Our risk governance


We govern risk through group-wide risk policies and business standards, risk oversight committees and clear roles, responsibilities and delegated authorities.

Our Board is responsible for setting the Group’s risk appetite and establishing and operating controls to assess and manage the risks.

The Board delegates day-to-day risk management to the Group CEO, who delegates operational aspects to executives within the Group through delegated authority letters.

Line management in the business is accountable for risk management. Together with the Risk function and Internal Audit, it forms our ‘three lines of defence’ model of risk management.

Internal controls

Our internal controls facilitate:

  • effective and efficient business operations
  • the development of robust and reliable internal reporting
  • compliance with laws and regulations.

We assess our operational risks, and the adequacy and operating effectiveness of the controls implemented to manage and mitigate them, through our Risk and Control Self Assessment (RCSA) process.

We have a Group-wide reporting manual in relation to International Financial Reporting Standards (IFRS), Solvency II reporting requirements and a Financial Reporting Control Framework (FRCF).

FRCF relates to the preparation of reliable financial reporting, covering both IFRS and Solvency II reporting activity.

The FRCF process follows a risk-based approach, with management identification, assessment (documentation and testing), remediation (as required), reporting and certification over key financial reporting-related controls.

Management regularly undertake quality assurance procedures over the application of the FRCF process and FRCF controls.

Our Board delegates day-to-day management of our company and approval of specific issues up to set financial limits to our Group CEO. This includes limits on revenue and capital expenditure, reinsurance spend, and the settlement of claims. In turn the Group CEO delegates some of his authority to his direct reports. We have a similar delegated authority framework in place throughout the Group.

Management as the first line of defence

Management are responsible for:

  • the application of our risk management framework
  • implementing and monitoring the operation of our system of internal control
  • providing assurance to the Audit Committee, the Risk Committee, the Governance Committee and the Board.

Our Group Executive members and each business unit Chief Executive Officer are responsible for:

  • implementing our Group strategies, plans and policies
  • monitoring our operational and financial performance
  • assessing and controlling financial, business and operational risks
  • the maintenance and ongoing development of a robust control framework and environment in their areas of responsibility.

Chaired by our Chief Risk Officer (CRO), the Asset Liability Committee (ALCO) helps the CFO meet his responsibility to manage our Group’s Balance Sheet within risk appetite. It also provides financial and insurance risk management oversight.

Our Operational Risk Committee is also chaired by the CRO. It supports the first line owners of key operations and franchise risks to meet their operational risk management responsibilities.

Our Disclosure Committee is chaired by the CFO and reports to our Audit Committee. It is responsible for:

  • overseeing the design and effectiveness of the Group’s disclosure controls, for both financial and non-financial information
  • evaluating the Group’s disclosure controls and reviews
  • endorsing the Group’s key periodic external reports, including the consolidated financial statements.

Our Business Unit Chief Executive Officers and Chief Financial Officers sign off the results of our FRCF process, and report compliance with FRCF to the Disclosure Committee and the Audit Committee.

The Risk function as the second line of defence

The Risk function is accountable for the quantitative and qualitative oversight and challenge of the identification, measurement, monitoring and reporting of significant risks and for developing the Risk Management Framework (RMF).

As we respond to changing market conditions and customer needs, the Risk function regularly monitors the appropriateness of our risk policies and the RMF to keep them up to date. This helps to provide assurance to risk oversight committees that we have appropriate controls for all core business activities, and that our processes for managing risk are understood and followed consistently across the Group.

The second line Risk function also includes our Compliance and Actuarial functions.

Our Actuarial function is accountable for Group-wide actuarial methodology. It reports to the relevant governing body on the adequacy of our reserves and capital requirements, and on the adequacy of our underwriting and reinsurance arrangements.

Our Compliance function supports and advises the business on the identification, measurement and management of its regulatory, financial crime and conduct risks. It is accountable for maintaining our compliance standards and framework, and for monitoring and reporting on its compliance risk profile.

Internal Audit as the third line of defence

The Internal Audit function gives independent and objective assessment on:

  • the robustness of our RMF
  • the appropriateness and effectiveness of our internal control
  • the adequacy of these systems to manage business risks and safeguard our assets and resources.

It reports to our Group Audit, Governance and Risk Committees, business unit Audit Committees and the Board.

The Internal Audit function has an Internal Audit Charter and Business Standard. The Charter sets out the function’s purpose, scope and responsibilities and how it maintains independence from the first and second line management of the Group.

The four main functions of Internal Audit are to:

  • assess and report on the effectiveness of the design and operation of our framework of controls to assess and manage risk
  • assess and report on the effectiveness of our management actions to address deficiencies in the framework of controls
  • investigate and report on cases of suspected financial crime and employee fraud and malpractice
  • undertake designated advisory projects for management provided that they do not threaten the function’s actual or perceived independence from management.

The Internal Audit Business Standard sets out how our managers support Internal Audit to achieve its objectives. It requires businesses to design and operate processes and controls to satisfy their mandatory requirements in the Standard based on the size and complexity of their business, and the nature of the risks and challenges it faces. Any breaches of the Standard must be reported to the Chief Audit Officer (CAO) and others as appropriate.

Read the full report: Aviva Plc 2017 internal audit charter (PDF 122KB).

Board oversight

Our Risk Committee helps the Board oversee risk and risk management across the Group, and makes recommendations on risk appetite to the Board. Its responsibilities and activities are set out in the Risk Committee Report in the Annual report and accounts.

Our Audit Committee, working closely with our Risk Committee, is responsible for assisting the Board to meet its responsibilities for:

  • the integrity of our financial statements
  • the effectiveness of our system of internal financial controls
  • monitoring the effectiveness, performance and objectivity of our internal and external auditors.

Our Audit Committee’s responsibilities are set out in our Audit Committee Report in the Annual report and accounts.