Managing risk at IAG
Understanding and managing risk is at the heart of our business, our purpose, and delivering our strategy.
Good risk management is good business management, and so we are focused on ensuring our Risk Management Framework is appropriately designed, fully implemented, and effectively operating across our business. We will continue to review, develop, mature, and adapt our risk management processes so that they are fit for purpose, not only to meet regulatory requirements but also to enable the successful and sustainable delivery of our strategy.
Overview of our Risk Management Framework
Our Risk Management Framework comprises all the frameworks, policies, systems, processes, and structures we use to manage risk. It includes three key documents which the IAG Board reviews and approves each year:
- The Corporate Plan, which details our purpose and strategy, strategic pillars, and the business initiatives needed to deliver our strategy;
- The Group Risk Appetite Statement, which defines how much and what types of risk we are willing to take in pursuit of our strategy; and
- The Group Risk Management Strategy, which describes the key elements of our Risk Management Framework and how we manage risk as an organisation.
How we govern risk
Our Board is ultimately responsible for the Risk Management Framework and the oversight of its operation across the Group. The Board Risk and Audit Committees bring governance, transparency, focus, and independent judgement to meeting this responsibility.
The Group Leadership Team has established an executive-level Risk Committee focused on risk management. This is supported by various subcommittees and specialist risk committees. Each of our Divisions also has a Divisional Risk Committee for overseeing and managing its risks.
Our Three Lines of Defence for managing risk
While we all play a part in managing risk, our responsibilities may differ depending on our roles. At IAG, we use the Three Lines of Defence model to structure risk management responsibilities across the organisation:
- The First Line owns the risks arising from its business activities and is responsible for managing them within risk appetite. It reports to Divisional Risk Committees on how the management of its risks is tracking;
- The Second Line (the risk management function) sets the frameworks and policies for managing risk. It oversees and gives assurance over how the First Line manages risk, challenging and advising as needed. The Second Line reports to the Divisional and Group Leadership Teams as well as the Board Risk Committee on how IAG is managing risk as a Group; and
- The Third Line (the internal audit function) independently assures the effectiveness of the First and Second Lines’ risk management and control practices. It reports the outcomes of its activities to the Board Audit Committee.
Risk Management Framework reviews
IAG regularly reviews its Risk Management Framework to ensure it remains appropriate, supports the delivery of our strategy, and enables us to consistently meet the reasonable expectations of our customers, people, communities, investors, and regulators. These reviews include various First Line self-assessments and independent Second and Third Line assessments. At least every three years, we also commission an independent third party to undertake a comprehensive review of our Risk Management Framework for design suitability and operating effectiveness.
More information about how we manage risk
Our Corporate Governance Statement provides greater detail on how we manage risk.
Our Annual Review and Sustainability Report details our material issues and how we manage related risks and opportunities.
We also publish certain internal policies around ethics and conduct which support our Risk Management Framework.