Key risks and mitigations
Integrity and good conduct are central to our culture and approach to risk management.
The Group is exposed to a variety of risks as a result of its business activities. As such, active and effective risk management is a core competence and we actively monitor the potential impact of current and emerging risks. The Group places significant focus on the integrity and good conduct of employees and the risk management framework is underpinned by a strong ethical culture. This section explains how we control and manage the risks in our business. It outlines key risks, how we mitigate them and our assessment of their potential impact on our business in the context of the current environment.
The Board is accountable for risk and oversight of the risk management process. It considers the most significant risks facing the Group and also uses quantitative exposure measures, such as stress tests, where appropriate. Non-executive oversight of the risk management process with respect to standards of integrity, risk management and internal control is exercised through the Audit and Risk Committee.
It is the responsibility of all employees to uphold the control culture of Schroders and we therefore embed risk management within all areas of the business. Members of the GMC have risk management responsibility for their respective business areas and we expect individual behaviours to mirror the culture and core values of the Group.
The Group Chief Executive and the GMC, as the principal executive committee with responsibility for the monitoring and reporting of risk and controls, regularly review the key risks facing the Group.
The executive oversight of risk is delegated by the Group Chief Executive to the Chief Financial Officer. The Chief Financial Officer has responsibility for the risk and control framework of the Group and independent monitoring and reporting of risks and controls is supported by the Group Head of Risk.
The Chief Financial Officer chairs the Group Risk Committee (GRC). The GRC meets ten times a year and is attended by the heads of the control functions: Group Risk, Compliance, Legal and Internal Audit. Chief Operating Officers from across the business, senior managers from Distribution and Wealth Management and other GMC members regularly attend. The GRC supports the Chief Financial Officer and the GMC in discharging their risk management responsibilities. The GRC reviews and monitors the adequacy and effectiveness of the Group’s risk management framework, including relevant policies and limits. It also reviews trends and exceptions in the most significant risk exposures. The GRC and the Wealth Management Audit and Risk Committee (WMARC) receive reports in respect of risk for Wealth Management.
Lines of defence
The first line of defence against undesirable outcomes is the business operations themselves and respective line managers across Investment, Product, Distribution, Wealth Management and Infrastructure. Business heads take the lead role with respect to identifying potential risks and implementing and maintaining appropriate controls.
Line management is supplemented by the control and oversight functions, including Group Risk, Compliance, Legal and Governance, Finance, Tax and Human Resources, which form the second line of defence. This is supplemented by the compliance monitoring programme, which reviews the effective operation of our processes in meeting regulatory requirements.
Group Internal Audit provides retrospective, independent assurance over the operation of controls and forms the third line of defence. The internal audit programme includes reviews of risk management processes and recommendations to improve the control environment, and is supplemented by external assurance from the Group’s auditors.
Schroders also maintains insurance cover with a broad range of policies covering a number of insurable events.
Lines of defence Overview
We have continued to develop our UK Conduct framework and strengthen our management information and reporting in this key area. We have further enhanced our global oversight of financial crime risk management, our market abuse surveillance tools and a number of our compliance policies in the context of the ever tougher regulatory environment.
The Group Risk operating model has been reviewed and we have strengthened our risk capabilities through the following:
- Recruitment of regional heads of risk in the US, continental Europe and Asia Pacific and particular focus on strengthening our operational risk capability outside the UK
- The development of a Group Risk hub in Hong Kong
- Enhancement of the Group Policy Framework which has been aligned to our material risks and supplemented with policy summaries to increase business awareness and engagement
- Formalisation of our risk appetite statement with supporting measures and metrics.
The Information Security Risk Oversight Committee, Technology Risk Committee and Group Pricing Committee have been added as sub-committees of the GRC. Cyber-crime continues to be at the forefront of industry concerns so we continue to make progress in this area. The Information Security Risk Oversight Committee has set out its strategic aims for 2017, which include: increasing the level of protection across the business; better agility to detect cyber risks; and improved response and recovery to cyber crisis.
Risk Control Assessment process
Further developments have also been made to the Risk and Control Assessment (RCA) process to embed this in the business amongst the first line of defence. RCAs are prepared by line management to identify and assess key operational risks at least annually and when significant changes occur. Associated controls are assessed with regard to their design and performance and line management are required to enhance controls where risks exceed appetite.
The ongoing RCA process is integral to our Risk Management Framework. The RCA cycle is detailed in the diagram above.
In accordance with the UK Corporate Governance Code, the Directors have carried out a robust assessment of the key risks facing the Group and expect Schroders plc will continue to be viable for the next five years.
This assessment has been made in consideration of the business model, expected future performance, solvency and liquidity. Our prospects have been assessed in line with the strategic business planning and forecasting period which has a five-year horizon.
The Directors review financial forecasts and key risks regularly. Key risks, together with the mitigation of these risks, are detailed in this ‘Key risks and mitigations’ section. Within this section, we have outlined the Strategic risks facing the Group. The Board considers the options available to us to mitigate these risks when executing the Group strategy to ensure our ongoing viability is sustained. The business strategy is outlined in the Strategy chapter.
Stress testing from a capital and liquidity perspective has been performed on the Group’s business plan and is integral to the Group’s Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP). Our stress testing considers a number of scenarios which include a range of factors that would lead to either outflows of our AUM or deterioration in the value of assets as a result of a market downturn. The Group also considers the impact of fee attrition where our margins may be compressed, all of which would negatively impact our revenues.
Our scenarios take into account material operational risk events that may occur, such as compliance failings, regulatory fines or sanctions or technology failures which would impact our operations. We recognise that such events would lead to reputational damage which could result in net outflows of assets, which are also factored into our testing.
Having reviewed the results of the above, we have concluded that we are appropriately capitalised should any of the above scenarios be realised and that our ongoing viability would be sustained.
The Directors’ current, reasonable expectation is that Schroders plc will be able to continue in operation, meeting its liabilities as they fall due, over a viability horizon of five years.