Risk management

We have an established risk management methodology which seeks to identify, prioritise and mitigate risks, underpinned by a ‘three lines of defence’ model comprising an internal control framework, internal monitoring and independent assurance processes.

The Board considers that risk management and internal control are fundamental to achieving the Group's strategic objectives. Principal and emerging risks are identified both ‘top-down’ by the Board and the Executive Committee and ‘bottom-up’ through the Group’s global business units (GBUs) and central functions. Senior executives are responsible for the strategic management of the Group’s principal and emerging risks, including related policy, guidelines and processes, subject to Board oversight.

Not all the risks identified as part of our risk management processes are considered principal risks. Principal risks are individual risks, or a combination of risks, which could result in circumstances that might threaten the Group’s reputation or business model, its future performance, solvency or liquidity. As with all businesses operating in a dynamic environment, some risks may not yet be known, whilst other low-level risks could become material in the future.

Further information on risk management is available on pages 43 to 47 of the 2024 Annual Report.