29 Operational risk
Operational risk is defined as exposure to loss arising from inadequate or failed internal processes, people, systems, or from external events.
Potential for exposure to operational risk extends to all the group’s businesses. All business managers are required to confirm regularly the adequacy of controls to mitigate those operational risks relevant to their responsibilities. Significant control issues are escalated to senior and executive management through the group’s risk management framework. The framework is supported by Risk Oversight teams which facilitate the identification, assessment, monitoring and control of risks across the group’s businesses.
There are a number of categories under which operational risk and its management across the group can be considered, and these are outlined in the following paragraphs.
Internal process failure
The group is potentially exposed to the risk of loss from failure of the internal processes with which it transacts its business. Each business division is responsible for ensuring the adequacy of the controls over its processes. Regular reviews are undertaken of their appropriateness and effectiveness.
The group is potentially exposed to the risk of loss from inappropriate actions by its staff. Recruitment is managed centrally by HR functions, and all new recruits undergo a formal induction programme. All employees have job descriptions setting out their accountabilities and reporting lines, and are appraised annually in accordance with agreed performance management frameworks. Employees in regulated subsidiaries are provided with appropriate training to enable them to meet the relevant regulatory requirements. Risks relating to health and safety and other legislation are managed through the provision of relevant training to all staff.
The group is potentially exposed to the actions or failure of suppliers contracted to provide services on an outsourced basis. The group has defined minimum standards of control to be applied for all outsourced arrangements within a formal outsourcing and critical supplier policy.
Legal risk is the risk of loss from unclear or deficient product documentation; inadequate documentation in support of material contracts such as reassurance treaties; the incorrect interpretation of changes in legislation; employment-related disputes and claims; and commercial disputes with suppliers. The group’s product development and broader legal risk framework defines minimum standards of control to be applied to minimise the risk of loss.
Compliance risk within the group relates to the risk of non-adherence to legislative requirements, regulations and internal policies and procedures. Responsibility for ensuring adherence to relevant legal and regulatory requirements is vested in individual business managers. Regulatory risk functions have oversight of the group’s compliance with conduct of business requirements and standards, providing policy advice and guidance and oversight of compliance arrangements and responsibilities.
Event risk relates to the potential for loss arising from significant external events such as terrorism, financial crisis, major changes in fiscal systems or disaster. Typically, such events have a low likelihood of occurrence, a material impact and can be difficult to prevent. The group’s risk mitigation focuses on minimising the business disruption and potential financial loss which may ensue from such an event. This includes maintaining a framework for the management of major incidents, the maintenance and regular testing of detailed business, technical and location recovery plans and the provision of insurance cover for the loss of buildings, contents and information technology systems and for the increased cost of working in the event of business disruption.
The group is potentially exposed to the risk of internal fraud, claims-related fraud, and external action by third parties. The risk of internal fraud is managed through a number of processes including the screening of staff at recruitment, segregation of duties and management oversight. The activities of Internal Audit also act to counter the risk. Claims-related fraud is managed by ensuring business processes are designed to fully validate claims and ensure that only bona fide claims are settled. Anti-fraud techniques are regularly updated to mitigate risks and emerging threats. The group’s approach to mitigating fraud and other dishonest acts is supported by promoting an open and honest culture in all dealings between employees, managers and those parties with which the group has contact. A formal code of ethics sets out the group’s expectations in this respect. Effective and honest communication is essential if malpractice is to be effectively dealt with. The group has defined whistleblowing procedures to enable all employees and those who work with Legal & General to raise matters of concern relating to Legal & General in confidence.
The group places a high degree of reliance on IT in its business activities. The failure of IT systems or a cyber event could potentially expose the group to significant business disruption and loss. To mitigate this risk, standards and methodologies for developing, testing and operating IT systems in a secure manner are maintained. Disaster recovery facilities enable IT operations to be conducted at remote locations in the event of the loss of computer facilities.
The potential for contagion risk arises as a consequence of the use of a common brand across the majority of the group and the provision of intra-group loans and indemnities. The group has defined policies and procedures for managing matters that may have reputational implications, to ensure that Legal & General’s position is correctly understood. The group also has defined policies for the provision of guarantees, indemnities and letters of comfort.