
Risk Management Governance


Risk Management Governance & Operational Structure at Sector Level

This structure illustrates that risk management is not the sole responsibility of one individual but rather occurs at, and is supported by, all organizational levels. It is important to note that the risk management structure must be supported by the assurance function of the Audit & Committee.

Board of Directors

The Parent Board of Directors (Parent Board) provides governance and oversight and establishes major policy guidelines for the enterprise risks assumed by the Group. The Parent Board of Directors is ultimately responsible for overseeing enterprise risk management and for ensuring that the necessary policies, procedures and systems are in place to manage the risks associated with these activities. It is the Parent Board of Directors’ responsibility to clearly communicate its goals and objectives concerning enterprise risk management activities to company personnel. The Parent Board is also responsible for approving overall risk limits.

GROUP RISK & SUSTAINABILITY COMMITTEE

The Group Risk & Sustainability Committee (GRSC) is established and authorized by the Board to oversee enterprise activities in order to ensure compliance with company policies, risk appetite and objectives. The GRSC is composed of members of senior management and is headed by the Group Chief Executive Officer (GCEO). Specifically, the GRSC is responsible for:

• Overseeing strategies and issues impacting the Group’s overall risk profile

• Advising the Parent Board of Directors concerning risk policy matters

• Delegating risk management authorities to appropriate company personnel

• Reviewing the effectiveness of the specific hedging strategies implemented

• Oversight of compliance with this policy

• Reviewing appropriate enterprise risk control reports on a regular basis

• Reviewing analysis of risks and assumptions associated with proposed new business ventures

• Recommending changes to risk policies and limits for board approval

• Approving performance measurement benchmarks for personnel and reviewing performance against those benchmarks

• Reviewing all policy and limit violations and taking corrective action as applicable

• Approving the applicable procedures manuals across the Group and for individual subsidiaries that set forth processes and procedures governed by this policy

• Other risk related matters that require the Committee’s attention

The GRSC also has responsibility for the Group’s sustainability strategy and initiatives as outlined in its Charter.

The GRSC will comprise the following persons:

• Group Chief Shared Services Officer (GCSSO)

• Group Chief Financial Officer (GCFO)

• Group Chief Legal and External Affairs Officer (GCLEA)

• Group Chief Strategy Officer (GCSO)

• Group Chief Information Officer (GCIO)

• Group Chief Human Resource Officer (GCHRO)

• Head, Group Internal Audit and Enterprise Risk Management (Head, GIA/ERM)

The GRSC will meet bimonthly at a minimum to review past, current and proposed risk management strategies. The meetings provide the primary forum for the discussion of risk assessments (very high and high rated risks) and ongoing business. Outside of regularly scheduled meetings, members may be called upon to respond to important opportunities or issues. Approval of any issues or submitted strategies requires affirmation by at least 75% of the GRSC members, including the Chief Risk Officer (CRO) or equivalent.

Group Chief Executive Officer

The Group Chief Executive Officer (GCEO) is directly responsible for the Group’s business performance and for review of the risk universe, and supports the operation of appropriate business processes and controls. This function ensures compliance with this policy and will provide appropriate support and assistance to the risk management committee and the Chief Risk Officer in the conduct of their responsibilities.

HEAD OF GROUP INTERNAL AUDIT & RISK (GIA)

The Head of GIA shall provide oversight to the Group’s enterprise risk management activities. The responsibilities of this function include:

• Monitoring compliance with the Group’s risk management policies, procedures and limits and reporting any exceptions to the GRSC

• Understanding the Group’s enterprise risk management strategies

• Implementing, performing and documenting stress tests of the Group’s risk positions

• Assessing the effectiveness of the Group’s internal controls and procedures; ensuring existing controls and procedures are appropriate and efficient, and determining the need for, and facilitating the development of, any additional controls and procedures

• Assessing the effectiveness of the Group’s risk reporting and determining additional reporting requirements

• Assessing the appropriateness of the Group’s disclosures regarding enterprise risk management activities

• Distributing to the GRSC all applicable internal and external audit reports, reviews and findings

• Oversight of the development and implementation of risk management systems and models and the approval thereof

• Reporting results of risk assessments to Sector Executive Management

• Recommending the appropriate risk response for any identified risk

The Head of GIA will, when applicable, instruct the various functional groups to bring themselves into compliance with the Group’s limits and controls.
