rate based upon day rates, being the relative standalone selling price basis.
Specifically, the contract terms range from time and materials (based upon consultants’ time and expenses) and discrete statements of work, whereby the customer benefits gradually over the period over which the work is performed, unless there is a set deliverable (for example a defined security assessment report). The Group in certain situations operates on agreed customer terms which allow the Group to recover any abortive revenue from its customer in the event that a customer terminates a contract before the contract or deliverable is complete.

Timing of satisfaction of performance obligations and significant payment terms:
The customer simultaneously receives the benefits of the consulting services provided by the Group over the period over which the work is performed and one promise (performance obligation) is identified. Work is performed on a daily basis. Invoices are raised monthly or based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. No discounts or retrospective rebates are provided.
Where a set deliverable is required and the customer receives the incremental benefit at the end of the work when the deliverable is transferred to the customer, this represents one performance obligation. In this situation, the contract will have no abortive revenue rights; therefore, the Group has no right to consideration for performance to date. Invoicing will usually be on completion of the set deliverable and payable within 30 days.
The customer simultaneously receives and consumes the benefits of the consulting services provided by the Group over the period over which the work is performed by the Group and one performance obligation is identified. Invoices in relation to the abortive revenue will be recognised when aborted. Invoices are usually payable within 30 days.

Revenue recognition policies, including determination of transaction price and rationale:
Revenue is recognised on an input basis to measure the satisfaction of performance obligations over time. This is done according to the number of days worked in comparison to the total contracted number of days of the performance obligation. The work performed occurs on a daily basis (for example security assessment of a customer’s security environment). It is considered that as the customer benefits over time based on consultants’ time, the input method faithfully depicts the Group’s performance towards complete satisfaction of the single performance obligation. Transaction price is determined by fixed contract rates based upon day rates and number of days.
Revenue is recognised at a point in time, on completion of the performance obligation deliverable. It is considered that as the customer benefits once the set deliverable is received, the point in time method faithfully depicts the Group’s performance towards complete satisfaction of the single performance obligation. Transaction price is determined by fixed contract rates.
Revenue is recognised on an input basis to measure the satisfaction of performance obligations over time. This is done according to the number of days worked in comparison to the total contracted number of days of the performance obligation. Transaction price is determined by fixed contract rates based upon day rates and number of consultancy days.

Revenue stream: Global Managed Services (GMS)

Nature:
These services provide operational cyber defence, incident response, scanning, simulation and managed security operations centres (SOCs). Services are typically for an extended delivery duration, with contract lengths varying up to a maximum of five years. The proposition will also provide the customer with software licence(s) to enable these services to occur.
On this basis, the Group operates two types of contracts: • A Managed Service Provider (MSP) model whereby the customer is supplied with one complete integrated service including the software licence(s) • A reseller model whereby the Group sources the software licence(s) on behalf of the customer and provides the Managed Detection and Response services These services will also include set-up fees. Set-up fees represent workshops, design, and configuration to create a “connection” between systems. Following services going live, the Group will also provide a certain level of professional service consultancy days based on a day rate (post-go-live fees). Timing of satisfaction of performance obligations and significant payment terms Revenue recognition policies, including determination of transaction price and rationale The customer will benefit from the services over the period of the contract. The amount of revenue recognised in relation to software licence(s) depends on whether the Group acts as an agent or as a principal. However, the type of contract will depend on how the customer benefits from the software licence(s). Where a MSP model is selected by the customer, the Group recognises three performance obligations: • Set-up fees • Post-go-live fees • Combined monitoring cyber and licence service The MSP model is considered to be under a principal arrangement whereby the Group controls the service prior to transfer. Where a reseller model is selected by the customer, the Group recognises four performance obligations: • Sourced software licence(s) • Set-up fees • Post-go-live fees • Monitoring cyber service The reseller model is considered to be under an agency arrangement whereby the customer receives the benefit and control of the licence on delivery. Invoices are raised monthly or based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. 
The Group acts as principal when the Group controls the specified software licence or service prior to transfer (MSP model). When the Group acts as a principal the revenue recorded is the gross amount billed. The transaction price is determined by a contract price (cost plus mark-up). The transaction price for the overall service is outlined within the customer contract. In certain scenarios, the contract will outline the price for each performance obligation, which is considered to be the standalone selling price of the services/goods, and the transaction price is allocated to each performance obligation on this basis. Where the contract does not stipulate the price per performance obligation, management determines the relative standalone selling price for each performance obligation based on a market assessment approach for the services provided in comparison to market prices, and the contract transaction price is allocated to each performance obligation in proportion to those standalone selling prices. Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) to the customer. In these cases, the Group is acting as an agent and the Group does not control the relevant licence(s) before it is transferred to the customer. In particular, the Group does not have inventory risk, have access to its source code or hold the IP rights. When the Group is acting as an agent, the revenue is recorded at the net amount retained (commission) at a point in time as the customer receives immediate benefit from access to the licence and the Group does not have any further obligations in relation to the provision of the licence. The commission transaction value represents the mark-up on the licence provided. Set-up fees are recognised over time of the set-up.
In particular, the level of administrative tasks involved in the set-up process is considered immaterial and therefore the work performed is considered a distinct promised service and incremental benefit of the installation to the customer. The fees are based on day rates incurred (defined by an in-house day rate sales pricing matrix). Accordingly, the charge out rates are recognised and allocated to these tasks when performed akin to technical professional day rate services. These rates are considered to be the standalone selling prices and are not discounted or reduced for other services. Post-go-live fees are recognised on delivery of consultancy services over time as the customer obtains incremental benefit from the hours provided. Revenue is recognised on an input basis (day rates) to measure the satisfaction of performance obligations over time. Transaction price is determined by fixed contract rates based upon day rates and number of post-go-live consultancy days. One performance obligation, being a combined monitoring cyber and licence service, is identified in relation to the MSP model monitoring service. Revenue is recognised over the contract length as the software and monitoring process is an overall service, whereby the Group retains control of the licence and provides a complete monitoring service to the customer. If the customer cancels the contract, the Group will retain control of the licence.
The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily and therefore revenue is recognised on straight-line basis as the performance obligation is satisfied over time. The transaction price is determined by fixed contract rates for the combined services. Revenue in relation to the reseller model monitoring service is recognised over the contract length on a straight-line basis as the performance obligation is satisfied over time. The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily on straight-line basis. Revenue is recognised when control of the product is transferred to the customer. This occurs upon delivery under the contractual terms. On certain sales of third party products, the control of the product is considered to pass from the vendor to the end customer and in these cases the Group acts as an agent, and hence only records a commission on sale as opposed to gross revenue and costs of sale. Product sales This revenue represents the sale of own manufactured and/or resale of third party products with no connection to other Group services. The customer only benefits from the products on delivery. Invoices are raised monthly or based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. Long-term fixed price contracts This revenue represents the long-term development and/or manufacture of specialised software and hardware solutions. Revenue is recognised on an input basis to measure the satisfaction of the performance obligation over time.
This is done according to total costs incurred in comparison to the total expected costs to be incurred to satisfy the performance obligation. This input measure is driven by the nature of the activities carried out in satisfying the performance obligation. The transaction price is fixed within the terms of the contractual arrangement. Delivery of the product is considered to represent one performance obligation. The development and/or manufacturing work carried out by the Group is not considered to create an asset with an alternative use to the entity. The Group is entitled to payment as performance of the contract is completed. On this basis, revenue is recognised over time. Invoices are raised based on achievements of pre-defined milestones in the contract. Invoices are usually payable within 30 days. Software Resilience Escrow contract services These services securely maintain in “escrow” the long-term availability of business critical software and applications while protecting the intellectual property rights (IPR) of technology partners. The service will include set-up time which is administrative in nature. The customer benefits from the escrow service evenly over a contract period, usually at least a year and potentially up to three years. The service represents one performance obligation. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. Revenue is recognised over time on a straight-line basis representing the service delivery agreement. The nature of the agreement gives rise to the customer having the benefit of software resilience if and when required over the contract period. Revenue is recognised on a straight-line basis as the pattern of benefit to the customer as well as the Group’s efforts to fulfil the contract are generally even throughout the period. The transaction price is determined by a contract price.
Set-up time is not considered distinct and a separate performance obligation due to the administrative nature and therefore is recognised over the period of the contract. Verification services These services verify source code based upon an agreed scope between all parties, and provide a fully managed secure service and result validation, typically delivered over a short period of time (days). These include SaaS services and ICANN services. The customer benefits from the verification service on completion because the source code will only have been fully verified/validated at that point. Revenue is recognised on completion of the verification services. Transaction price is determined by fixed contract rates based upon day rates and number of verification days. The service represents one performance obligation. Invoices are raised monthly or based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. Contract costs Contract costs comprise incremental sales commissions paid to sales agents which can be directly attributed to an acquired or retained contract. Capitalised commission costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services when the related revenues are recognised. In all other cases, all internal and external costs of obtaining the contract are recognised as incurred. Costs directly incurred in fulfilling a contract with a customer, which comprise labour hours on long-term contracts, are recognised as an asset to the extent they are recoverable. Such costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services when the related revenues are recognised. 
Accrued income Accrued income represents the Group’s rights to consideration for work completed but not billed at the reporting date. Remaining balances are transferred to receivables when the rights become unconditional. Deferred revenue Deferred revenue represents advanced consideration received from customers, for which revenue is recognised over time. Long-term loss-making contracts Long-term contracts are reviewed annually to establish if the contract is onerous in nature. In particular, the long-term contract becomes an onerous contract when the unavoidable costs (i.e. the lower of the cost of fulfilling the contract and any compensation or penalties arising from failure to fulfil it) exceed the economic benefits expected to be received under the contract. The assessment of cost to fulfil includes costs that relate directly to the contract and includes direct costs of production, direct costs of supplies/hardware from external suppliers (materials), direct labour in relation to performance obligations and if appropriate any potential contractual fine dependent on items (performance obligations) not being delivered/performed. Any assets dedicated to the specific contract are also tested for potential impairment. Determination and presentation of operating segments The Group determines and presents operating segments based on the information that is provided to the Board, which acts as the Group’s chief operating decision maker (CODM) in order to assess performance and to allocate resources. An operating segment is a component of the Group that engages in business activities from which it may earn revenues and incur expenses, including revenues and expenses that relate to transactions with any of the Group’s other components.
An operating segment’s results are reviewed regularly by the CODM to make decisions about resources to be allocated to the segment and to assess its performance. The Group reports its business in two key segments: the Assurance division and the Software Resilience division. The two reporting segments provide distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. The operating segments are grouped into the reporting segments on the basis of how they are reported to the CODM. Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their relatively homogeneous commercial and strategic market environments. Both of the Group’s divisions (segments) are run by a senior executive team; those teams make all decisions on resource allocation, product development, marketing and areas for focus and investment. Allocation of central costs Some costs are collected and managed in one location but are actually incurred on behalf of multiple operating segments or reporting segments. These costs are then allocated to the reporting segments. The allocation is based on logical or activity driven cost algorithms. The allocation is necessary to give an accurate picture of the consumption of resources by each reporting segment. Individually Significant Items Individually Significant Items are identified as those items that based on their size and nature and/or incidence are assessed to warrant separate disclosure to provide supplementary information to support the understanding of the Group’s financial performance. Individually Significant Items typically comprise costs/profits/losses on material acquisitions/disposals/business exits, fundamental reorganisation/restructuring programmes and other significant one-off events.
Individually Significant Items are considered to require separate presentation in the notes to the Financial Statements in order to fairly present the financial performance of the Group. Foreign currencies Transactions in foreign currencies are recorded using the appropriate monthly exchange rate ruling at the date of the transaction. Monetary assets and liabilities denominated in foreign currencies are retranslated using the exchange rate ruling at the Balance Sheet date and the gains or losses on translation are included in the Income Statement. The assets and liabilities of overseas subsidiaries denominated in foreign currencies are retranslated at the exchange rate ruling at the Balance Sheet date. The income statements of overseas subsidiary undertakings are translated at the weighted average exchange rates for the financial year. Gains and losses arising on the retranslation of overseas subsidiary undertakings are taken to the currency translation reserve. They are released to the Income Statement upon disposal of the subsidiary to which they relate. Foreign currency differences arising from the translation of qualifying cash flow hedges are recognised in OCI to the extent that the hedges are effective. Derivative financial instruments and hedge accounting The Group holds derivative financial instruments to hedge its foreign currency risk exposures. Derivatives are initially measured at fair value. Subsequent to initial recognition, derivatives are measured at fair value, and changes therein are generally recognised in profit or loss. The Group designates certain derivatives as hedging instruments to hedge the variability in cash flows associated with highly probable forecast transactions arising from changes in foreign exchange rates. At inception of designated hedging relationships, the Group documents the risk management objective and strategy for undertaking the hedge. 
The Group also documents the economic relationship between the hedged item and the hedging instrument, including whether the changes in cash flows of the hedged item and hedging instrument are expected to offset each other. Cash flow hedges When a derivative is designated as a cash flow hedging instrument, the effective portion of changes in the fair value of the derivative is recognised in OCI and accumulated in the hedging reserve. The effective portion of changes in the fair value of the derivative that is recognised in OCI is limited to the cumulative change in fair value of the hedged item, determined on a present value basis, from inception of the hedge. Any ineffective portion of changes in the fair value of the derivative is recognised immediately in profit or loss. The Group designates only the change in fair value of the spot element of forward exchange contracts as the hedging instrument in cash flow hedging relationships. The change in fair value of the forward element of forward exchange contracts (forward points) is separately accounted for as a cost of hedging and recognised in a costs of hedging reserve within equity. When the hedged forecast transaction subsequently results in the recognition of a non-financial item, the amount accumulated in the hedging reserve and the cost of hedging reserve is included directly in the initial cost of the non-financial item when it is recognised. For all other hedged forecast transactions, the amount accumulated in the hedging reserve and the cost of hedging reserve is reclassified to profit or loss in the same period or periods during which the hedged expected future cash flows affect profit or loss.
If the hedge no longer meets the criteria for hedge accounting or the hedging instrument is sold, expires, is terminated or is exercised, then hedge accounting is discontinued prospectively. When hedge accounting for cash flow hedges is discontinued, the amount that has been accumulated in the hedging reserve remains in equity until, for a hedge of a transaction resulting in the recognition of a non-financial item, it is included in the non-financial item’s cost on its initial recognition or, for other cash flow hedges, it is reclassified to profit or loss in the same period or periods as the hedged expected future cash flows affect profit or loss. If the hedged future cash flows are no longer expected to occur, then the amounts that have been accumulated in the hedging reserve and the cost of hedging reserve are immediately reclassified to profit or loss. Employee benefits – defined contribution pensions The Group operates a defined contribution pension scheme. The assets of the scheme are kept separate from those of the Group in an independently administered fund. The amount charged as an expense in the Income Statement represents the contributions payable to the scheme in respect of the accounting period. Short-term benefits Short-term employee benefit obligations are measured on an undiscounted basis and are expensed as the related service is provided. A liability is recognised for the amount expected to be paid under short-term cash bonus or profit-sharing plans if the Group has a present legal or constructive obligation to pay this amount as a result of past service provided by the employee and the obligation can be estimated reliably. Share-based payment transactions Share-based payments in which the Group receives goods or services as consideration for its own equity instruments are accounted for as equity settled share-based payment transactions, regardless of how the equity instruments are obtained by the Group. 
The grant date fair value of share-based payment awards granted to employees is recognised as an employee expense, with a corresponding increase in equity, over the period that the employees become unconditionally entitled to the awards. The fair value of the options granted is measured using an option valuation model, taking into account the terms and conditions upon which the options were granted. The amount recognised as an expense is adjusted to reflect the actual number of awards for which the related service and non-market vesting conditions are expected to be met, such that the amount ultimately recognised as an expense is based on the number of awards that do meet the related service and non-market performance conditions at the vesting date. For share-based payment awards with non-vesting conditions, the grant date fair value of the share-based payment is measured to reflect such conditions and there is no true-up for differences between expected and actual outcomes. Share-based payment transactions in which the Group receives goods or services by incurring a liability to transfer cash or other assets that is based on the price of the Group’s equity instruments are accounted for as cash settled share-based payments. The fair value of the amount payable to employees is recognised as an expense, with a corresponding increase in liabilities, over the period in which the employees become unconditionally entitled to payment. The liability is remeasured at each Balance Sheet date and at settlement date. Any changes in the fair value of the liability are recognised as personnel expense within the Income Statement. 
Where the Company grants options over its own shares to the employees of a subsidiary it recognises in its individual Financial Statements, an increase in the cost of investment in that subsidiary equivalent to the equity settled share-based payment charge is recognised in respect of that subsidiary in its consolidated Financial Statements with the corresponding credit being recognised directly in equity. Holiday or vacation pay The Group recognises a liability in the Balance Sheet for any earned but not yet taken holiday entitlement for staff. Earned holiday is calculated on a straight-line basis over a holiday year which can vary by business unit. Taken holiday is based on actually taken holiday. Any movement in the liability between the opening and closing balance in the year is recorded as an employee cost or a reduction in employee costs in the Income Statement in the year. Borrowings Borrowings are recognised initially at fair value less attributable transaction costs. Subsequent to initial recognition, borrowings are stated at amortised cost with any difference between cost and redemption value being recognised in the Income Statement over the period of the borrowings on an effective interest basis. Finance costs Finance costs are recognised within the Income Statement in the year in which they are incurred. Provisions Provisions are determined by discounting the expected future cash flows at a pre-tax rate that reflects current market assessments of the time value of money and the risks specific to the liability. The unwinding of the discount is recognised as finance cost. Taxation Taxation on the profit or loss for the year comprises current and deferred taxation.
Taxation is recognised in the Income Statement except to the extent that it relates to items recognised directly in equity, in which case it is recognised in equity. Current tax is the expected tax payable or receivable on the taxable income or loss for the year, using tax rates enacted or substantively enacted at the Balance Sheet date, and any adjustment to tax payable in respect of previous years. Deferred tax is provided on temporary differences between the carrying amounts of assets and liabilities for financial reporting purposes and the amounts used for taxation purposes. The following temporary differences are not provided for: the initial recognition of goodwill; the initial recognition of assets or liabilities that affect neither accounting nor taxable profit other than in a business combination; and differences relating to investments in subsidiaries to the extent that they will probably not reverse in the foreseeable future. The amount of deferred tax provided is based on the expected manner of realisation or settlement of the carrying amount of assets and liabilities, using tax rates enacted or substantively enacted at the Balance Sheet date. A deferred tax asset is recognised only to the extent that it is probable that future taxable profits will be available against which the temporary difference can be utilised. R&D tax credits are recognised for the UK tax jurisdiction within administrative expenses and within income tax for the US tax jurisdiction. Intra-group financial instruments Where the Company enters into financial guarantee contracts to guarantee the indebtedness of other companies within the Group, the Company considers these to be insurance arrangements and accounts for them as such. In this respect the Company treats the guarantee contract as a contingent liability until such time as it becomes probable that the Company will be required to make a payment under the guarantee. 
Cash and cash equivalents Cash and cash equivalents comprise cash in hand and deposits repayable on demand. Bank overdrafts that are repayable on demand form part of the Group’s cash management and are included as a component of cash and cash equivalents for the purpose only of the Statement of Cash Flows. Treasury shares NCC Group plc shares held by the Group are deducted from equity as “treasury shares” and are recognised at cost. Consideration received for the sale of such shares is also recognised in equity, with any difference between the proceeds from sale and the original cost being taken to reserves. No gain or loss is recognised in the Income Statement on the purchase, sale, issue or cancellation of equity shares. 2 Critical accounting judgements, key sources of estimation uncertainty and other estimates The preparation of Financial Statements requires management to exercise judgement in applying the Group’s accounting policies. Different judgements would have the potential to change the reported outcome of an accounting transaction or Statement of Financial Position. It also requires the use of estimates that affect the reported amounts of assets, liabilities, income and expenses. Actual results may differ from these estimates. Estimates and underlying assumptions are reviewed on an ongoing basis, with changes recognised in the period in which the estimates are revised and in any future periods affected. The table below shows those areas of critical accounting judgements and estimates that the Directors consider material and that could reasonably change significantly in the next year.
Accounting area | Accounting judgement? | Accounting estimate?
Carrying value of goodwill | No | Yes
Control of IPM Software Resilience business | Yes | No
Recognition of research and development tax credits | No | Yes
Intangible assets – cloud-based software and development costs | Yes | No
2.1 Critical accounting judgements Information about critical accounting judgements made in applying accounting policies that have the most significant effects on the amounts recognised in the consolidated Financial Statements are as follows. Control of IPM Software Resilience business A key judgement in the year ended 31 May 2021 is the acquisition date for the purchase of the IPM Software Resilience business. Management considers shareholder approval of the transaction constitutes a change in control and therefore the date of shareholder approval is considered to be the acquisition date for the transaction. Shareholder approval was granted on 1 June 2021 and the IPM Software Resilience business will be consolidated into the Group results from that date. Intangible assets – cloud-based software and development costs When the Group incurs customisation and configuration costs, as part of a service agreement, judgement is also required in assessing whether the Group has control over the resources defined in the arrangement. Management has considered the IFRS Interpretations Committee (IFRIC) agenda decision in April 2021 on the clarification of accounting in relation to these costs. The costs expensed amount to £5.1m (2020: £7.9m). See further details in Notes 12 and 34 in relation to a prior year restatement. Development activities involve a plan or design for the production of new or substantially improved products or processes. Judgement is required in determining whether the project is technically and commercially feasible; judgement is required in assessing the future economic benefit and viability of the project. Such judgements are inherently subjective and can have a material impact on determining whether such costs should be capitalised.
2.2 Estimation uncertainties Information about estimation uncertainties that have a significant risk of resulting in a material adjustment to the carrying values of assets and liabilities within the next financial year is addressed below. Whilst every effort is made to ensure that such estimates and assumptions are reasonable, by their nature they are uncertain, and as such changes in estimates and assumptions may have a material impact. Estimates and assumptions used in the preparation of the Financial Statements are continually reviewed and revised as necessary at each reporting date. Carrying values of goodwill The Group has significant balances relating to goodwill at 31 May 2021 as a result of acquisitions of businesses in previous years. The carrying value of goodwill at 31 May 2021 is £182.9m (2020: £193.1m). Goodwill balances are tested annually for impairment. Tests for impairment are primarily based on the calculation of a value in use for each CGU. This involves the preparation of discounted cash flow projections, which require significant estimates of both future operating cash flows and an appropriate risk-adjusted discount rate. The commercial viability of individually capitalised development project costs is also part of the overall assessment of carrying values. Future cash flow estimates are based on two critical estimates: the rate of revenue growth and the discount rate, particularly in relation to the Europe Assurance CGU which is the most sensitive to movements in estimates. The calculation of an appropriate discount rate to apply to the future cash flow estimate is itself an estimate.
While some aspects of discount rate calculations can be more mechanical in nature (such as using the 30 year gilt yield as a proxy for the risk free rate) others, such as entity or sector-specific risk adjustments, rely more on management estimates. The discount rate is also a key component in assessing the terminal value which is often an important part of any valuation. Sensitivity analysis on what are regarded as reasonably possible changes is provided in Note 12. Recognition of research and development tax credits The tax expense reported for the current year and prior year is affected by certain positions taken by management where there may be uncertainty. The most significant source of uncertainty arises from claims for US research and development (R&D) tax credits relating to historical periods. Uncertainty arises as a result of a degree of uncertainty concerning the interpretation of US legislation and because the statute of limitations has not expired. The basis on which the Group has claimed R&D tax credits involves a technical assessment of which party bears the economic risk in any research contracts entered into with third parties. This assessment is a key estimate. It is considered “probable” that the US taxation authority would accept the uncertain tax treatment in relation to the utilised tax credits recognised. For the periods ending 31 May 2017 to 31 May 2021, the aggregate net current tax benefit included in the Income Statement relating to the R&D US tax credits is £2.7m (2020: £4.3m). The gross deferred tax asset relating to the R&D US tax credits is £1.0m (2020: £0.8m), although due to the uncertainty we have made a provision of £0.6m (2020: £0.8m) against this asset. The aggregate gross amount of US R&D tax credits recognised amounts to £8.2m (2020: £5.1m) and we have made a provision of £5.1m (2020: £0.8m) against this gross position. 
It is considered reasonably possible that the outcome relating to historical claims ranges from a potential increase of tax credits of £5.1m to a potential reduction of £3.1m.

2.3 Other estimates

Long-term loss-making contracts

Some aspects of the Group’s revenue are derived from relatively long-term fixed price contracts. On this basis, estimation uncertainty is disclosed in relation to one contract:

• An onerous provision recognised during the year ended 31 May 2020 of £0.2m has increased during the period by a further £1.9m, of which £1.7m has been utilised leaving a closing balance of £0.4m of a total provision for loss-making contracts of £1.1m (see Note 21). This additional provision relates to a European contract and has been caused by Covid-19 disruption and some project management challenges. Management prepares projections, which, due to the complexity of the contract, require estimates and accounting judgement of both revenue and cost recognition (including the number of performance obligations). Revenue is recognised based on the input method of IFRS 15 in relation to total costs and therefore management has to estimate the number of hours still required to complete the long-term projects and associated labour cost to complete.

Due to the level of estimation and dependency on hours remaining to complete the performance obligation, sensitivity analysis on what is regarded as a reasonably possible scenario for this contract is provided below:

• A 20% increase in total labour hours to the project would give rise to a further provision of up to £0.2m

3 Alternative Performance Measures (APMs) and adjusting items

The consolidated Financial Statements include APMs as well as statutory measures. These APMs used by the Group are not defined terms under IFRS and may therefore not be comparable with similarly titled measures reported by other companies. They are not intended to be a substitute for, or superior to, Generally Accepted Accounting Practice (GAAP) measures. All APMs relate to the current year results and comparative periods where provided. This presentation is also consistent with the way that financial performance is measured by management and reported to the Board, and the basis of financial measures for senior management’s compensation schemes, and provides supplementary information that assists the user in understanding the financial performance, position and trends of the Group. At all times, the Group aims to ensure that the Annual Report and Accounts give a fair, balanced and understandable view of the Group’s performance, cash flows and financial position.

IAS 1 ‘Presentation of Financial Statements’ requires the separate presentation of items that are material in nature or scale in order to allow the user of the accounts to understand underlying business performance.

As discussed in the prior year Annual Report and in accordance with FRC guidelines, the Group no longer presents a Consolidated Income Statement showing adjusting items separately. In the prior year, the Group disclosed adjusting items of £10.2m relating to amortisation of acquisition intangibles (2020: £8.8m) and share-based payments (2020: £1.4m) as a separate column on the face of the Consolidated Income Statement. This is no longer disclosed in this way to simplify the Group’s results.
However, as the Group manages internally its performance at an adjusted operating profit level (before amortisation of acquisition intangibles, share-based payments and Individually Significant Items), which management believes better represents the underlying trading of the business, this information is still disclosed as an APM within this Annual Report. This APM is reconciled to statutory operating profit, together with the consequently Adjusted basic EPS (before amortisation of acquisition intangibles, share-based payments and Individually Significant Items and tax effect thereon) to statutory basic EPS.

This change has removed the following adjusted measures from the Group’s narrative reporting and disclosures:

• Adjusted profit before taxation
• Adjusted taxation

Following this revision to APMs, the Group has the following APMs/non-statutory measures:

• Adjusted EBITDA (reconciled below)
• Adjusted operating profit (reconciled below)
• Adjusted basic EPS (pence) (reconciled in Note 11)
• Net cash/(debt) excluding lease liabilities (reconciled below)
• Net debt (reconciled below)
• Cash conversion (reconciled below)
• Constant currency revenue

These measures provide supplementary information that assists the user to understand the financial performance, position and trends of the Group. Further detail is included within the glossary of terms to this Annual Report which provides supplementary information that assists the user in understanding these APMs/non-statutory measures.

The Group reports certain geographic regions on a constant currency basis to reflect the underlying performance taking into account constant foreign exchange rates year on year. This involves translating comparative numbers to current year rates for comparability to enable a growth factor to be calculated. In addition, the Group also reports these regions on a local currency basis to demonstrate the revenue performance on a local basis.
As these measures are not statutory revenue numbers, management consider these to be APMs.

Adjusted EBITDA and Adjusted operating profit

The calculation of Adjusted EBITDA and Adjusted operating profit is set out below:

| | 2021 £m | 2020 (restated) ² £m |
| Operating profit | 17.3 | 12.6 |
| Depreciation of property, plant and equipment | 4.4 | 5.8 |
| Depreciation of right-of-use assets | 5.9 | 6.0 |
| Amortisation of customer contracts and relationships (acquired intangibles) | 6.4 | 8.8 |
| Amortisation of software and development costs | 3.0 | 3.0 |
| Individually Significant Items (Note 5) | 12.7 | 7.9 |
| Share-based payments charge (Note 26) | 2.8 | 1.4 |
| Adjusted EBITDA | 52.5 | 45.5 |
| Depreciation and amortisation (excluding amortisation charged on acquired intangibles) | (13.3) | (14.8) |
| Adjusted operating profit | 39.2 | 30.7 |

Net cash/(debt)

The calculation of net cash/(debt) is set out below:

| | 2021 £m | 2020 £m |
| Cash and cash equivalents (Note 24) | 116.5 | 95.0 |
| Borrowings (Note 24) | (33.2) | (99.2) |
| Net cash/(debt) excluding lease liabilities | 83.3 | (4.2) |
| Lease liabilities | (34.4) | (38.2) |
| Net cash/(debt) | 48.9 | (42.4) |

Cash conversion ratio

The calculation of the cash conversion ratio is set out below:

| | 2021 £m | 2020 (restated) ² £m |
| Cash generated from operating activities before interest and taxation (A) | 46.3 | 46.8 |
| Adjusted EBITDA (B) | 52.5 | 45.5 |
| Cash conversion ratio (%) (A)/(B) | 88.2% | 102.9% |

4 Segmental information

The Group is organised into the following two (2020: two) reportable segments: Assurance and Software Resilience. The two reporting segments provide distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services.
The operating segments are grouped into the reporting segments on the basis of how they are reported to the chief operating decision maker (CODM) for the purposes of IFRS 8 ‘Operating Segments’, which is considered to be the Board of Directors of NCC Group plc. Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their relatively homogeneous commercial and strategic market environments. Performance is measured based on reporting segment profit, which comprises Adjusted operating profit ¹, and adjusting items are not allocated to business segments. Interest and tax are also not allocated to business segments and there are no intra-segment sales.

Segmental analysis 2021

| | Assurance £m | Software Resilience £m | Central and head office £m | Group £m |
| Revenue | 233.9 | 36.6 | – | 270.5 |
| Cost of sales | (149.5) | (10.4) | – | (159.9) |
| Gross profit | 84.4 | 26.2 | – | 110.6 |
| Gross margin % | 36.1% | 71.6% | – | 40.9% |
| General administrative expenses allocated | (45.4) | (9.5) | (3.2) | (58.1) |
| Adjusted EBITDA ¹ | 39.0 | 16.7 | (3.2) | 52.5 |
| Depreciation and amortisation | (9.4) | (0.7) | (3.2) | (13.3) |
| Adjusted operating profit ¹ | 29.6 | 16.0 | (6.4) | 39.2 |
| Individually Significant Items (Note 5) | – | – | (12.7) | (12.7) |
| Amortisation of acquired intangibles | – | – | (6.4) | (6.4) |
| Share-based payments | – | – | (2.8) | (2.8) |
| Operating profit | 29.6 | 16.0 | (28.3) | 17.3 |

Segmental analysis 2020 (restated) ²

| | Assurance £m | Software Resilience £m | Central and head office £m | Group £m |
| Revenue | 226.2 | 37.5 | – | 263.7 |
| Cost of sales | (149.3) | (10.0) | – | (159.3) |
| Gross profit | 76.9 | 27.5 | – | 104.4 |
| Gross margin % | 34.0% | 73.3% | – | 39.6% |
| General administrative expenses allocated | (43.9) | (10.0) | (5.0) | (58.9) |
| Adjusted EBITDA ¹ | 33.0 | 17.5 | (5.0) | 45.5 |
| Depreciation and amortisation | (10.7) | (0.6) | (3.5) | (14.8) |
| Adjusted operating profit ¹ | 22.3 | 16.9 | (8.5) | 30.7 |
| Individually Significant Items (Note 5) | – | – | (7.9) | (7.9) |
| Amortisation of acquired intangibles | – | – | (8.8) | (8.8) |
| Share-based payments | – | – | (1.4) | (1.4) |
| Operating profit | 22.3 | 16.9 | (26.6) | 12.6 |

Segmental analysis 2021

| | Assurance £m | Software Resilience £m | Central and head office £m | Group £m |
| Additions to non-current assets | 6.0 | – | 2.1 | 8.1 |
| Reportable segment assets | 69.3 | 13.5 | 349.5 | 432.3 |
| Reportable segment liabilities | (94.9) | (4.5) | (66.7) | (166.1) |

Segmental analysis 2020 (restated) ²

| | Assurance £m | Software Resilience £m | Central and head office £m | Group £m |
| Additions to non-current assets | 4.7 | 0.2 | 12.3 | 17.2 |
| Reportable segment assets | 88.0 | 18.4 | 330.8 | 437.2 |
| Reportable segment liabilities | (73.9) | (14.5) | (142.9) | (231.3) |

The Central and head office cost centre is not considered to be a separate operating segment nor part of any other operating segment as it does not generate any revenues. Included within Central and head office are assets and liabilities not specifically allocated to the reporting segments and include investments, head office tangible and intangible assets, deferred tax assets and liabilities, right-of-use assets and associated lease liabilities, Parent Company cash balances, the RCF facility and certain provisions. Central and head office assets and liabilities are disclosed to allow a reconciliation back to the Group’s assets and liabilities.

During the year, management has amended its segment disclosure to reflect the way the performance of the business is reported to the CODM and managed. The performance of the APAC region was previously included within Europe and APAC. For the year ended 31 May 2021, the APAC region is now included together with the UK segment until it becomes such a size that warrants separate reporting to the CODM.
In addition, with the continuing growth and formation of a European division we have changed geographical segments in line with how this information is reported to the Board and managed today and have re-presented prior year figures on a like-for-like basis.

The net book value of non-current assets is analysed geographically as follows:

| | 2021 £m | 2020 (restated) ² £m |
| UK and APAC | 172.0 | 188.3 |
| North America | 60.5 | 68.6 |
| Europe | 9.0 | 10.4 |
| Total non-current assets | 241.5 | 267.3 |

Revenue is disaggregated by primary geographical market, by category and timing of revenue recognition as follows:

| | Assurance £m | Software Resilience £m | 2021 Total £m |
| Revenue by originating country | | | |
| UK and APAC | 102.7 | 25.2 | 127.9 |
| North America | 82.7 | 7.3 | 90.0 |
| Europe | 48.5 | 4.1 | 52.6 |
| Total revenue | 233.9 | 36.6 | 270.5 |
| Revenue by category | | | |
| Services | 228.3 | 36.6 | 264.9 |
| Products | 5.6 | – | 5.6 |
| Total revenue | 233.9 | 36.6 | 270.5 |
| Timing of revenue recognition | | | |
| Services and products transferred over time | 47.9 | 24.0 | 71.9 |
| Services and products transferred at a point in time | 186.0 | 12.6 | 198.6 |
| Total revenue | 233.9 | 36.6 | 270.5 |

| | Assurance £m | Software Resilience £m | 2020 Total £m |
| Revenue by originating country | | | |
| UK and APAC | 98.8 | 25.9 | 124.7 |
| North America | 82.4 | 7.8 | 90.2 |
| Europe | 45.0 | 3.8 | 48.8 |
| Total revenue | 226.2 | 37.5 | 263.7 |
| Revenue by category | | | |
| Services | 215.7 | 37.5 | 253.2 |
| Products | 10.5 | – | 10.5 |
| Total revenue | 226.2 | 37.5 | 263.7 |
| Timing of revenue recognition | | | |
| Services and products transferred over time | 41.4 | 25.7 | 67.1 |
| Services and products transferred at a point in time | 184.8 | 11.8 | 196.6 |
| Total revenue | 226.2 | 37.5 | 263.7 |

There are no customer contracts in either 2021 or 2020 which account for more than 10% of segment revenue.

5 Individually Significant Items

The Group separately identifies items as Individually Significant Items. Each of these is considered by the Directors to be sufficiently unusual in terms of nature or scale so as not to form part of the underlying performance of the business. They are therefore separately identified and excluded from adjusted results (as explained in Note 3).
| Individually Significant Items (ISIs) | 2021 £m | 2020 (restated) ² £m |
| Cloud configuration and customisation costs | 5.1 | 7.9 |
| Costs directly attributable to the acquisition of the IPM Software Resilience business | 7.6 | – |
| Total ISIs | 12.7 | 7.9 |

Cloud configuration and customisation costs

These costs relate to the material spend previously capitalised in relation to the Group’s Securing Growth Together digital transformation programme that have now been expensed following the adoption of the IFRIC agenda decision. The costs meet the Group’s policy for ISIs. See Note 34 for further details in relation to the prior year restatement.

Costs directly attributable to the acquisition of the IPM Software Resilience business

These costs are directly attributable to the material acquisition of the IPM Software Resilience business (see Note 35) and are therefore considered to meet the Group’s policy for ISIs. The nature of the costs includes legal, accountancy, due diligence and other advisory services.

6 Expenses and auditor’s remuneration

Continuing activities

Profit before taxation is stated after charging/(crediting):

| | 2021 £m | 2020 (restated) ² £m |
| Amounts receivable by auditor and its associates in respect of: | | |
| Audit of these Financial Statements | 0.7 | 0.4 |
| Audit of Financial Statements of subsidiaries pursuant to legislation | 0.1 | 0.1 |
| Total audit ⁴ | 0.8 | 0.5 |
| Amortisation of development costs (Note 12) | 2.0 | 2.0 |
| Amortisation of software costs (after the adoption of the IFRIC agenda decision on cloud configuration and customisation costs) (Note 12) | 1.0 | 1.0 |
| Amortisation of acquired intangibles (Note 12) | 6.4 | 8.8 |
| Depreciation of property, plant and equipment (Note 13) | 4.4 | 5.8 |
| Depreciation of right-of-use assets (Note 14) | 5.9 | 6.0 |
| Impairment of right-of-use assets (Note 14) | – | 1.1 |
| Costs directly attributable to the acquisition of the IPM Software Resilience business (included within ISIs) (Note 5) | 7.6 | – |
| Cloud configuration and customisation costs (Note 5) | 5.1 | 7.9 |
| Credit losses recognised on financial assets | 0.8 | 0.7 |
| Cost of inventories recognised as an expense | 1.1 | 0.5 |
| Foreign exchange losses | 1.5 | – |
| Lease rental costs charged: | | |
| – Hire of property, plant and equipment ⁵ | 0.1 | 0.5 |
| Research and development expenditure | 0.5 | 0.6 |
| Profit on disposal of intangible assets | (0.5) | – |
| Profit on disposal of right-of-use assets | (0.2) | (0.1) |
| Loss on sale of property, plant and equipment | 0.2 | – |

⁴ The only non-audit service provided by the auditor was for the interim review at 30 November 2020, for which the fee was £75,000 (2020: £50,000).

⁵ The charge to the Income Statement in respect of lease rental costs relates entirely to short-term leases for which the Group has taken the exemption allowed from applying the principles of IFRS 16.

7 Staff numbers and costs

Directors’ emoluments are disclosed in the Remuneration Committee Report. Total aggregate emoluments of the Directors in respect of 2021 were £2.2m (2020: £1.6m). Employer contributions to pensions for Executive Directors for qualifying periods were £nil (2020: £50,000). The Company provided pension payments in lieu of pension contributions for two Executive Directors during the year ended 31 May 2021 amounting to £50,000. The aggregate net value of share awards granted to the Directors in the period was £0.7m (2020: £0.7m). The net value has been calculated by reference to the closing mid-market price of the Company’s shares on the day before the date of grant. During the year, 104,526 share options were exercised by Directors (2020: nil) and their gain on exercise of share options was £88,000 (2020: £nil).
The average monthly number of persons employed by the Group during the year, including Directors, is analysed by category as follows:

| Number of employees | 2021 | 2020 |
| Operational | 1,523 | 1,518 |
| Administration | 374 | 355 |
| Total | 1,897 | 1,873 |

The aggregate payroll costs of these persons were as follows:

| | 2021 £m | 2020 £m |
| Wages and salaries | 152.5 | 148.4 |
| Share-based payments (Note 26) | 2.8 | 1.4 |
| Social security costs | 13.7 | 14.7 |
| Other pension costs (Note 31) | 5.3 | 5.6 |
| Total payroll costs | 174.3 | 170.1 |

8 Finance costs

| | 2021 £m | 2020 £m |
| Interest payable on bank loans and overdrafts | 1.3 | 1.8 |
| Interest expense on lease liabilities | 1.2 | 1.2 |
| Finance costs | 2.5 | 3.0 |

The above finance costs relate entirely to liabilities not at fair value through profit or loss.

9 Taxation

Recognised in the Income Statement

| | 2021 £m | 2020 (restated) ² £m |
| Current tax expense | | |
| Current year | (0.8) | 2.0 |
| Adjustment to tax expense in respect of prior periods | (0.4) | (0.6) |
| Impact of prior year US R&D tax credits | 2.7 | – |
| Foreign tax | 4.3 | 4.4 |
| Total current tax | 5.8 | 5.8 |
| Deferred tax expense | | |
| Origination and reversal of temporary differences | (0.7) | (2.7) |
| Movement in tax rate | 0.4 | (0.3) |
| Recognition of previously unrecognised deductible timing differences | – | (0.4) |
| Impact of prior year US R&D tax credits | (0.8) | 0.5 |
| Adjustment to tax expense in respect of prior periods | 0.1 | 0.3 |
| Total deferred tax | (1.0) | (2.6) |
| Tax expense on continuing operations | 4.8 | 3.2 |

Reconciliation of effective tax rate

| | 2021 £m | 2020 (restated) ² £m |
| Profit before taxation | 14.8 | 9.6 |
| Current tax using the UK corporation tax rate of 19% (2020: 19%) | 2.8 | 1.8 |
| Effects of: | | |
| Items not (assessable)/deductible for tax purposes | (0.5) | 0.9 |
| Adjustment to tax charge in respect of prior periods | (0.3) | (0.3) |
| Impact of prior year US R&D tax credits | 1.9 | 0.5 |
| Impact of current year US R&D tax credits | (0.3) | – |
| Differences between overseas tax rates | 0.7 | 0.9 |
| Movements in temporary differences not recognised | 0.1 | (0.3) |
| Movement in tax rate | 0.4 | (0.3) |
| Total tax expense | 4.8 | 3.2 |

Current and deferred tax recognised directly in equity was a credit of £0.3m (2020: £nil). In the March 2021 budget the UK government announced that legislation will be introduced in the Finance Bill 2021 to increase the main rate of UK corporation tax from 19% to 25%, effective 1 April 2023. This rate was substantively enacted on 24 May 2021 and therefore the deferred tax balances as at 31 May 2021 are generally measured at a rate of 25%.

Application of IFRIC agenda decisions

During the year, the Group has reviewed its accounting policy to align with IFRIC guidance issued in April 2021 in relation to Software-as-a-Service (SaaS) costs previously capitalised; following this review certain costs previously capitalised in relation to cloud-based arrangements have been expensed and amortisation charged on those assets has been reversed. This had the impact on the UK tax charge in the prior year of £1.2m. See Note 34 for further details on this prior year restatement.

Tax uncertainties

The tax expense reported for the current year and prior year is affected by certain positions taken by management where there may be uncertainty. The most significant source of uncertainty arises from claims for US R&D tax credits relating to historical periods. Uncertainty arises as a result of a degree of uncertainty concerning interpretation of US legislation and because the statute of limitations has not expired. For the periods ending 31 May 2017 to 31 May 2021, the aggregate net current tax benefit to the Income Statement relating to the US R&D tax credits is £2.7m (2020: £4.3m).
The gross deferred tax asset relating to the US R&D tax credits is £1.0m (2020: £0.8m), although due to the uncertainty we have made a partial provision of £0.6m (2020: £0.8m) against this asset. The aggregate gross amount of US R&D tax credits recognised amounts to £8.2m (2020: £5.1m) and we have made a provision of £5.1m (2020: £0.8m) against this gross position.

10 Dividends

| | 2021 | 2020 |
| Dividends paid and recognised in the year (£m) | 13.0 | 12.9 |
| Dividends per share paid and recognised in the year | 4.65p | 4.65p |
| Dividends per share proposed but not recognised in the year | 3.15p | 3.15p |

The proposed final dividend for the year ended 31 May 2021 of 3.15p per ordinary share on approximately 309.8m ordinary shares (approximately £10m) was approved by the Board on 14 September 2021 and will be recommended to shareholders at the AGM on 4 November 2021. The dividend has not been included as a liability as at 31 May 2021. The payment of this dividend will not have any tax consequences for the Group.

11 Earnings per ordinary share

Earnings per ordinary share are shown on a statutory and an adjusted basis to assist in the understanding of the performance of the Group.

| | 2021 | 2020 (restated) ² |
| Statutory earnings (A) (£m) | 10.0 | 6.4 |
| Basic weighted average number of shares in issue (C) (number of shares, m) | 281.2 | 278.0 |
| Dilutive effect of share options (number of shares, m) | 1.5 | 2.5 |
| Diluted weighted average shares in issue (D) (number of shares, m) | 282.7 | 280.5 |

For the purposes of calculating the dilutive effect of share options, the average market value is based on quoted market prices for the period during which the options are outstanding.
| Earnings per ordinary share | 2021 Pence | 2020 (restated) ² Pence |
| Basic (A/C) | 3.6 | 2.3 |
| Diluted (A/D) | 3.5 | 2.3 |

Adjusted basic EPS ¹ is reconciled as follows:

| | 2021 £m | 2020 (restated) ² £m |
| Statutory earnings (A) | 10.0 | 6.4 |
| Amortisation of acquired intangibles | 6.4 | 8.8 |
| Share-based payments | 2.8 | 1.4 |
| Individually Significant Items (see Note 5) | 12.7 | 7.9 |
| Tax effect of above items | (5.1) | (3.4) |
| Adjusted earnings (B) | 26.8 | 21.1 |

| Adjusted earnings per ordinary share | 2021 Pence | 2020 (restated) ² Pence |
| Basic (B/C) | 9.5 | 7.6 |
| Diluted (B/D) | 9.5 | 7.5 |

12 Goodwill and intangible assets

| | Goodwill £m | Software £m | Development costs £m | Customer contracts and relationships £m | Intangibles subtotal £m | Total £m |
| Cost | | | | | | |
| At 1 June 2019 – restated ² | 255.6 | 20.7 | 12.7 | 87.1 | 120.5 | 376.1 |
| Additions – restated ² | – | 1.0 | 1.3 | – | 2.3 | 2.3 |
| Transfers | – | 0.2 | (0.2) | – | – | – |
| Disposals | – | (9.1) | (2.3) | – | (11.4) | (11.4) |
| Effects of movements in exchange rates | 3.7 | – | – | 1.1 | 1.1 | 4.8 |
| At 31 May 2020 – restated ² | 259.3 | 12.8 | 11.5 | 88.2 | 112.5 | 371.8 |
| Additions | – | 1.7 | 0.6 | – | 2.3 | 2.3 |
| Disposals | (10.2) | – | – | (13.0) | (13.0) | (23.2) |
| Effects of movements in exchange rates | (10.2) | – | (0.4) | (2.1) | (2.5) | (12.7) |
| At 31 May 2021 | 238.9 | 14.5 | 11.7 | 73.1 | 99.3 | 338.2 |
| Accumulated amortisation | | | | | | |
| At 1 June 2019 – restated ² | (66.2) | (18.9) | (7.5) | (55.8) | (82.2) | (148.4) |
| Charge for year – restated ² | – | (1.0) | (2.0) | (8.8) | (11.8) | (11.8) |
| Disposals | – | 9.1 | 2.3 | – | 11.4 | 11.4 |
| Effects of movements in exchange rates | – | – | (0.1) | (0.8) | (0.9) | (0.9) |
| At 31 May 2020 – restated ² | (66.2) | (10.8) | (7.3) | (65.4) | (83.5) | (149.7) |
| Charge for year | – | (1.0) | (2.0) | (6.4) | (9.4) | (9.4) |
| Disposals | 10.2 | – | – | 13.0 | 13.0 | 23.2 |
| Effects of movements in exchange rates | – | – | 0.3 | 1.3 | 1.6 | 1.6 |
| At 31 May 2021 | (56.0) | (11.8) | (9.0) | (57.5) | (78.3) | (134.3) |
| Net book value | | | | | | |
| At 31 May 2021 | 182.9 | 2.7 | 2.7 | 15.6 | 21.0 | 203.9 |
| At 31 May 2020 – restated ² | 193.1 | 2.0 | 4.2 | 22.8 | 29.0 | 222.1 |

Development costs are capitalised in accordance with IAS 38 development criteria. For this reason, these are not regarded as realised losses.

Application of IFRIC agenda decisions

During the year, the Group has reviewed its accounting policy to align with IFRIC guidance issued in April 2021 in relation to Software-as-a-Service (SaaS) costs previously capitalised; following this review, costs previously capitalised for the year ended 31 May 2020 of £7.9m relating to cloud-based arrangements have now been expensed and amortisation of £1.4m charged on those assets has been reversed. Consequentially, the net impact on operating profit for the year ended 31 May 2020 is £6.5m. In addition, costs of £0.2m have been reclassified to prepayments. For the year ended 31 May 2019, the Group identified £3.6m of costs previously capitalised under cloud computing arrangements that should be expensed and £0.1m of amortisation was charged, which is to be reversed. See Note 34 for further details on this prior year restatement.

Cash generating units (CGUs)

Goodwill and intangible assets are allocated to CGUs in order to be assessed for potential impairment. CGUs are defined by accounting standards as the lowest level of asset groupings that generate separately identifiable cash inflows that are not dependent on other CGUs. The Directors have reviewed the continuing applicability of the judgements made in the prior year in determining the CGUs within the Group and in allocating goodwill to these CGUs. The assessment of CGUs is a key accounting judgement as set out in Note 2 of the consolidated Financial Statements.
During the year, the Group revised its CGUs as follows:

• On 1 June 2020, Virtual Security Research LLC (VSR) was merged into NCC Group Security Services Incorporated, which forms part of the North America Assurance CGU, and following this merger VSR no longer exists as a standalone entity. VSR continues to be included within the North America segment. From this date, the VSR business no longer generates independent cash flows since its resources are now pooled with the remainder of the US Assurance technical delivery teams and its support functions are delivered by the shared US Assurance functions. Furthermore, VSR is no longer reported separately from the rest of the US business. On the basis of the above, management has concluded that the VSR business is no longer a standalone CGU and has been subsumed into the North America Assurance CGU

• During the year, the Group ceased measuring and forecasting the performance of the Payment Software Company Inc. business (PSC), which now forms part of the North America Assurance segment. On the basis of the above, management has concluded that the PSC business is no longer a standalone CGU as it is not capable of generating independent cash flows and has been subsumed into the North America Assurance CGU

• During FY21, the Group has rearranged its operations so that there is now a European-wide Assurance operation, combining the Fort business unit previously included within the UK Assurance CGU and the Fox-IT business unit under a single management and reporting structure, known as Europe Assurance. As part of the integration, measuring and forecasting of performance is done at the Europe Assurance level and operations such as the sales and delivery teams and support functions have been integrated such that independent cash flows are no longer identifiable below the Europe Assurance level. On this basis, management has concluded that the cash flows associated with Fox-IT and Fort should now be combined to form a single CGU

The CGUs and the allocation of goodwill to those CGUs are shown below:

| Cash generating units | Goodwill 2021 £m | Goodwill * 2020 £m |
| UK Software Resilience | 22.9 | 22.9 |
| North America Software Resilience | 7.5 | 8.7 |
| Europe Software Resilience | 7.2 | 7.5 |
| Total Software Resilience | 37.6 | 39.1 |
| UK and APAC Assurance | 44.2 | 47.3 |
| North America Assurance | 36.4 | 42.4 |
| Europe Assurance | 64.7 | 64.3 |
| Total Assurance | 145.3 | 154.0 |
| Total Group | 182.9 | 193.1 |

* The prior year comparative figures have been re-presented to reflect the change in CGUs in the year described above.

Impairment review

Goodwill is tested for impairment annually at the level of the CGU to which it is allocated. In each of the tests carried out as at 31 May 2021, the recoverable amount of the CGUs concerned was measured on a value in use basis (VIU). VIU represents the present value of the future cash flows that are expected to be generated by the CGU to which the goodwill is allocated. Capitalised development and software costs are included in the CGU asset bases when performing the impairment review.

Capitalised development projects and software intangible assets are also considered, on an asset-by-asset basis, for impairment where there are indicators of impairment. During the year, management carried out a detailed review of the capitalised product portfolio and, based on cash flow projections for the respective projects, concluded that no impairment was required.

VIU calculations are an area of material management estimation as set out in Note 2 to the consolidated Financial Statements. These calculations require the use of estimates, specifically: pre-tax cash flow projections; long-term growth rates; and a pre-tax discount rate.
Further detail in relation to these key assumptions used in the Group’s goodwill annual impairment review is as follows:

Pre-tax cash flow projections

Pre-tax cash flow projections are based on the Group’s budget for the forthcoming financial year and longer-term three year strategic plans to 2024. The budget and three year strategic plan are compiled by the business unit management teams using a detailed, bottom-up process with respect to revenue, margin and overheads, taking into account factors specific to that business unit as well as wider economic factors such as industry growth expectations and the impact of Covid-19.

The Group’s revenue forecasts are developed using the most reliable data available, such as the size of the existing contract base and details of confirmed orders, as well as assumptions over key operational inputs to underpin the forecast for each revenue stream. The combined effect of these individual assumptions on the overall growth rate assumed for each area of the business is then compared to management’s experience of growth and the industry’s expected growth rate.

For cost forecasts, the majority of which are people related, headcount changes are forecast for delivery and sales staff in order that there are sufficient resources to support the forecasted required revenue delivery capacity as well as to deliver against sales targets, whilst also factoring in payroll inflation expectations. Overhead costs are also forecast using a bottom-up process. Forecasts go through a detailed review process and are subject to challenge at each stage of review, including by the Executive Committee. Ultimately the forecasts are approved by the Board.

Assumptions have then been applied for expected revenue, margin growth, overheads and Adjusted EBITDA ¹ for the subsequent two years from the end of 2024.
Adjusted EBITDA ¹ is considered a proxy for operating cash flow before changes in working capital. Pre-tax cash flow projections also include assumptions on working capital and capital expenditure requirements for each CGU. These assumptions are based on management’s experience of growth and knowledge of the industry sectors, markets and the Group’s internal opportunities for growth and margin enhancement. The projections beyond five years into perpetuity use an estimated long-term growth rate.

Management has taken into account the impact of Covid-19 in formulating the above assumptions, and the underlying uncertainty of Covid-19 has been reflected in the assumptions underpinning the cash flow forecasts for each CGU rather than the pre-tax discount rates used in the impairment test. Forecast working capital and capital expenditure included within the pre-tax cash flow projections are based on management’s expectations of future expenditure required to support the Group and current run rate requirements.

The revenue growth rate is considered a critical estimate by management. Revenue growth is considered to be the most critical estimate, rather than Adjusted EBITDA ¹ growth which was used in the prior year, due to the Group’s relatively stable overhead base and high operating leverage. The table below summarises the cumulative average growth rate (CAGR) assumed for revenue over the five year forecast period to 2026 for each CGU:

| | Revenue CAGR (%) 2021 | Revenue CAGR (%) 2020 |
| UK Software Resilience | 5.8 | 5.5 |
| North America Software Resilience | 12.3 | 1.2 |
| Europe Software Resilience | 11.4 | 5.1 |
| UK and APAC Assurance | 9.0 | 8.3 |
| North America Assurance | 10.4 | 8.3 |
| Europe Assurance | 11.7 | 13.1 |

The revenue % growth for Europe Assurance is considered by management to be appropriate for the specific industry in which the CGU operates. Management has considered available external market data in determining the revenue growth rates over the five year forecast period.
Long-term growth rates

To forecast growth beyond the detailed cash flows into perpetuity, a long-term average growth rate ranging between 1.5 and 1.7% (2020: between 1.9 and 2.5%) has been used based on the specific geography of the CGU, as shown in the table below. This range represents management’s best estimate of a long-term annual growth rate aligned to an assessment of long-term GDP growth rates. A higher sector-specific growth rate would be a valid alternative estimate. A different set of assumptions may be more appropriate in future years dependent on changes in the macro-economic environment. These rates are not greater than the published International Monetary Fund average growth rates in gross domestic product for the next five year period in each relevant territory in which the CGUs operate.

                                     Growth rate (%) 2021   Growth rate (%) 2020
UK Software Resilience                                1.7                    1.9
North America Software Resilience                     1.6                    2.5
Europe Software Resilience                            1.5                    1.9
UK and APAC Assurance                                 1.7                    1.9
North America Assurance                               1.6                    2.5
Europe Assurance                                      1.5                    1.9

Pre-tax discount rates

Discount rates can change relatively quickly for reasons both inside and outside of management’s control. Those outside management’s direct control or influence include changes in the Group’s Beta, changes in risk free rates of return and changes in Equity Risk Premia. The discount rates are determined using a capital asset pricing model and reflect current market interest rates, relevant equity and size risk premiums and the risks specific to the CGU concerned. On this basis, specific discount rates are used for each CGU in the VIU calculation and the rates reflect management’s assessment on the level of relative risk in each respective CGU.
The table below summarises the pre-tax discount rates used for each CGU:

                                     Pre-tax discount rate (%) 2021   Pre-tax discount rate (%) 2020
UK Software Resilience                                         12.9                             15.4
North America Software Resilience                              15.3                             13.5
Europe Software Resilience                                     13.6                             13.6
UK and APAC Assurance                                          13.0                             11.6
North America Assurance                                        14.2                             13.5
Europe Assurance                                               13.7                             12.7

Sensitivity analysis

Sensitivity analysis has been performed in respect of certain scenarios where management considers a reasonably possible change in key assumptions could occur. The following key assumptions are considered to carry the greatest level of sensitivity to forecasts:

• Revenue is the primary cash flow driver (since due to the Group’s operating leverage, revenue is the key driver of Adjusted EBITDA ¹, considered as a proxy for operating cash flow before changes in working capital and capital expenditure), and a key contributor to VIU
• The discount rate for each CGU: both factors inside and outside of management’s control impact the discount rate and can have a significant impact on the VIU calculation

With the exception of the Europe Assurance CGU, the outcome of applying sensitivity analysis in respect of the above inputs indicated that there is no reasonably possible scenario in which the carrying value of goodwill would be considered impaired.

With respect to the Europe Assurance CGU, management has considered the impact of Covid-19 on the challenging growth targets for this CGU and believes a reasonably possible change in the key assumptions of a 1.7% pts reduction in the revenue CAGR or a 1% pts increase in the discount rate would significantly reduce the headroom or give rise to an impairment. The impact of these changes in assumptions is illustrated in the table below, together with the change in each assumption that would result in the VIU falling below the carrying amount.
It is noted that, whilst a 1.7% pts reduction in the revenue CAGR would give rise to a potential impairment of goodwill, it is expected that any such deterioration in expected growth rates would also lead to a reduction in expected future costs. This expected future cost reduction has not been factored into the calculations illustrated below.

Sensitivity analysis: Europe Assurance (£m)

                                                                                      31 May 2021   31 May 2020
Carrying value of assets (goodwill, development and software costs,
  right-of-use assets)                                                                       76.9          72.9
Total VIU                                                                                    95.1          92.3
Surplus over carrying value of assets                                                        18.2          19.4
Assumptions used in VIU calculation:
Five year CAGR                                                                              11.7%         13.1%
Impact of reduction of 1.7% pts to five year revenue CAGR on VIU                           (43.4)           N/A
Change required in five year revenue CAGR % for VIU to fall below carrying value             0.7%          0.7%
Pre-tax discount rate                                                                       13.7%         12.7%
Impact of 1% pts increase in pre-tax discount rate on VIU                                   (7.9)         (8.1)
Change required in pre-tax discount rate for VIU to fall below carrying value                2.6%          2.5%
Impact of both 1.7% pts reduction to revenue CAGR and 1% pts increase in
  pre-tax discount rate on VIU                                                             (47.6)           N/A

13 Property, plant and equipment

                                        Computer    Fixtures, fittings     Motor
                                       equipment         and equipment  vehicles     Total
                                              £m                    £m        £m        £m
Cost
At 1 June 2019                              19.6                  21.1       0.2      40.9
Additions                                    2.9                 (0.1)         –       2.8
Disposals                                  (2.8)                 (0.3)     (0.1)     (3.2)
Movement in foreign exchange rates             –                   0.3         –       0.3
At 31 May 2020                              19.7                  21.0       0.1      40.8
Additions                                    1.8                   0.9         –       2.7
Disposals                                  (0.1)                 (3.6)         –     (3.7)
Movement in foreign exchange rates         (0.6)                 (1.0)         –     (1.6)
At 31 May 2021                              20.8                  17.3       0.1      38.2
Depreciation
At 1 June 2019                            (14.6)                 (9.3)     (0.1)    (24.0)
Charge for year                            (3.0)                 (2.8)         –     (5.8)
Disposals                                    2.6                   0.6         –       3.2
Movement in foreign exchange rates         (0.3)                     –         –     (0.3)
At 31 May 2020                            (15.3)                (11.5)     (0.1)    (26.9)
Charge for year                            (2.8)                 (1.6)         –     (4.4)
Disposals                                    0.2                   3.3         –       3.5
Movement in foreign exchange rates           0.4                   0.7         –       1.1
At 31 May 2021                            (17.5)                 (9.1)     (0.1)    (26.7)
Net book value
At 31 May 2020                               4.4                   9.5         –      13.9
At 31 May 2021                               3.3                   8.2         –      11.5

14 Right-of-use assets

                                        Land and buildings   Motor vehicles     Total
                                                        £m               £m        £m
Cost
At 1 June 2019                                        24.6              1.9      26.5
Additions                                             11.0              1.1      12.1
Disposals                                            (2.8)                –     (2.8)
At 31 May 2020                                        32.8              3.0      35.8
Additions                                              3.1                –       3.1
Reclassifications from provisions                    (1.4)                –     (1.4)
Disposals                                            (0.7)                –     (0.7)
At 31 May 2021                                        33.8              3.0      36.8
Depreciation
At 1 June 2019                                           –                –         –
Charge for year                                      (4.9)            (1.1)     (6.0)
Impairment charge                                    (1.1)                –     (1.1)
At 31 May 2020                                       (6.0)            (1.1)     (7.1)
Charge for year                                      (4.8)            (1.1)     (5.9)
At 31 May 2021                                      (10.8)            (2.2)    (13.0)
Net book value
At 31 May 2020                                        26.8              1.9      28.7
At 31 May 2021                                        23.0              0.8      23.8

The impairment charge of £1.1m in the prior year relates to leased properties which are not currently occupied by the Group, which have been tested for impairment separately rather than within the CGU impairment tests. The impairment charge is based on the estimated recoverable amount of the right-of-use asset at the assumed date of disposal or termination of the lease, which is considered to be £nil.

15 Investments

                                  Group 2021 £m   Group 2020 £m
Interest in unlisted shares                 0.3             0.3

The investment in unlisted shares relates to a 3.35% ordinary shareholding in an unlisted company acquired as part of the Accumuli acquisition. The investment’s carrying value at acquisition date was considered appropriate to use as the fair value. The Directors consider there has been no change in the year.

16 Inventory

                                  Group 2021 £m   Group 2020 £m
Goods for resale                            1.1             0.9

The Group holds stock of certain critical components for key customers in relation to our own product sales (as opposed to third party products). The carrying value of inventory is expected to be recovered or settled within one year. There have been no write-downs of inventory in the year (2020: £nil).
17 Trade and other receivables

                                           Group 2021   Group 2020 (restated) ²   Company 2021   Company 2020
                                                   £m                        £m             £m             £m
Current
Trade receivables                                35.2                      41.6              –              –
Prepayments                                       8.7                      10.8              –              –
Deferred contract costs                             –                       2.1              –              –
Other receivables                                 1.9                       0.9              –              –
Contract assets – accrued income                 22.9                      18.0              –              –
Non-current
Amounts owed by Group undertakings                  –                         –          162.6          142.0
Total                                            68.7                      73.4          162.6          142.0
Disclosed as follows:
Current assets                                   68.7                      73.4              –              –
Non-current assets                                  –                         –          162.6          142.0
                                                 68.7                      73.4          162.6          142.0

The carrying value of trade and other receivables classified at amortised cost approximates fair value.

The contract costs to fulfil represent recoverable costs relating to future performance obligations and economic benefits to the customer in relation to a long-term onerous contract (see Note 21). No impairment charge has been recognised during the year.

No credit losses have been recognised in respect of amounts owed by Group undertakings (Parent Company only) in the year (2020: £nil) since they are not considered material. Amounts owed by Group undertakings in the Parent Company Balance Sheet have been disclosed as repayable after more than one year. Although these are repayable on demand, the disclosure as non-current is based on management’s expectation of the timing of repayment.

The ageing of trade receivables and other receivables at the end of the reporting period was:

Group                              Gross   Expected credit     Net   Gross   Expected credit     Net
                                    2021       losses 2021    2021    2020       losses 2020    2020
                                      £m                £m      £m      £m                £m      £m
Trade receivables:
Not past due                        24.3             (0.1)    24.2    19.6                 –    19.6
Past due 0–30 days                   6.6             (0.1)     6.5    14.4             (0.1)    14.3
Past due 31–90 days                  3.7             (0.1)     3.6     6.5             (0.2)     6.3
Past due more than 90 days           2.3             (1.4)     0.9     3.6             (2.2)     1.4
                                    36.9             (1.7)    35.2    44.1             (2.5)    41.6
Other receivables:
Not past due                         1.9                 –     1.9     0.9                 –     0.9
Contract assets:
Not past due                        23.1             (0.2)    22.9    18.0                 –    18.0
Total                               61.9             (1.9)    60.0    63.0             (2.5)    60.5

The Company had no trade receivables (2020: £nil).

The standard period for credit sales varies from 30 days to 60 days. Trade receivables which are over 30 days past due are considered to be credit impaired. The Group assesses creditworthiness of all trade debts on an ongoing basis providing for expected credit losses in line with IFRS 9. The Group has considered credit risk rating grades; these are based on the ageing categories above. Covid-19 has not had a material impact on the collection of trade receivables, and consequently has not materially impacted our forward looking estimates for expected credit losses. New customers are subject to stringent credit checks.

The movement in the expected credit losses of trade and other receivables is as follows:

                                                Group 2021 £m   Group 2020 £m
Balance at 1 June                                       (2.5)           (1.8)
Released/(charged) to the Income Statement                0.8           (0.7)
Balance at 31 May                                       (1.7)           (2.5)

18 Deferred tax assets and liabilities (Group)

Deferred tax assets and liabilities on the Consolidated Statement of Financial Position are offset in accordance with IAS 12.
A summary of this, offset with significant jurisdictions, is shown below:

2021
Asset/(liability)                        UK      US   Netherlands   Denmark   Total
                                         £m      £m            £m        £m      £m
Plant and equipment                     0.6       –           0.3         –     0.9
Short-term temporary differences        0.1     4.5           0.2         –     4.8
IFRS 16 assets/liabilities              0.3     0.2             –         –     0.5
Intangible assets                     (1.7)   (3.9)         (1.9)         –   (7.5)
Share-based payments                    0.7     0.7           0.2         –     1.6
Tax losses                                –       –             –       0.5     0.5
Deferred tax asset/(liability)            –     1.5         (1.2)       0.5     0.8
Analysed as follows:
Non-current assets                        –     1.5             –       0.5     2.0
Non-current liabilities                   –       –         (1.2)         –   (1.2)

2020 (restated) ²
Asset/(liability)                        UK      US   Netherlands   Denmark   Total
                                         £m      £m            £m        £m      £m
Plant and equipment                     0.4     0.1           0.4         –     0.9
Short-term temporary differences        0.1     6.0             –         –     6.1
IFRS 16 assets/liabilities              0.3     0.2           0.1         –     0.6
Intangible assets                     (1.8)   (4.6)         (2.7)         –   (9.1)
Share-based payments                    0.2     0.2           0.1         –     0.5
Tax losses                                –       –             –       0.4     0.4
Deferred tax (liability)/asset        (0.8)     1.9         (2.1)       0.4   (0.6)
Analysed as follows:
Non-current assets                        –     1.9             –       0.4     2.3
Non-current liabilities               (0.8)       –         (2.1)         –   (2.9)

Movement in deferred tax during the year:

                                    1 June 2020   Recognised    Exchange   Recognised   Adjustment to   31 May
                                   (restated) ²    in income differences    in equity opening reserves    2021
                                             £m           £m          £m           £m               £m      £m
Plant and equipment                         0.9            –           –            –                –     0.9
Short-term temporary differences            6.1        (0.8)       (0.5)            –                –     4.8
IFRS 16 assets/liabilities                  0.5            –           –            –                –     0.5
Intangible assets                         (9.0)          0.8         0.7            –                –   (7.5)
Share-based payments                        0.5          0.9       (0.1)          0.3                –     1.6
Tax losses                                  0.4          0.1           –            –                –     0.5
Total                                     (0.6)          1.0         0.1          0.3                –     0.8

                                    1 June 2019   Recognised    Exchange   Recognised   Adjustment to   31 May
                                   (restated) ²    in income differences    in equity opening reserves    2020
                                             £m           £m          £m           £m               £m      £m
Plant and equipment                         0.4          0.5           –            –                –     0.9
Short-term temporary differences            5.1          0.8         0.2            –                –     6.1
IFRS 16 assets/liabilities                    –            –           –            –              0.5     0.5
Intangible assets                        (10.2)          1.4       (0.2)            –                –   (9.0)
Share-based payments                        0.6        (0.1)           –            –                –     0.5
Tax losses                                  0.4            –           –            –                –     0.4
Total                                     (3.7)          2.6           –            –              0.5   (0.6)

The Group has recognised a deferred tax asset of £0.5m (2020: £0.4m) on tax losses as management considers it probable that future taxable profits will be available against which it can be utilised.

The Group has not recognised a deferred tax asset on £25.6m (2020: £13.9m) of tax losses carried forward in the UK (£21.8m), Australia (£2.8m), North America (£0.5m) and Singapore (£0.3m) due to current uncertainties over their future recoverability (and in the case of the UK and North America because of specific legislative restrictions).

A deferred tax asset of £1.0m (2020: £0.8m) in respect of R&D tax claims submitted in North America has been partially provided against due to uncertainty with regard to recoverability; an amount of £0.6m has been provided (2020: £0.8m).

No deferred tax liability is recognised on temporary differences of £0.2m (2020: £0.3m) relating to the unremitted earnings of overseas subsidiaries as the Group is able to control the timing of the reversal of these temporary differences and it is probable that they will not reverse in the foreseeable future.

19 Trade and other payables

                                     Group 2021   Group 2020   Company 2021   Company 2020
                                             £m           £m             £m             £m
Trade payables                              3.3         10.8              –              –
Non-trade payables                          7.9         11.7              –              –
Accruals                                   34.0         23.9              –              –
Amounts owed to Group companies               –            –           13.5           13.0
Total                                      45.2         46.4           13.5           13.0

The carrying value of trade and other payables classified as financial liabilities measured at amortised cost approximates fair value.
20 Lease liabilities

                          Land and buildings   Motor vehicles     Total
                                          £m               £m        £m
At 1 June 2019                          33.6              2.1      35.7
Additions                                9.6              1.1      10.7
Disposals                              (2.9)                –     (2.9)
Lease payments                         (5.4)            (1.1)     (6.5)
Interest expense                         1.1              0.1       1.2
At 1 June 2020                          36.0              2.2      38.2
Additions                                1.3              1.8       3.1
Disposals                              (0.9)                –     (0.9)
Lease payments                         (5.9)            (1.3)     (7.2)
Interest expense                         1.1              0.1       1.2
At 31 May 2021                          31.6              2.8      34.4

Analysed as follows:            2021 £m   2020 £m
Current                             5.1       5.3
Non-current                        29.3      32.9

The maturity of lease liabilities is as follows:

                                2021 £m   2020 £m
Less than one year                  5.1       5.3
Two to five years                  15.8      15.7
More than five years               13.5      17.2
Total lease liabilities            34.4      38.2

The total cash outflow for leases in the year was £7.3m (2020: £7.0m), which consists of £7.2m (2020: £6.5m) lease payments disclosed above and £0.1m (2020: £0.5m) lease payments charged to the Income Statement in respect of short-term leases.

The Group has used its incremental borrowing rate of 3.3% (2020: 3.3%) as the discount rate for the calculation of the lease liabilities.

Some leases contain break clauses or extension options to provide operational flexibility. Potential future undiscounted lease payments not included in the reasonably certain lease term, and hence not included in lease liabilities, total £4.0m (2020: £4.0m).
21 Provisions

                                                      Lease   Loss-making   Onerous property       Other
                                                 incentives     contracts              costs  provisions   Total
                                                         £m            £m                 £m          £m      £m
Balance as at 31 May 2019 and 1 June 2019               4.1             –                4.1           –     8.2
Provision transferred to right-of-use assets
  on implementation of IFRS 16                        (4.1)             –              (2.6)           –   (6.7)
Provisions created in the year                            –           0.2                2.1         0.6     2.9
Provisions utilised during the year                       –             –              (0.7)           –   (0.7)
Balance as at 31 May 2020 and 1 June 2020                 –           0.2                2.9         0.6     3.7
Reclassification to right-of-use assets                   –             –              (1.4)           –   (1.4)
Reclassification                                          –           1.7                  –           –     1.7
Provisions created in the year                            –           1.9                1.0           –     2.9
Provisions utilised during the year                       –         (2.7)              (0.8)       (0.4)   (3.9)
Balance as at 31 May 2021                                 –           1.1                1.7         0.2     3.0
Analysed as follows (2021):
Current                                                   –           1.1                1.1         0.2     2.4
Non-current                                               –             –                0.6           –     0.6
Analysed as follows (2020):
Current                                                   –           0.2                1.2         0.6     2.0
Non-current                                               –             –                1.7           –     1.7

The lease incentives provision represents capital contributions towards fit-out costs and rent-free incentives. In the prior year on the implementation of IFRS 16, the opening provision of £4.1m has been transferred and offset against the associated right-of-use assets.

The loss-making contracts provision represents the estimated remaining net lifetime loss on long-term development and supply contracts and is expected to be completed in 2022. During the year, revenue has been recognised in relation to this long-term contract of £1.8m.

The onerous property costs provision relates to vacant premises in Reading and unused floors in the Manchester head office building. In the prior year on the implementation of IFRS 16, the opening provision of £2.6m relating to the onerous rent costs has been transferred and offset against the associated right-of-use asset.
The provision of £1.7m (2020: £2.9m) at 31 May 2021 includes £1.2m (2020: £2.5m) of non-rent costs relating to the onerous properties including service charges and insurance and also the estimated costs of disposing or terminating these leases which includes rent incentives, renovation costs and letting fees. The provision at 31 May 2021 also includes estimated dilapidations liabilities of £0.5m (2020: £0.4m) relating to the Group’s leased premises. Both of these provisions are expected to unwind over the period of the relevant leases (2021–2034).

Other provisions of £0.2m (2020: £0.6m) include reorganisation costs to which the Group was committed at the Balance Sheet date and are expected to be incurred within the next financial year.

22 Contract liabilities – deferred revenue

Deferred revenue represents advanced consideration received from customers, for which revenue is recognised over time. Deferred revenue is analysed as follows and is considered a contract liability:

Analysed as follows:       Group 2021 £m   Group 2020 £m
Current                             43.6            39.5
Non-current                          0.7             1.4
                                    44.3            40.9

Revenue recognised in the year ended 31 May 2021 that was included in the contract liability at 1 June 2020 amounted to £39.5m (2020: £35.3m). The Group has taken advantage of the IFRS 15 practical expedient not to disclose when revenue will unwind for all contracts less than 12 months in length. The increase in deferred revenue in the year is due to the growth of the Assurance division.

23 Contract balances

The following table provides information about receivables, contract assets and contract liabilities from contracts with customers.
                                                                  Note   Group 2021 £m   Group 2020 £m
Receivables, which are included in trade and other receivables      17            35.2            41.6
Contract assets – accrued income                                    17            22.9            18.0
Contract costs – costs to obtain                                    17             0.4             0.4
Contract costs – costs to fulfil an onerous contract                17               –             2.1
Contract liabilities – deferred income                              22          (44.3)          (40.9)

Receivables represent invoiced services usually payable within 30 days whereby performance obligations have been satisfied.

Accrued income represents the Group’s rights to consideration for work completed but not billed at the reporting date. Remaining balances are transferred to receivables when the rights become unconditional. Credit losses of £0.1m (2020: £nil) have been recognised in respect of contract assets. The increase in accrued income in the year is due to the growth of the Assurance division.

The contract assets were not impacted by any impairment charge. The contract assets are transferred to receivables when the rights become unconditional. This usually occurs when the Group issues an invoice to the customer. Invoices usually become payable within 30 days.

The contract costs to obtain of £0.4m (2020: £0.4m) represent incremental sales commissions to obtain specific contracts.

The contract costs to fulfil represent recoverable costs relating to future performance obligations and economic benefits to the customer in relation to a long-term onerous contract.

Contract liabilities primarily relate to advanced consideration received from customers, for which revenue is recognised over time in line with the respective performance obligation.

No information is provided about remaining performance obligations at 31 May 2021 or at 31 May 2020 that have an original expected duration of one year or less, as allowed by IFRS 15.
24 Cash and cash equivalents and borrowings

Cash and cash equivalents

Cash and cash equivalents comprise:

                                  Group 2021   Group 2020   Company 2021   Company 2020
                                          £m           £m             £m             £m
Cash at bank and in hand               116.5         95.0            0.6            6.8

Borrowings are analysed as follows:

                                  Maturity   Group 2021   Group 2020   Company 2021   Company 2020
                                                     £m           £m             £m             £m
Non-current liabilities:
Revolving credit facility             2024         33.2         99.2              –              –
Total borrowings                                   33.2         99.2              –              –

The maturity profile is as follows:

                                  Group 2021   Group 2020   Company 2021   Company 2020
                                          £m           £m             £m             £m
Less than one year                         –            –              –              –
Two to five years                       33.2         99.2              –              –
Total borrowings                        33.2         99.2              –              –

In June 2019, the Group renegotiated its previous term loan and multi-currency revolving credit facilities into a new fully revolving credit facility (RCF) of £100m with a new five year term up to June 2024, on similar terms (pricing and covenants). The interest payable on drawn down funds ranges from 0.9% to 2.0% above LIBOR subject to the Group’s leverage (net debt ¹ to Adjusted EBITDA ¹) ratio. Under the new arrangements, the Group can request an additional accordion facility to increase the total size of the revolving credit facility by up to £75m.

The Group is required to comply with financial covenants for leverage (net debt ¹ to Adjusted EBITDA ¹), interest cover (Adjusted EBITDA ¹ to interest charge) and provisions relating to guarantor coverage such that guarantors must exceed a prescribed threshold of the Group’s gross assets and Adjusted EBITDA ¹. Covenants are tested bi-annually at 31 May and 30 November each year.

Arrangement fees incurred of £1.0m are being amortised over the term. Since the new facility is on broadly similar pricing terms to the previous facility, the refinancing has been accounted for as a non-substantial modification with no gain or loss arising on modification.

On 12 May 2021, the Group entered into a new Term Loan Facility Agreement.
The facility made available under the Facility Agreement (the ‘Term Facility’) is a $70m amortising term loan facility, to fund the acquisition of the IPM Software Resilience business. The rate of interest on each loan under the Term Facility is the percentage rate per annum which is equal to the aggregate of a compounded rate based on the secured overnight financing rate (SOFR) administered by the Federal Reserve Bank of New York and the margin (based on a leverage ratchet varying from 1.40% to 2.65% per annum). The Term Facility is repaid in annual instalments of $23.3m on each of 10 June 2022 and 10 June 2023, with a final instalment of $23.4m payable on 10 June 2024. Arrangement fees incurred of £0.3m will be amortised over the term. The Term Facility Agreement also contains financial covenants relating to leverage and interest cover and provisions relating to guarantor coverage consistent with the RCF. The RCF is drawn in short to medium-term tranches of debt that are repayable within 12 months of draw-down. These tranches of debt can be rolled over provided certain conditions are met, including compliance with all loan terms. The Group considers that it is highly unlikely it would not be in compliance and therefore be unable to exercise its right to roll over the debt. The Directors therefore believe that the Group has the ability and the intent to roll over the drawn RCF amounts when due and consequently has presented the RCF as a non-current liability. As at 31 May 2021, the Group had committed bank facilities of £149.3m (2020: £100.0m), of which £33.8m (2020: £100.0m) had been drawn under these facilities, leaving £115.5m (2020: £nil) of undrawn facilities. Unamortised arrangement fees of £0.6m (2020: £0.8m) have been offset against the amounts drawn down, resulting in a carrying value of borrowings at 31 May 2021 of £33.2m (2020: £99.2m). The fair value of borrowings is not materially different to its amortised cost. 
25 Financial instruments

Loans and borrowings

                                                      Group 2021   Group 2020   Company 2021   Company 2020
                                                              £m           £m             £m             £m
Non-current
Variable rate:
Revolving credit facility                                 (33.2)       (99.2)              –              –
Bank term loan                                                 –            –              –              –
                                                          (33.2)       (99.2)              –              –
Current
Variable rate:
Bank term loan                                                 –            –              –              –
                                                               –            –              –              –
Total loans and borrowings (excluding lease
  liabilities)                                            (33.2)       (99.2)              –              –
Cash                                                       116.5         95.0            0.6            6.8
Net cash/(debt) ¹ (excluding lease liabilities)             83.3        (4.2)            0.6            6.8
Non-current
Lease liabilities                                         (29.3)       (32.9)              –              –
Current
Lease liabilities                                          (5.1)        (5.3)              –              –
Net cash/(debt) ¹                                           48.9       (42.4)            0.6            6.8

Reconciliation of movements in liabilities to cash flows arising from financing activities

Group                                            2021 £m   2020 £m
Revolving credit facility/bank term loan:
Drawdown on facility                                12.0      44.3
Repayment of facility                             (72.4)         –
Transaction costs                                      –     (1.0)
Release of deferred arrangement fees                 0.2       0.2
Foreign exchange movement                          (5.8)       0.6
Movement in borrowings                            (66.0)      44.1
IFRS 16 lease liability:
IFRS 16 transition adjustment                          –      35.7
New leases entered into                              3.1      10.7
Leases terminated                                  (0.9)     (2.9)
Principal element of lease payments                (6.0)     (5.3)
Interest element of lease payments                 (1.2)     (1.2)
Interest cost (non-cash)                             1.2       1.2
Movement in lease liabilities                      (3.8)      38.2

Financial risk management

The Group has exposure to the following risks from its use of financial instruments:

• Credit risk
• Liquidity risk
• Currency risk
• Interest rate risk

The Board has overall responsibility for establishing appropriate management of exposure to risk. The Audit Committee oversees how management identifies and addresses risks to the Group.
Capital management

The Board’s policy is to maintain a strong capital base so as to maintain investor, creditor and market confidence and to sustain future development of the business. The Group monitors capital on the basis of the gearing ratio. This ratio is calculated as net cash/(debt) ¹ divided by total capital. Net cash/(debt) ¹ is calculated as total borrowings as shown in the Consolidated Balance Sheet, less cash and cash equivalents. Total capital is calculated as equity, as shown in the Consolidated Balance Sheet, plus net debt ¹. As at 31 May 2021 the Group’s gearing ratio was (45.5)% (2020: 1.9%).

Financial instruments policy

All instruments utilised by the Company and Group are for financing purposes. The financial management and treasury activities of the Group are controlled centrally for all operations with local finance teams responsible for day-to-day banking activities.

Fair value of financial instruments

As at 31 May 2021 the Group and Company had no other financial instruments other than those disclosed below. In addition, no embedded derivatives have been identified. There have been no transfers between levels in the year.

The following table presents the Group’s financial assets and liabilities that are measured at fair value by level of fair value hierarchy:

• Quoted prices (unadjusted) in active markets for identical assets or liabilities (level 1)
• Inputs other than quoted prices included within level 1 that are observable for the asset or liability, either directly (that is, as prices) or indirectly (that is, derived from prices) (level 2)
• Inputs for the asset or liability that are not based on observable market data (unobservable inputs) (level 3)

Borrowings are held at amortised cost which is considered to equate to fair value.
All other assets and liabilities are held at either fair value or their carrying value which approximates to fair value.

                                                                   2021                          2020
                                                         Level 1  Level 2  Level 3     Level 1  Level 2  Level 3
                                                              £m       £m       £m          £m       £m       £m
Financial assets at fair value through profit or loss          –      0.3        –           –      0.3        –
Derivative financial instruments – cash flow hedge             –    (0.8)        –           –        –        –
Total financial instruments                                    –    (0.5)        –           –      0.3        –

Credit risk

Credit risk is the risk of financial loss to the Group if a customer or counterparty to a financial instrument fails to meet its contractual obligations and arises principally from the Group’s receivables from customers. The Group’s exposure to credit risk is influenced mainly by the individual characteristics of each customer.

Exposure to credit risk

The carrying value of financial assets represents the maximum credit exposure. The maximum exposure to credit risk at the reporting date was:

                                  Group 2021   Group 2020   Company 2021   Company 2020
                                          £m           £m             £m             £m
Trade receivables                       35.2         41.6              –              –
Other receivables                        1.9          0.9              –              –
Accrued income                          22.9         18.0              –              –
Cash and cash equivalents              116.5         95.0            0.6            6.8
Total                                  176.5        155.5            0.6            6.8

The maximum exposure to credit risk for trade receivables and other receivables at the reporting date by geographic region was:

Debtors by geographical segment   Group 2021   Group 2020 (restated) ²   Company 2021   Company 2020
                                          £m                        £m             £m             £m
UK and APAC *                           17.0                      21.9              –              –
North America                           11.0                      13.5              –              –
Europe                                   9.1                       7.1              –              –
Total                                   37.1                      42.5              –              –

* With the continuing growth and formation of a European division we have changed geographical segments in line with how this information is reported to the Board and managed on an ongoing basis and have restated prior year figures on a like-for-like basis. The APAC division was previously included within the segment Europe and APAC.
The maximum exposure to credit risk at the reporting date by business segment was:

Debtors by business segment       Group 2021   Group 2020   Company 2021   Company 2020
                                          £m           £m             £m             £m
Assurance                               30.0         35.4              –              –
Software Resilience                      7.1          7.1              –              –
Total                                   37.1         42.5              –              –

The trade receivables of the Group typically comprise many amounts due from a large number of customers and represent a spread of industry sectors. The largest amount due from a single customer at the reporting date represented 3.9% (2020: 9.2%) of total Group receivables. The prior year figure is considered to be exceptionally high due to a high value of sales in the latter part of the year ended 31 May 2020 which were substantially settled by cash receipts.

All of the Group’s cash is held with financial institutions of high credit rating.

The provisions in respect of trade receivables are used to record expected credit losses. The Group has dedicated credit control teams which regularly review customer debt balances to assess the risk of recovery.

Liquidity risk

Liquidity risk is the risk that the Group will not be able to meet its financial obligations as they fall due. The Group manages and minimises liquidity risk by using global cash management solutions and actively monitoring both actual and projected cash outflows to ensure that it will have sufficient liquidity to meet its liabilities when due and have headroom to provide against unforeseen obligations.

In response to Covid-19, the Group has undertaken regular detailed reviews of both the potential short-term effects of the pandemic on working capital and the longer-term forecast liquidity position.
Cash collections have remained strong and, though the Group took advantage of governmental tax payment deferrals during the year, these have been unwound as at 31 May 2021. Longer term, the Group has assessed its liquidity forecast as part of the viability assessment and its ability to continue trading as a going concern. For further detail on the Group’s assessment of liquidity risk refer to the Viability Statement on page 48.

The following are the contractual maturities of financial liabilities, including interest payments, of the Group:

| At 31 May 2021 | Carrying amount £m | Contractual cash flows £m | <1 year £m | 1–2 years £m | 2+ years £m | 5+ years £m |
| Borrowings | (33.2) | (34.7) | (0.3) | (0.3) | (34.1) | – |
| Lease liabilities | (34.4) | (39.6) | (6.3) | (5.7) | (12.8) | (14.8) |
| Trade and other payables | (45.2) | (45.2) | (45.2) | – | – | – |

| At 31 May 2020 | Carrying amount £m | Contractual cash flows £m | <1 year £m | 1–2 years £m | 2+ years £m | 5+ years £m |
| Borrowings | (99.2) | (104.4) | (1.1) | (1.1) | (102.2) | – |
| Lease liabilities | (38.2) | (44.8) | (6.4) | (5.6) | (13.5) | (19.3) |
| Trade and other payables | (46.4) | (46.4) | (46.4) | – | – | – |

The contractual cash flows for borrowings disclosed above relate to the Group’s RCF facility, which terminates in June 2024. The contractual cash flows include an estimate of the interest payable based on the assumption that the facility was fully drawn at £100m, and is calculated based on SONIA plus a margin of 0.9% based on the current leverage ratio.

Currency risk
The Group is exposed to currency risk on sales, purchases, cash and borrowings that are denominated in a currency other than the respective functional and presentational currency of the Group. The Group’s management reviews the size and probable timing of settlement of all financial assets and liabilities denominated in foreign currencies.
The Group’s exposure to currency risk is as follows:

| 2021 | Sterling £m | EUR £m | USD £m | Other £m | Total £m |
| Trade receivables | 14.8 | 9.1 | 10.4 | 0.9 | 35.2 |
| Other receivables | 0.8 | – | 0.6 | 0.5 | 1.9 |
| Cash and cash equivalents | 85.0 | 16.1 | 7.3 | 8.1 | 116.5 |
| Borrowings | (30.4) | – | (2.8) | – | (33.2) |
| Lease liabilities | (21.5) | (2.1) | (8.6) | (2.2) | (34.4) |
| Trade and other payables | (27.3) | (7.6) | (6.9) | (3.4) | (45.2) |
| Total | 21.4 | 15.5 | – | 3.9 | 40.8 |

| 2020 | Sterling £m | EUR £m | USD £m | Other £m | Total £m |
| Trade receivables | 16.9 | 5.0 | 17.6 | 2.1 | 41.6 |
| Other receivables | 0.7 | – | – | 0.2 | 0.9 |
| Cash and cash equivalents | 30.3 | 17.7 | 40.0 | 7.0 | 95.0 |
| Borrowings | (49.9) | – | (49.3) | – | (99.2) |
| Lease liabilities | (24.2) | (2.5) | (10.6) | (0.9) | (38.2) |
| Trade and other payables | (20.9) | (13.2) | (9.0) | (3.3) | (46.4) |
| Total | (47.1) | 7.0 | (11.3) | 5.1 | (46.3) |

A change in exchange rate of 10% would have an impact of £15.2m (2020: £14.8m) on revenue, £2.7m (2020: £1.9m) on operating profit, £8.1m (2020: £7.9m) on net assets and £0.3m (2020: £4.9m) on borrowings.

The Group’s risk management policy is to hedge foreign currency exposure in respect of significant material transactions that may arise from time to time. At 31 May 2021, the Group had entered into one cash flow hedge in respect of funds to be used as part of the acquisition of the IPM Software Resilience business. The Group uses forward exchange contracts to hedge its currency risk, which are short term in nature to match the maturity of the hedged item. These contracts are generally designated as cash flow hedges. The Group designates the spot element of forward foreign exchange contracts to hedge its currency risk and applies a hedge ratio of 1:1. The forward elements of forward exchange contracts are excluded from the designation of the hedging instrument and are separately accounted for as a cost of hedging, which is recognised in equity in a cost of hedging reserve. The Group’s policy is for the critical terms of the forward exchange contracts to align with the hedged item.
The Group determines the existence of an economic relationship between the hedging instrument and hedged item based on the currency, amount and timing of their respective cash flows. Given the short-term nature of these hedges there is limited risk of ineffectiveness. At 31 May 2021, the Group held the following instruments to hedge exposures to changes in foreign currency rates, all of which were due to mature within one month of the Balance Sheet date.

| Forward exchange contracts | 2021 £m | 2020 £m |
| Net exposure (£m) | 70.7 | – |
| Average GBP:USD forward contract rate | 1.402205 | – |

Interest rate risk
The Group and Company finance their operations through a combination of retained profits and bank borrowings. The Group borrows and invests surplus cash at floating rates of interest based upon bank base rate. The cash and cash equivalents of the Group and Company at the end of the financial year were as follows:

| Group | 2021 £m | 2020 £m |
| Sterling denominated financial assets | 85.0 | 30.3 |
| Euro denominated financial assets | 16.1 | 17.7 |
| US Dollar denominated financial assets | 7.3 | 40.0 |
| Other denominated financial assets | 8.1 | 7.0 |
| Total | 116.5 | 95.0 |

The financial assets and liabilities of the Company at the end of the financial year were as follows:

| Company | 2021 £m | 2020 £m |
| Financial assets | | |
| Sterling denominated financial assets | 0.6 | 6.8 |
| Amounts owed by Group undertakings | 162.6 | 142.0 |
| Total | 163.2 | 148.8 |
| Financial liabilities | | |
| Amounts owed to Group undertakings | 13.5 | 13.0 |
| Total | 13.5 | 13.0 |

A change of 100 basis points in interest rates would result in a difference in annual pre-tax profit of £0.3m (2020: £1.0m). The Directors do not consider that the LIBOR reform will impact the Group significantly in the medium term, apart from a change in the benchmark used within the Group’s borrowing facilities.
The financial liabilities of the Group and their maturity profile are as follows:

| 2021 | Sterling £m | EUR £m | USD £m | Other £m | Total £m |
| Less than one year | (29.5) | (8.4) | (8.3) | (4.1) | (50.3) |
| Two to five years | (39.8) | (1.2) | (8.4) | (1.5) | (50.9) |
| More than five years | (10.0) | – | (1.6) | – | (11.6) |
| Total | (79.3) | (9.6) | (18.3) | (5.6) | (112.8) |

| 2020 | Sterling £m | EUR £m | USD £m | Other £m | Total £m |
| Less than one year | (23.6) | (14.1) | (10.4) | (3.6) | (51.7) |
| Two to five years | (57.9) | (1.5) | (55.0) | (0.5) | (114.9) |
| More than five years | (13.5) | (0.1) | (3.5) | (0.1) | (17.2) |
| Total | (95.0) | (15.7) | (68.9) | (4.2) | (183.8) |

26 Share-based payments
The Company has a number of share option schemes under which options to subscribe for the Company’s shares have been granted to Directors and employees, details of which are illustrated in the tables below. Expected term of options represents the period over which the fair value calculations are based.

The share-based payment charge for the year was £2.8m (2020: £1.4m) of which £2.3m (2020: £1.3m) related to equity settled payments and £0.5m (2020: £0.1m) to cash settled payments. The share-based payments charge increased during the year due to the introduction of new schemes in the year with a higher fair value than historical schemes that have reached maturity in the current year.

Company Share Option (CSOP) scheme – equity settled
Under the CSOP scheme, options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum. Options granted in September 2019 do not have any performance criteria.
| Date of grant | Expected term of options | Exercisable between | Exercise price | 2021 Number outstanding |
| July 2012 | 7 years | July 2015–July 2022 | £1.36 | 58,812 |
| August 2018 | 7 years | August 2021–August 2028 | £2.20 | 49,995 |
| August 2018 | 7 years | August 2021–August 2028 | £2.20 | 18,180 |
| September 2019 | 7 years | September 2022–September 2029 | £1.79 | 363,106 |

Sharesave schemes – equity settled
The Company operates sharesave schemes, which are available to all employees based in the UK, the Netherlands, Denmark, Spain and Australia, and full-time Executive Directors of the Company and its subsidiaries who have worked for a qualifying period.

| Date of grant | Expected term of options | Exercisable between | Exercise price | 2021 Number outstanding |
| August 2017 | 3 years | October 2020–March 2021 | £1.56 | 17,352 |
| March 2018 | 3 years | May 2021–October 2021 | £1.58 | 4,488 |
| August 2018 | 3 years | October 2021–March 2022 | £1.75 | 372,284 |
| March 2019 | 3 years | May 2022–October 2022 | £0.99 | 290,598 |
| March 2020 | 3 years | May 2023–October 2023 | £1.84 | 641,870 |
| March 2020 | 3 years | May 2023–October 2023 | £1.84 | 324,827 |
| May 2021 | 3 years | July 2023–December 2023 | £2.15 | 194,391 |
| May 2021 | 3 years | July 2023–December 2023 | £2.15 | 1,053,110 |

Employee stock purchase plan – equity settled
The Company operates a stock purchase plan, which is available to all US-based employees who have worked for a qualifying period. All options are to be settled by equity. Under the scheme the following options have been granted and are outstanding at year end.

| Date of grant | Expected term of options | Exercisable in | Exercise price | 2021 Number outstanding |
| February 2020 | 1 year | February 2021 | £1.93 | 439,735 |
| May 2021 | 1 year | May 2022 | £2.15 | 249,580 |

Incentive Stock Option (ISO) scheme – equity settled
Under the ISO scheme, options granted will be subject to performance criteria.
Options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum.

| Date of grant | Expected term of options | Exercisable between | Exercise price | 2021 Number outstanding |
| August 2018 | 7 years | August 2021–August 2028 | £2.22 | 9,016 |
| September 2019 | 7 years | September 2022–September 2029 | £1.82 | 65,928 |

Long Term Investment Plan (LTIP) schemes – equity settled
Options granted on or after November 2017 have three separate vesting conditions as set out below:
• 60% will vest based on achieving an increase in Group EPS of 9% over three years. If growth is equal to 20% or more per annum then 100% of the award will vest. If, however, growth is less than 9% per annum, none of the award will vest. Between these two points, vesting is determined on a straight-line basis
• 30% will vest based on achieving a cash conversion ratio ¹ expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion ¹ is greater than or equal to 80% per annum then 100% of the award will vest. If, however, cash conversion is less than 70% per annum, none of the award will vest. Between these two points, vesting is determined on a straight-line basis
• 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award will vest. If the TSR is within the upper quartile or above, 100% of the award will vest; between the median and upper quartile, vesting is determined on a straight-line basis

| Date of grant | Expected term of options | Exercisable between | Exercise price | 2021 Number outstanding |
| August 2018 | 3 years | June 2021–August 2021 | £nil * | 860,611 |
| September 2019 | 3 years | June 2022–August 2022 | £nil * | 1,129,172 |
| March 2020 | 3 years | June 2022–August 2022 | £nil * | 194,116 |
| May 2021 | 3 years | June 2023–August 2023 | £nil | 682,427 |

* The option exercise price is £nil; however, £1 is payable on each occasion of exercise.

Restricted State Unit (RSU) schemes – equity settled
Options granted related to the RSU schemes on or after August 2018 have three separate vesting conditions as set out below:
• 60% will vest based on achieving an increase in Group EPS of 9% over three years. If growth is equal to 20% or more per annum then 100% of the award will vest. If, however, growth is less than 9% per annum, none of the award will vest. Between these two points, vesting is determined on a straight-line basis
• 30% will vest based on achieving a cash conversion ratio ¹ expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion ¹ is greater than or equal to 80% per annum then 100% of the award will vest. If, however, cash conversion is less than 70% per annum, none of the award will vest. Between these two points, vesting is determined on a straight-line basis
• 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award will vest. If the TSR is within the upper quartile or above, 100% of the award will vest; between the median and upper quartile, vesting is determined on a straight-line basis

The options are to be settled in equity.
| Date of grant | Expected term of options | Exercisable between | Exercise price | 2021 Number outstanding |
| August 2018 | 3 years | June 2021–August 2021 | £0.01 | 227,501 |
| September 2019 | 3 years | June 2022–August 2022 | £0.01 | 639,465 |
| May 2021 | 3 years | June 2023–August 2023 | £0.01 | 138,554 |

Restricted Share Plan (RSP) – equity settled
The vesting condition for the award of RSPs relates to colleagues remaining with the Group for a certain period of time, namely two years to receive 50% of the award, and a further year to receive the remaining 50%. There are no other performance conditions.

| Date of grant | Expected term of options | Exercisable between | Exercise price | 2021 Number outstanding |
| 28 May 2021 | 2/3 years | 50% exercisable August 2022 to August 2031, 50% exercisable August 2023 to August 2031 | Nil (£0.01 in the US and Canada) | 1,200,000 |

Deferred share scheme – equity settled

| Date of grant | Expected term of options | Exercisable between | Exercise price | 2021 Number outstanding |
| September 2019 | 2 years | June 2021–August 2029 | £nil * | 61,694 |
| May 2021 | 2 years | August 2022–April 2031 | £nil | 18,937 |

* The option exercise price is £nil; however, £1 is payable on each occasion of exercise.

Phantom schemes – cash settled
Phantom schemes are used to allow the grant of LTIPs to members of the Executive Committee based in certain overseas locations at a time when the Group’s option scheme rules were not structured to allow overseas grants. The vesting conditions for the award of the phantom schemes, related to options granted in August 2016, relate to growth in the Group’s EPS over the performance period. If growth is equal to 25% or more per annum then 100% of the award will vest. If, however, growth is less than 10% per annum, none of the award will vest. Between these two points, vesting is determined on a straight-line basis.
Options granted in October 2017 and November 2017 have three separate vesting conditions as set out below:
• 60% will vest based on achieving an increase in Group EPS of 9%. If growth is equal to 20% or more per annum then 100% of the award will vest. If, however, growth is less than 9% per annum, none of the award will vest. Between these two points, vesting is determined on a straight-line basis
• 30% will vest based on achieving a cash conversion ratio ¹ expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion ¹ is greater than or equal to 80% per annum then 100% of the award will vest. If, however, cash conversion is less than 70% per annum, none of the award will vest. Between these two points, vesting is determined on a straight-line basis
• 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group 20% of the award will vest; below this level, none of the award will vest. If the TSR is within the upper quartile or above, 100% of the award will vest; between the median and upper quartile, vesting is determined on a straight-line basis

Options granted in September 2019 do not have any performance criteria.

| Date of grant | Expected term of options | Exercisable between | Exercise price | 2021 Number outstanding |
| October 2017 | 3 years | June 2020–October 2021 | £nil * | 113,120 |
| November 2017 | 3 years | June 2020–November 2021 | £nil * | 8,189 |
| September 2019 | 3 years | September 2022–September 2023 | £nil * | 67,036 |

* The option exercise price is £nil; however, £1 is payable on each occasion of exercise.

Measurement of fair values
The fair value of services received in return for share options is calculated with reference to the fair value of the award on the date of grant.
The fair value is spread over the period during which the employee becomes unconditionally entitled to the award, adjusted to reflect actual and expected levels of vesting. Black Scholes and binomial models have been used to calculate the fair values of options on their grant date for all options issued after 7 November 2002, which had not vested by 1 January 2005. The assumptions used in the model are illustrated in the table below:

| | Grant date | Fair value at measurement date | Exercise price | Expected volatility | Option expected term | Risk free interest rate |
| CSOP scheme | July 2012–September 2019 | £0.35–£0.63 | £1.36–£2.20 | 35.0–48.0% | 7 years | 0.35–2.75% |
| Sharesave scheme | August 2017–May 2021 | £0.67–£0.88 | £0.99–£2.15 | 39.7–53.2% | 3 years | 0.50–2.20% |
| ESPP scheme | February 2020–May 2021 | £0.55–£0.68 | £1.93–£2.15 | 37.60% | 1 year | 0.50% |
| ISO scheme | August 2018–September 2019 | £0.54–£0.65 | £1.82–£2.22 | 40.7–48.4% | 7 years | 0.38–1.50% |
| LTIP scheme | November 2017–May 2021 | £1.61–£2.87 | £nil * | 37.4–51.5% | 3 years | 0.21–2.00% |
| RSU scheme | August 2018–May 2021 | £1.60–£2.87 | £nil *–£0.01 | 47.6–51.5% | 3 years | 0.32–2.00% |
| RSP scheme | May 2021 | £2.85 | £nil * | N/A | 10 years | N/A |
| Deferred shares | September 2019–May 2021 | £1.84–£2.91 | £nil * | 40.4–55.0% | 2 years | 0.35–1.50% |
| Phantom schemes | October 2017–September 2019 | £1.84–£2.75 | £nil * | 31.0–47.6% | 3 years | 1.81–1.96% |

* The option exercise price is £nil; however, £1 is payable on each occasion of exercise.

The expected volatility has been based on an evaluation of the historical volatility of the Company’s share price, particularly over the historical period commensurate with the expected term. The expected term of the instruments has been based on historical experience and general option holder behaviour. For the options granted in the year ended 31 May 2021, dividend yield assumed at the time of option grant is 2.5% (2020: 2.7%).
Reconciliation of outstanding share options
The options outstanding at 31 May 2021 have an exercise price in the range of £nil to £2.22 (2020: £nil to £2.22) and a weighted average contractual life of three years (2020: three years). The following table illustrates the number and weighted average exercise prices (WAEP) of, and movements in, outstanding share awards during the year:

| | 2021 No (’000) | 2021 WAEP | 2020 No (’000) | 2020 WAEP |
| Outstanding at 1 June | 8,995 | £0.83 | 7,326 | £1.01 |
| Granted during the year | 3,537 | £0.91 | 4,438 | £0.88 |
| Exercised during the year | (1,821) | £0.88 | (1,098) | £1.35 |
| Forfeited in the year | (1,217) | £0.59 | (1,671) | £1.39 |
| Outstanding at 31 May | 9,494 | £0.79 | 8,995 | £0.83 |
| Exercisable at end of year | 363 | £1.13 | 385 | £0.99 |

| Scheme | Number of instruments as at 1 June 2020 | Instruments granted during the year | Options exercised in the year | Forfeitures in the year | Number of instruments as at 31 May 2021 |
| CSOP schemes | 543,584 | – | (22,056) | (31,435) | 490,093 |
| Sharesave/SAYE schemes | 3,363,817 | 1,247,501 | (1,297,852) | (414,546) | 2,898,920 |
| ESPP schemes | 439,735 | 249,580 | – | – | 689,315 |
| ISO schemes | 91,426 | – | – | (16,482) | 74,944 |
| LTIP schemes | 3,173,813 | 682,427 | (381,414) | (608,500) | 2,866,326 |
| RSU schemes | 1,122,146 | 138,554 | (108,945) | (146,235) | 1,005,520 |
| RSP scheme | – | 1,200,000 | – | – | 1,200,000 |
| Deferred shares | 72,687 | 18,937 | (10,993) | – | 80,631 |
| Phantom schemes | 188,345 | – | – | – | 188,345 |
| Total | 8,995,553 | 3,536,999 | (1,821,260) | (1,217,198) | 9,494,094 |

The liability for the cash settled share-based payments at 31 May 2021 was £0.5m (2020: £0.3m).
27 Called up share capital and reserves

| Allotted, called up and fully paid | 2021 Number of shares | 2020 Number of shares | 2021 £m | 2020 £m |
| Ordinary shares of 1p each at the beginning of the year | 278,909,171 | 277,830,625 | 2.8 | 2.8 |
| Ordinary shares of 1p each issued in the year | 30,046,874 | 1,078,546 | 0.3 | – |
| Ordinary shares of 1p each at the end of the year | 308,956,045 | 278,909,171 | 3.1 | 2.8 |

During the year, 2,140,474 (2020: 1,078,546) new ordinary shares of 1p were issued as a result of the exercise of share options. The proceeds of £2.4m (2020: £1.1m) were credited to the share premium account.

During the year, 27,906,400 (2020: nil) new ordinary shares of 1p were issued as part of funding the acquisition of the IPM Software Resilience business. Of the gross proceeds of £72.6m, £72.3m (2020: £nil) were credited to the share premium account net of issue costs of £2.4m. See Note 35 for further details.

As at 31 May 2021, no shares were held in treasury (2020: nil).

Share premium
The share premium account records the difference between the nominal amount of shares issued and the fair value of the consideration received. The share premium account may be used for certain purposes specified by UK law, including to write off expenses incurred on any issue of shares and to pay fully paid bonus shares. The share premium account is not distributable but may be reduced by special resolution of the Company’s ordinary shareholders and with court approval.

Hedging reserve
The hedging reserve comprises the effective portion of the cumulative net change in the fair value of hedging instruments used in cash flow hedges pending subsequent recognition in profit or loss or directly included in the initial cost or other carrying amount of a non-financial asset or non-financial liability.
Merger reserve
The merger reserve arose in 2015 from the acquisition of Accumuli plc through a share-for-share exchange in part consideration for the business.

Currency translation reserve
The results of overseas operations are translated at the average foreign exchange rates for the year, and their balance sheets are translated at the rates prevailing at the Balance Sheet date. Exchange differences arising on the translation of opening net assets and results of overseas operations are recognised in the currency translation reserve. All other exchange differences are included in the Income Statement.

Retained earnings
Retained earnings for the Group are made up of accumulated reserves. For the Company, retained earnings are made up of accumulated reserves and are considered distributable reserves.

28 Profit attributable to members of the Parent Company
The profit for the year dealt with in the accounts of the Parent Company was £25.0m (2020: £6.0m).

29 Other financial commitments
Non-cancellable lease rental costs are payable as follows:

| | 2021 Land and buildings £m | 2021 Other £m | 2020 Land and buildings £m | 2020 Other £m |
| Within one year or less | – | – | 0.1 | – |

The lease commitments disclosed above represent short-term (less than one year) leases only, for which the Group has taken the exemption from accounting for under IFRS 16.

30 Contingencies
There are no contingent liabilities not provided for at the end of the financial year (2020: £nil). Similarly, there are no contingent assets (2020: £nil).

31 Pension scheme
The Group operates a defined contribution pension scheme that is open to all eligible employees. The pension cost charge for the year represents contributions payable by the Group to the fund and amounted to £5.3m (2020: £5.6m). For the Company, the pension cost charge for the year represents contributions payable by the Company to the fund and amounted to £nil (2020: £nil).
32 Related party transactions
The Group’s key management personnel comprise the Directors of the Group. Details of the remuneration paid to key management personnel are as follows:

| Group | 2021 £m | 2020 £m |
| Salary costs (including bonus) | 1.8 | 1.3 |
| Share-based payments | 0.4 | 0.2 |
| Total | 2.2 | 1.5 |

There were no other related party transactions during the year.

33 Investments in subsidiary undertakings

| Company | Shares in Group undertakings £m |
| At 1 June 2019 | 75.2 |
| Increase in subsidiary investment for share-based charges | 3.1 |
| At 31 May 2020 | 78.3 |
| Increase in subsidiary investment for share-based charges | 2.8 |
| Investment in subsidiary undertakings | 70.7 |
| At 31 May 2021 | 151.8 |

On 26 May 2021, the Company acquired 70,700,000 ordinary shares of £0.01 in NCC Group Holdings Limited for a consideration of £70,700,000. Fixed asset investments are recognised at cost.

The undertakings in which the Company has a 100% interest at 31 May 2021 are as follows:

| Subsidiary undertakings | Country of incorporation | Principal activity | Registered office |
| NCC Group Holdings Limited | England and Wales | Holding company | XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ (XYZ) |
| NCC Group (Solutions) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Corporate Limited | England and Wales | Corporate cost centre | XYZ 1 |
| NCC Group Finance Limited | England and Wales | Financing company | XYZ 1 |
| The National Computing Centre Limited | England and Wales | Dormant | XYZ 1 |
| NCC Group Software Resilience Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Software Resilience (UK) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Services Limited | England and Wales | Software Resilience and central/head office costs | XYZ 1 |
| NCC Group Escrow Limited | England and Wales | Dormant | XYZ 1 |
| NCC Group Software Resilience (Europe) BV | Netherlands | Holding company | Van Heuven Goedhartlaan 13A, 1181LE Amstelveen, the Netherlands |
| NCC Group GmbH | Germany | Software Resilience | c/o Deloitte Legal Rechtsanwaltsgesellschaft mbH, Rosenheimer Platz 6, 81669, Munich, Bavaria, Germany |
| NCC Group Escrow Europe BV | Netherlands | Software Resilience | Van Heuven Goedhartlaan 13A, 1181LE Amstelveen, the Netherlands |
| NCC Group Escrow Europe (Switzerland) AG | Switzerland | Software Resilience | Ibelweg 18A, 6300 Zug, Switzerland |
| NCC Group Software Resilience (MEA-APAC) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group FZ-LLC | United Arab Emirates | Software Resilience | Office 30, Building 16, Dubai Internet City, Dubai, UAE |
| NCC Group Cyber Security Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Cyber Security (UK) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Security Services Limited | England and Wales | Assurance | XYZ 1 |
| NCC Group Audit Limited | England and Wales | Assurance | XYZ 1 |
| ArmstrongAdams Limited | England and Wales | Assurance | XYZ 1 |
| NCC Group Signify Solutions Limited | England and Wales | Assurance | XYZ 1 |
| NCC Group Accumuli Security Limited | England and Wales | Assurance | XYZ 1 |
| NCC Group Cyber Security (Europe) BV | Netherlands | Holding company | Van Heuven Goedhartlaan 13A, 1181LE Amstelveen, the Netherlands |
| NCC Group A/S | Denmark | Assurance | 2nd Floor, Svanevej 12, DK–2400 København NV, Denmark |
| NCC Group UAB | Lithuania | Assurance | Vilnius, Jogailos st. 9, Lithuania |
| NCC Group Security Services Espana SLU | Spain | Assurance | Calle Serrano Galvache, 56, Edificio Abedul, 4a planta, 28033 Madrid, Spain |
| Cyber Assurance Sweden AB | Sweden | Assurance | c/o Advokatfirman Delphi, P.O. Box 1432, 111 84 Stockholm |
| Fox-IT Holding B.V. | Netherlands | Holding company | Olof Palmestraat 6, 2616 LM Delft, the Netherlands (Fox-IT 3) |
| Fox-IT Group B.V. | Netherlands | Holding company | Fox-IT 3 |
| Fox-IT B.V. | Netherlands | Assurance | Fox-IT 3 |
| Fox-IT Operations B.V. | Netherlands | Assurance | Fox-IT 3 |
| Fox Crypto B.V. | Netherlands | Assurance | Fox-IT 3 |
| NCC Group Cyber Security (APAC) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Pte Limited | Singapore | Assurance | 20 Collyer Quay, #19-03, Singapore (049319) |
| NCC Group Pty Limited | Australia | Assurance | Level 13, 92 Pitt Street, Sydney NSW 2000, Australia |
| NCC Group Japan KK | Japan | Assurance | Level 18, Yesibu Garden Place Tower, 4-20-3 Ebisu Shibuya-Ku, Tokyo |
| NCC Group (Americas) Inc. | USA | Holding company | 650 California Street, Suite 2950, San Francisco, CA 94108, USA (North America HQ 2) |
| NCC Group, LLC | USA | Software Resilience and central/head office costs | North America HQ 2 |
| NCC Group Cyber Security (Americas), LLC | USA | Holding company | North America HQ 2 |
| NCC Group Security Services, Inc. | USA | Assurance | North America HQ 2 |
| NCC Group Secure Registrar, Inc. | USA | Domain services | North America HQ 2 |
| NCC Group Domain Services, Inc. | USA | Domain services | North America HQ 2 |
| NCC Group Security Services Corporation | Canada | Assurance | 2800 Park Place, 666 Burrard Street, Vancouver, BC V6C 2Z7, Canada |
| Payment Software Company, Inc. | USA | Assurance | North America HQ 2 |
| Payment Software Company Limited | England and Wales | Assurance | XYZ 1 |
| NCC Group Software Resilience (Americas), LLC | USA | Holding company | North America HQ 2 |
| NCC Group Escrow Associates, LLC | USA | Software Resilience | North America HQ 2 |
| NCC Group Software Resilience (NA), LLC | USA | Software Resilience | North America HQ 2 |

The undertakings in which the Company holds less than a 100% interest at the year end are as follows:

| Undertaking | % interest | Country of incorporation | Principal activity |
| Deposit AB | 24% | Sweden | Software Resilience |

The Directors consider the above ownership structure and no Board representation give rise to no significant influence over the undertaking. Accordingly, the undertaking has not been consolidated.

1: 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ.
2: 650 California Street, Suite 2950, San Francisco, CA 94108, USA.
3: Olof Palmestraat 6, 2616 LM Delft, the Netherlands.

34 Prior year restatement
In April 2021, the IFRS Interpretations Committee (IFRIC) published an agenda decision on the clarification of accounting in relation to the configuration and customisation costs incurred in implementing Software-as-a-Service (SaaS) as follows:
• Amounts paid to the cloud vendor for configuration and customisation that are not distinct from access to the cloud software are expensed over the SaaS contract term
• In limited circumstances, other configuration and customisation costs incurred in implementing SaaS arrangements may give rise to an identifiable intangible asset, for example, where code is created that is controlled by the entity
• In all other instances, configuration and customisation costs will be expensed as the customisation and configuration services are received

Due to the nature of this agenda decision and the level of spend incurred in relation to the Group’s Securing Growth Together digital transformation programme, the Group’s accounting policy in relation to such customisation and configuration costs has been reviewed and changed to align with the IFRIC guidance issued in relation to Software-as-a-Service (SaaS) costs previously capitalised. The restatement represents a non-cash adjustment. The revision to the accounting policy has been accounted for retrospectively resulting in a prior year restatement.

The Group identified £17.8m additions made in the years ending 31 May 2019 and 31 May 2020 in relation to software and development costs. £7.9m of these costs capitalised for the year ended 31 May 2020 related to cloud computing arrangements that should be expensed after the consideration of the IFRIC guidance and a further £3.6m for the year ended 31 May 2019. In relation to the year ended 31 May 2020 assets, £1.4m of amortisation was charged, which is to be reversed. A further £0.2m of costs capitalised are to be reclassified to prepayments. These costs give rise to a reduction in the tax charge for the year ended 31 May 2020 of £1.2m and a corresponding increase in the Group’s deferred tax asset.
The affected financial statement line items are as follows:

31 May 2020 | 31 May 2020 (previously reported) £m | Restatement £m | 31 May 2020 (restated) £m
Income Statement impact
Depreciation and amortisation | (25.0) | 1.4 | (23.6)
Individually Significant Items – expense cloud configuration and customisation costs previously capitalised | – | (7.9) | (7.9)
Operating profit | 19.1 | (6.5) | 12.6
Profit before taxation | 16.1 | (6.5) | 9.6
Taxation | (4.4) | 1.2 | (3.2)
Profit for the year | 11.7 | (5.3) | 6.4
Basic EPS | 4.2p | (1.9p) | 2.3p
Diluted EPS | 4.2p | (1.9p) | 2.3p
Balance Sheet impact
Expense cloud configuration and customisation costs previously capitalised | – | (11.5) | (11.5)
Amounts reclassified to prepayments in relation to cloud computing arrangements (restated) | – | (0.2) | (0.2)
Reversal of amortisation on cloud configuration and customisation costs previously capitalised | – | 1.5 | 1.5
Other intangible assets | 39.2 | (10.2) | 29.0
Deferred tax assets | 0.5 | 1.8 | 2.3
Total non-current assets | 275.7 | (8.4) | 267.3
Trade and other receivables | 73.2 | 0.2 | 73.4
Current assets | 169.7 | 0.2 | 169.9
Net assets | 214.1 | (8.2) | 205.9
Retained earnings | (13.8) | (8.2) | (22.0)
Total equity | 214.1 | (8.2) | 205.9

31 May 2020 | 31 May 2020 (previously reported) £m | Restatement £m | 31 May 2020 (restated) £m
Cash Flow Statement impact
Profit for the year | 11.7 | (5.3) | 6.4
Amortisation of software and development costs | 4.4 | (1.4) | 3.0
Income tax expense | 4.4 | (1.2) | 3.2
Net cash generated from operating activities | 47.1 | (7.9) | 39.2
Software and development expenditure | (10.4) | 7.9 | (2.5)
Net cash used in investing activities | (13.2) | 7.9 | (5.3)
Net increase in cash and cash equivalents | 60.1 | – | 60.1

A third Balance Sheet has been presented in accordance with IAS 1 to illustrate the impact in the opening Balance Sheet for the prior financial year.
The Group identified £3.6m of costs previously capitalised under cloud computing arrangements that should be expensed, and £0.1m of amortisation was charged, which is to be reversed. These additional costs give rise to a reduction in the tax charge for the year of £0.6m and a corresponding increase in the deferred tax asset. The opening Balance Sheet of the prior year has accordingly been restated to correct for these, as shown below. Balances at 1 June 2019 are those disclosed after the application of IFRS 16, which was adjusted prospectively on inception.

The affected financial statement line items are as follows:

1 June 2019 | 1 June 2019 (previously reported) £m | Restatement £m | 1 June 2019 (restated) £m
Balance Sheet impact
Other intangible assets | 41.8 | (3.5) | 38.3
Deferred tax assets | 1.6 | 0.6 | 2.2
Total non-current assets | 276.5 | (2.9) | 273.6
Net assets | 208.8 | (2.9) | 205.9
Retained earnings | (14.0) | (2.9) | (16.9)
Total equity | 208.8 | (2.9) | 205.9

35 Post-Balance Sheet events

Acquisition of IPM business

On 1 June 2021, shareholder approval was passed for the acquisition of the IPM business of Iron Mountain, comprising substantially all of the assets of Iron Mountain Intellectual Property Management, Inc. together with certain other assets of affiliates of Iron Mountain exclusively related to the IPM business.
The primary reasons for the business combination are to:
• Scale up the Group’s core business to create a global business and platform for further growth
• Generate revenue synergies through allowing the enlarged division to offer NCC’s broader suite of established verification services as well as the newer Escrow-as-a-Service (EaaS) cloud offering to the IPM business’s existing customer base
• Present an exciting new opportunity to sell NCC’s cyber security services from its Assurance division into the IPM business’s broad and blue-chip customer base in the medium term
• Be accretive to earnings per share from completion, even without factoring in revenue synergies
• Result in greater strategic strength for the future

Management considers shareholder approval of the transaction constitutes a change in control and therefore the date of shareholder approval is considered to be the acquisition date for the transaction. Shareholder approval was granted on 1 June 2021 and the IPM Software Resilience business will be consolidated into the Group results from that date (see Note 2). Details of assets acquired that are subject to provisional fair value adjustments will be reported for the year ended 31 May 2022.

The acquisition for a total consideration of $220m was funded through an equity gross placing of £72.6m (see Note 27) on 17 May 2021 combined with a new three year $70m term loan (see Note 24) and the remaining $98.2m funded via existing cash balances and our revolving credit facility. The term loan was entered into on 12 May 2021 but not drawn down until 2 June 2021.

Costs directly attributable to the acquisition of the IPM business totalling £7.6m have been expensed during the year (see Note 5). Issue costs of £2.4m were incurred as part of the equity placing and have been credited to the share premium account (see Note 27).
Glossary of terms – Alternative Performance Measures (APMs)

APMs are the way that financial performance is measured by management and reported to the Board, and the basis of financial measures for senior management’s compensation schemes, and provide supplementary information that assists the user in understanding the underlying trading results.

APM | Closest equivalent IFRS measure | Adjustments to reconcile to IFRS measure | Note reference for reconciliation | Definition, purpose and considerations made by the Directors

Income Statement measures:

Adjusted operating profit
Operating profit or loss
Operating profit or loss before amortisation of acquired intangibles, share-based payments and Individually Significant Items
Note reference for reconciliation: 3
Represents operating profit before amortisation of acquired intangibles, share-based payments and Individually Significant Items. This measure is to allow the user to understand the Group’s underlying financial performance as measured by management, reported to the Board and used as a financial measure in senior management’s compensation schemes. The Directors consider amortisation of acquired intangibles is a non-cash accounting charge inherently linked to losses associated with historical acquisitions of businesses. The Directors consider share-based payments to be an adjusting item on the basis that fair values are volatile due to movements in share price, which may not be reflective of the underlying performance of the Group. Individually Significant Items are items that are considered unusual by nature or scale, and are of such significance that separate disclosure is relevant to understanding the Group’s financial performance and therefore requires separate presentation in the Financial Statements in order to fairly present the financial performance of the Group.

Adjusted earnings before interest, tax, depreciation and amortisation (Adjusted EBITDA)
Operating profit or loss
Operating profit or loss, before adjusting items, depreciation and amortisation, finance costs and taxation
Note reference for reconciliation: 3
Represents operating profit before adjusting items, depreciation and amortisation to assist in the understanding of the Group’s performance. Adjusted EBITDA is disclosed as this is a measure widely used by various stakeholders and used by the Group to measure the cash conversion ratio.

Adjusted basic EPS
Statutory basic EPS
Statutory basic EPS before amortisation of acquired intangibles, share-based payments, Individually Significant Items and the tax effect thereon
Note reference for reconciliation: 11
Represents basic EPS before amortisation of acquired intangibles, share-based payments and Individually Significant Items. This measure is to allow the user to understand the Group’s underlying financial performance as measured by management, reported to the Board and used as a financial measure in senior management’s compensation schemes. See further details above in relation to amortisation of acquired intangibles and share-based payments.
Balance Sheet measure:

Net cash/(debt) excluding lease liabilities
Total borrowings (excluding lease liabilities) offset by cash and cash equivalents
Note reference for reconciliation: 3
Represents total borrowings (excluding lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group Balance Sheet position, overall net indebtedness and gearing on a like-for-like basis. Net cash/(debt), when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions.

Net cash/(debt)
Total borrowings (including lease liabilities) offset by cash and cash equivalents
Note reference for reconciliation: 3
Represents total borrowings (including lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group Balance Sheet position, overall net indebtedness and gearing including lease liabilities. Net cash/(debt), when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions.

Cash flow measure:

Cash conversion ratio
Ratio % of net cash flow from operating activities before interest and tax divided by operating profit
Ratio % of net cash flow from operating activities before interest and tax divided by EBITDA
Note reference for reconciliation: 3
The cash conversion ratio is a measure of how effectively operating profit is converted into cash and effectively highlights both non-cash accounting items within operating profit and also movements in working capital. It is calculated as net cash flow from operating activities before interest and taxation (as disclosed on the face of the Cash Flow Statement) divided by EBITDA for continued and discontinued activities. The cash conversion ratio is a measure widely used by various stakeholders and hence is disclosed to show the quality of cash generation and also to allow comparison to other similar companies.

Constant currency and local currency revenue measures:

The Group also reports certain geographic regions on a constant currency basis to reflect the underlying performance taking into account constant foreign exchange rates year on year. This involves translating comparative numbers to current year rates for comparability to enable a growth factor to be calculated. In addition, the Group also reports these regions on a local currency basis to demonstrate the revenue performance on a local basis. As these measures are not statutory revenue numbers, management considers these to be APMs.

Glossary of terms – other terms

Other terms | Definition and usage
Code | Guidance, issued by the Financial Reporting Council in 2016 and updated in 2018, on how companies should be governed, applicable to UK-listed companies including NCC Group plc.
Adjusted | Any result described as adjusted excludes the impact of Individually Significant Items, and any tax on any of these items.
Adjusted earnings | Adjusted earnings is defined as statutory earnings before amortisation of acquisition intangibles, Individually Significant Items and the share-based payments charge, net of the tax effect of these items.
Adjusted operating profit margin 1 | Calculated as Adjusted operating profit divided by revenue from continuing activities.
AGM | Annual General Meeting of shareholders of the Company held each year to consider ordinary and special business as provided in the Notice of AGM.
Alternative Performance Measure (APM) | An Alternative Performance Measure (which is denoted in each case or use thereof by a footnote) is a non-GAAP performance metric used by management either internally or externally to present management’s view of the underlying business performance. They are not superior to GAAP-based measures and are simply an alternative way of looking at performance. See Note 3 for further information.
Board | The Board of Directors of the Company (for more information see pages 74 and 75).
Cash conversion ratio 1 | Calculated as cash generated from operating activities before interest and taxation divided by Adjusted EBITDA 1, expressed as a percentage.
CDO | Cyber Defence Operations.
CEO | Chief Executive Officer.
CFO | Chief Financial Officer.
CISO | Chief Information Security Officer.
Company, Group, NCC, we, our or us | We use these terms, depending on the context, to refer to either NCC Group plc, the individual Company, or to NCC Group plc and its subsidiaries collectively.
CPO | Chief People Officer.
CTO | Chief Technology Officer.
Directors/Executive Directors/Non-Executive Directors | The Directors/Executive Directors and Non-Executive Directors of the Company whose names are set out on pages 74 and 75 of this report.
EBIT | Earnings before interest and tax.
EBIT margin % | EBIT margin % is calculated as follows: Adjusted EBIT divided by revenue.
EBITDA | Earnings before interest, tax, depreciation and amortisation. Calculated as operating profit before Individually Significant Items and adding back depreciation and amortisation charged.
EBITDA margin % | EBITDA divided by revenue.
EPS | Earnings per share. Profit for the year attributable to equity shareholders of the Parent allocated to each ordinary share.
FCA | Financial Conduct Authority.
Financial year | For NCC Group this is an accounting year ending on 31 May.
FRC | Financial Reporting Council.
Free cash flow | Net cash from operating activities less net capital expenditure.
FRS | A UK Financial Reporting Standard as issued by the UK Financial Reporting Council (FRC).
Gross profit | Gross profit is revenue less direct costs of sale. It excludes costs considered to be overheads that are supporting the business as a whole as opposed to a specific revenue item.
Gross margin %/GM % | Calculated as gross profit divided by revenue from continuing activities.
HMRC | Her Majesty’s Revenue & Customs, the tax collecting authority of the UK.
IAS or IFRS | An International Accounting Standard or International Financial Reporting Standard, as issued by the International Accounting Standards Board (IASB). IFRS is also used as the term to describe international generally accepted accounting principles as a whole. Financial Statements are prepared in accordance with IFRS as adopted by the EU.
Individually Significant Items | Items that the Directors consider to be material in nature, scale or frequency of occurrence that need to be excluded when calculating some non-GAAP performance measures in order to allow users of the Financial Statements to gain a full understanding of the underlying business performance. See Note 5 for further information.
KPMG | The Company’s external auditor, KPMG LLP.
LTIP | Long Term Incentive Plan established to align the interests of senior and Executive management with those of shareholders. The plan is formally known as the NCC Group Long Term Incentive Plan 2013 (approved by shareholders in 2013).
MD | Managing Director.
MDR | Managed Detection and Response.
Net debt 1 | Total borrowings offset by cash and cash equivalents.
Ordinary shares | Voting shares entitling the holder to part ownership of a company.
SAYE/Sharesave | Save As You Earn, being a tax efficient scheme to encourage colleague share ownership.
Software Resilience | Software Resilience represents our Escrow resilience services.
Subsidiary | A company or other entity that is controlled by NCC Group.
TSC | Technical Security Consulting.
TSR | Total shareholder return, which is share price growth plus dividends reinvested (where applicable) over a specified period of time, divided by the share price at the start of the period.

Other information

Directors
Chris Stone – Non-Executive Chair
Adam Palser – Chief Executive Officer
Tim Kowalski – Chief Financial Officer and Company Secretary
Chris Batterham – Senior Independent Non-Executive Director
Jonathan Brooks – Independent Non-Executive Director
Mike Ettling – Independent Non-Executive Director
Jennifer Duvalier – Independent Non-Executive Director

Company Secretary
Tim Kowalski

Registered and head office
XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ

Registered number
4627044
Registered in England and Wales

Joint brokers and corporate finance advisers
Jefferies International Limited
100 Bishopsgate, London EC2N 4JL
Peel Hunt LLP
Moor House, 120 London Wall, London EC2Y 5ET

Auditor
KPMG LLP
1 St Peter’s Square, Manchester M2 3AE

Solicitors
DLA Piper UK LLP
1 St Peter’s Square, Manchester M2 3DE

Bankers
HSBC UK Bank plc
2nd Floor, 4 Hardman Square, Spinningfields, Manchester M3 3EB
National Westminster Bank plc
1 Hardman Boulevard, Manchester M3 3AQ
ING Bank N.V.
London Branch, 8–10 Moorgate, London EC2R 6DA

Registrars
Equiniti
Aspect House, Spencer Road, Lancing, West Sussex BN99 6DA

Financial calendar

Ex-dividend date | 14 October 2021
Record date | 15 October 2021
AGM | 4 November 2021
Dividend payment date | 12 November 2021
2022 half year end | 30 November 2021
2022 interim statement | 3 February 2022
2022 year end | 31 May 2022
2022 year end trading pre-close statement | June 2022
2022 preliminary year end statement | July 2022

These dates are provisional and may be subject to change.

NCC Group plc’s commitment to environmental stewardship is reflected in this Annual Report. The material is derived from sustainable resources and is FSC® certified. Printed in the UK by Geoff Neal. Both the mill and the printer are certified to ISO 14001 (Environmental Management System) and ISO 9001 (Quality Management System).
