Risk management framework

The Group uses an enterprise-wide risk management framework for the identification, assessment, measurement and management of risk, designed to meet its customers’ needs. It seeks to maximise value for shareholders over time by aligning risk management with the corporate strategy, assessing the impact of emerging risks from legislation, new technologies or the market, and developing risk tolerances and mitigating strategies. The framework strengthens the Group’s ability to identify and assess risks; aggregate group wide risks and define the corporate risk appetite; develop solutions for reducing or transferring risk, where appropriate; and exploit risks to gain competitive advantage, thereby seeking to increase shareholder value. The principal elements of the risk management framework are shown below:

The risk management framework above comprises 10 interdependent activities which map to the components of the internal control-integrated framework issued by the Committee of Sponsoring Organisations of the Treadway Commission (COSO).

Lloyds TSB Group business strategy and the desired outcomes for our key stakeholders are used to determine the Group’s high level risk principles and risk appetite measures and metrics for the primary risk types. A key focus in 2007 has been to develop earnings volatility measures to complement existing capital measures for risk appetite. Risk appetite is reviewed annually in line with the overall Group’s appetite and the reward potential of the relevant exposures. Risk appetite is defined, cascaded and monitored.

Group, divisions and business units ensure that there is a process for risk identification of the exposure to each risk type.

The risk appetite is proposed by the group chief executive and reviewed by various governance bodies including the group executive committee and the risk oversight committee. Responsibility for the approval of risk appetite rests with the board. The approved high level appetite and limits are delegated to individual group executive directors by the group chief executive.

The more detailed articulation of the risk principles and distribution of the risk appetite measures amongst the divisions and businesses are subsequently determined by the group chief executive, through consultation with the group business risk committee.

A key component of the risk management framework is the policy framework and accountabilities. The main policy levels are identified below:

• Principles – high level principles for the six primary risk drivers
• High level group policy – policy for the main risk types aligned to the risk drivers
• Detailed group policy – detailed policy that applies across the Group
• Divisional policy – local policy that specifically applies to a division
• Business unit policy – local policy that specifically applies to a business unit

Divisional and business unit policy is only produced by exception and is not necessary unless there is a specific area for which a particular division or business unit requires a greater level of detail than is appropriate for group level policy. The governance arrangements for development of, and compliance with, group, divisional and business unit policy and the associated accountabilities are clearly outlined. All staff are expected to be aware of the policies and procedures which apply to them and their work and to observe the relevant policies and procedures. Line management in each business area has primary responsibility for ensuring that group policies and the relevant local policies and procedures are known and observed by all staff within that area.

Group and divisional risk functions have responsibility for overseeing effective implementation of policy. Group audit provides independent assurance to the board about the effectiveness of the Group’s control framework and adherence to policy. Policies are reviewed at least annually to seek to ensure they remain fit for purpose.

Proportionate control activity strategy is put in place to design mitigating controls, to transfer risk where appropriate and to ensure executives are content with the residual level of risk accepted.

Risk and control assessments are undertaken to assess the effectiveness of current mitigations and whether risks taken are consistent with the Group’s risk appetite (this includes the annual control self assessment exercise).

The impact of risks and issues (including financial, reputational and regulatory capital) are determined through effective risk measurement including modelling and stress testing.

The outcomes of independent reviews (including internal and external audit and regulatory reviews) are integrated into risk management activities and action plans.

Risk reporting is standardised through the use of consistent definitions when reporting, to enable risk aggregation. Divisions monitor their risk levels against their risk appetite seeking to ensure effective mitigating action has been taken where appropriate. Divisional risk reports are reviewed by divisional executive committees to ensure that respective senior management are satisfied with the overall risk profile, risk accountabilities and progress on any necessary mitigating actions. Reporting, including that of performance against relevant limits or policies, is in place at a detailed level appropriate to the exposures concerned and regular information is provided to group risk for review and aggregate reporting. Any significant issues identified in the monitoring process are appropriately reported, and an escalation process is in place to report significant losses to appropriate levels of management. Group risk reports on risk exposures and material issues quarterly to the group asset and liability committee, group business risk committee, group executive committee, risk oversight committee and the board.

At group level a consolidated risk report is produced which is reviewed and debated by the group business risk committee, group executive committee, risk oversight committee and the board to ensure senior management and the board are satisfied with the overall risk profile, risk accountabilities and mitigating actions. During the year the Group’s consolidated risk report was further enhanced to support the ongoing identification, control and effective management of risk.