Management of Risk


The [Group], in the course of its business activities, is exposed to insurance, market, credit, liquidity, and operational risks. Overall responsibility for the management of these risks is vested in the Board. To support it in this role, a risk framework is in place comprising formal committees, risk review functions, risk management policies, and risk assessment processes. These are underpinned by defined risk principles describing the behaviours, practices and culture to support effective risk governance. The framework provides assurance that risks are being appropriately identified and managed and that an independent assessment of risks is being performed.

A detailed review of the Group’s inherent exposures to market, credit, insurance, liquidity and operational risks, together with the framework for their management and control, is set out at Note 50 to the Financial Statements. Analysis of specific risk factors underpinning Principal Risks and Uncertainties to the Group is set out in the Principal Risks and Uncertainties section.

Fig. 5. Risk Governance Framework


Committee Structure

Oversight of the risk management framework is performed on behalf of the Board by the [GRCC]. The GRCC meets quarterly and is chaired by the Group Chief Executive. All executive directors are members. In addition, senior managers drawn from across the [Group] are regular attendees. The Chairman of the AC and PricewaterhouseCoopers LLP, as external auditors, have a standing invitation to attend.

The primary role of the GRCC is to ensure there are appropriate processes in place across the Group to identify, assess, monitor and control critical risks facing the Group. It reports regularly to the Board and, as well as providing its minutes to the AC, makes a formal report on its assessment of the operation of the Group’s risk framework. The [GRCC] has sub-committees that provide oversight of specific aspects of the risks to which the Group may be exposed. Details of their roles are set out in Fig. 6. The GRCC monitors contagion risk across the Group.

Detailed monitoring of actual risk positions to tolerances is performed within business operating units. For financial risks, exposures are reported to the relevant sub-committee of the GRCC. To monitor the management of operational risk and compliance with regulation, a Risk and Compliance Committee (RCC) is in place for each of the main business operating units of the Group. [RCCs] formally report both to their operating boards and to the GRCC. Management of risks arising from the Group’s overseas subsidiaries is performed by the boards of the local holding companies, which provide reports to the GRCC.

Risk Review Functions

The Group and business operating unit risk review functions provide oversight of the risk management processes within the Group. A central risk function is responsible for setting the risk management framework, policy and standards. Risk Review Functions in each of the business operating units manage the framework in line with these standards. Their responsibilities include the evaluation of changes in the business operating environment and business processes, the assessment of the effect of these changes on risks to the business and the monitoring of the mitigating actions. The Risk Review Functions also ensure that business operating units’ risk committees are provided with meaningful risk reports and that there is appropriate information to assess risk issues.

Risk Policies

The Group has a common risk language for the classification and aggregation of the types of risk to which it might be exposed. The main categories of financial and non-financial risks are summarised in Fig. 7 below. For each category the Group has defined policies setting out the required risk management framework, minimum standards of control and the approach to determine economic capital for residual exposures. The policies are reviewed and approved by the relevant committees set out in Fig. 6 and ratified by the [GRCC]. Where appropriate, more detailed policies and procedures are in place defining the approach to the management of specific aspects of each risk category. The operation of the Group’s risk policies is supported by Risk Review Functions with independent review by Group Internal Audit.

Further analysis of these risks to the Group, together with high-level management processes, is set out in Note 50 to the Financial Statements.

Fig. 7.

Insurance Risk

The risk arising from higher claims being experienced than was anticipated.

Market Risk

The risk arising from fluctuations in interest and exchange rates, share prices and other relevant market prices.

Credit Risk

The risk that the Group is exposed to loss if another party fails to perform its financial obligations to the Group.

Liquidity Risk

The risk that the Group, though solvent, either does not have sufficient financial resources available to enable it to meet its obligations as they fall due, or can secure them only at excessive cost.

Operational Risk

The risk arising from inadequate or failed internal processes, people and systems, or from external events.

Contagion Risk

The occurrence of a risk in one part of the Group may result in contagion risk elsewhere in the Group.

Risk Assessment Processes

The Group has a standardised assessment framework for the identification and assessment of the different types of risk it may be exposed to and how economic capital should be determined in relation to those exposures. This framework is applicable across all of the Group and establishes a basis of consistency not only for the approach to determining and embedding economic capital management but also for risk assessment, management and reporting processes at all levels of the [Group].

Within the risk assessment framework, four distinct types of risk exposure are identified:

Strategic Risks – uncertainties that arise from the Group’s strategy and the markets in which it operates;

Emerging Risks – matters of internal and external concern;

Inherent Risks – factors that the Group is exposed to as an intrinsic part of the operation of its business; and

Process Risks – operational risks associated with the operation of systems and processes.

Each risk type may be mapped to the risk categories outlined in Fig. 7.

The risk assessment activity is a continuous process and is performed in the context of the identification and management of the significant risks to the achievement of the Group’s objectives. Stress and scenario tests are used to support the assessment of risk. Senior management and the risk review functions review the output of the assessments, with regular reports provided to the [GRCC]. A Group-level risk assessment process determines the overall risks to the Group.

The overall risk framework and interactions are set out in Fig. 5.

Compliance with the Code

For the year ended 31 December 2008, the Board believes that the Company complied with the principles and provisions of the Code to the extent that they apply to the Company.

Change of Secretary

Following the resignation of C A Davies, G J Timms was appointed Company Secretary with effect from 1 September 2008.
