
The process

Objectives and strategic goals

The Group considers four types of risk when identifying potential events that could affect the delivery of business objectives and strategic goals. Risks are considered in the context of:

  • Longer-term strategic and emerging threats;
  • Medium-term challenges associated with business change programmes;
  • Shorter-term risks triggered by the changing external environment; and
  • Shorter-term risks in relation to internal operations.

Identify and evaluate

The nature of the risk is fully understood and evaluated by considering the impact and likelihood. Tools and techniques have been developed to understand the relative priority of risk at varying levels throughout the Group. The output is then used as a basis for determining the order in which risks should be managed.

Review and agree

It is the responsibility of senior management teams and Sector Boards across the Group to review, challenge and agree the risk profile for their area of responsibility and start to consider how to allocate resource effectively to manage risk.

Decide response method

The most appropriate means of response (terminate, reduce, accept, or pass-on) is identified, taking into consideration the outcome of any cost-benefit analysis where necessary, to ensure the activity giving rise to the risk is managed within justifiable and tolerable levels and in line with the overall Group appetite.

Develop and implement actions

Existing controls are documented along with any further action plans and delivery dates to treat the risk appropriately. Processes are established to ensure clear action ownership and to monitor progress to help ensure the risk responses are carried out effectively.

Review risk status

The businesses are responsible for reviewing and updating their risk profiles on a quarterly basis to ensure the Group has clear visibility of what its risks are and how they are being responded to.

Reporting and governance

The Board is responsible for risk management and delegates tasks to the Audit Committee, Group Risk Management and Group Audit Services. In addition to the quarterly reviews conducted by the businesses, Group Risk Management consolidates and aggregates all risks identified across the Group to create the Group Risk Profile. This is presented to the Audit Committee on a half-yearly basis for review and is also closely monitored by the Group Risk Management team to ensure that progress in relation to management of risk is sound and effective.

As the responsibility for managing risk clearly resides within the businesses, the Audit Committee invite the individual senior management teams to present and discuss their risk profile on a rotational basis. Additionally, the Group Risk Management team reports on progress of the development and implementation of the framework.

Group Audit Services play a key role in ensuring that the businesses adhere to the risk management framework. They review and test the evaluation of reported risks, ensuring that identified controls are operating effectively and that actions have been validated to appropriately mitigate risks reported.