RISK MANAGEMENT
Internal control environment
The Board is responsible for the Group's systems of internal control and for reviewing the effectiveness of those systems, while executive management is responsible for implementing these systems of control in line with the Board's risk and control policies.
Executive management has implemented systems of internal control which support the effective and efficient operation of the Group and its business units, thereby allowing management to respond to significant risks which might prevent the Group achieving its business objectives. These systems of control are designed to manage rather than eliminate risk and as such provide reasonable but not absolute assurance against material loss or financial misstatement.
The Board has reviewed the effectiveness of the system of internal control during and at the end of the year. This review covered all material controls, including financial, operational and compliance controls and the risk management framework.
The Board is of the view that there is a sufficient ongoing process for identifying, evaluating and managing the significant risks faced by the Group, and that this process has been in place for the year ended 31 December 2007 and up to the date of approval of the 2007 Annual Report. The process accords with the Turnbull guidance set out in 'Internal Control Guidance for Directors on the Combined Code' and is regularly reviewed by the Board.
Internal audit
The Group Internal Audit (GIA) function operates on a decentralised basis, with teams established at all major businesses. Internal audit carries out regular risk-focused reviews of the control environment and reports on these to local executive management. The Director Group Internal Audit has access to all reports issued by each audit team and prepares a report to the Group Audit and Risk Committee. He reports functionally to the Chairman of the Group Audit and Risk Committee and administratively to the Group Risk Director and also enjoys unrestricted access to the Chief Executive and the audit committees of the Group's principal subsidiaries.
The internal audit function has adopted a single audit methodology, aligned to current international standards by Group Risk Services, which is a centralised function responsible for ensuring quality and consistency of risk management practices and internal audit working practices around the Group.
An extensive independent review of internal audit by external experts was carried out in 2007, in keeping with the Institute of Internal Auditors' (IIA) Standards of Professional Practice, and GIA was found to be in compliance with the requirements of the IIA.
Categorisation as a Major Retail Group
Old Mutual plc was recategorised as a Major Retail Group by the UK Financial Services Authority for the purposes of regulatory supervision following the Group's acquisition of Skandia during 2006.
Risk governance
The Group's risk governance model is based on three lines of defence. This model distinguishes between functions owning and managing risks, functions overseeing the management of risks, and functions providing independent assurance.
Risk management
Under the first line of defence, the Board sets the Group's risk appetite, approves the strategy for managing risk and is responsible for the Group's system of internal control. Management and staff within each business have the primary responsibility for managing risk, while the Chief Executive, supported by the Group Executive, has overall responsibility for the management of risks facing the Group. Management and staff within the businesses are responsible for the identification, assessment, management, monitoring and reporting of enterprise risks arising within their respective areas.
Risk oversight
The second line of defence is provided by the Group Risk Director supported by subsidiary Chief Risk Officers and their respective Risk functions. In addition, other specialist in-house functions at Company and subsidiary levels, such as Treasury, Actuarial and Legal, provide technical support and advice to operating management to assist them with the identification, assessment, management, monitoring and reporting of financial and non-financial risks. The Group risk function recommends Group Risk Principles to the Board for approval, provides objective oversight and co-ordinates Enterprise Risk Management (ERM) activities in conjunction with other specialist risk-related functions.
Independent assurance
The third line of defence is designed to provide independent objective assurance on the effectiveness of the management of enterprise risks across the Group. This is provided to the Board through GIA, the external auditors and the Group Audit and Risk Committee, supported by Audit and Risk Committees at subsidiaries.
Approach to risk management
The Group derives its approach to risk management and control from a shareholder value perspective. As a result, the risk process is based on an ERM concept, which takes a holistic approach to the managed acceptance of risks on an enterprise-wide basis. This involves identifying the key risks that affect the achievement of the Group's objectives. Risks are assessed on an inherent basis, by establishing the main influences on the risks in the absence of any controls. The residual risk is assessed after identifying the controls in operation. Where the residual level is outside the risk appetite, further controls and action are identified to bring the risks within the risk appetite. Risk management is not limited solely to the downside or risk avoidance, but is about taking risk knowingly and using this for competitive advantage.
In order to meet its ERM objectives, the Group follows a framework which contains the following components:
(i) a robust risk governance structure;
(ii) risk appetites established at Group and subsidiary level;
(iii) Group-wide risk policies and risk language; and
(iv) methodologies that focus on risk identification, risk measurement, risk assessment, action plans, monitoring and reporting.
Each component is explained in more detail in the sections below.
A review of the Group's ERM practices and framework was initiated in late 2007. The results will be used to enhance existing practices and to ensure that the Group continues to employ world-class risk management practices.
Risk appetite
The Group's risk appetite defines the Group's willingness to balance risk exposures against reward, and how those exposures are managed and monitored. Risks or events outside the agreed risk appetite are identified and reviewed, remedial action is agreed, and they are then subject to oversight by executive management and agreed by the Group Audit and Risk Committee. The Group's risk appetite encompasses:
- volatility and quantum of returns to shareholders;
- value for money for customers;
- financial strength ratings;
- regulatory solvency; and
- how risks are monitored and controlled.
Compliance with the risk appetite is monitored through the quarterly business review process.
Group risk principles
Group risk principles have been established for each major risk category to which the Group is exposed. These are designed to provide management teams across the Group with guiding principles and requirements within which to manage risks. Business unit risk policies expand on these principles and contain detailed requirements for the specific business concerned.
Adherence to these principles provides the Board and the Company's stakeholders with assurance that high-level common standards are consistently applied throughout the Group and also contributes to strong governance within the Group.
Risk methodologies
Risk identification
Strategic objectives, reflecting management's choice as to how the Group will seek to create value for its stakeholders, are translated into business unit objectives. Risks (and risk events) that would prevent the achievement of both the strategic and business objectives are then identified. Risk identification is thus part of the annual business planning process as well as an ongoing process.
Risk assessment and measurement
Various means of assessing, categorising and measuring enterprise risks and risk events are used throughout the Group. These include estimating the financial impact and the likelihood of risk occurrence, trend and 'traffic light' assessments and high/medium/low assessments.
Action plans
Action plans to implement the risk management strategy in respect of key risks or to remedy a material breakdown in control are recorded on risk and control logs maintained by each business unit. The expected date of mitigation of the risk is recorded, along with the person responsible for the mitigating action.
Monitoring and control
The Board regularly receives and reviews reports on risks and controls across the Group. These reviews cover all material controls, including financial, operational and compliance controls and risk management systems.
Management teams in each subsidiary and business unit perform annual reviews of the control environment in their business.
Risk monitoring is undertaken at Group, principal subsidiary and business unit level by management, specialised risk management functions, internal audit and subsidiary audit committees. The following are some of the other key processes for risk monitoring used around the Group:
- the Group Finance Director provides the Board with monthly performance information, which includes key performance indicators;
- items on risk logs and control logs (which contain details of any control failures) are reported pursuant to an escalation protocol to the appropriate level of management board or committee, where rectification procedures and progress are closely monitored;
- significant corrective actions are independently monitored for timely completion by internal audit and, as appropriate, by the relevant Audit and Risk Committee;
- exposure reporting, risk concentrations and solvency and capital adequacy reports are submitted to the relevant credit and capital management committees in the normal course of business. Where exposures are in excess of limits, they are treated in the same way as control breakdowns and reported on the relevant control log for Audit and Risk Committee review.
Reporting
As part of the Board's review process, the Chief Executive of each of the Group's major businesses completes a Letter of Representation at the half year and for the full year. This Letter confirms that, during the reporting period and up to the date of approval of the Annual Report, there has been no indication of any significant business risk occurring, nor of any material malfunction in controls, procedures or systems, that has resulted in loss or reputational damage negatively affecting the attainment of the business's objectives. Exceptions are noted and reported. In addition, the Letter confirms that the business unit will continue as a going concern for the year ahead. The collated results of these Letters are reported to the Group Audit and Risk Committee via a Letter of Representation from the Group Chief Executive.
Monthly management reports, reports by the Group Finance Director, risk logs, control logs and exposure reports described under 'Monitoring and control' above also form part of the reporting process.
Management of specific risks
Details of some of the principal risks arising at Group level and in each key subsidiary are contained in the Business Review - Group Finance Director's Report in the Annual Report and Accounts 2007 (see related links).
Extract from the Annual Report and Accounts 2007 - Directors' Report on Corporate Governance and Other Matters.