Group Risk Management

Understanding and managing our risks is front of mind in everything we do. Our risk management framework helps us meet our strategic and operational objectives and is designed to manage both risks and opportunities. Overall, the framework enables our people to make informed business decisions in the best interest of our customers, the Group and our shareholders, whilst encouraging us to embrace the concept of taking measured risks, which drive innovation and growth.

1) Governance – Board responsibility

The Board retains overall accountability and responsibility for the Group's risk management and internal control systems. The Board fulfils its role by:
• defining the risk appetite – the Board periodically reviews the nature and amount of risk the Group is willing to accept when doing business and achieving strategic objectives
• conducting robust risk assessments – the Board undertakes assessments of the principal and emerging risks to understand the potential for these risks to impact the ability to achieve strategic objectives
• reviewing mitigation plans – the Board reviews the principal risk assessments and agrees how these risks should be managed or mitigated to reduce the likelihood of their occurrence or the magnitude of their impact
• identifying emerging risks – the Board reviews the procedures in place to identify emerging risks and challenges how these risks are being managed or mitigated
• approving the principal risks and uncertainties disclosure – at year end, the Board reviews the descriptions of principal risks and uncertainties, the explanations of how these risks are being managed or mitigated, and other relevant information describing the Group's risk management and internal control systems.
The Board recognises that the system of risk management is designed to manage, rather than eliminate, the Group's exposure to business risks, and can only provide reasonable, not absolute, assurance against material misstatement or loss.

2) Governance – Audit and Risk Committee responsibility

The Board has delegated to the Audit and Risk Committee ('ARC') responsibility for assessing the effectiveness of the risk management framework. The ARC fulfils its role by:
• establishing procedures to manage risk and overseeing the internal control framework
• reviewing and challenging the principal risks, emerging risks and the aggregate risk assessments from the 'bottom-up' risk register
• approving the annual internal audit plan and reviewing internal audit reports on the effectiveness of internal controls, arising from the independent assurance work undertaken throughout the year
• undertaking risk deep dives to review high-priority risks, ad-hoc topics and emerging matters
• monitoring management's implementation of audit recommendations and of actions arising from risk assessments

3) Risk Management Framework

Principal Risk Register
The principal risk register is a summary of the top risks, emerging risks and uncertainties facing the Group, as seen by the Executive Leadership Team ('ELT'). It is collated into a Group view after a process of bottom-up and top-down risk assessments, with each risk assigned to a member of the ELT.
The framework is summarised under three headings: the risk landscape, the risk management framework itself, and monitoring and oversight.

Risk landscape

Principal and Group risks – These risks are known to the business and must be managed to ensure we achieve our operational and strategic objectives.

Emerging risks – These are emerging threats that may potentially impact us in the future. Due to their nature, we are unable to assess the likely scale, impact or velocity of the risk. We monitor these threats until they are better understood.

Risk management framework

Each risk on the principal risk register is recorded with:
• Risk ownership – each risk has a named owner
• Risk causes – a list of reasons why the risk could occur
• Likelihood and impact – the possibility of the risk occurring and the estimated harm it would cause
• Inherent risk – assessment of the risk before mitigating controls
• Mitigating controls – implemented by management to reduce or eliminate the risk
• Residual risk – assessment of the risk after mitigating controls are applied
• Risk appetite – set by the Board, this is the level of risk the Group is prepared to accept
• Action plans – workstreams, projects and tasks in place to strengthen controls

Bottom-up registers – Each business unit is responsible for identifying risks arising from day-to-day operations. Management must design and implement adequate control measures and undertake regular risk assessments.

Monitoring and oversight

Board – determines the Group's approach to risk and the procedures put in place to mitigate exposure to risk
Audit and Risk Committee – has delegated responsibility from the Board to assess the effectiveness of risk management and internal controls
ELT risk owners – responsible for managing the risk registers, monitoring internal controls and implementing the action plans
Internal audit – independently reviews the effectiveness of internal controls and provides assurance to the Audit and Risk Committee
Annual Report and Accounts 2021, page 55