RBS 2009 Annual Report Download - page 172

Download and view the complete annual report

Please find page 172 of the 2009 RBS annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 390

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327
  • 328
  • 329
  • 330
  • 331
  • 332
  • 333
  • 334
  • 335
  • 336
  • 337
  • 338
  • 339
  • 340
  • 341
  • 342
  • 343
  • 344
  • 345
  • 346
  • 347
  • 348
  • 349
  • 350
  • 351
  • 352
  • 353
  • 354
  • 355
  • 356
  • 357
  • 358
  • 359
  • 360
  • 361
  • 362
  • 363
  • 364
  • 365
  • 366
  • 367
  • 368
  • 369
  • 370
  • 371
  • 372
  • 373
  • 374
  • 375
  • 376
  • 377
  • 378
  • 379
  • 380
  • 381
  • 382
  • 383
  • 384
  • 385
  • 386
  • 387
  • 388
  • 389
  • 390

Business review continued
RBS Group Annual Report and Accounts 2009170
Operational risk*
All the disclosures in this section (pages 170 to 172) are unaudited and
indicated with an asterisk (*). Operational risk is the potential for
financial loss, damage to reputation, or impact upon customers resulting
from fraud; human error; ineffective or inadequately designed
processes or systems; improper behaviour; or external events.
Operational risk is an integral and unavoidable part of the Group’s
business as it is inherent in the processes it operates to provide
services to customers and generate profit for shareholders.
An objective of operational risk management is not to remove
operational risk altogether, but to manage the risk to an acceptable
level, taking into account the cost of minimising the risk as against the
resultant reduction in exposure. Strategies to manage operational risk
include avoidance, transfer, acceptance and mitigation by controls.
To ensure appropriate responsibility is allocated for the management,
reporting and escalation of operational risk, the Group operates a three
lines of defence model which outlines principles for the roles,
responsibilities and accountabilities for operational risk management.
The three lines of defence model and the Operational Risk Policy
Standards apply throughout the Group and are implemented taking into
account the nature and scale of the underlying business. The standards
provide the direction for delivering effective operational risk
management. They comprise principles and processes that enable the
consistent identification, assessment, management, monitoring and
reporting of operational risk across the Group. The objectives of the
standards are to protect the Group from financial loss or damage to its
reputation, its customers or staff and to ensure that it meets all
necessary regulatory and legal requirements.
The Operational Risk Policy Standards are supported by the following
key operational risk management techniques:
Risk and control assessments: business units identify and assess
operational risks to ensure that they are effectively managed,
prioritised, documented and aligned to risk appetite;
Scenario analysis: scenarios for operational risk are used to assess
the possible impact of extreme but plausible operational risk loss
events. Scenario assessments provide a forward looking basis for
managing exposures that are beyond the Group’s risk appetite;
Loss data management: each business unit’s internal loss data
management process captures all operational risk loss events above
certain minimum thresholds. The data is used to enhance the
adequacy and effectiveness of controls, identify opportunities to
prevent or reduce the impact of recurrence, identify emerging
themes, enable formal loss event reporting and inform risk and
control assessments and scenario analysis. Escalation of individual
events to senior management is determined by the seriousness of
the event. Operational loss events are categorised under the
following headings:
Clients, products and business practices;
Technology and infrastructure failures;
Employment practices and workplace safety;
Internal fraud;
External fraud;
Execution, delivery and process management;
Malicious damage; and
Disaster and public safety.
Key risk indicators: business units monitor key risk indicators against
their material risks. These indicators are used to monitor the
operational risk profile and exposure to losses against thresholds
which trigger risk management actions;
1st line of defence
The Business
Accountable for the ownership and
day-to-day management and control of
operational risk.
Responsible for implementing processes
in compliance with Group policies.
Responsible for testing key controls and
monitoring compliance with Group policies.
2nd line of defence
Operational Risk
Responsible for the implementation and
maintenance of the operational risk
framework, tools and methodologies.
Responsible for oversight and challenge
on the adequacy of the risk and control
processes operating in the business.
3rd line of defence
Group Internal Audit
Responsible for providing independent
assurance on the design, adequacy
and effectiveness of the Group’s system
of internal controls.
Operational risk – three lines of defence model
* unaudited