Overall Responsibility for Risk Management
The Board and senior management continue to appreciate that the ongoing success depends on its collective understanding and management of the Group’s known risks and exposures.
The Board has responsibility for ensuring that the Group has an appropriate and proportional approach to risk management across the Group, and that this approach is both generic to the Group’s activities and aligned with the overall corporate strategy. The risks facing the Group continue to evolve and increase or decrease in potential impact and probability of crystallisation over time.
The Group continues to be entrepreneurial and innovative in spite of, and in many respects because of, the challenges of the recent years.
Risk Management Framework and Risk Management Function
The Group has a mature risk management framework and risk function headed by the Chief Risk Officer.
The Group Risk Function is responsible for designing, overseeing, implementing, and improving the risk management framework. It works closely with the Board and senior management, meeting regularly with them to monitor existing identified risks and uncertainties, identify new and emerging risks and to ensure that there are appropriate processes and procedures in place to monitor these risks. It is also responsible for monitoring that the business meets regulatory expectations around enterprise risk management and reporting on risk to the Board and the Group Risk and Compliance Committee.
Group Risk Committee
The Group Risk and Compliance Committee is a formally constituted Committee of the Board. A report from the Group Risk and Compliance Committee Chair on its role, responsibilities, operation, areas of focus during 2022, discharging of responsibilities, self-evaluation and plans for 2022 appears on pages 53 to 55 of the 2022 Annual Report.
The risk appetite framework sets the boundaries within which risk taking should remain in order to meet the expectations of the capital providers and other stakeholders. For the Group, it is articulated via a series of quantitative and qualitative statements covering all defined categories of risk.
Risk appetite reflects the amount of risk taking which is acceptable to the Group. Accordingly, risk appetite refers to the Group’s attitude to risk taking and whether it is willing or able to tolerate a high or low level of exposure to specific risks or risk categories.
Risk tolerance represents the Group’s ability and willingness to bear risk. When considering this, factors such as the availability of capital, ability to raise capital, strength of underlying operational processes and procedures and strength of the organisation’s culture are all relevant.
The risk appetite framework, which is set at both the Group level and for each of the key business units, is reviewed annually and/or when there are material changes to the overall risk profile of the Group and/or its business units.
Principal Risks and Uncertainties
The principal risks and uncertainties can be found within the Strategic Report on pages 25 to 27 of the 2022 Annual Report. For each principal risk, the title and a brief description of the risk and key mitigating actions are described.
Internal Control System
The Group’s internal control system comprises the following key elements:
- Documented governance arrangements continue to evolve along with the overall business strategy
- Strategic planning process setting priorities for the forthcoming planning horizon, reviewed by the Board periodically to ensure the Group is focusing on its core strengths
- Detailed planning/budgeting process subject to detailed and ongoing oversight and scrutiny delivering forecasts/targets for Board review and approval
- Management information systems, including corporate reporting on financial/operating performance
- A defined risk appetite framework governing management, control and oversight of key risks and issues
- Overall Group capital adequacy planning conducted biannually
- Compliance arrangements throughout the Group
- Internal audit function providing third line assurance to the Board via the Audit Committee following a risk-based, approved annual Audit Plan, on the effectiveness of the Group’s internal controls in respect of key risks identified
- Risk management function as described above.
The Board considers that the controls in place during 2022 were and continue to be broadly relevant, proportional, and appropriate for the needs of the Group, and in addition are sufficiently flexible to evolve with the changing needs of the business.
A number of the Group’s subsidiaries are regulated and accordingly are subject to the relevant degree of local regulatory oversight. Members of the Board and senior management regularly meet with the Group’s various regulatory supervisors, conducting the relationship in an open and constructive manner.
The scope of the Group Risk Committee was extended in late 2021 to encompass compliance, recognising heightened regulatory scrutiny and the requirement for the appropriate level of governance and oversight in this regard. 2022 was the first full year that the Committee operated in its new guise.
The management of risk and uncertainty is ongoing and iterative and the following overarching process is adopted
The Group’s risk management framework and reporting mechanisms have adapted and will continue to adapt to address the Group’s evolving strategic objectives. This is described in more detail in the Strategic Report.
Risk governance within the Group continues to adopt a three lines of defence model at both Group and business unit/entity level.
Own Risk and Solvency Assessments and Equivalents
The own risk and solvency assessment (ORSA) or equivalent is defined as: ‘The entirety of the processes and procedures employed to identify, assess, monitor, manage, and report the short- and long-term risks a firm faces or may face and to determine the own funds necessary to ensure that overall solvency needs are met at all times.’ The report produced as part of this process can be described as the ‘shop window’ of the business planning, capital setting and risk assessment process.