14 March 2018

Capita plc

(the "Company")

Annual Financial Report

In compliance with Rule 4.1 of the Disclosure Guidance and Transparency Rules (“DTRs”), the Company announces the publication of its Annual Financial Report for the year ended 31 December 2018. Pursuant to Listing Rule 9.6.1, a copy of this document has been submitted to the National Storage Mechanism and will shortly be available for inspection at http://www.hemscott.com/nsm.do. The document is also available on the Company's website: www.capita.com/investors.

Additional Information

A condensed set of the Company's financial statements and information on important events that have occurred during the financial year and their impact on the financial statements, were included in the preliminary results announcement released on 14 March 2018. That information, together with the information set out below, which is extracted from the Annual Report and Accounts 2018, is provided in accordance with DTR 6.3.5. This information should be read in conjunction with the Company's preliminary results announcement. This announcement is not a substitute for reading the full Annual Report and Accounts 2018.

Principal risk categories

Our risk management framework is based around risk categories against which our businesses measure their risk exposure and report on incidents and issues. The ‘critical’ risk exposures are reported directly to the Audit and Risk Committee to provide clear line of sight. The principal risks represent the main risks to the strategy and objectives of Capita.

The principal risks and uncertainties which are considered to have a material impact on Capita’s performance and achievement of its strategy are set out on the following pages. External and internal risk factors are considered. This is not intended to be an exhaustive and extensive analysis of all risks which may affect our businesses. Additional risks and uncertainties not presently known to management, or currently deemed to be less material, may also have an adverse effect on our objectives.

To repeat, Capita is in year one of a fundamental transformation plan. The principal risks reflect this; in particular, Capita’s ability to meet financial expectations, deliver sales growth and protect its reputation, so as to continue to do business. The integrated nature of the transformation plan is designed to mitigate these risks as effectively as possible. Accordingly, such mitigation is dependent on the successful implementation of this plan.

1. Failure of internal systems of control – controls do not operate effectively or do not operate at all. Potential impact:

• Increased fraudulent activity
• Increased risk of financial malpractice
• Increased regulatory scrutiny
• Increased costs associated with remediation activities
• Reputational damage
• Service detriment to our clients or end-customers
• Financial loss

How we manage the risk:

Mitigating actions in 2018

• Governance, boards and committees in place to review
• Internal audit programme of work
• Monitoring of regulatory requirements
• Monthly performance tracking of risk indicators

 Future actions

• Controls and risk self-assessment
• Financial Services Risk Committee put in place
• Implementation of a new finance systems supported by standard processes and controls

2. Failure in information security controls – information held in systems is accessed or shared in breach of policy. Potential impact:

• Significant loss of data
• Loss of customer confidence
• Failure to win new business
• Regulatory censure/fine
• Remediation programme at Capita’s expense

How we manage the risk:

Mitigating actions in 2018

• Capita operates and holds certifications for ISO 27001
• External review of cyber-resilience
• Programme of work of remediate issues
• Detective controls in place and regularly reviewed to consider new threats
• Preventative controls in place and regularly updated to detect new threats
• Data protection programme of work carried out

  Future actions

• Comprehensive review of current status of resilience against group and contract requirements
• Simplify our cybersecurity through the creation of a single cyber-operations centre
• Strengthen our cyber-posture by developing and mandating additional capabilities, including organisational awareness and enhanced training of our people
• Work with organisations, such as Security Alliance (a Gartner company), to help assess the threat to Capita by looking from an external viewpoint
• Run continuous vulnerability assessments across the estate to proactively identify weaknesses that need to be addressed
• Run executive cyber-training to ensure all our senior employees are aware that cybersecurity is a business responsibility and not just an IT responsibility

3. Increased business complexity – business has grown into many diverse business areas. Potential impact:

• Lack of clear accountability within the business

• Risk and performance management are more difficult to operate effectively, leading to sub-optimal outcomes for all stakeholders

• Divisions not working together, duplicating effort and driving up costs

 How we manage the risk:

 Mitigating actions in 2018

• Reorganised business into coherent divisions

• Implemented a clear operating model with supporting governance to clarify accountabilities

• Simplified the range of market offerings

• Strengthened corporate and divisional management

• Disposal of non-core businesses

 Future actions

• Embed operating models across business

• New customer relationship management tool to be put in place

• Financial models agreed where divisions introduce each other

4. Operational IT – IT infrastructure is not fit for purpose. Potential impact:

• Disruptions to service lead to loss of revenue

• Service credits payable to clients

• Loss of confidence in Capita’s IT systems

How we manage the risk:

Mitigating actions in 2018

• Upgrade technical abilities

• Investment in data centre network

• Simplified existing IT environment

• Change management processes help reduce risk and unplanned outages

Future actions

• Continued activity on simplifying data centre network Continued investment in IT resilience

5. Failure to effectively manage our people – unable to recruit and retain key employees. Potential impact: 

• Loss of key employees

• Unable to attract the right people with the right skills

• Lack of skilled, competent resource

• Increased cost of recruitment due to high attrition rates

• Unable to deliver Capita’s strategy

• Lack of continuity at Executive Committee level

How we manage the risk:

Mitigating actions in 2018

• Chief People Officer appointed

• Focus on culture from the top

• Strengthened senior leadership team

• People strategy defined

• Improved engagement across the business

• Capita Academy launched

Future actions

• Focus on succession planning and development of employees

• Talent reviews, enabling employees to identify new opportunities and to move to new roles within Capita

• Investment into new HR systems

6. Weaknesses in acquisition and contracting – entering poorly worded contracts to our detriment. Potential impact: 

• Loss of contracts

• Lack of ability to acquire new business

• Contract terms are punitive

• Contract terms are not met or understood

• Loss of profits

• Exposure to unexpected costs or onerous terms

• Brand and reputation damage if not managed effectively

• Acquisition synergies are not realised

How we manage the risk:

Mitigating actions in 2018

• Contract Review Committee in place to better understand contract risks in new or existing arrangements

Future actions

• Delivery of a clearly defined Contract Management process

• Transactions committee to be put in place

7. Legal and regulatory – breaking the law or not meeting regulations. Potential impact: 

• Censure or fine from a regulator

• Reputational damage

• Lack of confidence from investors and customers

• Data Subject Access requests not completed within required timescales

• Increased costs due to remediation activities

• Increased regulatory scrutiny which could limit potential for growth

How we manage the risk:

Mitigating actions in 2018

• Regular risk committee meetings held throughout the year, including the Audit and Risk Committee

• Engagement with regulatory bodies

• Specialist team monitoring and engaging with regulators over proposed regulatory or legal changes

• Chief General Counsel appointed

• Legal team in place across the divisions to manage potential and actual issues

Future actions

• Financial Services Risk Committee to focus on financial services risk

• Development of controls and risk self-assessment tool

• Refresh and roll-out of a revised risk framework

8. Failure to achieve financial expectations – adverse performance against our stated business plans. Potential impact: 

• Loss of revenues, profits and/ or cash flows

• Failure to return to organic revenue growth

• Loss in shareholder value

• Undermines investor confidence

• Erodes corporate position in the market

• Weakens our ability to attract and retain the best people

How we manage the risk:

Mitigating actions in 2018

• Move to a multi-year strategic planning range

• Detailed bottom-up Board-approved business plan for 2019 and 2020

• Enhanced monthly performance reviews

• Clearer financial and operational KPIs at business, divisional and functional level

• New Executive Committee governance committees

• Appointed Chief Growth Officer

Future actions

• Delivery of upgraded financial systems, processes and controls

• Deep-dive review of businesses to assess progress against the new strategy

• Plan to drive revenue growth

9. Lack of corporate financial stability – failure to manage financial exposures and access to finance. Potential impact: 

• Increase in leverage

• Inflexible balance sheet

• Lack of cash to invest

• Inability to grow

• Lack of confidence from investors and customers

How we manage the risk:

Mitigating actions in 2018

• Launched new strategy

• Completion of the rights issue

• Disposal of non-core businesses

• Reduction in leverage

• Early repayment of debt

• Targeted investment

• Achieving £70m of cost-out savings

• Developed a plan to address pension deficit

Future actions

• Further repayment of debt

10. Failure to innovate – not keeping up with technology or other changes. Potential impact:   

• Inability to grow and develop into new markets

• Loss of new and existing business to competitors

• Erodes corporate position in the market

• Weakens our ability to attract and retain the best people

• Unable to compete with others who are innovative

How we manage the risk:

Mitigating actions in 2018

• Strengthened the executive team with a Chief Digital Officer and Chief Growth Officer

• Working with external technology partners to develop our digital offering

• Share market innovation best practice internally

11. Adverse changes in political landscape – unable to operate under a different political regime. Potential impact:  

• Fewer outsourcing opportunities offered by the public sector

• Existing business no longer outsourced

• Exposure to markets with limited growth opportunities

• Loss of revenues, profits and/ or cashflows

How we manage the risk:

Mitigating actions in 2018

• Engagement with Government and other parties (e.g. regulators) to understand current thinking

• Preparations made in relation to Brexit

• Understanding of client requirements for Brexit if there is a transition period or no deal with Europe

Future actions

• Build a broader base of understanding about Capita as a transforming business, committed to delivery of service

• Demonstrate value delivered in public sector

12. Reputation – poorly thought of by our stakeholders. Potential impact:  

• Loss of confidence in Capita

• Clients suffer reputational damage

• Fewer or no new contracts

• Loss of revenues, profits and/ or cash flows

• Unattractive proposition for shareholders to invest in

How we manage the risk:

Mitigating actions in 2018

• Director of Corporate Affairs appointed

• Reactive and proactive management of media stories

• Working with selected media to promote Capita’s positive image

Future actions

• Deliver new corporate affairs strategy

• Ensure Capita’s multi-year transformation is understood and clearly communicated to all stakeholders

• Embed new corporate purpose, and refreshed values and behaviours

13. Transformation – making the business fit for the future. Potential impact:  

• A more complex business that is unmanageable

• Loss of revenues, profits and/or cash flows

• Money spent on transformation is wasted

• Business is not fit for the future

How we manage the risk:

Mitigating actions in 2018

• ‘Blueprint’ used to ensure consistent approach to operating model across divisions and functions

• Chief Transformation Officer appointed

• Focus by Executive Committee on risks

• Simplification is the way to strengthen the business

Future actions

• Complete operating model work

• Embed the new model

Emerging Risk

Impact of Brexit:

While the details around the UK’s scheduled departure from the EU remained unclear at the time of writing this Annual Report, Capita has continued to review a range of Brexit scenarios and conducted contingency planning. We have taken steps to manage risk in specific areas and are not aware of any material company-specific impacts from Brexit. We are therefore confident that there will be no significant disruption to the services we offer clients.

Capita employs a significant number of EU nationals, and we want to see maximum certainty for our valued employees and colleagues. We are providing guidance and support for those who are applying for settled status in the UK.

Our preparations for any Brexit scenario, including a ‘no deal’ exit, include safeguards to ensure resilience around potential changes to data protection rules, procurement rules and immigration requirements. As with other companies, Capita would be subject to any deterioration in the economy occurring as a result of Brexit.

We continue to monitor political developments and consider scenarios as the Government’s plans and positions develop.

Other risk factors

Protecting our information and data:

Protecting the data of our clients, our company and our people is one of the most fundamental and important responsibilities we have. Our Data Protection and Information Security Policies, Standards and Procedures ensure we treat personal information correctly, in accordance with the law and best practice. When we process personal information (including sensitive personal information), we ensure that we comply with these policies, standards and procedures including its collection, storage, use, retention, transfer, deletion and safe destruction.

In order to ensure compliance with the Data Protection Act 2018 (and General Data Protection Regulations), we have implemented a comprehensive programme, including a network of trained privacy professionals who provide expert help and assistance for anyone handling data within our business or on behalf of our clients.

We continue to raise awareness of the importance of data protection and privacy through our mandatory data protection training and ongoing training programmes, in particular the Think Privacy; Think Security campaigns.

Cyber-attacks:

Cyber-attacks continue to negatively impact all industry sectors.

Capita fully recognises the persistent cyber-threat posed by criminals and nation-states, and that cyber-attacks are increasing both in their number and in their sophistication.

The Board remains focused on ensuring our businesses and systems are resilient against the latest cyber-threats and have instigated a cyber-resilience programme. Supported by external and internal cybersecurity subject matter experts, the cyber-resilience programme liaises with our businesses and IT providers to implement and maintain robust preventative security controls throughout Capita’s IT estate. As a managed service provider, we recognise our role within our client’s supply chain, and the increasing cyber-threat posed by nation-state resourced actors targeting our clients.

We continue to work closely with UK Government agencies and our partner organisations, to help protect our clients’ digital assets and services, and the key parts of the national information infrastructure with which we are entrusted.

Related party transactions

Compensation of key management personnel                                                                  

	2018	2017
	£m	£m
Short term employment  benefits	11.9	11.3
Pension	0.2	0.2
Share based payments	-	0.1
Total	12.1	11.6

Gains on share options exercised in the year by Capita plc Executive Directors were £0.0m (2017: £0.7m) and by key management personnel £0.0m (2017: £0.2m), totalling £0.0m (2017: £0.9m).

During the year, the Group rendered administrative services to Smart DCC Ltd, a wholly-owned subsidiary which is not consolidated (refer to note 34 of the Annual Report and Accounts 2018). The Group received £64.3m (2017: £55.5m) of revenue for these services. The services are procured by Smart DCC on an arm’s length basis under the DCC licence. The services are subject to review by Ofgem to ensure that all costs are economically and efficiently incurred by Smart DCC.

Capita Pension and Life Assurance Scheme is a related party of the Group. Transactions with the Scheme are disclosed in note 32 – Employee benefits on pages 157-164 of the Annual Report and Accounts 2018.

The following companies are substantial shareholders in the Company and therefore a related party of the Company (in each case, for the purposes of the Listing Rules of the UK Listing Authority).

The number of shares held on 5 March 2019 was as below:

Shareholder	No. of shares	% of voting rights
Veritas Asset Management LLP 1	192,533,863	11.54
Invesco Ltd.	191,409,106	11.47
Investec Asset Management Ltd	153,805,729	9.22
RWC Asset Management LLP	127,012,876	7.61
Schroders Investment Management Ltd	101,030,829	6.06
Woodford Investment Management LLP	93,562,659	5.60
Coltrane Asset Management, L.P	82,388,589	4.94
BlackRock, Inc.	74,230,358	4.45
Marathon Asset Management LLP	64,756,810	3.88
Veritas Funds PLC	55,009,900	3.30
Vanguard Group	54,711,874	3.28
Norges Bank Investment Management	54,273,873	3.25
Jupiter Asset Management Limited	53,573,060	3.21

¹ This includes the holding of Veritas Funds PLC

Responsibility Statement of Directors in respect of the annual financial statements

The Directors confirm that, to the best of their knowledge:

• the financial statements, prepared in accordance with the applicable set of accounting standards, give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and the undertakings included in the consolidation taken as a whole.

• the strategic report includes a fair review of the development and performance of the business and position of the Company and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that they face.

• The Annual Report and Accounts, taken as a whole, are fair, balanced and understandable, and provide the information necessary for shareholders to assess the Company’s position and performance, business model and strategy.

Cautionary statement

The Directors present the Annual Report for the year ended 31 December 2018 which includes the strategic report, governance and audited accounts for this year. Pages 1 to 98 of the Annual Report comprise a report of the Directors that has been drawn up and presented in accordance with English company law, and the liabilities of the Directors in connection with that report shall be subject to the limitations and restrictions provided by such law. Where the Directors’ report refers to other reports or material, such as a website address, this has been done to direct the reader to other sources of Capita plc information which may be of interest. Such additional materials do not form part of the report.

Contact:  Francesca Todd, Group Company Secretary, 020 7202 0641