Risk Management and Internal Control

The Board is responsible for maintaining and reviewing the effectiveness of our risk management activities from a strategic, financial and operational perspective. These activities are designed to identify and manage, rather than eliminate, the risk of failure to achieve business objectives or to successfully deliver our business strategy.

The risk management process is designed to identify, assess, respond to, report on and monitor the risks that threaten our ability to achieve our business strategy and objectives, within our risk appetite.

We follow the Three Lines of Defence approach to risk management (see diagram below). Risks are owned and managed within the business and reviewed by our businesses at least quarterly. Global governance teams review risks and controls, including those relating to information security, regulatory compliance and business continuity. Global Internal Audit assesses our risks and controls independently and objectively. The results of these reviews feed into our quarterly reporting cycle.

Our risk identification processes follow a dual approach:

  • A bottom-up approach at a business unit or country level. This identifies the risks that threaten an individual business unit activity. To provide visibility of issues across the business, we consolidate these risks at a regional and global level, then escalate to the Risk Management Committees.

Risk categories

Strategic risk
– Country/Political/
– Acquisition
– Competitor
– Business strategy
– Publicity
Operational risk
– Technology
– Information security
– Physical security
– Continuity
– Third party
– People
– Process
Financial risk
– Accounting
– Credit
– Liquidity
– Market
– Currency
Regulatory / Compliance risk
– Regulated activities
– Privacy
– Financial crime


  • A top-down approach at the global level. This identifies the principal risks that threaten the delivery of our strategy. The diagram below summarises our principal risk profile.