Approach to risk management

Risk is a part of doing business. We identify the risks involved and ensure that these are carefully considered and that the level of risk taken is appropriate in relation to its potential impact on the Group’s financial performance and the achievement of the Group’s strategic objectives. Ultimately, we seek to achieve an appropriate balance between taking risk and generating returns for our shareholders.

Our approach to risk management is therefore closely aligned with the Group’s strategy and objectives. When considering the Group’s strategic direction, the Board reviews the level of risk to be taken. Adherence to this level of risk appetite is monitored by the Group Risk Committee.

Risk management process and governance structure

The Board is ultimately responsible for risk management, which includes the Group’s risk governance or oversight structure, and for maintaining an appropriate internal control framework. Responsibility for oversight of risk management is delegated to the Group Risk Committee, which considers the Board’s appetite for risk and any specific limits set. The Group Risk Committee maintains the Group risk review, which summarises the Group’s principal risks and associated mitigating actions.

The Group risk review is a result of thought and input from both management and professionals across the Group, including the Executive Committee. The Group risk review is considered and refined at meetings of the Group Risk Committee and is reviewed by the Audit and Compliance Committee on a quarterly basis. It is also reviewed by the Board with a particular focus on the potential impact on the setting and execution of the Group’s strategy.

The Audit and Compliance Committee is updated at each meeting on the outputs of the latest Group Risk Committee meeting and has the opportunity to contribute views or raise questions.

The Group’s reporting cycle and the dates of key meetings are co-ordinated to ensure that appropriate risk and strategic reviews are performed in alignment with the timetable for meetings of the Board and of the Audit and Compliance Committee.

Further details on the risk management framework can also be found in our Pillar 3 disclosure.