Our risk management processes.
The core processes we use to identify, measure, manage, monitor and report (IMMMR) risks are set out below:
Identify and measure
We carry out regular risk identification as part of our business planning process and any major business initiatives. We draw on internal and external data, covering both normal conditions and stressed environments. We record risks on a business-wide key risk register.
We measure risks on the basis of economic capital (and other bases if appropriate) to determine their significance, relative to the potential return and appropriately direct resources to their management.
Manage and monitor
We monitor to make sure our risk management and mitigation approaches (accept, avoid, transfer, control) are effective. Monitoring may also identify risk-taking opportunities.
We regularly monitor our risk exposures against risk appetites, as well as key risk indicators against operating and financial risk limits and tolerances. We monitor early warning indicators as triggers for management action, such as putting pre-prepared contingency plans into effect.
We monitor the effectiveness of controls in place to manage operational risks, including compliance with our internal business standards.
Our risk reporting is dynamic and focusses on:
- material risks and trends
- performance and its impact on our risk profile, historical and prospective
- decisions, taking account of risk reward trade-offs
- projections/forward-looking views
- mitigating actions
- risk vs. appetite.
Supported by our organisation and people
Good risk management is supported by our people having clear roles and responsibilities, the right skills and capabilities, and the right incentives and rewards.
We strive to embed a risk-aware culture and values in our business through employee training and communications.