Risk Management

Risk Management

Our approach to managing risk

The Board recognises that Persimmon is exposed to a range of risks that could threaten our ability to deliver on our strategic objectives and drive value for all of our stakeholders. As such, ensuring we have an effective mechanism for risk management is essential to our future success. This is delivered through the Group’s well-established risk management framework, which involves input from all levels of our operations to assist in the identification, management and ongoing monitoring and reporting of risks.

Risk Management Framework

Open

Close

Overall responsibility for the oversight of risk sits with the Board. This responsibility is largely discharged with the support of the Audit & Risk Committee, which in turn works closely with the Management Risk Committee as the key business forum for risk oversight. Many of the strategic aspects of risk management are carried out on a ‘top down’ basis, with the Board and Audit & Risk Committee agreeing overall appetites and tolerance for our principal risks, providing challenge to management on their approach to mitigating and monitoring these risks effectively, and ensuring the accuracy and integrity of our risk disclosures. Alongside the strategic consideration of risk, a ‘bottom-up’ approach is in place, with risk management integrated into day-to-day activities at all levels of the Group.

This helps to ensure that risks are effectively mitigated at an operational level, and any emerging risk areas are identified, assessed and escalated appropriately. Risk management activities are also supported by work from both internal and external providers of assurance and independent review. The risk management framework governance diagram provides a schematic of our risk management framework and how the different elements interact.

Our risk management framework has been in place for several years, and continues to evolve in response to increasing complexity and pace of change in the external environment. In this context, the Board has overseen various initiatives within 2025 to enhance the maturity of our risk management processes and support continuous improvement. The role of the Management Risk Committee has expanded, enabling greater focus on key risk areas such as cyber risk and business continuity planning. A new risk management strategy has been developed and agreed with the Audit & Risk Committee, with additional specialist resource deployed within the Group Risk & Internal Audit department to support its implementation. These initiatives will integrate with our work on strengthening internal controls in preparation for the Board’s future effectiveness declaration under Provision 29 of the UK Corporate Governance Code, helping to ensure our ongoing resilience.

Risk Management Framework - Governance

Open

Close

Board
  • Sets our risk culture and approach to risk management, providing an effective 'tone at the top'.
  • Has overall responsibility for the effectiveness of risk management processes.
  • Defines our risk appetite and tolerance, and the approach to our principal and emerging risks.
⮝ ⮝ ⮝ ⮝
Audit & Risk Committee
  • Provides oversight on the effectiveness of our systems of risk management and internal control, including our identified material controls.
  • Reviews and approves financial and non-financial reporting, associated risks and controls, and all risk-related disclosures.
  
  • Reviews reporting on risk management activities, including the operation of the Management Risk Committee.
  • Receives reports from risk owners, and both internal and external providers of assurance, on the effectiveness of risk mitigation measures.
Management Risk Committee   Executive Committee   Disclosure Committee   Sustainability Committee
  • Supports the Board in development and oversight of the risk management framework.
  • Reviews risk indicator reports and feedback on risk from operational teams.
  • Reviews the operational effectiveness of control activities.
  
  • Supports the implementation of our strategy and delivery of key priorities.
  • Reviews our operational performance including the routine management of risk.
  
  • Provides oversight and challenge on external reporting.
  • Reviews financial and non-financial reporting ahead of Board and Audit & Risk Committee reviews.
  
  • Provides oversight on all climate and sustainability-related matters.
  • Reviews disclosures associated with climate and sustainability, obtaining appropriate assurance where required.
Regional and Operating Company Management
  • Manage the day-to-day operational performance of the business, including identification of any changes in risks affecting operations.
  • Ensure the effective implementation of internal controls set by the Board and Group functions within the business.
  • Address Group-level priorities as cascaded through regional and Group-wide management meetings.
  • Report routine operational risks and issues through management forums such as the Land Committee and Regional Boards.
  Risk assurance  

Second line

Third line

Fourth line (external assurance)

Our second line comprises a range of functions with a Group-wide remit, which play a key role in mitigating risk through the formulation of Group policies, procedures and control mechanisms designed to mitigate risks. Many of these measures constitute our material controls, which include a range of measures such as financial, operational and compliance controls, that serve to mitigate our principal risks and other key risk areas. For some key areas of risk, such as construction and HS&E activities, the second line functions include programmes of routine monitoring and assurance on the implementation of controls within the Group's operations.

The Group Risk & Internal Audit department is our independent third line function. Its role includes the delivery of a risk-based audit plan to provide assurance on key areas of risk and compliance, provision of regular principal risk reporting for the Audit & Risk Committee and an annual summary report for the Committee to support its conclusions on the overall effectiveness of risk management and internal control.

We benefit from additional assurance on effective risk management from external sources. This includes the work of our external auditor and inspections and audits from regulators, warranty providers, insurers and providers of externally recognised certifications (such as cyber essentials plus and ISO45001).

Risk appetites and tolerance

Open

Close

The Board, with the support of the Audit & Risk Committee, has developed a Risk Appetite Statement, classifying its principal risks against different appetite categories:

  • Averse: Aim to minimise exposure as far as is practically possible, with a low tolerance for potential adverse outcomes. This category is applied to risks that could have severe consequences in areas such as HS&E, compliance, or reputation.
  • Cautious: Acceptance of low to moderate levels of risk in areas that are necessary to achieve operational efficiency and strategic initiatives. Risks are carefully managed to avoid significant negative impacts on the organisation.
  • Enterprising: Openness to accepting moderate to higher levels of calculated risks when pursuing strategic opportunities that could drive our growth or enhance operational performance.

Risk tolerance is considered against various risk‑specific measures and narrative reporting, reviewed and challenged by the Management Risk Committee before presentation for approval at the Audit & Risk Committee. The articulation of risk appetite also informs the design, operation and targeted maturity of each material control linked to the requirements of Provision 29 and the preparations for enhanced disclosures from 2026.

Overall assessment of principal and emerging risks

Open

Close

In line with the requirements of Provision 28 of the UK Corporate Governance Code 2024, the Board has completed its assessment of our principal and emerging risks, assessing these against the FRC’s criteria as those that could threaten our business model, future performance, solvency or liquidity and reputation.

The Board’s assessment, conducted with the support of management, has determined that that 12 risk areas meet the criteria for consideration as principal risks, each of which are broadly aligned with those reported in 2024. In common with the rest of our sector, we retain a particular sensitivity to external risks, most notably those posed by economic and market conditions, Government policy and political risk. There have been two material changes from our 2024 assessment of principal risks. The previously reported ‘legacy buildings’ risk has been broadened into a revised ‘building safety and legacy buildings’ risk, reflecting the Board’s continued focus on building safety through current build, as we continue to make progress in addressing remediation requirements from legacy developments. Similarly, the previously reported ‘cyber and data’ risk has been broadened to ‘business resilience’ risk, considering the potential threats from cyber attacks and other events that could cause widespread operational disruption.

The 2025 assessment considered the ratings of this risk in the context of several high-profile cyber issues for other large UK businesses within the year. While the threat of disruption in this area has increased over the year, we have simultaneously continued to invest in maintaining and improving our cyber security posture and developing stronger business continuity contingency measures. As such, while the risk is considered to be increasing, the previous overall rating of ‘high’ has not been revised. The rating of our ‘HS&E’ risk was also considered in relation to our continued work to strengthen controls, including the achievement of the ISO45001 standard for our health and safety management system. Again, it has been determined that the risk rating remains appropriate and did not warrant change.

The overall assessment of our current principal risks is that all are subject to controls or other mitigations that bring them within the tolerance range defined within our risk appetite, and we remain confident in our ability to manage these risks effectively. However, it is recognised that risks may materialise together rather than in isolation and, should this occur, it could have a material impact on our operations and financial performance. The Viability Statement includes a broad assessment of the resilience of our business model in the face of such challenges, and includes a range of sensitivity analyses and the likely responses of the Board should they materialise.

Emerging risks

Open

Close

Emerging risks, defined as those that are known but cannot be assessed in detail at present and could, under certain conditions, evolve to pose a strategic threat as a principal risk, have also been considered by the Board. Emerging risks were reviewed through the normal operation of our risk management framework, with detailed consideration from the Management Risk Committee contributing to a formal annual presentation for review and challenge by the Audit & Risk Committee.

Our 2025 assessment has not identified any new emerging risk areas beyond changes within our existing principal risks. The previously recognised emerging risk of ‘market disruption’, has been retained. This reflects the potential threats to our business model from disruptions such as Artificial Intelligence (’AI’), market consolidation or breakthrough advances in deployment of technology such as modular construction. This risk will be monitored by the Board and, operationally, by the Executive Committee and Management Risk Committee. Mitigation strategies will be kept under review as the risk evolves.

Principal risks

Open

Close

The Group’s Principal Risks are:

  1. UK economic and market conditions
  2. Government policy and political risk
  3. Climate change and sustainability
  4. Health, Safety & Environment event
  5. Building safety and legacy buildings
  6. Land and planning
  7. Supply chain
  8. Finance and liquidity
  9. Skilled workforce, retention and succession
  10. Business resilience
  11. Reputation
  12. Regulatory compliance

Read more about our Principal Risks in our latest Annual report.