
Risk Management


The Board acknowledges its overall responsibility for the Group's system of internal control and for reviewing its effectiveness, whilst the role of executive management is to implement Board policies on risk and control.

Executive management has implemented an internal control system designed to facilitate the effective and efficient operation of the Group and its business units and aimed at enabling management to respond appropriately to significant risks to achieving the Group's business objectives. It should be noted that the system is designed to manage, rather than eliminate, the risk of failure to achieve the Group's business objectives, and can only provide reasonable, and not absolute, assurance against material misstatement or loss.

This system of internal control helps to ensure the quality of internal and external reporting, compliance with applicable laws and regulations, and internal policies with respect to the conduct of business. The Board has reviewed the effectiveness of the system of internal control during and at the end of the year. This review covered all material controls, including financial, operational and compliance controls and risk management systems.

The Board is of the view that there is a sufficient ongoing process for identifying, evaluating and managing the significant risks faced by the Group, and that this process has been in place for the year ended 31 December 2006 and up to the date of approval of this Report. The process accords with the Turnbull guidance set out in 'Internal Control Guidance for Directors on the Combined Code' and is regularly reviewed by the Board.



Approach to risk management

Creating shareholder value is the Group's overriding business objective, and the Group therefore derives its approach to risk management and control from a shareholder value perspective. As a result, the risk process is based on an Enterprise Risk Management (ERM) concept, which takes a holistic approach to managing risks on an enterprise-wide basis. This involves focusing on the identification of the key risks that affect the achievement of Group's objectives. Such risks are firstly understood on an inherent basis, which involves understanding the main drivers to such risks in the absence of any controls. Thereafter there is an assessment of the residual level of risks, taking into account the controls that are in place to manage such risks. Where the residual level is outside the risk appetite, further controls and action are defined to bring the risks within the risk appetite. An important aspect of this approach is the recognition that risk management is not limited solely to the downside or risk avoidance, but is about taking risk knowingly.

In order to meet its ERM objectives, the Group applies the ERM framework issued in September 2004 by COSO (Committee of Sponsoring Organisations of the Treadway Commission). This risk framework contains the following components: (i) a robust risk governance structure; (ii) risk appetites established at Group and subsidiary level; (iii) Group-wide risk policies; and (iv) methodologies that focus on risk identification, risk measurement, risk assessment, action plans, monitoring and reporting. Each component is explained in more detail below.

Risk Governance

The Group's risk governance model is based on three lines of defence. This model distinguishes between functions owning and managing risks, functions overseeing risks, and functions providing independent assurance.

Under the first line of defence, the Board sets the Group's risk appetite, approves the strategy for managing risk and is responsible for the Group's system of internal control. The Group Chief Executive, supported by the Management Board, has overall responsibility for the management of risks facing the Group and is supported in the management of these risks by management at the operating subsidiaries. Management and staff within each business have the primary responsibility for managing risk. They are required to take responsibility for the identification, assessment, management, monitoring and reporting of enterprise risks arising within their respective areas.

The second line of defence comprises, firstly, the Group Chief Executive, supported by the Old Mutual Executive and the principal subsidiary and business unit management, performing risk monitoring and oversight, and, secondly, the Group Finance Director, Group Head of Risk & Compliance and subsidiary Chief Risk Officers, supported by their respective Finance and Risk functions and other specialist in-house functions at Company and subsidiary levels, who provide technical support and advice to operating management to assist them with the identification, assessment, management, monitoring and reporting of financial and non-financial risks. The Group risk function recommends Group Risk Principles to the Board for approval, provides objective oversight and co-ordinates ERM activities in conjunction with other specialist risk-related functions. Group Risk is not, however, accountable for the day-to-day management of financial and non-financial risks.

The third line of defence is designed to provide independent objective assurance on the effectiveness of the management of enterprise risks across the Group. This is provided to the Board through the Group internal audit function, the external auditors and the Group Audit and Risk Committee, supported by audit committees at subsidiaries.

Internal Audit

The Group internal audit function operates on a decentralised basis, with teams established at all major businesses. Reports are submitted directly to the Group Internal Audit Director, who in turn reports to the Chairman of the Group Audit and Risk Committee and the Group Chief Executive. Internal audit carries out regular risk-focused reviews of the control environment and reports on these to local executive management. It also enjoys unrestricted access to the audit committees of the Group's principal subsidiaries.

The internal audit function has recently moved to a single audit methodology, updated and aligned to current international standards by a Professional Practice Unit, which is a centralised function responsible for ensuring quality and consistency of internal audit working practices and staff competency around the Group. The roll-out of this methodology has coincided with the change to the TeamMate™ software, which is now used by all internal auditors across the Group.

The next major review of internal audit by external experts is planned for 2008, in keeping with the IIA Inc standards of professional practice.

Risk Appetite

The fundamental purpose of the Group's risk appetite is to define how much risk the Group is willing to take. Risks or events falling outside the agreed risk appetite are identified for immediate remedial action and subjected to executive management and Group Audit Committee oversight. The Group's risk appetite encompasses: (i) volatility and quantum of returns to shareholders; (ii) value for money for customers; (iii) financial strength ratings; (iv) regulatory solvency; and (v) how risks are monitored and controlled. Compliance with the risk appetite is monitored through the quarterly business review process.

Group Risk Principles

Group risk principles have been established for each major risk category to which the Group is exposed. These are designed to provide management teams across the Group with guiding principles and requirements within which to manage risks. Business unit risk policies expand on these principles and contain detailed requirements for the specific business concerned.

Adherence to these principles provides the Board and the Company's stakeholders with assurance that high-level common standards are consistently applied throughout the Group and also contributes to how the Group governs itself.

Risk Methodologies

Risk identification
Strategic objectives reflect management's choice as to how the Group will seek to create value for its stakeholders. Strategic objectives are translated into business unit objectives. Risks (and risk events) are then identified that would prevent the achievement of both the strategic and business objectives, i.e. objective-setting is a pre-condition to the risk management process as well as an ongoing process. For this reason, risk identification is part of the annual business planning process as well as an ongoing process. The resultant risks are recorded in a risk log, with details of risk owners, existing controls or actions to mitigate the risks and any associated time frame, and a measure of the residual risk. Where the residual risk is deemed to be outside the risk appetite, it is transferred to a control log for remedial action.

Risk assessment and measurement
Various means of assessing and measuring enterprise risks and risk events are used throughout the Group. These include estimating the financial impact and the likelihood of risk occurrence, trend and traffic light assessments and high/medium/low assessments.

Action plans
Action plans to implement the risk management strategy in respect of key risks or to remedy a material breakdown in control are recorded on risk and control logs maintained by each business grouping.

Monitoring and control
The Board regularly receives and reviews reports on risks and controls across the Group. These reviews cover all material controls, including financial, operational and compliance controls and risk management systems.

Management teams in each subsidiary and business unit have performed annual reviews of the control environment in their business and have produced reports reflecting appropriate assurances.

Risk monitoring is undertaken at Group, principal subsidiary and business unit level by management, ERM functions, specialised risk management functions, internal audit and subsidiary audit committees.

The following are some of the other key processes of risk monitoring used around the Group:

Reporting
As part of the Board's annual review process, the Chief Executive of each of the Group's major businesses completes a Letter of Representation. This letter confirms that there has been no indication of any significant business risk occurring, nor any material malfunction in controls, procedures or systems during the reporting period, resulting in loss or reputational damage, which impacts negatively on the attainment of the business's objectives during the year and up to the date of approval of the Annual Report. Exceptions are noted and reported. In addition the letter confirms that the business unit will continue as a going concern for the year ahead. The collated results of these letters are reported to the Group Audit and Risk Committee via a Letter of Representation from the Group Chief Executive.

Monthly management reports, reports by the Group Finance Director, risk logs, control logs and exposure reports described under "Monitoring and control" above also form part of the reporting process.

Management of Specific Risks


Details of some of the principal risks arising in each key subsidiary are contained in the Directors' Report - Business Review.