Annual Report • Sep 29, 2023
Annual Report
Open in ViewerOpens in native device viewer
213800DJCGZRB65239342022-06-012023-05-31213800DJCGZRB65239342021-06-012022-05-31213800DJCGZRB65239342023-05-31213800DJCGZRB65239342022-05-31213800DJCGZRB65239342021-05-31213800DJCGZRB65239342021-05-31ifrs-full:IssuedCapitalMember213800DJCGZRB65239342021-05-31ifrs-full:SharePremiumMember213800DJCGZRB65239342021-05-31ifrs-full:ReserveOfCashFlowHedgesMember213800DJCGZRB65239342021-05-31ifrs-full:MergerReserveMemberiso4217:GBPiso4217:GBPxbrli:shares213800DJCGZRB65239342021-05-31ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342021-05-31ifrs-full:RetainedEarningsMember213800DJCGZRB65239342021-06-012022-05-31ifrs-full:IssuedCapitalMember213800DJCGZRB65239342021-06-012022-05-31ifrs-full:SharePremiumMember213800DJCGZRB65239342021-06-012022-05-31ifrs-full:ReserveOfCashFlowHedgesMember213800DJCGZRB65239342021-06-012022-05-31ifrs-full:MergerReserveMember213800DJCGZRB65239342021-06-012022-05-31ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342021-06-012022-05-31ifrs-full:RetainedEarningsMember213800DJCGZRB65239342022-05-31ifrs-full:IssuedCapitalMember213800DJCGZRB65239342022-05-31ifrs-full:SharePremiumMember213800DJCGZRB65239342022-05-31ifrs-full:ReserveOfCashFlowHedgesMember213800DJCGZRB65239342022-05-31ifrs-full:MergerReserveMember213800DJCGZRB65239342022-05-31ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342022-05-31ifrs-full:RetainedEarningsMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:IssuedCapitalMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:SharePremiumMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:ReserveOfCashFlowHedgesMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:MergerReserveMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:RetainedEarningsMember213800DJCGZRB65239342023-05-31ifrs-full:IssuedCapitalMember213800DJCGZRB65239342023-05-31ifrs-full:SharePremiumMember213800DJCGZRB65239342023-05-31ifrs-full:ReserveOfCashFlowHedgesMember213800DJCGZRB65239342023-05-31ifrs-full:MergerReserveMember213800DJCGZRB65239342023-05-31ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342023-05-31ifrs-full:RetainedEarningsMember Annual report and accounts for the year ended 31 May 2023 Protecting clients and helping to build a more secure digital future NCC Group plc Annual report and accounts for the year ended 31 May 2023 In this report NCC Group is a people-powered, tech-enabled global Cyber Security and software escrow business. We harness our collective insight, intelligence and innovation to power end-to-end cyber services that protect our clients from cyber threat. Strategic report 1 Highlights 2 At a glance 4 Our investment case 5 Our strategic roadmap 6 Chair’s statement 9 CEO’s review 14 Our business model 16 Meet the CTO 18 Market dynamics 24 Our strategy 29 Meet the COO 32 Our solutions 35 Meet the Global Managing Director 40 Stakeholder engagement 42 Culture 46 Non-financial and sustainability information statement 53 TCFD 60 Meet the CFO 61 Financial review 70 Principal risks and uncertainties 81 Viability statement Governance 84 Chair’s introduction to governance 87 Governance framework 88 Board of Directors 90 Executive Committee 92 Board composition and division of responsibilities 102 Shareholder engagement 103 Audit Committee report 110 Nomination Committee report 113 Cyber Security Committee report 115 Remuneration Committee report 138 Directors’ report 142 Directors’ responsibilities statement Financial statements 144 Independent auditor’s report 152 Consolidated income statement 152 Consolidated statement of comprehensive (loss)/income 153 Consolidated balance sheet 154 Consolidated cash flow statement 156 Consolidated statement of changes in equity 157 Company balance sheet 158 Company cash flow statement 159 Company statement of changes in equity 160 Notes to the Financial Statements Additional information 215 Glossary of terms – other terms 217 Other information 218 Financial calendar Intelligence Read more on page 38 Read more on page 30 Read more on page 22 Insight Innovation It’s in our DNA It’s what makes us different. A part of who we are that underpins everything we do. View our latest results: nccgroup.com While the market conditions we announced in our March Trading Update have impacted our FY23 Mike Maddison Chief Executive Officer Highlights 1 Net (debt)/cash excluding lease liabilities, Adjusted operating profit and Adjusted EPS are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. Further information is also contained within the Chief Financial Officer’s Review on pages 60 to 69. 1 Adjusted operating profit is an APMs and not IFRS measure. See Note 3 for an explanation of APMs and adjusting items. Further information is also contained within the Chief Financial Officer’s Review on pages 60 to 69. Headlines Revenue (£m) £335.1m Net (debt)/cash excluding lease liabilities 1 (£m) £(49.6m) Adjusted operating profit 1 (£m) £28.8m Adjusted EPS 1 (p) 6.1p Basic EPS (p) (1.5p) 263.7 21 21 21 21 21 21 30.7 7.6 9.6 2.3 250.7 20 20 20 20 20 20 33.7 9.2 17.8 4.9 19 19 19 19 19 19 23 23 23 23 23 23 335.1 28.8 6.1 22 22 22 22 22 22 270.5 314.8 83.3 39.2 48.1 9.5 10.8 14.8 31.0 7.4 3.6 (£m) £(4.3m) IFRS measures Alternative Performance Measures We made significant progress implementing our Next Chapter strategy in a challenging environment: • Market dynamics reinforced the need to implement our new strategy • While material clients were retained, we saw delays in buying decisions and project cancellations in the North American tech sector and the UK market in general • In our Cyber Security business we saw growth in Europe, and the UK and APAC region with a decline in North America • Our Software Resilience business returned to revenue growth in H2 • Current trading for the Group is in line with expectations with cost efficiencies already being realised in FY24. North America Cyber Security revenue performance experienced in H2 FY23 is currently annualising through H1 FY24 giving rise to YoY double digit Q1 revenue decline • FY24 revenue and Adjusted operating profit 1 expectations remain the same NCC Group plc 1 Strategic report We protect the development, supply and use of business critical technology and software applications: • Buyers are safeguarded from supplier failure, software vulnerabilities and unforeseen technology disruption • Our on-premise and cloud offering can demonstrate robust business continuity and risk mitigation, and suppliers benefit from enhanced credibility and intellectual property rights protection • Escrow contract services secure the long-term availability of business critical software data and applications • Our verification services assure clients that the knowledge and guidance are readily available to manage, maintain or recreate an application from the original source, should it ever be needed • helps clients transition to the cloud securely, so they can adopt the latest technology with confidence NCC Group is a global Cyber Security and Software Resilience business operating across multiple sectors, geographies and technologies. The trend of technological change within increasingly complex, connected ecosystems, means cyber threats continue to evolve and grow at pace. We bring decades of collective experience and expertise across the whole cyber spectrum to assess, manage and deliver cyber resilience for clients in both the public and private sector. We are driven by a collective purpose – to help create a more secure digital future. Our business We have two distinct businesses, through which we deliver solutions to support our clients’ operational goals, budgets and risk appetite, providing confidence that their most important assets – business reputation, software and personal data – are safe and secure. As we went to print we concluded the new distinct brand for our Software Resilience business to Escode, which will roll out from January 2024. See page 36 for more about this. We demystify cyber and ensure clients: • Understand the cyber threats and vulnerabilities across their technology environments, supply chains, processes and products • Maintain their licence to do business, having achieved their governance, compliance and accreditation objectives in a changing regulatory environment • Materially improve their resilience against ever- increasing cyber threats by implementing remediation plans and solutions • Reduce risk and achieve greater resilience for less investment • Can improve their cyber defence operations and increase their confidence in detecting and responding to cyber event At a glance Read more on Our solutions on page 32 Read more on Our solutions on page 34 What we do CYBER SECURITY NCC Group plc 2 Group revenues North America £133.8m Europe £57.1m UK and Asia Pacific £144.2m We operate as one global business, with in-country delivery tailored to local needs and cultures, as well as a global delivery team to respond quickly to our clients’ challenges. We have a significant market presence in the UK, Europe and North America, and a growing footprint in Asia Pacific, with offices in Australia and Singapore, and our new global delivery and operations centre in Manila, the Philippines. Our offices Key: Where we operate Cyber Security revenue £270.8m • Global Professional Services: £199.3m • Global Managed Services: £67.8m • Products: £3.7m £64.3m Software Resilience revenue • Escrow contracts: £42.8m • Verification services: £21.5m NCC Group plc 3 Strategic report Our investment case With decades of experience and a We draw on our expertise, capabilities and global footprint to develop sustainable solutions to help our clients meet their current and future cyber security challenges. With the ability to attract top talent with both technical expertise and passion, we continue to deliver results in what is a competitive and dynamic market. • Cyber Security is not optional; increasingly it’s a C-suite and Board issue to operate safely, protect reputation and comply with growing regulatory requirements • The global threat landscape continues to evolve as new technologies enable even more connectivity in our day-to-day lives, creating new, larger and more complex vulnerabilities for threat actors to exploit • Global Cyber Security market is expected to exhibit a CAGR of 10% between 2022 and 2027 1 Structural growth in an addressable market • Cyber Security: a global footprint protecting companies against an evolving spectrum of cyber threats • managing commercial risk with software vendors • Underpinned by insight, innovation and intelligence across our whole organisation Client focused with two distinct businesses • Focused on broadening our Cyber Security offer in priority sectors, ensuring clients address their full Cyber Security lifecycle • Building an alliance ecosystem to enhance routes to market, and developing our global delivery model to better serve client needs in the future • Complemented by a focused acquisition strategy where it makes strategic and financial sense A strategy to enhance growth by focusing on Cyber Security • Investment in professional development with career paths to promote talent from within • Established next generation talent programme bringing new cyber talent from non-traditional tech backgrounds • Partnerships to enhance diversity and make cyber accessible for all A hub for both attracting and developing talent and active alumni network Read more about our Cyber Security business on pages 32 and 33. Read more about our Software Resilience business on page 34 Read more on page 27 Read more on page 43 www.expertmarketresearch.com/pressrelease/global-cyber-security-market 4 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Our aspiration is to move beyond our historical strengths to become a truly global Cyber Security and Software Resilience services provider capable of delivering an end-to-end cyber solution that harnesses our strengths in insight, intelligence and innovation and is accompanied by a fantastic client experience. Creating a more secure digital future. Vision Purpose Our strategic roadmap We are guided by our Code of Ethics – treating everyone and everything with respect, underpinned by common values to bring us together. Our Code of Ethics and values Read more on our culture on pages 42 to 45 We embrace difference We take responsibilityWe work together We are brilliantly creative It is essential that we all proactively manage any risk to our safety and security. Our purpose is to help organisations to do this by keeping their personal data, and the technology and devices they use, as well as the critical assets and software they rely on, safe and secure. It’s what drives our strategic roadmap: We have a relentless focus on creating value for our stakeholders. Guided by our purpose, focused on our vision, we will continue to evolve and transform with our new growth strategy focused on four core areas: Insight InnovationIntelligence adapt to changing environments and deliver exceptional value for our clients. Creating growth by putting the client experience at the heart of our proposition Creating value for our clients Read more on our strategy on pages 24 to 27 Our clients on the most pressing Cyber Security needs. Our capabilities Broader service portfolio addressing the full Cyber Security lifecycle. Global delivery Transitioning from an international to a fully global business. Brands brands for Cyber Security and Software Resilience. Read more on our business model on pages 14 and 15 NCC Group plc 5 Strategic report 2022/23 key activities • Developed and communicated the Group’s next chapter strategy • Completed the full operational review of the Software Resilience business to create additional contribution • Commenced a strategic review of Software Resilience • Commenced planning for a new global delivery and operations centre in Manila • Improved Board and executive management diversity and enacted succession planning • Planning the broad restructuring of the business 2023/24 priorities • Realise cost efficiencies across Cyber Security and corporate functions • Implement our next chapter strategy with a renewed focus on priority sectors and development of end-to-end Cyber Security services • Open the new delivery and operations centre in Manila • Complete the rebrand of both Software Resilience and Cyber Security businesses • Revisit the strategic review of Software Resilience Chair’s statement It has been a challenging year for NCC Group. Chris Stone Non-Executive Chair Introduction It has been a challenging year for NCC Group. Despite the decline in the rate of our revenue growth and the loss for the year, our new strategy, which gives us a clear direction of travel, fills me with optimism that we are on track for a brighter future. This was very much a year of two halves. We enjoyed a strong first half, which saw us post strong revenues and profits, but our North American and UK Cyber Security businesses were materially affected by changes in the macro-economic environment in the second half. We are trusted partners to the most significant businesses on the North American West Coast – and each one of these businesses paused projects as they grappled with their own costs and made extensive layoffs. This led to a reduction in our revenues with a direct impact on utilisation and margins. While this had a considerable effect on our revenues in the year, it validated the next chapter strategy set out in February 2023 by our new CEO Mike Maddison following his appointment in July 2022. It’s a strategy designed to set us up for consistent, global growth creating a sustainable business. By focusing on clients, our capabilities, global delivery and brand, harnessing insight, innovation and intelligence, we’ll be more resilient in the future. A tangible difference to our business will be the creation of more recurring revenues, giving us a more stable base. 6 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 There were several positives in the year, and we are pleased with the performance of our Software Resilience business. Our strategic review announced at our half-year results has been stopped and will be revisited later in the calender year. This ensures a focus on navigating the market conditions for Cyber Security and implementing strategic actions, so the Group is well positioned to return to growth when the market improves. In the meantime, the Software Resilience business continues to grow and reap the benefits of our acquisition of IPM last year – making us the largest software escrow player globally. The operational improvement programme and new management team that we announced last year have delivered the expected benefits, and we will see the consequent improvement in Software Resilience operating profit margins flow through into next year’s results, as well as the benefit we have experienced this year. In our Cyber Security business, while our financial performance was ultimately disappointing due to the drop off in short-term demand from clients in the US West Coast tech sector in the second half, our underlying technical capability and our next chapter strategy give us solid foundations to diversify our client base. There is a reason the biggest brands in the world trust us to manage their security, and the executive team is building on this trust while ensuring our Cyber Security offer is wholly designed around the needs of our clients. This is why the creation of a new global delivery and operations centre is a central element of the strategy, reflecting our focus on adapting to the changing needs of our clients. Further details on our strategy and business model are provided on pages 24 to 27 and pages 14 and 15 respectively Business performance 1 currency 1 decreased by 2.7% pts to 39.4% due to reduced revenue contribution from Global Professional Services within Assurance utilisation, offset by an improvement in Software Resilience revenue contribution. 1 and Adjusted operating profit 1 • offset by an improvement in Software Resilience profitability which was driven by improved operating efficiency, as targeted at the time of the May 2022 operational review • and an increase in base interest rates. All of the above, resulted in a 1 of 6.1p This performance led us to a broad restructuring of the business, which has been planned and implemented with the assistance of a third party and has given rise to Individually Significant Items and cost efficiencies being realised in FY24. 1 1 1 Total borrowings (including lease liabilities) offset by cash and Our business performance can be found in more detail on page 61 Dividend the register at the close of business on 10 November 2023. The ex-dividend date is 9 November 2023. Board and executive management composition I am responsible for the leadership of our Board, and I am very pleased with the progress we have made to increase diversity across both the Board and the executive team. We appointed Lynn Fordham to the Board on 1 September 2022 and she is Head of the Audit Committee as well as the appointed who joined us in 2022, has taken over as Senior Non-Executive Committee. In addition, I am very pleased with our internal promotion of Guy Ellis to Chief Financial Officer following Tim Kowalski’s decision to step down on 30 June 2023 after five years in the role. our Software Resilience business, and most recently as roles in the retail sector for brands including Asda and Specsavers. This experience and the recent interim roles in NCC Group have given him a breadth of understanding of the commercial drivers and operations across the whole business. Turning to our executive management team composition, Mike Maddison has continued to review the organisation and made good progress in establishing a new Executive Committee, with Officer). I am confident this diversity of perspectives and experiences will ensure we make better Board and executive decisions, particularly as the business starts to execute its next chapter strategy in earnest. Further details on our Board composition are provided on pages 92 to 101 Further details of our executive management composition are provided on pages 90 and 91 NCC Group plc 7 Strategic report Sustainability We continue to recognise the importance of an environmental, operations and measures our sustainability and ethical impact. The Board had a debrief workshop with our environmental partner Planet Mark as part of developing our net zero journey. We also fully supported the partnership with Ever Sustainable to lead our independent materiality assessment – looking at not only inward but also outward impacts – addressing future requirements to comply with the European Corporate sustainability strategy fully supports and will be integral to our business strategy and I am proud of the continuous improvement we make year on year regarding ESG factors. Further information on risk management and the key risk identification procedures is set out on pages 70 to 80 Summary Overall, this year and in particular the second half, has been challenging. The drop in value of our business has been disappointing, and the Board and Executive Committee are fully focused on restoring shareholder value. However, this has also been a particularly challenging year for our colleagues, and on behalf of the Board I offer our thanks and appreciation for their unwavering commitment and focus. As always, I am personally very grateful for their continuing commitment to NCC Group. It is through this continued hard work that we will achieve our vision to become the leading Cyber Security and Software Resilience provider globally. We move into this next phase whereby we will realise cost efficiencies across Cyber Security and corporate functions and implement our next chapter strategy. Chris Stone Non-Executive Chair operating profit, cash conversion and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. Further information is also contained within the Financial Review. Chair’s statement continued NCC Group plc 8 2022/23 key activities • Completed an operational review of the Software Resilience business to create additional Group contribution • Introduced the next chapter of our strategy • Created a new executive team • Embraced new ways of working including hybrid • Commenced planning for a new global delivery and operations centre in Manila • Planning the Restructuring of the business following H2 FY23 performance 2023/24 priorities • Realise cost efficiencies across Cyber Security and corporate functions • Embed our new strategy with a renewed focus on our clients, priority sectors and development of end-to-end Cyber Security services • Open the new delivery and operations centre in Manila • Continue focus on relevant stakeholder engagement and evolve our sustainability agenda CEO’s review An ever-changing market There is only one certainty in our industry: change. I have worked in this space since the 1990s when “computing security” was a niche specialism. Today, Cyber Security is high on the risk registers of every enterprise and government in the world, and this industry will continue to change as Cyber Security becomes even more fundamental to societies and economies. Our lives are becoming more digitally connected each year, cyber criminals and nation states are constantly innovating and improving their attack capabilities, and AI and quantum computing have the potential to cause paradigm shifts that will reverberate around the globe. As a business we have to be alive to the pace of this change. If we stand still, we will be left behind. Our next chapter strategy is designed to address this challenge head on, creating an organisation that gets ahead of its market drivers with foundations that are fit for today and the future. It is relentlessly focused on clients and our ability to address the issues they face. I want to thank colleagues challenges this year. They and the resilience they have shown in the circumstances Mike Maddison Chief Executive Officer Strategic report 9NCC Group plc — Annual report and accounts for the year ended 31 May 2023 An ever-changing market continued It sees us become even more globally integrated, while confidently telling our story with an energised, simplified brand. This is why optimistic about where we are heading. NCC Group exists to make the world safer and more secure. This purpose remains unchanged. But the market has changed around us, so as a business we must adapt. A client-centric approach When I joined NCC Group I was immediately struck by the breadth and depth of our technical expertise. It is truly world class. Our insight, innovation and intelligence are respected globally. This expertise sits at our core. However, we have to unlock its potential by harnessing it to create solutions that are designed around the needs of our clients. This starts with clarity around the markets we serve. It’s why our strategy sees us focus on our fastest growing sectors – specifically those which are highly regulated and most exposed to cyber risk, like financial services, industrials and technology. We will build deeper relationships at the C-level within those businesses to give us the opportunity to move beyond transactional sales and into the position of trusted advisor. We have brilliant individuals in our business who are already working at this level, but we will invest in the right talent to enable scale. With that in place, we can properly unlock the potential of our expertise and be a true end-to-end Cyber Security services partner that can deliver business outcomes. In practice, this means rather than simply testing a client’s infrastructure annually, we’ll also work with them to address the security vulnerabilities we discover. Rather than providing a one-off incident response to a client following a cyber-attack, we’ll provide consultancy and remediation after the event to enable greater resilience – and then manage their Cyber Security operations 24/7. This is why we are making targeted investments into specific capabilities – like building out our consulting team and enhancing our Managed Services offering. It is all driven by our target customers and their needs. We will have all the constituent parts to continually create these customer journeys. Our strategy sees us knit them together to ensure consistent, consultative client relationships globally – all powered by our unrivalled technical expertise. Further details on this are provided on pages 24 to 27 True global delivery As our industry continues to change, the way we deliver work is changing too. A standard penetration test – the evaluation of software or hardware to identify security vulnerabilities – is ago. We are now more efficient, there is more automation, and we can test on a much larger scale. The need for us to continually adapt was underlined during the pandemic. A significant amount of testing that previously took place on site at secure client locations was being delivered remotely. It showed that some low-level testing could be done in a different way, and at a lower cost. Fast forward to 2023 and the cost cutting across the industry, and layoffs led by North American West Coast tech firms accelerated this move and we felt this acutely. Clients still need this service, but they want it delivered in a more cost-effective way. This shift has informed our strategic focus on global delivery and flexible resourcing. We can get better at using capabilities in our expertise for an Australian assignment. Our delivery has been too local and rigid in the past. It’s been a driving factor in our decision to open in September 2023 an offshore delivery and operations centre. Some of the best Cyber Security talent in the world is found in emerging this investment will mean we can harness that talent and complement it with our existing colleagues to be more flexible to our clients’ needs. We are trusted by governments and the most highly regulated organisations to test and manage their security. There will always be demand for in-market talent to work on sensitive, complex programmes of work. Our new delivery and operations centre simply means we can expand our capabilities and provide more value for our clients. Further details on this are provided on pages 24 to 27 Communicating with impact We also have an opportunity to better tell our story and explain the value we offer. We provide counsel to governments around the world on high level Cyber Security issues. We are handpicked by the most significant businesses globally to protect their digital assets. We are trusted by critical national infrastructure providers to secure their systems and keep them running. This trust has been created through our insight, intelligence and innovation. It has taken years to build. It enables us to act as a convenor of decision makers – on policy, regulation and the macro forces affecting our collective ability to secure our digital future. This credibility and track record should form the core of our messaging. We have a unique position in the market. As a client, this is what you gain access to when you engage with us. Yet we have been reluctant to talk about it. We are going to seize this opportunity, with our new Chief Marketing Officer bringing together our global marketing, communications and public affairs team to deliver on this strategy. It starts through the creation of distinct and relevant brands for Cyber Security and Software Resilience, with clearer, simpler propositions. From here we will focus on boosting our profile through marketing programmes designed around the C-suite in our target sectors. We will become more present, more active and bolder in our marketing and communications. We are trusted by the globally to protect their CEO’s review continued NCC Group plc 10 Financial performance summary It’s been a challenging year for the Group with a decline in the rate of revenue growth and overall profitability, resulting in a loss for the year. Our revenue performance and profitability suffered from the market dynamics within Cyber Security. In particular, the Group experienced buying decision delays and cancellations in the North American tech sector and to a lesser extent in our UK market, effecting our Global Professional Services revenue and overall gross profit performance. These headwinds have further reinforced the need to accelerate the implementation of our next chapter of the Group strategy. 1 prior year Software Resilience fair value revenue adjustment 2 , Group revenues were flat at constant currency 1 at actual rates). In our Cyber Security business, the Europe and UK and APAC businesses grew on a constant currency basis 1 currency basis 1 tech sector spend. constant currency basis 1 1 In our Software Resilience business, following the completion of the acquisition of IPM in June 2021, we experienced our first full year of IPM contract renewals which contributed to overall 1 to total Software Resilience revenue (on an unaudited pro forma 1 pleasing to see that our new leadership team (appointed in November growth, price rises, and realisation of efficiency contribution targeted at the time of the May 2022 operational review. performance of the Cyber Security business and the consequential and training costs arising from inflationary pressures and further travel and office costs (including the impact of our NCC 1 Revenue at constant currency is an Alternative Performance Measures and adjusting items, including a reconciliation to statutory information. 2 See Note 3 for an explanation of unaudited proforma total Revenue and a Revenue is an APM and not a IFRS measure. NCC Group plc 11 Strategic report 2023 2022 Cyber Security £m Software Resilience £m Central and head office £m Group £m Cyber Security Software Resilience Central and head office Group Revenue 270.8 64.3 – 335.1 – Cost of sales – – Gross profit 86.1 45.9 – 132.0 92.3 40.3 – 132.6 Gross margin % 31.8% 71.4% – 39.4% 71.6% – 42.1% 2 Adjusted EBITDA 1 15.4 31.2 41.4 39.1 Adjusted operating profit 1 6.9 30.6 28.8 31.9 22.0 Amortisation of acquired intangibles Share-based payments Individually Significant Items – – – Operating (loss)/profit 22.3 1.9 16.0 34.7 Operating margin % 34.7% n/a 0.6% 11.2% n/a 11.0% Finance costs 31.0 Taxation 23.0 EPS Basic EPS 7.4p Adjusted basic EPS 6.1p items. Further information is also contained within the Financial Review. 2 Administrative expenses excludes depreciation and amortisation, Individually Significant Items, amortisation of acquired intangibles and share-based payments. Assurance business following the recent reduction in spend reorganisation costs as we reshaped the Group to implement the next chapter of the Group’s strategy. The impairment of North American Goodwill has been recognised based on the annual assessment of circumstances as at 31 May 2023. ISIs also include costs associated with the strategic review of our reorganisation. These were partially offset by a profit on profit performance, increased ISIs (mainly the impairment of North American Assurance Goodwill) and increased borrowing 1 amounts to 6.1p At 31 May 2023, our cash conversion 1 Net debt 1 excluding lease liabilities 1 Total borrowings (including lease liabilities) offset by cash and Financial performance summary continued 1 level, Adjusted operating profit 1 gross profit and overall profitability and an improvement in Software Resilience gross profit and overall profitability is disclosed below and reconciled to profit after taxation: CEO’s review continued NCC Group plc 12 A global leader We have faced a number of challenges this year. We’ve had to make some difficult decisions to ensure we are set up to achieve our purpose – to create a more secure digital future. I want to thank colleagues for their support during the challenges this year. They have been truly remarkable and the resilience they have shown in the circumstances has been inspiring. And it’s this resilience, which provides the foundations for us to execute our strategy and make NCC Group the global leader in Cyber Security, and Escrow Software Resilience services. We will emerge as a more confident and sustainable business built around the needs of our clients – one that is set up to adapt to our ever-changing industry. This confidence is already starting to emerge as our strategic relentless focus on being a global, agile and client focused business led by my new leadership team with recognised deep cyber industry experience, is resonating with our stakeholders. I’m particularly proud of the efforts of a multi-disciplinary team, who have enabled our new global operations and delivery centre in Manila to launched in September 2023. Not only do we have a fully staffed business ready to go, led by Saira Acuna, who previously ran our sales and client experience team in the APAC region, but we’ve also won work that we wouldn’t previously have won as a result. This is just one example of the progress being made across the strategy and if we continue to execute on what we said we would do – the future is bright. FY24 current trading Current trading in line with expectations with: • Cost efficiencies across Cyber Security and corporate functions already being realised • Global Professional Services sales orders stabilised, no material clients lost, however North America revenue performance experienced in H2 FY23 is currently annualising through H1 FY24 giving rise to YoY double digit Q1 revenue decline • YoY double digit Q1 revenue growth in Global Managed Services • YoY single digit Q1 revenue growth in Software Resilience against a low comparator Outlook • The Board expects FY24 to be a period of considerable change for the Group, targeting a modest improvement in Group Adjusted Operating profit driven by both the Cyber Security and Software Resilience businesses In Cyber Security: • We expect low single digit revenue growth driven by stronger This will offset the annualisation of the sales declines in North American Professional Services and UK Professional Services experienced during H2 FY23 • Security) and corporate functions as announced in the June 2023 trading update and are on track to meet these In Software Resilience: • We expect revenue growth in low single digits, underpinned by sustainable actions successfully taken on pricing and sales execution. The operating profit growth will be delivered net of in-year systems investments that will realise newly identified The Board is confident that continued execution of the strategy will deliver double-digit revenue growth and mid-teens operating profit margins from FY26 onwards. Strategy • Execution of the Next Chapter strategy progressing well following key leadership appointments with deep industry recognised expertise • New global delivery and operations centre opened in Manila in September 2023 • New distinct brand for our Software Resilience business will roll out early in 2024 Mike Maddison Chief Executive Officer NCC Group plc 13 Strategic report Our business model We draw on our expertise, capabilities and global footprint to develop solutions tailored to sectors most at risk to meet current and future cyber challenges. We help to educate policymakers and regulators and we give back to protect our local communities. To address the changing landscape NCC Group needs to continually evolve. In February 2023 we launched our next chapter strategy, resetting how we go to market aligned with our clients’ changing needs. Read more on market dynamics on page 16 Sustainable growth strategy In a fast-moving and complex environment, our strategy puts clients’ needs first, with a roadmap of investments designed to develop future capabilities and a global delivery model to provide clients with the best solution. People-powered, tech-enabled We are a diverse global community of talented and creative individuals, working together and united by the same goal – to make the digital world safer and more secure. Culture of innovation With our roots stretching back to the 1990s we have a track record of being at the cutting edge of innovation. NCC Group was created in 1999 when the National Computing Centre sold its commercial divisions to its existing management; from there we continued to grow through acquisitions. And while history is important, so is the future, with innovation, insights and intelligence the core elements Stronger partner relationships We are active members of the global cyber community, working in collaboration and in partnership with key industry players. Many successful global partnerships have delivered integrated, seamless solutions to clients. Market-leading reputation We understand our clients’ challenges and the risks to their business. We continually enhance our global delivery model to bring our insights, intelligence and innovation together to help clients understand and improve the cyber resilience posture. Read more on our strategy on pages 24 to 27 environments and deliver exceptional value for our clients. At the heart of our proposition is a global delivery model, from our new state of the art centre in the Philippines, to our hubs in Australia, Europe, North America, Singapore and the United Kingdom. This enables us to deliver our complete range of cyber and escrow services in the most efficient and cost effective way for our clients. I n t e l l i g e n c e I n n o v a t i o n E s c r o w M a n a g e d S e r v i c e s C o n s u l t i n g & I m p l e m e n t a t i o n T e c h n i c a l A s s u r a n c e C y b e r I n c i d e n t R e s p o n s e I n s i g h t How we create value Inputs NCC Group plc 14 How we create value Colleagues We strive to create a safe and respectful environment where everyone is empowered to be their very best, able to follow their vocation and say with conviction that what they do helps make our digital society safe and secure. Clients Our resilience solutions enable clients to confidently innovate and embrace new technologies, and build responsible, sustainable and resilient organisations that thrive and succeed. Our network We engage proactively to ensure our insights and vision deliver the best societal outcomes in support of our mission. Our expertise provides access to basic cyber knowledge for the communities we live and work in. Shareholders We operate responsibly aiming to create an inclusive and diverse workplace, taking action to reduce our impact on the environment. We strive to be an ethical, responsible employer and supply chain partner to ensure future long-term growth and return on investment opportunity for our shareholders. Read more on stakeholder engagement on pages 40 and 41 Value creation We operate two distinct businesses offering clients a range of services to help secure their digital assets: Specialist solutions that protect business critical technology and software applications. Our proposition safeguards buyers from various risks, provides robust business continuity, secures long-term availability of essential business software, and offers assurance and guidance for application management. And with our Escrow-as-a-Service proposition, we facilitate a secure transition to the cloud, enabling clients to adopt cutting-edge technology with confidence. Read more on page 34 Providing clients with a clear understanding of cyber threats and vulnerabilities. We help them maintain their licence to operate, by achieving governance, compliance and accreditation objectives. By implementing remediation plans and solutions, we enhance their resilience against cyber threats. We offer the option to outsource cyber defence operations, as well as complementing existing resources, to reduce risk, achieve greater resilience and give confidence in detecting and responding to cyber threats. Read more on pages 32 to 33 CYBER SECURITY NCC Group plc 15 Strategic report Meet the CTO Q&A with Siân John Siân John was appointed Chief Technology Officer NCC Group from Microsoft and is the current Chair of techUK’s Cyber Security Management Committee and a council member for the Engineering and Physical Sciences funding body for engineering and physical sciences research in the UK. She was awarded an MBE in 2018 for services to Cyber Security. Q. Tell us a bit about your career so far I’ve been immersed in technology for over 30 years and 25 of those in cyber, starting off in the Houses of Parliament looking after IT for the guys who carry the mace. I’ve since worked for a number of major technology businesses, most recently with Microsoft where I had a range of strategic Cyber Security roles. The pace of change in the industry has been relentless, which is one of the reasons I find this space so fascinating. Q. What is your overall approach and ethos when it comes to Cyber Security? Security is often seen as a barrier to growth because of a consensus that you can either be secure or productive. But that’s simply not true. If we bake security into our products and processes in a way that reflects the right level of risk, it will actually unlock productivity. Security becomes a competitive advantage. I think it’s incumbent on us as Cyber Security advisors to have digital empathy – and by that, I mean a real understanding of the impact security measures have on the user. If we start from that perspective, we typically end up with better solutions to challenges that businesses face. Q. What attracted you to NCC Group? This is a business that is so well respected in our industry because of the quality of its people. NCC Group is known for having technical abilities at the bleeding edge, and so the opportunity to work with some of the brightest minds globally was one I simply couldn’t turn down. Q. Talk to us about NCC Group’s insight, intelligence and innovation This is what gives us a position in the market that no one else can match, and an offer to our clients that is incredibly strong. Firstly, insight. We work with thousands of clients across the world. We see directly the challenges they are facing. We understand their pressures. We have a deep understanding of what’s happening today, and where it might go tomorrow. And we bring this to every client engagement. We then add intelligence – our ability to see what threats are out there in the wild in real time. What are our adversaries doing? What techniques are they using? And what is the impact? This means our advice to clients is solely focused on the risks that matter. And finally, innovation. This is where we drive the market forward through our research – shaped by the challenges we see our clients facing and the passions of our experts. This is a combination that is unique to NCC Group and what gives me so much confidence about our future. 16 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 This is a business that is so well respected in our industry because of the Siân John CTO 17NCC Group plc Strategic report The ever-changing threat landscape and exponential digital transformation, coupled with society’s continued reliance on digital technologies and increasing regulatory and legislative requirements, mean investment in Cyber Security and Software Resilience is not optional and NCC Group’s addressable market continues to grow. A changing threat landscape 2022 was another year that kept us on our toes. The threat landscape was heavily influenced by the conflict between Russia and Ukraine, during which we have seen the whole arsenal of offensive cyber capabilities, deployed by criminals, hacktivists and nation state groups. Though perhaps not the “cybergeddon” that some expected from the next big global conflict, we have seen state-sponsored attacks ramp up, with cyber warfare proving to be critical across this hybrid cyber-kinetic battlefield. The threat from ransomware will remain. However, we are seeing an evolution in the way groups operate not only because of law enforcement intervention but also co-operation among governments and regulations to tackle the problem. Groups will continue to diversify operations and we have started to see less focus on encryption of data and more emphasis on exfiltration of data along with an increase in the use of distributed denial of service attacks. Threats will persist and organisations must remain vigilant and understand how they could be exposed and take steps to mitigate any risk. show that successful ransomware attacks (where data encryption was actually achieved and not just the prior phases) are only slightly Ransomware: 40% Business email Coin mining: 13% Banking malware: 7% Data breach: 7% Total hack and leak cases year on year begun readjusting after any major internal changes (rebranding or redistributions) and thus are able to compromise more victims. 350 300 250 200 150 100 50 0 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 2021 2022 Number of hack and leak cases Market dynamics NCC Group plc 18 Society’s ever-growing reliance on digital technologies There is no slowdown of the exponential digital transformation, with investment continuing to be made in technologies, from the increasingly ubiquitous use of machine learning and large language models to significant public and private investment in future supply chains upon which our connected environment depends are complex and interdependent, a reality that’s been driven home, too, by heightened geopolitical tensions and conflicts. Increasing regulatory and legislative requirements Governments around the world are trying to respond to a threat landscape that is more dynamic than ever. We are seeing significant growth in regulations and legislation globally, creating an ever more complex environment for organisations to navigate and make sense of, and we expect them to focus their cyber investments on meeting growing regulatory requirements. What is more, we expect the trend of growing cyber regulation to continue as thinking converges that: improved cyber resilience is ultimately an issue of national security; the rising cost of cyber crime needs to be tackled; and (better) regulation should unlock growth, as the assured safety and security of digital technology will drive trust, confidence and therefore uptake. As a result, we expect to see more coherence and co-ordination of policy and regulatory initiatives across like-minded governments around the world. For example, the governments of the UK, Canada and Singapore published a joint statement of intent on Cyber Security for Internet connected products. It signalled the three governments’ intention to promote global alignment on standards and security requirements, reducing “duplication of testing and similar assessments and the challenge for industry of needing to apply to multiple schemes underpinned by identical or very similar requirements”. See pages 22 to 23 for how we are contributing to the changes to cyber-related policies and regulations across the world. Hotspot map representing concentration of global attacks events over the whole of 2022. We can see from the below graphical representation the proportion of yearly global attacks levied against the ten most targeted nations. 45.081.06 % of total NCC Group plc 19 Strategic report Other common trends include: • Shifting the “burden for security” to those with the broadest shoulders: The US National Cyber Security Strategy announced a clear shift in responsibility for cyber to software vendors and manufacturers in March. • More confident regulatory interventions to define dynamically what constitutes critical national infrastructure in the digital sphere and make it more secure and resilient: The UK announced plans to move forward with legislation in November, extending its scope to managed service providers, and giving the government powers to extend the scope of NIS more easily. • Efforts around improving incident reporting, driven by the desire to improve visibility and situational awareness of the threat landscape more holistically: The Australian government launched an updated Critical Infrastructure Resilience Strategy and Plan in February, outlining those activities the Cyber and community will pursue to enhance resilience, with a clear focus on a greater role for the Trusted Information Sharing • Greater emphasis on developing frameworks and principles for regulating technologies rather than detailed regulatory proposals per se: are underway in many jurisdictions – a common trend appears to be the desire to open AI decision making to greater scrutiny, as seen in the UK’s AI Paper, the US blueprint for an AI Bill of Rights, and the AI Risk Management Framework and the proposals. Similarly, many jurisdictions are working on plans to develop (and regulate) central bank digital currencies, while global initiatives are underway by the Financial Stability Board, and the NCC Group’s continued portfolio evolution and differentiation As Cyber Security threats change and technology develops to counter them, organisations are demanding fewer, more comprehensive solutions rather than having to manage an increasing number of interdependent but separate tools. As client needs change in this fast moving, evolving threat, technology and regulatory landscape, we are staying agile to best serve them – and deliver on our purpose. We are investing in our cyber capabilities. Above all, that means a broader portfolio addressing the full Cyber Security lifecycle: • Maintain our high quality of Incident Response services to help clients at their critical moments • Enhance the suite of Managed Services we offer to deliver a global, high quality managed security service that is led with world-class threat intelligence capability, provides transparent value, and is delivered through a consistent technology stack and operating model • Invest in our core Technical Assurance capabilities, such as continuous, always-on cyber threat detection and penetration testing • Building additional Consulting & Implementation services proposition to help C-suite buyers confidently meet increasing Cyber Security requirements US National Cyber Security Strategy Significant shift away from voluntary measures to regulation. Digital Operational Resilience Act Enacted. NIS2 Enacted. Cyber Resilience Act In progress. Cyber Solidarity Act In progress. Increase in regulatory developments across our key operating regions Discussion paper on Australia’s Privacy Act review Security of Critical Infrastructure Product Security & Telecommunications Infrastructure Act NIS Regulations Reforms progressing slowly. App: Code of Practice Consulting on software regulation Market dynamics continued NCC Group plc 20 As client needs change in this technology and regulatory landscape, we are staying Strategic report 21NCC Group plc It’s in our DNA We understand the sectors our clients operate in, including market trends, regulatory and overall business environment, and the specific threat landscape. We do this by investing in research and data analysis, listening to clients to understand the intricate details in their field of operation. The value to clients is solutions, which are relevant and personalised and anticipate their current and future requirements. Through our global capability we provide unique perspectives and strategic advice to help clients make more informed decisions and ultimately grow their business responsibly and sustainably. 22 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 How insight supports our strategy Strategic report In focus looms large over the coming years, UK telecoms providers are under While the UK is, in some ways, leading the charge with its TSA, it’s actually part of an overall trend in global policymaking aimed at creating a more secure and resilient telecommunications infrastructure. Across the globe, governments in Europe, Canada, the United States, Australia and Singapore have moved, or are moving quickly, to implement telecoms security standards affecting thousands of industry businesses. Beyond mandatory compliance, there’s also a compelling business case for organisations to use the TSA, and its international equivalents, as an opportunity to build more secure, resilient infrastructure. Working with NCC Group’s government affairs team, and our industry partners, our global team brings cyber expertise within the context of telecoms and cloud services, to simplify these new regulations, and explain not only what’s required but how achieving compliance proactively can be a competitive differentiator. of innovation, it’s important that government policies and regulatory Mike Maddison CEO Strategic report 23NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Link to risks: A Strategy B Cyber and information security C Innovation and product development D People and partners E Market and competition F Brand and reputation G Quality and delivery H Our strategy Our clients pressing Cyber Security and Software Resilience needs. Our capabilities Offering a broader service portfolio addressing the full Cyber Security lifecycle. Read more on page 25 Read more on page 25 Global delivery Transitioning from an international to a fully global business. Brands Creating distinct and relevant brands for our Cyber Security and Escrow Software Resilience businesses. Read more on page 26 Read more on page 26 In February 2023 we announced our new strategy, signalling the next chapter of NCC Group’s story and focused on: This section provides more information on these four elements, what we’ve achieved so far, how we will measure progress, and our FY24 priorities in service of our vision to become a truly global Cyber Security and Software Resilience services provider capable of delivering an end-to-end cyber solution that harnesses our strengths in insights, intelligence and innovation, accompanied by a fantastic client experience. Read more on our risks on pages 70 to 80 Read more on our business model on pages 14 and 15 To be more client centric and operate as a global firm, we are restructuring how we operate. This will help us achieve our ambition, providing clients with not only the best, but also the breadth of NCC Group’s ever-advancing Cyber Security and Software Resilience solutions. We are engaging colleagues, helping them to get excited about NCC Group’s future, building on the past, and identifying the role they play in delivering for our clients. Every single person at NCC Group takes responsibility for client delivery. To co-ordinate, execute and track progress, we have created a modest transformation office – bringing together, for the first time, central co-ordination of strategy delivery for the Group. This will help us continue to deliver value – creating a bright new future for colleagues, clients and shareholders alike. Over the next couple of pages, we outline each of our strategic pillars, what we’ve achieved since the launch in February 2023 and what is coming up in the near to mid-term future. Diji Akinwale Director of Strategy and Transformation NCC Group plc 24 Deeper client engagement on the most pressing Cyber Security and Software Resilience needs What we said we would do: In February 2023 we announced our plan to concentrate on the rapidly growing, highly regulated sectors most vulnerable to cyber risk. These sectors include financial services, technology, media, telecommunications, government and public sector, infrastructure, and industrials. To implement this we are restructuring the organisation. This means moving away from the previous regional P&L model to establishing a global, revenue-focused team, aligned by regions and the sectors identified above. The aim of this restructure is to enhance our client relationships through targeted expertise, while consistently assessing our impact across different regions. This strategy will expand our range of services within existing client relationships and better capture the global scale of the insight, innovation and intelligence we have historically delivered to clients. What we have done: Since initiating our strategy in February 2023, we’ve streamlined our market approach by implementing a sales structure that aligns our major regions by verticals. We have successfully established this vertical alignment in the UK, and the same structure is currently being scaled in North America. For our smaller regions, we’ve strategically aligned them with a country-centric focus, incorporating elements of the vertical structure where suitable. This restructuring forms a crucial part of our commitment to meet our clients’ needs more effectively across various geographies and sectors. We have also invested in Cheltenham and New York offices to ensure our property portfolio echoes our commitment to client service and reflects both the needs of our business and our colleagues . We have also further established our strategic partnerships. We have accelerated our strategic relationship with Microsoft ‘Global Validation’ status from Microsoft, enabling greater access to discount and Microsoft sellers and been awarded a ‘managed account’ status by Microsoft, recognising our investment and growth. Beyond Microsoft, we have now signed a global partnership with Splunk that enables better pricing for our clients and access to wider Splunk sales teams. Link to risks: A Strategy B Cyber and information security D People and partners E Market and competition F Brand and reputation G Quality and delivery H Offering broader service portfolio addressing the full cyber security lifecycle What we said we would do: We proposed that in the coming years, we would look to build out a broader service portfolio addressing the full cyber security lifecycle, including: • Continuing to invest in our core Technical Assurance capabilities • Maintaining high quality of Incident Response services to help clients at their critical moments • Further development of our Managed Services offering, • Building an additional Consulting & Implementation services proposition to help C-suite confidently meet increasing cyber security requirements What we have done: Since February 2023, when we announced our next chapter strategy, we’ve actively sought to enhance global alignment across our cyber security capabilities by establishing three global capability groups, spearheaded by our new Chief Operating Officer, Kevin Brown; see page 29. This structural shift aims to better manage our global cyber security capabilities and our global delivery and operations centre in Manila (see global delivery pillar). This setup plays a vital role in driving global growth by creating the capacity and ability to cater to our clients’ needs. Our Managed Services sector was the first to align globally, and has seen revenue growth of c.16% in FY23. This underpins the positive impact of a more globally centred focus, particularly the second half of the financial year. Our ongoing reputation for cyber can be seen in our recent announcement to be one of the first six providers for the UK NCSC’s new Level 2 Cyber Incident Response scheme. This recognises our ability to help private and public sector organisations (big or small) as well as charities recover from cyber-attacks and should give buyers confidence about the breadth of our capabilities. Read more about this story on our newsroom: www.newsroom.nccgroup. com/news/ncc-group-announced-as-an-assured-service-provider-in- latest-ncsc-cyber-incident-response-cir-scheme-470825 Link to risks: A Strategy B Cyber and information security C Innovation and product development D People and partners E Market and competition F Brand and reputation G Quality and delivery H NCC Group plc 25 Strategic report Our strategy continued Transitioning from an international to a fully global business What we said we would do: We promised we would globalise our delivery capabilities. This would allow us to move from an international to a truly global business and would involve building a global delivery organisation with new leadership tasked with developing the best skills through flexible resourcing, including a new global delivery and operations centre, with implementation in FY24. What we have done: We have concluded our search process for a new global delivery and operations centre and selected Manila as the location for our new office. A sustainable site has been secured, with recruitment (both internally and externally) underway and on track to be operational in 2023. To drive this accelerated launch, our experienced leadership and implementation team have developed local relationships with universities to attract the best skills that will complement recruitment of experienced hires, alongside our global delivery capability, and help deliver existing and new services to clients. This launch of a global delivery centre has required us to rollout a new scheduling system, Kantata, to our US region as the precursor to a global rollout. Putting this system in place will allow us to seamless schedule and allocate work from clients in any region to any of our global delivery colleagues, whether they are based in Manchester or Manilla. Link to risks: A Strategy B Cyber and information security D People and partners G Quality and delivery Creating distinct and relevant brands for our Cyber Security and Escrow businesses What we said we would do: In February 2023, we announced we would create distinct and relevant go-to-market brands for both our Cyber Security and Software Resilience businesses. These would help to us to differentiate and grow our brand profile. As part of our broader brand and marketing programme, we said we would increase our focus at key industry events and be more visible in market, and invest in sustained activity to build and strengthen relationships at C-suite level in our target markets. Finally, we said that we would better leverage our world-class insight and intelligence, such as our regular research from consultants or monthly Threat Intelligence reports. What we have done: We undertook the work to rebrand the Software Resilience business and it will rollout from January 2024. You can read more about this on page 34. Work is also underway for our Cyber Security rebrand. We’ve invested in significant presence at key cyber events such as Gartner’s EU Risk and Security Summit 2023, and Black Hat USA 2023 with bolt-on relationship building activity planned. In the autumn of 2023, we will launch our own events programme, for example, featuring our Global Head of Threat Intelligence, among others, to add value to our clients and the broader cyber community. Brands Link to risks: A Strategy C Innovation and product development E Market and competition F Brand and reputation G Quality and delivery NCC Group plc 26 Part of the vision for NCC Group is to become a go-to provider of cyber services for decision makers through a greater focus on clients, capabilities, global delivery and differentiated brands. This means being able to leverage the moments when we add value for our new and existing clients to create greater impact through offering a broader range of services. We demonstrate this with a case where we were brought in to support an international organisation possessing a complex on-premise and multi-cloud architecture. They had experienced multiple Cyber Security incidents in recent years and brought us in to provide consultancy services to consolidate and enhance their Cyber Security posture quickly. As part of the consulting services initially requested, our team conducted a compromise assessment, where we deployed tools to identify indicators of compromise that threat actors leave during an attack. This led to us carrying out a high level review of its whole infrastructure to identify any vulnerabilities that would present a critical risk to its business operations, examining its external attack surface (including its public cloud services) for potential exposure of data or vulnerable services, analysing data sets related to previous breaches for evidence of undetected data exfiltration. As a result of this consulting work, the client was able to move forward with confidence that there were no urgent issues to address before thinking about the long-term requirements. One of the long-term critical gaps identified during the consulting review was the lack of ongoing protective monitoring. Through our development of Managed Services, we were perfectly placed to plan and implement a rapid deployment of our NCC Group Managed XDR service using Microsoft Sentinel and Defender. The initial launch of this service was completed within five weeks and addressed the on-premise and high priority cloud infrastructure organisation and the client is moving forward with its programme of security improvement in the knowledge its starting position is not critical, and any new threats will be identified quickly if they arise through protective monitoring. We expect in future that much of our growth will come from our ability to offer and embed a greater variety of services with our clients. Our strategy enables this by ensuring that our expanding range of capabilities can be delivered to clients across the globe. This allows us to build on our historical strengths and create greater impact for our clients across the full lifecycle of Cyber Security decisions that they will make. Read more on our cyber solutions pages 32 and 33 Strategic report NCC Group plc 27 We are a Company with a unique perspective. Most Cyber Security business’s operate advise without having a real understanding Kevin Brown COO 28 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Meet the COO Q& Kevin Brown was appointed COO in June 2023. He spent 20 years in high level UK policing before moving to BT in 2012, where he built a $1bn managed security services business. Most recently, he has been resident CISO for private equity firm Insight Partners, leading its “C-suite in residence” programme and working with cyber companies to challenge and refine their strategies. Q. What attracted you to NCC Group? I gave a lot of thought to what I wanted in my next role. I was looking for three things. Firstly, I only wanted to join a pure-play Cyber Security business. This is where my passion lies. Secondly, I was looking for a company with a clear vision and going for growth. And finally, it had to have the right culture – somewhere that people were supported to do brilliant work. I found all three at NCC Group so in the end it was an easy decision to make. Q. What makes NCC Group different? We are a company with a unique perspective. Most Cyber Security businesses operate from the outside in – they attempt to sell and advise without having a real understanding of what’s going on within a business’s technology infrastructure. But we operate from the inside out. We are often in privileged positions where we gain an intimate knowledge of our clients’ challenges through our world-class incident response capability or ongoing penetration testing. We are trusted to hold the “tip of the spear”. And this means the subsequent consultancy and end-to-end support we deliver is designed around the specific needs of each client. This really sets us apart. Q. Where do you see the biggest opportunities? We are building out a set of services that will act as a natural flywheel. There’s a sequential nature to what we do – one informs the other and allows us to create deeper relationships with our clients. We have all the constituent parts, as well as from some of the most significant businesses globally. This is simply about knitting each element together – and we are already taking some very meaningful steps forward. Q. How do you view the global opportunity for NCC Group? We are already an international business. We have fantastic client relationships and incredible talent in every major market. The opportunity for us lies in greater global consistency – ensuring shared best practice across markets – and flexibility in resourcing, both of which will result in an even better service for clients. Our new global delivery centre in Manila is a prime example of how a global approach can make our business more efficient, agile and scalable. Strategic report 29NCC Group plc — Annual report and accounts for the year ended 31 May 2023 It’s in our DNA The world around us continuously evolves and so must how we operate to stay at the cutting edge of our industry. We think forward, we adapt and we’re not afraid to take calculated risks. For our clients this means access to the latest Cyber Security solutions that offer them peace of mind, knowing that, working in collaboration, we’ll always be scanning and preparing for threats to ensure their business stays operational. 30 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 In focus NCC Group drives for innovation, to improve the security of the industry, our capabilities and the way that we support our clients Strategic partnership Innovation thrives in the land of collaboration, which is why we have built strategic relationships with industry leaders, allowing us to quickly integrate cutting-edge technologies and capabilities into our solutions providing well-rounded competitive offerings. Expert Cyber Security professionals Our Company strengths lie in the proficiency of our Cyber Security experts. We lean upon this core strength to innovate our product and services to provide continuous consultant-led solutions. As an example of this, we continue to evolve our threat intelligence capability to help our clients and the broader cyber community dealing with the rapidly changing risk landscape. Our insights have been cited in the press and clients are increasingly looking to us for intelligence and advice and insights on their exposure and response. This has culminated in our newest threat intelligence service, Online Exposure Monitoring. Online Exposure Monitoring is an example of how we’ve built a partnership, fed requirements and utilised our internal experts to create a new innovative service that fits with our wider portfolio to solve multiple client problems. Online Exposure Monitoring provides a lens that looks from the inside out, creating continuous visibility into a client’s digital risk. Our Company strengths Siân John CTO How innovation supports our strategy Strategic reportStrategic report 31NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Our solutions INCIDENT RESPONSE MANAGED SERVICES Our global response capability provides immediate support to clients under attack and in preparing for attacks. In the event of an attack our service minimises disruption to their business, mitigates threats, protects valuable data, reduces financial loss and safeguards reputation by swiftly identifying, containing and recovering from cyber attacks. Impact Sector: IT/technology Challenge: Highly sophisticated threat actor had maintained elevated access over considerable part of the environment for months. Solution: NCC Group enabled the client to increase its visibility in the environment while tracking the threat actor’s activity and reverse engineer its custom tooling to achieve a successful eradication outcome. Value: The full extent of the compromise was identified, and the threat actor was successfully removed from the environment. The client improved its overall security posture and additional recommendations to further fortifyxthe environment were provided, as well as additional reports to satisfy any enquiring authorities. Revenue sources • Non-recurring revenue but is an entry point for other services that we offer Strategic objectives • Continue to evolve and maintain the high quality we have today of this critical, niche service Our managed security services are known for delivering high quality, consistent protection, informed by our world-class threat intelligence. Our clients can expect us to deliver solutions fit for their unique environment, presented transparently. The outcome is real time threat protection against a very sophisticated group of bad actors. Impact Sector: Education Challenge: Ireland’s National Education and Research Network organisation, HEAnet, was looking for a partner to support the Irish education sector’s fight against cyber crime. Solution: Building on a similar engagement for the and security operation centre services, along with rapid intelligence sharing. Value: We provide a critical support service to HEAnet’s offering to over 30 educational institutions in its network. With our integrated, collaborative alert system, and ongoing monitoring, HEAnet is able to provide institutions with the knowledge they need to build strong defences and quickly respond to evolving threats. Revenue sources • Largely recurring revenue Strategic objectives • As a future growth driver we are investing to enhance our offer to increase annual recurring revenues, and gain a larger share of our client’s Cyber Security spend NCC Group plc 32 CONSULTING & IMPLEMENTATION TECHNICAL ASSURANCE Our Cyber Security experts work in collaboration with our clients to identify potential vulnerabilities, develop a strategy to mitigate these weaknesses, and then execute the plan to strengthen the overall security posture to protect valuable assets from potential threats. Impact Sector: Challenge: Group executives lacked confidence in an external security review and wanted an expert technical opinion to drive security spend. Solution: We baselined their technical capability and researched their threat landscape. We expanded our review into a comprehensive understanding of their system security and produced a roadmap for security investment and capability development. Value: Provided peace of mind and a solution to reduce the client’s attack surface, removed system vulnerabilities, increased security awareness, and improved its ability to monitor for and respond to threats. Revenue sources • Non-recurring revenue but with potential for other services Strategic objectives • As a future growth driver, we are investing in broadening our portfolio of Cyber Security consulting services so that we can better advise clients on their cyber risk strategy and then help them implement technologies and supporting processes that mitigate their cyber risk We provide clients with proactive defence of their digital assets through vulnerability assessment, penetration testing, sophisticated adversary simulation, staff training, third party assurance, and constant compliance and security monitoring to enhance their system resilience and data protection. Impact Sector: Technology Challenge: The client lacked security coverage and needed a partner to provide manual testing services and manage critical vulnerabilities with remediation testing to verify fixes were in place. Solution: We provided the client with 24/7 coverage from our global team, focusing on security testing and providing reliable and effective coverage to help maintain the security of its applications, as an extension to the in-house security team covering multiple time zones and technical specialities. Value: The client had access to a global team of skilled testers bringing diverse expertise and knowledge to address potential security vulnerabilities. As a result it reduced pressure on the in-house team and avoided costly recruitment costs by outsourcing the capability. Revenue sources • Non-recurring revenue but with potential for other services Strategic objectives • Invest in our core Technical Assurance capability, including our continuous, always-on testing proposition Strategic report NCC Group plc 33 Our solutions continued ESCROW AGREEMENT ESCROW VERIFICATION An Escrow Agreement is a simple and effective tri-party arrangement with mutually agreed terms between the software customer, software supplier and NCC Group. Under the Escrow Agreement, the supplier periodically deposits a copy of the software source code and associated materials for secure storage within NCC Group’s secure physical or virtual vaults, ensuring that the material can be accessed and released should the need arise. In the event of a release, the software customer can utilise the escrow deposit to maintain the software, working from the source code, whether that be in house or by engaging with another supplier. Impact Sector: Renewable energy Challenge: When solar energy pioneer BrightSource wanted to develop large-scale innovative projects, its partners and bankers needed insurance against any potential risks that may disrupt the smooth construction and operation of its plants. IP escrow and verification added a level of reassurance at every stage with key project milestones included tied to the release of project funding. Solution: To meet the needs of both BrightSource and investors, NCC Group and BrightSource worked together to develop a tailor-made business continuity and risk management solution to allow investors to witness important developmental stages themselves and to have access to important documentation should the need arise. Revenue sources • Recurring annual revenue through contract renewal Strategic objectives • Increase our footprint in key growth areas of North America, Australia and the critical infrastructure market Software Escrow Verification tests the source code and material held under the Software Escrow Agreement to ensure it is correct and complete and can be rebuilt into the working application, providing a higher level of resilience and business continuity assurance. Impact Sector: Financial services Challenge: One of our customers, a multinational systemic bank, had two challenges: scenarios where supplier was no longer able to provide support for software deployed in house process was a successfully stressed exit plan as required by the PRA SS2/21 outsourcing and third party regulation Solution: An Escrow Agreement had been in place for several years, but the appropriate level of verification had not yet been completed. To meet the requirements of the PRA SS2/21 regulation, a complete end-to-end Escrow Verification was completed. This was conducted in a clean environment at NCC Group, without reliance on the software owner’s infrastructure, using the deposit materials collated as a result of an Entry Level Verification. Value: All results were documented in a comprehensive report and distributed to all stakeholders. Successfully delivering this verification demonstrates the scenario of a release event and ensured that the application could be built from the source code. With the escrow arrangement and the confirmation of the Independent Build Verification, the bank has the peace of mind that it is compliant with the PRA requirements and has a tried and tested plan, should anything happen to its supplier. Revenue sources • Recurring annual revenue through contract renewal and a schedule of verification tests Strategic objectives • Continue to increase our verification attach rate to Escrow Agreements NCC Group plc 34 Meet the Global Managing Director Q& Andrew was appointed as Global Managing Director for NCC Group’s Software business in November 2022. Before joining NCC Group, Andrew was CEO of the then AIM-listed Tungsten Network, and Group Chief Strategy and Transformation Officer of IWG plc (formerly Regus). Prior to that, Andrew held a variety of leadership roles within the technology sector, at Dell Computer Corporation and Toshiba Information Systems, having begun his career with IBM. Q. What have you learned since joining NCC Group? My greatest learning has been that the Software Resilience business has more untapped opportunity than I realised. In any business where revenue has plateaued, you expect to find operating model inefficiencies. The ability to address these comes down to the support from the Board, from the ExCom, our people and our clients. I have found that in abundance, with everyone becoming involved in, and committed to, delivering sustainable growth through a plan that addresses those operating inefficiencies to build the right foundations that underpin growth. The future growth of the Software client at the centre of all that we do, radically simplifying our processes and utilising new and emerging technology to deliver an enhanced client experience. Q. What are your achievements of note since stepping into the role? As a team, I am proud that we returned the business to growth in H2 FY23 by focusing our sales and delivery teams on a single objective – which was to meet the needs and requirements of our clients. Overburdened with priorities, this was achieved through identifying and focusing on the “critical few actions”, which are transformative to our business, our bottom line and our client experience. These included improving internal communications, developing and launching a roadmap to simplify our processes, and building and implementing a credible growth plan. We have witnessed a strong increase in colleague engagement over the period and I am incredibly proud of not only what the team has achieved, but the drive to be innovative in what we deliver to our clients. Today, we have a team who believe in themselves and in the value they are adding and who are passionately committed to our clients and to achieving growth. Q. What makes NCC Group’s Software Resilience business different? Without question our people, our offerings and our clients. At the heart of our organisation are the teams that sell to, support and deliver for our clients. I have spent a great deal of time getting to know the team and listening to their input, which has been used to help shape our change agenda. The commitment and passion the team show continues to make me proud to have each of them within the organisation. Our product portfolio is impressive, not just software escrow, but extending into many related products and offerings, which are some of our best kept secrets. In FY24, we need to be far more vocal about what we offer and what we can do to meet our clients’ needs. Our clients are highly innovative and working with them has enabled us to change the way that we work to help deliver the right solutions to them at the right time. At the end of the day, our clients want to feel protected, safe and reassured that they are receiving the best levels of service and that their needs matter and are being answered. Strategic report 35NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Q. Where do you see the opportunity for Software Resilience? I believe the future for Software Resilience is bright. There is opportunity within our existing client base and within the existing market whitespace for acquiring new clients, and within new and emerging markets, and we have new and emerging products. What we need to maintain is a planned and focused approach, which gives a rigorous approach to the way we manage and develop our business. We will deliver on our simplified, scalable business model to underpin our ability to realise the market opportunities. Q. What are the key initiatives for FY24? In FY24, we will continue to invest in simplifying our processes; we will retire several duplicated systems, enabling us to have a simplified and more effective client journey. We will build out our presence in our existing markets, while also growing our presence in both Europe and Asia. Another focus area for us will be to expand our product portfolio and identify key market adjacencies to further drive growth. Added to this, we will launch our new brand, which will see us move away from the Software Resilience name, amplifying our brand presence and creating a distinct and separate brand from NCC Group’s Cyber Security business. In all, FY24 will be an exciting year for the business, as we demonstrate what the team is truly capable of. Q. How would you describe how the Software Resilience business contributes to the performance of the Group? Our profitability and recent flat revenue performance clearly make us a cash cow for the Group; however, with our team, our client base and our growth plan, we can be so much more! Q. How well known is Software Resilience in the market? It’s a little-known fact that NCC Group is the creator of software escrow as a service, and today we are the world’s largest software escrow provider. We protect and verify code for some of the world’s leading companies and Government organisations. But we don’t tell people enough – now all that’s about to change! Back in February 2023, Mike Maddison, our CEO, said that NCC Group would create distinct brands for both the Cyber and Software Resilience businesses. I’m pleased to say that as of now, we are on the cusp of rolling out our new brand for escrow. Q. What will be the new brand for Software Resilience, and what difference do you think it will make? I’m really excited about our own distinctive brand, Escode, that I think will help us to differentiate and stand out in the market. Visually it’s striking, but a brand is so much more than that. This creates the opportunity for us to build our own identity, to reconnect, and to engage with customers past and present, helping us to build a better connection and creating an opportunity to tell our story. Q. When will we start to see the new brand in the market? We unveiled our new brand to colleagues in September 2023, and expect Escode to be rolled out, including a new website, early in 2024. Exciting times! Meet the Global Managing Director continued I believe the future for Software Resilience is bright. There is opportunity within whitespace for acquiring new clients, and within 36 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Our new centre in Manila 37NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Strategic report 37 It’s in our DNA We use, analyse and interpret the vast amount of data we collate to make strategic decisions – for our own business and that of our clients through the solutions we offer. We use technology, data and machine learning to make smarter, data- driven decisions, to operate efficiently and predict trends. The value to our client comes from our ability to turn that intelligence into smart solutions. And while we utilise artificial intelligence and other technologies to deliver services at a faster rate, and lower cost, it’s a higher quality and trusted service to our clients. 38 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 How intelligence supports our strategy Strategic report In focus 60 unique data feeds – helps our clients defend against the latest We’re constantly assessing, investigating and aggregating threat intelligence from the dark web, research and our learned insights from client engagements across the globe. Our intelligence provides for the deployment of defences against the latest attacker techniques and IOCs. Our clients are able to leverage NCC Group’s advanced threat intelligence which feeds directly into our custom threat detections. With a local presence in all continents around the world, Siân John CTO Strategic report 39NCC Group plc — Annual report and accounts for the year ended 31 May 2023 We believe we have a responsibility to listen to our stakeholders, considering all their needs, and using insights and learnings to improve how we make important decisions. Our Code of Ethics guides us, informing and helping us to build enduring and trusted relationships. Listening insights are used to inform decision making at every level of the organisation. Stakeholder engagement Link to strategy: Our clients Our capabilities Global delivery Colleagues The opportunity • Know they are contributing to our success • Feel confident they have the skills to do their job or are supported to learn on the job • Know what is expected of them through structured and fair performance management process • Have the opportunity to grow their career through our learning and development offering • Spend quality time with their line manager and feel listened to How we listen and engage • Regular virtual and in-person meetings at different levels in the organisation with line managers and Executives • Internal news and collaboration channels to connect colleagues to what is happening and also enabling them to easily share approved content • where appropriate • Highlights in 2022/23 • Launch of new Talent Partnership Framework to attract diverse talent – entering into partnerships with Women • Launch of a global Speak Up policy to provide clear guidance and signposting to colleagues across our global teams • Scoped and planned launch of gathering of diversity data, due to launch in FY24 We are a people-led, tech-enabled business and our colleagues around the world each play an important role in helping to make the digital world safer and more secure. Clients The opportunity • Using our research and intelligence expertise to understand the threat and how that affects our customers’ operations in their sector • Using our insights to develop “right-fit” solutions, which improve and enhance our customers’ current and future cyber resilience • The ability to work collaboratively with our clients, their partners and broader supply chains • Horizon scanning regulations and legislation, and contributing to government consultations based on understanding of future market needs How we listen and engage • Active account management • Client satisfaction surveys and complaints procedure in place Industry collaboration with investment in sector-based approach to understand and mitigate risks of current and future technologies Highlights in 2022/23 • Streamlined our market approach implementing a sales structure aligning our major regions by verticals. Smaller regions have been strategically aligned with a country-centric focus incorporating elements of the vertical structure where suitable. This forms a crucial part of our commitment to meet our clients’ needs more effectively across various geographies and sectors Rooted in our sector knowledge, we develop solutions tailored to the unique needs of our clients. Bringing our in-depth understanding of the threat and regulatory landscape, we assist our clients in addressing their complex Cyber Security challenges. NCC Group plc 40 Shareholders Our network The opportunity • Financial performance • • Responsible long-term sustainable strategy • Sound corporate governance and stewardship How we listen and engage • Strategic and financial updates issued via RNS Reach and RNS respectively • Regular meetings with investor relations, management and Board members • Investor roadshows after the full and half-year results • Open-door policy with investors • AGM Highlights in 2022/23 • Relations in January 2023 • Implementation of investor management system – with both shareholders and analysts • New strategy launched in February 2023, with investor roadshow to build deeper understanding of our vision • Following our trading update in March 2023, the management team offered shareholders the opportunity to meet to discuss what had happened and further engage how the new strategy would address concerns The opportunity • Building on our technology heritage and our role as trusted advisors to governments and regulators we provide independent, technical expertise to improve cyber resilience policies • By understanding and shaping new and emerging regulations and policy proposals we can develop the right solutions to prepare for our clients’ future needs and requirements How we listen and engage • Building alliances with global think tanks and foundations, trade associations and campaign groups to pool resources, amplify our messages and maximise impact • Strategic relationships with national technical authorities, and support for government initiatives across all our regions through direct engagement • Representation on senior government advisory panels Highlights in 2022/23 • Engaged with regulators around the world to advocate for in Canada, Switzerland, the UK and India, paving the way support compliance • Joined the United Nations’ intersessional consultation on a new cyber crime convention, making recommendations on how to improve international collaboration between law enforcement authorities, promote cyber capacity building, and protect the contribution of the industry in tackling cyber crime We are committed to engaging with our shareholders, creating an opportunity to understand our business, the market, how we are responding and the opportunity to secure growth. Our expertise plays a pivotal role in shaping evidence-based policy decisions. By adopting a proactive engagement approach, we harness our insights to contribute meaningfully towards a more secure digital society and differentiate ourselves in the market. Suppliers The opportunity • Long-term trusted partnerships facilitating sustainable overhead cost reduction and cost of sale margin improvement • Fit for purpose contracts and payment terms, ensuring a safe and responsible supply chain with suppliers delivering to acceptable service levels and protecting NCC Group from any long-term commercial inflation How we listen and engage • Regular meetings are held with key suppliers to help them understand our strategy and future forecasting of service • with suppliers and structured on-boarding process Highlights in 2022/23 • Engaging existing suppliers in ESG to support our journey to net zero • Introduction of a consistent global supplier on-boarding and due diligence process to gain better visibility and control of third party risks • Improved supplier relationship management process implemented to drive better commercial value, operational delivery and future innovation • Successful progression and management of the Group’s real estate strategy to provide quality and productive environments We engage with many different suppliers across our global business and value the role our supply chain plays in supporting responsible business operations. Our procurement operations have been endorsed in line with industry best practice and we proactively work with a consolidated supply chain network to drive innovation, deliver commercial value, mitigate risk and improve operational benefit. NCC Group plc 41 Strategic report Culture At NCC Group we embrace difference and are connected by our purpose to make the digital world safer and more secure. Across our global operations we form a phenomenal network, working together, collaborating and innovating to support our clients. We are guided by our Code of Ethics and our values, which define our behaviours – treating everyone and everything with respect. This is the foundation of our culture and we strive to create an environment where everyone is welcome, feels safe and can be successful. Our mission unites us as a global community. many of the world’s leading businesses. Our focus are supported to be their very best, and they feel empowered with managers and leaders who inspire them. We provide clarity on their role and as Above all, we give colleagues the opportunity to follow their vocation and say with conviction that what they do makes the digital world safer and Michelle Porteus Chief People Officer Our values We work together We have each other’s back We are brilliantly creative We look at things differently We embrace difference We respect each other We take responsibility We get things done in the right way 42 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Wellbeing Our work can be exciting and intense, delivered by passionate, committed teams. We recognise the level of focus required to deliver to high standards, and acknowledge that the pressures of external and internal factors, when combined, can lead to burnout. We’ve come through a pandemic where the focus was very much on mental and physical wellbeing, into some challenging economic headwinds – not just for NCC Group but also personally for colleagues. This year we enhanced our wellbeing programme to cover financial wellbeing too. As we headed into the Group’s first redundancy programme in February 2023, the support was welcomed by those impacted, and their teammates who remained. Mental wellbeing We have a global network of trained Mental Health First Aiders, who provide support to their colleagues as required or requested. in place for colleagues around the world, as well as on the ground support through the people team. All managers are offered training in mental health awareness and throughout the year we run various colleague engagement campaigns to ensure that it’s always okay to talk about mental health. Physical wellbeing As we continue to evolve how we work, we have made decisions to close offices and embrace hybrid working practices for those close to our main office hubs. Colleagues are supported financially to set up their homeworking space, to ensure they are operating in a safe environment. In the US, we changed the policy for new colleagues, to enable them to access negative vacation of up to 40 hours within their first six months (a period that is normally used to accrue future time off) and putting emphasis on the balance of work and time away from the business, ensuring they are empowered to take time off to rest and recharge as needed. Buy Scheme – to enable colleagues to purchase up to five In addition, long-service colleagues received additional days off added to their annual allowance with the first milestone for an additional day being four years. Financial wellbeing In the US we ran our first financial wellbeing week providing colleagues with an extensive programme of support on personal budgeting, saving for the future, retirement and much more. We also introduced a wellness bundle that supports financial, physical and mental wellness. Our UK financial wellbeing programme included introducing new mortgage broker benefits and free one-to-one pension adviser meetings as well as a host of other internal and external resources for colleagues to access. In Spain we ran two external training sessions to help colleagues learn how to manage stress and build financial resilience. Bringing it all together we also launched Perkbox, a global discounts and perks app which also includes access to a wellbeing hub. Professional development NCC Group has become a hub for talent, a place where people can develop personally and professionally. We offer a broad range of career options across our technology, sales and professional practices. We strive to create an inclusive environment to grow, and we have an embedded transparent performance management process to support this. Performance management Colleagues and their managers are encouraged to meet on a regular basis to review performance, with a formal documented review at the half and full year. The performance review plays an important role in supporting colleagues’ personal development opportunities, while providing role purpose and clarity. Career paths guide options, and our commitment to internal mobility and the open approach to vacancies support our ambition to retain our talented teams and enhance careers within the Group. 64 colleagues took up new roles within the organisation, Learning and development In FY23 we brought the local training teams together as one global team to enhance our learning and development programme. The team is focused on building capabilities to support our move to a global operating model – we’ll continue to invest in career paths and equipping colleagues with the tools and knowledge to develop their own careers, supported by our performance management process. NCC Group plc 43 Strategic report Culture continued Professional development continued Colleague engagement In 2022 we decided to move away from the annual colleague survey to a more progressive way of measuring sentiment on a quarterly basis. We partnered with Glint, the LinkedIn engagement programme, with the benefits of managers having direct access to results (while still preserving anonymity of participants) and being empowered to own the results, the conversation and actions locally with their teams. This regular pulse is critical while NCC Group moves through this phase of transformation in the next chapter of the strategy and provides the executive team with a rounded view on how colleagues are feeling. Other sources of feedback are also sought, and this includes regular and very successful listening sessions hosted local town halls, as well as the team meetings and one-to-one sessions as part of the performance management process. We use these sessions to encourage discussion and opinion on executive remuneration and how this aligns with the wider where the information can be located and answers any questions as they arise. In the UK, Spain and Australia we operate colleague forums, where colleagues are elected by their peers to meet with management on a regular basis to discuss what’s on their minds. And in the Netherlands, colleagues have appointed representatives forming a Works Council. With the implementation of our new strategy and changing colleague recognition scheme with the aim of relaunching it in the second half of FY24. Diversity and inclusion We want to create an environment where all colleagues feel psychologically, emotionally and physically safe to be authentic, share their personal experiences and have equal opportunities to achieve, and that is representative of the diversity of the world they live in. In 2020 we established our colleague resource groups in support Race and Ethnicity, and in 2022 we also launched an Accessibility group. Each of the groups has a people team partner who supports it in running engagement activities and making change happen. Our colleague resource groups have been actively engaged in: • Reviewing and editing our US and Canada Colleague Handbook • Enabling the choice in use of pronouns in Workday – our HR and across our Microsoft tools • enable us to benchmark where we are today and track year on year improvement • Changing the US holiday calendar from 2024 to enable to Juneteenth being observed from 2022 Colleague Resource Groups continue to actively create engagement opportunities for the wider community, bringing everyone together to learn, embrace and celebrate differences. Gender diversity As a UK-based company we see the requirement to publish gender pay gap figures as a positive indicator of our progress towards a fully inclusive workplace. From 2022 we extended this practice to include North America and the Netherlands. We are seeing steady progress but not as fast we would like it to be. Pay gaps exist because genders are not represented equally at different levels in the Company – not because we’re not paying equally. NCC Group still has too few women at senior levels of the organisation and while female representation has significantly improved, and we see women moving from lower pay quartiles to upper pay quartiles, we know there’s still much more to do. Improving gender representation really matters to us. Overcoming the barriers of inclusion to achieve a gender-balanced workplace will take time and sustained effort, underpinned by a plan to drive change. We remain committed to progress on inclusion for the longer term, both for our current colleagues and future talent coming into our industry. Male Female Undisclosed * Includes the CEO and CFO. Direct reports to the Executive Committee 45% 55% Board 37% 63% Executive Committee 44% 56% Group 25% 73% 2% New hires in FY22 26% 9% 65% NCC Group plc 44 NCC Group has become a hub for talent, a place where people can develop personally and Strategic report 45NCC Group plc — Annual report and accounts for the year ended 31 May 2023 As a part of our commitment to bolstering sustainability, this year marks an important milestone in our journey. We partnered with Ever Sustainable to undertake a comprehensive materiality assessment. This initiative has granted us the chance to engage directly with our colleagues, clients and shareholders, and the broader industry to benchmark our current standing, define our future priorities and integrate sustainability deeply into our operations . Upon completion of the materiality assessment, we proudly present our inaugural sustainability strategy, available in our detailed launch report. Making the digital world safer and more secure We recognise the paramount importance of Cyber Security as the world becomes more connected and relies on technology to progress. As a people-driven, technology-empowered global Cyber Security and Software Resilience business, we provide solutions that aim to make the digital world more secure and resilient. Our focus extends from cutting-edge technologies critical to achieving net zero transition plans, to fortifying existing technologies against potential cyber threats. It’s what we do every day for our clients. To further share our expertise, we developed a global giving back programme. This initiative empowers our colleagues to actively protect our local communities and fosters the next generation of cyber talent through partnerships and sponsorships. Delve into our business model on pages 14 and 15 Explore our sustainability strategy launch report The change begins within Recognising the vital role of sustainability, we assigned a Board member, Non-Executive Director and Head of the Audit Committee Lynn Fordham, to be responsible for sustainability in January 2023. Last summer, the Board took part in a workshop with our climate partner, Planet Mark, and now, with our new sustainability strategy in place, we are ready to enhance sustainability engagement at every level of our organisation. Expanding our Climate Change Working Group to support TCFD reporting, we are setting in motion a structure wherein each key area identified in our sustainability launch report has executive ownership and associated KPIs. This will enable us to measure, track and report our progress, in alignment with our overarching business strategy. Read more on our strategy on pages 24 to 28 We are wholly committed to doing Mike Maddison Chief Executive Officer Non-financial and sustainability information statement Championing sustainability through strategic action NCC Group plc 46 In preparation for reporting against the European Union Corporate Sustainability Reporting independent materiality assessment that sought the Company’s activities have an external impact. This double materiality approach enables us to consider both the risk and the opportunity. Methodology Based on the insights we have gained over the past few years from our stakeholders – from rating agencies to colleague surveys and client bid requests – we decided to assess impact against 26 topics across environmental, social and governance factors. It was important to us that we didn’t restrict this list or close out any risks or opportunities, and we gave stakeholders further opportunity to comment on anything they thought was missing. The assessment process sought to integrate industry research, risk, opportunity and impact analysis and insights gained from the stakeholder engagement process. These were then converted into quantitative scores where possible. NCC Group plc 47 Strategic report Key: Social GovernanceEnvironmental Diversity and inclusion GHG emissions Data privacy and ethics Professional development Cyber Security Employee mental health and wellbeing Employee engagement 1. MAXIMISE Significance to stakeholders Impact on the business/external impact Energy management Waste and e-waste Labour practices and human rights Product accessibility and inclusion Social value Product design and lifecycle management Community outreach Anti-bribery and corruption Product security Biodiversity loss Employee engagement Employee mental health and wellbeing Data privacy and ethics Diversity and inclusion Professional development GHG emissions Cyber Security Selling practices and product labelling Climate adaptation Systemic risk management Sustainability awareness and capability Product innovation and impact Digital capabilities and access Executive remuneration and incentivisation Opportunities in cleantech Supply chain management 3. MANAGE 1. MAXIMISE 2. MITIGATE4. MONITOR Taking a multidimensional approach to materiality Labour practices and human rights Energy management Waste and e-waste 3. MANAGE Social value Product accessibility and inclusion Community outreach Product security Anti-bribery and corruption Product design and lifecycle management Selling practices and product labelling Biodiversity loss 4. MONITOR Supply chain management Executive remuneration and incentivisation Product innovation and impact Opportunities in cleantech Sustainability awareness and capability Digital capabilities and access Systemic risk management Climate adaptation 2. MITIGATE Non-financial and sustainability information statement continued Taking a multidimensional approach to materiality continued In assessing the relative importance of the topics in our materiality assessment we used the following process: Prioritising topicsAssigning valuesSetting the scope Step 1 Define and decide the final list of topics keeping scope broad enough to capture the best possible picture. Step 2 Identify the main risks, opportunities and impacts of each topic. Step 3 Assign values for outward and inward impacts and a likelihood rating for risks and opportunities associated with each topic, combining to define a final impact value to plot on the X-axis. Step 4 Input outcome of stakeholder engagement with each topic scored on its significance to the stakeholder group, weighted on importance and size of the sample group. Step 5 Map each topic onto a matrix to help visualise the relative importance. Step 6 Prioritise the topics, linking to the NCC Group purpose, vision and strategy to determine where resources should be allocated to have the greatest impact, minimise risks and maximise opportunities for the business. Using materiality to drive strategy and impact The materiality assessment helped us to identify what environmental, social and governance issues were most material and significant to our business and stakeholders. We looked at the topics plotted on the matrix through four lenses to do this and to identify areas to maximise, mitigate, monitor and manage. Significance to stakeholders Impact on the business/external impact 3. Manage • Engage with stakeholders to gather views on the issue • Disclosure level determined by regulation/stakeholder feedback 1. Maximise • Issues that are core to the sustainability strategy • High level of disclosure to demonstrate ambition and progress 4. Monitor • Monitor the issue for changes to materiality • Lower level of disclosure 2. Mitigate • Build understanding and internal capability to mitigate potential impacts • Transparent disclosure needed NCC Group plc 48 The materiality assessment is just the start, and we will now develop specific goals and targets within our control in line with our business objectives and stakeholder expectations. Enhancing our approach to sustainability enables us to mitigate growth and innovation – something that is at the heart of NCC Group’s DNA. page 16 With a new framework, informed by the materiality assessment, we will continue to improve not only how we report and adhere to reporting regulations, but more importantly how we continue to drive responsible business practice. The full detail of this and how that led to our new framework can be found in the sustainability strategy launch report. Securing our future We firmly believe that our purpose and approach to sustainability are intertwined, ultimately securing our future as a business. Central to our purpose is the drive to make the digital world safer and more secure, building a global Cyber Security and Software Resilience capability that enhances and advances sustainable development. Sustainable development relies on the adoption of digital technologies. The transition to a greener, more equitable and inclusive society manifests through the development of innovative solutions such as smart cities, renewable energy grids and clean transportation, as well as the accessibility and widespread adoption of remote education and healthcare solutions. However, these transformative benefits can only be fully realised when these digital solutions are resilient and trusted, which requires robust Cyber Security measures. By advancing Cyber Security solutions and capacity building, we are facilitating a secure digital space that allows for the full potential of these sustainable initiatives to be unleashed. This makes Cyber Security not merely a defensive measure but a proactive enabler of progress and development. Our purpose to make the digital world safer and secure transcends all five pillars of The United Nations Global Goals – peace, prosperity, people, the planet and partnerships. Digital transformation is a safer, fairer world for everyone, in our increasingly digital lives. Our purpose and our vision as a people-led, tech-enabled business position us as an essential partner in digital transformation and sustainable development. NCC Group plc 49 Strategic report Climate action Non-financial and sustainability information statement continued and Scope 3 emissions were calculated and verified by Planet Mark in line with the GHG Protocol Corporate Standard. Planet Mark calculated this from verified third party data and invoices as part of our overall carbon certification. Note the certification has not been independently audited by KPMG. Scope 3 emissions for transmission and distribution, and travel distances were calculated using the units of energy consumption and travel distances provided respectively, multiplied by the relevant BEIS emissions factors. Some conversions were used, colleagues but neither received the response rate required to provide accurate benchmark data for their respective calculations. Our priority in FY24 is to improve on this with an engagement plan. In FY23 we committed to improving the data collection process required from landlords. We significantly improved the number of offices in our calculations through improved landlord engagement, as well as extending coverage of our external data centres. We have outlined our commitment to decarbonisation and our continuing net zero journey in our new sustainability strategy - and this includes focusing on including the relevant Scope 3 categories in future reporting. Once we have an accurate report on our emissions, we can then work with Planet Mark, and other experts where applicable, to set credible, science-based targets to achieve net zero before 2050. The reporting period is aligned with our financial reporting year for which NCC Group is directly responsible. Having considered the production metrics within the business, we have concluded that annual turnover is the most appropriate to achieve a benchmark, which aligns with the carbon reduction policy and methodology we will work towards in FY24. Our benchmark was set against a year still impacted by restrictions on travel caused by the global pandemic, and therefore this year we’ve observed an increase in travel and office usage. This has led to a temporary rise in our overall carbon intensity. As a people-led business, this revitalisation of travel and face-to-face time was essential, and this is something impacting other businesses too. Despite the overall increase in emissions we were successful in reducing emissions per colleague by 4.6%, which is one of our metrics as we mature our carbon disclosure reporting capability. Our focus continues on improving data, to fully understand the source of our emissions, and to enable us to set credible, science-based reductions to achieve net zero before 2050. By net zero, we follow the guidance from Planet Mark, which is a ligned to the principles of the Science Based Targets initiative absolute emissions across all three Scopes by at least 90%. Read more on our journey to net zero in our sustainability strategy launch report 2020/21 999 2021/22 298 2022/23 979 Electricity and heat and steam (tCO 2 2020/21 125 2021/22 80 2022/23 189 Gas (tCO 2 2020/21 72 2022/232021/22 Company owned cars (tCO 2 47 2020/21 135 2022/232021/22 Business travel (tCO 2 29 Electricity: 74% Heat and steam: 1% Natural gas: 9% Company car travel: 6% Business travel: 10% Emissions by type 13 67 NCC Group plc 50 Total GHG tCO 2 e Source 2022 2023 tCO 2 e change from previous year % change from previous year Scope 1 Gas 80.0 124.7 Company vehicles Diesel 22.6 5.2 3.0 Petrol 24.2 12.3 485% Hybrid — 4.0 — Fleet fuel – petrol — — 43.0 43.0 — 46.8 58.3 47.0 Total Scope 1 200.4 183.0 Scope 2 Electricity 297.8 924.5 979.0 54.5 6.0% Heat and steam — 4.9 19.8 304% Company vehicles – electric — 13.7 Total Scope 2 297.8 1,012.5 9% Total Scope 1 and 2 424.6 1,195.5 63.8 6% Scope 3 Business travel 66.7 134.7 68.0 Transmission and distribution losses — 54.9 52.9 Heat and steam transmission and distribution losses — 0.3 — Fleet transmission and distribution losses — — 0.3 0.3 — Total Scope 3 187.9 66.0 54.0% Total Scope 1, 2 and 3 453.7 1,383.4 Underlying energy use The table below shows the proportion of energy use that occurs in the UK and non-UK countries alongside the total carbon emissions. In FY23, 43% of the Group’s energy consumption and 35% of carbon emissions arose from the UK. FY23 energy use FY23 carbon emissions Area kWh % of global energy use Total emissions (tCO 2 e) % of global emissions UK 2,201,099 43% 484.5 35% Non-UK 2,925,189 57% 898.9 65% Total 5,126,288 100% 1,383.4 100% Intensity metric Total per £m turnover – location based Amount Turnover Total emissions (tCO 2 Intensity per turnover (tCO 2 4.00 335 Comparison 15.10% 6.30% 10.40% 2.50% carbon report on our website NCC Group plc 51 Strategic report Non-financial and sustainability information statement continued Disclosure index Directive requirements contained in sections 414CA and 414CB of the Companies Act 2006. Reporting topic Policies and standards Annual Report and Accounts section reference Page Website resources Climate-related disclosures • Environmental policy • Sustainability report • TCFD report • Principal risks and uncertainties • Stakeholder engagement 53 70 40 • Sustainability strategy launch report • Planet Mark certification • Streamlined Energy Carbon Report Colleagues • Whistle-blowing policy • Code of Ethics • Disciplinary and grievance policy • Sustainability report • Stakeholder engagement • Remuneration Committee report • Our culture 40 42 • Sustainability strategy launch report Social and community matters • Modern slavery statement • Code of Ethics • Supply chain Code of Conduct • Giving back policy • Matched funding policy • Sustainability report • Stakeholder engagement 40 • Sustainability strategy launch report Respect for human rights • Modern slavery statement • Data privacy policy • Global equal opportunities and diversity policy • Sustainability report • Stakeholder engagement • Culture 40 42 • Sustainability strategy launch report Anti-bribery and corruption • Anti-bribery and corruption policy • Gifts and entertainment policy • Sustainability report • Audit Committee Report • Sustainability strategy launch report Business model • N/A • Our business model Principal risks and uncertainties • Risk register • Principal risks and uncertainties • Audit Committee Report 70 NCC Group plc 52 TCFD reporting helps organisations like ours disclose climate- related financial risks and opportunities in a structured way. mandates climate-related disclosure for all UK listed companies – we have produced a comprehensive TCFD Report. Our report strategy, risk management, and metrics/targets and the To ensure consistency across our report, we adhered to section C of the TCFD Annex, titled “Guidance for All Sectors”. As a result the following are documented as partially compliant with further detail available within this report: • financial implications of climate scenarios into our financial planning and in the next reporting period will look to develop a quantitative scenario analysis and integrate into financial planning. • business travel, electricity and distribution losses, heat and steam transmission and distribution losses. We continue to improve data collection from suppliers and understanding of colleague commuting impacts to enhance our reporting across other Scope 3 categories, through various planned engagement activities in the next period. Each pillar of our report includes a table detailing our current disclosure and areas of focus for 2024. Our assessment indicates a low risk of exposure to physical and transitional climate changes, thanks to our business model. However, we acknowledge the high importance of mitigating greenhouse gas emissions, which emerged as a priority from stakeholder feedback in our recent materiality assessment. We continue to partner with Planet Mark, a leading sustainability certification organisation, to calculate, verify and target reductions in our carbon footprint and support our commitment towards net zero before 2050. We recognise the considerable opportunities presented by the growing climate-focused market. Our collaborations with clients in industries such as electric vehicles, renewable energy, operational technology and other climate-friendly technologies underscore our readiness to seize these opportunities for sustainable growth. Evolving our sustainability agenda We are pleased to present NCC Group’s second annual report in accordance Governance TCFD recommended disclosure Compliance NCC Group disclosure Focus areas for FY24 Governance A. Describe the Board’s oversight of climate-related risks and opportunities Compliant • The Board has appointed the Head of the Audit Committee as the lead Non-Executive Director responsible for sustainability. Monthly updates are provided via the CFO report to the Board as well as directly from regular with the Director of Investor Relations and Sustainability with the full Board, including an update on progress against the Group’s goals and targets where appropriate. • The Board takes overall accountability for the management of climate-related risks and opportunities and considers them as part of its overall risk review processes. For example, the Board (and management criteria to facilitate conscious decision making on the location of NCC Group’s new global delivery centre to support execution of the strategy. • We are in the process of incorporating ESG criteria into the Group’s budgetary planning process and financial planning for FY25. • From the 2023 materiality assessment, set goals for FY24, with at least quarterly updates through the CFO report, to show progress against the plan and continue to mature the process by which the Board will oversee progress against the targets for addressing climate-related issues. • Meet at least quarterly with the nominated NED responsible for sustainability to reflect, discuss and ensure actions are being taken. • Continue to develop NCC Group’s net zero journey and broader sustainability strategy with oversight and input from the Board. TCFD NCC Group plc 53 Strategic report How ERM fits into the Group Committee structure Internal audit External and ISO auditors Board Audit Committee Cyber Security Committee Enterprise Risk Committee ExCom The above diagram shows how the Enterprise Risk Management Committee feeds into the Audit and Cyber Security Committees, which in turn reports to the Board. Actions are also driven back down from the Board as reflected in the above diagram. TCFD continued Governance continued TCFD recommended disclosure Compliance NCC Group disclosure Focus areas for FY24 Governance continued B. Describe the management’s role in assessing and managing climate- related risks and opportunities Compliant • A new role was created in January 2022 to bring sustainability and investor relations together. The newly appointed Director of Investor Relations and Sustainability (formerly Director of reporting to the Chief Financial Officer, provides advice and updates to the Executive Committee on climate-related issues as and when relevant. • meets quarterly addresses climate risk as part of that process. • Continue to mature NCC Group’s net zero journey, including improvement of collation of Scope 3 emissions. • Review and update the terms of reference for the Climate Change Working Group in line with the materiality assessment and integrate into the existing Board and executive governance processes. • Once all new executive members are appointed and upon completion of the sustainability strategy, identify executive ownership for each element including climate change and how this is supported through the Climate Change Working Group. • Integrate the output from the double materiality assessment conducted in FY23 into our newly launched business strategy, to incorporate key ESG considerations into decision making where relevant. Lynn Fordham, the lead Non-Executive Director for Sustainability, was appointed by the NCC Group Board Chair. In addition to her position as the Head of the Audit Committee, Lynn’s role is to oversee the Company’s sustainability strategy, ensure its integration with the overall business strategy, and provide regular sustainability updates to the Board. While there is no specific Board committee for environmental by the Director of Global Governance addresses these issues. The ERM meets bi-monthly and is attended by our CEO and CFO. It discusses, among other risks, sustainability and environmental challenges, which are then reported to the Board. From March to May 2023, we conducted our first materiality assessment considering both inward and outward impacts (see various stakeholders, including shareholders, colleagues and clients. The results formed the foundation of our newly launched sustainability framework, which outlines our priority areas for the next one to three years. As NCC Group’s business strategy evolves, the sustainability framework will be integrated into our strategic planning. An engagement programme is being developed to ensure that our internal stakeholders, including the Board, are informed, and engaged on not just climate change but all priority sustainability topics. This programme will feature training sessions, workshops and continued awareness-building initiatives. The Board and the Executive Committee are committed to communicating their dedication to addressing climate change. This will be demonstrated through our annual Sustainability Report and reinforced through other appropriate internal and external communication channels throughout the financial year. NCC Group plc 54 Strategy TCFD recommended disclosure Compliance NCC Group disclosure Focus areas for FY24 Strategy A. Describe the climate-related risks and opportunities the organisation has identified over the short, medium and long term Compliant • See tables on page 56 describing risks and opportunities, which were selected based on location of our existing business and known climate change risks affecting the broader region we operate in. • Monitor actions arising from the risk register. B. Describe the impact of climate-related risks and opportunities in the organisation’s business strategy and financial planning Partially compliant • An impact in our ability to meet climate-related disclosures that are required by clients in their capture of Scope 3 emissions. Each sector we operate in has its own requirements, because of legislation and their own commitments. Not understanding or assessing this could have an impact on NCC Group’s ability to meet the requirements in a contract. • Climate-related taxes, or fines for non-compliance could impact the business if we fail to take action. • Our ability to raise capital to invest in growth, may be restricted if we fail to make progress on climate related action, which forms part of sustainable lending requirements. • As part of the verticalisation element of our strategy, we are undertaking research to ensure we meet the broader ESG criteria that applies to our clients. We are creating a knowledge bank for sales teams and will conduct regular briefings/ updates through internal channels. • Develop a knowledge management repository that supports sales/bid teams in accurately representing how NCC Group supports clients in meeting their specific climate-related disclosures. • Working in collaboration with strategy, marketing and public affairs, ensure that environment and broader sustainability considerations are built into the understanding of client needs by sector and by region. C. Describe the resilience of the organisation’s strategy, taking into consideration different climate-related scenarios, including a 2 O C or lower scenario Partially compliant • We have conducted an initial quantitative O C and 4 O C. • Develop the initial scenario analysis and integrate, aligned to NCC Group’s strategy development, into future financial and strategic planning activities as our net zero journey matures. In our ongoing commitment to the TCFD’s Strategy pillar, we are not only advancing our approach to managing climate-related risks but also actively pursuing growth opportunities within the climate change sphere. We’ve formed strategic partnerships, such as our collaboration with Planet Mark, to help us lower our carbon footprint and develop more sustainable business practices. As a proud member of techUK’s Responsible Business Community, we’re also exchanging insights and best practices with industry peers to collectively address climate change. In early 2023, we appointed our first Director of Strategy, who will play a crucial role in our internal Climate Change Working Group. This group is currently tasked with evaluating the potential impact of climate change on our business operations, identifying both risks and opportunities. To date, the group has been focused on improving the collation of climate-related data to assess our current state and instrumental in helping to progress our ambitions to set achievable targets for reducing our carbon emissions over the next five years. New terms of reference for this working group are to be defined along with clearly identifying how it is embedded into our existing governance process from the Board down. Our focus is not limited to risk mitigation but extends to exploring opportunities where we can make a positive impact. This includes improving the energy efficiency of our operations, collaborating with our landlords and requesting renewable energy sources, and identifying ways our technology solutions can contribute to our clients’ sustainability efforts. As we continue our climate change journey, we are committed to regularly reporting our progress against these objectives, showing transparency in our endeavours, and constantly seeking ways to better our efforts. Climate-related risks Our comprehensive risk management framework (summarised in the Risk Management section of the Annual Report on pages climate-related risks. We categorise these risks into: • policy changes impacting climate-related risks and opportunities as well as existing forecasting processes considered by management which are reviewed and evaluated on an annual basis. • that may affect climate-related risks and opportunities. • of international agreements and commitments, technological trends and changes to policy or carbon pricing and their impact on our operations, client services and supply chain. For instance, short-term risks might include immediate regulatory changes or extreme weather events, while long-term risks could be major shifts in our industry driven by the transition to a low carbon economy. Each identified risk is paired with corresponding mitigation measures, such as implementing energy-efficient technologies or diversifying our supply chain, aimed to reduce our vulnerability. While these risks apply to the Group as a whole, we do recognise that certain locations face unique challenges. For example, our operations in coastal areas are more susceptible to rising sea levels and increased frequency of extreme weather events. For a more detailed understanding of the climate-related risks and opportunities we face, please refer to the table below. It provides a snapshot of the specific challenges we’re addressing and the strategic responses we have undertaken. NCC Group plc 55 Strategic report Climate-related risks continued Risk Risk impact Short/medium/long term Regions impacted Mitigating activities Physical risks Extreme weather (acute) Causing business disruption and loss of service delivery and therefore revenue Short to medium term All but particularly North America • Business interruption cover • Business Continuity Plans • Remote working in place • Dutch flood defences in place Sea level rises (chronic) Increased likelihood of flooding in Delft and Amsterdam offices causing increased insurance premiums Long term Amsterdam offices Transition risks Increase in taxes and levies for greenhouse gas emissions Disruption and increased costs to ensure compliance with new legislation Medium term Depends on local legislation • Working with Planet Mark to calculate our carbon footprint, ways to reduce it, and colleague and Board engagement, and helping progress our net zero journey Move to net zero Increased costs required to lower emissions Long term Global • Remote delivery of client services where possible • Company car scheme only for electric and hybrid • Annual calculation of with Scope 3 emissions collation started • Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction Margin risk Impact on results due to extra costs incurred to lower emissions Medium term Global • Accounting policies regularly reviewed • Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction Reputation risk Increased stakeholder concern and changing customer behaviours Medium term Global • Ongoing dialogue with investors • Benchmarking and independent reviews undertaken through a double materiality assessment • ESG information publicly available Supply chain risk Substitution of existing products and services with lower emission options Medium to long term Global • Scope 3 questionnaires sent to supply chain partners equating to 80% of our spend • Business Continuity Plans • Reviewing office strategy TCFD continued Strategy continued NCC Group plc 56 Opportunities to further reduce NCC Group’s impact on the environment: Resource efficiency: By embracing more efficient modes of transport, promoting recycling, encouraging hybrid working models and operating within efficient buildings, we can lessen our environmental footprint, improve colleague satisfaction and reduce operational costs. For instance, removing unnecessary travel not only reduces our carbon emissions but also empowers colleagues with more control over their work-life balance, contributing to improved morale and productivity (anticipated Energy source: Our transition to lower emission energy sources, underpinned by the introduction of an electric/hybrid car scheme for all UK colleagues, demonstrates our commitment to sustainable practices. By giving colleagues access to green car options, we are mitigating our exposure to future fossil fuel price fluctuations and regulations. It also addresses our colleagues’ material concerns, fostering a culture of environmental responsibility and Market: As industries evolve in response to climate change, we’re strategically positioned to leverage these transformations. For example, by partnering with companies transitioning into alternative energy sources or working on projects involving smart meters, electric vehicles, IoT technology for waste reduction and cloud data centres, we anticipate strengthening our market position and enhancing our reputation as a sustainable and Resilience: Our sustainable business model increases our resilience to climate-related risks, demonstrating our commitment to being a responsible and ethical supply chain partner. This commitment to sustainability not only aligns us with an increasingly eco-aware market but also empowers us to lead in the space, fostering a culture of innovation and responsible business practices (short Scenario analysis To understand the risks and opportunities our business faces considering climate change, we have conducted a quantitative of the scenarios selected is provided below. These scenarios are chosen to reflect the diverse spectrum of possibilities that could unfold due to different levels of global effort to curb climate change. In the context of these scenarios, “transition risks” refer to the challenges associated with the shift towards a lower carbon economy, while “physical risks” denote the potential damage caused by climate change itself. In terms of the risks selected, these were based on physical locations and the nature of our business in key locations of North America, the UK, Europe and Asia Pacific. We are in the process of flowing this into our financial planning and will continue to do so as we mature our climate action planning and reporting. rapid shifts in regulatory and market conditions, but the physical risks would be significantly reduced due to the effective global action on climate change. Conversely, Scenario 2 predicts lower transition risks but considerably higher physical risks due to the lack of substantial progress towards climate goals. We’ve further broken down these risks by timeline, classifying offers a comprehensive overview of NCC Group’s potential exposure to both transition and physical risks under each scenario. While our current analysis is qualitative, we are working towards quantifying these risks and opportunities as we progress towards our net zero targets and improve our data collection across Scope impact on our Financial Statement disclosures based on our materiality assessment results see page 47 of the Annual Report and known near to mid-term regulatory developments. However, we will continuously monitor both transition and physical risks, adjusting our mitigation strategy as necessary. Risk type Risk Risk impact Scenario Short term Medium term Long term Physical risk Rising sea levels Risk to NCC Group offices located in high risk areas, e.g. Delft, as well as colleague and customer homes resulting in business disruption Low Low High 2 Low High High Flooding Impact to service quality and disruption to systems, increased costs to relocate colleagues Low Low Low 2 Low High High Transition risk Increase in taxes and levies Disruption and increased costs to ensure compliance with new legislation Low Medium High 2 Low Low Low Margin risk Impact on results due to extra costs incurred to lower emissions Low Medium High 2 Low Low Low Reputation risk Increased stakeholder concern and changing customer behaviours Low Medium High 2 Low High High Supply chain risk Substitution of existing products and services with lower emission options Low Medium High 2 Low Low High NCC Group plc 57 Strategic report TCFD continued Strategy continued Financial planning We recognise the significant implications of climate-related risks and opportunities on our financial planning. We anticipate shifts in our future business model and strategy in response to evolving market conditions due to climate change. We foresee potential changes in customer preferences towards more sustainable products and services, along with possible disruptions in our supply chain due to extreme weather events. These factors are thoroughly considered in our business strategy development. Our business strategy has been designed to be resilient to future economic and climate-related scenarios. And by running regular scenarios we can test that resilience, and ensure it’s considered in future business strategy development, enabling us to adapt accordingly, without disrupting or negatively impacting current operations. The scenarios are based on industry insights, which were used in the expert input into our materiality assessment. We will look to assess the potential financial implications of various climate scenarios and factor these into our revenue forecasts, expenditure plans and asset valuations from FY25 onwards. This will include a detailed analysis of potential climate-related liabilities and their impact on our financial stability. Our future aspiration is to incorporate climate considerations to influence future investment decisions by the Group, always reducing our carbon footprint, and gradually divesting areas that carry high climate-related risks. For now though, we are actively working to improve our operational efficiency and addressing things we can directly influence to reduce our impact on the environment and realise cost savings. In summary, our organisation is committed to integrating climate considerations into our financial planning process. We will continue to refine our approach as we gain more data and insights into the evolving climate scenarios. Risk management TCFD recommended disclosure Compliance NCC Group disclosure Focus areas for FY24 Risk management A. Describe the organisation’s processes for identifying and assessing climate-related risks Compliant • Climate-related risks are managed through our enterprise risk management framework. • Monitor actions arising from the risk register. B. Describe the organisation’s processes for managing climate-related risks Compliant • Climate-related risks are documented, mitigating actions are considered, a risk rating is assigned and associated actions are documented and followed up. • Monitor actions arising from the risk register. C. Describe how processes for identifying, assessing, and managing climate- related risks are integrated into the organisation’s overall risk management Compliant • Climate-related risks are managed through our enterprise risk management framework. • Monitor actions arising from the risk register. As part of our robust materiality assessment, we conducted in-depth, topic-based and industry research to identify our most material sustainability issues. Through a detailed materiality matrix, we also identified opportunities to enhance our sustainability performance by focusing on reducing GHG emissions, monitoring product design and lifecycle management, and mitigating biodiversity loss. Our approach is to address these opportunities through targeted initiatives in cleantech, increasing sustainability awareness and capability, and climate adaptation. Addressing these issues will involve closer collaboration with our supply chain, particularly our global landlords and our top suppliers. A key initiative in this regard is our Data Centre Management Strategy, aimed at reducing our energy consumption. In collaboration with our web development partner, Nexer, we have successfully reduced the energy consumption of our websites by 50%, applying eco-design principles. Climate-related risks are managed through our NCC Group which is detailed in the Risk Management section of the Annual Report on page 70, uses a sophisticated risk model to assess and score each risk based on likelihood and impact. Risks are re-evaluated consistently to ensure we’re responsive to evolving circumstances. Our risk management approach combines “top-down strategic” and “bottom-up operational” perspectives, fostering collaboration and promoting efficient risk identification. With respect to climate- related risks, we have outlined our strategies and targets for GHG emissions reduction and biodiversity preservation. These climate-related risks are integrated into our Principal Risks plays an active role in the ongoing review of these risks, their mitigations, controls and associated actions. This Committee meets on a regular basis and follows a stringent process for identifying, assessing, responding to and escalating serious concerns related to these risks. We firmly believe that this integrated and transparent approach will ensure effective risk management aligned with the principles of TCFD, while driving our strategic objectives for sustainability. NCC Group plc 58 Obtain assurance Implement internal control Adapt ERM P erform scenario analysis Integrate into reporting Use existing tools S olicit investor feedback Assess financial impacts Collaborate across the business Secure leadership buy-in Establish Committee oversight A u d i t C o m m i t t e e R i s k C o m m i t t e e Metrics and targets TCFD recommended disclosure Compliance NCC Group disclosure Focus areas for FY24 Metrics and targets A. Disclose the metrics used by the organisation to assess climate- related risks and opportunities in line with its strategy and risk management process Compliant • Reporting of greenhouse gas emissions for FY23 compared to prior years. • Commitment to net zero before 2050 in line with the Paris Agreement with regular reviews to improve as and when broader Scope 3 data is available. • Climate-related performance metrics incorporated into Remuneration in line with our Planet Mark certification commitment to reduce greenhouse gas emissions year on year. In our first two years, we are aiming to reduce our total greenhouse gas emissions by 5% recognising that as our data collection matures and improves, we may need to reduction in colleague intensity, but an return to travel and office use following the pandemic. • Improve Scope 3 data collection and management to accelerate NCC Group’s net zero journey. B. Disclose Scope 1, Scope 2, and, if appropriate, Scope 3 greenhouse gas emissions and the related risks Partially compliant emissions still in their infancy • emissions for FY23 vs FY22. • Scope 3 emissions limited to business travel, electricity transmission and distribution losses, heat and steam transmission and distribution losses. • Supplier engagement to provide data was limited in response. • Colleague commuting data collated as part of the materiality assessment but not enough responses to enable calculation. • Improve supplier and colleague engagement to gather required Scope 3 data from supply chain activities and colleagues in relation to commuting and working from home impact. C. Describe the targets used by the organisation to manage climate-related risks and opportunities and performance against targets Compliant • Set year two reduction in line with Planet Mark recommendations of 5%. This includes reducing colleague intensity by intensity by 2.5%. We will also continue to seek location intensity through better understanding of our data and the steps we can take to reduce our impact. • Seek opportunities, as NCC Group’s management of climate change matures, to accelerate achieving net zero before 2050. NCC Group plc 59 Strategic report Meet the CFO Q&A with Guy Ellis Director after senior commercial on all things finance. Prior to Guy spent time as Interim Director of the UK and APAC Cyber Security business. Q. What do you think the role of a finance department should be? The most effective finance functions act as a strategic force Q. What are you going to bring to the role? I’m experienced in driving through transformational change. In the short term I’m focused on standardisation and simplification scale at pace globally. to both the executive team and the Board. I see that as a critical element of my role. Q. risk increases in tandem – so overall I have a positive outlook. into the future. Q. Where do you think the opportunities lie? Security industry. We are building out our capabilities to offer company to a fully global business. The opportunities are significant. This is the right strategy. 60 NCC Group plc — 2022/23 key activities • Finalised the full operational review of the Software Resilience business to create additional Group contribution • Completed a scheduled refinance process with enhanced banking facilities • Continued to demonstrate effective cash management with strong cash conversion 2023/24 priorities • Identify cost efficiencies across Cyber Security and corporate functions, achieving in-year savings and full annualised contribution from FY25 onwards • Drive transformational change in processes and insights to support the business as we embed our strategy • Maintain strong cash conversion Financial review Guy Ellis Chief Financial Officer Overview of financial performance 2023 2022 Cyber Security £m Software Resilience £m Central and head office £m Group £m Cyber Security £m Software Resilience £m Central and head office £m Group £m Revenue 270.8 64.3 – 335.1 258.5 56.3 – Cost of sales – – Gross profit 86.1 45.9 – 132.0 92.3 40.3 – Gross margin % 31.8% 71.4% – 39.4% 35.7% – 2 Adjusted EBITDA 1 15.4 31.2 41.4 22.8 59.2 Depreciation and amortisation Adjusted operating profit 1 6.9 30.6 28.8 22.0 Amortisation of acquired intangibles Share-based payments Individually Significant Items – – – Operating (loss)/profit 22.3 1.9 28.9 34.7 Operating margin % 34.7% n/a 0.6% 28.5% n/a Finance costs Taxation 23.0 EPS Basic EPS 7.4p Adjusted basic EPS 6.1p an explanation of APMs and adjusting items. 2 Administrative expenses excludes depreciation and amortisation, amortisation of acquired intangibles, Share-based payments and individual significant items. 3 Depreciation and amortisation excludes amortisation of acquired intangibles. 2023 has been a challenging year for the Group, as our expected Revenue performance and consequently our gross profit and overall experienced buying decision delays and cancellations in the North American tech sector and to lesser extent our UK market for Global Professional Services. NCC Group plc 61 Strategic report Overview of financial performance continued Encouragingly, no material clients have been lost, however this sharp market correction had a direct impact on our revenue, direct utilisation, gross profit and ultimately our profitability due to the level of employee costs in the business and recognition of Individually Significant items that mainly relate to the impairment of North American Assurance Goodwill. These headwinds have further reinforced the need to implement the next chapter of our Group strategy and identify cost efficiencies across Cyber Security and corporate functions, achieving FY24 savings and full annualised contribution from FY25 onwards. Turning back in detail to our FY23 performance, Group revenues the prior year Software Resilience fair value revenue adjustment In our Cyber Security business, the Europe, and UK and APAC Cyber Security businesses grew on a constant currency basis a constant currency basis decline in tech sector spend. constant currency basis In our Software Resilience division, following the completion of year of IPM contract renewals, which contributed to overall to to these potential contract renewals, total Software Resilience generated sale orders of £4.7m, an increase of 38% compared to performance of the Cyber Security business and lower direct and training costs arising from inflationary pressures and further c.£6.5m. Other higher costs include an increase in non-client travel and office costs (including the impact of our NCC performance also incurred the indirect trading cost hosting our in person global NCC Conferences in June 2022 for the first time impact of c.£5m year-on-year, of which c.£2.3m related directly Individually Significant Items incurred during the year amounted in Goodwill of £9.8m for the North American Assurance business following the recent reduction in spend by North American technology clients and £4.2m in relation to fundamental reorganisation costs as we reshape the Group to implement the next chapter of the Group’s strategy. The impairment of North American Assurance Goodwill has been recognised based on the include costs associated with the strategic review of our reorganisation. These were partially offset by a profit on disposal profit performance, recognition of ISIs and after an increase in The variable rate of interest cost increased due to the macro- economic environment and the write off of existing arrangement amounted to Net debt excluding lease liabilities Our Balance Sheet and facility headroom remains strong, during multi-currency revolving credit facility and the remaining $46.7m of the original $70m term loan that was maturing in June 2024. The new facility now matures in December 2026 and includes a £75m uncommitted accordion option. In addition, we also secured an increase to our leverage covenant from 2.5x to 3.0x with an additional acquisition spike to 3.5x for the first twelve months of any acquisition. The weighted average margin of the facility also decreased and is payable on a ratchet mechanism on the level of the Group’s leverage. The average interest rate for the year was 4.54% and is currently 6.27% following recent changes to base interest rates. that paid in the prior year as the Board is conscious of the need to invest in new strategy and manage its net debt accordingly following the challenging year. Throughout this Financial Review, certain APMs are presented. These APMs used by the Group are not defined terms under IFRS and may therefore not be comparable with similarly titled measures reported by other companies. They are not intended to be a substitute for, or superior to, Generally Accepted current year results and comparative periods where provided. Financial review continued NCC Group plc 62 This presentation is also consistent with the way that financial performance is measured by management and reported to the Board, and the basis of financial measures for senior management’s compensation schemes and provides supplementary information that assists the user in understanding the financial performance, position and trends of the Group. At all times, the Group aims to ensure that the Annual Report and Accounts give a fair, balanced and understandable view of the ‘Presentation of Financial Statements’ requires the separate presentation of items that are material in nature or scale in order to allow the user of the accounts to understand underlying business performance. We believe these APMs provide readers with important additional information on our business and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can differ significantly from the APMs and may be assessed differently by the reader we encourage you to consider these figures together with statutory reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related APMs may exclude recurring business transactions (e.g. acquisition related costs performance and cash flows. As the Group manages internally its performance at an Adjusted operating profit level (before Individually Significant Items, amortisation of acquired intangibles and share-based underlying trading of the business; this information is still disclosed as an APM within this Annual Report. This APM is reconciled to statutory operating profit, together with the consequently Adjusted basic EPS (before amortisation of acquisition intangibles, share-based payments and Individually The Group has the following APMs/non-statutory measures: • • • • • • Cash conversion which includes Adjusted EBITDA (reconciled • The above APMs are consistent with those reported for the year and Software Resilience revenue excluding IPM acquisition which have been removed now that the Group has comparable The Group also reports certain geographic regions on a constant currency basis to reflect the underlying performance considering constant foreign exchange rates period on period. This involves translating comparative numbers to current period rates for comparability to enable a growth factor to be calculated. As these measures are not statutory revenue numbers, management considers these to be APMs. Further detail is included within the Glossary of terms to the Financial Statements that provides supplementary information that assists the user in understanding these APMs/non-statutory measures. Financial summary Summary Income Statement 2023 £m 2022 £m % change Revenue 335.1 6.4% Cost of sales Gross profit 132.0 Depreciation and amortisation 2 Administrative expenses 3 23.4% Adjusted operating profit 1 28.8 Individually Significant Items Acquired intangible amortisation Share-based payments Operating profit 1.9 34.7 Finance costs 67.6% Taxation 23.0 EPS Basic EPS 7.4p Adjusted Basic EPS 6.1p explanation of APMs and adjusting items. 2 Depreciation and amortisation excludes acquired intangible amortisation. 3 Administrative expenses excludes depreciation and amortisation, amortisation of acquired intangibles, share-based payments and Individually Significant Items. NCC Group plc 63 Strategic report Financial summary continued Revenue summary 2023 £m 2022 £m % change at actual rates 2023 £m Constant currency 2022 £m % change at constant Cyber Security 270.8 258.5 4.8% 270.8 270.5 Software Resilience 64.3 56.3 64.3 59.8 7.5% Total revenue 335.1 6.4% 335.1 330.3 at constant currency Divisional performance Cyber Security Cyber Security revenue analysis – by originating country: 2023 £m 2022 £m % change at actual rates 2023 £m Constant currency 2022 £m % change at constant currency UK and APAC 118.4 3.3% 118.4 3.0% North America 99.3 5.5% 99.3 Europe 53.1 49.8 6.6% 53.1 3.9% Total Cyber Security revenue 270.8 258.5 4.8% 270.8 270.5 on a constancy currency basis (increased Turning to the performance between each half of the financial year, the following revenue analysis by originating country demonstrates tech sector and the UK Market within Global Professional Services. H1 2023 £m £m % change at actual rates H1 2023 £m Constant currency £m % change at constant currency UK and APAC 61.6 54.6 61.6 55.0 North America 59.2 44.0 34.5% 59.2 Europe 24.2 24.6 24.2 24.9 Total Cyber Security revenue 145.0 145.0 H2 2023 £m H2 2022 £m % change at actual rates H2 2023 £m Constant currency H2 2022 £m % change at constant currency UK and APAC 56.8 60.0 56.8 60.0 North America 40.1 40.1 53.4 Europe 28.9 25.2 28.9 26.2 Total Cyber Security revenue 125.8 125.8 Financial review continued NCC Group plc 64 Divisional performance continued Cyber Security revenue analysed by type of service/product line: 2023 £m 2022 £m % change at actual rates 2023 £m Constant currency 2022 £m % change at constant currency 199.3 2.0% 199.3 205.6 67.8 58.6 67.8 60.3 3.7 4.5 3.7 4.6 Total Cyber Security revenue 270.8 258.5 4.8% 270.8 270.5 than product sales. cancellations in the North American tech sector and our UK market. service global sales orders for the forthcoming years increasing 72.5% YoY. Turning to the performance between each half of the financial year, the following revenue analysis by type of service/product line North American tech sector and the UK Market with Global Professional Services. H1 2023 £m £m % change at actual rates H1 2023 £m Constant currency £m % change at constant currency 111.1 93.6 111.1 32.2 28.4 32.2 1.7 1.7 Total Cyber Security revenue 145.0 145.0 H2 2023 £m H2 2022 £m % change at actual rates H2 2023 £m Constant currency H2 2022 £m % change at constant currency 88.2 88.2 35.6 30.2 35.6 2.0 3.3 2.0 3.4 Total Cyber Security revenue 125.8 125.8 Cyber Security gross profit is analysed as follows: 2023 £m 2023 % margin 2022 £m 2022 % margin % pts change UK and APAC 40.3 34.0% 46.4 40.5% North America 26.1 26.3% 29.8 Europe 19.7 37.1% 32.3% 4.8% pts Cyber Security gross profit and % margin 86.1 31.8% 92.3 35.7% lower technical attrition. Turning to the performance between each half of the financial year, the following gross profit analysis by originating country further H1 2023 £m H1 2023 % margin £m % margin % pts change UK and APAC 22.9 37.2% 22.4 North America 16.6 28.0% 32.0% Europe 9.7 40.1% 7.9 8.0% pts Cyber Security gross profit and % margin 49.2 33.9% 44.4 36.0% NCC Group plc 65 Strategic report Divisional performance continued Cyber Security continued one-off item, the margin would have increased 3.8%. H2 2023 £m H2 2023 % margin H2 2022 £m H2 2022 % margin % pts change UK and APAC 17.4 30.6% 24.0 40.0% North America 9.5 23.7% Europe 10.0 34.6% 8.2 32.5% Cyber Security gross profit and % margin 36.9 29.3% 47.9 35.4% Software Resilience Software Resilience revenue analysis – by originating country: 2023 £m 2022 £m % change at actual rates 2023 £m Constant currency 2022 £m % change at constant currency UK 25.8 25.4 25.8 25.4 North America 34.5 26.8 28.7% 34.5 30.2 Europe 4.0 4.0 4.2 Total Software Resilience revenue 64.3 56.3 64.3 59.8 7.5% 2 , Software Resilience revenue decreased Turning again to the performance between each half of the financial year, the following revenue analysis by originating country further H1 2023 £m £m % change at actual rates H1 2023 £m Constant currency £m % change at constant currency UK 12.3 12.3 North America 17.3 40.7% 17.3 Europe 2.0 2.0 — 2.0 2.0 — Total Software Resilience revenue 31.6 26.9 31.6 29.4 7.5% H2 2023 £m H2 2022 £m % change at actual rates H2 2023 £m Constant currency H2 2022 £m % change at constant currency UK 13.5 5.5% 13.5 6.3% North America 17.2 17.2 Europe 2.0 2.0 2.2 Total Software Resilience revenue 32.7 29.4 32.7 30.4 7.5% Software Resilience revenues analysed by service line: On a statutory basis 2023 £m 2022 £m % change at actual rates 2023 £m Constant currency 2022 £m % change at constant currency Software Resilience contracts 42.8 42.8 40.4 5.9% Verification services 21.5 21.5 Total Software Resilience revenue 64.3 56.3 64.3 59.8 7.5% Financial review continued NCC Group plc 66 Divisional performance continued Software Resilience continued After considering the prior year Software Resilience fair value revenue adjustment 2 currency FY23 statutory results, as the adjustment has unwound following the renewal of IPM contracts or completion of verification services. Gross margin is analysed as follows: 2023 £m 2023 % margin 2022 £m 2022 % margin % pts change UK 18.2 70.0% 69.3% North America 25.0 72.9% 74.3% Europe 2.7 67.5% 2.8 68.3% Software Resilience gross profit and % margin 45.9 71.4% 40.3 2 , Software Resilience gross profit decreased Turning again to the performance between each half of the financial year, the following gross profit analysis by originating country H1 2023 £m H1 2023 % margin £m % margin % pts change UK 8.4 68.3% 9.0 North America 12.6 72.8% 8.9 72.4% 0.4% pts Europe 1.3 65.0% 70.0% Software Resilience gross profit and % margin 22.3 70.6% H2 2023 £m H2 2023 % margin H2 2022 £m H2 2022 % margin % pts change UK 9.8 72.6% 8.6 67.2% 5.4% pts North America 12.4 72.1% 75.9% Europe 1.4 70.0% 66.7% 3.3% pts Software Resilience gross profit and % margin 23.6 72.2% 0.8% pts Individually Significant Items 2023 £m 2022 £m North America Cyber Security goodwill impairment 9.8 — Fundamental re-organisation costs 4.2 — Costs associated with strategic review of Software Resilience business 3.0 — NCC Group A/S goodwill impairment 3.0 — IPM Software Resilience bushiness deferred income adjustment — Profit on disposal of DDI business — Costs directly attributable to the acquisition of IPM — 0.9 Total ISIs 14.7 0.9 for the NA Assurance business following the recent reduction in spend by North American technology clients and £4.2m in relation to fundamental reorganisation costs as we reshaped the Group to implement the next chapter of the Group’s strategy. Costs associated Finance costs Finance costs for the period were £6.2m compared to £3.7m in 2022 due to an increase in borrowing following the IPM acquisition December 2026. The average interest rate for the year was 4.54% and is currently 6.27% following recent changes to base interest NCC Group plc 67 Strategic report Taxation factors including the non-deductibility impact of goodwill impairment. See note 6 for further details. The Group’s adjusted tax rate is against the benefit of US R&D tax claims and a prior year credit in relation to the tax treatment of the IPM acquisition. 2023 2022 Statutory Basic EPS 7.4p Diluted EPS 7.4p Adjusted 1 Basic EPS 6.1p Weighted average number of shares (million) Basic 310.4 309.5 Diluted 311.2 Cash flow and net debt 1 The table below summarises the Group’s cash flow and net debt : 2023 £m 2022 £m Operating cash inflow before movements in working capital 37.9 49.3 19.7 Decrease in inventories 0.1 0.2 Cash generated from operating activities before interest and taxation 42.6 60.3 Interest element of lease payments Finance interest paid Taxation paid Net cash generated from operating activities 32.1 54.8 Purchase of property, plant and equipment Software and development expenditure 2.0 — Acquisition of trade and assets as part of a business combination Equity dividends paid Purchase of own shares — Proceeds from the issue of ordinary share capital 0.1 0.8 Net movement 4.8 83.3 Foreign exchange movement Closing net debt excluding lease liabilities 1 Lease liabilities Closing net debt 1 Financial review continued NCC Group plc 68 Cash flow and net debt 1 continued Net debt can be reconciled as follows: 2023 £m 2022 £m Cash and cash equivalents 34.1 73.2 Bank overdraft — Net debt excluding lease liabilities 1 Lease liabilities Net debt 1 The calculation of the cash conversion ratio is set out below: 2023 £m 2022 £m % change/ % pts 42.6 60.3 Adjusted EBITDA 41.4 59.2 Cash conversion ratio 1 102.9% measures. See Note 3 for an explanation of APMs and adjusting items. the remaining £3.8m is contingent on novation of certain customer contracts. £2m has been received post year end and it is expected that the remaining proceeds will be received in FY24. Borrowings multi-currency revolving credit facility and the remaining $46.7m of the original $70m term loan that was maturing in June 2024. The new facility now matures in December 2026 and includes an £75m uncommitted accordion option. In addition, we also secured an increase to our leverage covenant from 2.5x to 3.0x with an additional acquisition spike to 3.5x for the first twelve months of any acquisition. The weighted average margin of the facility also decreased and is payable on a ratchet mechanism above SONIA & SOFR was 4.54% and is currently 6.27% following recent changes to base interest rates. Dividends This represents a dividend equal to that paid in the prior year as the Board is conscious of the need to invest in new strategy and manage its net debt accordingly following the challenging year. Guy Ellis 28 September 2023 NCC Group plc 69 Strategic report Principal risks and uncertainties Risk management Risk is an inherent part of doing business and risk management is a fundamental part of good corporate governance. A successful risk management process balances risk and reward and is underpinned by sound judgement of their impact and likelihood. The Board has overall responsibility for ensuring that NCC Group has an effective risk management framework, which is aligned to our business objectives. The Board has established a Risk Management Policy, which has established protocols, including: • Roles and responsibilities for the risk management framework • Risk scoring framework • A definition of risk appetite summarises the Group’s overall approach to risk management, which is supported by a web-based tool – the Integrated Risk management model described in the next section and records both strategic and operational risk registers and tracks risk mitigation action plans, helping embed ownership of risks and treatment actions while also providing access to live management information, which is used at both a Board and operational management level. NCC Group’s approach to risk management NCC Group adopts both a “top-down” and “bottom-up” approach to risk, to manage risk exposure across the Group to enable the effective pursuit of strategic objectives. The approach is The approach is one of collaboration, which supports our comprehensive approach to risk identification, from the “top down” and “bottom up”. The Group believes that this is the most efficient and effective way to identify its business risks. Top down The Board, Audit Committee and Cyber Security Committee review risks on an ongoing basis and are supported by the Executive Committee and subject matter specialists (including Software Resilience, Assurance, information security, data protection and strategic objectives and any barriers to their achievement. Bottom up The Board and senior leadership team engage with colleagues at every level of the Group in recognition of the importance of their expertise, contribution and views. In relation to matters of wrongdoing, or risks not being recognised and adequately managed, the Group has a robust and effective whistleblowing procedure, which is supported by the Safecall reporting line. Embedded risk NCC Group plc 70 NCC Group plc 70 Managing risk from the top down Managing risk from the bottom up Top down Strategic risk management Bottom up Operational risk management • Establishing guidance on the Group’s approach to risk management and establishing the parameters for risk appetite and associated decision making • Identification, review and management of identified Group strategic risks and associated actions • Ongoing consideration of: Board Audit Committee Cyber Security Committee • Periodically assessing the effectiveness of the embedded Group risk management process • Challenging the content of the strategic risk register to support a comprehensive and balanced assessment of risk • Reporting on the principal risks and uncertainties of the Group • Implementing and embedding the Group’s Risk Management Policy and approach • Directing the delivery of the Group’s identified actions associated with managing/mitigating risk • Identification of key risk indicators, monitoring and taking timely action where appropriate Executive Board and leadership team • Responsible for reviewing the operational risks across the business units and Group • Challenging the appropriateness and adequacy of proposed action plans to mitigate risk • Giving due consideration to the aggregation of risk across the Group • Provisioning suitable cross-functional/ business unit resource to effectively manage risk where appropriate • Instrumental in developing the risk management framework adopted by the Board • Providing governance and control over the IRMS • Conduit between the Board and the business units – providing training and support where appropriate • Developing and executing a risk-based internal audit plan to assess the management of risks Global governance function, incl. dedicated CISO • Ongoing monitoring and reporting to the Board in relation to the progress being made by the business units in implementing agreed action plans to mitigate strategic risk • CISO dedicated to the identification, management, monitoring and reporting of data security risks • Execution of the delivery of the Group’s identified actions associated with managing risk • Timely reporting on the implementation and progress of agreed action plans • Provision of key risk indicator updates Business units • Identification and reporting of strategic risk to the Board • Provision of reports and data relating to significant emerging risks to the Group • Implementation of risk management approach which promotes the ongoing identification, evaluation, prioritisation, mitigation and monitoring of operational risk Effective pursuit of strategic objectives NCC Group plc 71 Strategic report Risk management model The Board has overall responsibility for ensuring that NCC Group adopts an effective risk management model, which is aligned to our objectives and promotes good risk management practice. We have therefore adopted the model described in this section and summarised in the diagram above. The Board, Audit Committee, Cyber Security Committee and executive management team review risks on an ongoing basis throughout the year. The appropriateness and relevance of the global governance team to ensure that it continues to be updated, meets the needs of the Group and remains in line with good risk management practice. In addition, there is a robust process in place for monitoring and reporting the implementation of agreed actions. We are satisfied that the Risk Management Policy, framework and model currently in place are sufficient to manage risk across the Group. The key areas of identifying, assessing, addressing and monitoring risks are explained in more detail below: Identify Risks exist within all areas of our business and it is important for us to identify and understand the degree to which their impact and likelihood of occurrence will affect the delivery of our key objectives. This is achieved through day-to-day working practices and incorporates risks in both the internal and external environment. Examples of identification include horizon scanning for emerging risks such as increasing energy costs, takeover risks, legislative and market changes and geopolitical risks. All identified risks are initially assessed for their “inherent” risk accounts for the likelihood of an event occurring and the impact that it may have on the Group. The scoring mechanism adopted takes account of high impact, low likelihood events and these risks are managed in a timely manner. In addition to ongoing risk identification, an annual exercise is undertaken to review the Group’s strategic risk universe by the Board. This exercise is reliant on the “top-down”, “bottom-up” approach discussed earlier. Assess Post-identification of the Group’s inherent risk exposure, a comprehensive assessment of the effectiveness of current mitigating controls is undertaken. This exercise takes account of the design of the current control environment and the application of these controls prior to assessing the Group’s current exposure to risk – mitigated risk score. The Board uses a number of sources of information to support the scoring of risk and these include, but are not limited to: • Management updates • Action tracking and reporting • Control environment policies and procedures • Independent audit activity • Project monitoring reports Address Having identified and assessed the risks faced by the Group, the risks are scored according to likelihood of occurring and impact to the business should they occur. The risks are then mapped according to their rating onto a risk heat map, which reflects the Group’s overall risk appetite set by the Board. The Group’s Risk Management Policy then provides guidance on the expected level of response to those risks, depending on where they sit on the risk heat map. The heat map shows the four bandings in the different shades of risks as set out below as well as expected actions and responses to risks in these areas: • Green – within appetite. Ongoing monitoring in place. • Amber – out of appetite. Some actions are required to treat the risk to bring this within acceptable levels. • Purple – significantly out of appetite. High combination of residual probability and impact. Management actions are required, with some urgency, to treat the risk, reducing this to acceptable levels. • Grey/black – risks that are deemed to have such an impact that they could theoretically impact the ability of the business to continue in existence. If any, they would need consideration in assessing in the Directors’ Viability Statement. The below heat map shows the residual risk after mitigation. An assessment of whether additional actions are required to reduce our risk exposure is undertaken, with actions falling into the one of four categories: • Treat – develop an action plan (applying responsibility, implementation of additional controls, or increase the requirement for additional assurance over the adequacy and effectiveness of the existing controls. • Transfer – use a third party specialist to undertake the activity, thus mitigating the risk. • Tolerate – determine the risk is within appetite. • Terminate – exit the activity. Output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders, or has been used in the development of the Group’s transformation programme. Risk management model Assess adequacy and effectiveness of existing controls Identify risks Identify inherent risks and likelihood of impact Monitor delivery of action plans/ risk universe Assign Director- level sponsorship Evaluate mitigated risks and likelihood of impact Develop action plans ( treat, transfer, tolerate, I d e n t i f y M o n i t o r A s s e s s A d d r e s s C o r p o r a t e g o v e r n a n c e C o r p o r a t e g o v e r n a n c e Principal risks and uncertainties continued NCC Group plc 72 Monitor Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual. Examples of ongoing monitoring of business risks include, but are not limited to: • Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks • Annual review of the annual internal audit plan to validate that it incorporates key areas of business risk • A review of internal audit reports issued during the period, including a summary of progress against previously raised management actions at each Audit Committee meeting • Annual review of the strategic risk register by the Enterprise Risk Management Steering Group and Board to ensure that it includes risks arising in year Internal control While risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation. NCC Group has established a robust internal control framework, which is made up of a number of components: Control environment The control environment has primarily been established taking account of the Group’s values (working together; being brilliantly Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, while also maintaining integrity and transparency. Risk assessments Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements and are vital in our transformational programmes. Low 0 2 3 4 5 2 3 4 5 High Impact Likelihood Low High 19 14 12 18 13 21 17 9 10 6 4 7 8 5 1 3 2 24 16 20 22 11 15 23 number number Risk 1 1 Ineffective execution of the Group’s strategy 2 2 Poor and/or ineffective change management mechanisms (previously management of 3 n/a Over-reliance on market sector, region, products/ 4 6 Cyber attack (previously information security risk 5 4 Significant business systems failure (previously 6 n/a 7 7 Insufficient quality, integrity and availability of management information (previously quality of management information systems and internal 8 n/a 9 n/a 10 n/a 11 n/a 12 5 Inability to retain/recruit colleagues to meet the resource needs of the business (previously attracting and retaining appropriate colleague 13 3 Poor colleague health and wellbeing, including 14 n/a Economic changes/volatility impact on revenue 15 n/a Unable to meet the service and resource needs 16 n/a 17 n/a 18 9 International trade (previously international trade 19 n/a 20 n/a Undertaking work with disreputable clients or 21 n/a Service delivery does not achieve established 22 8 Loss of internationally recognised quality and security standards (previously quality 23 n/a Criminal and civil legal action resulting in fines 24 10 Inability to identify and adopt emerging regulations in a timely manner (previously Policies and procedures Established policies communicate expected behaviours and these are supported through procedures and guidelines defining required processes and controls. This in turn supports the business to adopt efficient and effective control environments. Information and communication Access to accurate and timely data is key in supporting our colleagues to make decisions and to be well informed in order to conduct, manage and control their areas of responsibility. NCC Group plc 73 Strategic report Principal risks and uncertainties continued A. Strategy 1. Ineffective execution of the Group’s strategy VR Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name Business strategy Risk owner Mike Maddison, CEO R isk impact A poor strategy or ineffective execution of a strategy could have a material negative impact on the Group’s financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group’s established position in the marketplace. Risk movement Key controls and mitigating factors New strategy launched in February 2023 and in process of being implemented with full Board support. New leadership team in place, including new Head of Strategy. Strategy accelerated (delivery centre in Manila due being made. 2. Poor and/or ineffective change management mechanisms Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name Management of strategic change Risk owner Mike Maddison, CEO R isk impact Implementation of projects that then cost more to deliver, take longer to deliver and result in Poor delivery of change could ultimately impair business performance. As the Group adapts and executes its strategy, there are a number of complex projects and initiatives that not only need to be delivered but also require understanding and support from all colleagues. Risk movement Key controls and mitigating factors The Group has recently recruited a new Head of Strategy who will manage the implementation alongside key stakeholders. New leadership team in place to drive the new strategy. Development of business cases which clearly articulate project objectives including delivery metrics which are monitored. Internal control continued Activity monitoring The minimum financial controls framework was established in FY20. Further enhancement of the framework is being designed and implemented to align with the Corporate Reform and upcoming Directors’ attestation of internal controls. Financial accounting and reporting follow generally accepted accounting practices. Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies. Compliance with all legislation, current and new, is closely monitored. Risk and control reporting structure During the current financial year, NCC Group has continued to focus on embedding the “three lines of defence” to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control. Three lines of defence: • First line • Second line – information security, data protection, health and safety, and legal • Third line – risk and assurance, incorporating internal audit, standards and support, assessing compliance with standards and external audit, both financial and operational, providing independent challenge and assessment Principal risks and uncertainties The introduction of the new strategy in February 2023, and introduction of new Executive Committee members, has resulted in a revisit and relaunch of the Company’s risk management framework giving rise to a robust assessment of principal risks and thus resulting in changes to the identified risks and uncertainties. The Group continues to operate in a particularly dynamic and evolving marketplace. The current risk register has been developed to reflect those factors and includes those risks that would threaten its business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, their potential impact and mitigating processes and controls are set out below. The heat map on page 73 provides a pictorial representation of the Group’s net risks and their direction of travel. The strategic risks are based on the four pillars: our clients, our capabilities, global delivery and differentiated brands. We have identified eight risk themes: A. Strategy – this is the overarching strategic risk B. C yber and information security C. Innovation and product development D. P eople and partners E. Market and competition F. B rand and reputation G. Quality and delivery H. L egal, regulatory compliance and governance Extraordinary risk during the year Customer concentration risk materialised and due to some large US-based tech customers not renewing their contracts, this had an adverse effect on revenue resulting in the profit warning. We did recognise this as a risk in FY22 as part of business strategy and viability risk, but the new strategy looks to diversify our client base to ensure this does not occur again. NCC Group plc 74 Risk movement: Increased Decreased Unchanged Viability risk: VR Ne w risk: NR Risk impact: High A. Strategy continued 3. Over-reliance on market sector, product/service or client VR Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name N/A Risk owner Mike Maddison, CEO Risk impact A loss of key customers or over-reliance on market sector can result in a reduction in revenue and consequential impact on profitability and cash generation. Risk movement NR Key controls and mitigating factors The new strategy looks to help mitigate this risk and ensure we don’t have any future overexposure to a market sector or client. Viability risk considers this as part of the scenarios modelled. B. Cyber and information security 4. Cyber attack VR Link to strategy: Our capabilities Global delivery Differentiated brands Previous risk name Information security risk Risk owner Rebecca Fox, CIO Risk impact Data breach leading to fines from regulators and reputational damage. Lack of availability in systems. Inability to operate services resulting in loss of customer trust, resulting in loss of revenue and negative impact on share price. Impact on national security due to our work with government clients. Risk movement Key controls and mitigating factors The Board operates a Cyber Security Committee chaired by a NED. All colleagues globally are required to undertake annual and ongoing security training and updates to alert them to potential methods of security breach and to their responsibilities in safeguarding information and reporting potential issues. Security testing is regularly carried out on the Group’s infrastructure and there are extensive response plans, which are tested. Comprehensive plans are in place and being delivered associated with discharging our data protection obligations. Deployed an Information Security Management 5. Significant business systems failure VR Link to strategy: Our capabilities Global delivery Differentiated brands Previous risk name Availability of critical information systems Risk owner Rebecca Fox, CIO Risk impact Inability to transact, operate and deliver services resulting in loss of customer trust, resulting in loss of revenue and negative impact on share price. Risk movement Key controls and mitigating factors Deployed an Information Security Management IT strategy of continued cloud migration which has greater resilience and availability. Business Continuity Plans, including Crisis Management, in place and tested regularly. Change management process in place within IT which assists a reduction in incidents caused by human error. Backups in place and single points of failure identified and mitigated in the event of prolonged loss of systems. 6. Loss of client/colleague data Link to strategy: Our clients Differentiated brands Previous risk name N/A Risk owner Guy Ellis, CFO Risk impact Data breach leading to fines from regulators and reputational damage. Risk movement NR Key controls and mitigating factors Deployed an Information Security Management Regular compliance training, including data protection, provided to all colleagues at least annually. Information classification and handling and data privacy policies in place. NCC Group plc 75 Strategic report Principal risks and uncertainties continued B. Cyber and information security continued 7. Insufficient quality, integrity and availability of management information VR Link to strategy: Our clients Our capabilities Global delivery Previous risk name Quality of management information systems and internal business processes Risk owner Guy Ellis, CFO Risk impact Suboptimal business decision making and performance as key financial performance data is not available or trusted. Risk movement Key controls and mitigating factors Standardised business process control standards are in place and subject to regular review by the global standards and support team. C. Innovation and product development 8. Intellectual property theft or exposure Link to strategy: Differentiated brands Previous risk name N/A Risk owner Siân John, CTO Risk impact Reputational damage from losing client data and industrial espionage, resulting in loss of revenue and loss of competitive advantage from threat of malicious actors. Risk movement NR Key controls and mitigating factors Security and technical controls in place through our 9. Ineffectual product/service management Link to strategy: Global delivery Previous risk name N/A Risk owner Siân John, CTO Risk impact Loss of revenue from uncompetitive solutions and failure to compete effectively. Failure to align to the business strategy resulting in lack of client trust leading to a loss of clients. Failure to maintain competitive advantage. Ineffectual marketing strategy. Risk movement NR Key controls and mitigating factors Suitably qualified and experienced product managers. Quality review process. Customer feedback and escalation process. Marketing strategy in place focused on product development. 10. Failed product/service launch Link to strategy: Global delivery Previous risk name N/A Risk owner Kevin Brown, COO Risk impact Cost implications. Reputational damage. Loss of colleague morale. Loss of customer trust. Poor development processes. Insufficient speed of execution. Risk movement NR Key controls and mitigating factors Robust planning processes and consultation Management oversight and review process. Use of modern development practices such as “Agile” and “design thinking”. Principal risks and uncertainties continued Risk movement: Increased Decreased Unchanged Viability risk: VR N ew risk: NR Risk impact: High NCC Group plc 76 D. People and partners 11. Insufficient workforce resilience Link to strategy: Our capabilities Previous risk name N/A Risk owner Michelle Porteus, Chief People Officer Risk impact Inability to deliver to clients resulting in loss of revenue. Loss of colleague morale and risk of “burnout”. Risk movement NR Key controls and mitigating factors Workforce resourcing managed by Chief People Officer. Full review of workforce requirements undertaken as part of strategic review. 12. Inability to retain/recruit colleagues to meet the resource needs of the business VR Link to strategy: Our capabilities Previous risk name Attracting and retaining appropriate colleague capacity and capability Risk owner Michelle Porteus, Chief People Officer Risk impact Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group’s strategy. An inability to attract and retain sufficient high calibre colleagues could become a barrier to the continued success and growth of NCC Group. Risk movement Key controls and mitigating factors Colleagues are offered an industry aligned salary and benefits package, which can include participation in share schemes, salary sacrifice car scheme and retail discount offerings. Improved communications with our colleagues managed by the new Chief Marketing Officer. New global delivery and operations centre opened in Manila in September 2023 13. Poor colleague health and wellbeing, including pandemic Link to strategy: Our capabilities Previous risk name Global pandemic Risk owner Michelle Porteus, Chief People Officer Risk impact High turnover of staff based on low colleague morale or “burnout”. If significant number of colleagues are unable to work this will impact client delivery and could lead to a loss of revenue. Risk movement Key controls and mitigating factors Various channels available to colleagues to support with health and wellbeing. Colleagues continue to successfully work in a hybrid manner, delivering remote client services. Mental health allies across the business. Attractive office environments globally. Risk assessments carried out regularly, for example display screen equipment and shift workers. E. Market and competition 14. Economic changes/volatility impact on revenue and profitability Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name N/A Risk owner Mike Maddison, CEO Risk impact Loss of clients or reduction in client spend will result in a loss of revenue. Increases to interest rates or inflation will impact profitability. Risk movement NR Key controls and mitigating factors Strategy accelerated (delivery centre in Manila due being made, making NCC Group more resilient to economic changes. Increased cost control measures and actions. Risk movement: Increased Decreased Unchanged Viability risk: VR N ew risk: NR Risk impact: High NCC Group plc 77 Strategic report Principal risks and uncertainties continued Principal risks and uncertainties continued E. Market and competition continued 15. Unable to continue to meet the service and resource needs of our clients VR Link to strategy: Our capabilities Global delivery Previous risk name N/A Risk owner Mike Maddison, CEO Risk impact Loss of clients will result in a loss of revenue and reputational damage. Risk movement NR Key controls and mitigating factors New strategy includes capabilities as a key pillar and the business has been restructured to mitigate this risk. 16. Lack of visibility in the marketplace Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name N/A Risk owner Mike Maddison, CEO Risk impact Loss of clients will result in a loss of revenue. Risk movement NR Key controls and mitigating factors Chief Marketing Officer is planning a rebrand as per the new strategy. Continue to publish expert advice and content publicly. 17. Reliance on relationships with third parties Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name N/A Risk owner Mike Maddison, CEO Risk impact Loss of margin. Reputational damage if third parties don’t deliver. Risk movement NR Key controls and mitigating factors Contracts in place with third parties. Ongoing review of service and delivery from third parties. 18. International trade Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name International trade Risk owner Kevin Brown, Chief Operating Officer Risk impact Failure to comply with changing global regulations may cause disruption to our business. Risk movement Key controls and mitigating factors The new strategy is focused on globalisation and thus the resource structure is being designed to promote global delivery. F. Brand and reputation 19. Adverse publicity in news and social media Link to strategy: Differentiated brands Previous risk name N/A Risk owner Angela Brown, Chief Marketing Officer Risk impact Reputational damage leading to loss of existing and potential clients resulting in loss of revenue. Risk movement NR Key controls and mitigating factors Policies and procedures in place which follow good practice and ethics. Research quality review process managed by a panel of experts. Risk movement: Increased Decreased Unchanged Viability risk: VR N ew risk: NR Risk impact: High NCC Group plc 78 F. Brand and reputation continued 20. Undertaking work with disreputable clients or in sanctioned/undesirable jurisdictions Link to strategy: Our clients Global delivery Previous risk name N/A Risk owner Angela Brown, Chief Marketing Officer Risk impact Reputational damage. Potential fines. Risk movement NR Key controls and mitigating factors Country risk assessment process in place for new business. Higher risk countries have a risk assessment completed and approved appropriately. G. Quality and delivery 21. Service delivery does not achieve established quality standards VR Link to strategy: Our clients Our capabilities Previous risk name N/A Risk owner Chief Operating Officer Managing Director Risk impact Clients don’t renew, have their SLA breached or cancel mid-service leading to loss of revenue. Negligence in delivery leading to legal action or loss of revenue and reputational damage. Risk movement NR Key controls and mitigating factors Quality assurance processes in place. Standard methodologies and procedures followed. Customer feedback and complaints process. Ongoing internal training programmes. 22. Loss of internationally recognised quality and security standards VR Link to strategy: Our capabilities Global delivery Differentiated brands Previous risk name Quality and security management systems Risk owner Guy Ellis, CFO Risk impact The risk of the Group failing to retain a core consequential loss of key customer accounts or ability to operate. Risk movement Key controls and mitigating factors We operate a comprehensive programme to ensure the retention of our core standards. Policies and procedures in place and audited against the design and application. External assessors conduct audits at least annually confirming the retention of our quality and security standards. We have extended our ISO standards to more locations during FY23. H. Legal, regulatory compliance and governance 23. Criminal and civil legal action resulting in fines and incarceration VR Link to strategy: Our clients Global delivery Differentiated brands Previous risk name N/A Risk owner Guy Ellis, CFO Risk impact Reputational damage from legal action being taken and financial impact of the fines and the impact it may have on key customer accounts. Risk movement NR Key controls and mitigating factors Legal team reviews customer contracts. Annual compliance training undertaken including ethics (covering anti-bribery and corruption, whistleblowing, and safety, information security and data protection. Risk movement: Increased Decreased Unchanged Viability risk: VR N ew risk: NR Risk impact: High NCC Group plc 79 Strategic report In addition to identifying the Group strategic risks, we continuously review and monitor emerging risks through horizon scanning; publications; assessing regulatory changes and how they may impact the Group; and ensuring adequate oversight over significant projects. Emerging risks Risk area Risk Risk description Mitigating controls People and partners Pandemic Colleagues can deliver client services remotely. Market and competition Blackouts Potential energy supply shortages as a result of supply issues created by the Russian invasion of Ukraine. Emergency backup generators in place and tested. Property portfolio being reviewed. Increasing energy costs Energy costs have increased significantly since the Russian invasion of Ukraine. Factored into budget. Geopolitical Legislative change; political party change; and Russian invasion of Ukraine. Country risk assessment process in place for new business. Takeover Profit warning and significant drop in the share price expose the Group to a takeover. New strategy being implemented. Quality and delivery Off-shoring Geopolitical landscape, including changing legislation and taxation. Project team considering all key risks and using subject matter Extending ISO certifications to include new centre of excellence. Project management Significant number of large scale projects which need to be adequately managed. New Head of Strategy responsible for project management. Development of business cases which clearly articulate project objectives including delivery metrics which are monitored. Principal risks and uncertainties continued Principal risks and uncertainties continued H. Legal, regulatory compliance and governance continued 24. Inability to identify and adopt emerging regulations in a timely manner Link to strategy: Our clients Global delivery Differentiated brands Previous risk name Sustainability/climate change Risk owner Guy Ellis, Chief Financial Officer Risk impact Non-compliance with regulations resulting in fines from regulators and reputational damage leading to loss of key customer accounts and shareholder investment. Risk movement Key controls and mitigating factors TCFD came in last year and we disclosed accordingly. Horizon scanning for new regulations, for example CSRD, ISSB, Corporate Governance Reform and NIS. Risk movement: Increased Decreased Unchanged Viability risk: VR N ew risk: NR Risk impact: High NCC Group plc 80 Viability statement Viability statement The context for assessment In accordance with the requirements of the UK Corporate Governance Code, the aim of the Viability Statement is for the Directors to report on the assessment of the prospects of the Group meeting its liabilities over the assessment period, considering the current financial position, outlook, principal risks and uncertainties, and key judgements and estimates in preparing the Financial Statements. The Directors have based their assessment of viability on the Group’s current business model and strategic plan, which is updated and approved annually by the Board, in line with our objectives to deliver sustainable and profitable growth, increase shareholder value and offer an improved service and product offering to our customers. This is underpinned by the strategic priorities outlined on pages 24 to 27 of the Strategic Report. The effective management of principal risks and uncertainties is outlined within pages 70 to 80 and this assessment emphasises those risks that could theoretically threaten the Group’s ability to The assessment period The Directors have assessed the viability of the Group over the three-year period to May 2026, as this is an appropriate planning time horizon given the speed of change and customer demand in the industry and is in line with the Group’s strategic planning period. Assessment of viability The viability of the Group has been assessed considering the Group’s current financial position, available bank facilities, and the Board approved FY24 budget and three-year strategic plan. It’s been a challenging year for the Group with a decline in the rate of revenue growth and overall profitability, resulting in a loss before taxation of £4.3m. The Group’s revenue performance and profitability suffered from market volatility within Cyber Security . In particular, the Group experienced buying decision delays and cancellations in the North American tech sector and our UK market. These headwinds have further reinforced the need to accelerate the implementation of our next chapter of the Group strategy following its communication in February 2023. This strategy requires a level of additional investment in 2024. Despite the above, the Group has maintained consistent cash generation during the year. Following the year end, the Group has engaged in additional generating cost efficiencies across Cyber Security and corporate functions which is resulting in the implementation of a fundamental reorganisation generating further savings compared to the prior year. As a result of all of the above, the base case budget for FY24 has been prepared on the basis that market volatility within Cyber Security partially continues with overall profitability remaining similar to 2023. In addition, the base case budget for FY24 also reflects recent growth patterns in the other geographical regions and operating segments, relevant growth opportunities for the Group based on existing propositions and factoring in current macro-economic factors most specifically existing inflationary pressures. The Directors have also modelled the impact of certain severe but plausible scenarios arising from the principal risks, which have the greatest potential impact on viability in the period under review, as set out in the table below. Further details of how these sensitivities have been applied are provided in the going concern The impact of these sensitivities has been reviewed against the Group’s projected cash flow position, available bank facilities and compliance with financial covenants over the three-year Group’s financing arrangements and expiry dates. The sensitivities applied under stress testing show adequate levels of headroom and that no mitigating actions are required to address severe but plausible scenarios modelled by management. While noting that no mitigating actions are required to address severe but plausible scenarios modelled by management, options available include a reduction of planned capital expenditure, headcount reduction, freezing pay and recruitment and not paying a dividend to shareholders, all of which are within the Directors’ control and give an additional level of headroom. Conclusions Based on these severe but possible scenarios, the Directors have a reasonable expectation that the Group and Company will be able to continue in operation and remain commercially viable over the three year period of assessment. Viability risk Risk as applied to viability assessment Specifics of scenario modelled Potential impact Ineffective execution of the Group’s strategy Inability to retain/ recruit colleagues to meet the resource needs of the business A poor strategy or ineffective execution of a strategy could have a material negative impact on the Group’s financial performance and value. Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group’s strategy. In order to consider the impact of the risks identified management has modelled two scenarios: Assurance business does not improve beyond that seen in FY23 Q4. to be implemented as part of the Group’s strategy are not executed. Scenario modelled assumes annualised impact of £3.2m adverse impact on profitability. The impact of these sensitivities has been reviewed against the Group’s projected cash flow position, available bank facilities and compliance with financial covenants over the three year viability period. The sensitivities applied under stress testing show adequate levels of headroom and that no mitigating actions are required. Over reliance on market sector or client Economic changes/ volatility impact on revenue A loss of key customers or over-reliance on market sector can result in a reduction in revenue and consequential impact on profitability and cash generation. Loss of clients or reduction in client spend will result in a loss of revenue. Scenario modelled assumes loss of key customers resulting in a reduction in profitability of £4.2m. The impact of these sensitivities has been reviewed against the Group’s projected cash flow position, available bank facilities and compliance with financial covenants over the three year viability period. The sensitivities applied under stress testing show adequate levels of headroom and that no mitigating actions are required. Economic changes/ volatility impact on profitability Being a global organisation the Group is exposed to global and regional macro-economic factors such as inflation and rising interest rates. Scenario modelled assumes additional wage increases to align with regional inflation rates across different geographies of £5.0m. UK Interest rates on borrowings forecast to rise a further 0.75% from original forecast. Incremental annual utility costs of £0.2m included. The impact of these sensitivities has been reviewed against the Group’s projected cash flow position, available bank facilities and compliance with financial covenants over the three year viability period. The sensitivities applied under stress testing show adequate levels of headroom and that no mitigating actions are required. NCC Group plc 81 Strategic report 82 NCC Group plc — The Board is committed to creating and maintaining a culture where strong levels of governance thrive throughout the organisation, specifically ensuring that we send out consistent messages on our values and acceptable behaviours for our colleagues, our customers, our suppliers and our advisers. In this section 84 Chair’s introduction to governance 87 Governance framework 88 Board of Directors 90 Executive Committee 92 Board composition and division of responsibilities 102 Shareholder engagement 103 Audit Committee report 110 Nomination Committee report 113 Cyber Security Committee report 115 Remuneration Committee report 138 Directors’ report 142 Directors’ responsibilities statement Governance NCC Group plc 83 2022/23 highlights • Continued to hear from our designated NED for workforce engagement who reports to every Board meeting • Recruited and on-boarded a new independent a new perspective and dynamic to our Board discussions, and now chairs the Audit Committee • Undertook our first ever externally facilitated Board and Committee evaluation • Agreed a revised strategy • The Board visited North America and had the opportunity to meet with colleagues 2023/24 priorities • a successful start • Continuing to focus on our stakeholders, particularly in-person colleague engagement • Supporting the executive team with embedding the new strategy • Working through the key priorities raised in the Board evaluation and having regular check-ins on these throughout the year • Supporting the executive team to set up our delivery centre in the Philippines Dear Shareholder On behalf of the Board, I am pleased to present the Corporate Governance Report for the year ended 31 May 2023. Throughout the year the Board has worked cohesively as a team to enable the Company to successfully navigate a turbulent and uncertain period. I would like to thank the Board for its wise counsel and continued efforts during this time. The Board is composed of highly skilled and experienced Directors from a diverse range of industries and backgrounds, all of whom contribute towards the long-term success of the Company and show commitment and enthusiasm in the performance of their roles and duties. The Board believes that good governance is key to the long-term success of the Group and is committed to achieving high standards of governance. I would like to thank all of my Board colleagues for their commitment, support and flexibility over the past year. While we welcome a return to face-to-face meetings, a number of our Board meetings were conducted in a virtual environment by necessity. This new hybrid way of working has enabled us to maintain strong governance and robust decision making, delivering against our strategy. During the year, a particular highlight was our visit as a Board to North America in November 2022 and we enjoyed spending time with colleagues in our New York office, and we look forward to visiting more offices and meeting more colleagues in the coming year. The Board is committed to creating and maintaining a culture where strong levels of governance thrive throughout the organisation, specifically ensuring that we send out consistent messages on our values and acceptable behaviours for our colleagues, our customers, our suppliers and our advisers. A continued commitment With our recent appointments, Chris Stone Chair’s introduction to governance 84 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Board changes Board composition and diversity Governance standards Our approach Board tenure as at 31 May 2023 6 years 2 months Mike Maddison Guy Ellis Chris Stone 4 years 10 months Tim Kowalski 8 years 1 month Chris Batterham 1 year 5 months Julie Chakraverty 5 years 1 month Jennifer Duvalier 5 years 8 months Mike Ettling NCC Group plc 85 Governance Board composition and diversity Effectiveness You can read more about the Board and the Committee evaluation on page 96 Our investors Statement of compliance with the UK Corporate Governance Code • Thank you Chris Stone Non-Executive Chair Chair’s introduction to governance NCC Group plc 86 Governance framework • • • • • • • Board Board Committees Chief Executive Officer The different parts of the Company’s governance framework are shown below, with a description of how they operate and the linkages between them. Audit Committee Nomination Committee Cyber Security Committee Remuneration Committee Read more on pages 103 to 109 Read more on pages 110 to 112 Read more on pages 113 and 114 Re ad more on pages 115 to 137 pages 92 to 101 NCC Group plc 87 Governance Chris Stone Appointment to the Board: Career experience External appointments Appointment to the Board: Career experience External appointments Appointment to the Board: Career experience External appointments Appointment to the Board: Career experience External appointments Our business is led by our Board of Directors. Biographical and other details of the Directors are as follows: N Mike Maddison Guy Ellis Chris Batterham A NC R Board of Directors C NCC Group plc 88 A C N R Committee key: Jennifer Duvalier Julie Chakraverty Appointment to the Board: Career experience External appointments Appointment to the Board: Career experience External appointments R NC Appointment to the Board: Career experience External appointments Mike Ettling NCA R A Other Directors during the year Adam Palser Tim Kowalski Lynn Fordham Appointment to the Board: Career experience External appointments NCA R NCC Group plc 89 Governance Executive Committee Angela Brown Nick Rowe Kevin Brown Harmen Dikkers NCC Group plc 90 Michelle Porteus Rebecca Fox Andrew Lemonofides Siân John NCC Group plc 91 Governance Board composition and division of responsibilities Role Responsibilities Chair of the Board Chief Executive Officer Chief Financial Officer Senior Independent Director Non-Executive Directors Designated Non- Executive Director for engagement with the workforce Company Secretary NCC Group plc 92 Meetings and attendance Board Audit Nomination Cyber Security Remuneration 14 14 5 5 * 4 4 13 13 14 14 12 14 4 4 4 5 2 4 4 5 14 14 3 3 * 4 4 3 3 4 4 14 14 3 3 5 5 4 4 * 5 5 12 14 5 5 4 4 5 5 * 11 14 3 4 What principal decisions have been made and what have we looked at as a Board during 2022/23? Section 172 statement Principal decisions made during the year NCC Group plc 93 Governance What principal decisions have been made and what have we looked at as a Board during 2022/23? Principal decisions made during the year Topic Stakeholder group Decision taken Engagement process Reference Board changes Colleagues, shareholders, customers, our network Reduction in workforce Shareholders, colleagues, customers Board composition and division of responsibilities NCC Group plc 94 Topic Stakeholder group Decision taken Engagement process Reference Global delivery centre in the Philippines Colleagues, customers, shareholders Revised strategy and the strategic pillars Colleagues, customers, shareholders Refinancing our bank facilities Colleagues, customers, shareholders, our network NCC Group plc 95 Governance Board composition and division of responsibilities What have we looked at as a Board during 2022/23? Leadership and colleagues • • • • • • • • Strategy • • • • • Governance • • • • • • • • • • • • • • • • • Financial • • • • • • • • • • • • • Other Group business • • • • • • • • • NCC Group plc 96 Board strategy review Independent advice Conflicts of interest Colleague engagement Board independence • • • • • • NCC Group plc 97 Governance Board composition and division of responsibilities Lynn Fordham – induction and first impressions Diversity Annual re-election Director induction, training and development Board and Committee effectiveness review My comprehensive induction programme and meeting the right colleagues and advisers before I started on 1 September 2022 meant I had a good appreciation of NCC Group and for the Company’s issues before my first Board meeting. I believe that the insights I gained allowed me to make a positive contribution from the outset and although my first Board meeting was a virtual one, I have now had the opportunity to attend four in-person Board meetings Strategy Day and these, together with various events and site visits, have allowed me to further engage with a number of colleagues. Being on the Audit Committee and then recently taking over from Chris Batterham as Chair has really allowed me to “get under the skin of NCC Group” and add value from my experiences gained elsewhere. I have really enjoyed my early months with NCC Group and look forward to contributing further and driving improvements at NCC Group particularly those within the Audit Committee’s sphere of influence, and also in my work as lead NED for Sustainability.” Lynn Fordham Independent Non-Executive Director NCC Group plc 98 Board, Committee and Chair evaluation process 2023 MSP reviewed, with the Company Secretary, the 2022 questionnaires and evaluation exercise results and, based on this, recommended using the same questionnaires for the 2023 Board Effectiveness Review to maintain continuity and provide year on year comparisons. This approach was approved by the Chair and, for the Chair’s review, the Senior Independent Director. Questionnaires were added to an online survey website, which ensured the anonymous and efficient collection of answers. The results were made available to MSP, under an agreed Non-Disclosure Agreement. MSP met with each member of the Board to conduct a structured interview on the effectiveness of the Board. It also met with selected members of the senior management team. MSP also attended a Board meeting as an observer. NCC Group plc 99 Governance Board composition and division of responsibilities Outcomes Areas identified in previous evaluations Outcome Board composition • Board agendas • • • • • • Board behaviours • • Strategy • • • • Performance monitoring • Succession planning • • Stakeholder management • • Information flows • • • • • Risk management • Committees • NCC Group plc 100 Operation of governance framework Role of the Board • • • • • • • • • Risk management Internal control Executive remuneration NCC Group plc 101 Governance Shareholder engagement Share capital structure Board engagement with shareholders Board shareholder updates Investor meetings One-to-one meetings 66 Group meetings Substantial shareholdings Directors’ shareholdings Annual General Meeting Chris Stone Non-Executive Chair NCC Group plc 102 2022/23 key activities • Assessed the quality of earnings by reviewing one-off, out of period or non-trading items arising over the year considering the background of a challenging year • Continued focus on the adherence to the Individually Significant Items accounting policy • to ensure there is a clear description and explanation, reconciliation, presentation and consistency applied • Critical review and discussion with our external auditor on the assumptions and models used within the Group annual impairment review and resultant disclosures considering the background of a challenging second half performance, a new strategy and managements future action plans • Consideration of going concern and viability assessment and disclosures considering the background of a challenging year and a new strategy • Monitoring integration of IPM business including associated risks, controls and costs of integration and then ensuring that existing Group controls have been implemented within the newly acquired business • • reviewing and approving the Group’s response • Considered a change to the year end (deciding not to at 2023/24 priorities • Review of the risk management and control environment of any significant strategic or operational projects and the resulting changes in the business • Monitoring the project risk management of key new initiatives, ensuring that satisfactory internal controls are embedded from the outset Audit Committee report • Reviewing and monitoring controls • Ensuring continued improvement of the effectiveness of the Group’s risk management and internal control systems • Planning for regulatory changes arising from the new corporate governance reform requirements, including ensuring that we review and consider all UK governance changes following the establishment of Audit Reporting • and embedding sustainability into the business • Undertaking a thorough and comprehensive independent auditor tender process, leading to the reappointment of KPMG, or the on-boarding of a new auditor • Monitoring implementation of the recently implemented I am pleased to present the Audit Committee Report for the year ended 31 May 2023 to explain how we have discharged our responsibilities with an overview of our principal activities and their outcomes. Committee membership, attendees’ access and objectives The Audit Committee had a change of Chair during the year. I am a Chartered Accountant with diverse sector experience across listed companies, private equity and financial services in a number of disciplines including risk management, internal control and financial reporting. I am also currently Chair of the Audit and Risk Committees at Caledonia Investments plc, Domino’s Pizza Group plc and Enfinium Group, all of which provide me with an additional external perspective to bring to my chairing of this Committee. The Board therefore considers that I have the recent and relevant financial experience required by the Code. Lynn Fordham Committee Chair Governance 103NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Committee membership, attendees’ access and objectives Principal duties delegated to the Audit Committee Areas delegated to the Audit Committee Committee responsibilities Activities during the year Financial reporting • • • • • • Narrative reporting • • • • • • Internal controls and risk management systems • • • • Compliance, whistleblowing and fraud • • Internal audit • • External audit • • • • • • • Audit Committee report NCC Group plc 104 Report and Accounts to 31 May 2022 • • • Meeting frequency and attendance 33 44 44 43 Significant accounting areas and areas of significant management judgement or estimation uncertainty Significant issues considered during the year in relation to the Financial Statements • • • • • • • • • • • NCC Group plc 105 Governance Goodwill carrying value Fair value less costs to sell The Group’s approach to materiality Internal audit Audit Committee report NCC Group plc 106 Internal audit Internal controls and risk management Controls relating to financial reporting and preparation of the Annual Report and Accounts • • • • Other controls • • • • • • • • • • • Whistleblowing and confidential reporting procedures Review of the Audit Committee’s effectiveness Auditor’s independence and objectivity NCC Group plc 107 Governance Auditor’s independence and objectivity External auditor’s effectiveness and appointment • • • • • • • • • • • • • Audit Committee report NCC Group plc 108 Fair, balanced and understandable 1. Financial information • • • 2. Narrative disclosures • • • 3. Independent reviewers • • 4. Audit Committee Chair • • 1 Financial information 3 Independent reviewers 2 Narrative disclosures 4 Audit Committee Chair Related party transactions and other fees approved by the Committee Fair, balanced and understandable • • • Lynn Fordham Chair, Audit Committee NCC Group plc 109 Governance 2022/23 highlights • Significant improvement in diversity in the Executive Committee and the Board • Continued focus on building strength in our senior leadership team to support succession planning, senior management and Executive Director succession plans • Relentless focus on diversity and inclusion in every meeting, including undertaking unconscious bias training • Scoped and planned the launch of gathering of diversity • have launched two surveys in the year which have been challenged and reviewed by the Committee 2023/24 priorities • Continue to build and develop diverse senior cyber leadership across the Group • Embed and encourage the data collection, analysis and actionable insights coming from the diversity data launch in Workday • to create insight and action planning • Shift the culture to create growth across the Group by responding to colleague needs in this post-pandemic hybrid world, and the needs of our clients by creating the right working environment to support colleague engagement Nomination Committee report The members of the Nomination Committee are Chris Batterham, The Nomination Committee’s objectives and responsibilities The Nomination Committee is responsible for reviewing the size, structure, balance, composition and progressive refreshing of the Board and its Committees and as such its duties include: • Reviewing the structure of the Board • Evaluating the balance of skills, knowledge, experience and diversity on the Board • Making recommendations for further recruitment to the Board or proposing changes to the existing structure of the Board, or individual Directors • Reviewing the leadership needs of the Company, both Executive and Non-Executive • Succession planning for Directors and other senior Executives within the business • Recruiting, appointing and exiting of Directors • Overseeing membership of, and succession to, the various Board Committees • Reviewing the time commitment required from the Non-Executive Directors on NCC Group business The Chair of the Board leads the process for the appointment of new Non-Executive Directors to the Board and for the appointment of the Chief Executive Officer. The Chief Executive Officer, in conjunction with the Chair, leads the process for the the process for a new Chair of the Board. In relation to an appointment to the Board, the Committee draws up a specification and assesses the capabilities and experience required for such a role, taking into account the Board’s existing composition, including relevant experience and understanding of our stakeholder groups. Our objective is to have a broad range of skills, backgrounds, experiences and personal attributes within the Board as this ensures the Board is best placed to serve the Company.” Chris Stone Committee Chair 110 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Diversity Committee meetings 5 5 4 5 5 5 5 5 4 4 Activities during the year During the year, the Committee: • • • • • • • • • Presentations and updates during the year • • NCC Group plc 111 Governance Presentations and updates during the year • • • • • • • • • Processes • • • • • Culture • • • • Colleague voice • • Long term • • • • Committee effectiveness • • • External search consultancies Chris Stone Chair, Nomination Committee Nomination Committee report NCC Group plc 112 2022/23 highlights • • Ongoing alignment to the NIST Cybersecurity opportunities for improvement. This is mapped to our existing ISO 27001 certification • Implementation of a “three lines of defence” model for information security, increasing oversight and independence of risk management 2023/24 priorities • Reviewing structure of data protection and governance team in light of attrition and bringing all support back in house • Greater global alignment in terms of policies and procedures, and consolidation of our ISO 27001 accreditation under a single certificate • Group-wide alignment for risk management and consistent reporting of risk to the Board • Migration of our in-house security monitoring to our new service, leveraging the latest technology • New regulatory requirements are emerging for NCC Group, such as NIS in the UK and NIS2/DORA in the EU. We are starting our compliance efforts early, and working directly with governments and regulators to ensure successful compliance ahead of introduction Cyber Security Committee report The Cyber Security Committee was formed to focus specifically on the cyber risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business, and the potential damage to the business as a high value target for malicious acts. The Committee’s activities aim to challenge and support improvements to the Group’s information security and data protection policies, defences and controls, so as to comply with global data protection regulations around the world, and ensure that the Group looks after its own information, and the information that its customers entrust to it, with the proper care and attention. The Committee was formed in November 2016 and I have been Chair since July 2022. Chris Batterham and Jennifer Duvalier (both independent welcome new experience and perspective with her strong financial and risk background and is a strong addition to the a member of the Committee. The Group’s Director of Global Governance, the Group’s Chief invitees of the Committee. The Executive Directors are invited to attend Committee meetings when the Committee considers it to be appropriate. Julie Chakraverty Committee Chair Governance 113NCC Group plc — Annual report and accounts for the year ended 31 May 2023 The Cyber Security Committee’s objectives and responsibilities • • • • • • • • • • • • Committee effectiveness Committee activities during the year • • • • • Committee meetings 4 4 2 4 4 4 4 4 3 3 Julie Chakraverty Chair, Cyber Security Committee Cyber Security Committee report NCC Group plc 114 2022/23 highlights • Continuing to embed the Remuneration Policy for • Making further grants under the Restricted Share Plan for below-Board colleagues, to further broaden colleague share ownership • colleague share ownership at all levels • 2023/24 priorities • Remuneration Policy and consult as appropriate with our major shareholders, before seeking shareholder approval at the 2024 AGM • Continue to ensure our incentive arrangements support the Group’s revised long-term growth strategy • Reviewing the all colleague and discretionary share plans that the Group wishes to offer • Continue to review when the appropriate time is to introduce ESG measures into incentive arrangements Remuneration Committee report On behalf of your Board, I am pleased to present our Directors’ The report is divided into three sections: this Annual Committee and the previously approved Directors’ Remuneration Policy. At the AGM in November 2022, 92.68% of shareholders voted in favour of the Directors’ Remuneration Report, and I would like to thank shareholders for their continuing support. Annual Statement 2022/23 was another busy year for the Remuneration Committee and we had five meetings in total. The Committee as Chair. Our Board Chair, Chris Stone, also attended all the meetings. We invited our remuneration consultants, Chief we always ensure that we have time without Executives present. Corporate Governance Code remuneration requirements for engagement with shareholders and colleagues The Committee closely monitors shareholder guidance and feedback on remuneration. Shareholder voting on AGM remuneration resolutions is reviewed annually, shareholders are consulted when changes to policy are being considered, and major shareholders have the opportunity to provide annual feedback to the Board and Remuneration Committee on NCC Group’s remuneration approach at annual engagement meetings. Jennifer Duvalier Governance 115NCC Group plc — Annual report and accounts for the year ended 31 May 2023 Corporate Governance Code remuneration requirements for engagement with shareholders and colleagues Base salaries Joining terms for CEO and leaver terms for former CEO Remuneration Committee report NCC Group plc 116 Performance related pay – annual bonus • Strategic objectives within the Assurance business: • Strategic objective for the Software Resilience business: • Sustainability and people objectives: NCC Group plc 117 Governance Non-Executive Director and Chair’s fees Details of these fees and allowances are given in the Annual Report on Remuneration on page 119 Grants of shares under a below-Board Restricted Share Plan to broaden colleague share ownership Conclusion • • • Jennifer Duvalier Chair, Remuneration Committee Remuneration Committee report NCC Group plc 118 Annual Report on Remuneration How the Remuneration Policy has been implemented in the year ended 31 May 2023 • • • 31 May 2023 163 – – – 163 – – – – 163 31 May 2023 449 1 16 – 466 39 – 500 539 1,005 31 May 2023 24 1 1 – 26 – – – – 26 31 May 2023 333 13 15 – 361 21 35 – 56 417 31 May 2023 70 – – – 70 – – – – 70 31 May 2023 78 – – – 78 – – – – 78 31 May 2023 67 – – – 67 – – – – 67 31 May 2023 46 – – – 46 – – – – 46 31 May 2023 56 – – – 56 – – – – 56 31 May 2023 1,286 15 32 – 1,333 60 35 500 595 1,928 NCC Group plc 119 Governance Additional information in respect of the single total figure of remuneration Pension and benefits Annual bonus 2022/23 annual bonus (audited) Financial targets – up to 75% of the bonus 7.5% 5.0% Bonus opportunity for FY22/23 £625,000 £415,800 Total bonus for FY22/23 £39,063 £20,790 Amount paid in cash £25,391 £13,513 Amount deferred in shares £13,672 £7,277 Remuneration Committee report NCC Group plc 120 Additional information in respect of the single total figure of remuneration Annual bonus Financial targets – up to 75% of the bonus Strategic targets – up to 25% of the bonus maximum total bonus) 31 May 2023 Weighting Outcome CEO targets 5.0% 0.0% 5.0% 0.0% 5.0% 0.0% 5.0% 5.0% 2.5% 1.25% 2.5% 1.25% CEO outcome 25.0% 7.5% CFO targets 5.0% 0.0% 5.0% 0.0% 5.0% 0.0% 5.0% 0.75% 2.5% 2.5% 2.5% 1.75% CFO outcome 25.0% 5.0% NCC Group plc 121 Governance • • • • • • Remuneration Committee report NCC Group plc 122 Special Replacement Award • • • • • • • SAYE options granted in the year Payments to past Directors Summary of maximum LTIP awards outstanding Total LTIP options held at 31 May 2023 1 436,408 473,849 NCC Group plc 123 Governance 31 May 2023 31 May 2023 31 May 2023 31 May 2023 31 May 2023 31 May 2023 31 May 2023 162,843 – – – – – 162,843 – 436,408 14,269 – – 222,222 672,899 – – – – – – – 147,197 440,956 14,269 66,921 28,764 – 698,107 55,000 – – – – – 55,000 20,249 – – – – – 20,249 19,115 – – – – – 19,115 50,000 – – – – – 50,000 25,000 – – – – 25,000 • • • • • • • • Shareholding requirements Remuneration Committee report NCC Group plc 124 Shareholding as at 31 May 2023 0% 72% Appointment terms for new Directors • • • • • Annual bonus Deferred annual bonus awards • • Post-employment shareholding requirements Other NCC Group plc 125 Governance Relative importance of the spend on pay 31 May 2023 £m 236.9 14.5 Percentage increase in the remuneration of the Directors 2022/23 2022/23 2022/23 3% — — — — — — — — — — — — — — — — — 8% — — — — — — — — — 225% — — — — — — 2% — — — — — — — — — — — — — — — 2% — — — — — — 7.9% — — — Chief Executive pay compared to pay of UK colleagues Total pay ratio Remuneration Committee report NCC Group plc 126 Chief Executive pay compared to pay of UK colleagues CEO pay ratio Performance graph and table 400 350 300 250 200 150 100 50 0 2014 20152013 2016 2017 Year ended 31 May 2018 2019 2020 2021 2022 2023 £100 £164 £198 £273 £166 £208 £169 £166 £232 £315 £101 NCC Group plc NCC Group plc 127 Governance Performance graph and table Membership and attendance 5 5 4 5 5 5 4 4 Adviser to the Committee Remuneration Committee report NCC Group plc 128 Service contracts and letters of appointment Executive Non-Executive Dilution How will the Remuneration Policy be implemented in the year ending 31 May 2024? Executive Directors’ base salaries Base salary at 31 May 2023 £000 Base salary at 1 June 1 £000 % change 500 500 0% 333 333 0% n/a 1 n/a Pension Non-Executive Directors’ fees FY23/24 £154,500 £51,500 £10,000 £11,000 £11,000 £8,000 £11,000 NCC Group plc 129 Governance Annual bonus Metric Weight Statement of shareholder voting Jennifer Duvalier Chair, Remuneration Committee Remuneration Committee report NCC Group plc 130 Overall approach to remuneration • • • • Area of provision 40 of the 2018 UK Corporate Governance Code How fulfilled Clarity Simplicity Risk Predictability Proportionality Alignment to culture NCC Group plc 131 Governance Current Policy table for Executive Directors Purpose and link to short and long-term strategic objectives Operation (including framework to assess performance) Maximum opportunity Changes since last Directors’ Remuneration Policy Salary Benefits Pension Annual bonus Remuneration Committee report NCC Group plc 132 Purpose and link to short and long-term strategic objectives Operation (including framework to assess performance) Maximum opportunity Changes since last Directors’ Remuneration Policy Long Term Incentive Plan Executive Director shareholding requirement Choice of performance measures and target setting Current Policy table for Executive Directors NCC Group plc 133 Governance Differences in Remuneration Policy for colleagues and Executive Directors • • • Non-Executive Director Policy table Purpose and link to short and long-term strategic objectives Operation (including framework to assess performance) Maximum opportunity Changes since last Directors’ Remuneration Policy Fees Remuneration Committee report NCC Group plc 134 Approach to recruitment Pay element Approach Areas of flexibility Salary Benefits and pension Pay element Approach Areas of flexibility Incentive opportunity “Buyout” awards Transitional arrangements for internal appointments to the Board Approach to service contracts and letters of appointment Policy on payment for loss of office NCC Group plc 135 Governance Policy on payment for loss of office Pay element Approach Areas of flexibility Annual bonus • • • Long Term Incentive Plan All-colleague share schemes Illustration of remuneration scenarios Chief Executive Officer 3,000 2,500 2,000 1,500 1,000 500 0 100% 100% 54% 62% 32% 29% 14% 26% 36% 22% 30% 31% 32% 25% 28% 43% 32% 53% 42% Minimum MinimumTarget TargetMaximum MaximumMaximum + 50% share price growth Maximum + 50% share price growth £524 £324 £967 £519 9% £2,024 £924 £1,074 Annual bonus £000 £2,461 Remuneration Committee report NCC Group plc 136 Illustration of remuneration scenarios • Minimum. • Target. • Maximum. • Effect of a 50% increase in share price. Statement of consideration of employment conditions elsewhere in the Group How shareholder views are taken into account Key areas of discretion in the Remuneration Policy • • • • • • • • • • Legacy arrangements External directorships for Executive Directors NCC Group plc 137 Governance Principal activities Going concern Directors’ report NCC Group plc 138 Going concern Results and dividends Post-balance sheet events Share capital and control Authority to purchase own shares Directors NCC Group plc 139 Governance Directors’ and Officers’ insurance and indemnities Colleagues Business relationships with suppliers, customers and others Equal opportunities Disabled persons Political donations Sustainability Report Overseas branches Research and development Change of control Disclosure of information to the auditor Reappointment of auditor Directors’ report NCC Group plc 140 Annual General Meeting Capitalised interest Reporting requirements Mike Maddison Guy Ellis NCC Group plc 141 Governance Directors’ responsibilities statement Statement of Directors’ responsibilities in respect of the Annual Report and the Financial Statements • • • • • Responsibility statement of the Directors in respect of the Annual Report • • Mike Maddison Guy Ellis NCC Group plc 142 In this section 144 Independent auditor’s report 152 Consolidated income statement 152 Consolidated statement of comprehensive income/(loss) 153 Consolidated balance sheet 154 Consolidated cash flow statement 156 Consolidated statement of changes in equity 157 Company balance sheet 158 Company cash flow statement 159 Company statement of changes in equity 160 Notes to the Financial Statements Additional information 215 Glossary of terms – other terms 217 Other information 218 Financial calendar Financial statements NCC Group plc 143 Financial statements Independent auditor’s report 1 Our opinion is unmodified • • • • Basis for opinion Materiality Coverage Key audit matters vs 2022 Recurring risks NCC Group plc 144 2 Key audit matters: our assessment of risks of material misstatement The risk Our response Recoverability of carrying amounts of the North America Cyber Security and Europe Cyber Security cash generating units (‘CGUs’) Subjective estimate • Historical comparison: • Benchmarking assumptions: • Our sector experience: • Our valuation expertise: • Assessment of experts: • Valuation comparison: • Sensitivity analysis: • Assessing transparency: Our results Financial statements NCC Group plc 145 Independent auditor’s report The risk Our response Revenue recognition 2023/2024 sales Tests of detail: • • • Assessing Transparency: Our results Recoverability of Parent Company’s investments in subsidiaries Low risk, high value • Tests of detail: • Comparing valuations: • Comparing valuations: Our results 2 Key audit matters: our assessment of risks of material misstatement NCC Group plc 146 Group materiality Normalised Group profit before tax £1.0m £0.65m £0.7m £0.05m Total profits and losses that made up Group loss before tax Group revenue 94% 86 88 Group total assets 85% 79 96% 96 95 78 0 1 4 5 6 7 3 Our application of materiality and an overview of the scope of our audit Financial statements NCC Group plc 147 Independent auditor’s report 3 Our application of materiality and an overview of the scope of our audit 4 The impact of climate change on our audit 5 Going concern • • • • NCC Group plc 148 5 Going concern • • • • • • • • 6 Fraud and breaches of laws and regulations – ability to detect • • • • • • Financial statements NCC Group plc 149 Independent auditor’s report 6 Fraud and breaches of laws and regulations – ability to detect Identifying and responding to risks of material misstatement related to compliance with laws and regulations Context of the ability of the audit to detect fraud or breaches of law or regulation 7 We have nothing to report on the other information in the Annual Report Strategic report and directors’ report • • • Directors’ remuneration report Disclosures of emerging and principal risks and longer-term viability • • • NCC Group plc 150 7 We have nothing to report on the other information in the Annual Report Disclosures of emerging and principal risks and longer-term viability Corporate governance disclosures • • • 8 We have nothing to report on the other matters on which we are required to report by exception • • • • 9 Respective responsibilities Directors’ responsibilities Auditor’s responsibilities 10 The purpose of our audit work and to whom we owe our responsibilities for and on behalf of KPMG LLP, Statutory Auditor Chartered Accountants 1 St. Peter’s Square Manchester M2 3AE United Kingdom Financial statements NCC Group plc 151 Consolidated income statement for the year ended 31 May 2023 Notes 2023 £m 2022 £m Revenue 4 335. 1 314 .8 Cost of sales 4 (2 0 3 .1) (182 .2) Gross profit 4 132. 0 132. 6 Administrative expenses Individually Significant Items 5 (14. 7) (0.9) Depreciation and amortisation 6 (22.6) (19 .7) Credit gains/(losses) recognised on financial assets 6 1.5 (0.6) (Impairment)/reversal of impairment of non-current assets 6 (1 .1) 0 .1 Other administrative expenses (93. 2) (76.8) Total administrative expenses (13 0 .1) (97 .9) Operating profit 4 1.9 34.7 Finance costs 8 (6. 2) (3 . 7) (Loss)/profit before taxation 6 (4. 3) 31.0 Taxation 9 (0.3) (8.0) (Loss)/profit for the year attributable to owners of the Company (4. 6) 23. 0 Earnings per ordinary share 11 Basic EPS (1.5)p 7. 4p Diluted EPS (1.5)p 7. 4p Consolidated statement of comprehensive (loss)/income for the year ended 31 May 2023 2023 £m 2022 £m (Loss)/profit for the year attributable to the owners of the Company (4. 6) 23. 0 Other comprehensive income/(loss) Items that may be reclassified subsequently to profit or loss (net of tax) Cash flow hedges – effective portion of changes in fair value — (0 .1) Foreign exchange translation differences 2.4 14. 8 Total other comprehensive income 2.4 14. 7 Total comprehensive (loss)/income for the year (net of tax) attributable to the owners of the Company (2. 2) 3 7 . 7 The accompanying Notes 1 to 37 are an integral part of these consolidated Financial Statements. NCC Group plc — Annual report and accounts for the year ended 31 May 2023152 Consolidated balance sheet at 31 May 2023 Notes 31 May 2023 £m 31 May 2022 £m Non-current assets Goodwill 12 255.8 26 6 .1 Intangible assets 12 110.9 11 8. 6 Property, plant and equipment 13 12 .5 12. 9 Right-of-use assets 14 18.6 22.0 Investments 15 0.3 0.3 Deferred tax asset 18 2.9 1.4 Total non-current assets 40 1.0 42 1. 3 Current assets Inventories 16 0.8 0.9 Trade and other receivables 17 58. 1 7 7. 7 Contingent consideration receivable 34 3.8 — Derivative financial instruments 25 — 0.2 Current tax receivable 3.6 3 .1 Cash and cash equivalents 24 3 4 .1 73.2 Total current assets 100. 4 1 5 5 .1 Total assets 5 01.4 57 6.4 Current liabilities Trade and other payables 19 44.7 48.3 Bank overdraft 24 1.8 — Borrowings 24 — 18.5 Lease liabilities 20 6.0 5.4 Current tax payable 4 .2 7. 4 Derivative financial instruments 25 0.6 — Contingent consideration payable 35 1.0 1. 9 Provisions 21 1.2 2.7 Contract liabilities – deferred revenue 22 51.6 61.7 Total current liabilities 111.1 145 .9 Non-current liabilities Borrowings 24 81.9 1 0 7. 1 Lease liabilities 20 24.0 2 7. 2 Deferred tax liabilities 18 1.4 1.6 Provisions 21 1.5 0. 8 Contract liabilities – deferred revenue 22 3.3 0.6 Total non-current liabilities 1 1 2 .1 1 3 7. 3 Total liabilities 223. 2 28 3. 2 Net assets 278.2 293.2 Equity Share capital 27 3 .1 3 .1 Share premium 27 2 2 4 .1 224 . 0 Merger reserve 27 42 .3 42. 3 Currency translation reserve 27 3 7. 5 3 5 .1 Retained earnings 27 (28.8) (11 .3) Total equity attributable to equity holders of the Parent 278.2 293.2 The accompanying Notes 1 to 37 are an integral part of these consolidated Financial Statements. These Financial Statements were approved and authorised for issue by the Board of Directors on 28 September 2023. They were signed on its behalf by: Mike Maddison Guy Ellis Chief Executive Officer Chief Financial Officer 28 September 2023 28 September 2023 Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 153 Consolidated cash flow statement for the year ended 31 May 2023 Notes 2023 £m 2022 £m Cash flows from operating activities (Loss)/profit for the year (4. 6) 23. 0 Adjustments for: D epreciation of property, plant and equipment 13 4.5 3.9 Depreciation of right-of-use assets 14 5.7 5.4 S hare-based payments 26 2 .2 3.9 Cash settled share-based payments — (0 .5) A mortisation of customer contracts and relationships 12 10.0 8.6 Amortisation of software and development costs 12 2 .4 1. 8 I mpairment of goodwill 12 12 .8 — Impairment of software costs 12 0.6 — I mpairment/(reversal of impairment) of right-of-use-assets 14 0.5 (0 .1) Lease financing costs 8 1 .1 1.2 O ther financing costs 8 5 .1 2.5 Foreign exchange loss/(gain) 6 0.6 (0.6) A cquisition of business – transaction costs 5 — (7. 3) Disposal of business – transaction costs 34 (0 .1) — I SIs (non-cash impact) 5 3. 5 — Profit on disposal of right-of-use assets 6 (0.7) — P rofit on disposal of business (DDI) 34 (4 . 7) — Research and development UK tax credits (0. 5) (1.0) R esearch and development US tax credits (1. 4) (1 .1) Income tax expense 1.7 9 .1 (D ecrease)/increase in provisions 21 (0.8) 0.5 Cash inflow for the year before changes in working capital 3 7. 9 49.3 Decrease/(increase) in trade and other receivables 19.7 (1. 8) Decrease in inventories 0 .1 0. 2 (Decrease)/increase in trade and other payables (1 5 .1) 12.6 Cash generated from operating activities before interest and taxation 42 .6 60.3 Interest element of lease payments 20 (1 .1) (1. 2) Other interest paid (4. 0) (2 .1) Taxation paid (5.4) (2. 2) Net cash generated from operating activities 3 2 .1 54.8 Cash flows from investing activities Acquisition of trade and assets as part of business combinations 35 (1. 0) (153 .0) Purchase of property, plant and equipment (3 .9) (5 .2) Software and development expenditure (3. 4) (3. 0) Sale proceeds of business disposal (DDI) 2.0 — Net cash used in investing activities (6. 3) (16 1. 2) Cash flows from financing activities Proceeds from the issue of ordinary share capital 27 0.1 0.8 Purchase of own shares (0. 5) — Principal element of lease payments 20 (6 .1) (5 .3) Drawdown of borrowings (net of deferred issue costs) 70.8 120.7 Issue costs related to borrowings (1 .5) (0.6) Repayment of borrowings (115. 6) (3 9. 4) Equity dividends paid 10 (14. 5) (14 .4) Net cash (used in)/generated from financing activities (6 7. 3) 61.8 Net decrease in cash and cash equivalents (41 .5) (44 .6) Cash and cash equivalents at beginning of period 73 .2 116 .5 Effect of foreign currency exchange rate changes 0.6 1.3 Cash and cash equivalents at end of year 24 32. 3 73 .2 NCC Group plc — Annual report and accounts for the year ended 31 May 2023154 Consolidated cash flow statement continued for the year ended 31 May 2023 Reconciliation of net change in cash and cash equivalents to movement in net debt 1 Notes 2023 £m 2022 £m Net decrease in cash and cash equivalents (41 .5) (4 4 .6) Change in net debt 1 resulting from cash flows (net of deferred issue costs) 44.8 (8 1. 3) Interest incurred on borrowings 4.0 2.1 Interest paid on borrowings (4. 0) (2 .1) Release of deferred issue costs (1. 0) (0. 4) Issue costs related to borrowings (non-cash) 1.7 0.6 Effect of foreign currency on cash flows 0.6 1.3 Foreign currency translation differences on borrowings (1. 8) (11. 3) Change in net cash/(debt) 1 during the year 2.8 (135. 7) Net (debt)/cash at start of year excluding lease liabilities 1 (52 . 4) 83.3 Net debt at end of year excluding lease liabilities 1 (4 9.6) (52. 4) Lease liabilities 20 (30.0) (32 . 6) Net debt 1 at end of year (79.6) (85 .0) The accompanying Notes 1 to 37 are an integral part of these consolidated Financial Statements. 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 155 Consolidated statement of changes in equity for the year ended 31 May 2023 Notes Share capital £m Share premium £m Hedging reserve £m Merger reserve £m Currency translation reserve £m Retained earnings £m Total £m Balance at 1 June 2021 3 .1 223 .2 (0. 8) 42. 3 20.3 (21.9) 266 .2 Profit for the year — — — — — 23.0 23 .0 Other comprehensive expense for the year — — (0 .1) — — — (0 .1) Foreign currency translation differences — — — — 14 .8 — 14. 8 Total comprehensive (expense)/income for the year — — (0 .1) — 14 . 8 23.0 3 7. 7 Transactions with owners recorded directly in equity Dividends to equity shareholders 10 — — — — — (14 .4) (14. 4) Transfer hedging reserve to retained earnings — — 0.9 — — (0.9) — Share-based payments 26 — — — — — 3.2 3.2 Tax on share-based payments 9 — — — — — (0.3) (0. 3) Shares issued 27 — 0.8 — — — — 0. 8 Total contributions by and distributions to owners — 0.8 0.9 — — (12 .4) (10.7) Balance at 31 May 2022 3. 1 224.0 — 42.3 35.1 (11. 3) 293.2 Loss for the year — — — — — (4 . 6) (4.6) Foreign currency translation differences — — — — 2 .4 — 2.4 Total comprehensive income/(loss) for the year — — — — 2.4 (4 .6) (2. 2) Transactions with owners recorded directly in equity Dividends to equity shareholders 10 — — — — — (14 .5) (14 .5) Share-based payments 26 — — — — — 2.2 2.2 Tax on share-based payments 9 — — — — — (0 .1) (0 .1) Purchase of own shares — — — — — (0.5) (0.5) Shares issued 27 — 0 .1 — — — — 0 .1 Total contributions by and distributions to owners — 0 .1 — — — (12 .9) (12 . 8) Balance at 31 May 2023 3 .1 2 2 4 .1 — 42.3 3 7. 5 (28.8) 278. 2 The accompanying Notes 1 to 37 are an integral part of these consolidated Financial Statements. NCC Group plc — Annual report and accounts for the year ended 31 May 2023156 Company balance sheet at 31 May 2023 Company no: 4627044 Notes 2023 £m 2022 £m Non-current assets Investments in subsidiary undertakings 33 279.1 276.9 Trade and other receivables 17 23.2 32.9 Total non-current assets 302.3 309.8 Current assets Cash and cash equivalents 24 15.0 20.2 Total current assets 15.0 20.2 Total assets 317.3 330.0 Current liabilities Trade and other payables 19 0.2 18.2 Total current liabilities 0.2 18.2 Total liabilities 0.2 18.2 Net assets 317.1 311.8 Equity Share capital 27 3.1 3.1 Share premium 27 224.1 224.0 Merger reserve 27 42.3 42.3 Retained earnings 27 47.6 42.4 Total equity 317.1 311.8 The accompanying Notes 1 to 37 are an integral part of these Financial Statements. These Financial Statements were approved and authorised for issue by the Board of Directors on 28 September 2023. They were signed on its behalf by: Mike Maddison Guy Ellis Chief Executive Officer Chief Financial Officer 28 September 2023 28 September 2023 Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 157 Company cash flow statement for the year ended 31 May 2023 Notes 2023 £m 2022 £m Cash flows from operating activities Profit for the year 28 17.5 20.0 Cash inflow for the year before changes in working capital 17.5 20.0 Decrease in trade and other receivables 9.7 8.5 (Decrease)/increase in trade and other payables (18.0) 4.7 Net cash generated from operating activities 9.2 33.2 Cash flows from financing activities Proceeds from the issue of ordinary share capital 27 0.1 0.8 Equity dividends paid 10 (14.5) (14.4) Net cash used in financing activities (14.4) (13.6) Net (decrease)/increase in cash and cash equivalents (5.2) 19.6 Cash and cash equivalents at beginning of year 20.2 0.6 Cash and cash equivalents at end of year 15.0 20.2 The accompanying Notes 1 to 37 are an integral part of these Financial Statements. NCC Group plc — Annual report and accounts for the year ended 31 May 2023158 Company statement of changes in equity for the year ended 31 May 2023 Notes Share capital £m Share premium £m Merger reserve £m Retained earnings £m Total £m Balance at 31 May 2021 and 1 June 2021 3.1 223.2 42.3 32.9 301.5 Profit for the year — — — 20.0 20.0 Total comprehensive income for the year — — — 20.0 20.0 Transactions with owners recorded directly in equity Dividends to equity shareholders 10 — — — (14.4) (14.4) Increase in subsidiary investment for share-based charges — — — 3.9 3.9 Shares issued 27 — 0.8 — — 0.8 Total contributions by and distributions to owners — 0.8 — (10.5) (9.7) Balance at 31 May 2022 3.1 224.0 42.3 42.4 311.8 Profit for the year — — — 17.5 17.5 Total comprehensive income for the year — — — 17.5 17.5 Transactions with owners recorded directly in equity Dividends to equity shareholders 10 — — — (14.5) (14.5) Increase in subsidiary investment for share-based charges — — — 2.2 2.2 Shares issued 27 — 0.1 — — 0.1 Total contributions by and distributions to owners — 0.1 — (12.3) (12.2) Balance at 31 May 2023 3.1 224.1 42.3 47.6 317.1 The accompanying Notes 1 to 37 are an integral part of these Financial Statements. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 159 Notes to the Financial Statements for the year ended 31 May 2023 1 Accounting policies Basis of preparation NCC Group plc (the “Company”) is a public company incorporated in the UK, with its registered office at XYZ Building, 2 Hardman Boulevard, Manchester M3 3AQ. The Group Financial Statements consolidate those of the Company and its subsidiaries (together referred to as the “Group”). The principal activity of the Group is the provision of independent advice and services to customers through the supply of Cyber Security 2 and Software Resilience services. The Parent Company Financial Statements present information about the Company as a separate entity and not about the Group. These Financial Statements have been approved for issue by the Board of Directors on 28 September 2023. These Group and Parent Company Financial Statements have been prepared and approved by the Directors in accordance with UK-adopted International Accounting Standards (“UK-adopted IFRS”). On publishing the Parent Company Financial Statements here together with the Group Financial Statements, the Company is also taking advantage of the exemption in s408 of the Companies Act 2006 not to present its individual Income Statement and related notes that form a part of these approved Financial Statements. The Financial Statements ended 31 May 2023 now refer to the Cyber Security 2 division as the Group’s former Assurance division. Climate change The Directors have reviewed the potential impact of climate change and the Task Force on Climate-related Financial Disclosures (TCFD) on the consolidated Financial Statements. During the year, the Group has carried out a materiality assessment to identify what social, environmental and governance issues are most material and significant to the NCC Group business and stakeholders to aid our commitment to achieving net zero by 2050. Our original baseline assessment was impacted by the pandemic and a different business strategy and therefore we have re-based this assessment. Our overall exposure to physical and transitional climate change is considered low in the short to medium term due to the nature of the business and cyber resilience industry. The Group continues to evolve its sustainability agenda with further details on our short, medium, medium to long and long-term goals contained within the non-financial and sustainability information statement on pages 46 to 52 of the Annual Report. The Directors have considered climate change in the following areas of the consolidated Financial Statements, noting no material financial impact in each area: • Critical accounting judgements and key sources of estimation uncertainty • Going concern assessment • Property, plant and equipment – economic life and residual values • Impairment of assets – the impact of environmental change on growth rates and projected cash flows • Inventories – realisable value issues • Provisions – recognition of new liabilities or contingent liabilities arising from climate change and Group physical and transition risks of: • Greenhouse gas emissions – increased costs associated with more taxes and levies • Move to net zero – increased costs required to lower emissions • Margin risk – impact on delivery day rates and associated erosion of profit margin due to increased costs • Reputational risk – failure to comply with regulations resulting in negative impact on Group • Supply chain – increased supply costs and delayed deliveries impacting customer contracts/provision of services • Extreme weather or rising sea levels – reduction in revenue and increased costs • Fair value measurement – climate change variables being incorporated into market participant valuations • Financial instruments – expected credit losses and risk of default on Group borrowings (RCF and term loan) • IFRS 16 ‘Leases’ – changes to property lease portfolio or car lease agreements. During the financial year the Group has moved FY23 from a company car scheme to a salary sacrifice scheme (leased directly by the colleague); this will result over time a reduction in the motor vehicle right-of-use-asset and corresponding lease liabilities, as the contract lease terms ends. New and amended accounting standards that have been issued and are effective from 1 January 2023 At the date of authorisation of these Financial Statements, the following new accounting pronouncements have been issued and are effective from 1 January 2023: • IFRS 17 ‘Insurance Contracts’ – effective on 1 January 2023 and replaces IFRS 4 ‘Insurance Contracts’ • Amendments to IAS 1 ‘Classification of Liabilities as Current or Non-current’ issued in January 2020 and effective from 1 January 2023. An exposure draft was issued in November 2021 proposing for this effective date to be delayed to periods starting no earlier than 1 January 2024 • Amendments to IAS 1 and IFRS Practice Statement 2 ‘Disclosure of Accounting Policies’ issued in February 2021 and effective from 1 January 2023 • Amendments to IAS 8 ‘Definition of Accounting Estimates’ issued in February 2021 and effective from 1 January 2023 • Amendments to IAS 12 ‘Deferred Tax Related to Assets and Liabilities arising from a Single Transaction’ issued in May 2021 and effective from 1 January 2023 • Amendments to IAS 7 and IFRS 7 ‘Supplier Finance Arrangements’ issued in July 2023 and effective from 1 January 2024 • Amendments to IFRS 16 ‘Lease Liability in a Sale and Leaseback’ issued in July 2023 and effective from 1 January 2024 These IFRSs are not expected to have a material impact on the Group’s consolidated financial position or the performance of the Group. These IFRSs are not expected to have a material impact on the Company’s financial position or the performance of the Company. 2 Formerly Assurance. NCC Group plc — Annual report and accounts for the year ended 31 May 2023160 1 Accounting policies continued The UK Endorsement Board has issued the following new accounting pronouncements to be effective from 1 January 2022 and applicable from 31 March 2023: • Reference to the Conceptual Framework (Amendments to IFRS 3) • Property, Plant and Equipment – Proceeds Before Intended Use (Amendments to IAS 16) • Onerous Contracts – Cost of Fulfilling a Contract (Amendments to IAS 37) • Annual improvements make minor amendments to IFRS 1 ‘First-time Adoption of IFRS’, IFRS 9 ‘Financial Instruments’, IAS 41 ‘Agriculture’ and IFRS 16 ‘Leases’ The adoption of these pronouncements has had no significant impact on the Group consolidated Financial Statements. Other new accounting pronouncements In addition to the above, the following new accounting pronouncements have also been issued which are not yet effective but the Group is not expecting them to have a significant impact on the Group’s consolidated Financial Statements: • Amendments to IAS 1 ‘Non-current Liabilities with Covenants’ issued in October 2022 and effective from 1 January 2024 • Amendments to IAS 10 and IAS 28 ‘Sale or Contribution of Assets between an Investor and its Associate or Joint Venture’ issued in September 2014 and postponed indefinitely • Amendments to IFRS 16 ‘Lease Liability in a Sale and Leaseback’ issued in September 2022 and effective from 1 January 2024 Basis of measurement The consolidated Financial Statements have been prepared on the historical cost basis except for the revaluation of certain financial instruments and investments. In addition, at the date of the acquisitions consideration payable is at fair value. Functional and presentation currency The Group and Company Financial Statements are presented in millions of Pounds Sterling (£m) because that is the currency of the principal economic environment in which the Group operates. Going concern The Directors have acknowledged guidance published in relation to going concern assessments. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections. The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons. The Directors have prepared cash flow and covenant compliance forecasts for the 12 month period ending 30 September 2024 which indicate that, taking account of severe but plausible downsides on the operations of the Group and its financial resources, the Group and Company will have sufficient funds to meet their liabilities as they fall due for that period. The going concern period is required to cover a period of at least 12 months from the date of approval of the Financial Statements and the Directors still consider this 12 month period to be an appropriate assessment period due to the Group’s financial position and trading performance and that its borrowing facilities do not expire until December 2026. The Directors have considered whether there are any significant events beyond the 12 month period which would suggest this period should be longer but have not identified any such conditions or events. The Group is financed primarily by a £162.5m multi-currency revolving credit facility maturing in December 2026. Under these banking arrangements, the Group can also request (seeking bank approval) an additional accordion facility to increase the total size of the revolving credit facility by up to £75m. This accordion facility has not been considered in the Group’s going concern assessment as it requires bank approval and is therefore uncommitted as at the date of approval of these consolidated financial statements. As of 31 May 2023, net debt (excluding lease liabilities) 1 amounted to £49.6m which comprised cash of £34.1m, a bank overdraft of £1.8m, a drawn revolving credit facility of £83.4m had been drawn under these facilities, leaving £79.1m (2022: £28.7m) of undrawn facilities, excluding the uncommitted accordion facility of £75.0m. Unamortised arrangement fees of £1.5m have been offset against the amounts drawn down, resulting in a carrying value of borrowings at 31 May 2023 of £81.9m. The Group’s day-to-day working capital requirements are met through existing cash resources, the revolving credit facility and receipts from its continuing business activities. The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA 1 ) and interest cover (Adjusted EBITDA 1 to interest charge) that are tested bi-annually on 31 May and 30 November each year. As of 31 May 2023, leverage 1 amounted to 1.4x and net interest cover 1 amounted to 6.8 compared to a maximum of 3.0x and a minimum of 3.5x respectively. The terms and ratios are specifically defined in the Group’s banking documents (in line with normal commercial practice) and are materially similar to amounts noted in the these financial statements with the exceptions being net debt excludes IFRS 16 lease liabilities and Adjusted EBITDA 1 . The Group was in compliance with the terms of all its facilities during the year, including the financial covenants on 31 May 2023, and based on forecasts, expects to remain in compliance over the going concern period. In addition, the Group has not sought or is not planning to seek any waivers to its existing facilities. It’s been a challenging year for the Group with a decline in the rate of revenue growth and overall profitability resulting in a loss before taxation of £4.3m. The Group’s revenue performance and profitability suffered from the market dynamics within Cyber Security 2 . In particular, the Group experienced buying decision delays and cancellations in the North American tech sector and our UK market. These headwinds have further reinforced the need to accelerate the implementation of our next chapter of the Group strategy following its communication in February 2023. This strategy requires a level of additional investment in 2024. Despite the above, the Group has maintained consistent cash generation during the year. 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. 2 Formerly Assurance. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 161 1 Accounting policies continued Going concern continued Following the year end, the Group has engaged in additional generating cost efficiencies across Cyber Security 2 and corporate functions which is resulting in the implementation of a fundamental reorganisation generating further savings compared to the prior year. As a result of all of the above, the base case going concern assessment has been prepared on the basis that market volatility within Cyber Security 2 partially continues with overall profitability remaining similar to 2023. With this context, the Directors have prepared a number of severe but plausible scenarios to the base cash going concern assessment as follows: a) No recovery from FY23 Q4 Cyber Security 2 trading performance – £6.4m reduction profit before tax b) Loss of key customers – £4.2m reduction in profit before tax c) Shortfall in forecast cost savings – annualised £3.2m reduction in profit before tax d) Further inflationary pressures continue, worse and more prolonged than expected (wages, energy and interest) – £5.6m reduction in profit before tax e) Combination of Scenario a and d – £10.8m reduction in profit before tax These scenarios have been modelled individually in order to assess the Group’s ability to withstand specific challenges. The Directors do not believe it is plausible for all of the above downside scenarios to occur concurrently; however, they have modelled scenarios combining risks (a and d). The impact of these severe but plausible scenarios has been reviewed against the Group’s projected cash flow position, available committed bank facilities and compliance with financial covenants. These forecasts, including the severe but plausible downsides, show that the Group is able to operate within its available committed banking facilities, with no forecasted covenant breaches or requirement for facility waivers, and that the Group will have sufficient funds to meet its liabilities as they fall due for that period. From a Company perspective, the Company places reliance on other Group trading entities for financial support. The Company controls these Group entities and therefore has the ability to direct the financial activities of the Group. Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial Statements, which is determined as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the period ended 31 May 2023. There are no post-Balance Sheet events which the Directors believe will negatively impact the going concern assessment. 1 See Note 3 for an explanation of Alternative Performance Measures (APMs) and adjusting items, including a reconciliation to statutory information. Business combinations Business combinations are accounted for by applying the acquisition method at the acquisition date, which is the date on which control is transferred to the Group. The Group controls an entity when the Group is exposed to, or has rights to, variable returns from its involvement with the entity and has the ability to affect those returns through its power over the entity. Acquisitions and disposals The Group measures goodwill at the acquisition date as: • The fair value of the consideration transferred; plus • The recognised amount of any non-controlling interests in the acquiree; plus • If the business combination is achieved in stages, the fair value of the existing equity interest in the acquiree; less • The fair value of the identifiable assets acquired, and liabilities assumed. When the excess is negative, a bargain purchase gain is recognised immediately in profit or loss. The consideration transferred does not include amounts related to the settlement of pre-existing relationships. Such amounts generally are recognised in the Income Statement. Costs related to the acquisition, other than those associated with the issue of debt or equity securities, are expensed as incurred. Any deferred or contingent consideration payable is recognised at fair value at the acquisition date. If the contingent consideration is classified as equity, it is not remeasured, and settlement is accounted for within equity. Otherwise, subsequent changes to the fair value of contingent consideration are recognised in the Income Statement. On a transaction-by-transaction basis, the Group elects to measure non-controlling interests either at their fair value or at their proportionate interest in the recognised amount of the identifiable net assets of the acquiree at the acquisition date. The results of subsidiaries acquired or disposed of during the year are included in the Consolidated Income Statement from the effective date of acquisition or up to the effective date of disposal, as appropriate. In addition, comparatives are also restated to reclassify disposed businesses or those that meet the criteria of IFRS 5 ‘Non-current Assets Held for Sale and Discontinued Operations’, as a discontinued operation. 2 Formerly Assurance. NCC Group plc — Annual report and accounts for the year ended 31 May 2023162 Notes to the Financial Statements continued at 31 May 2023 1 Accounting policies continued Subsidiaries Subsidiaries are entities controlled by the Group. The Financial Statements of subsidiaries are included in the consolidated Financial Statements from the date that control commences until the date that control ceases. Control is achieved where the Company has the power to govern the financial and operating policies of an investee entity so as to obtain benefits from its activities. Intercompany transactions and balances between subsidiaries are eliminated on consolidation. Intangible assets and goodwill Goodwill represents amounts arising on acquisition of subsidiaries. In respect of business acquisitions that have occurred since 1 June 2004, goodwill represents the difference between the cost of the acquisition and the fair value of the net identifiable assets acquired including identifiable intangible assets. Identifiable intangibles are those which can be sold separately, or which arise from legal rights regardless of whether those rights are separable. In respect of acquisitions prior to 1 June 2004, goodwill is included at its deemed cost, which represents the amount recorded under UK GAAP at 31 May 2004, which was broadly comparable, save that only separable intangibles were recognised and goodwill was amortised. Goodwill is stated at cost less any accumulated impairment losses. Goodwill is allocated to cash generating units and is not amortised but is tested annually for impairment. In respect of equity accounted investees, the carrying amount of goodwill is included in the carrying amount of the investment in the investee. Research and development Expenditure on research activities is recognised in the Income Statement as an expense as incurred. Expenditure on development activities is capitalised as “development costs” if the product or process is technically and commercially feasible, if the Group has the technical ability and sufficient resources to complete development, if future economic benefits are probable and if the Group can measure reliably the expenditure attributable to the intangible asset during its development. Development activities involve a plan or design for the production of new or substantially improved products or processes. Software costs The Group capitalises “software costs” in accordance with the criteria of IAS 38. Software costs comprise third party costs and internal colleague time costs for internal system developments. Capitalised amounts are initially measured at cost and amortised on a straight-line basis over the period for which the developed system is expected to be in use as a business platform. Software costs incurred as part of a service agreement are only capitalised when it can be evidenced that the Group has control over the resources defined in the arrangement. The expenditure capitalised includes the cost of materials, direct labour, overhead costs that are directly attributable to preparing the asset for its intended use and capitalised borrowing costs. Other development expenditure is recognised in the Income Statement as an expense as incurred. Software costs are stated at cost less accumulated amortisation and less accumulated impairment losses. When the Group incurs customisation and configuration costs, as part of a service agreement for Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS), judgement is applied in assessing whether the Group has control over the resources defined in the arrangement. These costs are treated in accordance with the March 2019 IFRIC update with regard to the Customer’s Right to Receive Access to the Supplier’s Software Hosted on the Cloud (IAS 38 ‘Intangible Assets’) and the IFRIC interpretation ratified by the Interpretations Committee in April 2021 with regard to Configuration or Customisation Costs in a Cloud Computing Arrangement, as follows: • In specific circumstances, development costs incurred may give rise to an identifiable asset, for example where code/intellectual property hosted on third party cloud infrastructure is controlled by the Group and the cost of moving the asset to another provider or bringing on-premise is not prohibitive. • Amounts paid to the cloud vendor or third party for configuration and customisation that are not distinct from access to the cloud software are expensed over the contract term. • In all other instances, configuration and customisation costs will be expensed as the customisation and configuration services are received, for example a cloud provider’s monthly subscription. Intangible assets Expenditure on internally generated goodwill is recognised in the Income Statement as an expense as incurred. Intangible assets that are acquired by the Group are stated at cost less accumulated amortisation and less accumulated impairment losses. Amortisation Amortisation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of intangible assets unless such lives are indefinite. Intangible assets with an indefinite useful life and goodwill are systematically tested for impairment at each Balance Sheet date. Intangible assets are amortised from the date they are available for use. The estimated useful lives are as follows: Acquired customer contracts and relationships – between three and twenty years Software – between three and five years Capitalised development costs – between three and five years Financial instruments Financial assets and financial liabilities, in respect of financial instruments, are recognised in the Group and Parent Balance Sheet when the Group or Company becomes a party to the contractual provisions of the instrument. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 163 1 Accounting policies continued Classification and measurement of financial assets and liabilities Classification of financial assets is generally based on the business model in which the financial asset is managed and its contractual cash flow characteristics. A financial asset is measured at amortised cost if it is held with the objective of collecting the contractual cash flows and its contractual terms give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding. All other financial assets are measured at fair value through other comprehensive income or the Income Statement. Financial assets at amortised cost Trade and other receivables Trade receivables and other receivables that have fixed or determinable payments that are not quoted in an active market are classified as financial assets measured at amortised cost. Under the IFRS 9 “expected credit loss” model, a credit event (or impairment “trigger”) no longer needs to occur before credit losses are recognised. The Group analyses the risk profile of trade receivables based on past experience and an analysis of the receivables’ current financial position, potential for a default event to occur, adjusted for specific factors, general economic conditions of the industry in which the receivables operate and assessment of both the current and the forecast direction of conditions at the reporting date. A default event is considered to occur when information is obtained that indicates that a receivable is unlikely to be paid to the Group. Credit risk is regularly reviewed by management to ensure the expected credit loss (ECL) model is being appropriately applied. The Group has performed the calculation of ECL separately for each business unit. Financial liabilities at amortised cost Trade payables Trade payables are other financial liabilities initially measured at fair value and subsequently measured at amortised cost. Impairment of non‑financial assets The carrying amounts of the Group’s non-financial assets, other than deferred tax assets, are reviewed at each reporting date to determine whether there is any indication of impairment. If any such indication exists, then the asset’s recoverable amount is estimated. For goodwill, and intangible assets that have indefinite useful lives or that are not yet available for use, the recoverable amount is estimated each year at the same time. The recoverable amount of an asset or cash generating unit is the greater of its value in use (VIU) and its fair value less costs to sell (FVLCTS). FVLCTS has been used for all CGUs for the year ended 31 May 2023. The FVLCTS valuation has been calculated by assessing the value of each standalone CGU calculated using an Adjusted EBITDA 1 multiple based on estimated sustainable earnings adjusted for specific items where relevant. VIU has predominantly been used in the year ended 31 May 2022, the estimated future cash flows are discounted to their present value using a pre-tax discount rate that reflects current market assessments of the time value of money and the risks specific to the asset. For the purpose of impairment testing, assets that cannot be tested individually are grouped together into the smallest group of assets that generates cash inflows from continuing use that are largely independent of the cash inflows of other assets or groups of assets (the “cash generating unit”). The goodwill acquired in a business combination, for the purpose of impairment testing, is allocated to cash generating units (CGUs). Subject to an operating segment ceiling test, for the purposes of goodwill impairment testing, CGUs to which goodwill has been allocated are aggregated so that the level at which impairment is tested reflects the lowest level at which goodwill is monitored for internal reporting purposes. Goodwill acquired in a business combination is allocated to groups of CGUs that are expected to benefit from the synergies of the combination. An impairment loss is recognised if the carrying amount of an asset or its CGU exceeds its estimated recoverable amount. Impairment losses are recognised in the Income Statement. Impairment losses recognised in respect of CGUs are allocated first to reduce the carrying amount of any goodwill allocated to the units, and then to reduce the carrying amounts of the other assets in the unit (group of units) on a pro rata basis. An impairment loss in respect of goodwill is not reversed. In respect of other assets, impairment losses recognised in prior periods are assessed at each reporting date for any indications that the loss has decreased or no longer exists. An impairment loss is reversed if there has been a change in the estimates used to determine the recoverable amount. An impairment loss is reversed only to the extent that the asset’s carrying amount does not exceed the carrying amount that would have been determined, net of depreciation or amortisation, if no impairment loss had been recognised. Subsequent expenditure Subsequent expenditure is capitalised only when it increases the future economic benefits embodied in the specific asset to which it relates. All other expenditure, including expenditure on internally generated goodwill, is recognised in the Income Statement as an expense as incurred. Consideration of climate risk impact The impact of climate risk on the future cash flows has also been considered for scenarios analysed in line with the climate change risk assessment. The climate change scenario analyses performed in 2023 – conducted in line with TCFD recommendations – identified no material financial impact to the current year impairment assessments. 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. NCC Group plc — Annual report and accounts for the year ended 31 May 2023164 Notes to the Financial Statements continued at 31 May 2023 1 Accounting policies continued Related party transactions A related party is a person or entity that is related to the Group or Company. Related party transactions are the transfer of resources, services or obligations between parties regardless of whether a price is charged. In these circumstances, the Group or Company will disclose the nature of the related party relationship as well as information about the transactions and outstanding balances necessary for an understanding of the potential effect of the relationship on the Financial Statements in accordance with IAS 24 ‘Related Party Transactions’. Details of related party transactions are set out in Note 32 to these Financial Statements. Property, plant and equipment Property, plant and equipment assets are carried at cost less accumulated depreciation and any recognised impairment in value. To the extent that borrowing costs relate to the acquisition, construction or production of a qualifying asset, borrowing costs are capitalised as part of the cost of that asset. Depreciation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of each part of an item of plant and equipment as follows: Computer equipment – between three and five years Plant and equipment – between three and five years Furniture – between three and five years Fixtures and fittings – five years Motor vehicles – four years Property, plant and equipment is also tested for impairment whenever there is an indication of potential impairment. Leases At inception of a contract, the Group assesses whether a contract is, or contains, a lease. A contract is, or contains, a lease if the contract conveys the right to control the use of an identified asset for a period of time in exchange for consideration. To assess whether a contract conveys the right to control the use of an identified asset, the Group assesses whether: • The contract involves use of the identified asset; this may be specified explicitly or implicitly and should be physically distinct or represent substantially all of the capacity or a physically distinct asset. If the supplier has a substantive substitution right, then the asset is not identified • The Group has the right to obtain substantially all of the economic benefits from use of the asset and throughout the period of use The Group has the right to direct the use of the asset. The Group has this right when it has the decision-making rights that are≈most relevant to changing how and for what purpose the asset is used. In rare cases where all the decisions about how and for≈what purpose the asset is used are predetermined, the Group has the right to direct the use of the asset if either: • The Group has the right to operate the asset • The Group designed the asset in a way that predetermines how and for what purpose it will be used The Group recognises a right-of-use asset and a lease liability at the lease commencement date. The right-of-use asset is initially measured at cost, which comprises the initial amount of the lease liability adjusted for any lease payments made at or before the commencement date, and an estimate of costs to dismantle and remove the underlying asset or to restore the underlying asset or the site on which it is located, less any lease incentives received. The right-of-use asset is subsequently depreciated using the straight-line method from the commencement date to the earlier of≈the end of the useful life of the right-of-use asset or the end of lease term. The estimated useful lives of right-of-use assets are determined on the same basis as those of property, plant and equipment. In addition, the right-of-use asset is periodically reduced by impairment losses, if any, and adjusted for certain remeasurements of the lease liability. The lease liability is initially measured at the present value of the lease payments that are not paid at the commencement date, discounted using the interest rate implicit in the lease or, if that rate cannot be readily determined, the Group’s incremental borrowing rate. The lease liability is measured at amortised cost using the effective interest method. It is remeasured when there is a change in future lease payments arising from a change in an index or rate, if there is a change in the Group’s estimate of the amount expected to be payable, or if the Group changes its assessment of whether it will exercise a purchase, extension or termination option. When the lease liability is remeasured in this way, a corresponding adjustment is made to the carrying amount of the right-of-use asset or is recorded in the Income Statement if the carrying amount of the right-of-use asset has been reduced to zero. The Group has elected not to recognise right-of-use assets and lease liabilities for short-term leases that have a lease term of 12 months or less and leases of low value assets, including certain IT equipment. The Group recognises the lease payments associated with these leases as an expense on a straight-line basis over the lease term. Lease rental costs in respect of short-term leases (less than one year) and low value assets which are exempt from being accounted for under IFRS 16 are charged to the Income Statement on a straight-line basis over the period of the lease. Investments Investments in subsidiaries are carried at cost less impairment. Investments in property and unlisted shares are carried at cost less impairment, which is based on the fair value at acquisition. Inventories Inventories are valued at the lower of cost and new realisable value. Net realisable value is the estimated selling price in the ordinary course of the business, less applicable variable selling expenses. Items in transit where the Group has control are included in inventories. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 165 1 Accounting policies continued Revenue recognition Summary The Group provides independent global Cyber Security 2 and Software Resilience services. The revenue streams in relation to Cyber Security 2 include: • Global Professional Services (GPS) – global Cyber Security 2 consultancy services • Global Managed Services (GMS) – operational cyber defence, incident response, scanning, simulation and managed security operations centres (SOCs) including new Microsoft XDR (Sentinel) proposition • Product sales – sale of own manufactured and/or resale of third party products The revenue streams in relation to Software Resilience include: • Escrow contract services – securely maintain in “escrow” the long-term availability of business critical software and applications • Verification services – verify source code, and provide a fully managed secure service and result validation While the detailed recognition is contract specific, and set out in the table on pages 167 to 170, in most cases: • GPS revenues are recognised on an input method over time • GMS revenues are bifurcated according to the separate performance obligations (see pages 167 to 169) • Product sales are recognised when control passes, usually on delivery • Escrow contract revenues are recognised over time • Verification services are recognised on the completion of the verification service Revenue is presented net of VAT and other sales related taxes. Revenue is measured based on the consideration specified in a contract with a customer. The Group recognises revenue when it transfers control over a good or service to a customer. Due to the nature of the Group’s activities, the Group transaction price for the majority of its contracts is entirely variable consideration as these contracts are on a time and material basis, using set contractual rates per hour/day worked, giving rise to no estimation or reversal risk at period end. The Group does not have any material obligations in respect of returns, refunds or warranties. The impact of any financing component within contracts with customers has been assessed and concluded to be immaterial. On contract inception, the probability of collectability is assessed across the Group and, unless there is a significant change in facts and circumstances, revenue is recognised. During the year, no instances have been identified where reassessment of the collectability has had to be reassessed, nor have there been any new contracts with customers for which the collection of consideration has not been assessed at inception as probable. 2 Formerly Assurance. NCC Group plc — Annual report and accounts for the year ended 31 May 2023166 Notes to the Financial Statements continued at 31 May 2023 1 Accounting policies continued Revenue recognition continued Detailed policies The following table provides information about the nature and timing of the satisfaction of performance obligations in contracts with customers by reportable segments, including significant payment terms, and the related revenue recognition policies. Revenue stream Nature Timing of satisfaction of performance obligations and significant payment terms Revenue recognition policies, including determination of transaction price and rationale Global Professional Services ( G P S ) GPS is the Group’s core consulting service represented by consultants providing Cyber Security 2 consultancy services to a customer over time or to a set deliverable. Some contracts may contain multiple services (e.g. Cyber Security 2 assessment and certified product evaluation services). These will be identified as separate performance obligations, and the transaction price allocated to each of these is determined by using the fixed contract rate based upon day rates, being the relative standalone selling price basis. Specifically, the contract terms range from time and materials (based upon consultants’ time and expenses) discrete statements of work, whereby the customer benefits gradually over the period over which the work is performed, unless there is a set deliverable (for example a defined security assessment report). The customer simultaneously receives the benefits of the consulting services provided by the Group over the period over which the work is performed and one promise (performance obligation) is identified. Work is performed on a daily basis. Invoices are raised monthly or based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. No discounts or retrospective rebates are provided. Revenue is recognised on an input basis to measure the satisfaction of performance obligations over time. This is done according to the number of days worked in comparison to the total contracted number of days of the performance obligation. The work performed occurs on a daily basis (for example security assessment of a customer’s security environment). It is considered that as the customer benefits over time based on consultants’ time, the input method faithfully depicts the Group’s performance towards complete satisfaction of the single performance obligation. Transaction price is determined by fixed contract rates based upon day rates and number of days. The Group in certain situations operates on agreed customer terms, which allow the Group to recover any abortive revenue from its customer in the event that a customer terminates a contract before the contract or deliverable is complete. The customer simultaneously receives and consumes the benefits of the consulting services provided by the Group over the period over which the work is performed by the Group and one performance obligation is identified. Invoices in relation to the abortive revenue will be recognised when aborted. Invoices are usually payable within 30 days. Revenue is recognised on an input basis to measure the satisfaction of performance obligations over time. This is done according to the number of days worked in comparison to the total contracted number of days of the performance obligation. Transaction price is determined by fixed contract rates based upon day rates and number of consultancy days. Global Managed Services (GMS) These services provide operational cyber defence, incident response, scanning, simulation and managed security operations centres (SOCs). Services are typically for an extended delivery duration, with contract lengths varying up to a maximum of five years. The customer will benefit from the services over the period of the contract. However, the type of contract will depend on how the customer benefits from the software licence(s). The amount of revenue recognised in relation to software licence(s) depends on whether the Group acts as an agent or as a principal. The Group acts as principal when the Group controls the specified software licence or service prior to transfer (MSP model). 2 Formerly Assurance. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 167 Revenue stream Nature Timing of satisfaction of performance obligations and significant payment terms Revenue recognition policies, including determination of transaction price and rationale Global Managed Services (GMS) continued The proposition will also provide the customer with software licence(s) to enable these services to occur. On this basis, the Group operates two types of contracts: • A Managed Service Provider (MSP) model whereby the customer is supplied with one complete integrated service including the software licence(s) • A reseller model whereby the Group sources the software licence(s) on behalf of the customer and provides the Managed Detection and Response services These services will also include set-up fees. Set-up fees represent workshops, design, and configuration to create a “connection” between systems. Following services going live, the Group will also provide a certain level of professional service consultancy days based on a day rate (post-go- live fees). Where an MSP model is selected by the customer, the Group recognises three performance obligations: • Set-up fees • Post-go-live fees • Combined monitoring cyber and licence service The MSP model is considered to be under a principal arrangement whereby the Group controls the service prior to transfer. Where a reseller model is selected by the customer, the Group recognises four performance obligations: • Sourced software licence(s) • Set-up fees • Post-go-live fees • Monitoring cyber service The reseller model is considered to be under an agency arrangement whereby the customer receives the benefit and control of the licence on delivery. Invoices are raised monthly or based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. When the Group acts as a principal the revenue recorded is the gross amount billed. The transaction price is determined by a contract price (cost plus mark-up). The transaction price for the overall service is outlined within the customer contract. In certain scenarios, the contract will outline the price for each performance obligation, which is considered to be the standalone selling price of the services/goods, and the transaction price is allocated to each performance obligation on this basis. Where the contract does not stipulate the price per performance obligation, management determines the relative standalone selling price for each performance obligation based on a market assessment approach for the services provided in comparison to market prices, and the contract transaction price is allocated to each performance obligation in proportion to those standalone selling prices. Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) to the customer. In these cases, the Group is acting as an agent and the Group does not control the relevant licence(s) before it is transferred to the customer. In particular, the Group does not have inventory risk, have access to its source code or hold the IP rights. When the Group is acting as an agent, the revenue is recorded at the net amount retained (commission) at a point in time as the customer receives immediate benefit from access to the licence and the Group does not have any further obligations in relation to the provision of the licence. The commission transaction value represents the mark-up on the licence provided. The majority of set-up fees relate to the reseller model. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of 1-2 months. The set-up activities do not customise the licence provided by the third party but only allows a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group one the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or together with the other goods and services that are readily available and the promise to transfer the goods or service is distinct. The set-up fees are based on day rates incurred (defined by an in-house day rate sales pricing matrix). Accordingly, the charge out rates are recognised and allocated to these tasks when performed akin to technical professional day rate services. These rates are considered to be the standalone selling prices and are not discounted or reduced for other services. 1 Accounting policies continued Revenue recognition continued Detailed policies continued NCC Group plc — Annual report and accounts for the year ended 31 May 2023168 Notes to the Financial Statements continued at 31 May 2023 Revenue stream Nature Timing of satisfaction of performance obligations and significant payment terms Revenue recognition policies, including determination of transaction price and rationale Global Managed Services (GMS) continued Post-go-live fees are recognised on delivery of consultancy services over time as the customer obtains incremental benefit from the hours provided. Revenue is recognised on an input basis (day rates) to measure the satisfaction of performance obligations over time. Transaction price is determined by fixed contract rates based upon day rates and number of post-go-live consultancy days. One performance obligation, being a combined monitoring cyber and licence service, is identified in relation to the MSP model monitoring service. Revenue is recognised over the contract length as the software and monitoring process is an overall service, whereby the Group retains control of the licence and provides a complete monitoring service to the customer. If the customer cancels the contract, the Group will retain control of the licence. The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily and therefore revenue is recognised on straight-line basis as the performance obligation is satisfied over time. The transaction price is determined by fixed contract rates for the combined services. Revenue in relation to the reseller model monitoring service is recognised over the contract length on a straight-line basis as the performance obligation is satisfied over time. The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily on straight-line basis. Product sales This revenue represents the sale of own manufactured and/or resale of third party products with no connection to other Group services. The customer only benefits from the products on delivery. Invoices are raised monthly or based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. Revenue is recognised when control of the product is transferred to the customer. This occurs upon delivery under the contractual terms. On certain sales of third party products, the control of the product is considered to pass from the vendor to the end customer and in these cases the Group acts as an agent, and hence only records a commission on sale as opposed to gross revenue and costs of sale. Long-term fixed price contracts This revenue represents the long-term development and/ or manufacture of specialised software and hardware solutions. Delivery of the product is considered to represent one performance obligation. The development and/or manufacturing work carried out by the Group is not considered to create an asset with an alternative use to the entity. The Group is entitled to payment as performance of the contract is completed. On this basis, revenue is recognised over time. Invoices are raised based on achievements of pre-defined milestones in the contract. Invoices are usually payable within 30 days. Revenue is recognised on an input basis to measure the satisfaction of the performance obligation over time. This is done according to total costs incurred in comparison to the total expected costs to be incurred to satisfy the performance obligation. This input measure is driven by the nature of the activities carried out in satisfying the performance obligation. The transaction price is fixed within the terms of the contractual arrangement. 1 Accounting policies continued Revenue recognition continued Detailed policies continued Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 169 Revenue stream Nature Timing of satisfaction of performance obligations and significant payment terms Revenue recognition policies, including determination of transaction price and rationale Software Resilience Escrow contract services These services securely maintain in “escrow” the long-term availability of business critical software and applications while protecting the intellectual property rights (IPR) of technology partners. The service will include set-up time, which is administrative in nature. The customer benefits from the escrow service evenly over a contract period, usually at least a year and potentially up to three years. The service represents one performance obligation. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. Revenue is recognised over time on a straight- line basis representing the service delivery agreement. The nature of the agreement gives rise to the customer having the benefit of Software Resilience if and when required over the contract period. Revenue is recognised on a straight-line basis as the pattern of benefit to the customer as well as the Group’s efforts to fulfil the contract are generally even throughout the period. The transaction price is determined by a contract price. Set-up time is not considered distinct and a separate performance obligation due to the administrative nature and therefore is recognised over the period of the contract. Verification services These services verify source code based upon an agreed scope between all parties and provide a fully managed secure service and result validation, typically delivered over a short period of time (days). These include SaaS services and ICANN services. The customer benefits from the verification service on completion because the source code will only have been fully verified/validated at that point. The service represents one performance obligation. Invoices are raised monthly or based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. Revenue is recognised on completion of the verification services. Transaction price is determined by fixed contract rates based upon day rates and number of verification days. Contract costs Contract costs comprise incremental sales commissions paid to sales agents or external third parties, which can be directly attributed to an acquired or retained contract. Capitalised commission costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services when the related revenues are recognised. In all other cases, all internal and external costs of obtaining the contract are recognised as incurred. Costs directly incurred in fulfilling a contract with a customer, which comprise labour hours on long-term contracts, are recognised as an asset to the extent they are recoverable. Such costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services when the related revenues are recognised. Accrued income (contract asset) Accrued income represents the Group’s rights to consideration for work completed but not billed at the reporting date. Remaining balances are transferred to receivables when the rights become unconditional. Deferred revenue (contract liability) Deferred revenue represents advanced consideration received from customers, for which revenue is recognised over time. Long‑term loss‑making contracts Long-term contracts are reviewed annually to establish if the contract is onerous in nature. In particular, the long-term contract becomes an onerous contract when the unavoidable costs (i.e. the lower of the cost of fulfilling the contract and any compensation or penalties arising from failure to fulfil it) exceed the economic benefits expected to be received under the contract. The assessment of cost to fulfil includes costs that relate directly to the contract and includes direct costs of production, direct costs of supplies/ hardware from external suppliers (materials), direct labour in relation to performance obligations and if appropriate any potential contractual fine dependent on items (performance obligations) not being delivered/performed. Any assets dedicated to the specific contract are also tested for potential impairment. 1 Accounting policies continued Revenue recognition continued Detailed policies continued NCC Group plc — Annual report and accounts for the year ended 31 May 2023170 Notes to the Financial Statements continued at 31 May 2023 1 Accounting policies continued Determination and presentation of operating segments The Group determines and presents operating segments based on the information that is provided to the Board, which acts as the Group’s chief operating decision maker (CODM) in order to assess performance and to allocate resources. An operating segment is a component of the Group that engages in business activities from which it may earn revenues and incur expenses, including revenues and expenses that relate to transactions with any of the Group’s other components. An operating segment’s results are reviewed regularly by the CODM to make decisions about resources to be allocated to the segment and to assess its performance. The Group reports its business in two key segments: the Cyber Security 2 division and the Software Resilience division. The two reporting segments provide distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. The operating segments are grouped into the reporting segments on the basis of how they are reported to the CODM. Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their relatively homogeneous commercial and strategic market environments. Both of the Group’s divisions (segments) are run by a senior executive team; those teams make all decisions on resource allocation, product development, marketing and areas for focus and investment. Allocation of central costs Some costs are collected and managed in one location but are actually incurred on behalf of multiple operating segments or reporting segments. These costs are then allocated to the reporting segments. The allocation is based on logical or activity driven cost algorithms. The allocation is necessary to give an accurate picture of the consumption of resources by each reporting segment. Individually Significant Items (ISI) Individually Significant Items are identified as those items or projects that based on their size and nature and/or incidence are assessed to warrant separate disclosure to provide supplementary information to support the understanding of the Group’s financial performance. Where a project spans a reporting period(s) the total project size and nature are considered in totality. ISI’s typically comprise costs/ profits/losses on material acquisitions/disposals/business exits, fundamental reorganisation/restructuring programmes and other significant one-off events. ISI’s are considered to require separate presentation in the notes to the Financial Statements in order to fairly present the financial performance of the Group. During the year ended 31 May 2023, the Group commenced a fundamental reorganisation/restructuring programme that will span future reporting periods. In particular, it is expected that material costs will be incurred for the years ending 31 May 2024 and 2025 and the Group will have to exercise judgement in assessing whether the restructuring items should be classified as individual significant items, this will involve taking into account the nature of the item, cause of occurrence scale of the impact of those items on the reported performance and after considering the original reorganisation programme principles and plans. Foreign currencies Transactions in foreign currencies are recorded using the appropriate monthly exchange rate ruling at the date of the transaction. Monetary assets and liabilities denominated in foreign currencies are retranslated using the exchange rate ruling at the Balance Sheet date and the gains or losses on translation are included in the Income Statement. The assets and liabilities of overseas subsidiaries denominated in foreign currencies are retranslated at the exchange rate ruling at the Balance Sheet date. The income statements of overseas subsidiary undertakings are translated at the average exchange rates for the financial year. Gains and losses arising on the retranslation of overseas subsidiary undertakings are taken to the currency translation reserve. They are released to the Income Statement upon disposal of the subsidiary to which they relate. Foreign currency differences arising from the translation of qualifying cash flow hedges are recognised in OCI to the extent that the hedges are effective. Derivative financial instruments and hedge accounting The Group holds derivative financial instruments to hedge its foreign currency risk exposures. Derivatives are initially measured at fair value. Subsequent to initial recognition, derivatives are measured at fair value, and changes therein are generally recognised in profit or loss. The Group designates certain derivatives as hedging instruments to hedge the variability in cash flows associated with highly probable forecast transactions arising from changes in foreign exchange rates. At inception of designated hedging relationships, the Group documents the risk management objective and strategy for undertaking the hedge. The Group also documents the economic relationship between the hedged item and the hedging instrument, including whether the changes in cash flows of the hedged item and hedging instrument are expected to offset each other. Cash flow hedges When a derivative is designated as a cash flow hedging instrument, the effective portion of changes in the fair value of the derivative is recognised in OCI and accumulated in the hedging reserve. The effective portion of changes in the fair value of the derivative that is recognised in OCI is limited to the cumulative change in fair value of the hedged item, determined on a present value basis, from inception of the hedge. Any ineffective portion of changes in the fair value of the derivative is recognised immediately in profit or loss. The Group designates only the change in fair value of the spot element of forward exchange contracts as the hedging instrument in cash flow hedging relationships. The change in fair value of the forward element of forward exchange contracts (forward points) is separately accounted for as a cost of hedging and recognised in a costs of hedging reserve within equity. When the hedged forecast transaction subsequently results in the recognition of a non-financial item, the amount accumulated in the hedging reserve and the cost of hedging reserve is included directly in the initial cost of the non-financial item when it is recognised. For all other hedged forecast transactions, the amount accumulated in the hedging reserve and the cost of hedging reserve is reclassified to profit or loss in the same period or periods during which the hedged expected future cash flows affect profit or loss. 2 Formerly Assurance. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 171 1 Accounting policies continued Cash flow hedges continued If the hedge no longer meets the criteria for hedge accounting or the hedging instrument is sold, expires, is terminated or is exercised, then hedge accounting is discontinued prospectively. When hedge accounting for cash flow hedges is discontinued, the amount that has been accumulated in the hedging reserve remains in equity until, for a hedge of a transaction resulting in the recognition of a non-financial item, it is included in the non-financial item’s cost on its initial recognition or, for other cash flow hedges, it is reclassified to profit or loss in the same period or periods as the hedged expected future cash flows affect profit or loss. If the hedged future cash flows are no longer expected to occur, then the amounts that have been accumulated in the hedging reserve and the cost of hedging reserve are immediately reclassified to profit or loss. Colleague benefits – defined contribution pensions The Group operates a defined contribution pension scheme. The assets of the scheme are kept separate from those of the Group in an independently administered fund. The amount charged as an expense in the Income Statement represents the contributions payable to the scheme in respect of the accounting period. Short‑term benefits Short-term colleague benefit obligations are measured on an undiscounted basis and are expensed as the related service is provided. A liability is recognised for the amount expected to be paid under short-term cash bonus or profit-sharing plans if the Group has a present legal or constructive obligation to pay this amount as a result of past service provided by the colleague and the obligation can be estimated reliably. Share‑based payment transactions Share-based payments in which the Group receives goods or services as consideration for its own equity instruments are accounted for as equity settled share-based payment transactions, regardless of how the equity instruments are obtained by the Group. The grant date fair value of share-based payment awards granted to colleagues is recognised as a colleague expense, with a corresponding increase in equity, over the period that the colleagues become unconditionally entitled to the awards. The fair value of the options granted is measured using an option valuation model, taking into account the terms and conditions upon which the options were granted. The amount recognised as an expense is adjusted to reflect the actual number of awards for which the related service and non- market vesting conditions are expected to be met, such that the amount ultimately recognised as an expense is based on the number of awards that do meet the related service and non-market performance conditions at the vesting date. For share-based payment awards with non-vesting conditions, the grant date fair value of the share-based payment is measured to reflect such conditions and there is no true-up for differences between expected and actual outcomes. Share-based payment transactions in which the Group receives goods or services by incurring a liability to transfer cash or other assets that is based on the price of the Group’s equity instruments are accounted for as cash settled share-based payments. The fair value of the amount payable to colleagues is recognised as an expense, with a corresponding increase in liabilities, over the period in which the colleagues become unconditionally entitled to payment. The liability is remeasured at each Balance Sheet date and at settlement date. Any changes in the fair value of the liability are recognised as personnel expense within the Income Statement. Where the Company grants options over its own shares to the colleagues of a subsidiary it recognises in its individual Financial Statements, an increase in the cost of investment in that subsidiary equivalent to the equity settled share-based payment charge is recognised in respect of that subsidiary in its consolidated Financial Statements with the corresponding credit being recognised directly in equity. Holiday or vacation pay The Group recognises a liability in the Balance Sheet for any earned but not yet taken holiday entitlement for staff. Earned holiday is calculated on a straight-line basis over a holiday year, which can vary by business unit. Taken holiday is based on actually taken holiday. Any movement in the liability between the opening and closing balance in the year is recorded as a colleague cost or a reduction in colleague costs in the Income Statement in the year. Borrowings Borrowings are recognised initially at fair value less attributable transaction costs. Subsequent to initial recognition, borrowings are stated at amortised cost with any difference between cost and redemption value being recognised in the Income Statement over the period of the borrowings on an effective interest basis. Finance costs Finance costs are recognised within the Income Statement in the year in which they are incurred. Provisions Provisions are determined by discounting the expected future cash flows at a pre-tax rate that reflects current market assessments of the time value of money and the risks specific to the liability. The unwinding of the discount is recognised as finance cost. NCC Group plc — Annual report and accounts for the year ended 31 May 2023172 Notes to the Financial Statements continued at 31 May 2023 1 Accounting policies continued Taxation Taxation on the profit or loss for the year comprises current and deferred taxation. Taxation is recognised in the Income Statement except to the extent that it relates to items recognised directly in equity, in which case it is recognised in equity. Current tax is the expected tax payable or receivable on the taxable income or loss for the year, using tax rates enacted or substantively enacted at the Balance Sheet date, and any adjustment to tax payable in respect of previous years. Deferred tax is provided on temporary differences between the carrying amounts of assets and liabilities for financial reporting purposes and the amounts used for taxation purposes. The following temporary differences are not provided for: the initial recognition of goodwill; the initial recognition of assets or liabilities that affect neither accounting nor taxable profit other than in a business combination; and differences relating to investments in subsidiaries to the extent that they will probably not reverse in the foreseeable future. The amount of deferred tax provided is based on the expected manner of realisation or settlement of the carrying amount of assets and liabilities, using tax rates enacted or substantively enacted at the Balance Sheet date. A deferred tax asset is recognised only to the extent that it is probable that future taxable profits will be available against which the temporary difference can be utilised. UK RDEC tax credits are recognised for the UK tax jurisdiction within administrative expenses and R&D US tax credits within income tax for the US tax jurisdiction. Intra‑group financial instruments Where the Company enters into financial guarantee contracts to guarantee the indebtedness of other companies within the Group, the Company considers these to be insurance arrangements and accounts for them as such. In this respect the Company treats the guarantee contract as a contingent liability until such time as it becomes probable that the Company will be required to make a payment under the guarantee. Cash and cash equivalents Cash and cash equivalents comprise cash in hand and deposits repayable on demand. Bank overdrafts that are repayable on demand form part of the Group’s cash management and are included as a component of cash and cash equivalents for the purpose only of the Statement of Cash Flows. Treasury shares NCC Group plc shares held by the Group are deducted from equity as “treasury shares” and are recognised at cost. Consideration received for the sale of such shares is also recognised in equity, with any difference between the proceeds from sale and the original cost being taken to reserves. No gain or loss is recognised in the Income Statement on the purchase, sale, issue or cancellation of equity shares. 2 Critical accounting judgements and key sources of estimation uncertainty The preparation of Financial Statements requires management to exercise judgement in applying the Group’s accounting policies. Different judgements would have the potential to change the reported outcome of an accounting transaction or Statement of Financial Position. It also requires the use of estimates that affect the reported amounts of assets, liabilities, income and expenses. Actual results may differ from these estimates. Estimates and underlying assumptions are reviewed on an ongoing basis, with changes recognised in the period in which the estimates are revised and in any future periods affected. The table below shows those areas of critical accounting judgements and estimates that the Directors consider material and that could reasonably change significantly in the next year. Accounting area Accounting judgement? Accounting estimate? Impairment of goodwill No Yes Valuation of separately identifiable intangible assets (prior year) No Yes 2.1 Critical accounting judgements No critical accounting judgements have been made in applying accounting policies that have the most significant effects on the amounts recognised in the consolidated Financial Statements. 2.2 Key sources of estimation uncertainty Information about estimation uncertainties that have a significant risk of resulting in a material adjustment to the carrying values of assets and liabilities within the next financial year is addressed below. While every effort is made to ensure that such estimates and assumptions are reasonable, by their nature they are uncertain, and as such changes in estimates and assumptions may have a material impact. Estimates and assumptions used in the preparation of the Financial Statements are continually reviewed and revised as necessary at each reporting date. The Directors have considered the impact of climate change on the following estimation uncertainties. Due to nature of the climate change impact on the Group, no material impact has been identified. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 173 2 Critical accounting judgements and key sources of estimation uncertainty continued 2.2 Key sources of estimation uncertainty continued Impairment of goodwill The Group has significant balances relating to goodwill at 31 May 2023 as a result of acquisitions of businesses in previous years. The carrying value of goodwill at 31 May 2023 is £255.8m (2022: £266.1m). Goodwill balances are tested annually for impairment. The Group allocated goodwill to cash-generating units (CGUs) which represent the lowest level of asset groupings that generate separately identifiable cash inflows that are not dependent on other CGUs. For the year ended 31 May 2023, tests for impairment are based on the calculation of a fair value less costs to sell (FVLCTS) which has been used to establish the recoverable amount of the CGU. The FVLCTS valuation has been calculated by assessing the value of each standalone CGU calculated using an Adjusted EBITDA 1 multiple based on estimated sustainable earnings adjusted for specific items where relevant. Estimated sustainable earnings has been determined taking into account past experience and includes expectations based on a market participant view of sustainable performance of the business based on market volatility and uncertainty as at 31 May 2023. The sustainable earnings figures used in this calculation include key assumptions regarding sustainable revenues and costs for the business. If the assumptions and estimates used in this valuation prove to be incorrect, the carrying value of goodwill may be overstated. The two CGUs which are most sensitive to reasonably possible changes in sustainable earnings are US Cyber Security 2 and Europe Cyber Security 2 . A description of such estimates and reasonably possible sensitivities is provided in note 12. Valuation of separately identifiable intangible assets (prior year) In the prior year, as part of the acquisition of the IPM business the Group has acquired an intangible asset relating to the customer relationships acquired with a fair value of £91.4m. The valuation approach taken is an income approach, specifically the multi-period excess earnings method (MEEM). As part of this valuation exercise certain key sources of estimation uncertainty were identified in the prior year that did have a significant risk of resulting in a material adjustment to the carrying amounts of assets and liabilities in the next current year. A description of such estimates and reasonably possible sensitivities is provided in Note 35. 3 Alternative Performance Measures (APMs) and adjusting items The consolidated Financial Statements include APMs as well as statutory measures. These APMs used by the Group are not defined terms under IFRS and may therefore not be comparable with similarly titled measures reported by other companies. They are not intended to be a substitute for, or superior to, Generally Accepted Accounting Practice (GAAP) measures. All APMs relate to the current year results and comparative periods where provided. This presentation is also consistent with the way that financial performance is measured by management and reported to the Board, and the basis of financial measures for senior management’s compensation schemes, and provides supplementary information that assists the user in understanding the financial performance, position and trends of the Group. At all times, the Group aims to ensure that the Annual Report and Accounts gives a fair, balanced and understandable view of the Group’s performance, cash flows and financial position. IAS 1 ‘Presentation of Financial Statements’ requires the separate presentation of items that are material in nature or scale in order to allow the user of the accounts to understand underlying business performance. We believe these APMs provide readers with important additional information on our business and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can differ significantly from the APMs and may be assessed differently by the reader we encourage you to consider these figures together with statutory reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related APMs may exclude recurring business transactions (e.g. acquisition related costs and certain share-based payment charges) that impact financial performance and cash flows. As the Group manages internally its performance at an Adjusted operating profit level (before Individually Significant Items, amortisation of acquired intangibles and share-based payments), which management believes represents the underlying trading of the business. This information is still disclosed as an APM within this Annual Report. This APM is reconciled to statutory operating profit, together with the consequently Adjusted basic EPS (before amortisation of acquisition intangibles, share-based payments and Individually Significant Items and tax effect thereon) to statutory basic EPS. The Group has the following APMs/non-statutory measures: APM Closest equivalent IFRS measure Adjustments to reconcile to IFRS measure Note reference for reconciliation Definition, purpose and considerations made by the Directors Income Statement measures: Constant currency revenue growth rates Revenue growth rates at actual rates of currency exchange Retranslation of comparative numbers at current year exchange rates to provide constant currency 3 The Group also reports certain geographic regions on a constant currency basis to reflect the underlying performance taking into account constant foreign exchange rates year on year. This involves translating comparative numbers to current year rates for comparability to enable a growth factor to be calculated. 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. 2 Formerly Assurance. NCC Group plc — Annual report and accounts for the year ended 31 May 2023174 Notes to the Financial Statements continued at 31 May 2023 APM Closest equivalent IFRS measure Adjustments to reconcile to IFRS measure Note reference for reconciliation Definition, purpose and considerations made by the Directors Income Statement measures: continued Adjusted operating profit Operating profit or loss Operating profit or loss before amortisation of acquired intangibles, share-based payments and Individually Significant Items 3 Represents operating profit before amortisation of acquired intangibles, share-based payments and Individually Significant Items. This measure is to allow the user to understand the Group’s underlying financial performance as measured by management, reported to the Board and used as a financial measure in senior management’s compensation schemes. The Directors consider amortisation of acquired intangibles is a non-cash accounting charge inherently linked to losses associated with historical acquisitions of businesses. The Directors consider share-based payments to be an adjusting item on the basis that fair values are volatile due to movements in share price, which may not be reflective of the underlying performance of the Group. Individually Significant Items are items that are considered unusual by nature or scale and are of such significance that separate disclosure is relevant to understanding the Group’s financial performance and therefore requires separate presentation in the Financial Statements in order to fairly present the financial performance of the Group. Adjusted earnings before interest, tax, depreciation and amortisation (“Adjusted EBITDA”) Operating profit or loss Operating profit or loss, before adjusting items, depreciation and amortisation, finance costs and taxation 3 Represents operating profit before adjusting items, depreciation and amortisation to assist in the understanding of the Group’s performance. Adjusted EBITDA is disclosed as this is a measure widely used by various stakeholders and used by the Group to measure the cash conversion ratio. Adjusted basic EPS Statutory basic EPS Statutory basic EPS before amortisation of acquired intangibles, share-based payments, Individually Significant Items and the tax effect thereon 11 Represents basic EPS before amortisation of acquired intangibles, share-based payments and Individually Significant Items. This measure is to allow the user to understand the Group’s underlying financial performance as measured by management, reported to the Board and used as a financial measure in senior management’s compensation schemes. See further details above in relation to amortisation of acquired intangibles and share- based payments. Balance Sheet measures: Net debt excluding lease liabilities Total borrowings (excluding lease liabilities) offset by cash and cash equivalents 3 Represents total borrowings (excluding lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group Balance Sheet position, overall net indebtedness and gearing on a like-for-like basis. Net cash/(debt), when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions. 3 Alternative Performance Measures (APMs) and adjusting items continued Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 175 APM Closest equivalent IFRS measure Adjustments to reconcile to IFRS measure Note reference for reconciliation Definition, purpose and considerations made by the Directors Balance Sheet measures: continued Net debt Total borrowings (including lease liabilities) offset by cash and cash equivalents 3 Represents total borrowings (including lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group Balance Sheet position, overall net indebtedness and gearing including lease liabilities. Net cash/(debt), when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions. Cash flow measure: Cash conversion ratio Ratio % of net cash flow from operating activities before interest and tax divided by operating profit Ratio % of net cash flow from operating activities before interest and tax divided by EBITDA 3 The cash conversion ratio is a measure of how effectively operating profit is converted into cash and effectively highlights both non-cash accounting items within operating profit and also movements in working capital. It is calculated as net cash flow from operating activities before interest and taxation (as disclosed on the face of the Cash Flow Statement) divided by EBITDA for continuing activities. The cash conversion ratio is a measure widely used by various stakeholders and hence is disclosed to show the quality of cash generation and also to allow comparison to other similar companies. The above APMs are consistent with those reported for the year ended 31 May 2022, except for the removal of the Group revenue and Software Resilience revenue excluding IPM acquisition, which have been removed now that the Group has comparable data following the acquisition in June 2021. Adjusted EBITDA and Adjusted operating profit The calculation of Adjusted EBITDA and Adjusted operating profit from continuing operations is set out below: 2023 £m 2022 £m Operating profit 1.9 34.7 Depreciation of property, plant and equipment 4.5 3.9 Depreciation of right-of-use assets 5.7 5.4 Amortisation of customer contracts and relationships (acquired intangibles) 10.0 8.6 Amortisation of software and development costs 2.4 1.8 Individually Significant Items (Note 5) 14.7 0.9 Share-based payments charge (Note 26) 2.2 3.9 Adjusted EBITDA 41.4 59.2 Depreciation and amortisation (excluding amortisation charged on acquired intangibles) (12.6) (11.1) Adjusted operating profit 28.8 48.1 3 Alternative Performance Measures (APMs) and adjusting items continued NCC Group plc — Annual report and accounts for the year ended 31 May 2023176 Notes to the Financial Statements continued at 31 May 2023 3 Alternative Performance Measures (APMs) and adjusting items continued Net debt excluding lease liabilities and net debt The calculation of net debt excluding lease liabilities and net debt is set out below: 2023 £m 2022 £m Cash and cash equivalents (Note 24) 34.1 73.2 Bank overdraft (Note 24) (1.8) — Borrowings (Note 24) (81.9) (125.6) Net debt excluding lease liabilities (49.6) (52.4) Lease liabilities (30.0) (32.6) Net debt (79.6) (85.0) Cash conversion ratio The calculation of the cash conversion ratio is set out below: 2023 £m 2022 £m Cash generated from operating activities before interest and taxation (A) 42.6 60.3 Adjusted EBITDA (B) 41.4 59.2 Cash conversion ratio (%) (A)/(B) 102.9% 101.9% Constant currency revenue The following tables show how constant currency revenue growth has been calculated and reconciled to statutory actual rate growth. Group Revenue: Revenue 2023 £m Revenue 2022 £m % change at actual rates Revenue 2023 £m Constant currency revenue 2022 £m % change at constant currency Total revenue 335.1 314.8 6.4% 335.1 330.3 1.5% Unaudited proforma total revenue Following the acquisition of IPM in the prior period, goodwill and intangible assets were recognised amounting to £68.6m and £92.6m respectively. Management was required to recognise all assets and liabilities at fair value, giving rise to a fair value adjustment on the level of deferred revenue acquired of £12.1m. This had resulted in a downward adjustment to the book value of IPM’s deferred revenues reflecting the fair value of service still to be delivered. If the fair value adjustment had not applied, revenue would be £4.4m higher for the 12 months ended 31 May 2022. On this basis, management has set out below unaudited proforma information to show the consequential impact on the Group results for the year ended 31 May 2023. Unaudited proforma total revenue is not a statutory measure. Revenue 2023 £m Revenue 2022 * £m % change at actual rates Revenue 2023 £m Constant currency revenue 2022 * £m % change at constant currency Total revenue 335.1 314.8 6.4% 335.1 330.3 1.5% Software Resilience revenue adjustment — 4.4 n/a — 4.8 n/a Unaudited proforma total revenue 335.1 319.2 5.0% 335.1 335.1 — * 2022 revenue is not a statutory measure and includes the Software Resilience revenue adjustment. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 177 3 Alternative Performance Measures (APMs) and adjusting items continued Constant currency revenue continued Cyber Security 2 Cyber Security 2 revenue analysis – by originating country: Revenue 2023 £m Revenue 2022 £m % change at actual rates Revenue 2023 £m Constant currency revenue 2022 £m % change at constant currency UK and APAC 118.4 114.6 3.3% 118.4 115.0 3.0% North America 99.3 94.1 5.5% 99.3 104.4 (4.9%) Europe 53.1 49.8 6.6% 53.1 51.1 3.9% Total Cyber Security 2 revenue 270.8 258.5 4.8% 270.8 270.5 0.1% Revenue H1 2023 £m Revenue H1 2022 £m % change at actual rates Revenue H1 2023 £m Constant currency revenue H1 2022 £m % change at constant currency UK and APAC 61.6 54.6 12.8% 61.6 55.0 12.0% North America 59.2 44.0 34.5% 59.2 51.0 16.1% Europe 24.2 24.6 (1.6%) 24.2 24.9 (2.8%) Total Cyber Security 2 revenue 145.0 123.2 17.7% 145.0 130.9 10.8% Revenue H2 2023 £m Revenue H2 2022 £m % change at actual rates Revenue H2 2023 £m Constant currency revenue H2 2022 £m % change at constant currency UK and APAC 56.8 60.0 (5.3%) 56.8 60.0 (5.3%) North America 40.1 50.1 (20.0%) 40.1 53.4 (24.9%) Europe 28.9 25.2 14.7% 28.9 26.2 10.3% Total Cyber Security 2 revenue 125.8 135.3 (7.0%) 125.8 139.6 (9.9%) Cyber Security 1 revenue analysed by type of service/product line: Revenue 2023 £m Restated * Revenue 2022 £m % change at actual rates Revenue 2023 £m Restated * Constant currency revenue 2022 £m % change at constant currency Global Professional Services (GPS) 199.3 195.4 2.0% 199.3 205.6 (3.1%) Global Managed Services (GMS) 67.8 58.6 15.7% 67.8 60.3 12.4% Product sales (own and third party) 3.7 4.5 (17.8%) 3.7 4.6 (19.6%) Total Cyber Security 2 revenue 270.8 258.5 4.8% 270.8 270.5 0.1% * Restated to present revenue by category to be consistent with amounts reported to management. Revenue of £6.4m has been represented within GPS rather than product sales. Revenue H1 2023 £m Revenue H1 2022 £m % change at actual rates Revenue H1 2023 £m Constant currency revenue H1 2022 £m % change at constant currency Global Professional Services (GPS) 111.1 93.6 18.7% 111.1 100.6 10.4% Global Managed Services (GMS) 32.2 28.4 13.4% 32.2 29.1 10.7% Product sales (own and third party) 1.7 1.2 41.7% 1.7 1.2 41.7% Total Cyber Security 2 revenue 145.0 123.2 17.7% 145.0 130.9 10.8% 2 Formerly Assurance. NCC Group plc — Annual report and accounts for the year ended 31 May 2023178 Notes to the Financial Statements continued at 31 May 2023 3 Alternative Performance Measures (APMs) and adjusting items continued Constant currency revenue continued Cyber Security 2 continued Revenue H2 2023 £m Revenue H2 2022 £m % change at actual rates Revenue H2 2023 £m Constant currency revenue H2 2022 £m % change at constant currency Global Professional Services (GPS) 88.2 101.8 (13.4%) 88.2 105.0 (16.0%) Global Managed Services (GMS) 35.6 30.2 17.9% 35.6 31.2 14.1% Product sales (own and third party) 2.0 3.3 (39.4%) 2.0 3.4 (41.2%) Total Cyber Security 2 revenue 125.8 135.3 (7.0%) 125.8 139.6 (9.9%) Software Resilience Software Resilience revenue analysis – by originating country: Revenue 2023 £m Revenue 2022 £m % change at actual rates Revenue 2023 £m Constant currency revenue 2022 £m % change at constant currency UK 25.8 25.4 1.6% 25.8 25.4 1.6% North America 34.5 26.8 28.7% 34.5 30.2 14.2% Europe 4.0 4.1 (2.4%) 4.0 4.2 (4.8%) Total Software Resilience revenue 64.3 56.3 14.2% 64.3 59.8 7.5% Revenue H1 2023 £m Revenue H1 2022 £m % change at actual rates Revenue H1 2023 £m Constant currency revenue H1 2022 £m % change at constant currency UK 12.3 12.6 (2.4%) 12.3 12.7 (3.1%) North America 17.3 12.3 40.7% 17.3 14.7 17.7% Europe 2.0 2.0 — 2.0 2.0 — Total Software Resilience revenue 31.6 26.9 17.5% 31.6 29.4 7.5% Revenue H2 2023 £m Revenue H2 2022 £m % change at actual rates Revenue H2 2023 £m Constant currency revenue H2 2022 £m % change at constant currency UK 13.5 12.8 5.5% 13.5 12.7 6.3% North America 17.2 14.5 18.6% 17.2 15.5 11.0% Europe 2.0 2.1 (4.8%) 2.0 2.2 (9.1%) Total Software Resilience revenue 32.7 29.4 11.2% 32.7 30.4 7.6% Software Resilience revenues analysed by service line: Revenue 2023 £m Revenue 2022 £m % change at actual rates Revenue 2023 £m Constant currency revenue 2022 £m % change at constant currency Software Resilience contracts 42.8 38.1 12.3% 42.8 40.4 5.9% Verification services 21.5 18.2 18.1% 21.5 19.4 10.8% Total Software Resilience revenue 64.3 56.3 14.2% 64.3 59.8 7.5% 2 Formerly Assurance. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 179 3 Alternative Performance Measures (APMs) and adjusting items continued Constant currency revenue continued Software Resilience continued Revenue H1 2023 £m Revenue H1 2022 £m % change at actual rates Revenue H1 2023 £m Constant currency revenue H1 2022 £m % change at constant currency Software Resilience contracts 21.3 18.7 13.9% 21.3 20.6 3.4% Verification services 10.3 8.2 25.6% 10.3 8.8 17.0% Total Software Resilience revenue 31.6 26.9 17.5% 31.6 29.4 7.5% Revenue H2 2023 £m Revenue H2 2022 £m % change at actual rates Revenue H2 2023 £m Constant currency revenue H2 2022 £m % change at constant currency Software Resilience contracts 21.5 19.4 10.8% 21.5 19.8 8.6% Verification services 11.2 10.0 12.0% 11.2 10.6 5.7% Total Software Resilience revenue 32.7 29.4 11.2% 32.7 30.4 7.6% Software Resilience unaudited proforma total revenue Following the acquisition of IPM in the prior period, goodwill and intangible assets were recognised amounting to £68.6m and £92.6m respectively. Management was required to recognise all assets and liabilities at fair value, giving rise to a fair value adjustment on the level of deferred revenue acquired of £12.1m. This had resulted in a downward adjustment to the book value of IPM’s deferred revenues reflecting the fair value of service still to be delivered. If the fair value adjustment had not applied, revenue would be £4.4m higher for the 12 months ended 31 May 2022. On this basis, management has set out below unaudited proforma information to show the consequential impact on the Group results for the year ended 31 May 2023. Software Resilience unaudited proforma total revenue is not a statutory measure. Revenue 2023 £m Revenue 2022 1 £m % change at actual rates Revenue 2023 £m Constant currency revenue 2022 1 £m % change at constant currency Software Resilience contracts 42.8 42.3 1.2% 42.8 45.0 (4.9%) Verification services 21.5 18.4 16.8% 21.5 19.6 9.7% Software Resilience unaudited proforma total revenue 64.3 60.7 5.9% 64.3 64.6 (0.5%) 1 2022 revenue is not a statutory measure and includes the Software Resilience revenue adjustment. NCC Group plc — Annual report and accounts for the year ended 31 May 2023180 Notes to the Financial Statements continued at 31 May 2023 4 Segmental information The Group is organised into the following two (2022: two) reportable segments: Cyber Security 2 and Software Resilience. The two reporting segments provide distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. The operating segments are grouped into the reporting segments on the basis of how they are reported to the Chief Operating Decision Maker (CODM) for the purposes of IFRS 8 ‘Operating Segments’, which is considered to be the Board of Directors of NCC Group plc. Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their relatively homogeneous commercial and strategic market environments. Performance is measured based on reporting segment profit, which comprises Adjusted operating profit 1 and adjusting items are not allocated to business segments. Interest and tax are also not allocated to business segments and there are no intra-segment sales. Segmental analysis 2023 Cyber Security 2 £m Software Resilience £m Central and head office £m Group £m Revenue 270.8 64.3 — 335.1 Cost of sales (184.7) (18.4) — (203.1) Gross profit 86.1 45.9 — 132.0 Gross margin % 31.8% 71.4% 39.4% General administrative expenses allocated (70.7) (14.7) (5.2) (90.6) Adjusted EBITDA 1 15.4 31.2 (5.2) 41.4 Depreciation and amortisation (8.5) (0.6) (3.5) (12.6) Adjusted operating profit 1 6.9 30.6 (8.7) 28.8 Individually Significant Items (Note 5) (12.3) (2.4) — (14.7) Amortisation of acquired intangibles (1.2) (5.8) (3.0) (10.0) Share-based payments (1.6) (0.1) (0.5) (2.2) Operating profit (8.2) 22.3 (12.2) 1.9 Finance costs (6.2) Loss before taxation (4.3) Taxation (0.3) Loss for the year (4.6) Segmental analysis 2022 Cyber Security 2 £m Software Resilience £m Central and head office £m Group £m Revenue 258.5 56.3 — 314.8 Cost of sales (166.2) (16.0) — (182.2) Gross profit 92.3 40.3 — 132.6 Gross margin % 35.7% 71.6% — 42.1% General administrative expenses allocated (53.2) (17.5) (2.7) (73.4) Adjusted EBITDA 1 39.1 22.8 (2.7) 59.2 Depreciation and amortisation (7.2) (0.8) (3.1) (11.1) Adjusted operating profit 1 31.9 22.0 (5.8) 48.1 Individually Significant Items (Note 5) — (0.9) — (0.9) Amortisation of acquired intangibles (0.9) (4.8) (2.9) (8.6) Share-based payments (2.1) (0.3) (1.5) (3.9) Operating profit 28.9 16.0 (10.2) 34.7 Finance costs (3.7) Profit/(loss) before taxation 31.0 Taxation (8.0) Profit for the year 23.0 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. 2 Formerly Assurance. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 181 4 Segmental information continued Segmental analysis 2023 Cyber Security 2 £m Software Resilience £m Central and head office £m Group £m Additions to non-current assets 7.0 0.3 4.3 11.6 Reportable segment assets 123.7 180.5 197.2 501.4 Reportable segment liabilities (131.4) (21.0) (70.8) (223.2) Segmental analysis 2022 Cyber Security 2 £m Software Resilience £m Central and head office £m Group £m Additions to non-current assets 9.0 161.5 4.7 175.2 Reportable segment assets 128.7 236.9 210.8 576.4 Reportable segment liabilities (102.0) (36.5) (144.7) (283.2) The Central and head office cost centre is not considered to be a separate operating segment nor part of any other operating segment as it does not generate any revenues. Included within Central and head office are assets and liabilities not specifically allocated to the reporting segments and include investments, head office tangible and intangible assets, deferred tax assets and liabilities, right-of-use assets and associated lease liabilities, Parent Company cash balances, the RCF facility and certain provisions. Central and head office assets and liabilities are disclosed to allow a reconciliation back to the Group’s assets and liabilities. The net book value of non-current assets (excluding deferred tax assets) is analysed geographically as follows: 2023 £m 2022 (restated) * £m UK 164.6 171.4 APAC 2.4 2.8 North America 222.6 234.4 Europe 8.5 11.3 Total non-current assets 398.1 419.9 * Restated to reflect non-current assets (excluding deferred tax assets) previously stated at £417.4m (which included deferred tax assets) and represented to present APAC non-current assets of £2.8m separately from the UK segment. UK and APAC previously presented £175.6m non-current assets, this is now presented as APAC £2.8m and the UK restated to £171.4m. North America previously presented £230.5m non-current assets, this has now been restated to £234.4m to reconcile with the closing balance sheet. Revenue is disaggregated by primary geographical market, by category and by timing of revenue recognition as follows: Cyber Security 2 £m Software Resilience £m 2023 Total £m Cyber Security 2 £m Software Resilience £m 2022 Total £m Revenue by originating country UK 106.6 25.8 132.4 103.9 25.4 129.3 APAC 11.8 — 11.8 10.7 — 10.7 North America 99.3 34.5 133.8 94.1 26.8 120.9 Europe 53.1 4.0 57.1 49.8 4.1 53.9 Total revenue 270.8 64.3 335.1 258.5 56.3 314.8 Cyber Security 2 £m Software Resilience £m 2023 Total £m Restated Cyber Security * 2 £m Software Resilience £m 2022 Total £m Revenue by category Services 267.1 64.3 331.4 254.0 56.3 310.3 Products 3.7 — 3.7 4.5 — 4.5 Total revenue 270.8 64.3 335.1 258.5 56.3 314.8 * Restated to present revenue by category to be consistent with amounts reported to management. Revenue of £6.4m has been restated within services rather than product sales. 2 Formerly Assurance. NCC Group plc — Annual report and accounts for the year ended 31 May 2023182 Notes to the Financial Statements continued at 31 May 2023 4 Segmental information continued Cyber Security 2 £m Software Resilience £m 2023 Total £m Restated Cyber Security 2, * £m Software Resilience £m 2022 Total £m Timing of revenue recognition Services and products transferred over time 252.9 42.8 295.7 242.4 37.6 280.0 Services and products transferred at a point in time 17.9 21.5 39.4 16.1 18.7 34.8 Total revenue 270.8 64.3 335.1 258.5 56.3 314.8 * Restated to present revenue by category to be consistent with amounts reported to management. Revenue of £192.8m has restated within services and products transferred over time rather than within services and products transferred at a point in time in the Cyber Security 1 division consistent with the accounting policy applied. There are no customer contracts in either 2023 or 2022 which account for more than 10% of segment revenue. 5 Individually Significant Items (ISI) The Group separately identifies items as Individually Significant Items. Each of these is considered by the Directors to be sufficiently unusual in terms of nature or scale so as not to form part of the underlying performance of the business. They are therefore separately identified and excluded from adjusted results (as explained in Note 3). Reference 2023 £m 2022 £m North America Cyber Security 2 goodwill impairment a 9.8 — Fundamental re-organisation costs b 4.2 — Costs associated with strategic review of Software Resilience business c 3.0 — NCC Group A/S goodwill impairment d 3.0 — IPM Software Resilience business deferred income adjustment e (0.6) — Profit on disposal of DDI business f (4.7) — Costs directly attributable to the acquisition of IPM Software Resilience business g — 0.9 Total ISIs 14.7 0.9 £2.7m of costs associated with the strategic review of the Software Resilience business and £0.8m of fundamental re-organisation costs (total £3.5m) have been accrued for at the year ended 31 May 2023, of which £0.3m are recognised as a redundancy provision. The remaining £3.7m of these costs have been paid as cash during the year ended 31 May 2023 (2022: £nil costs accrued and £0.9m paid as cash). (a) North America Cyber Security 2 goodwill impairment Following the annual impairment review of Goodwill, an impairment has been recognised amounting to £9.8m. For further details, please see note 12. Such costs meet the Group’s policy for ISIs as this is a significant one-off event. (b) Fundamental re‑organisation costs In order to implement the next chapter of the Group’s strategy to enhance future growth, certain strategic actions are required including reshaping the Group global delivery and operational model. This reshaping is considered a fundamental reorganisation and restructuring programme (meeting the Group’s policy for ISIs) that will span reporting periods and the total project size and nature are considered in totality. The programme commencement was accelerated following the Group experiencing specific market conditions that validated the rationale of the next chapter of the Group’s strategy. The programme has three phases as follows: • Phase 1 (March–April 2023) – initial reduction in global delivery and operational headcount; c.7% reduction of the Group’s global headcount • Phase 2 (June–September 2023) – a further reduction in global delivery, operational and corporate functions headcount prior to opening our off-shore operations and delivery centre in Manila • Phase 3 (October 2023–May 2025) – finalisation of the Group’s operating model Phases 2–3 are being implemented by the Group with the assistance of a third party to ensure the Group complete the fundamental reorganisation efficiently. Costs of £4.2m (2022: £nil) and cash outflow of £3.4m (2022: £nil) have been incurred in relation to the implementation of this re-organisation and are made up of severance costs, associated taxes and professional fees for advisory and legal services. It is expected that costs will be incurred for the years ending 31 May 2024 and 2025 and the Group will have to exercise judgement in assessing whether the restructuring items should be classified as ISI, this will involve taking into account the nature of the item, cause of occurrence and scale of the impact of those items on the reported performance, resultant benefits and after considering the original reorganisation programme principles and plans. 2 Formerly Assurance. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 183 5 Individually Significant Items (ISI) continued (c) Costs associated with strategic review of Software Resilience business During February 2023, the Group announced its ongoing strategic review of the Software Resilience business and of other core and non-core assets. During the year ended 31 May 2023, professional fees totalling £3.0m (2022: £nil) mainly in respect of advisory services have been incurred. Such costs meet the Group’s policy for ISIs as they have been incurred as part of the wider re-structuring/re-organisation activities that are ongoing within the Group. The Group has now stopped the strategic review of the Software Resilience business, which will be revisited by the Board when considered appropriate. (d) NCC Group A/S goodwill impairment On 1 June 2022, the Group made the decision to re-organise its Danish business (NCC Group A/S) which had previously been a part of the Europe Cyber Security 1 CGU. Following that re-organisation, the cash inflows associated with the Danish business are separately identifiable and therefore the carrying value of the CGU assets has been assessed separately for impairment at 31 May 2023. The charge of £3.0m (2022: £nil) represents the impairment of goodwill associated with the Danish business following completion of that review. Such profits meet the Group’s policy for ISIs as this is a significant one-off event. (e) IPM Software Resilience business deferred income adjustment This represents an adjustment to the opening deferred income balance in respect of the IPM acquisition in June 2021. During FY23, opening deferred income balances on verification tests totalling £0.6m have been identified for which the work has not been performed and the statute of limitations has now expired. As the period of hindsight for adjusting goodwill has now expired management has released these amounts to the income statement. Given the nature of this release which would typically have been adjusted to goodwill it is considered to meet the definition of an individually significant item and has been classified as such. (f) Profit on disposal of DDI business On 31 December 2022, the Group disposed of its DDI business for cash consideration of £5.8m. The profit of £4.7m (2022: £nil) is directly attributable to the disposal of the DDI business. Please see Note 34 for further details. Such profits meet the Group’s policy for ISIs as the proceeds represent a material profit on disposal. (g) Costs directly attributable to the acquisition of the IPM Software Resilience business These costs are directly attributable to the material acquisition of the IPM Software Resilience business during the year ended 31 May 2022 and are therefore considered to meet the Group’s policy for ISIs. The nature of the costs includes legal, accountancy, due diligence and other advisory services. The total costs amount to £8.5m, of which £nil has been charged to the Income Statement in the year ended 31 May 2023 (2022: £0.9m, 2021: £7.6m). Of the total costs of £8.5m incurred, the Group saw a cash outflow of £nil in the year ended 31 May 2023 (2022: £7.3m, 2021: £1.2m). The difference between the cash outflow and the costs charged to the Income Statement relates to £6.4m of costs relating to services performed in the year ended 31 May 2021 but for which the cash outflow did not occur until the year ended 31 May 2022 in line with supplier payment terms. 6 Expenses and auditor’s remuneration 2023 £m 2022 £m Loss/(profit) before taxation is stated after charging/(crediting): Amounts receivable by auditor and its associates in respect of: Audit of these Financial Statements 1.1 1.0 Audit of Financial Statements of subsidiaries pursuant to legislation 0.2 0.2 Total audit 2 1.3 1.2 Amortisation of development costs (Note 12) 1.2 0.9 Amortisation of software costs (Note 12) 1.2 0.9 Amortisation of acquired intangibles (Note 12) 10.0 8.6 Depreciation of property, plant and equipment (Note 13) 4.5 3.9 Depreciation of right-of-use assets (Note 14) 5.7 5.4 Impairment charge/(reversal) of right-of-use-assets 0.5 (0.1) Impairment of software costs 0.6 — Individually Significant Items (ISIs) (Note 5) 14.7 0.9 Credit losses recognised on financial assets (Note 17) (1.5) 0.6 Cost of inventories recognised as an expense 0.6 1.0 Foreign exchange losses/(gains) 0.6 (0.6) Lease rental costs charged: – Hire of property, plant and equipment 3 — 0.1 Research and development UK tax credits (0.5) (1.0) Profit on disposal of right-of-use assets (0.7) — 1 Formerly Assurance. 2 The only non-audit service provided by the auditor was for the interim review at 30 November 2021, for which the fee was £80,000. No interim review was performed in the year ended 31 May 2023. 3 The charge to the Income Statement in respect of lease rental costs relates entirely to short-term leases for which the Group has taken the exemption allowed from applying the principles of IFRS 16. NCC Group plc — Annual report and accounts for the year ended 31 May 2023184 Notes to the Financial Statements continued at 31 May 2023 7 Staff numbers and costs Directors’ emoluments are disclosed in the Remuneration Committee Report. Total aggregate emoluments of the Directors in respect of 2023 were £2.3m (2022: £2.2m). Employer contributions to pensions for Executive Directors for qualifying periods were £nil (2022: £nil). The Company provided pension payments in lieu of pension contributions for three (2022: two) Executive Directors during the year ended 31 May 2023 amounting to £32,000 (2022: £44,000). The aggregate net value of share awards granted to the Directors in the period was £1.9m (2022: £1.4m). The net value has been calculated by reference to the closing mid-market price of the Company’s shares on the day before the date of grant. During the year, 98,598 (2022: 237,448) share options were exercised by Directors and their gain on exercise of share options was £13,463 (2022: £20,895). The average monthly number of persons employed by the Group during the year, including Executive Directors, is analysed by category as follows: Number of colleagues 2023 2022 Operational 1,955 1,848 Administration 478 417 Total 2,433 2,265 The aggregate payroll costs of these persons were as follows: 2023 £m 2022 £m Wages and salaries 208.1 180.7 Share-based payments (Note 26) 2.2 3.9 Social security costs 20.3 17.3 Other pension costs (Note 31) 6.3 5.1 Total payroll costs 236.9 207.0 8 Finance costs 2023 £m 2022 £m Interest payable on bank loans and overdrafts 4.5 2.5 Unamortised underwriting fees associated with old revolving credit facility 0.6 — Interest expense on lease liabilities 1.1 1.2 Finance costs 6.2 3.7 The above finance costs relate entirely to liabilities not at fair value through profit or loss. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 185 9 Taxation Recognised in the Income Statement 2023 £m 2022 £m Current tax expense Current year 0.1 2.2 Adjustment to tax expense in respect of prior periods (2.8) 0.2 Impact of prior year US R&D tax credits (1.0) (1.1) Foreign tax 5.9 6.5 Total current tax 2.2 7.8 Deferred tax expense Origination and reversal of temporary differences (3.0) (0.4) Movement in tax rate (0.2) (0.1) Derecognition of deductible timing differences — 0.8 Impact of prior year US R&D tax credits (0.4) — Adjustment to tax expense in respect of prior periods 1.7 (0.1) Total deferred tax (1.9) 0.2 Total tax expense 0.3 8.0 Reconciliation of effective tax rate 2023 £m 2022 £m (Loss)/profit before taxation (4.3) 31.0 Current tax using the UK effective corporation tax rate of 20% (2022: 19%) (0.9) 5.9 Effects of: Items not deductible/(assessable) for tax purposes 2.6 0.5 Adjustment to tax charge in respect of prior periods (1.1) 0.1 Impact of prior year US R&D tax credits (1.4) (1.1) Impact of current year US R&D tax credits (0.3) (0.2) Differences between overseas tax rates 1.0 1.7 Movements in temporary differences not recognised 0.6 1.2 Movement in tax rate (0.2) (0.1) Total tax expense 0.3 8.0 Current and deferred tax recognised directly in equity was a debit of £0.1m (2022: debit £0.3m), which relates to tax on share based payments. A combined prior year adjustment of £(1.1)m (current tax: £(2.8)m; deferred tax: £1.7m) largely reflects an adjustment to the tax treatment of certain revenue and costs associated with the acquisition of the IPM business in FY22. The UK government introduced legislation in the Finance Bill 2021 to increase the main rate of UK corporation tax from 19% to 25% with effect from 1 April 2023. The legislation was substantively enacted on 24 May 2021 and therefore UK deferred tax balances as at 31 May 2021, 31 May 2022 and 31 May 2023 are generally measured at a rate of 25%. Tax uncertainties The tax expense reported for the current year and prior year is affected by certain positions taken by management where there may be uncertainty. The most significant source of uncertainty arises from claims for US R&D tax credits relating to the current and previous periods. Uncertainty relates to the interpretation of US legislation applicable to periods where the statute of limitations has not expired. For the periods ended 31 May 2017 to 31 May 2023, the aggregate net current tax benefit taken to the Income Statement relating to US R&D tax credits is £5.6m (2022: £4.0m). As at 31 May 2023, the gross deferred tax asset relating to US R&D tax credits is £1.4m (2022: £0.5m) although due to uncertainty a partial provision of £0.8m (2022: £0.3m) has been made against this asset. The gross cumulative amount of US R&D tax credits amounts to £10.4m (2022: £9.3m) and the net cumulative amount is £6.2m (2022: £5.1m). The cumulative provision of £4.2m comprises a deferred tax element (£0.8m) relating to tax credits as yet unutilised against US tax and a current tax element (£3.4m) relating to utilised tax credits. The latter provision will unwind as the statute of limitation windows expire for claims made in respective periods. The provision relating to utilised tax credits of £3.4m is expected to unwind as follows: FY24: £1.2m, FY25: £1.0m, FY26: £0.4m and FY27: £0.8m. NCC Group plc — Annual report and accounts for the year ended 31 May 2023186 Notes to the Financial Statements continued at 31 May 2023 10 Dividends 2023 £m 2022 £m Dividends paid and recognised in the year 14.5 14.4 Dividends per share paid and recognised in the year 4.65p 4.65p Dividends per share proposed but not recognised in the year 3.15p 3.15p The proposed final dividend for the year ended 31 May 2023 of 3.15p per ordinary share (approximately £9.8m) was recommended by the Board on 11 September 2023 and will be paid on 8 December 2023, to shareholders on the register at the close of business on 10 November 2023. The ex-dividend date is 9 November 2023. The dividend will be recommended to shareholders at the AGM on 30 November 2023. The dividend has not been included as a liability as at 31 May 2023. The payment of this dividend will not have any tax consequences for the Group. Dividend policy Dividends are the way the Company makes distributions from the Company’s distributable reserves to shareholders. The Board decides the level of the dividend with each half-year reporting period (i.e. 30 November and 31 May). If an interim or final dividend is declared, the Company pays the dividend approximately eight weeks after the results announcement. A dividend is paid for each share, so the amount you receive depends on the number of shares you own. The Company currently continues to pay a dividend equal to that paid in the prior years as the Board is conscious of the need to invest in initiatives to support longer-term growth and service the debt profile following the recent acquisition. 11 Earnings per ordinary share Earnings per ordinary share are shown on a statutory and an adjusted basis to assist in the understanding of the performance of the Group. 2023 £m 2022 £m Statutory earnings (A) (4.6) 23.0 Number of shares m Number of shares m Weighted average number of shares in issue 311.1 309.5 Less: weighted average holdings by Group ESOT (0.7) — Basic weighted average number of shares in issue (C) 310.4 309.5 Dilutive effect of share options 0.8 1.4 Diluted weighted average shares in issue (D) 311.2 310.9 For the purposes of calculating the dilutive effect of share options, the average market value is based on quoted market prices for the period during which the options are outstanding. 2023 Pence 2022 Pence Earnings per ordinary share Basic (A/C) (1.5) 7.4 Diluted (A/D) (1.5) 7.4 Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 187 11 Earnings per ordinary share continued Adjusted basic EPS 1 is reconciled as follows: 2023 £m 2022 £m Statutory earnings (A) (4.6) 23.0 Amortisation of acquired intangibles 10.0 8.6 Share-based payments 2.2 3.9 Individually Significant Items (see Note 5) 14.7 0.9 Tax effect of above items (3.4) (2.9) Adjusted earnings (B) 18.9 33.5 2023 Pence 2022 Pence Adjusted earnings per ordinary share Basic (B/C) 6.1 10.8 Diluted (B/D) 6.1 10.8 12 Goodwill and intangible assets Goodwill £m Software £m Development costs £m Customer contracts and relationships £m Intangibles sub-total £m Total £m Cost: At 1 June 2021 238.9 14.5 11.7 73.1 99.3 338.2 Additions — 1.6 1.3 — 2.9 2.9 On acquisition 69.7 2.5 — 91.4 93.9 163.6 Effects of movements in exchange rates 13.5 0.1 (0.1) 12.3 12.3 25.8 At 31 May 2022 322.1 18.7 12.9 176.8 208.4 530.5 Additions — 2.5 0.9 — 3.4 3.4 Disposals (see Note 34) (1.0) — — — — (1.0) Effects of movements in exchange rates 3.5 — — 2.4 2.4 5.9 At 31 May 2023 324.6 21.2 13.8 179.2 214.2 538.8 Accumulated amortisation and impairment: At 1 June 2021 (56.0) (11.8) (9.0) (57.5) (78.3) (134.3) Charge for year — (0.9) (0.9) (8.6) (10.4) (10.4) Effects of movements in exchange rates — — 0.1 (1.2) (1.1) (1.1) At 31 May 2022 (56.0) (12.7) (9.8) (67.3) (89.8) (145.8) Charge for year — (1.2) (1.2) (10.0) (12.4) (12.4) Impairment (12.8) (0.6) — — (0.6) (13.4) Effects of movements in exchange rates — — (0.1) (0.4) (0.5) (0.5) At 31 May 2023 (68.8) (14.5) (11.1) (77.7) (103.3) (172.1) Net book value: At 31 May 2022 266.1 6.0 3.1 109.5 118.6 384.7 At 31 May 2023 255.8 6.7 2.7 101.5 110.9 366.7 Development costs are capitalised in accordance with IAS 38 development criteria. For this reason, these are not regarded as realised losses. The impairment of software of £0.6m relates to a specific asset under development which was no longer deemed to be economically viable and therefore development was ceased. 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. NCC Group plc — Annual report and accounts for the year ended 31 May 2023188 Notes to the Financial Statements continued at 31 May 2023 12 Goodwill and intangible assets continued Cash generating units (CGUs) Goodwill and intangible assets are allocated to CGUs in order to be assessed for potential impairment. CGUs are defined by accounting standards as the lowest level of asset groupings that generate separately identifiable cash inflows that are not dependent on other CGUs. On 1 June 2022, the Group made the decision to re-organise its Danish business (NCC Group A/S) which had previously been a part of the Europe Cyber Security 2 CGU. Following that re-organisation, the cash inflows associated with the Danish business are separately identifiable and therefore the carrying value of the CGU assets have been assessed separately for impairment at 31 May 2023. The IPM business was acquired on 1 June 2021, since this date the IPM business has been integrated into the wider North America Software Resilience CGU such that the cash inflows relating to this business are no longer separately identifiable. The CGUs and the allocation of goodwill to those CGUs are shown below: Cash generating units Goodwill 2023 £m Goodwill 2022 £m UK Software Resilience 22.9 22.9 North America Software Resilience 87.2 8.5 IPM Software Resilience — 76.9 Europe Software Resilience 7.4 7.3 Total Software Resilience 117.5 115.6 UK and APAC Cyber Security 2 44.3 45.4 North America Cyber Security 2 31.6 39.9 Europe Cyber Security 2 62.4 65.2 NCC Group A/S — — Total Cyber Security 2 138.3 150.5 Total Group 255.8 266.1 Impairment review Goodwill is tested for impairment annually at the level of the CGU to which it is allocated. For the year ended 31 May 2022, the recoverable amount of all CGUs concerned was measured on a value in use basis (VIU), with the exception of the Europe Cyber Security 2 CGU and the IPM Software Resilience CGU, which were measured on a fair value less costs to sell (FVLCTS) basis. For the year ended 31 May 2023, the recoverable amount of all CGUs was measured on a fair value less costs to sell basis. Capitalised development and software costs are included in the CGU asset bases when performing the impairment review. Capitalised development projects and software intangible assets are also considered, on an asset-by-asset basis, for impairment where there are indicators of impairment. The Directors have considered the impact of climate change on this review, with no material impact identified. Fair value less costs to sell For the year ended 31 May 2023, the recoverable amount of all CGUs has been determined on a fair value less costs to sell basis for the purposes of the impairment review. The valuation under FVLCTS is expected to exceed the valuation under VIU because uncommitted restructurings and resulting operating efficiencies are not considered within in a VIU valuation in line with the requirements of IAS 36. The FVLCTS valuation has been calculated by assessing the value of each standalone CGU calculated using an Adjusted EBITDA 1 multiple based on estimated sustainable earnings adjusted for specific items where relevant. Estimated sustainable earnings has been determined taking into account past experience and includes expectations based on a market participant view of sustainable performance of the business based on market volatility and uncertainty as at 31 May 2023. The sustainable earnings input is a level 3 measurement; level 3 measurements are inputs which are normally unobservable to market participants. The Group incurs certain overhead costs in respect of support services provided centrally to the CGUs. Such support services include Finance, Human Resources, Legal, Information Technology and additional central management support in respect of stewardship and governance. In calculating sustainable earnings these overhead costs have been allocated to the CGUs based on the extent to which each CGU has benefitted from the services provided. Commonly this is driven by time spent by the relevant central department in supporting the CGU, informed by headcount or where possible specific cost allocations have been made. During the year, this allocation has been refined to ensure the allocation is representative of the business operating model. The Adjusted EBITDA 1 multiple used in the calculations is based on an independent third-party assessment of the implied enterprise value of each CGU based on a population of comparable companies as at 31 May 2023. The estimated cost to sell was based on other recent transactions that the Group has undertaken. 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. 2 Formerly Assurance. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 189 12 Goodwill and intangible assets continued Fair value less costs to sell continued Impairment During March 2023, the Group gave a trading update that market volatility had materially increased significantly impacting on Cyber Security 2 revenue and profitability, particularly in the North American technology sector. The key factors were: • buying decision delays and cancellations exacerbated by North America tech sector client layoffs. • turmoil in the Banking sector following the failure of Silicon Valley Bank further knocking market confidence leading to reduced appetite to spend on technology projects across sectors. • Interest rate increases in the US creating further inflationary challenges for clients. The board has assessed the recoverable amount of the North America Cyber Security 2 CGU based on its FVLCTS at 31 May 2023 as described above. Based on that assessment, the carrying amount of this CGU exceeded its recoverable amount and therefore an impairment loss of £9.8m has been recognised reducing the value of goodwill allocated to this CGU to £31.6m. This amount has been recognised as an Individually Significant Item (see Note 5). The impairment charge recognised has resulted in a reduction in the carrying value of goodwill only. On 1 June 2022, the Group made the decision to re-organise its Danish business (NCC Group A/S) which had previously been a part of the Europe Cyber Security 2 CGU. Following this re-organisation, management has estimated the recoverable amount of the NCC Group A/S CGU based on its FVLCTS at 31 May 2023 as described above. Based on that estimate an impairment loss of £3.0m has been recognised reducing the value of Goodwill allocated to this CGU to £nil. This amount has been recognised as an individually significant item (see Note 5). The impairment charge recognised has resulted in a reduction in the carrying value of goodwill only. The Board has assessed the recoverable amount of the Europe Cyber Security 2 CGU based on its FVLCTS at 31 May 2023 as described above. Based on that assessment the Board is satisfied that the recoverable amount exceeds the carrying value of assets allocated to that CGU. However, there are reasonably possible changes to certain key inputs that could give rise to an impairment. Please see sensitivity analysis below. Sensitivity analysis The key inputs used in the FVLCTS calculation are the Adjusted EBITDA 1 used and the multiple applied to that sustainable earnings. Specifically, the key assumptions to the Adjusted EBITDA 1 are considered to be the expected revenue and costs that have been used to calculate sustainable earnings. The table below shows the sensitivity of headroom to reasonably possible changes in the key assumptions, after the £9.8m impairment in the North America Cyber Security 2 CGU during FY23. Sensitivities: impact on carrying value CGU Headroom £m Decrease in revenue of 10% 3 £m Increase in all costs of 5% £m North America Cyber Security 2,4 — (21.7) (26.5) Europe Cyber Security 2 13.4 (9.9) (14.3) If revenue included in sustainable earnings for North America Cyber Security 1 increased by 5%, while holding the gross margin percentage at a fixed rate then there would be no impairment associated with this CGU. With respect to the NCC Group A/S CGU, there is no reasonably possible scenario that would support a carrying value of goodwill greater than £nil. No other reasonably possibly changes in key inputs including the multiple could give rise to an impairment or further material impairment to any CGUs. In the prior year, for the Europe Cyber Security 1 CGU and the IPM Software Resilience CGU there were no reasonably possible change in key inputs that could give rise to an impairment to any CGUs. Value in use (for the year ended 31 May 2022 only) VIU represents the present value of the future cash flows that are expected to be generated by the CGU to which the goodwill is allocated. VIU calculations are an area of management estimation. These calculations require the use of estimates (inputs), specifically: pre-tax cash flow projections; long-term growth rates; and a pre-tax discount rate. Further detail in relation to these assumptions used in the Group’s goodwill annual impairment review is as follows: 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. 2 Formerly Assurance. 3 While holding gross margin percentage at a fixed rate. 4 Sensitivities shown for North America Cyber Security are in addition to the £9.8m impairment recognised in the year ended 31 May 2023. NCC Group plc — Annual report and accounts for the year ended 31 May 2023190 Notes to the Financial Statements continued at 31 May 2023 12 Goodwill and intangible assets continued Pre‑tax cash flow projections Pre-tax cash flow projections are based on the Group’s budget for the forthcoming financial year and longer-term three year strategic plans to 2025. The budget and three year strategic plan are compiled by the business unit management teams using a detailed, bottom-up process with respect to revenue, margin and overheads, taking into account factors specific to that business unit as well as wider economic factors such as industry growth expectations and the impact of Covid-19 or the Ukraine conflict. The Group’s revenue forecasts are developed using the most reliable data available, such as the size of the existing contract base and details of confirmed orders, as well as assumptions over key operational inputs to underpin the forecast for each revenue stream. The combined effect of these individual assumptions on the overall growth rate assumed for each area of the business is then compared to management’s experience of growth and the industry’s expected growth rate. For cost forecasts, the majority of which are people related, headcount changes are forecast for delivery and sales staff in order that there are sufficient resources to support the forecasted required revenue delivery capacity as well as to deliver against sales targets, while also factoring in payroll inflation expectations. Overhead costs are also forecast using a bottom-up process. Forecasts go through a detailed review process and are subject to challenge at each stage of review, including by the Executive Committee. Ultimately the forecasts are approved by the Board. Assumptions have then been applied for expected revenue, margin growth, overheads and Adjusted EBITDA ¹ for the subsequent two years from the end of 2023. Adjusted EBITDA ¹ is considered a proxy for operating cash flow before changes in working capital. Pre-tax cash flow projections also include assumptions on working capital and capital expenditure requirements for each CGU. These assumptions are based on management’s experience of growth and knowledge of the industry sectors, markets and the Group’s internal opportunities for growth and margin enhancement. The projections beyond five years into perpetuity use an estimated long-term growth rate. Management has taken into account the impact of Covid-19 in formulating the above assumptions, and the underlying uncertainty of Covid-19 has been reflected in the assumptions underpinning the cash flow forecasts for each CGU rather than the pre-tax discount rates used in the impairment test. Forecast working capital and capital expenditure included within the pre-tax cash flow projections are based on management’s expectations of future expenditure required to support the Group and current run rate requirements. The revenue % growth for the Cyber Security 2 CGU is considered by management to be appropriate for the specific industry in which the CGU operates. Management has considered available external market data in determining the revenue growth rates over the five year forecast period. Long‑term growth rates To forecast growth beyond the detailed cash flows into perpetuity, a long-term average growth rate ranging between 1.5% and 2.5% for the year ended 31 May 2022 was used based on the specific geography of the CGU, as shown in the table below. This range represents management’s best estimate of a long-term annual growth rate aligned to an assessment of long-term GDP growth rates. A higher sector-specific growth rate would be a valid alternative estimate. A different set of assumptions may be more appropriate in future years dependent on changes in the macro-economic environment. These rates are not greater than the published International Monetary Fund average growth rates in gross domestic product for the next five year period in each relevant territory in which the CGUs operate. Growth rate (%) 2023 Growth rate (%) 2022 UK Software Resilience n/a 2.2 North America Software Resilience n/a 2.5 Europe Software Resilience n/a 1.5 UK and APAC Cyber Security 2 n/a 2.2 North America Cyber Security 2 n/a 2.5 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. 2 Formerly Assurance. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 191 12 Goodwill and intangible assets continued Pre‑tax discount rates Discount rates can change relatively quickly for reasons both inside and outside of management’s control. Those outside management’s direct control or influence include changes in the Group’s Beta, changes in risk free rates of return and changes in Equity Risk Premia. The discount rates are determined using a capital asset pricing model and reflect current market interest rates, relevant equity and size risk premiums and the risks specific to the CGU concerned. On this basis, specific discount rates are used for each CGU in the VIU calculation, and the rates reflect management’s assessment on the level of relative risk in each respective CGU. The table below summarises the pre-tax discount rates used for each CGU: Pre-tax discount rate (%) 2023 Pre-tax discount rate (%) 2022 UK Software Resilience n/a 13.5 North America Software Resilience n/a 14.4 Europe Software Resilience n/a 12.5 UK and APAC Cyber Security 2 n/a 13.5 North America Cyber Security 2 n/a 14.4 Sensitivity analysis (for the year ended 31 May 2022 only) Sensitivity analysis has been performed in respect of certain VIU scenarios where management considers a reasonably possible change in key assumptions could occur. The outcome of applying sensitivity analysis in respect of the above inputs indicated that there is no reasonably possible scenario in which the carrying value of goodwill would be considered impaired. 13 Property, plant and equipment Computer equipment £m Fixtures, fittings and equipment £m Motor vehicles £m Total £m Cost At 1 June 2021 20.8 17.3 0.1 38.2 Additions 3.7 1.5 — 5.2 Movement in foreign exchange rates 0.1 0.3 — 0.4 At 31 May 2022 24.6 19.1 0.1 43.8 Additions 2.7 1.2 — 3.9 Disposals — — (0.1) (0.1) Movement in foreign exchange rates 0.2 0.1 — 0.3 At 31 May 2023 27.5 20.4 — 47.9 Depreciation At 1 June 2021 (17.5) (9.1) (0.1) (26.7) Charge for year (2.7) (1.2) — (3.9) Movement in foreign exchange rates — (0.3) — (0.3) At 31 May 2022 (20.2) (10.6) (0.1) (30.9) Charge for year (2.7) (1.8) — (4.5) On disposals — — 0.1 0.1 Movement in foreign exchange rates (0.1) — — (0.1) At 31 May 2023 (23.0) (12.4) — (35.4) Net book value At 31 May 2022 4.4 8.5 — 12.9 At 31 May 2023 4.5 8.0 — 12.5 2 Formerly Assurance . NCC Group plc — Annual report and accounts for the year ended 31 May 2023192 Notes to the Financial Statements continued at 31 May 2023 14 Right‑of‑use assets Land and buildings £m Motor vehicles £m Total £m Cost: At 1 June 2021 33.8 3.0 36.8 Additions 1.9 1.6 3.5 At 31 May 2022 35.7 4.6 40.3 Additions 2.9 1.4 4.3 Disposals (1.8) — (1.8) Impairment (0.5) — (0.5) At 31 May 2023 36.3 6.0 42.3 Depreciation: At 1 June 2021 (10.8) (2.2) (13.0) Charge for year (4.2) (1.2) (5.4) Reversal of impairment 0.1 0.0 0.1 At 31 May 2022 (14.9) (3.4) (18.3) Charge for year (4.4) (1.3) (5.7) Disposals 0.3 — 0.3 At 31 May 2023 (19.0) (4.7) (23.7) Net book value: At 31 May 2022 20.8 1.2 22.0 At 31 May 2023 17.3 1.3 18.6 The Directors have considered the impact of climate change on right-of-use assets with no material impact identified. 15 Investments Group 2023 £m Group 2022 £m Interest in unlisted shares 0.3 0.3 The investment in unlisted shares relates to a 3.35% ordinary shareholding in an unlisted company acquired as part of the Accumuli acquisition. The investment’s carrying value at acquisition date was considered appropriate to use as the fair value. The Directors consider there has been no change in the year. An assessment of the investment did not identify any indications of impairment and, accordingly, no indicator-based impairment testing has been undertaken. The Group receives annual dividends from the investment; the trading performance and the net assets reported are strong and profitable. 16 Inventory Group 2023 £m Group 2022 £m Goods for resale 0.8 0.9 The Group holds stock of certain critical components for key customers in relation to our own product sales (as opposed to third party products). The carrying value of inventory is expected to be recovered or settled within one year. There have been no write-downs of inventory in the year (2022: £nil). The Directors have considered the impact of climate change on inventory, with no material impact identified. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 193 17 Trade and other receivables Group 2023 £m Group 2022 £m Company 2023 £m Company 2022 £m Current Trade receivables 26.7 40.6 — — Prepayments 10.5 11.8 — — Contract costs (see Note 23) 1.7 1.1 — — Other receivables 2.0 1.2 — — Contract assets – accrued income (see Note 23) 17.2 23.0 — — Non-current Amounts owed by Group undertakings — — 23.2 32.9 Total 58.1 77.7 23.2 32.9 Disclosed as follows: Current assets 58.1 7 7.7 — — Non-current assets — — 23.2 32.9 58.1 77.7 23.2 32.9 The carrying value of trade and other receivables classified at amortised cost approximates fair value. No credit losses have been recognised in respect of amounts owed by Group undertakings (Parent Company only) in the year (2022: £nil). Amounts owed by Group undertakings in the Parent Company Balance Sheet have been disclosed as repayable after more than one year. Although these are repayable on demand, the disclosure as non-current is based on management’s expectation of the timing of repayment. The ageing of trade receivables, other receivables and contract assets at the end of the reporting period was: Group Gross 2023 £m Expected credit losses 2023 £m Net 2023 £m Gross 2022 £m Expected credit losses 2022 £m Net 2022 £m Trade receivables: Not past due 15.6 (0.1) 15.5 28.0 (0.1) 27.9 Past due 0–30 days 6.8 — 6.8 7.7 — 7.7 Past due 31–90 days 4.1 — 4.1 4.6 (0.1) 4.5 Past due more than 90 days 2.2 (1.9) 0.3 3.8 (3.3) 0.5 28.7 (2.0) 26.7 44.1 (3.5) 40.6 Other receivables: Not past due 2.0 — 2.0 1.2 — 1.2 Contract assets: Not past due 17.4 (0.2) 17.2 23.2 (0.2) 23.0 Total 48.1 (2.2) 45.9 68.5 (3.7) 64.8 The Company had no trade receivables (2022: £nil). The standard period for credit sales varies from 30 days to 60 days. The Group assesses the creditworthiness of all trade debts on an ongoing basis providing for expected credit losses in line with IFRS 9. The Group has considered credit risk rating grades; these are based on the ageing categories above. New customers are subject to stringent credit checks. The movement in the expected credit losses of trade and other receivables and contract assets is as follows: Group 2023 £m Group 2022 £m Balance at 1 June (3.7) (1.9) On acquisition (Note 35) — (1.4) Released/(charged) to the Income Statement 1.5 (0.4) Balance at 31 May (2.2) (3.7) NCC Group plc — Annual report and accounts for the year ended 31 May 2023194 Notes to the Financial Statements continued at 31 May 2023 18 Deferred tax assets and liabilities (Group) Deferred tax assets and liabilities on the Consolidated Statement of Financial Position are offset in accordance with IAS 12. A summary of this, offset with significant jurisdictions, is shown below: 2023 Asset/(liability) UK £m US £m Netherlands £m Denmark £m Total £m Plant and equipment 0.2 (0.3) 0.3 — 0.2 Short-term temporary differences 0.2 8.9 — — 9.1 IFRS 16 assets/(liabilities) 0.3 0.2 — — 0.5 Intangible assets (1.4) (7.6) (1.7) — (10.7) Share-based payments 0.3 0.2 — — 0.5 Tax losses 1.7 0.2 — — 1.9 Deferred tax asset/(liability) 1.3 1.6 (1.4) — 1.5 Analysed as follows: Non-current assets 1.3 1.6 — — 2.9 Non-current liabilities — — (1.4) — (1.4) 2022 Asset/(liability) UK £m US £m Netherlands £m Denmark £m Total £m Plant and equipment 0.3 (0.4) 0.3 — 0.2 Short-term temporary differences 0.2 6.2 — — 6.4 IFRS 16 assets/(liabilities) 0.3 0.2 — — 0.5 Intangible assets (1.8) (5.2) (1.8) — (8.8) Share-based payments 0.9 0.6 — — 1.5 Deferred tax (liability)/asset (0.1) 1.4 (1.5) — (0.2) Analysed as follows: Non-current assets — 1.4 — — 1.4 Non-current liabilities (0.1) — (1.5) — (1.6) Movement in deferred tax during the year: 1 June 2022 £m Recognised in income statement £m Exchange differences £m Recognised in equity £m Acquisition £m 31 May 2023 £m Plant and equipment 0.2 — — — — 0.2 Short-term temporary differences 6.4 2.7 — — — 9.1 IFRS 16 assets/liabilities 0.5 — — — — 0.5 Intangible assets (8.8) (1.8) (0.1) — — (10.7) Share-based payments 1.5 (0.9) — (0.1) — 0.5 Tax losses — 1.9 — — — 1.9 Total (0.2) 1.9 (0.1) (0.1) — 1.5 1 June 2021 £m Recognised in income statement £m Exchange differences £m Recognised in equity £m Acquisition £m 31 May 2022 £m Plant and equipment 0.9 (0.5) (0.2) — — 0.2 Short-term temporary differences 4.8 0.9 0.7 — — 6.4 IFRS 16 assets/liabilities 0.5 — — — — 0.5 Intangible assets (7.5) (0.3) (0.3) — (0.7) (8.8) Share-based payments 1.6 0.2 0.1 (0.4) — 1.5 Tax losses 0.5 (0.5) — — — — Total 0.8 (0.2) 0.3 (0.4) (0.7) (0.2) Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 195 18 Deferred tax assets and liabilities (Group) continued In the year ended 31 May 2023, the Group has recognised a deferred tax asset in relation to tax losses of £1.9m as management considers it probable that future taxable profits will be available against which tax losses may be offset. In 2022, the Group recognised no deferred tax asset in relation to tax losses. The Group has not recognised a potential deferred tax asset on £14.8m (2022: £35.7m) of tax losses carried forward in the United Kingdom (£7.5m), Denmark (£4.1m), Australia (£2.5m) and United States (£0.7m) due to current uncertainties over their future recoverability (and in the case of United Kingdom/United States because of specific legislative restrictions). A deferred tax asset of £1.4m (2022: £0.5m) in respect of R&D tax claims submitted in the United States has been partially provided against due to uncertainty with regard to recoverability; an amount of £0.8m has been provided (2022: £0.3m). No deferred tax liability is recognised on temporary differences of £0.6m (2022: £0.4m) relating to the unremitted earnings of overseas subsidiaries as the Group is able to control the timing of the reversal of these temporary differences and it is probable that they will not reverse in the foreseeable future. 19 Trade and other payables Group 2023 £m Group 2022 £m Company 2023 £m Company 2022 £m Trade payables 6.3 8.7 — — Non-trade payables 8.6 11.4 — — Accruals 29.8 28.2 — — Amounts owed to Group companies — — 0.2 18.2 Total 44.7 48.3 0.2 18.2 The carrying value of trade and other payables classified as financial liabilities measured at amortised cost approximates fair value. 20 Lease liabilities Land and buildings £m Motor vehicles £m Total £m At 1 June 2021 31.6 2.8 34.4 Additions 1.9 1.6 3.5 Lease payments (5.4) (1.1) (6.5) Interest expense 1.0 0.2 1.2 At 1 June 2022 29.1 3.5 32.6 Additions 2.2 1.4 3.6 Disposals (0.2) — (0.2) Lease payments (5.8) (1.3) (7.1) Interest expense 1.0 0.1 1.1 At 31 May 2023 26.3 3.7 30.0 Analysed as follows: 2023 £m 2022 £m Current 6.0 5.4 Non-current 24.0 27.2 The maturity of lease liabilities is as follows: 2023 £m 2022 £m Less than one year 6.0 5.4 Two to five years 16.7 16.5 More than five years 7.3 10.7 Total lease liabilities 30.0 32.6 NCC Group plc — Annual report and accounts for the year ended 31 May 2023196 Notes to the Financial Statements continued at 31 May 2023 20 Lease liabilities continued The total cash outflow for leases in the year was £7.1m (2022: £6.5m), which consists of £6.0m (2022: £5.3m) principal element of lease payments disclosed above, £1.1m (2022: £1.2m) interest element of leases payments and £nil (2022: £0.1m) lease payments charged to the Income Statement in respect of short-term leases. The Group has used its incremental borrowing rate of 5.8% (2022: 3.3%) as the discount rate for the calculation of the lease liabilities. Some leases contain break clauses or extension options to provide operational flexibility. Potential future undiscounted lease payments not included in the reasonably certain lease term, and hence not included in lease liabilities, total £4.9m (2022: £5.0m). 21 Provisions Loss-making contracts £m Onerous property costs £m Redundancy provision £m Other provisions £m Total £m Balance as at 31 May 2021 and 1 June 2021 1.1 1.7 — 0.2 3.0 Provisions created in the year 1.9 — — 0.6 2.5 Provisions utilised during the year (1.2) (0.7) — (0.1) (2.0) Balance as at 31 May 2022 and 1 June 2022 1.8 1.0 — 0.7 3.5 Provisions created in the year — 0.7 0.3 — 1.0 Provisions utilised during the year (0.8) (0.3) — (0.7) (1.8) Balance as at 31 May 2023 1.0 1.4 0.3 — 2.7 Analysed as follows (2023): Current 0.6 0.3 0.3 — 1.2 Non-current 0.4 1.1 — — 1.5 Analysed as follows (2022): Current 1.5 0.5 — 0.7 2.7 Non-current 0.3 0.5 — — 0.8 The loss-making contracts provision represents the estimated remaining net lifetime loss on long-term development and supply contracts that are now expected to be fully completed in the 2024 calendar year mainly due to supply chain sourcing. It was expected in the prior year that these contracts would have been completed in 2023. During the year, revenue has been recognised in relation to these long-term contracts of £0.8m (2022: £2.3m). The onerous property costs provision relates to unused floors in the Manchester head office building. The provision of £1.4m (2022: £1.0m) at 31 May 2023 includes £0.9m (2022: £0.4m) of non-rent costs relating to the onerous properties including service charges and insurance and also the estimated costs of disposing or terminating these leases, which includes rent incentives and letting fees. The provision at 31 May 2023 also includes estimated dilapidations liabilities of £0.5m (2022: £0.6m) relating to the Group’s leased premises. Both of these provisions are expected to unwind over the period of the relevant leases (2023 –2034). The impact of discounting the cash flows is £0.3m (2022: £0.2m). The redundancy provision represents accrued severance costs relating to the implementation of the re-organisation as detailed in Note 5. Other provisions of £nil (2022: £0.7m) include reorganisation and CEO transition costs to which the Group was committed at 31 May 2022 and were settled within the year ended 31 May 2023. 22 Contract liabilities – deferred revenue Deferred revenue represents advanced consideration received from customers, for which revenue is recognised over time. Deferred revenue is analysed as follows and is considered a contract liability: Group 2023 £m Group 2022 £m Analysed as follows: Current 51.6 61.7 Non-current 3.3 0.6 54.9 62.3 Revenue recognised in the year ended 31 May 2023 that was included in the contract liability at 1 June 2022 amounted to £62.4m (2022: £43.6m). The non-current element is expected to unwind in the year ended 31 May 2025. The Group has taken advantage of the IFRS 15 practical expedient not to disclose when revenue will unwind for all contracts less than 12 months in length. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 197 23 Contract balances The following table provides information about receivables, contract assets and contract liabilities from contracts with customers. Notes Group 2023 £m Group 2022 £m Receivables, which are included in trade and other receivables 17 26.7 40.6 Contract assets – accrued income 17 17.2 23.0 Contract costs – costs to obtain 17 1.7 1.1 Contract liabilities – deferred income 22 (54.9) (62.3) Receivables represent invoiced services usually payable within 30 days whereby performance obligations have been satisfied. Accrued income of £17.2m (of which £17.0m (2022: £20.3m) represents Cyber Security 2 accrued income) is the Group’s rights to consideration for work completed but not billed at the reporting date. The contract assets accrued in the prior year of £23.0m were fully recognised as trade receivables during the year ended 31 May 2023 and therefore the balance as at 31 May 2023 were fully accrued during the period are transferred to receivables when the rights become unconditional. Credit losses of £0.2m (2022: £0.2m) have been recognised in respect of contract assets. The contract assets were not impacted by any impairment charge. The contract assets are transferred to receivables when the rights become unconditional. This usually occurs when the Group issues an invoice to the customer. Invoices usually become payable within 30 days. The contract costs to obtain of £1.7m (2022: £1.1m) represent incremental sales commissions to obtain specific contracts and are amortised over the length of the contract. The contract costs to fulfil represent recoverable costs relating to future performance obligations and economic benefits to the customer in relation to an onerous contracts. Contract liabilities primarily relate to advanced consideration received from customers, for which revenue is recognised over time in line with the respective performance obligation. No information is provided about remaining performance obligations at 31 May 2023 or at 31 May 2022 that have an original expected duration of one year or less, as allowed by IFRS 15. 24 Cash and cash equivalents and borrowings Cash and cash equivalents Cash and cash equivalents comprise: Group 2023 £m Group 2022 £m Company 2023 £m Company 2022 £m Cash and cash equivalents 34.1 73.2 15.0 20.2 Bank overdraft (1.8) — — — Total cash at bank and in hand 32.3 73.2 15.0 20.2 Borrowings are analysed as follows: Maturity Group 2023 £m Group 2022 £m Company 2023 £m Company 2022 £m Current liabilities: Bank term loan 2024 — 18.5 — — Non-current liabilities: Revolving credit facility 2026 81.9 70.5 — — Bank term loan 2024 — 36.6 — — Total borrowings 81.9 125.6 — — The maturity profile is as follows: Group 2023 £m Group 2022 £m Company 2023 £m Company 2022 £m Less than one year — 18.5 — — Two to five years 81.9 107.1 — — Total borrowings 81.9 125.6 — — 2 Formerly Assurance. NCC Group plc — Annual report and accounts for the year ended 31 May 2023198 Notes to the Financial Statements continued at 31 May 2023 24 Cash and cash equivalents and borrowings continued Cash and cash equivalents continued The RCF is drawn in short to medium-term tranches of debt that are repayable within 12 months of draw down. These tranches of debt can be rolled over provided certain conditions are met, including compliance with all loan terms. The Group considers that it is highly unlikely it would not be in compliance and therefore be unable to exercise its right to roll over the debt. The Directors therefore believe that the Group has the ability and the intent to roll over the drawn RCF amounts when due and consequently has presented the RCF as a non-current liability. On 12 May 2021, the Group entered into a new Term Loan Facility Agreement. The facility made available under the Facility Agreement (the “Term Facility”) was a $70m amortising term loan facility, to fund the acquisition of the IPM Software Resilience business. The rate of interest on each loan under the Term Facility is the percentage rate per annum, which is equal to the aggregate of a compounded rate based on the secured overnight financing rate (SOFR) administered by the Federal Reserve Bank of New York and the margin (based on a leverage ratchet varying from 1.40% to 2.65% per annum). The Term Facility was due to be repaid in annual instalments of $23.3m on each of 10 June 2022 and 10 June 2023, with a final instalment of $23.4m payable on 10 June 2024. The Term Facility Agreement also contained financial covenants relating to leverage and interest cover and provisions relating to guarantor coverage consistent with the RCF. In December 2022, the Group entered into a new four year £162.5m multi-currency revolving credit facility replacing our existing £100m multi-currency revolving credit facility and the remaining $46.7m of the original $70m term loan that was maturing in June 2024. Key terms of the new facility are: • £162.5m multi-currency revolving credit facility maturing in December 2026 • Additional £75m uncommitted accordion option • Increase to leverage covenant from 2.5x to 3.0x with an additional acquisition spike to 3.5x for the first 12 months of any acquisition • Weighted average interest rate of the facility is lower and payable on a ratchet mechanism, with a margin payable above SONIA and SOFR in the range of 1.00% to 2.25% depending on the level of the Group’s leverage. The weighted average interest rate is 5.92% as at 31 May 2023 • The new facility is considered an extinguishment of the previous RCF and Term Loan Facility Agreement and therefore remaining arrangement fees of £0.6m have been charged to the Income Statement during the year ended 31 May 2023. New arrangement fees of £1.7m will be amortised over the new four year term to December 2026. Arrangement fees of £0.4m (2022: £0.4m) have been charged to the Income Statement in the year ended 31 May 2023. • Certain subsidiaries of the Group act as guarantors to the new facility to provide coverage based on aggregate EBITDA 1 and gross assets. As at 31 May 2023, the Group had committed bank facilities of £162.5m (2022: £155.1m), of which £83.4m (2022: £126.4m) had been drawn under these facilities, leaving £79.1m (2022: £28.7m) of undrawn facilities. Unamortised arrangement fees of £1.5m (2022: £0.8m) have been offset against the amounts drawn down, resulting in a carrying value of borrowings at 31 May 2023 of £81.9m (2022: £125.6m). The fair value of borrowings is not materially different to its amortised cost. 25 Financial instruments Loans and borrowings Group 2023 £m Group 2022 £m Company 2023 £m Company 2022 £m Non-current Variable rate: Revolving credit facility (81.9) (70.5) — — Bank term loan — (36.6) — — (81.9) (107.1) — — Current Variable rate: Bank term loan — (18.5) — — Total loans and borrowings (excluding lease liabilities) (81.9) (125.6) — — Cash 34.1 73.2 15.0 20.2 Bank overdraft (1.8) — — — Net (debt)/cash (excluding lease liabilities) 1 (49.6) (52.4) 15.0 20.2 Non-current Lease liabilities (24.0) (27.2) — — Current Lease liabilities (6.0) (5.4) — — Net (debt)/cash 1 (79.6) (85.0) 15.0 20.2 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 199 25 Financial instruments continued Reconciliation of movements in liabilities to cash flows arising from financing activities Group 2023 £m 2022 £m Revolving credit facility/bank term loan: Drawdown on facility 70.8 120.7 Repayment of facility (115.6) (39.4) Transaction costs (1.7) (0.6) Interest costs (non-cash) 4.0 2.1 Interest paid on borrowings (4.0) (2.1) Release of deferred arrangement fees 1.0 0.4 Foreign exchange movement 1.8 11.3 Movement in borrowings (43.7) 92.4 IFRS 16 lease liability: New leases entered into 3.6 3.5 Disposals (0.2) — Principal element of lease payments (6.0) (5.3) Interest element of lease payments (1.1) (1.2) Interest cost (non-cash) 1.1 1.2 Movement in lease liabilities (2.6) (1.8) Financial risk management The Group has exposure to the following risks from its use of financial instruments: • Credit risk • Liquidity risk • Currency risk • Interest rate risk The Board has overall responsibility for establishing appropriate management of exposure to risk. The Audit Committee oversees how management identifies and addresses risks to the Group. Capital management The Board’s policy is to maintain a strong capital base so as to maintain investor, creditor and market confidence and to sustain future development of the business. The Group monitors capital on the basis of the gearing ratio. This ratio is calculated as net (debt)/cash 1 divided by total capital. Net (debt)/cash 1 is calculated as total borrowings as shown in the Consolidated Balance Sheet, less cash and cash equivalents. Total capital is calculated as equity, as shown in the Consolidated Balance Sheet, plus net debt 1 . As at 31 May 2023 the Group’s gearing ratio was 15.1% (2022: 15.5%). Financial instruments policy All instruments utilised by the Company and Group are for financing purposes. The financial management and treasury activities of the Group are controlled centrally for all operations with local finance teams responsible for day-to-day banking activities. Fair value of financial instruments As at 31 May 2023, the Group and Company had no other financial instruments other than those disclosed below. In addition, no embedded derivatives have been identified. There have been no transfers between levels in the year. The following table presents the Group’s financial assets and liabilities that are measured at fair value by level of fair value hierarchy: • Quoted prices (unadjusted) in active markets for identical assets or liabilities (level 1) • Inputs other than quoted prices included within level 1 that are observable for the asset or liability, either directly (that is, as prices) or indirectly (that is, derived from prices) (level 2) • Inputs for the asset or liability that are not based on observable market data (unobservable inputs) (level 3) 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. NCC Group plc — Annual report and accounts for the year ended 31 May 2023200 Notes to the Financial Statements continued at 31 May 2023 25 Financial instruments continued Fair value of financial instruments continued Borrowings are held at amortised cost, which is considered to equate to fair value. All other assets and liabilities are held at either fair value or their carrying value, which approximates to fair value. 2023 2022 Level 1 £m Level 2 £m Level 3 £m Level 1 £m Level 2 £m Level 3 £m Financial liabilities/(assets) at fair value through profit or loss — 0.6 — — (0.2) — Total financial instruments — 0.6 — — (0.2) — Credit risk Credit risk is the risk of financial loss to the Group if a customer or counterparty to a financial instrument fails to meet its contractual obligations and arises principally from the Group’s receivables from customers. The Group’s exposure to credit risk is influenced mainly by the individual characteristics of each customer. Exposure to credit risk The carrying value of financial assets represents the maximum credit exposure. The maximum exposure to credit risk at the reporting date was: Group 2023 £m Group 2022 £m Company 2023 £m Company 2022 £m Trade receivables 26.7 40.6 — — Other receivables 2.0 1.2 — — Accrued income 17.2 23.0 — — Contingent consideration receivable 3.8 — — — Cash and cash equivalents 34.1 73.2 15.0 20.2 Total 83.8 138.0 15.0 20.2 The maximum exposure to credit risk for trade receivables and other receivables at the reporting date by geographic region was: Trade receivables by geographical segment Group 2023 £m Group 2022 * £m Company 2023 £m Company 2022 £m UK 14.6 14.2 — — APAC 1.2 1.0 North America 6.3 14.3 — — Europe 6.6 12.4 — — Total 28.7 41.9 — — * Represented to present APAC trade receivables of £1.0m separately from the UK segment. The maximum exposure to credit risk at the reporting date by business segment was: Trade receivables by business segment Group 2023 £m Group 2022 £m Company 2023 £m Company 2022 £m Cyber Security 2 25.1 35.4 — — Software Resilience 1.8 6.5 — — Central & head office 1.8 — — — Total 28.7 41.9 — — The trade receivables of the Group typically comprise many amounts due from a large number of customers and represent a spread of industry sectors. The largest amount due from a single customer at the reporting date represented 3.1% (2022: 4.4%) of total Group receivables. All of the Group’s cash is held with financial institutions of high credit rating. The provisions in respect of trade receivables are used to record expected credit losses. The Group has dedicated credit control teams, which regularly review customer debt balances to assess the risk of recovery. 2 Formerly Assurance. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 201 25 Financial instruments continued Liquidity risk Liquidity risk is the risk that the Group will not be able to meet its financial obligations as they fall due. The Group manages and minimises liquidity risk by using global cash management solutions and actively monitoring both actual and projected cash outflows to ensure that it will have sufficient liquidity to meet its liabilities when due and have headroom to provide against unforeseen obligations. The Ukraine conflict is not considered to have a direct material impact on liquidity risk in the short term due to the Group having limited direct exposure in the affected region. Longer term, the Group has assessed its liquidity forecast as part of the viability assessment and its ability to continue trading as a going concern. For further detail on the Group’s assessment of liquidity risk refer to the Viability Statement on page 81. The following are the contractual maturities of financial liabilities, including interest payments, of the Group: At 31 May 2023 Carrying amount £m Contractual cash flows £m <1 year £m 1–2 years £m 2+ years £m 5+ years £m Borrowings (81.9) (98.0) (4.9) (4.9) (88.2) — Bank overdraft (1.8) (1.8) (1.8) — — — Contingent consideration payable (1.0) (1.0) (1.0) — — — Lease liabilities (30.0) (33.6) (6.9) (6.1) (12.6) (8.0) Trade and other payables (44.7) (44.7) (44.7) — — — At 31 May 2022 Borrowings (restated) (125.6) (132.0) (21.3) (21.3) (89.4) — Contingent consideration payable (1.9) (1.9) (0.9) (1.0) — — Lease liabilities (32.6) (36.4) (6.5) (5.5) (13.4) (11.0) Trade and other payables (48.3) (48.3) (48.3) — — — * Restated to correct the borrowings contractual cash flows resulting in an increase to those cash flows of £21.3m split between < 1 year increase of £1.6m, 1-2 years increase of £1.6m and 2+ years increase by £18.1m. The contractual cash flows for borrowings disclosed above relate to the Group’s RCF facility for the year ended 31 May 2023, which expires in December 2026, and in the prior year includes the Term Loan Facility Agreement that was due to expire in June 2024. The contractual cash flows include an estimate of the interest payable based on the assumption that the borrowings remain drawn based upon 31 May 2023 levels, except that the term loan which existed at 31 May 2022, is repayable over its term. Interest is calculated based on SONIA/SOFR plus a margin based on the current leverage ratio . Currency risk The Group is exposed to currency risk on sales, purchases, cash and borrowings that are denominated in a currency other than the respective functional and presentational currency of the Group. The Group’s management reviews the size and probable timing of settlement of all financial assets and liabilities denominated in foreign currencies. The Group’s exposure to currency risk is as follows: 2023 2022 Sterling £m EUR £m USD £m Other £m Total £m Sterling £m EUR £m USD £m Other £m Total £m Trade receivables 11.0 7.0 7.1 1.6 26.7 12.9 11.7 15.9 0.1 40.6 Other receivables 2.0 — — — 2.0 0.5 — 0.6 0.1 1.2 Contract assets 5.5 3.9 6.7 1.1 17.2 6.5 4.3 11.5 0.7 23.0 Cash and cash equivalents 17.0 5.0 9.4 2.7 34.1 26.4 2.4 42.4 2.0 73.2 Bank overdraft (1.8) — — — (1.8) — — — — — Borrowings (18.6) — (63.3) — (81.9) (26.2) — (99.4) — (125.6) Lease liabilities (19.6) (2.0) (6.7) (1.7) (30.0) (21.4) (2.0) (7.3) (1.9) (32.6) Trade and other payables (31.8) (9.2) (1.6) (2.1) (44.7) (28.1) (9.0) (8.9) (2.3) (48.3) Total (36.3) 4.7 (48.4) 1.6 (78.4) (29.4) 7.4 (45.2) (1.3) (68.5) A change in exchange rate of 10% would have an impact of £20.3m (2022: £19.0m) on revenue, £3.9m (2022: £4.2m) on operating profit, £64.2m (2022: £43.6m) on net assets and £6.3m (2022: £9.9m) on borrowings. The Group’s risk management policy is to hedge foreign currency exposure in respect of significant material transactions that may arise from time to time. No such hedges were in place at 31 May 2022 or at 31 May 2023. The Group uses forward exchange contracts to hedge its currency risk, which are short term in nature to match the maturity of the hedged item. These contracts are generally designated as cash flow hedges. NCC Group plc — Annual report and accounts for the year ended 31 May 2023202 Notes to the Financial Statements continued at 31 May 2023 25 Financial instruments continued Currency risk continued The Group designates the spot element of forward foreign exchange contracts to hedge its currency risk and applies a hedge ratio of 1:1. The forward elements of forward exchange contracts are excluded from the designation of the hedging instrument and are separately accounted for as a cost of hedging, which is recognised in equity in a cost of hedging reserve. The Group’s policy is for the critical terms of the forward exchange contracts to align with the hedged item. The Group determines the existence of an economic relationship between the hedging instrument and hedged item based on the currency, amount and timing of their respective cash flows. Given the short-term nature of these hedges there is limited risk of ineffectiveness. Interest rate risk The Group and Company finance their operations through a combination of retained profits and bank borrowings. The Group borrows and invests surplus cash at floating rates of interest based upon bank base rate. The cash and cash equivalents of the Group and Company at the end of the financial year were as follows: Group 2023 £m 2022 £m Sterling denominated financial assets 17.0 26.4 Euro denominated financial assets 5.0 2.4 US Dollar denominated financial assets 9.4 42.4 Other denominated financial assets 2.7 2.0 Total 34.1 73.2 The financial assets and liabilities of the Company at the end of the financial year were as follows: Company 2023 £m 2022 £m Financial assets Sterling denominated financial assets 15.0 20.2 Amounts owed by Group undertakings 23.2 32.9 Total 38.2 53.1 Financial liabilities Amounts owed to Group undertakings 0.2 18.2 Total 0.2 18.2 A change of 100 basis points in interest rates would result in a difference in annual pre-tax profit of £0.9m (2022: £1.3m). The financial liabilities of the Group (trade and other payables, borrowings and lease liabilities) and their maturity profile are as follows: 2023 2022 Sterling £m EUR £m USD £m Other £m Total £m Sterling £m EUR £m USD £m Other £m Total £m Less than one year (36.6) (10.3) (3.0) (2.6) (52.5) (30.7) (9.9) (28.9) (2.7) (72.2) Two to five years (28.1) (0.9) (68.4) (1.2) (98.6) (35.8) (1.1) (85.2) (1.5) (123.6) More than five years (7.2) — (0.1) — (7.3) (9.9) — (0.8) — (10.7) Total (71.9) (11.2) (71.5) (3.8) (158.4) (76.4) (11.0) (114.9) (4.2) (206.5) Climate change The Directors have considered the impact of climate change on fair value measurement and financial instruments, with no material impact identified. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 203 26 Share‑based payments The Company has a number of share option schemes under which options to subscribe for the Company’s shares have been granted to Directors and colleagues, details of which are illustrated in the tables below. Expected term of options represents the period over which the fair value calculations are based. The share-based payment charge for the year was £2.2m (2022: £3.9m) of which £2.2m (2022: £3.4m) related to equity settled payments and £nil (2022: £0.5m) to cash settled payments. The share-based payments charge decreased during the year due to a number of schemes no longer being expected to meet performance criteria required to give rise to options being granted. Company Share Option (CSOP) scheme – equity settled Under the CSOP scheme, options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum. Options granted in September 2019 do not have any performance criteria. Date of grant Expected term of options Exercisable between Exercise price 2023 Number outstanding August 2018 7 years August 2021–August 2028 £2.20 5,586 September 2019 7 years September 2022–September 2029 £1.79 279,312 Sharesave schemes – equity settled The Company operates sharesave schemes, which are available to all colleagues based in the UK, Netherlands, Denmark, Spain and Australia, and full-time Executive Directors of the Group and its subsidiaries who have worked for a qualifying period. Date of grant Expected term of options Exercisable between Exercise price 2023 Number outstanding March 2019 3 years May 2022–October 2022 £0.99 7 March 2020 3 years May 2023–October 2023 £1.84 339,158 March 2020 3 years May 2023–October 2023 £1.84 202,877 May 2021 3 years May 2024–October 2024 £2.15 128,744 May 2021 3 years May 2024–October 2024 £2.15 251,147 May 2022 3 years May 2025–October 2025 £1.52 314,632 May 2022 3 years May 2025–October 2025 £1.52 755,013 May 2023 3 years June 2026–November 2026 £1.26 1,253,012 May 2023 3 years June 2026–November 2026 £1.26 268,214 Colleague stock purchase plan – equity settled The Company operates a stock purchase plan, which is available to all US-based colleagues who have worked for a qualifying period. All options are to be settled by equity. Under the scheme the following options have been granted and are outstanding at year end. Date of grant Expected term of options Exercisable in Exercise price 2023 Number outstanding May 2022 1 year May 2023 £1.58 — May 2023 1 year May 2024 £1.26 604,321 Incentive Stock Option (ISO) scheme – equity settled Under the ISO scheme, options granted will be subject to performance criteria. Options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum. Date of grant Expected term of options Exercisable between Exercise price 2023 Number outstanding August 2018 7 years August 2021–August 2028 £2.22 — September 2019 7 years September 2022–September 2029 £1.82 49,446 NCC Group plc — Annual report and accounts for the year ended 31 May 2023204 Notes to the Financial Statements continued at 31 May 2023 26 Share‑based payments continued Long Term Investment Plan (LTIP) schemes – equity settled Options granted on or after November 2017 to May 2021 have three separate vesting conditions as set out below: • 60% will vest based on achieving an average increase in Group EPS of 20% or more over a three year period. If growth is equal to an average of 9% (threshold), then 12% of the award will vest. If, however, growth is less than 9%, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 30% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion 1 is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. Options granted in November 2021 have three separate vesting conditions as set out below: • 60% will vest based on achieving an average increase in Group EPS of 22.5% or more over a three year period. If growth is equal to an average of 9% (threshold), then 15% of the award will vest. If, however, growth is less than 9% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 30% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion 1 is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. Options granted on or after October 2022 have three separate vesting conditions as set out below: • 60% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 20% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. Date of grant Expected term of options Exercisable between Exercise price 2023 Number outstanding September 2019 3 years June 2022–August 2023 £nil 209,760 March 2020 3 years June 2022–August 2024 £nil — May 2021 3 years June 2023–August 2025 £nil 516,791 November 2021 3 years June 2024–August 2026 £nil 1,101,449 October 2022 3 years October 2025–October 2026 £nil 1,297,672 November 2022 3 years November 2025–November 2026 £nil 113,521 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 205 26 Share‑based payments continued Restricted State Unit (RSU) schemes – equity settled Options granted related to the RSU schemes on or after August 2018 have three separate vesting conditions as set out below: • 60% will vest based on achieving an average increase in Group EPS of 20% or more over a three year period. If growth is equal to an average of 9% (threshold), then 12% of the award will vest. If, however, growth is less than 9%, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 30% will vest based on achieving a cash conversion ratio¹ expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion¹ is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. The options are to be settled in equity. Date of grant Expected term of options Exercisable between Exercise price 2023 Number outstanding May 2021 3 years June 2023–August 2023 £0.01 138,554 Restricted Share Plan (RSP) – equity settled The vesting condition for the award of RSPs relates to colleagues remaining with the Group for a certain period of time, namely two years to receive 50% of the award, and a further year to receive the remaining 50%. There are no other performance conditions. Date of grant Expected term of options Exercisable between Exercise price 2023 Number outstanding May 2021 2/3 years 50% exercisable August 2022 to August 2031, 50% exercisable August 2023 to August 2031 £nil (£0.01 in the US and Canada) 536,839 November 2021 2/3 years 50% exercisable October 2023 to August 2032, 50% exercisable October 2024 to August 2032 £nil (£0.01 in the US and Canada) 1,317,181 October 2022 2/3 years 50% exercisable October 2024 to October 2032, 50% exercisable October 2025 to October 2032 £nil (£0.01 in the US and Canada) 1,139,412 November 2022 2/3 years 50% exercisable November 2024 to November 2032, 50% exercisable November 2025 to November 2032 £nil (£0.01 in the US and Canada) 30,272 Deferred share scheme – equity settled Date of grant Expected term of options Exercisable between Exercise price 2023 Number outstanding October 2021 2 years October 2023–October 2031 £nil 91,616 Phantom schemes – cash settled Phantom schemes are used to allow the grant of LTIPs to members of the Executive Committee based in certain overseas locations at a time when the Group’s option scheme rules were not structured to allow overseas grants. Options granted on or after September 2019 do not have any performance criteria. Date of grant Expected term of options Exercisable between Exercise price 2023 Number outstanding September 2019 3 years September 2022–September 2023 £nil 22,345 July 2021 3 years August 2022–July 2031 £nil 15,500 November 2021 3 years October 2023–November 2031 £nil 15,500 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. NCC Group plc — Annual report and accounts for the year ended 31 May 2023206 Notes to the Financial Statements continued at 31 May 2023 26 Share‑based payments continued Measurement of fair values The fair value of services received in return for share options is calculated with reference to the fair value of the award on the date of grant. The fair value is spread over the period during which the colleague becomes unconditionally entitled to the award, adjusted to reflect actual and expected levels of vesting. The assumptions used in the models are illustrated in the tables below: Scheme Grant date Expected volatility Option expected term Risk free interest rate CSOP scheme August 2018–September 2019 48.0%–52.8% 7 years 0.35%–2.00% Sharesave scheme March 2019–May 2023 39.7%–55.7% 3 years 0.13%–2.20% ESPP scheme May 2022–May 2023 53.8%–55.7% 1 year 1.15%–2.20% Special Award (CEO) September 2022 n/a 2 years n/a ISO scheme September 2019 77.0% 7 years 0.38% LTIP scheme September 2019–November 2022 37.2%–55.5% 3 years 0.21%–2.00% RSU scheme May 2021 42.3% 3 years 0.32% RSP scheme May 2021–November 2022 n/a 10 years n/a Deferred shares October 2021 56.0% 2 years 0.35% Phantom schemes September 2019–November 2021 52.8%–55.5% 3 years 1.81–1.96% Scheme Grant date Fair value at measurement date Weighted average fair value at measurement date Exercise price Weighted average exercise value at measurement date CSOP scheme August 2018–September 2019 £0.55–£0.63 £0.55 £1.79–£2.20 £1.80 Sharesave scheme March 2019–May 2023 £0.39–£0.86 £0.59 £0.99–£2.15 £1.52 ESPP scheme May 2022–May 2023 £0.30–£0.55 £0.30 £1.26–£1.58 £1.26 Special Award (CEO) September 2022 £2.30 £2.30 £2.30 £2.30 ISO scheme September 2019 £0.54 £0.54 £1.82 £1.82 LTIP scheme September 2019–November 2022 £1.61–£2.87 £2.19 £nil £nil RSU scheme May 2021 £2.87 £2.87 £0.01 £0.01 RSP scheme May 2021–November 2022 £1.93–£2.85 £2.28 £nil £nil Deferred shares October 2021 £2.47 £2.47 £nil £nil Phantom schemes September 2019–November 2021 £1.84–£2.87 £2.44 £nil £nil The expected volatility has been based on an evaluation of the historical volatility of the Company’s share price, particularly over the historical period commensurate with the expected term. The expected term of the instruments has been based on historical experience and general option holder behaviour. For the options granted in the year ended 31 May 2023, dividend yield assumed at the time of option grant is 1.75% (2022: 1.75%). Reconciliation of outstanding share options The options outstanding at 31 May 2023 have an exercise price in the range of £nil to £2.15 (2022: £nil to £2.15) and a weighted average contractual life of three years (2022: three years). The following table illustrates the number and weighted average exercise prices (WAEP) of, and movements in, outstanding share awards during the year: 2023 Number ’000 2023 WAEP 2022 Number ’000 2022 WAEP Outstanding at 1 June 11,431 £0.68 9,494 £0.79 Granted during the year 5,114 £0.55 5,605 £0.75 Exercised during the year (1,488) £0.10 (1,028) £0.89 Forfeited in the year (3,837) £0.96 (2,640) £1.39 Outstanding at 31 May 11,220 £0.61 11,431 £0.68 Exercisable at end of year 1,598 £1.00 119 £1.00 Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 207 26 Share‑based payments continued Reconciliation of outstanding share options continued Scheme Number of instruments as at 1 June 2022 Instruments granted during the year Options exercised in the year Forfeitures in the year Number of instruments as at 31 May 2023 CSOP schemes 324,001 5,586 (11,172) (33,517) 284,898 Sharesave/SAYE schemes 3,714,713 1,593,682 (111,399) (1,684,192) 3,512,804 ESPP schemes 506,218 604,321 — (506,218) 604,321 Special Award — 222,222 — — 222,222 ISO schemes 60,434 — — (10,988) 49,446 LTIP schemes 3,203,721 1,411,193 (528,618) (8 47,103) 3,239,193 RSU schemes 748,711 — (362,003) (248,154) 138,554 RSP scheme 2,734,411 1,233,252 (448,542) (495,417) 3,023,704 Deferred shares 110,553 — (18,937) — 91,616 Phantom schemes 27, 931 43,673 (7,0 86) (11,173) 53,345 11,430,693 5,113,929 (1,487,757) (3,836,762) 11,220,103 The liability for the cash settled share-based payments at 31 May 2023 was £nil (2022: £0.5m). 27 Called up share capital and reserves Allotted, called up and fully paid 2023 Number of shares 2022 Number of shares 2023 £m 2022 £m Ordinary shares of 1p each at the beginning of the year 309,967,243 308,956,045 3.1 3.1 Ordinary shares of 1p each issued in the year 2,161,649 1,011,198 — — Ordinary shares of 1p each at the end of the year 312,128,892 309,967,243 3.1 3.1 During the year, 2,161,649 (2022: 1,011,198) new ordinary shares of 1p were issued as a result of the exercise of share options. The proceeds of £0.1m (2022: £0.8m) were credited to the share premium account. As at 31 May 2023, 868,800 shares were held in treasury (2022: nil). Share premium The share premium account records the difference between the nominal amount of shares issued and the fair value of the consideration received. The share premium account may be used for certain purposes specified by UK law, including to write off expenses incurred on any issue of shares and to pay fully paid bonus shares. The share premium account is not distributable but may be reduced by special resolution of the Company’s ordinary shareholders and with court approval. Hedging reserve The hedging reserve comprises the effective portion of the cumulative net change in the fair value of hedging instruments used in cash flow hedges pending subsequent recognition in profit or loss or directly included in the initial cost or other carrying amount of a non-financial asset or non-financial liability. The reserve is £nil at 31 May 2023 as the hedging instrument has now expired. Merger reserve The merger reserve arose in 2015 from the acquisition of Accumuli plc through a share-for-share exchange in part consideration for the business. Currency translation reserve The results of overseas operations are translated at the average foreign exchange rates for the year, and their balance sheets are translated at the rates prevailing at the Balance Sheet date. Exchange differences arising on the translation of opening net assets and results of overseas operations are recognised in the currency translation reserve. All other exchange differences are included in the Income Statement. Retained earnings Retained earnings for the Group are made up of accumulated reserves. For the Company, retained earnings are made up of accumulated reserves and are considered distributable reserves. NCC Group plc — Annual report and accounts for the year ended 31 May 2023208 Notes to the Financial Statements continued at 31 May 2023 28 Profit attributable to members of the Parent Company The profit for the year dealt with in the accounts of the Parent Company was £17.5m (2022: £20.0m). 29 Other financial commitments Non-cancellable lease rental costs are payable as follows: 2023 2022 Land and buildings £m Other £m Land and buildings £m Other £m Within one year or less — — — 0.1 The lease commitments disclosed above represent short-term (less than one year) leases only, for which the Group has taken the exemption from accounting for under IFRS 16. 30 Contingencies There are no contingent liabilities not provided for at the end of the financial year (2022: £nil). Similarly, there are no contingent assets (2022: £nil). 31 Pension scheme The Group operates a defined contribution pension scheme that is open to all eligible colleagues. The pension cost charge for the year represents contributions payable by the Group to the fund and amounted to £6.3m (2022: £5.1m). For the Company, the pension cost charge for the year represents contributions payable by the Company to the fund and amounted to £nil (2022: £nil). 32 Related party transactions Management has defined that related party transactions are that with key management personnel members only. Key management personnel have been assessed to be the Group’s Board of Directors. During the year ended 31 May 2023 there were nine (2022: seven) key management personnel. The compensation paid or payable to key management for employee services is shown below: Group 2023 £m Group 2022 * £m Company 2023 £m Company 2022 £m Salary costs (including bonus) 1.8 1.5 — — Social security costs 0.3 0.3 — — Pension costs — — — — Share-based payments 0.2 0.4 Total 2.3 2.2 — — * Represented to present social security costs separate from salary costs. There were no other related party transactions identified during the year. 33 Investments in subsidiary undertakings Company Shares in Group undertakings £m At 1 June 2021 151.8 Increase in subsidiary investment for share-based charges 3.9 Investment in subsidiary undertakings 121.2 At 31 May 2022 276.9 Increase in subsidiary investment for share-based charges 2.2 At 31 May 2023 279.1 On 26 May 2022, the Company acquired 121,205,727 ordinary shares of £0.01 in NCC Group Holdings Limited for a consideration of £121,205,727 and was settled through an intercompany loan. The increase in subsidiary investment for share-based charges represents IFRS 2 ‘Share-based Payments’ charges in respect of subsidiaries which will not be recharged. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 209 33 Investments in subsidiary undertakings continued Fixed asset investments are recognised at cost. The undertakings in which the Company has a 100% interest at 31 May 2023 are as follows: Subsidiary undertakings Country of incorporation Principal activity Registered office NCC Group Holdings Limited England and Wales Holding company XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ (XYZ 1 ) NCC Group (Solutions) Limited England and Wales Holding company XYZ 1 NCC Group Corporate Limited England and Wales Corporate cost centre XYZ 1 NCC Group Finance Limited England and Wales Financing company XYZ 1 The National Computing Centre Limited England and Wales Dormant XYZ 1 NCC Group Software Resilience Limited England and Wales Holding company XYZ 1 NCC Group Software Resilience (UK) Limited England and Wales Holding company XYZ 1 NCC Services Limited England and Wales Software Resilience XYZ 1 NCC Group Escrow Limited England and Wales Dormant XYZ 1 NCC Group Software Resilience (Europe) BV Netherlands Holding company Barbara Strozzilaan 101, 1083HN Amsterdam, Netherlands NCC Group GmbH Germany Software Resilience c/o Deloitte Legal Rechtsanwaltsgesellschaft mbH, Rosenheimer Platz 6, 81669, Munich, Bavaria, Germany NCC Group Deutschland GmbH Germany Cyber Security 4 Leopoldstrasse Business Centre GmbH, Konrad-Zuse-Platz 8, 81829, Munich, Germany NCC Group Escrow Europe BV Netherlands Software Resilience Barbara Strozzilaan 101, 1083HN Amsterdam, Netherlands NCC Group Escrow Europe (Switzerland) AG Switzerland Software Resilience Ibelweg 18A, 6300 Zug, Switzerland NCC Group Software Resilience (MEA-APAC) Limited England and Wales Holding company XYZ 1 NCC Group FZ-LLC United Arab Emirates Software Resilience Dquarters, Building 16, unit EO30, DIC5, Dubai Internet City, Dubai, United Arab Emirates NCC Group Cyber Security Limited England and Wales Holding company XYZ 1 NCC Group Cyber Security (UK) Limited England and Wales Holding company XYZ 1 NCC Group Security Services Limited England and Wales Cyber Security 4 XYZ 1 NCC Group Audit Limited England and Wales Cyber Security 4 XYZ 1 ArmstrongAdams Limited England and Wales Cyber Security 4 XYZ 1 NCC Group Signify Solutions Limited England and Wales Cyber Security 4 XYZ 1 NCC Group Accumuli Security Limited England and Wales Cyber Security 4 XYZ 1 NCC Group Cyber Security (Europe) BV Netherlands Holding company Fox-IT 3 NCC Group A/S Denmark Cyber Security 4 Lautruphøj 1, 2750 Ballerup, Denmark NCC Group Cyber Portuguesa, Unipessoal, LDA Portugal Cyber Security 4 Av. António Augusto de Aguiar nº 19 – 4º, 1050-012 Lisboa, Portugal NCC Group Security Services Espana SLU Spain Cyber Security 4 Plaza Manuel Gómez Moreno, número 2, Edificio Alfredo Mahou, planta 19ª, letra B, 28020, Madrid, Spain Cyber Security Sweden AB Sweden Cyber Security 4 c/o Advokatfirman Delphi, P.O. Box 1432, 111 84 Stockholm Fox-IT Holding B.V. Netherlands Holding company Olof Palmestraat 6, 2616 LM Delft, Netherlands (Fox-IT 3 ) Fox-IT Group B.V. Netherlands Holding company Fox-IT 3 Fox-IT B.V. Netherlands Cyber Security 4 Fox-IT 3 Fox-IT Operations B.V. Netherlands Dormant Fox-IT 3 Fox Crypto B.V. Netherlands Cyber Security 4 Fox-IT 3 NCC Group Cyber Security (APAC) Limited England and Wales Holding company XYZ 1 NCC Group plc — Annual report and accounts for the year ended 31 May 2023210 Notes to the Financial Statements continued at 31 May 2023 Subsidiary undertakings Country of incorporation Principal activity Registered office NCC Group Pte Limited Singapore Cyber Security 4 Unit #10-09 PLUS Building, 20 Cecil Street, Singapore (049705) NCC Group Pty Limited Australia Cyber Security 4 Suite 23.01, Level 23, 45 Clarence Street, Sydney, NSW 2000 NCC Group Japan KK Japan Cyber Security 4 Level 18, Yesibu Garden Place Tower, 4-20-3 Ebisu Shibuya-Ku, Tokyo NCC Group (Americas) Inc. USA Holding company 650 California Street, Suite 2950, San Francisco, CA 94108, USA (North America HQ 2 ) NCC Group, LLC USA Software Resilience and central/head office costs North America HQ 2 NCC Group Cyber Security (Americas), LLC USA Holding company North America HQ 2 NCC Group Security Services, Inc. USA Cyber Security 4 North America HQ 2 NCC Group Secure Registrar, Inc. USA Domain services North America HQ 2 NCC Group Domain Services, Inc. USA Domain services North America HQ 2 NCC Group Security Services Corporation Canada Cyber Security 4 Suite 2700, The Stack, 1133 Melville St, Vancouver, BC V6E 4E5 Payment Software Company, Inc. USA Cyber Security 4 North America HQ 2 Payment Software Company Limited England and Wales Cyber Security 4 XYZ 1 NCC Group Software Resilience (Americas), LLC USA Holding company North America HQ 2 NCC Group Escrow Associates, LLC USA Software Resilience North America HQ 2 NCC Group Software Resilience (NA), LLC USA Software Resilience North America HQ 2 Fox-IT Belgium B.V. Belgium Cyber Security 4 Silversquare, Antwerp Tower, Frankrijklei 5, 2000 Antwerp, Belgium The undertakings in which the Company holds less than a 100% interest at the year end are as follows: Undertaking % interest Country of incorporation Principal activity Deposit AB 24% Sweden Software Resilience The Directors consider the above ownership structure to give rise to no significant influence over the undertaking. There is no Board representation, and the Group has no power to participate in the operating and financial policy decisions of the undertaking. Accordingly, the undertaking of Deposit AB has not been consolidated. 1 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ. 2 650 California Street, Suite 2950, San Francisco, CA 94108, USA. 3 Olof Palmestraat 6, 2616 LM Delft, Netherlands. 4 Formerly Assurance. 33 Investments in subsidiary undertakings continued Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 211 2 Formerly Assurance. 34 Disposals On 31 December 2022, the Group completed the planned disposal of its DDI business for consideration of £5.8m. Of this amount, £3.8m, is contingent on the novation of certain customer contracts. The assets and liabilities included as part of the disposal were as follows: 2023 £m Attributable goodwill (1.0) Trade and other receivables (1.2) Trade and other payables 1.2 Net assets disposed of (1.0) Consideration 5.8 Transaction costs (0.1) Gain on disposal 4.7 Satisfied by: Cash and cash equivalents 2.0 Contingent consideration 3.8 Consideration 5.8 35 Acquisitions Prior period acquisition of IPM business On 1 June 2021, shareholder approval was passed for the acquisition of the IPM business of Iron Mountain, comprising substantially all of the assets of Iron Mountain Intellectual Property Management, Inc. together with certain other assets of affiliates of Iron Mountain exclusively related to the IPM business. The primary reasons for the business combination are to: • Scale-up the Group’s core business to create a global business and platform for further growth • Generate revenue synergies through allowing the enlarged division to offer NCC Group broader suite of established verification services as well as the newer Escrow-as-a-Service (EaaS) cloud offering to the IPM business’s existing customer base • Present an exciting new opportunity to sell NCC Group Cyber Security 2 services into the IPM business’s broad and blue-chip customer base in the medium term • Be accretive to earnings per share from completion, even without factoring in revenue synergies • Result in greater strategic strength for the future Management considers shareholder approval of the transaction determines a change in control and therefore the date of shareholder approval is considered to be the acquisition date for the transaction. Shareholder approval was granted on 1 June 2021 and the IPM Software Resilience business has been consolidated into the Group results from that date (see Note 3). Transfer of consideration for the acquisition was made on 7 June 2021, which is commonly referenced within these Financial Statements as being the date of practical completion of the transaction. Details of assets acquired that are subject to fair value adjustments are noted below. The acquisition for an original total consideration of $220.0m was subsequently adjusted during the year ended 31 May 2022 to $216.1m (£152.0m) to reflect a normalised working capital adjustment of $2.7m and a final positive net working capital adjustment of $1.2m. The acquisition was funded through an equity net placing of £70.2m ($98.4m) on 17 May 2021 combined with a new three year $70m term loan and the remaining $47.7m funded via existing cash balances and our revolving credit facility. The term loan was entered into on 12 May 2021 but not drawn down until 2 June 2021. The fair value of assets and liabilities acquired can be summarised as follows: Fair value £m Identifiable intangible assets: (Note 12): C ustomer relationships 91.4 Computer software 1.2 Right-of-use assets 0.2 Trade and other receivables 3.8 Trade and other payables (0.2) Deferred income (12.1) Lease liabilities (0.2) Deferred tax liability (0.7) Total identifiable assets acquired, and liabilities assumed 83.4 Goodwill 68.6 Total consideration 152.0 Satisfied by: Cash 152.0 NCC Group plc — Annual report and accounts for the year ended 31 May 2023212 Notes to the Financial Statements continued at 31 May 2023 35 Acquisitions continued Prior period acquisition of IPM business continued No cash was acquired as part of the acquisition. Total costs directly attributable to the acquisition of the IPM business totalling £8.5m have been expensed to Individually Significant Items during the year ended 31 May 2021 (£7.6m) and the year ended 31 May 2022 (£0.9m). Issue costs of £2.4m were incurred as part of the equity placing and have been debited to the share premium account in the year ended 31 May 2021. The fair value of the financial assets includes trade receivables with a fair value of £3.8m and a gross contractual value of £5.2m. The goodwill of £68.6m arising from the acquisition consists of the know-how and expertise of the employees transferred to NCC Group plc as part of the acquisition, the future economic benefit arising from the aligning of customers’ existing products with the Group’s products, and it’s fit with existing operations. Goodwill is expected to be deductible for income tax purposes. There is a contingent consideration arrangement that requires amounts to be repaid to NCC Group plc in the event that certain customers terminate their contractual agreements as a result of the change in ownership. The fair value of the contingent consideration potentially due to NCC Group plc is considered to be £nil by management. This fair value was estimated based on comparing the expected number of customers likely to terminate their contractual arrangements as a result of the change in ownership to the threshold for repayment to NCC Group plc. On 31 May 2023, no further information has become available that suggests the fair value of this contingent consideration will be greater than £nil. During the year ended 31 May 2022, a final working capital adjustment had been agreed with the vendor resulting in an amount of £0.8m being returned to the Group and giving rise to a decrease in the fair value of consideration of £0.8m to £152.0m. This adjustment leads to a decrease in goodwill of £0.8m. Additionally, management has identified new information in respect of the opening provision for expected credit losses and has subsequently decreased the fair value of acquired trade and other receivables by £0.8m to £3.8m. This adjustment leads to an increase in goodwill of £0.8m. On this basis, goodwill of £68.6m remains unchanged from that reported for the period ended 30 November 2021. The IPM business contributed £20.2m of the Group’s revenue, £15.6m to the Group’s gross profit and £8.6m operating profit for the period between the date of acquisition (1 June 2021) and 31 May 2022. Measurement of fair values Assets acquired Computer software As there is no active market for such bespoke intangible assets a cost approach has been taken to value computer software acquired based on the cost to recreate the assets. The fair value is based on the estimated time required by appropriately skilled individuals to recreate such assets. Customer relationships The valuation approach taken is the income approach, specifically the multi-period excess earnings method (MEEM). The fundamental principle underlying the MEEM is isolating the net earnings attributable to the asset being measured. There are three key steps in calculating the MEEM: 1. Projecting financial information including cash flows, revenue, expenses, etc. for the IPM business acquired. 2. S ubtracting the cash flows attributable to all other assets through a contributory asset charge (CAC). The CAC is a form of economic rent for the use of all other assets in generating total cash flows that is composed of the required rate of return on all other assets and an amount necessary to replace the fair value of certain contributory intangible assets. 3. Calculating the cash flows attributable to the intangible asset subject to valuation and discounting them to present value. Cash flows are forecast through to FY28 and taken into perpetuity beyond this date. Cash flow forecasts include a level of growth in revenue in addition to specific growth synergies expected from the aligning of IPM customers’ existing products with the Group’s products and IPM’s fit with existing operations. Cash flow forecasts include a level of customer attrition based on historical experience of IPM customer termination rates. Both the amount and the duration of the cash flows are considered from a market participant’s perspective. Lease liabilities The Group measured the acquired lease liabilities using the present value of the remaining lease payments at the date of acquisition. Right-of-use assets The right-of-use assets were measured at an amount equal to the lease liabilities. No significant judgements have been identified as part of this assessment. Deferred income The fair value of the deferred revenue liability has been calculated using a top-down approach. This approach relies on market indicators of expected revenue for any obligation yet to be delivered with appropriate adjustments. This approach starts with the amount that an entity would receive in a transaction, less the cost of the selling effort (which has already been performed) including a profit margin on that selling effort. Financial statements NCC Group plc — Annual report and accounts for the year ended 31 May 2023 213 35 Acquisitions continued Measurement of fair values continued The valuation of purchase price accounting is a key source of estimation uncertainty, in which there are several key assumptions where, if a reasonably possible change in assumption is made, this could result in a material adjustment. A description of the key assumptions and possible sensitivities are provided below: Description of key assumption Reasonably possible scenario Impact The valuation of the customer relationships intangible asset of £91.4m assumes a discount rate of 10.7% driven by the internal rate of return implied by the consideration paid for the acquired business. It is considered reasonably possible that this discount rate could be 1% higher or lower depending on the expected performance of the business post-acquisition. The impact of increasing the discount rate by 1% would be to reduce the value of the customer relationship intangible asset by £6.0m with a corresponding increase in the value of goodwill arising on acquisition. The amortisation on acquired intangibles charged to the Income Statement for the year ended 31 May 2022 would reduce by £0.6m. The impact of decreasing the discount rate by 1% would be to increase the value of the customer relationship intangible asset by £6.8m with a corresponding decrease in the value of goodwill arising on acquisition. The amortisation on acquired intangibles charged to the Income Statement for the year ended 31 May 2022 would increase by £0.6m. The valuation of the customer relationships intangible asset of £91.4m includes an estimate of a level of growth of the revenue generated from that customer base, post- acquisition. The forecasts used assume that revenue (excluding synergies) will increase incrementally to a maximum of a 3.7% annual increase in FY25 before returning to levels more consistent with the US long-term inflationary growth rate in FY26 and beyond. It is considered reasonably possible that this growth rate does not exceed an inflationary US long-term inflationary growth rate of 2%. The impact of this scenario is to reduce the value of the customer relationship intangible asset by £3.1m with a corresponding increase in the value of goodwill arising on acquisition. The amortisation on acquired intangibles charged to the Income Statement for the year ended 31 May 2022 would reduce by £0.4m. Prior period acquisition of Adelard business On 20 April 2022, shareholder approval was passed for the acquisition of substantially all of the assets of Adelard LLP for £3m. This gave rise to goodwill of £1.1m, intangible assets of £1.3m, right of use assets of £0.2m, trade receivables and other receivables of £0.9m and current liabilities of £0.5m. Consideration payable of £3.0m is represented by £1.0m cash paid on completion and a further contingent consideration (dependent on novation of contracts and FY23 revenue performance) of £1.9m (discounted). At 31 May 2023, a further £1.0m cash consideration had been paid following the successful novation of certain sales contracts. Adelard is a Cyber Security 2 expert in high value critical systems for national and industrial infrastructure and its services are complementary to the Group. 36 Post balance sheet events In line with the Group’s next chapter strategy, during September 2023, the Group issued external marketing material to potentially dispose of an element of the Europe Cyber Security 2 CGU as it is considered non-core to the Group. 37 Audit exemption The subsidiary undertakings listed below are exempt from the Companies Act 2006 requirements relating to the audit of their individual accounts by virtue of Section 479A of the Act as this company has guaranteed the subsidiary company under Section 479C of the Act. Company name Principal activity Payment Software Company Limited 10059024 NCC Group Cyber Security Limited 13287219 NCC Group Cyber Security (UK) Limited 13294277 NCC Group Cyber Security (APAC) Limited 13294684 NCC Group Audit Limited 04323323 NCC Group Signify Solutions Limited 03915262 NCC Group Finance Limited 13350193 The Directors acknowledge their responsibility for complying with the requirements of the Companies Act 2006 with respect to accounting records and preparation of accounts. 2 Formerly Assurance. NCC Group plc — Annual report and accounts for the year ended 31 May 2023214 Notes to the Financial Statements continued at 31 May 2023 Glossary of terms – other terms Other terms Definition and usage Code Guidance, issued by the Financial Reporting Council in 2016 and updated in 2018, on how companies should be governed, applicable to UK-listed companies including NCC Group plc. Adjusted Any result described as adjusted excludes the impact of Individually Significant Items, and any tax on any of these items. Adjusted earnings Adjusted earnings are defined as statutory earnings before amortisation of acquisition intangibles, Individually Significant Items and the share-based payments charge, net of the tax effect of these items. Adjusted operating profit margin 1 Calculated as Adjusted operating profit divided by revenue from continuing activities. AGM Annual General Meeting of shareholders of the Company held each year to consider ordinary and special business as provided in the Notice of AGM. Alternative Performance Measure (APM) An Alternative Performance Measure (which is denoted in each case or use thereof by a footnote) is a non-GAAP performance metric used by management either internally or externally to present management’s view of the underlying business performance. They are not superior to GAAP-based measures and are simply an alternative way of looking at performance. See Note 3 for further information. Board The Board of Directors of the Company (for more information see pages 88 and 90). Cash conversion ratio 1 Calculated as cash generated from operating activities before interest and taxation divided by Adjusted EBITDA 1 , expressed as a percentage. CDO Cyber Defence Operations. CEO Chief Executive Officer. CFO Chief Financial Officer. CISO Chief Information Security Officer. Company, Group, NCC, we, our or us We use these terms, depending on the context, to refer to either NCC Group plc, the individual Company, or to NCC Group plc and its subsidiaries collectively. CPO Chief People Officer. CTO Chief Technology Officer. Directors, Executive Directors and Non-Executive Directors The Directors/Executive Directors and Non-Executive Directors of the Company whose names are set out on pages 88 and 90 of this report. EBIT Earnings before interest and tax. EBIT margin % EBIT margin % is calculated as follows: Adjusted EBIT divided by revenue. EBITDA Earnings before interest, tax, depreciation and amortisation. Calculated as operating profit before Individually Significant Items and adding back depreciation and amortisation charged. EBITDA margin % EBITDA divided by revenue. EPS Earnings per share. Profit for the year attributable to equity shareholders of the Parent allocated to each ordinary share. FCA Financial Conduct Authority. Financial year For NCC Group this is an accounting year ending on 31 May. FRC Financial Reporting Council. Free cash flow Net cash from operating activities less net capital expenditure and acquisition costs. FRS A UK Financial Reporting Standard as issued by the UK Financial Reporting Council (FRC). FVLCTS Fair value less costs to sell. 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. NCC Group plc — Annual report and accounts for the year ended 31 May 2023 215 Additional information Other terms Definition and usage Gross profit Gross profit is revenue less direct costs of sale. It excludes costs considered to be overheads that are supporting the business as a whole as opposed to a specific revenue item. Gross margin %/GM % Calculated as gross profit divided by revenue from continuing activities. HMRC His Majesty’s Revenue & Customs, the tax collecting authority of the UK. IAS or IFRS An International Accounting Standard or International Financial Reporting Standard, as issued by the International Accounting Standards Board (IASB). IFRS is also used as the term to describe international generally accepted accounting principles as a whole. Individually Significant Items Items that the Directors consider to be material in nature, scale or frequency of occurrence that need to be excluded when calculating some non-statutory performance measures in order to allow users of the Financial Statements to gain a full understanding of the underlying business performance. See Note 5 for further information. KPMG The Company’s external auditor, KPMG LLP. LTIP Long Term Incentive Plan established to align the interests of senior and executive management with those of shareholders. The plan is formally known as the NCC Group Long Term Incentive Plan 2013 (approved by shareholders in 2013). MD Managing Director. MDR Managed Detection and Response. Net debt 1 Total borrowings offset by cash and cash equivalents. Ordinary shares Voting shares entitling the holder to part ownership of a company. SAYE/Sharesave Save As You Earn, being a tax efficient scheme to encourage colleague share ownership. Software Resilience Software Resilience represents our escrow resilience services. Subsidiary A company or other entity that is controlled by NCC Group. TSC Technical Security Consulting. TSR Total shareholder return, which is share price growth plus dividends reinvested (where applicable) over a specified period of time, divided by the share price at the start of the period. 1 Revenue growth at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted EPS, cash conversion, net debt and net debt excluding lease liabilities are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. Glossary of terms – other terms continued NCC Group plc — Annual report and accounts for the year ended 31 May 2023216 Other information Directors Chris Stone – Non-Executive Chair Mike Maddison – Chief Executive Officer Guy Ellis – Chief Financial Officer Chris Batterham – Independent Non-Executive Director Julie Chakraverty – Senior Independent Non-Executive Director Jennifer Duvalier – Independent Non-Executive Director Mike Ettling – Independent Non-Executive Director Lynn Fordham – Independent Non-Executive Director Company Secretary Jonathan Williams Registered Group and Company head office XYZ Building 2 Hardman Boulevard Spinningfields Manchester M3 3AQ Registered number 4627044 Registered in England and Wales Joint brokers and corporate finance advisers Jefferies International Limited 100 Bishopsgate London EC2N 4JL Peel Hunt LLP Moor House 120 London Wall London EC2Y 5ET Auditor KPMG LLP 1 St Peter’s Square Manchester M2 3AE Solicitors DLA Piper UK LLP 1 St Peter’s Square Manchester M2 3DE Registrar Equiniti Aspect House Spencer Road Lancing West Sussex BN99 6DA Bankers HSBC UK Bank plc 2nd Floor 4 Hardman Square Spinningfields Manchester M3 3EB National Westminster Bank plc 1 Hardman Boulevard Manchester M3 3AQ ING Bank N.V. London Branch 8–10 Moorgate London EC2R 6DA Fifth Third Bank National Association 38 Fountain Square Plaza Cincinnati OH 45263 NCC Group plc — Annual report and accounts for the year ended 31 May 2023 217 Additional information Financial calendar Ex-dividend date 9 November 2023 Record date 10 November 2023 AGM 30 November 2023 Dividend payment date 8 December 2023 2024 half year end 30 November 2023 2024 interim statement 1 February 2024 2024 year end 31 May 2024 2024 year end trading pre-close statement June 2024 2024 preliminary year end statement September 2024 These dates are provisional and may be subject to change. NCC Group plc — Annual report and accounts for the year ended 31 May 2023218 NCC Group plc’s commitment to environmental issues is reflected in this Annual Report, which has been printed on Magno Satin, an FSC ® certified material. This document was printed by Geoff Neal using its environmental print technology, which minimises the impact of printing on the environment, with 99% of dry waste diverted from landfill. Both the printer and the paper mill are registered to ISO 14001. FSC to be supplied NCC Group plc Annual report and accounts for the year ended 31 May 2023 NCC Group plc Annual report and accounts for the year ended 31 May 2023
Building tools?
Free accounts include 100 API calls/year for testing.
Have a question? We'll get back to you promptly.