Robust, evolving Enterprise Risk Management
During the past 12 months we have strengthened our risk
management framework, embedding a risk appetite process into the
first line of defence and increasing challenge on risks and
management actions. We have developed a process and accompanying
dashboards to assess the effectiveness of the embedded framework in
business units. We have reviewed and revised the Group top risks to
better reflect the risk profile and developed processes for
continuous review.
We continually review our risk management framework, including
risk assessment and modelling tools, against Solvency II and
longer-term requirements. We have aligned our risk categorisation model
with our internal capital model framework and developed key risk
indicators for the Group's top risks. A clearly defined escalation
process for all risk-related matters is now firmly embedded in
business units.
We have enhanced our operational loss data collection and
analysis processes, enabling business units to focus on action to
prevent recurrences as well as remediation. We have put thresholds
in place for reporting losses to appropriate committees, and a
greater emphasis on analysing losses by category has enabled us to
take more streamlined action. The enhanced risk reporting framework
provides better quality management information and the introduction
of standard risk reports has ensured consistency of reporting to
committees. Snapshot reporting outlines key risk information in
each business unit and supports the Executive Committee's
decision-making processes. Policies will be amended in line with the revised
strategic controller model, risk management categories and Solvency
II.
The following sections set out our risk management framework,
illustrating how each layer of tools and systems gives us assurance
to manage the upside of risks better by maximising opportunities
while minimising the downsides or threats. In this context, this
section covers:
- Risk management governance
- Group oversight, including:
  - Strategy and business planning
  - Risk appetite
  - Stress and scenario testing
  - Policy setting
- The risk framework employed by each of our business units to
provide consistent information.
Risk management governance
We strengthened our risk governance framework in 2010 with the
introduction of clearly defined risk appetite reporting, which
allows us to rapidly identify and respond to changes in risk
exposure. Developments expected in Q2 2011 will enable Group Risk
and business units to model a number of different scenarios against
risk appetite and align these scenarios with investment decisions.
Focus will now move towards more active risk-based steering of the
business.
We consolidated our 'three lines of defence' approach to provide
greater clarity within each of the lines. Changes included:
- Reviewing and enhancing the Group's risk governance structure
by strengthening the mandate of the risk committees
- Dual reporting of business unit Chief Risk Officers to line
management and the Group Risk and Actuarial Director
- Segregation of the Board Risk Committee and Board Audit
Committee in accordance with the recommendations in the Walker
Report
- Adoption of a 'strategic controller' model.
The governance framework is designed to align the risk/reward
balance with corporate governance objectives and ensure it promotes
effective risk management. The framework includes a remuneration
policy for determining risk tolerances that do not encourage risk
taking outside the Group's risk appetite. The remuneration policy
has been designed to eliminate conflicts of interest and support
business strategy, objectives, values, and the long-term interests
of the Group.
The policy is overseen by a Remuneration Committee which is
appointed by the Board and consists of at least three non-executive
directors with relevant experience and a good knowledge of the
Company and the environment in which it operates. This enables the
committee to exercise competent judgement on compensation policies
and the incentives for managing risk, value and capital in line
with stakeholders' expectations.
In this report, we focus on the responsibilities of the second
line of defence committees: Board Risk Committee, Group Executive
Risk Committee and Group Capital Management Committee. The
responsibilities and remit of the first- and third-line forums can
be found in the governance report.
Group Board Risk Committee
This committee's primary purpose is to review, on behalf of the
Board, management's recommendations on risk in relation to the
structure and implementation of the Group's risk framework. This
includes the quality and effectiveness of the internal controls,
risk appetite limits, risk profile and capital management
processes.
The committee reports to the Board any significant risks to the
Group where it considers actions or improvements are needed, and
makes recommendations as to the adequacy of the risk mitigation
plans. The committee works closely with the Group Audit Committee
in assessing the effectiveness of risk management systems and
internal controls. Additionally, the committee provides advice to
the Board and Remuneration Committee on the appropriate targets for
risk-adjusted performance measures and the relationship between
performance objectives, remuneration decisions and risk profile.
The committee meets at least four times a year and otherwise as
required, to review any significant issues that occur outside its
scheduled meetings.
The committee monitors, reviews and provides advice to the Board
on the following key areas:
- The effectiveness of the Group's risk framework and the risk
and regulatory operating plans
- Alignment of the risk appetite to the Group's strategy,
including approving action plans to bring risk exposures within
appetite
- Optimisation of risk by reviewing, monitoring and challenging
the Group's risk profile in terms of risk exposures, risk trends,
risk concentration and performance versus appetite
- The impact and management of significant issues and losses to
the Group
- Proposed strategic acquisitions and disposals of assets
- Allocation of capital within the Group and within businesses to
ensure compliance with regulatory requirements and consistency with
risk appetite limits
- The Group's resilience to unforeseen economic and other shocks,
as evidenced via stress and scenario testing exercises
- Regulatory compliance processes including changes to the
regulatory environment and the adequacy of management actions to
correct regulatory breaches
- Effectiveness of the Group's policy suite and any changes
necessary to evidence compliance with the Group's minimum
standards.
The committee also provides advice to the Board on a number of
inherent risks within the business and is required to act
independently to investigate any activity within its terms of
reference. The committee is authorised by the Board to obtain
external legal, accounting or other independent professional advice
it considers necessary. In addition to an internal reporting line
to the Group Finance Director, the Group Risk and Actuarial
Director has a reporting line to the committee, with direct access
to the Chairman on a regular basis.
The committee, including its chairman, is appointed by the Board
and includes the Group Finance Director and independent
non-executive directors, at least one of whom must have recent and
relevant risk experience.
Group Executive Risk Committee (GERC)
This committee provides support and assurance to the Group Risk
and Actuarial Director on the implementation of the Group's risk
framework including the quality and effectiveness of internal
controls, risk appetite, risk profiles and capital modelling
processes. The committee forms part of the second line of defence
at Group level and is not responsible for any first-line
activities.
The committee comprises senior Group executives from Risk,
Actuarial, Capital, Compliance, and Internal and External Audit.
Its main responsibility is to support the Group Executive Committee
in understanding and overseeing the implementation of the Group's
risk framework, including risk appetite and capital management.
The committee's other key responsibilities are:
- Monitoring and reviewing the Group's risk profile including
losses and control breakdowns
- Proposing risk appetite limits for approval by the Group Board
Risk Committee, allocating these to the Group's respective business
units to optimise results
- Providing assurance that effective risk optimisation is being
fully achieved both within business units and across the Group
- Providing oversight of capital management to ensure allocation
is consistent with risk appetite limits.
The committee receives reports from Group Risk and Actuarial,
Group Finance, Treasury and iCRaFT. It provides input to the Group
Executive Committee and the Group Audit and Risk Committees. It
also works closely with the Group Capital Management Committee.
Group Capital Management Committee
This committee ensures that the Group's capital is managed in a
consistent manner, aligned to the expectations of our shareholders,
and that this capital is provided on an appropriate risk/return
basis, as identified by the GERC. It is the mechanism by which the
Group ensures that capital is allocated to business units in line
with Group strategy, and that appropriate return rates are set and
monitored. If necessary it will reallocate capital for greater
reward.
The committee comprises senior Group executives, including the
Group Chief Executive, Group Finance Director and Group Risk and
Actuarial Director, and representatives from Capital, Treasury,
Strategy and Compliance.
The committee's key responsibilities are:
- Recommending to the Board the Group's capital allocation and
structure and investment strategy
- Setting an appropriate framework for managing capital
- Issuing guidelines and/or recommending targets to ensure the
appropriate management of capital within the agreed risk appetite
limits.