Risk governance framework
Prudential’s risk governance framework requires that all of the Group’s businesses and functions establish processes for identifying, evaluating and managing the key risks faced by the Group. The framework is based on the concept of ‘three lines of defence’: risk management, risk oversight and independent assurance.
The diagram above outlines the Group-level framework.
Risk management: As described in the corporate governance report above, primary responsibility for strategy, performance management and risk control lies with the Board, the Group Chief Executive and the chief executives of each business unit.
Risk oversight: Risk exposures are monitored and reviewed by Group-level risk committees, chaired by the Group Chief Risk Officer or the Chief Financial Officer:
- Group Executive Risk Committee: meets monthly to oversee the Group’s risk exposures (market, credit, liquidity, insurance and operational risks) and monitor capital.
- Balance Sheet and Capital Management Committee: meets monthly to monitor the Group’s liquidity and oversee the activities of the Prudential Capital business unit.
- Group Operational Risk Committee: reports to the Group Executive Risk Committee and meets quarterly to oversee the Group’s non-financial risk (operational, business environment and strategic risks) exposures.
The committees’ oversight is supported by the Group Chief Risk Officer, with functional oversight provided by:
- Group Security: develop and deliver appropriate security measures to protect the Group’s staff, physical assets and intellectual property.
- Group Compliance: verify compliance with regulatory standards and inform the Group’s senior management and the Board on key regulatory issues affecting the Group.
- Group Risk: establish and embed a capital management and risk oversight framework and culture consistent with Prudential’s risk appetite that protects and enhances the Group’s embedded and franchise value.
Independent assurance: As described in the corporate governance report above, the Group Audit Committee, supported by Group-wide Internal Audit, provides independent assurance and oversight of the effectiveness of the Group’s system of internal control and risk management.
Principles and objectives
Risk is defined as the uncertainty that Prudential faces in successfully implementing its strategies and objectives. This includes all internal or external events, acts or omissions that have the potential to threaten the success and survival of Prudential.
The control procedures and systems established within the Group are designed to manage, rather than eliminate, the risk of failure to meet business objectives. They can only provide reasonable and not absolute assurance against material misstatement or loss, and focus on aligning the levels of risk-taking with the achievement of business objectives.
Material risks will only be retained where this is consistent with Prudential’s risk appetite framework, i.e.:
- The retention of the risk contributes to value creation.
- The Group is able to withstand the impact of an adverse outcome.
- The Group has the necessary capabilities, expertise, processes and controls to manage the risk.
The Group has five objectives for risk and capital management:
- Framework: design, implement and maintain a capital management and risk oversight framework consistent with the Group’s risk appetite and Risk-Adjusted Profitability (RAP) model.
- Monitoring: establish a ‘no surprises’ risk management culture by identifying the risk landscape, assessing and monitoring risk exposures and understanding change drivers.
- Control: implement risk mitigation strategies and remedial actions where exposures are deemed inappropriate and manage the response to extreme events.
- Communication: communicate the Group risk, capital and profitability position to internal and external stakeholders and rating agencies.
- Culture: foster a risk management culture, providing quality assurance and facilitating the sharing of best practice risk measurement and management across the Group and industry.
The Group Executive Committee and the Board are provided with regular updates on the Group’s economic capital position, overall position against risk limits and RAP. They also receive the annual financial condition reports prepared by the Group’s insurance operations.
The Group Audit Committee is provided with minutes of the Group Operational Risk Committee, and regular updates on financial and operational risk exposures.
Group Head Office oversight functions have clear escalation criteria and processes for the timely reporting of risks and incidents by business units. As appropriate, these risks and incidents are escalated to the various Group-level risk committees and the Board.
Internal business unit routine reporting requirements vary according to the nature of the business. Each business unit is responsible for ensuring that its risk reporting framework meets both the needs of the business unit (for example, reporting to the business unit risk and audit committees) and the minimum standards set by the Group (for example, to meet Group-level reporting requirements).
Business units review their risks as part of the annual preparation of their business plans, and review opportunities and risks against business objectives regularly with Group Head Office. Group Risk reviews the impact of large transactions or divergences from the business plan, and reports on it to Group Head Office.