Risk management in main risk types
Operational risk
The group recognises the significance of operational risk, which is inherent in all areas of our business. Operational risk is managed within acceptable levels through an appropriate level of management focus and resources.
Approach to operational risk management
The aim of the operational risk management function is to provide oversight and control of operational risk across the bank and to ensure that this remains within acceptable levels, based on an operational risk appetite set by the board of directors. The prime responsibility for the management of operational risk remains embedded in line management in order for the risks to be managed where they arise.
To support this, an operational risk management framework has been established to ensure that an integrated and effective risk management approach is applied consistently across the group. This framework exceeds the Basel II minimum requirements for the standardised approach and incorporates the qualitative requirements of the advanced measurement approach (AMA) to ensure a smooth conversion when and if the group decides to adopt AMA. It facilitates the identification and assessment of risks, the control of those risks and the ongoing monitoring and reporting of the operational risk profile.
Independent operational risk functions perform control and oversight, including the setting of appropriate policies, governance standards and tools, which include:
- a centralised operational loss database providing management reports used to identify improvements to processes and controls;
- risk and control self-assessment through which existing and potential future risks and their related controls are identified and assessed; and
- key risk indicators which measure specific factors to provide an early warning to proactively address potential exposures.
The group’s operational risk strategy provides for continuous development to keep abreast of legislative and regulatory requirements. In addition, we continue to develop and enhance our standards, policies, methodologies and systems in line with leading practice.
The group maintains a comprehensive insurance programme to cover losses from fraud, theft and damage to physical assets and professional liability claims.
Whilst all elements of operational risk are managed diligently, key areas requiring specific focus are discussed below.
Business continuity management
Business continuity ensures the availability of all key processes required to support essential activities in the event of an interruption to, or disruption of, business. Within the group, business continuity management has been strengthened through good governance, improved recovery plan quality and advanced levels of testing.
A group-wide simulation was conducted during 2005 and particular attention was given to testing and business continuity management within Personal & Business Banking SA. This programme, together with the 2004 initiatives conducted by Corporate & Investment Banking, has significantly advanced group-wide resilience. Going forward, focus will be placed on longer-term sustainability of recovery, including hard-core testing and the completion of contingency facilities, such as geographically separated processing centres, to enable continued business operations in the event of a disaster.
Information risk management
Information risk is the possibility of loss or damage arising from a breach in the confidentiality, integrity or availability of the group’s information. The group’s information risk management practices play a key role in protecting information from a wide range of threats in order to ensure business continuity, minimise business damage and maximise return on investments and business opportunities.
Fraud risk management
Fraud risk management is applied throughout the group and is supported by the group’s forensic services function that operates under the group internal audit mandate set by the group audit committee. The strategic approach focuses on fraud prevention, detection, investigation and whistle-blowing activities. The group maintains a zero-tolerance approach towards fraud and dishonesty.
Risks associated with outsourcing arrangements
The group ensures these risks are adequately managed. This includes a structured approach to ensure:
- alignment of the outsourcing proposal with the group’s business objectives and operating imperatives;
- potential risks which could arise from an outsourcing arrangement are identified and addressed;
- responsibilities for all outsourcing arrangements are clearly understood;
- all outsourcing arrangements comply with regulatory requirements; and
- all the outsourcing objectives are achieved.