Risk Management

The board has overall responsibility for maintaining a system of internal control that ensures an effective risk management and oversight process operates across the group. The risk management framework and associated governance arrangements are designed to ensure that there is a clear organisational structure with well defined, transparent and consistent lines of responsibility and effective processes to identify, manage, monitor and report the risks to which the group is, or might become, exposed.

Identification, measurement and management of risk are strategic priorities for the group. Over the past 12 months the group has continued to strengthen its risk management framework and further develop the group’s risk committee, and its divisional risk committees, which continue working efficiently and effectively.

A key priority of the risk and control framework is to allow business opportunities to be captured while maintaining an appropriate balance of risk and reward. The group’s risk management framework is designed to ensure that the risks to which the group is or may become exposed are identified and that those which the group chooses to take are managed, controlled and, where appropriate, mitigated so that the group is not subject to material unexpected loss.

The group reviews and revises its risk appetite as part of the strategy setting process. This aligns risk taking with the achievement of strategic objectives. Adherence to appetite is monitored by the group’s risk committees.

The risk management framework is based on the concept of “three lines of defence”. Business management are responsible for ensuring that all key risks have been identified, assessed and evaluated and that, where necessary, appropriate controls have been put in place to manage and mitigate them within defined risk appetites. Risk functions provide oversight of this and group internal audit ensures that the first and second lines of defence are working effectively. The risk management framework is illustrated in the table below.

The key principles underlying risk management in the group are:

  • Business management own all the risks assumed throughout the group and are responsible for ensuring that these are managed on a day-to-day basis to ensure that risk and return are balanced;
  • The board and business management promote a culture in which risks are identified, assessed and reported in an open, transparent and objective manner;
  • The overriding priority is to protect the group’s long-term viability and produce sustainable medium to long-term revenue streams;
  • Risk functions are independent of the businesses and provide oversight of and advice on the management of risk across the businesses;
  • Risk management across the group is proportionate to the scale and complexity of the group’s individual businesses;
  • Risk mitigation and control activities are commensurate with the degree of risk; and
  • Risk management and control supports decision making.

First line of defence: Group Risk and Compliance Committee

Reports to the board via the Risk Committee.

The chief executive delegates to divisional and operating business heads day-to-day responsibility for risk management, regulatory compliance and internal control in running their divisions or businesses.

Business management has day-to-day ownership, responsibility and accountability for risks:

  • Identifying and assessing risks;
  • Managing and controlling risks;
  • Mitigating risks; and
  • Reporting risks.

Key features:

  • Promotes a strong risk culture and focus on sustainable risk-adjusted returns;
  • Implements the risk framework;
  • Promotes a culture of adhering to limits and managing risk exposures; and
  • Ongoing monitoring of positions and management of risks.

Second line of defence: Risk Committee

Reports to the board.

The Risk Committee delegates to the chief risk officer day-to-day responsibility for oversight and challenge on risk-related issues.

Risk functions provide support and independent challenge on:

  • Risk framework;
  • Risk assessment;
  • Risk appetite and strategy;
  • Performance management;
  • Risk reporting; and
  • Adequacy of mitigation plans.

Key features:

  • Over-arching “risk oversight unit” takes an integrated view of risk (qualitative and quantitative);
  • Risk management is separate from risk control, but the two work together;
  • Supports the businesses by developing and advising on risk strategies; and
  • Creates constructive tension through challenge, acting as a “critical friend”.

Third line of defence: Audit Committee

Reports to the board.

The Audit Committee mandates the head of internal audit with day-to-day responsibility for independent assurance.

Group internal audit provides independent assurance on:

  • First and second lines of defence;
  • Appropriateness and effectiveness of internal controls; and
  • Effectiveness of policy implementation.

Key features:

  • Draws on in-depth knowledge of the group and its businesses;
  • Provides independent assurance on the activities of the firm, including the risk management framework; and
  • Assesses the appropriateness and effectiveness of internal controls.

The role of the Risk Committee in summary is to:

  • Oversee the maintenance and development of a supportive culture in relation to the management of risk;
  • Review and set risk appetite, which is the level of risk the group is willing to take in pursuit of its strategic objectives;
  • Monitor risk profile against the prescribed appetite;
  • Review the effectiveness of the risk framework to ensure that key risks are identified and appropriately managed; and
  • Provide input from a risk perspective into the alignment of remuneration with performance against risk appetite (through the Remuneration Committee).

The full terms of reference of the Risk Committee can be found here.