Risk management is the process of identifying the principal business risks, including regulatory compliance risks, to the group achieving its strategic objectives, establishing appropriate controls to manage those risks and ensuring that appropriate monitoring and reporting systems are in place. The group’s risk management process balances cost against risk within the constraints of the group’s risk appetite and is consistent with the prudent management required of a large financial organisation.

The risk management framework is based on the concept of “three lines of defence”:

•   Risk management: primary responsibility for strategy, performance and risk management lies with the board, the chief executive and the heads of each division and operating business.

 •   Risk oversight: risk management oversight is provided by the Group Risk and Compliance Committee (“GRCC”) and the head of Group Risk working with counterparts in the divisions and operating businesses and with Group Compliance. This is supplemented by a range of risk related committees at divisional and operating business levels which are described further below.

 •   Independent assurance: independent assurance on the effectiveness of the risk management systems is provided by Group Internal Audit reporting to the Audit Committee.

There are clear reporting lines and defined areas of responsibility at board, divisional and business level. This structure is designed to ensure, amongst other things, that key issues and developments are escalated on a timely basis. The group’s risk management framework requires that all of the group’s divisions and operating businesses establish a process for identifying, evaluating and managing the key risks that they face.

The GRCC is a committee established by the chief executive to assist him in the discharge of his responsibility for the group wide management of risk comprising executives of the group board supported by the head of Group Risk, the head of Group Compliance and the head of Group Internal Audit. It meets monthly and is responsible for:

• recommending for board approval the group’s risk appetite;

• the group’s risk management strategy, approach and policy;

• the approval of group-wide policies in respect of risk management and regulatory compliance; and

• receiving regular reports on significant risk management, regulatory compliance and internal control issues and for monitoring their analysis and resolution.

The heads of Group Risk and Group Compliance report to the chief executive and are responsible for the oversight of risk management and regulatory compliance around the group. The head of Group Internal Audit has a primary functional reporting line to the chairman of the Audit Committee with a secondary reporting line to the chief executive for administrative purposes.

The board considers the principal risks facing the group to comprise reputational, strategic, credit, market, liquidity, operational and regulatory compliance.