RISK AND CONDUCT
MEASURING OUR STRATEGIC PROGRESS
What success looks like
- Doing the right business the right way, without exception.
- Contributing to safe financial systems in the markets in which we operate.
- Resolute compliance with laws and regulations.
- Safeguarding our reputation and protecting it from harm.
How we measure progress
Our risk measures seek to balance our regulatory requirements, which indicate our ability to withstand financial stress and unexpected losses, and our shareholder expectations around risk-adjusted returns. We carefully manage our capital, liquidity and funding levels to support business growth, maintain depositor and creditor confidence, create value for our shareholders and other stakeholders, while also maintaining regulatory compliance. We have three levels of risk appetite which are cascaded from our level 1 measures to more detailed portfolio limits. Our risk appetite is measured and monitored against the limits set at group, legal entity and business unit levels on a monthly basis.
- Common equity tier 1 ratio (CET 1): a measure of solvency that assesses capital strength against our risk-weighted assets (RWA).
- Liquidity coverage ratio (LCR): measures our ability to manage a sustained outflow of client funds in an acute stress event over a 30-day period.
- Net stable funding ratio (NSFR): the amount of available stable funding relative to the amount of required stable funding in accordance with Basel III.
- Return on risk-weighted assets (RoRWA): the return we generate on our average RWA; it measures our earnings relative to regulatory capital utilisation.
How we measure progress
Our compliance with laws and regulations is non-negotiable. Any contravention comes at a cost of possible damage to our reputation, fines or financial losses. We manage conduct risk in accordance with our conduct governance framework and are guided by our values, ethics and principles. We mitigate risk where possible, and address non-compliance with disciplinary processes and appropriate action. Each business unit and corporate function is responsible for the oversight and monitoring of conduct risk relevant to their business activities.
All business units and corporate functions submit quarterly conduct and governance dashboards to the group executive committee, providing a barometer of the prevailing ethical climate. The dashboards, together with other mechanisms, enable us to monitor and report regularly on our conduct risk.
- Effectiveness of recruitment processes and employee resourcing.
- Integration of new employees during onboarding and induction.
- Monitoring transparency and effectiveness of our whistleblowing processes.
- Adherence to compliance training requirements.
- Monitoring employee personal conduct.
- Effectiveness of new client product sales.
- Client satisfaction.
- Effectiveness of money laundering prevention practices.
- Information security processes.
- Protecting against cybercrime and fraud.
- Treating customers fairly and conduct of banks.
- Demonstrating the highest standards of ethics and integrity.
- Compliance with laws and regulations.
- Responsible credit provision.
- Management of credit risk.
- Safety and security of client data and assets.
Clients, regulators, legislators and national governments.
- Ensure our risk appetite responds appropriately to changes in our operating environments, and manage our exposures responsibly.
- Embed a culture of ethical behaviour and ensure that we keep doing the right business the right way.
- Ongoing investment in our capabilities to mitigate financial crime and cyber risks.
- In managing our exposures responsibly in line with macroeconomic and socio-political realities, it is sometimes necessary to tighten our risk appetite in lending to vulnerable sectors and clients. This reduces the potential for losses but inhibits client growth and revenue generation.
- We manage the natural tension between client convenience and the speed with which we can fulfil their needs, and the parameters of our mature and continually evolving regulatory, supervisory and control environment.
- The rising cost of compliance, including the training of our people and adaptations to business systems to comply with new and emerging legislation, is always managed to ensure the reputational benefit of being a trusted organisation.
How we performed
We have proactively managed our risk environment ensuring that our mitigation strategies address the identified risks, including exposures to concentrations in all sectors. Our governance process is robust with a well-developed enterprise risk management (ERM) framework supported by focused and mandated committees attended by skilled and accountable experts. We have managed our risk within our approved risk appetite and are sufficiently capitalised.
We continually monitor our progress on managing conduct and culture through the established indicators and internal conduct risk management processes. Where deficiencies are identified, we take immediate mitigating and/or remedial action.
OUR FRAMEWORK FOR MANAGING RISK
Our well-developed ERM framework supports a consistent approach to risk management throughout the group.
The group ERM governance framework sets out our approach to managing risk and capital. The framework consists of governance standards, frameworks and policies and is implemented by board and management governance committees with mandated and delegated authorities. We take a holistic and forward-looking view of the risks we face, continually assessing both current and emerging threats in our operating context.
Our top risks and emerging threats are monitored, managed and mitigated through the three lines of defence model. The business units and corporate functions identify and manage risks within their ambit while the group risk function provides necessary oversight and interrogation. Group internal audit provides independent assurance on the effectiveness of the first and second lines of defence.
We continue to develop and mature our portfolio risk management and stress testing capability to determine the impact of current or emerging stress scenarios and our ability to withstand these risks, and to inform decision-making throughout the group. The results of our tests indicate that the group is well capitalised and able to handle current and emerging stress scenarios should they materialise.
The group ERM framework articulates the significant and mature risks that the group faces. These risks are well understood, embedded and managed on an ongoing basis.
A summary of our key risk types is set out below:
CREDIT RISK
The risk of loss arising out of the failure of obligors to meet their financial or contractual obligations when due. It is composed of obligor risk, concentration risk and country risk.
COMPLIANCE RISK
The risk of legal or regulatory sanction, financial loss or damage to reputation the group may suffer as a result of its failure to comply with laws, regulations, codes of conduct and standards of good practice applicable to its financial services activities.
COUNTRY RISK
The uncertainty that obligors (including the relevant sovereign and the group’s branches and subsidiaries in a country) will be able to fulfil obligations due to the group, given political or economic conditions in the host country.
FUNDING AND LIQUIDITY RISK
The risk that an entity or the group, although solvent, cannot maintain or generate sufficient cash resources to meet its payment obligations in full as they fall due, or can only do so at materially disadvantageous terms.
MARKET RISK
The risk of a change in the market value, actual or effective earnings or future cash flows of a portfolio of financial investments, including commodities, caused by adverse movements in market variables such as equity, bond and commodity prices, currency exchange and interest rates, credit spreads, recovery rates, correlations and implied volatilities in all these variables.
INSURANCE RISK
The risk that actual future underwriting, policyholder behaviour and expense experience will differ from that assumed in measuring policyholder contract values and assets, and in pricing products. Insurance risk arises due to uncertainty regarding the timing and amount of future cash flows from insurance contracts.
OPERATIONAL RISK
The risk of loss suffered as a result of the inadequacy of, or failure in, internal processes, people and/or systems or from external events.
BUSINESS RISK
The risk of earnings variability resulting in operating revenues not covering operating costs after excluding the effects of market risk, credit risk, structural interest rate risk and operational risk.
REPUTATIONAL RISK
The risk of potential or actual damage to the group’s image which may impair the profitability and/or the sustainability of its businesses.
TOP RISKS AND EMERGING THREATS
Our process for identifying top risks and emerging threats reflects the continuous assessment of emerging threats and opportunities based on global trends that may have a bearing on the group’s operating environment. Early identification of these risks positions us to leverage related opportunities and proactively mitigate threats.
Our top risks are identified through our ERM framework and operational risk processes using specialist expertise within the group and across the three lines of defence, and are complemented by external research and thought leadership. This collaborative approach provides a combined risk assurance view, reinforces the effectiveness of our control environment and aligns our responses to support longer-term strategic decision-making to mitigate the impact on our shared value outcomes and reputation.
We ensured that the top risks in 2017 received the attention and resources needed to be adequately mitigated. This scope was broadened in 2018 to focus on emerging threats within our operating context that could meaningfully impact on our business either as a risk or as an opportunity. Our operational and tactical management of the top risks is discussed throughout this report.
Our top risks for 2019 were identified as:
CYBER RISK may lead to financial loss or disruption, destruction, unauthorised or erroneous use of information systems.
BUSINESS DISRUPTION RISK arises from critical system failures and/or business process failures impacting services to and/or provided by the group to its stakeholders.
FRAUD RISK is the unlawful and intentional misrepresentation with the aim of unlawful gain, which causes actual prejudice or which is potentially prejudicial to another.
PEOPLE RISK refers to the negative impacts associated with difficulties attracting and retaining skilled and committed people and failure to enable people to grow and remain relevant in a rapidly evolving world of work.
TECHNOLOGY RISK is associated with the use, ownership, operation, involvement, influence and adoption of technology within the group. It consists of technology-related events and conditions that could potentially impact the business, including technology changes, updates or alterations. A key consideration within technology risk is the group’s effective use of technology to achieve business objectives and be competitive.
INFORMATION RISK is the risk of accidental or intentional unauthorised use, access, modification, disclosure, dissemination or destruction of information resources, which may compromise the confidentiality, integrity and availability of information and potentially harm the business.
THIRD-PARTY RISK is introduced due to ineffective management of third-party relationships. The use of third parties reduces management’s direct control of activities and may introduce new or increase existing risks, specifically operational, compliance, reputation, strategic and credit risks.
CONDUCT AND CULTURE
Our approach to managing conduct risk is designed to ensure that through our actions and behaviours, we deliver fair client outcomes and support the transparency and integrity of the financial markets in which we operate.
Honest and responsible behaviour is an ethical imperative for us to serve our clients and deliver on our commitment to sustainable banking practices and regulatory compliance.
We have developed and implemented a conduct risk framework to embed our culture of doing the right business the right way in the execution of our strategy and business activities. The framework includes a conduct dashboard with performance indicators and metrics that we continue to enhance and deepen. This enables the board and executive management to exercise oversight over conduct risk management throughout the group, and assess and manage potential conduct risks which may arise.
We monitor our performance across the three lines of defence and against our values to strengthen our culture and entrench our values into our day-to-day activities by focusing on personal accountability.
During 2018, we established conduct committees across the group to reinforce a culture of client focus and fair outcomes, as set out in the conduct risk framework. Key achievements of this process included:
- Elevated awareness among senior executives of group culture and conduct challenges.
- Formalisation and clarification of roles and responsibilities for conduct outcomes across the three lines of defence.
- Strengthening of a transparent, safe and open culture in which our people can raise concerns through our whistleblowing and staff grievance processes.
- Monitoring and tracking of mandatory training courses to support a culture of compliance.
- Alignment of human capital processes and procedures with the group’s culture and conduct outcomes.
ASSURING A ROBUST, STABLE AND INTEGRATED CONTROL ENVIRONMENT
The group continues to make progress in developing a combined assurance model, including a shared view of the group’s top risks, between first line business operations, second line risk functions and third line group internal audit.
Our risk, compliance and internal audit functions deliver integrated Africa-wide services across the group to ensure a consistent approach to managing challenging operating environments and the associated threats and opportunities, and that a risk-aware culture is embedded at all levels of business. We experienced an increased willingness to proactively engage audit and risk management functions to support an integrated approach to managing risk and conduct.
Our ongoing and increasingly mature engagement has contributed to an improvement in the group’s risk and control culture indicated by an overall reduction in repeat and overdue audit and compliance monitoring findings.
In instances of unsatisfactory audit outcomes where internal audit has identified areas of weakness in business processes and individual control systems, these are openly communicated without interference. This enables ongoing improvement in our control systems.
Our evaluation of risk culture, as a lead indicator of the control environment, gained traction in 2018. We evaluated factors such as risk awareness, actions taken to remediate known risks and the responsiveness of management to audits.
Key focus areas identified in 2018 by group internal audit as having the potential to impact the effectiveness of the control environment included:
- The new operating model and the extent to which it is being clarified and sustainably embedded throughout the group.
- Digital enablement as a means to strengthen client focus.
- Compliance with regulatory requirements, such as Anti-Money Laundering, Know Your Customer and exchange controls.
With a few exceptions, which management are addressing, the results of our audits indicate that the group’s control environment is generally robust and stable.
Doing the right business the right way
We manage our business and associated risks in a manner that balances the interests of our clients and other key stakeholders with the protection of the group’s long-term sustainability and the stability of the financial systems within which we operate. Our objective to do the right business the right way extends from our compliance with laws and regulations, including the enforcement of measures to combat financial crime, financing of terrorism or other fraudulent practices, to our ethical conduct as individuals and as a financial services organisation. Given the global disruption facing the financial services industry, an implicit link exists between our business activities and our ability to effectively leverage technology.
STRATEGY IN ACTION
- Our strategy of developing relationships with our clients and knowing the sectors and markets they operate in enables us to select winning clients and projects and avoid risk or anticipate it and respond proactively.
- Continued to develop our portfolio risk management and stress testing capability.
- Ongoing research relating to trends arising from global information incidents and threats, and the potential impact they have on our clients will enable us to take preventative action to avoid future losses.
- Building an integrated capability to manage third-party risk, including compliance, and ensure more value-driven and collaborative third-party relationships, especially as we partner with fintechs to advance digitisation.
- There are robust consequence management processes in place for employees who do not undertake mandatory training.
- Continued to leverage technology to respond to client expectations of digital services and competitive threats posed by new entrants to financial services.
- Improved resilience of IT systems and infrastructure in Africa Regions to enhance client and staff experience.
- Consolidated and aligned IT security across Africa Regions.
ACHIEVED IN 2018
By leveraging innovative technology and new ways of working we are achieving higher levels of agility, flexibility and responsiveness to our markets, which allows us to improve on doing the right business the right way. This is reflected in:
- Reduced turnaround times for short-term insurance claims and lending decisions in PBB and CIB.
- Strengthened and integrated internal fraud risk management in card, TPS and insurance businesses to reduce fraud losses without increasing client friction, aligning to global best practice.
- Transformed the corporate lending process through digitisation to improve client experience, reducing credit decision turnaround time from one month to three days.
- Piloted an integrated portfolio risk management committee in East Africa.
- Increased efficiency in fraud detection and operations resulting in fewer touch points and improved turnaround times for clients.
- Segmented and rationalised vendors to reduce third-party-related incidents.
- Movement of fraud operations into frontline services to support staff and deliver operational efficiencies.
- Strengthened incident management processes to enable faster diagnosis and resolution of major service interruptions.
Our risk strategy instils conscious risk-taking as we pursue our targeted growth opportunities. A strong link between our strategy and our risk appetite underpins our profitability and sustainable growth. Our quantitative and qualitative risk appetite statement sets out the aggregate level and types of risk that we will tolerate to meet our strategic objectives. We regularly review our risk appetite in response to changes in our operating environments and we adopt fit-for-purpose operational risk practices that assist line management in understanding their residual risk and managing their risk profile within risk appetite levels.
We form relationships with our clients by understanding their needs and making responsible offers to them based on their risk profiles. These relationships enable us to build and maintain clients’ trust; they form the foundation of our risk management. We regularly review and amend our risk appetite across segments and products, based on the insights of the group risk function and our in-country risk committees. As a result, we are able to select quality clients or respond proactively to early signs of financial stress or market risk.
The development of our portfolio risk management and stress testing capability has enabled us to decentralise authority and accountability for credit decisions to in-country management teams. Combined with the implementation of digitally enabled solutions, this has improved the turnaround times and consistency of decision-making across all of our business units.
While our overall credit risk performance remains within our risk appetite, we have experienced increasing indebtedness in some of our client segments in South Africa. In particular, the plight of financially distressed clients whose properties were repossessed is a matter of concern.
Financial inclusion and, more specifically, making financial services accessible, continues to be a priority for many of the regulators across the markets in which we operate. Accordingly, there is growing pressure on banks to lower fees and improve digital offerings and the ease of banking.
EMBEDDING COMPLIANCE AWARENESS
Continuous training assists in embedding compliance awareness and practices. Compliance e-learning is available on smart devices and can be completed at a time convenient to employees. The e-learning focuses on behaviour and performance in personal, business and client engagement conduct. During the year, we streamlined compliance training to seven compulsory courses that are available online, with a targeted focus on conduct.
All employees of the group are expected to complete mandatory compliance training, which also includes personal, business and client conduct courses. Consequence management is applied for non-completion of compulsory compliance training. In 2018, 4 760 independent service providers were registered and active on the training system.
The regulatory environment in all of our markets continues to evolve as regulators seek to address new and emerging threats in financial services to protect clients’ assets and ensure they are treated fairly. We are proactive in our response to regulatory changes and use an externally assured operating model to conduct regulatory impact assessments and inform our policy discussions and submissions on regulatory development. We have provided input to the Retail Distribution Review, Consumer Credit Insurance, the Conduct of Financial Institutions Bill, Deposit Insurance, Recovery Resolution Planning, fintech regulation and Twin Peaks implementation.
Supervisory and stakeholder concerns about data, privacy and consumer rights are being addressed through the introduction of regulations such as the Protection of Personal Information Act in South Africa and the EU General Data Protection Regulation. Information risk, including data privacy, is a top risk for the group and has driven the introduction of information protection mechanisms. Data leakage prevention systems are in place to control the dissemination of sensitive information, along with encryption software that secures our hardware.
Business continuity management processes include specific response measures relating to physical security. In-country security companies provide an on-the-ground response capability that covers country-specific requirements. A country risk-based approach has been adopted in implementing the capabilities required to ensure effective response measures, with increased awareness and adoption by respective country crisis management teams.
Leveraging technology to improve risk management
The relationship between regulation and digitisation is complex and sometimes ambiguous. While digitisation strengthens regulatory control by increasing transparency, auditability and reducing manual errors, there is a concern among regulators that it may fail to protect clients and come at the expense of security compliance, risk management and business continuity.
The risk management and audit teams focus on managing this complexity by embracing the vital role of digitisation in the execution of the group’s strategy and understanding the processes of digitisation to ensure that the associated risks are managed in a manner that protects client data and assets without increasing client friction.
STRATEGY IN ACTION
- Collaboration between CIB and PBB on risk appetite indicators and automation of data management.
- Improved stability of IT systems to match ‘always on’ expectation of our clients.
- Increased use of cloud computing, AI and robotics to automate assurance and governance processes.
- Expansion of digital security capabilities and continuous improvement in fraud detection and response capability, including use of big data in risk profiling.
- Extended insurance cover to include a cybercrime insurance policy covering the group and its subsidiaries.
ACHIEVED IN 2018
- 71% reduction in IT instability incidents across the group, attributable to increased focus on system resilience.
- Our investment in digital fraud detection and prevention capabilities significantly reduced digital fraud cases reported.
- AI was used by the insurance business to detect fraud during claims processing. This improved collaboration between the claims and fraud departments has reduced turnaround times to 48 hours or less.
- Cyber simulations were run in 16 countries to test the preparedness of teams to respond to a large-scale cyber event.
- Practised incident response is a cornerstone of our risk management preparedness and proved invaluable during the ransomware attempt at Liberty.
- Increased use of cloud computing to manage business activities and provide real-time access to information.
Digitisation is contributing to increased transparency, consistency and efficiency of client service processes, proactive credit limit approvals using data analytics, and faster turnaround times in client service interactions. Adoption of cloud computing, AI, robotics and machine learning technologies is not only enabling increased automation of client services but is also being used to improve financial crime and cyber surveillance capabilities.
However, while digital technology represents a material competitive advantage, it is also a top risk with the potential to incur financial losses and penalties, disrupt our services and erode client trust. The unauthorised access to Liberty clients’ emails and attachments in June 2018 highlighted the extent to which cybercrime can threaten the integrity of our industry and the safety of client information. Liberty took immediate steps to secure its systems and made no concessions to the extortion demands. No financial loss was incurred by Liberty’s clients and it is working with the Information Regulator to ensure compliance. The South African Information Regulator is satisfied with how Liberty dealt with the data breach.
We have increased cyber awareness at board and executive management levels, with independent cyber experts appointed to advise the IT and risk committees. Our cybersecurity strategy has evolved from compliance to intelligence-led, with increased emphasis on detection of malicious activity. We have dedicated specialist cyber incident response teams and are focusing on early detection and rapid response, using intelligence and early warning indicators to mitigate or prevent threats.
We participate in industry cybersecurity initiatives such as the developing Cybercrime Bill, Critical Infrastructure Bill and Open Banking application programming interfaces (APIs) and a common data dictionary. The fostering of relationships through the South African Banking Risk Information Centre and the Financial Services Cyber Incident Team in Africa Regions has been effective in sharing Africa-specific threat intelligence.
Ultimately, our ability to effectively manage the threat of cybercrime depends on the commitment of our people to IT security. We continue to provide awareness and training, including focused interventions for employees considered to be in high-risk areas, to embed a strong risk culture.
Risk management’s role in effective digitisation
Risk management has a critical role to play in digitisation to support the client-facing transformation with suitably digital and efficient risk management processes. Being proactive to emerging threats (digital or otherwise) and opportunities will allow us to attain organisational resilience. The group recognises cyber, technology, information and business disruption among the top risks and has allocated substantial resources to mitigate them. We are also active participants in international risk research studies, leveraging the learnings of other institutions in our unique environment. The 2018 EY and IIF global bank risk management survey, Accelerating Digital Transformation, corroborates our approach for our digital journey, including how we are:
- Adapting to a fast-evolving risk environment.
- Recognising risk management’s role in identifying opportunities.
- Adopting new technologies and leveraging the power of data and cloud computing to digitise our risk approach.
- Developing resilience to disruptions.
Leveraging our digital capabilities to reduce exposure to risk
2018 was a pivotal year in the closure of our strategic core banking programmes which replaced ageing legacy platforms with modern, digital platforms. This will enable us to rapidly leverage new technologies and continue to develop opportunities to automate and simplify manual processes.
We have recognised an opportunity to leverage our data as pilot projects to automate standardised, data-based and predictable tasks and processes are extended and embedded. These include regulatory reporting on foreign exchange transactions and elements of credit lending to existing business clients to manage credit risk. Combined with the capacity of AI to efficiently scan large quantities of data, this can be used to identify patterns, draw conclusions and make predictions that will improve client experience, product costs and service delivery. Experience and intuition remain essential, but our ability to triangulate them with data will allow us to predict client needs and offer contextually appropriate solutions in a way that was not possible only a decade ago.
AI has the potential to vastly improve efficiency and productivity for particular processes, and harnessing the data analysis capability of AI with human creativity, innovation, experience and empathy will help provide some balance in the ethical considerations of using algorithms to make decisions that deliver fair and equitable results.
PROTECTING OUR CLIENTS AGAINST DIGITAL FRAUD
Our investments in digital fraud prevention yielded a reduction of 81% in digital fraud cases reported. The controls we have in place to ensure the safety of client information and funds are low in friction and maintain the integrity of our clients’ digital interactions with our banking systems. These include:
- Fully implemented fingerprint verification for mobile apps on iOS and Android devices.
- Increasing cybersecurity awareness among clients and training staff in IT security.
- Implemented device profiling on internet banking in Africa Regions.
- Profiling of Wealth vendors to manage potential cyber risk.
- Sharing cyber threat intelligence across Africa through our participation in the South African Banking Risk Information Centre and the Financial Services Cyber Incident Response Team.
The achievement of sustainable future growth will be driven by our ability to ensure that the group’s commitment to doing the right business the right way cascades down through every part of the group, underpinning every client relationship and informing every decision we make.
Our risk and conduct focus in 2019 will be guided by the group’s medium-term priorities:
- Allocate resources to growth opportunities in key sectors within risk appetite.
- Continue to digitally transform risk management processes through leveraging data, simplifying processes, automating workflows and using advanced analytics in decision-making.
- Complete architecture implementation and integrate with decision rights and internal relationships to empower our people.
- Proactive management of regulatory risks and emerging threats through maturing our enterprise risk frameworks.
- Enhance scenario planning to respond to changes in our operating environment.
- Continue to embed conduct risk framework and enhance conduct risk reporting measures and indicators.
- Implementing our third-party risk management enhancements.
- Increasing emphasis on the protection of information throughout its lifecycle.
While never losing focus on immediate objectives:
- Always on, always secure
- Brilliant basics front to back
- Doing the right business the right way