RISK FRAMEWORK
Key elements (unaudited)
Our Risk Framework sets out how we manage and
control risk. It is based on the following key elements which we
describe in more detail in the next pages:
|
|
|
|
|
|
|
|
Section
|
|
Content
|
|
|
How we define risk
|
|
We describe each of our key risk
types.
|
|
|
How we approach risk – our culture
and principles
|
|
We describe our risk culture and explain how
we make it a day-to-day reality across our business.
|
|
|
Our risk governance
structure
|
|
We describe how we consider risk in all our
business decisions as part of our organisational structure, and the
responsibilities of our people and our committees.
|
|
|
Our internal control
system
|
|
We describe our internal control system and
how it helps us manage and control risk.
In 2017, we updated our Risk Framework to
ensure it remains comprehensive and to improve our focus on key
risk issues:
|–
|
|We introduced
two new committees:
|
|–
|
|The Board
Responsible Banking Committee, which reviews risks relating to
conduct, compliance, competition, financial crime and legal
matters. It also provides advice, oversight and challenge to
maintain a supportive risk culture throughout the
business.
|
|–
|
|The Incident
Accountability Committee, which considers, calibrates and agrees
any appropriate individual remuneration adjustments recommended by
the Business Accountability Forum and presents recommendations to
the Board Remuneration Committee.
|–
|
|We now include
legal risk as a risk type on its own. This reflects its importance
and enables us to give it a higher level of focus.
|–
|
|We transferred
responsibility for reputational risk to the Chief Legal and
Regulatory Officer (CLRO) from the Chief Risk Officer
(CRO).
|–
|
|We merged the
management of conduct and regulatory risk to take advantage of the
synergies between these risk types. This is aligned to the approach
used by Banco Santander.
How we define risk (unaudited)
Risk is any uncertainty about us being able
to achieve our business objectives. It can be split into a set of
key risk types, each of which could affect our results and our
financial resources. Our risk types are:
|
|
|
|
Key risk
types
|
|
Description
|
Credit
|
|
The risk of loss due to the default or credit
quality deterioration of a customer or counterparty to which we
have provided credit, or for which we have assumed a financial
obligation.
|
Market
|
|
Trading market risk – the risk incurred
as a result of changes in market factors that affect the value of
positions in the trading book.
Banking market risk – the risk of loss
of income or economic value due to changes to interest rates in the
banking book or to changes in exchange rates, where such changes
would affect our net worth through an adjustment to revenues,
assets, liabilities and off-balance sheet exposures in the banking
book.
|
Liquidity
|
|
The risk that we do not have sufficient
liquid financial resources available to meet our obligations as
they fall due, or we can only secure such resources at excessive
cost.
It is split into three types of
risk:
– Funding or structural liquidity
risk – the risk that we may not have sufficient liquid assets
to meet the payments required at a given time due to maturity
transformation.
– Contingent liquidity risk
– the risk that future events may require a larger than
expected amount of liquidity, that is the risk of not having
sufficient liquid assets to meet sudden and unexpected short-term
obligations.
– Market liquidity risk –
the risk that assets we hold to mitigate the risk of failing to
meet our obligations as they fall due, which are normally liquid,
become illiquid when they are needed.
|
Capital
|
|
The risk that we do not have an adequate
amount or quality of capital to meet our internal business
objectives, regulatory requirements, market expectations and
dividend payments, including AT1 coupons.
|
Pension
|
|
The risk caused by our contractual or other
liabilities with respect to a pension scheme (whether established
for our employees or those of a related company or otherwise). It
also refers to the risk that we will need to make payments or other
contributions with respect to a pension scheme due to a moral
obligation or for some other reason.
|
Conduct
and
regulatory
|
|
Conduct risk – the risk that our
decisions and behaviours lead to a detriment or poor outcome for
our customers. It also refers to the risk that we fail to maintain
high standards of market behaviour and integrity.
Regulatory risk – the risk of financial
or reputational loss, or imposition or conditions on regulatory
permission, as a result of failing to comply with applicable codes,
regulator’s rules, guidance and regulatory
expectations.
|
Other key risk
types
|
|
Operational risk – the risk of loss due
to inadequate or failed internal processes, people and systems, or
external events. Our top three key operational risks
are:
– Cyber risk
– Third party supplier
management
– Process and change
management.
Financial crime risk – the risk that we
are used to further financial crime, including money laundering,
sanctions evasion, terrorist financing, bribery and corruption.
Failure to meet our legal and regulatory obligations could result
in criminal or civil penalties against Santander UK or individuals,
as well as negatively affecting our customers and the communities
we serve.
Legal risk – the risk of an impact
arising from legal deficiencies in contracts; failure to take
appropriate measures to protect assets; failure to manage legal
disputes appropriately; failure to assess or implement the
requirements of a change of law; or failure to comply with law or
regulation or to discharge duties or responsibilities created by
law or regulation.
Model risk – the risk that the results
of our models may be inaccurate, causing us to make sub-optimal
decisions, or that a model may be used inappropriately.
Strategic risk – the risk of
significant loss or damage arising from strategic decisions that
impact the long-term interests of our key stakeholders or from an
inability to adapt to external developments.
Reputational risk – the risk of damage
to the way our reputation and brand are perceived by the public,
clients, government, colleagues, investors or any other interested
party.
Enterprise wide risk is the aggregate view of
all the key risk types described above.
How we approach risk – our culture
and principles (unaudited)
The complexity and importance of the
financial services industry demands a strong risk culture. We have
extensive systems, controls and safeguards in place to manage and
control the risks we face, but it is also crucial that everyone
takes personal responsibility for managing risk. Our risk culture
plays a key role in our aim to be the best bank for our people,
customers, shareholders and communities. It is vital that everyone
in our business understands that. To achieve this, our people have
a strong, shared understanding of what risk is, and what their role
is in helping to control it. We express this in our Risk Culture
Statement:
|
|
|
|
|
|
Risk Culture Statement
|
|
|
Santander UK will only take risks that it
understands and will always remain prudent in identifying,
assessing, managing and reporting all risks. We proactively
encourage our people to take personal responsibility for doing the
right thing and to challenge without fear. We ensure decisions and
actions take account of the best interests of all our stakeholders
and are in line with The Santander Way.
The Board reviews and approves our Risk
Culture Statement every year. The CEO, CRO and other senior
executives are responsible for promoting our risk culture from the
top. They drive cultural change and increased accountability across
the business. We reinforce our Risk Culture Statement and embed our
risk culture in all our business units through our Risk Framework,
Risk Certifications and other initiatives. This includes
highlighting that:
|–
|
|It is
everyone’s personal responsibility to play their part in
managing risk
|–
|
|We must
Identify, Assess, Manage and Report risk quickly and
accurately
|–
|
|We make risk
part of how we assess our people’s performance and how we
recruit, develop and reward them
|–
|
|Our internal
control system is essential to make sure we manage and control risk
in line with our principles, standards, Risk Appetite and
policies.
We use Risk Certifications to confirm how we
manage and control risks in line with our Risk Framework and within
our Risk Appetite. As an example, every year, each member of our
Executive Committee confirms in writing that they have managed risk
in line with the Risk Framework in the part of the business for
which they are responsible. Their certification lists any
exceptions and the agreed actions taken to correct them. This is a
very tangible sign of the personal accountability that is such a
key part of our risk culture.
Making change happen: I AM Risk –
everyone’s personal responsibility for managing
risk
I AM Risk continues to play a key part in our
aim to be the best bank for our people, customers, shareholders and
communities. Our I AM Risk approach aims to make sure our
people:
|–
|
|Identify
risks and opportunities
|–
|
|Assess
their probability and impact
|–
|
|Manage
the risks and suggest alternatives
|–
|
|Report,
challenge, review, learn and ‘speak up’.
We use I AM Risk in our risk certifications,
policies, frameworks and governance, and in all our risk-related
communications. We also include it in mandatory training and
induction courses for our staff, in our codes of conduct and in
rewards and incentives. We embed the behaviours we want to
encourage in key processes and documents.
I AM Risk is how we make risk management part
of everyone’s life as a Santander employee, from how we
recruit them and manage their performance to how we develop and
reward them. It is also how we encourage people to take personal
responsibility for risk, speak up and come up with ideas that help
us change. To support this, our learning website includes short
films, factsheets and discussion boards.
As part of I AM Risk, we include mandatory
risk objectives for all our people – from our Executive Risk
Control Committee to branch staff. The Santander Way Steering
Committee coordinates all our culture initiatives under the
sponsorship of the CEO.
In 2017, we made good progress with
continuing to embed personal accountability for managing risk
across the business. For all new and existing employees, we
enhanced our mandatory risk training and we ensured that the
updated performance management risk objectives were used across the
business. In our most recent employment engagement survey, 94% of
employees acknowledged their personal responsibility for risk
management and 97% of employees confirmed that they are aware of
how to escalate and report potential risks. This demonstrates how
we are successfully embedding risk management in our
culture.
LOGO
Our risk governance
structure
We are committed to the highest standards of
corporate governance in every part of our business. This includes
risk management. For details of our governance, including the Board
and its Committees, see the ‘Governance’ section of
this Annual Report.
The Board delegates certain responsibilities
to Board Level Committees as needed and where appropriate. Our risk
governance structure strengthens our ability to identify, assess,
manage and report risks, as follows:
|–
|
|Committees: A number of Board and Executive
committees are responsible for specific parts of our Risk
Framework
|–
|
|Roles with
defined risk management responsibilities: Senior roles with
specific responsibilities for risk
|–
|
|Risk
organisational structure: We have ‘three lines of
defence’ built into the way we run our business.
Committees
The Board Level Committee responsibilities
for risk are:
|
|
|
|
Board Level Committee
|
|
Main risk responsibilities
|The
Board
|
|
– Has overall responsibility for
business execution and for managing risk
|
|
|
– Reviews and approves the Risk
Framework and Risk Appetite.
|Board Risk
Committee
|
|
– Assesses the Risk Framework and
recommends it to the Board for approval
|
|
|
– Advises the Board on our
overall Risk Appetite, tolerance and strategy
|
|
|
– Oversees our exposure to risk
and our strategy and advises the Board on both
|
|
|
– Reviews the effectiveness of
our risk management systems and internal controls.
|Board Responsible Banking
|
|
– Responsible for culture and
operational risks relating to conduct, compliance, competition,
financial crime and legal matters
|Committee
|
|
– Reviews reports from the CLRO
on the adequacy and effectiveness of the compliance
function
|
|
|
– Ensures that adequate and
effective control processes are in place to identify and manage
reputational risks
|
|
|
– Oversees our reputation and how
this impacts our brand and market positioning.
The Executive Level Committee
responsibilities for risk are:
|
|
|
|
Executive Level Committee
|
|
Main risk responsibilities
|Executive
Committee
|
|
– Reviews and approves business
plans in line with our Risk Framework and Risk Appetite before they
are sent to the Board to approve
|
|
|
– Receives updates on key risk
issues managed by CEO-level committees and monitors the actions
taken.
|
Executive Risk Control
Committee
|
|
– Reviews Risk Appetite proposals
before they are sent to the Board Risk Committee and the Board to
approve
|
|
– Ensures that we comply with our
Risk Framework, Risk Appetite and risk policies
|
|
|
– Reviews and monitors our risk
exposures and approves any corrective steps we need to
take.
|Asset and
Liability
|
|
– Reviews liquidity risk appetite
proposals before they are sent to the Board to approve
|Committee
(ALCO)
|
|
– Ensures we measure and control
structural balance sheet risks, including capital, funding and
liquidity, in line with the policies, strategies and plans set by
the Board
|
|
|
– Reviews and monitors the key
asset and liability management activities of the business to ensure
we keep our exposure in line with our Risk Appetite.
|Pensions
Committee
|
|
– Reviews pension risk appetite
proposals before they are sent to the Board to approve
|
|
|
– Approves actuarial valuations
and reviews the impact they may have on our contributions, capital
and funding
|
|
|
– Consults with the pension
scheme trustees on the scheme’s investment
strategy.
|Capital
Committee
|
|
– Puts in place risk control
processes, reporting systems and processes to make sure capital
risks are managed within our Risk Framework
|
|
|
– Reviews capital adequacy and
capital plans, including the Internal Capital Adequacy Assessment
Process (ICAAP), before they are sent to the Board to
approve.
|Incident
Accountability Committee
|
|
– Considers, calibrates,
challenges and agrees any appropriate individual remuneration
adjustments recommended by the Business Accountability
Forums
|
|
|
– Presents recommendations to the
Board Remuneration Committee.
|Executive Credit Approval
Committee
|
|
– Approves corporate and
wholesale credit transactions which exceed levels delegated to
lower level approval forums or individuals.
|
Executive Investment
Approval Committee
|
|
– Approves equity type investment
transactions which exceed levels delegated to lower level approval
forums or individuals.
Roles with risk management
responsibilities
Chief Executive Officer
The Board delegates responsibility for our
business activities and managing risk on a day-to-day basis to the
CEO. The main risk responsibilities of the CEO are to:
|–
|
|Propose our
strategy and business plan, put them into practice and manage the
risks involved
|–
|
|Ensure we have
a suitable system of controls to manage risk and report to the
Board on it
|–
|
|Foster a
culture that promotes ethical practices and social
responsibility
|–
|
|Ensure all our
staff are aware of the policies and corporate values approved by
the Board.
Chief Risk Officer
As the leader of the Risk Division, the CRO
oversees and challenges risk activities, and ensures new lending
decisions are made within our Risk Appetite. The CRO reports to the
Board through the Board Risk Committee, and also reports to the CEO
for operational purposes. The CRO also reports functionally to the
global CRO for the Banco Santander group. The main responsibilities
of the CRO are to:
|–
|
|Propose a Risk
Framework to the Board (through the Board Risk Committee) that sets
out how we manage the risks from our business activities within our
approved Risk Appetite
|–
|
|Advise the CEO,
the Board Risk Committee and Board on our Risk Appetite linked to
our strategic business plan and why it is appropriate
|–
|
|Reassure the
Board and our regulators that we identify, assess and measure risk
and that our systems, controls and delegated authorities to manage
risk are adequate and effective
|–
|
|Advise the CEO,
Board Risk Committee, the Board and our regulators on how we manage
key risks and escalate issues or breaches of Risk
Appetite
|–
|
|Ensure that our
culture promotes ethical practices and social
responsibility
|–
|
|Ensure that our
policies and corporate values approved by the Board are
communicated so that our culture, values and ethics are aligned to
our strategic objectives
|–
|
|Ensure an
appropriate governance structure is in place to make effective
credit decisions.
The CRO is accountable for the control and
oversight of credit, market, liquidity, capital, pension,
strategic, operational and model risk. The CLRO is accountable for
the control and oversight of legal, conduct and regulatory,
reputational and financial crime risk, and is responsible for
reporting on these risks to the CRO to provide them with a holistic
enterprise wide view of all risks.
Chief Legal and Regulatory Officer
The CLRO is accountable for the control and
oversight of legal, conduct and regulatory, reputational and
financial crime risk. The CLRO reports relevant matters to the
Board Responsible Banking Committee (BRBC), the Board Risk
Committee and the Board. The main responsibilities of the CLRO are
to:
|–
|
|Propose a Risk
Framework for legal, conduct and regulatory, reputational and
financial crime risk to the Board (through the Board Risk Committee
and the CRO) that sets out how we manage these risks in line with
our Risk Appetite
|–
|
|Advise the CRO,
CEO, the Board Risk Committee and the Board on our risk appetite
for legal, conduct and regulatory, reputational and financial crime
risk, linked to our strategic business plan and why it is
approved
|–
|
|Reassure the
CRO, the BRBC, the Board and our regulators that we identify,
assess and measure legal, conduct and regulatory, reputational and
financial crime risk appropriately and that our systems, controls
and delegated authorities to manage risk are adequate and
effective
|–
|
|Advise the CRO,
CEO, the Board Risk Committee, the BRBC, the Board and our
regulators on how we manage key legal, conduct and regulatory,
reputational and financial crime risks and escalate any issues or
breaches of our Risk Appetite
|–
|
|Ensure that our
culture promotes ethical practices and social responsibility and
contributes to the management of reputational risk
|–
|
|Ensure that our
policies and corporate values approved by the Board are
communicated so that our culture, values and ethics are aligned to
our strategic objectives.
|–
|
|Provide an
assessment on Legal, Conduct & Regulatory, Reputational
and Financial Crime risks to the CEO, CRO, BRC, BRBC, Board and our
regulators on how these risks are being managed in the Santander UK
Group and escalate to the CRO, BRC and Board any issue or breach of
appetite.
Chief Financial Officer
The main risk responsibilities of the CFO are
to:
|–
|
|Deliver the
strategy approved by the Board, in line with the authority
delegated to him by the CEO
|–
|
|Manage the
day-to-day operations of their business division, in line with
agreed business plans, delegating appropriate authority
prudently
|–
|
|Manage and
control effectively in line with the relevant risk types and
activity framework relevant to the CFO Division
|–
|
|Demonstrate an
awareness and understanding of the main risks facing the CFO
Division and how to manage the risks involved. The key risk types
being:
|
|–
|
|Interest Rate
Risk and Forex Risk in the banking book: these risks are managed
within the Risk Appetite and limits approved by the
Board
|
|–
|
|Liquidity Risk:
these risks are managed within the Risk Appetite and limits
approved by the Board
|
|–
|
|Pension Risk:
oversight of the management of the Pension Scheme by the Trustee
and agreement with them to manage Pension Scheme assets and
liabilities to minimise volatility in IAS19 funding levels and
negative impact on capital. To agree investment strategy with the
Trustee to manage risk of additional cash contributions being
required because of poor investment performance
|
|–
|
|Capital Risk:
the capital position of the UK group and legal entities is managed
in accordance with the Capital Risk Appetite and regulatory
requirements
|–
|
|Carries out
appropriate contingency planning and balances risk impact with
delivery of business as usual
|–
|
|Promotes and
embeds a risk awareness culture within CFO Division and actively
encourages people to speak up and challenge without
fear.
Chief Internal Auditor
The Chief Internal Auditor (CIA) reports to
the Board through the Board Audit Committee, and also reports to
the CEO for operational purposes. The CIA also reports functionally
to the CIA of Banco Santander SA. The main responsibilities of the
CIA are to:
|–
|
|Ensure the
scope of Internal Audit covers all activities (including outsourced
activities) at a legal entity level
|–
|
|Design and use
an audit system that identifies key risks and evaluates
controls
|–
|
|Develop an
audit plan to assess existing risks that involves producing audit,
assurance and monitoring reports
|–
|
|Carry out all
audits, special reviews, reports and commissions that the Board
Audit Committee asks for
|–
|
|Monitor
business activities regularly by consulting with internal control
teams and our External Auditors
|–
|
|Develop and run
internal auditor training that includes regular skills
assessments.
Risk organisational structure
(unaudited)
We use the ‘three lines of
defence’ model to manage risk. This model is widely used in
the banking industry and has a clear set of principles to put in
place a cohesive operating model across an organisation. It does
this by separating risk management, risk control and risk
assurance.
The diagram below shows the reporting lines
to the Board with respect to risk:
LOGO
Internal control system
(unaudited)
Our Risk Framework is an overarching view of
our internal control system that helps us manage risk across the
business. It sets out at a high level the principles, minimum
standards, roles and responsibilities, and governance for internal
control.
LOGO
|
|
|
|
|
|
|
|
Category
|
|
Description
|
|
|
Risk Frameworks
|
|
Set out how we should manage and control risk
for:
– The Santander UK group (overall
framework)
– Our key risk types (risk type
frameworks)
– Our key risk activities (risk
activity frameworks).
|
|
|
Risk Management
Responsibilities
|
|
Set out the Line 1 risk management
responsibilities for Business Units and Business Support
Units.
|
|
|
Strategic Commercial Plans
|
|
Plans produced by business area at least
annually that describe the forecasted objectives, volumes and risk
profile of new and existing business, within the limits defined in
our Risk Appetite and policies in place.
|
|
|
Risk Appetite Statement
|
|
Defines the type and the level of risk that
we are willing and able to take on to achieve our business plans.
The policies set out what action we must (or must not) take to make
sure we stay within our Risk Appetite.
Risk Control Units set overarching policies.
Business and Business Support Units have operational policies,
standards and procedures that put these policies into practice. We
expect all our people to manage risk within their own work by
complying with these policies, standards and procedures.
|
|
|
|
|
|
Delegated
Authorities/Mandates
|
|
Define who can do what under the authority
delegated to the CEO by the Board.
|
|
|
Risk Certifications
|
|
Business Units, Business Support Units or
Risk Control Units set out how they have managed and/or controlled
risks in line with the risk frameworks and within Risk
Appetite.
They are completed at least once a year. They
also explain any action taken. This process helps ensure people can
be held personally accountable.
RISK APPETITE (unaudited)
How we control the risks we are prepared
to take
When our Board sets our strategic objectives,
it is important that we are clear about the risks we are prepared
to take to achieve them. We express this through our Risk Appetite
Statement, which defines the amount and kind of risk we are willing
to take. Our Risk Appetite and strategy are closely linked and our
strategy must be achievable within the limits set out in our Risk
Appetite.
The principles of our Risk
Appetite
Our Risk Appetite Statement lists ten
principles that we use to set our Risk Appetite.
|–
|
|We always aim
to have enough financial resources to survive severe but plausible
stressed economic and business conditions, as well as a very severe
stress that would consume capital
|–
|
|We should be
able to predict how our income and losses might vary – that
is, how volatile they are. That applies to all our risks and lines
of business
|–
|
|Our earnings
and dividend payments should be stable, and in line with the return
we aim to achieve
|–
|
|We are an
autonomous business, so we always aim to have strong capital and
liquidity resources
|–
|
|The way we fund
our business should be based on diverse sources and duration of
funding. This helps us to avoid relying too much on wholesale
markets
|–
|
|We set controls
on large concentrations of risk, such as to single customers or
specific industries
|–
|
|There are some
key risks we take, but for which we do not actively seek any
reward, such as operational, conduct and regulatory, financial
crime, legal and reputational risk. We take a risk-averse approach
to all such risks
|–
|
|We comply with
all regulations – and aim to exceed the standards they
set
|–
|
|Our pay and
bonus schemes should support these principles and our risk
culture
|–
|
|We always aim
to earn the trust of our people, customers, shareholders and
communities.
How we describe the limits in our Risk
Appetite
Our Risk Appetite sets out detailed limits
for different types of risk, using metrics and qualitative
statements.
Metrics
We use metrics to set limits on losses,
capital liquidity, and concentration. We set:
|–
|
|Limits for
losses for our most important risks, including credit, market,
operational and conduct risk
|–
|
|Capital limits,
reflecting both the capital that regulators expect us to hold
(regulatory capital) and our own internal measure (economic
capital)
|–
|
|Liquidity
limits according to the most plausible stress scenario for our
business
|–
|
|Concentration
limits, to determine the maximum concentration level that we are
willing to accept.
These limits apply in normal business
conditions, but also when we might be experiencing a far more
difficult economic environment. A good example of this might be
when the UK economy is performing much worse than we expected. We
refer to conditions such as this as being under stress.
There is more on economic capital and stress
scenarios later in this section.
Qualitative statements
For some risks we also use qualitative
statements that describe in words the appetite we want to set. For
example, in conduct risk, we use them to describe our Risk Appetite
for products, sales, after-sales service, and culture. We also use
them to prohibit or restrict exposure to certain sectors, types of
customer and activities.
How we set our Risk Appetite, and stay
within it
We control our Risk Appetite through our Risk
Appetite Framework. Our Board approves and oversees our Risk
Appetite Statement every year. This ensures it is consistent with
our strategy and reflects the markets in which we operate. Our
Executive Risk Control Committee is responsible for ensuring that
our risk profile (the level of risk we are prepared to accept) is
consistent with our Risk Appetite Statement. To do this they
monitor our performance against our Risk Appetite, business plans
and budgets each month. We also use stress testing to review how
our business plan performs against our Risk Appetite Statement.
This shows us if we would stay within our Risk Appetite under
stress conditions. It also helps us to identify any adverse trends
or inconsistencies.
We embed our Risk Appetite by setting more
detailed risk limits for each business unit and key portfolio.
These are set in a way so that if we stay within each detailed
limit, we will stay within our overall Risk Appetite. When we use
qualitative statements to describe our appetite for a risk, we link
them to lower-level key risk indicators, so that we can monitor and
report our performance against them.
We provide a programme of communication and
training for our staff which helps ensure that Risk Appetite is
well understood.
STRESS TESTING (unaudited)
Stress testing helps us understand how
different events and economic conditions could affect our business
plan, earnings and risk profile. This helps us plan and manage our
business better.
Scenarios for stress
testing
To see how we might cope with difficult
conditions, we regularly develop challenging scenarios that we
might face. We consult a broad range of internal stakeholders,
including Board members, when we design and choose our most
important scenarios. The scenarios cover a wide range of outcomes,
risk factors, time horizons and market conditions. They are
designed to test:
|–
|
|The impact of
shocks affecting the economy as a whole or the markets we operate
in
|–
|
|Key potential
vulnerabilities of our business model
|–
|
|Potential
impacts on specific risk types.
We describe each scenario using a narrative
setting out how events might unfold, as well as a market and/or
economic context. For example the key economic factors we reflect
in our ICAAP scenarios include house prices, interest rates,
unemployment levels and the size of the UK economy. One scenario
looks at what might happen in a recession where the output of the
economy shrinks by around 5%, unemployment reaches over 9%, and
house prices fall by around 30% in a context of high inflation and
interest rates rising rapidly. We use a comprehensive suite of
stress scenarios to explore sensitivities to market risk, including
those based on historic market events.
How we use stress testing
We use stress testing to estimate the effect
of these scenarios on our business and financial performance,
including:
|–
|
|Our business
plan, and its assessment against our Risk Appetite
|–
|
|Our capital
strength, through our ICAAP
|–
|
|Our liquidity
position, through our Internal Liquidity Adequacy Assessment
Process (ILAAP)
|–
|
|Impacts on
other risk types.
We use a wide range of models, approaches and
assumptions. These help us interpret the links between factors in
markets and the economy, and our financial performance. For
example, one model looks at how changes to key macroeconomic
variables such as unemployment rates might affect the number of
customers who might fall into arrears on their mortgage.
Our stress testing models are subject to a
formal review, independent validation and approval process. We
highlight the key weaknesses and related model assumptions in the
approval process for each stress test. In some cases, we overlay
expert judgement onto the results of our models. Where this is
material to the outcome of the stress test, the approving
governance committee reviews it.
We take a multi-layered approach to stress
testing to capture risks at various levels. This ranges from
sensitivity analysis of a single factor to a portfolio, to wider
exercises that cover all risks across our entire business. We use
stress testing outputs to design action plans that aim to mitigate
damaging effects.
We also conduct reverse stress tests. These
are tests in which we identify and assess scenarios that are most
likely to cause our business model to fail.
Board oversight of stress
testing
The Executive Risk Control Committee approves
the design of the scenarios in our ICAAP. The Board Risk Committee
approves the stress testing framework. The Board reviews the
outputs of stress testing as part of the approval processes for the
ICAAP, the ILAAP, our Risk Appetite and regulatory stress
tests.
Regulatory stress tests
We take part in a number of external stress
testing exercises. These can include stress tests of the UK banking
system conducted by the PRA. We also contribute to stress tests of
Banco Santander.
For more on capital and liquidity stress
testing, see the ‘Capital risk’ and ‘Liquidity
risk’ sections.
HOW RISK IS DISTRIBUTED ACROSS OUR
BUSINESS (unaudited)
Economic capital
As well as assessing how much regulatory
capital we are required to hold, we use an internal Economic
Capital (EC) model to measure our risk.
We use EC to get a consistent measure across
different risk types. EC also takes account of how concentrated our
portfolios are, and how much diversification there is between our
various businesses.
As a consequence we can use EC for a range of
risk management activities. For example, we can use it to help us
compare requirements in our ICAAP or to get a risk-adjusted
comparison of income from different activities.
Regulatory capital – risk-weighted
assets
The table below shows the proportion of our
regulatory capital risk-weighted assets we held in different parts
of our business at 31 December 2017 and 2016. It is split
between credit, market and operational risk against which we hold
regulatory capital.
LOGO
2017 compared to 2016
The distribution of risk across our business
was broadly unchanged in the year. The largest category continued
to be credit risk in Retail Banking, which accounted for most of
our risk-weighted assets. This reflects our business strategy and
balance sheet. Market risk arises primarily as part of our trading
book activities in Global Corporate Banking. Our operational risk
capital requirements remained small and were concentrated in our
Retail Banking activities.