Risk Management

Overall Responsibility for Risk Management

The Board and senior management continue to appreciate that the ongoing success of the Group depends on its collective understanding and management of the Group’s known risks and exposures. At no time has this been brought into clearer relief than during 2020.

The Board has responsibility for ensuring that the Group has an appropriate and proportional approach to risk management across the Group, and that this approach is both generic to the Group’s activities and aligned with the overall corporate strategy. The risks facing the Group continue to evolve and increase or decrease in potential impact and probability of crystallisation over time.

The Group continues to be entrepreneurial and innovative, in spite of, and in many respects because of, the challenges of 2020. COVID-19 has tested the rigour of the Group’s risk management framework and control environment and its ability to adapt, respond and evolve. Both the risk management framework and the control environment have responded well to the challenges posed.

Risk Management Framework and Risk Management Function

The Group has a mature risk management framework and risk function headed by the Chief Risk Officer.

The Group Risk Function is responsible for designing, overseeing, implementing, and improving the risk management framework. It works closely with the Board and senior management, meeting regularly with them to monitor existing identified risks and uncertainties, identify new and emerging risks and to ensure that there are appropriate processes and procedures in place to monitor these risks. It is also responsible for monitoring that the business meets regulatory expectations around enterprise risk management and reporting of risk to the Board and the Group Risk Committee.

Group Risk Committee

The Group Risk Committee is a formally constituted Committee of the Board. A report from the Group Risk Committee Chair on its role, governance, activities, discharging of responsibilities, self-evaluation and plans for 2021 appears on pages 42 to 43 of the 2020 Annual Report.

Risk Appetite

The risk appetite framework sets the boundaries within which risk taking should remain in order to meet the expectations of the capital providers and other stakeholders. For the Group, it is articulated via a series of quantitative and qualitative statements covering all defined categories of risk.

Risk appetite reflects the amount of risk taking which is acceptable to the Group. Accordingly, risk appetite refers to the Group’s attitude to risk taking and whether it is willing or able to tolerate a high or low level of exposure to specific risk or risk categories.

Risk tolerance represents the Group’s ability and willingness to bear risk. When considering this, factors such as the availability of capital, ability to raise capital, strength of underlying operational processes and procedures and strength of the organisation’s culture are all relevant.

The risk appetite framework, which is set at both the Group level and for each of the key business units, is reviewed annually and/or when there are material changes to the overall risk profile of the Group and/or its business units.

Principal Risks and Uncertainties

The principal risks and uncertainties appear within the Strategic Report on pages 20 to 22 of the 2020 Annual Report.

For each principal risk, the title and a brief description of the risks, high level risk appetite statements and key mitigating actions are described. This also includes an overview of how the management and oversight of the principal risks and uncertainties have been managed in 2020 through the lens of COVID-19.

Click here for a description of the Group’s emerging risks process and identified emerging risks.

Internal Control System

The Group’s internal control system comprises the following key elements:

  • Documented governance arrangements continue to evolve along with the overall business strategy
  • Strategic planning process setting priorities for the forthcoming planning horizon, reviewed by the Board periodically to ensure the Group is focusing on its core strengths
  • Detailed planning/budgeting process subject to detailed and ongoing oversight and scrutiny delivering forecasts/targets for Board review and approval
  • Management information systems, including corporate reporting on financial/operating performance
  • A defined risk appetite framework governing management, control and oversight of key risks and issues
  • Overall Group capital adequacy planning conducted biannually
  • Compliance arrangements throughout the Group
  • Internal audit function providing third line assurance to the Board via the Audit Committee following a risk-based, approved annual Audit Plan, on the effectiveness of the Group’s internal controls in respect of key risks identified
  • Risk management function as described above.

The Board considers that the controls in place during 2020 were and continue to be relevant, proportional, and appropriate for the needs of the Group, and in addition are sufficiently flexible to evolve with the changing needs of the business. A number of the Group’s subsidiaries are regulated and accordingly are subject to the relevant degree of local regulatory oversight. Members of the Board and senior management regularly meet with the Group’s various regulatory supervisors, conducting the relationship in an open and constructive manner.

The management of risk and uncertainty is ongoing and iterative and the following overarching process is adopted

The Group’s risk management framework and reporting mechanisms have, while remaining fundamentally unchanged, adapted during 2020 to address the ongoing challenges. Refer to Principal Risks and Uncertainties.

Risk Governance

Risk governance within the Group continues to adopt a three lines of defence model at both Group and business unit/entity level, as depicted in the diagram below.

Own Risk and Solvency Assessments and Equivalents

The own risk and solvency assessment (ORSA) or equivalent is defined as: ‘The entirety of the processes and procedures employed to identify, assess, monitor, manage, and report the short- and long-term risks a firm faces or may face and to determine the own funds necessary to ensure that overall solvency needs are met at all times.’ The report produced as part of this process can be described as the ‘shop window’ of the business planning, capital setting and risk assessment process.