Operational risk

 
Introduction
Operational risk management framework
Managing operational risk
Insurance cover
Business resilience
Information risk management
Access to information
Financial crime control
Legal risk
Environmental risk and social risk
Occupational health and safety
Taxation risk
Compliance risk
 

Introduction

Operational risk is recognised as a distinct risk category which the group strives to manage within acceptable levels through the promotion of sound operational risk management practices.

Operational risk is defined as the risk of loss suffered as a result of inadequacy of, or a failure in, internal processes, people and systems or from external events. This includes information risk and legal risk, but excludes reputational risk and strategic risk. Operational risk exists in the natural course of business activity.

The group's approach to managing operational risk is to adopt fit for purpose operational risk practices that assist business line management to understand their inherent risk and to reduce their risk profile, in line with the group's risk appetite, while maximising their operational performance and efficiency.
 

Operational risk management framework

The framework adopted by the group sets out a structured and consistent approach for the management of operational risk across the group. The comprehensive risk management approach involves identifying, assessing, managing, mitigating, monitoring and measuring the risks associated with operations, enabling a comprehensive view, analysis and reporting of the group's operational risk profile.

The group standard defines the minimum requirements for operational risk management and is supported by specific policies and procedures to ensure that operational risk is managed in an appropriate manner, and integrated across the group. Business units implement the group framework, policies and procedures but may customise these to better suit their unique and individual environments.

Both centralised and decentralised operational risk management functions are independent from business line management and work in partnership as the second line of defence. Their role is to monitor, manage and report on risks to ensure operational risk exposure remains within the risk appetite as mandated by senior management and the board. These independent functions are also responsible for developing and implementing the operational risk management framework and for promoting sound and relevant risk management practices across the group. Business line management, as the first line of defence, is ultimately responsible for owning and managing risks resulting from their business activities. The day-to-day management of operational risk is embedded within the business areas in order for the risks to be managed where they arise.

The primary oversight body for operational risk is the group operational risk committee (GORC) which reports to GROC, the GRCMC and ultimately the board. GORC is chaired by the group head of operational risk and includes representation from group functions and business units. GORC is also responsible for the approval of the group level operational risk policies and methodologies.

Executive management defines the operational risk appetite at a business unit and group level. This operational risk appetite supports effective decision-making and is central to embedding risk management in business decisions and reporting.

The objective in managing operational risk is to increase the efficiency and effectiveness of the group's resources, minimise operational losses and exploit opportunities. There has been significant investment in the implementation of improved measurement and management approaches for operational risk, strengthening control, improving customer service, improving process efficiency and minimising operating losses.

The group continues to calculate operational risk capital using the standardised approach (TSA), in accordance with SARB approval granted in 2008. In addition to TSA, the group has implemented certain advanced practices to keep it in line with leading risk management practice. Core advanced measurement approach (AMA) components were designed during 2010 and are being implemented within the business areas during 2011. This includes the introduction of an increasing level of quantitative methodology to support the management of operational risk, based on loss data, scenario analysis and capital modelling. The group expects to make a formal application to the SARB for the use of the AMA in the fourth quarter of 2011.
 

Managing operational risk

Independent monitoring of operational risk occurs through a number of functions within the group's risk divisions, including business continuity and information risk management, legal, group financial crime control and operational risk governance.

Operational risk management forms part of the day-to-day responsibilities of management at all levels. The operational risk management framework includes qualitative and quantitative methodologies and tools to assist management to identify, assess and monitor operational risks and to provide management with information for determining appropriate controls and mitigating measures.

These methodologies and tools include:
- An incident database of operational risk events, including near-misses, categorised according to the Basel II business lines and operational risk event types. The incident data collection process ensures that all relevant operational risk incidents (including loss events, near misses and non-financial impacts) are captured on a centralised database. The flow of information into the incident database is a bottom-up approach. The capture process identifies and classifies all incidents in terms of an incident classification list. This information is used to monitor the state of operational risk, address trends, implement corrective action and manage recovery, where possible.
- A risk and control self-assessment process to analyse business activities and identify operational risks. Risk and control self-assessments are designed to be forward-looking. Management is required to identify risks that could threaten the achievement of business objectives and, together with the required set of controls and actions, to mitigate the risks as appropriate. This enables development of a risk profile and understanding of the residual risk. Risk assessment incorporates a regular review of identified risks to monitor significant changes.
- Key risk indicators, used across the group to monitor the relevant risks and controls highlighted in the risk and control self-assessment process as well as in the scenario analyses. Their main purpose is to assist management by providing an early-warning indicator of potential risk exposures and/or a potential breakdown of controls.
 
Operational risk reports are produced on both a regular and an event-driven basis. The reports include a profile of the key risks to business units' achievement of their business objectives, relevant control issues, and operational risk incidents. Specific reports are prepared on a regular basis for the relevant business unit committees and for the GORC, GROC and GRCMC. 
 

Insurance cover

The group's insurance process and requirements are the responsibility of the group insurance committee which maintains adequate insurance to cover key insurable risks. An insurance framework guides the organisation on the optimal use of insurance as a risk transfer mechanism. Operational risk management and insurance management teams collaborate to enhance the mitigation of operational risks.

A comprehensive insurance programme which addresses the diversified requirements of Liberty is in place and is determined after extensive research, investigations and consulting with insurance risk and control experts. The group's financial covers for directors and officers, crime and professional indemnity are underwritten by external parties. 
 

Business resilience

Business resilience includes business continuity management and crisis management.

Business resilience is defined as the ability of the group's business operations to rapidly adapt and respond to internal or external changes (opportunities, demands, disruptions or threats) and to continue operations with limited impact to the business, through proactive management and resilient infrastructure.

Business resilience is primarily focused on developing and maintaining a proactive and holistic response, congruent to the risk appetite of the business line and organisation.

Crisis management is based on a streamlined command and control process for managing the business through a crisis to full recovery. These processes may also be deployed to manage non-operational crises, including business crises, at the discretion of senior management.

Business continuity management is an integral component of the group's risk management framework. The group's business continuity strategy is structured to ensure strong central monitoring and reporting and decentralised execution, and is supported by an entrenched governance process. The group continues to ensure that business continuity is managed in an effective manner through a framework of policies, procedures and tools to identify, assess, monitor, control and report such risks.

The various business units continually receive updated methodologies, as well as testing and training relevant to their local business requirements, to increase their capability to deal with interruptions to business. This is achieved through active assessment of the changing business environment, reference to and incorporation of updated and emerging best practice standards worldwide, pre-planned simulations and desktop assessments, and interrogation of identified risks and threats to the operational continuity of the group.

Contingency and recovery plans for core services, key systems and priority business activities have been developed and are revisited as part of existing management processes to ensure that continuity strategies and plans remain relevant. 
 

Information risk management

Information risk is defined as the risk of accidental or intentional unauthorised use, modification, disclosure or destruction of the group's information resources, which compromises their confidentiality, integrity or availability. Information risk management deals with all aspects of information in its physical and electronic forms. It focuses on the creation, use, transmission, storage, disposal and destruction of information.

From a strategic perspective, information risk management is treated as a particular discipline within the operational risk framework. This function is responsible for establishing the framework, and promotes consistent and sound information risk management policies and practices across the group.

Information risk policies and standards have primarily been developed to provide management direction and support for information risk in accordance with business requirements and relevant laws and regulations. The adoption of standards and guidelines is directed by business requirements and practical implications.

Furthermore, ongoing awareness campaigns are conducted to ensure that all employees, contractors and third-party users are aware of information risks, their roles and responsibilities, and are equipped to support the group policies.

The execution of these policies and standards is driven through a network of information security officers embedded within the business lines. This network is functionally overseen by the group chief information security officer. 
 

Access to information

The Promotion of Access to Information Act, 2000 was passed to give effect to the constitutional right of access to information that is held by a private or public body and that is required for the exercise or protection of any rights.

During 2010, the group recorded 22 requests for access to information, of which eleven were granted, three refused and eight withdrawn. The main reasons for the denial of access were that owners of information declined to give consent for access by third parties, that requests fell outside the ambit of the Promotion of Access to Information Act, 2000, that the information requested was subject to criminal or civil proceedings already commenced, and that requests were relevant to other processes in the group. Requests were withdrawn at the requester's instance or abandoned by the requester.
 

Financial crime control

The group has a set of values that embraces honesty, integrity and ethics and in this regard, has a zero tolerance approach to fraud and corruption. During 2010, a strong focus was maintained on anti-fraud campaigns which included reviewing and redesigning our internal processes and engaging external stakeholders in the ongoing fight against fraud.

In long-term insurance operations, internal controls implemented with respect to high-risk processes, for example the payment of death and disability claims, are reviewed regularly by management for effectiveness. 
 

Legal risk

Legal risk arises where:
The group's businesses or functions may not be conducted in accordance with applicable laws in the countries in which it operates. 
The incorrect application of regulatory requirements takes place. 
The group may be liable for damages to third parties.
Contractual obligations may be enforced against the group in an adverse way, resulting from legal proceedings being instituted against it.
 
Although the group has processes and controls in place to manage its legal risk, failure to manage risks effectively could result in legal proceedings impacting the group adversely, both financially and reputationally. 
 

Environmental risk and social risk

Environmental and social risk includes both the threat of adverse effects on the natural environment through emissions, wastes and resource depletion, as well as risks to livelihoods, the health and rights of communities, and cultural heritage arising out of business operations and lending activities. In addition, these risks include the threat to assets as a consequence of environmental impacts, such as extreme weather events. The risks fall within the group sustainability management programme, which is mandated to create a consistent approach to environmental and social management by facilitating policy, systems, performance standards, monitoring and assurance within the group's operations and responsible financing.

All business units in South Africa are represented at the safety, health and environmental risk oversight committee. The committee provides oversight and guidance in managing health, safety and environmental systems, addressing issues such as occupational health and safety in building construction and maintenance, and employee occupational health and safety awareness. Similar committees in each business unit support the group.

During 2010, the group's environmental and social policy was revised to provide a more comprehensive approach to managing environmental and social risks. This will enable the group to improve the way it identifies and manages risks, reduce its direct environmental footprint and explore financial and non-financial opportunities. The revised policy will be implemented in 2011.

To track and manage environment-related aspects of its operations such as energy, water, carbon emissions and waste management, the group implemented an environmental management system. Environmental efficiency targets have been set for SBSA using 2009 as the base year. These targets can be found in the environmental report.

During 2010, the group conducted a pilot project in which it expanded environmental and social risk management measures to specific short-term and bridge financing arrangements, corporate loans and export credit finance with a known use of proceeds. Feedback from these initiatives will be used to evaluate the feasibility of formally expanding these measures into other lending areas in Corporate & Investment Banking. In addition to risk management, teams advise on and originate renewable energy projects, carbon financing and Clean Development Mechanism opportunities.

The group also initiated an independent environmental and social risk review of its operations and current environmental and social procedures to streamline the process, identify high-risk areas and to clarify the implementation of a phased system to manage such risks. Following from this, the group completed a set of tools applicable to lending products and appropriate to levels of environmental and social risk and the consequent business risks. These tools will be rolled out within Corporate & Investment Banking during 2011.

The King Code advocates that the board should regularly receive and review a company's sustainability risks and that the integrated report should include the significant risks. Over the past two years, the process of identifying the group's material issues has involved engaging with internal and external stakeholder groups through a number of initiatives, as well as by considering its risk management processes and feedback from sustainability indices and investment analysts. In 2010, material issues were grouped into six broad categories, in consultation with the group executive committee. These categories are:
sustainable long-term financial performance;
governance, regulation and stakeholder engagement;
sustainable and responsible financial services;
socioeconomic development;
a positive and consistent employee experience; and
the environment.
 
These issues will form the core of the engagement on sustainability issues with the group executive and the board. During 2010 the group executive committee and the directors' affairs committee received updates on important environmental issues, such as climate change. 
 

Equator Principles

As a signatory to the principles the group must ensure that customers to whom it lends capital evaluate and actively avoid, manage or mitigate the social and environmental impacts of the projects being financed.

Standard Bank’s Equator Principles performance assessment system includes the following four tools:
environmental and social screening and categorisation;
environmental and social appraisal documents;
environmental and social action plan; and
environmental and social monitoring report.
 
The diagram below shows the integration of Equator Principles in the credit approval process and transaction lifecycle. 
 
 

Acid water

During 2010, the threat of underground acid mine water decanting in central Johannesburg came to light with the Department of Water and Environmental Affairs disclosing that measures must be taken to prevent polluted water from reaching the critical level of 150 metres below the surface. Media reports suggested that the group's head office was at risk because it is situated over the historic Ferreira Mine. Desktop studies commissioned by the group have indicated that there is no immediate threat to bank property though the contaminated water poses a significant threat to water quality in the Gauteng area. More detailed studies have been commissioned. In the meantime, the group has reviewed its business continuity plans to ensure it is effectively prepared in the event of a threat actually materialising. 
 

Business opportunities

Environmental risks such as those of global climate change also create business opportunities and the group is actively pursuing commercial funding products for the uptake of cleaner technology, alternative energy and carbon trading. The group signed a strategic partnership agreement in 2009 with the United Nations Environment Programme's African Carbon Asset Development (ACAD) facility. This partnership has placed the bank in a strategic position to assist in the development of African carbon markets. During 2010, the African Carbon Asset Development facility selected eleven projects on the African continent for targeted grants.

The group has also been active in carbon credit markets since 2003. Carbon is traded through the group's international operation in London which has a broad set of carbon trading capabilities. It also has dedicated specialists in Brazil, China, Nigeria, Singapore and South Africa. In 2010, the group provided carbon financing to projects responsible for a total abatement of approximately 20 million tons (2009: 25 million tons) of greenhouse gases. 
 

Occupational health and safety

The health and safety of employees, customers and other stakeholders is a priority and the group aims to identify and reduce the potential for accidents or injuries in all its operations. Training of health and safety officers and staff awareness is an ongoing endeavour. Standards that support uniform health and safety requirements across all group operations have been developed and will be rolled out in 2011. 
 

Taxation risk

Taxation risk is the possibility of suffering unexpected loss, financial or otherwise, as a result of the application of tax systems, whether in legislative systems, rulings or practices, applicable to the entire spectrum of taxes and other fiscal imposts to which the group is subject.

In terms of the group tax policy, the group fulfils its responsibilities under tax law in each of the jurisdictions in which it operates, whether in relation to compliance, planning or client service matters. Tax law includes all responsibilities which the group may have in relation to company taxes, personal taxes, capital gains taxes, indirect taxes and tax administration.

Compliance with this policy is aimed at ensuring that the group: 
pays neither more nor less tax than tax law requires;
continually reviews its existing operations and planned operations in this regard; and 
ensures that, where clients participate in group products, these clients are either aware of the probable tax implications, or are advised to consult with independent professionals to assess these implications, or both. 
 
The framework to achieve compliance with the group tax policy comprises four elements:
identification and management of tax risk;
human resources policies, including an optimal mix of staffing and outsourcing;
skills development, including methods to maintain and improve managerial and technical competency; and
communication of information affecting tax within the group.
 
Good corporate governance in the tax context requires that each of these elements is in place as the absence of any one of the elements would seriously undermine the others.

The identification and management of tax risk is the primary objective of the group tax function. This objective is achieved by applying a tax risk matrix approach, which measures the fulfilment of tax responsibilities against the specific requirements of each category of tax to which the group is exposed, in the context of the various types of activity the group conducts. 
 

Compliance risk

Approach to compliance risk management

The group's approach to managing compliance risk is proactive and premised on internationally accepted principles of risk management. These principles are codified in the group's compliance policy and governance standard which are reviewed annually. It is also aligned with other group risk type methodologies. Specialised areas including prudential compliance, taxation, finance and human resources compliance are managed by specific areas of competence within the group.

Group compliance supports business in complying with current and emerging regulatory developments, including money laundering and terrorist financing control, sanctions management, identifying and managing market abuse and mitigating reputational risk. 
 

Framework and governance

Compliance risk management is an independent core risk management activity overseen by the group chief compliance officer who has unrestricted access to the chief executive of the group and to the chairman of the GAC. The group chief compliance officer reports independently to the GAC.

The group's compliance framework is based on the principles of effective compliance risk management prescribed by the Banks Act as well as international standard setting bodies. A hybrid compliance structure incorporating central compliance and line of business compliance functions is responsible for assisting the group in mitigating compliance risk by maintaining an effective compliance risk management framework, while business unit compliance functions are responsible for assisting senior management in effectively managing the compliance risks faced by the respective businesses. Business unit compliance heads have reporting responsibilities to the group chief compliance officer.

The compliance function is responsible for advising senior management on regulatory developments, as well as legislation impacting new business. In addition, all staff are made aware of their regulatory responsibilities through ongoing awareness programmes. Compliance issues are reported to the various governance committees, with material issues being escalated to relevant board committees. To support legislative requirements and the group's approach to compliance risk management, monitoring is undertaken to ensure adherence to the group compliance policy and standards. 
 

Regulation and supervision

The group operates in a highly regulated industry and across multiple jurisdictions. Supervision is undertaken by host country regulators as well as various regulatory bodies in South Africa. The group's primary regulator is the Bank Supervision Department (BSD) of the SARB which supervises the group on a consolidated basis. The group chief compliance officer engages with BSD on a regular basis, as well as with regulators in other jurisdictions. In addition to carrying out prudential supervision, BSD is required to approve the establishment of subsidiaries and new overseas branches.

Other South African financial services supervisory bodies include the FSB which regulates the non-banking aspects of the financial services industry in South Africa and prescribes minimum fit and proper criteria for financial advisors and intermediaries. The Financial Intelligence Centre oversees money laundering and terrorist financing control. The National Credit Regulator is responsible for the regulation of the South African credit industry, while there are various regulatory bodies supervising financial markets activity.

International regulators include the UK Financial Services Authority, the Hong Kong Monetary Authority, and the Central Banks of Argentina, Kenya, Nigeria and Uganda.

The details of relevant South African and host country regulators, including key legislation impacting the group's business, are available in the group sustainability report which can be accessed on the group's website.

Regulatory developments are integral to the group's business planning processes. To support open and positive engagement with regulators in South Africa, an oversight committee comprising senior executives provides oversight to ensure a coordinated strategic approach to the group's engagement with the regulatory and legal environment, as well as interfacing with regulators, industry bodies, policy and law makers and other relevant stakeholders with regard to current and upcoming legislation.

In line with market practice and targeted supervisory focus, the compliance function focuses on market conduct issues including, but not limited to, market abuse, personal account trading and conflicts of interest. Implicit in this is the development of automated monitoring systems, as appropriate.
 

Money laundering and terrorist financing control

Legislation across the group pertaining to money laundering and terrorist financing control imposes significant requirements in terms of customer identification, record keeping and training, as well as obligations to detect, prevent and report money laundering and terrorist financing. The group is committed to continually improving its control measures including customer activity monitoring tools. The money laundering and terrorist financing control standard and policies are continually reviewed to reflect emerging trends. 
 

Compliance risk management training

Management and staff are made aware of their responsibilities in terms of current and emerging legislative and regulatory requirements and developments through induction programmes and by way of ongoing training and awareness initiatives. These cover topics as diverse as supervisory focus areas, treating customers fairly, money laundering and terrorist financing, market conduct and health and safety requirements, among others. A programme has also been put in place to enhance senior executives' awareness of their roles and responsibilities in relation to regulatory expectations and the requirements of the King Code.