Introduction
Managing risk effectively in a diverse and complex organisation such as the Standard Bank Group requires a strong risk management culture. Our culture supports sound commercial decision-making that adequately balances risk and reward.
Risk management approach
The group’s risk management approach is based on a combination of strong risk oversight at group level and independent risk management structures within the business units.
During 2005, the group’s risk management structures, policies and processes were reviewed. The process of updating them is underway. In future all principal risks will be subject to overarching governance standards. All standards are to be applied consistently across the group and owned by the group risk management committee (GRMC), in line with the group’s minimum control requirements for each risk type.
The standards will form an integral part of the group’s governance infrastructure, reflecting the expectations and requirements of the board in respect of key areas of control across the group.
The standards will ensure alignment and consistency in the way that prevalent risk types are managed across the group with regard to:
- identification;
- measurement;
- management and control; and
- reporting of risk.
The standards will underpin the group’s risk governance principles, which are:
Shareholder value based
The group’s primary objective is to protect and enhance shareholder value. As such, this objective drives the group’s system of internal control.
Embedded
The culture of the group reflects its appetite for risk. A suitable organisational structure, policies and procedures, and appropriate staff training are in place to enable risk to be managed at all levels of the business.
Supported and assured
The system of governance and internal control provides management with assurance that risks are being managed appropriately. The board of directors regularly receives and reviews reports on governance and control processes.
Reviewed
The board of directors undertakes a specific review of the effectiveness of the internal control system and risk management processes at least annually.
Major risk categories
Risks to which the group is exposed can be classified into the following major categories:
- credit risk – arises from customer or counterparty non-performance or default;
- country risk – arises from the uncertainty that obligors in a particular country may not be able to fulfil their obligations to the group because of political or economic conditions in that country;
- liquidity risk – arises if any of the banks in the group have insufficient funds or marketable assets available to fulfil their future cash flow obligations;
- market risk – arises from a decrease in the market value of a portfolio of financial instruments caused by an adverse move in market variables such as equity, bond and commodity prices, currency exchange rates, interest rates and credit spreads, and implied volatilities on all of the above;
- operational risk – results from inadequate or failed internal processes, people and systems or from external events;
- compliance risk – arises from regulatory sanctions, financial loss, or loss to reputation as a result of failure to comply with applicable laws, regulations, codes of conduct and standards of good practice;
- reputational risk – results from damage to the group's image, which may impair its ability to retain and generate business;
- insurance-related risks – are unique to the business of life insurance, including investment and underwriting risks. The group is exposed to insurance-related risks through its effective 30% shareholding in Liberty Life and short-term insurance activities; and
- taxation risk – that the group will incur a financial loss due to an incorrect interpretation and application of taxation legislation or due to the impact of new taxation legislation on existing business.
For financial institutions, a combination of these major risks occurring at the same time would be the most likely cause of significant losses. It is therefore important to ensure a holistic risk management approach – that risk types are not managed in isolation. This approach is followed at a business unit as well as group level.
Risk responsibilities and governance structure
Due to the nature and complexity of, and risk inherent in, the group's activities, a robust risk management structure is in place to ensure adequate oversight. The principal responsibilities set out below extend throughout the group:
- the board of directors reviews and accepts the risk profile appropriate to the group’s growth strategy, and requires that management maintains an appropriate system of internal control. The board delegates risk-related responsibilities to three committees, the group risk management committee, the group audit committee and the group credit committee;
- the director, group risk is responsible for setting a framework that ensures effective risk management and control for all risk types excluding credit and country risk, within the group;
- the director, group credit is responsible for setting a framework that ensures the effective management and alignment of credit risk, including country risk, within the group;
- in each business unit, the heads of risk are responsible for developing and implementing risk policies and procedures specific to their business unit’s risk profile but in compliance with the group’s overarching governance standards, as well as managing risk and risk reporting to relevant committees;
- risk type heads are appointed for each risk area and are responsible for coordinating and managing a specific risk type within their business unit;
- group internal audit independently audits the adequacy and effectiveness of the group's risk management, control and governance processes. The director: group internal audit reports and provides independent assurance to the group audit committee and has unrestricted access to the chief executive and chairman of the board; and
- group compliance is an independent core risk management activity. The director: group compliance reports to the group audit committee and has unrestricted access to the chief executive and chairman of the board.
The group’s governance structure and risk responsibilities matrix is summarised in the diagram below.
Risk appetite and risk tolerance
Risk appetite is the quantum of risk the group is willing to accept in the normal course of business in pursuit of its strategic and financial objectives. Risk taken within “appetite” may give rise to expected losses, but these should be covered by expected earnings.
Risk tolerance is an assessment of the maximum risk the group is willing to sustain for short periods of time. It emphasises the “downside” of the risk distribution, and the group’s capacity to survive unexpected losses. The capacity to take unexpected losses depends on having sufficient capital and liquidity available to avoid insolvency. Risk tolerance typically provides a useful upper boundary for the group’s risk appetite.
The board has delegated its risk-related responsibilities primarily to three committees, the group risk management committee, the group audit committee and the group credit committee, with each committee focusing on different aspects of risk management.
The process to quantify risk appetite is being reviewed and is discussed later in this report.
Basel II
The Basel II Capital Adequacy Framework (Basel II) aims to incentivise banks, through lower capital requirements, to improve their risk management processes.
In June 2004, the Bank of International Settlement released the final version of Basel II. The revisions focused mainly on improving the quantification and management of credit and operational risks, enhancements to the supervisory review process and more extensive risk disclosure.
The South African Reserve Bank (SARB) has announced that the South African implementation date of Basel II will be 1 January 2008, with local banks and the regulator evaluating the impact of the new framework on capital requirements and risk management processes during a parallel run to be conducted for a year prior to implementation (i.e. commencing on 1 January 2007).
The group is currently working towards meeting the “advanced approaches” requirements for all risk categories. The approaches on commencement will be Advanced IRB (Internal Ratings Based) for Personal & Business Banking, Foundation IRB for Corporate & Investment Banking and standardised approach for operational risk. A detailed migration plan for all the entities across the group has been prepared for approval by the SARB. The group’s Basel II programme of initiatives is on track to meet the regulatory timeline of January 2008.
Progress has been significant in aligning Probability of Default (PD) for credit risk rating models with Basel II specifications. Loss Given Default (LGD) and Exposure At Default (EAD) models are being tested and validated by way of initiatives that focus on enhancing the group’s own internal data history by analysing world-wide external data. As LGD significantly impacts the level of capital required under Basel II, much focus is being placed on ensuring that collateral and other credit risk mitigations meet the Basel II eligibility criteria. The group will however be able to leverage off recent investments in sophisticated collateral and collections management systems.
The group’s operational loss database has been in use since 2003. It is being supplemented with risk and control self-assessments and Key Risk Indicators (KRIs) in the identification and monitoring of operational risks in line with Basel II requirements. No significant additional initiatives are required to achieve Basel II market risk compliance for the group. Applications for regulatory approval for internal models for market risk are in progress and other aspects such as changes to regulatory reporting are being addressed.
The implementation of Basel II across the group’s geographically diverse operations is a major challenge, as the group has to meet the requirements of 30 regulators world-wide. Focus has been placed on raising awareness of Basel II even in countries where it will not be adopted. This will enable the group to meet the SARB requirement for group-wide implementation.
The group continues to participate in industry consultations on the development and implementation of Basel II and has 30 representatives involved in 23 SARB Basel II task groups.
Implications of Basel II for the group
Capital
Based on the regulatory and other internal quantitative studies conducted by the group, the overall regulatory capital requirement is expected to remain largely neutral. Changes to the capital requirement within the different portfolios are however observed, i.e. the capital for the Personal & Business Banking portfolio (with regard to credit risk) will be substantially lower but this will be offset by the new capital charge for operational risk, as well as by the increase in the capital requirement for Corporate & Investment Banking in emerging markets. The group continues to assess any potential impact as outstanding areas of uncertainty around the Basel II accord are clarified and continues to participate in the efforts to refine these future capital standards.
Processes and systems
In addition to meeting Pillar 1 (minimum capital) requirements, processes and systems solutions are being implemented to address the Pillar 2 (supervisory review) and Pillar 3 (disclosure) requirements in terms of governance, stress testing and scenario planning, internal capital adequacy assessment, regulatory reporting and disclosure. A leading industry capital calculation solution is being implemented which will leverage off the risk systems investments made by the business entities.
Business benefits
The cost estimate for the Basel II implementation up to January 2008 will be in the region of R250 million. These costs can be attributed mainly to the significant strategic investment in risk IT architecture and solutions and include a number of projects that would have been initiated regardless of Basel II imperatives. These investments will enable sophisticated portfolio analysis and scenario planning. Direct benefit will be derived from the enhancement of collateral management and collections processes, through the minimisation of credit losses. Other business processes also benefit from the enhanced information availability, for example, new product development, pricing and provisioning.