Governance structures & processes

How we elevate our commitments in line with managing and seeking certification in the same way as other important business areas.

GOVERNANCE STRUCTURES & PROCESSES

Governance, Risk Management & Compliance Team (GRC)

Reed & Mackay's GRC department is responsible for overseeing the company's activities relating to formulating policies and processes. These are in line with the objectives, directions and intentions defined by Reed & Mackay's Executive Team.

In addition to overseeing Reed & Mackay's compliance to ISO certifications, Integrated Management System and other obligations, the department also plays a critical role in managing risk and ensuring the company operates in an ethical and responsible manner. These activities assure our clients and stakeholders that we are committed to delivering high-quality services and operating in a transparent and accountable manner.

Information Security Team

The scope of the Information Security department is to manage and maintain Reed & Mackay’s Information Security posture and support our vision and objectives from an Information Security perspective.

The department carries out and oversees activities relating to the management of information security controls, formulating policies, aligning processes and business practices, in line with the objectives, directions and intentions defined by Reed & Mackay’s Executive Team. The aim is to ensure Reed & Mackay conducts its business in a secure, effective and efficient manner in accordance with its compliance obligations. It will be doing this while ensuring the confidentiality, integrity and availability of the company’s infrastructure, information assets and information systems at all times.

The Information Security Department’s activities are geared towards maintaining the security of Reed & Mackay’s information assets and compliance with industry best practice, as well as relevant standards, regulations and certifications. These include, but are not limited to:

The Information Security Team works closely with the GRC team and the Global Technical Services Team. It also works closely with the Legal team, in particular the General Counsel (DPO) and Data Privacy Specialist to support Reed & Mackay’s adherence to General Data Protection Regulation (GDPR) / other Data Protection regulations.

ISO/IEC 27001 – Information Security Management System
Payment Card Industry Data Security Standard (PCI DSS)
Cyber Essentials
SOC 2
NIST CSF
The Sarbanes-Oxley Act of 2002
Other applicable Information Security standards or frameworks

Data Privacy

Our Data Privacy Specialist plays a crucial role in ensuring Reed & Mackay collects, processes, stores and shares personal data securely, protects individuals' privacy rights and complies with relevant privacy regulations. Responsibilities include:

Negotiating data protection clauses in contracts with clients, suppliers and partners
Drafting and negotiating sub-processor agreements with 3rd-party vendors processing personal data
Management of partner and supplier due diligence to ensure compliance with data protection laws and regulations
Addressing client data privacy due diligence requirements
Management of personal data breaches and incidents, which may involve investigating the breach, notifying affected individuals and reporting it to relevant authorities
Developing and delivering company-wide training and awareness programmes on data privacy so all employees are aware of their responsibilities in protecting personal data
Ensuring data privacy is considered in all project and platform development initiatives by incorporating Privacy by Design principles
Conducting Data Protection Impact (threshold) Assessments
Management of individual rights requests, which may involve responding to requests from individuals to access, rectify or erase their personal data
Providing data privacy advice and answering queries from across the business
Implemented a new process for managing Client Data Access and 3rd-Party Release requests.

Executive Level Sponsorship, Leadership & Accountability

At Reed & Mackay, our Executive Teams are committed to establishing a culture of quality, security, resilience and environmental responsibility throughout the business. The Group Chief Information Officer (CIO) has overall accountability for Reed & Mackay's Integrated Management System (IMS) and ensures IMS objectives meet the strategic direction of the business. The Group CIO regularly reviews the status of the IMS with the GRC department and ensures the necessary resources are allocated to establish and maintain the IMS effectively.

The Director of Sustainability is responsible for developing the business’ sustainability strategy and roadmap. This includes overseeing initiatives related to our environmental impact, social responsibility, future growth opportunities and the external reporting and assessments we undertake. The Director of Sustainability reports progress on these initiatives to the CEO on a fortnightly basis. The CEO then approves any decisions based on the progress and feedback provided by the director. This ensures the sustainability strategy is aligned with the overall business objectives and that progress is being made towards Reed & Mackay’s sustainability goals.

Reed & Mackay’s Integrated Management System

Reed & Mackay's Integrated Management System is comprised of four individual Management Systems, all of which we have achieved ISO certifications for:

ISO 9001 - Quality Management Systems (certified since 2006)
ISO 27001 - Information Security Management Systems (certified since 2007)
ISO 14001 - Environmental Management Systems (certified since 2009)
ISO 22301 - Business Continuity Management Systems (certified since 2013)

Our Integrated Management System provides a platform for risk management and continuous improvement. It enables us to provide a structured approach for protecting information, establishing continuity, reducing environmental impact and meeting client requirements.

Risk Management Framework

In line with ISO standards and good business practice, risk-based thinking and awareness is incorporated into Reed & Mackay’s management system and the processes that underpin it.

We have a Risk Management Framework in place for addressing risks across the business, which describe the Risk Policy and Risk Management Activities.

Reed & Mackay maintains a Corporate Risk Register, which recognises the different characteristics of risk from different perspectives.

We use a context-based approach. Risks are identified, assessed and evaluated, treated and reviewed and reported against contexts, including Information Security, Data Protection, Business Continuity, Quality and Environmental.

Identified risks are rated as per Reed & Mackay’s risk assessment matrix, containing specific guidance to enable risks to be assessed and rated accurately for each context. Where appropriate, risk scenarios can also be assessed and rated across multiple contexts, allowing them to be prioritised and treated differently for each context.

Risk owners are assigned and treatment plans drawn up to address the risks. All risks are treated in accordance with a risk-treatment plan and are reviewed and reported throughout the lifecycle.

Risk management in Reed & Mackay takes place across the business as part of a variety of activities that can be characterised as formal or informal, and as having different “triggers”, including:

Cycle: (eg calendar driven or periodic)
Change: “managed by Reed & Mackay” (eg projects, new suppliers, technology changes, new offices etc)
Events: “happening to Reed & Mackay”, typically unplanned (eg Info Sec, Data Protection or BC incidents, threat landscape changes, client requirements to queries, legislation changes etc.)

Review and reporting of risks take place at all stages of risk management. This guarantees individual risks are being treated effectively and are timely; gaining an understanding of the organisation's overall risk profile; and checking risk management processes are effective in identifying, assessing and treating risks to the organisation achieving its objectives.

Corporate risks and risk treatment/mitigation plans are reviewed by the Risk Owner at intervals appropriate to the risk and the treatment plan. These are then updated accordingly and may take place through direct feedback from, or dialogue with, the risk owner or as part of some other regular or triggered activity. Reporting of risks is through a number of mechanisms or forums, including Information Security and Data Protection Risk Reviews, monthly Exec Team Reports, bi-annual Corporate Risk Review etc.

Environmental Reporting & Assessments

Reed & Mackay is required to undergo an Energy Savings Opportunity Scheme (ESOS) assessment every four years. This is a legal requirement set by the UK government.

As a responsible business, we recognise the importance of reducing our carbon footprint and promoting sustainable practices. Therefore we are committed to implementing any identified findings and, as a result, we can further reduce our environmental impact, while also benefitting from cost savings.

Our most recent ESOS assessment in 2019 provided assurance our energy efficiency is very good. In 2023 we will be participating in ESOS Phase 3 and will strive to implement any further opportunities for improvement identified in our assessment report.

In addition, Reed & Mackay is required to comply with the Streamlined Energy & Carbon Reporting (SECR) Framework, which is a mandatory UK government scheme for large businesses. The scheme requires us to report our energy consumption, greenhouse gas emissions and energy efficiency measures annually.

Managing Compliance Obligations

Statutory, regulatory and compliance requirements applicable to Reed & Mackay’s operations, products and services are monitored on an on-going basis. We use information from different sources, including, but not limited, to:

Governmental and public bodies (eg EU, ICO, HSE, DEFRA, HMRC and local equivalents etc)
Industry bodies/licensing bodies (including International Air Travel Association (IATA), Air Travel Organisers License (ATOL), Association of Train Operating Companies (ATOC), Business Travel Association (BTA), Civil Aviation Authorities (CAA), Global Business Travel Association (GBTA), Association of Corporate Travel Executives (ACTE) etc
Standards and Certification bodies (eg ISO, LR, Alcumus ISOQAR, PCI, NCSC, BSi, AICPA, NIST, Coalfire)
Financial and legal auditors/advisors and third-party service providers (eg Deloitte, BDO, Travers, IT Governance, OneTrust, ClimateCare, Nettitude etc)

Membership of Professional Associations/Special Interest Groups including Chartered Quality Institute (CQI), International Systems Audit and Control Association (ISACA), Business Continuity Institute (BCI) and CyberSecurity
Information Sharing Partnership (CiSP), Cyber Security Body of Knowledge (CyBOK), by appropriate subject matter experts. Information from these sources is reviewed by our Legal, GRC, Information Security, Data Privacy and Executive teams; Department Heads and ROAR Groups/other working groups as appropriate and additional external advice taken when required.