Principal risks & uncertainties

The Group’s approach to risk is documented in our Risk and Assurance Framework and this contains our risk appetite statements. These are determined by the Group Combined Board and set out the boundaries of risk taking that the Group can operate within to achieve its aims.

Risk management policies and procedures are based on an integrated cycle of activity that includes:

• Setting and understanding the risk context – internal and external,
• Risk assessment – risk identification, risk analysis and risk evaluation,
• Risk response – tolerate, treat, terminate, or transfer,
• Risk monitoring and review and
• Risk consultation and communication.

Regular risk reports are provided to the Group Combined Board, Executive Board and Audit and Risk Committee. The Audit and Risk Committee also receives an assessment of the level of assurance provided by each of the three lines of defence; direct control and self-assessment, internal oversight and challenge and external audit, highlighting any areas of concern and the mitigating activities underway to address these. The key strategic risks are subjected to regular scenario stress testing of their financial impacts on our Financial Plan.

The following table gives an overview of the principal risks the Group has faced over the last 12-month reporting period and summarises the key controls in operation and mitigating actions that have taken place or are underway.

The Group recognises that as the business evolves so must its risk management framework. To ensure that we continue to enhance and leverage our risk management capabilities the Group will transition to an enterprise-wide risk management approach over the next 12 months.