RBS 2010 Annual Report Download - page 202

Please find page 202 of the 2010 RBS annual report below.

Risk management: Operational risk* continued
Through the three lines of defence model the Group obtains assurance
that the standards in the GPF are being adhered to. GPF defines
requirements for testing and gathering evidence which demonstrates that
each division and function is appropriately controlled.
GPF is owned and managed by the Group’s operational risk function and
relies upon the operational risk framework for effective implementation
and ongoing maintenance.
Three lines of defence model
To ensure appropriate responsibility is allocated for the management, reporting and escalation of operational risk, the Group operates a three lines of
defence model which outlines principles for the roles, responsibilities and accountabilities for operational risk management.
1st line of defence: The business
- Accountable for the ownership and day-to-day management and control of operational risk.
- Responsible for implementing processes in compliance with Group policies.
- Responsible for testing key controls and monitoring compliance with Group policies.
2nd line of defence: Operational risk
- Responsible for the implementation and maintenance of the operational risk framework, tools and methodologies.
- Responsible for oversight and challenge on the adequacy of the risk and control processes operating in the business.
3rd line of defence: Group Internal Audit
- Responsible for providing independent assurance on the design, adequacy and effectiveness of the Group’s system of internal controls.
The Group’s Operational Risk Policy Standards (ORPS) are incorporated
in the GPF. They provide the direction for delivering effective operational
risk management and are designed to enable the consistent identification,
assessment, management, monitoring and reporting of operational risk
across the Group.
The three lines of defence model and the ORPS apply throughout the
Group and are implemented taking into account the nature and scale of
the underlying business. The following key operational risk management
techniques are included in the ORPS:
• Risk and control assessments: business units identify and assess
operational risks to ensure that they are effectively managed,
prioritised, documented and aligned to risk appetite;
• Scenario analysis: scenarios for operational risk are used to assess
the possible impact of extreme but plausible operational risk loss
events. Scenario assessments provide a forward looking basis for
managing exposures that are beyond the Group’s risk appetite;
• Loss data management: each business unit’s internal loss data
management process captures all operational risk loss events above
certain minimum thresholds. The data is used to enhance the
adequacy and effectiveness of controls, identify opportunities to
prevent or reduce the impact of recurrence, identify emerging
themes, enable formal loss event reporting and inform risk and
control assessments and scenario analysis. Escalation of individual
events to senior management is determined by the seriousness of
the event. Operational loss events are categorised under the
following headings:
- clients, products and business practices;
- technology and infrastructure failures;
- employment practices and workplace safety;
- internal fraud;
- external fraud;
- execution, delivery and process management;
- malicious damage; and
- disaster and public safety.
• New product approval process: this process ensures that all new
products or significant variations to existing products are subject to a
comprehensive risk assessment. Products are evaluated and
approved by specialist areas and are subject to executive approval
prior to launch; and
• Self certification process: this requires management to monitor and
report regularly on the internal control framework for which they are
responsible, confirming its adequacy and effectiveness. This
includes certifying compliance with the requirements of Group
policies.
Each business unit must manage its operational risk exposure within an
acceptable level, testing the adequacy and effectiveness of controls and
other risk mitigants (for example, insurance) regularly and documenting
the results. Where unacceptable control weaknesses are identified,
action plans must be produced and tracked to completion. The Group
purchases insurance to provide the business with financial protection
against specific losses and to comply with statutory or contractual
requirements. Insurance is used as a risk mitigation tool in controlling the
Group’s exposures providing protection against financial loss once a risk
has crystallised.
*unaudited
RBS Group 2010 200
Business review continued