Annual Report & Accounts 2016 - Principal risks/Viability statement
32 Principal risks/Viability statement
GVC Holdings PLC Annual Report 2016
The Group's customer offer includes products
operated using different labels and gaming licences,
the majority of which are now driven by the Group's
proprietary technology obtained through the acquisition
In an industry where service reliability and integrity are
key differentiating factors, our continual commitment
to providing a reliable, safe, secure, compliant and
continuous service has continued to be the Group's
focus this year.
Subsequent to the acquisition of bwin.party, the Group
initiated a significant technology platform migration
which carries inherent project risk.
Other technology-related risks, such as our continuing
operations in the event of a natural or man-made
disaster, have been addressed with a substantial
investment and both the Group's disaster recovery
and business continuity solutions.
With continuous shifts in how consumers choose and
are able to access our services (via different devices
and/or channels), the process of maintaining and
improving our technology will become more complex.
In May 2016, the Internal Audit function performed
a cyber security review over the key systems and
interfaces that collectively form the gaming platform,
over both the bwin.party and GVC infrastructures.
The resilience to cyber and denial of service threats have
been carefully considered and improved upon following
the recommendations arising from this review.
Furthermore, the Group has committed to maintain its
ISO 27001 Information Security Management System
certification, and is progressing with consolidating its
ISO 27001 certification across the locations inherited
through the bwin.party acquisition. Part of this process
involves an internal audit review from an information
security perspective of all certified sites across a
three-year cycle, which form part of the internal audit
The technology platform migration has been executed
in phases, by label and territory to minimise risk
and customer impact. The Group aims to complete
the migration by the end of 2017 and subsequently
decommission legacy systems.
Focusing on nationally regulated and/or taxed markets
safeguards our gaming revenues from potential
national legislation threatening to prohibit or restrict
one or more of the products that we offer, or online
gaming entirely. There are potential risks for the Group
from all markets where regulation is not clearly defined
or adopted, especially in relation to EU law.
To manage this risk, the Group maintains a dialogue
(either directly or indirectly) with national governments
and regulators of to-be regulated markets. The Group's
compliance and regulatory affairs teams keep abreast
of the regulatory landscape and report to the Board on
any developments. However, it should be noted that
most of the risks in relation to the regulatory landscape
are outside of the Group's direct control.
Operating in nationally regulated and/or taxed markets
requires the Group to comply with the rules and
protocols of the particular regimes. Currently, the
Group holds 31 licences each with their own unique
regulatory requirements. The need to sometimes
develop bespoke technological, operational and
promotional offers in each market requires significant
investment. The Group is committed to meeting its
licence obligations and monitors its compliance with
regulatory requirements by performing reviews of
its licensed operations on a periodic basis, with the
results reported to the Audit Committee. The Group
also submits the licensed entities to a series of
external audits by regulators and industry specialists
to ensure that policies and procedures are being
followed as intended.
The Group has companies and employees spread
over a number of jurisdictions which creates tax risk
if actions and decisions are being made in the wrong
jurisdictions by the wrong companies. In addition,
these companies contract with one another for
services which are subject to scrutiny by local
The Group's strategic focus is to operate in nationally
regulated and/or taxed markets. Revenues earned
from customers located in a particular jurisdiction may
give rise to further taxes in that jurisdiction. If such
taxes are levied, either on the basis of existing law or
the current practice of any tax authority, or by reason
of a change in law or practice, then this may have a
material adverse effect on the amount of tax payable
by the Group.
On 1 January 2015, new VAT rules came into force
across the EU impacting several areas of the digital
economy. Gambling has typically been exempt from
VAT but falls within the rules for VAT on electronically
supplied services. Under EU law, Member States
have the ability to apply VAT to gambling, subject
to certain limitations and conditions, and tax may
be due depending on where customers are located
and how Member States implement any exemption.
Whilst substantial uncertainty remains, in light of the
new rules the Group is now filing for, and paying VAT,
in certain EU Member States. It is possible that VAT
could be payable in other EU Member States.
Group companies operate only where they are
incorporated, domiciled or registered across countries.
The multi-location set up of the Group gives rise to
transfer pricing risk, mitigated by the fact that all
intra-group transactions are documented and take
place on an arm's length basis unless local legislation
or other business conditions make an arm's length
basis impossible or impractical.
Following the acquisition of bwin.party, the transfer
pricing arrangements are in the process of being
reviewed by the Group's Director of Tax. As well
as holding workshops with senior management
and business unit leaders, he also meets at least
once a year with the Board to review tax strategy
There are a number of potential risks and uncertainties which could have a material impact on the Group's
future performance. To mitigate against these risks, the Group conducts a continuous process of assessments
that examine whether any risk has increased, decreased or become obsolete; identify new risks; and evaluate
the likelihood of each risk occurring and the impact it would have on the Group.
Our principal risks fall into five broad categories which are set out below, along with how we seek to manage
them. More detail on our approach to risk management can be found in the Audit Committee Report on
pages 46 to 50 of this Annual Report: