    Risk and conduct

    Effective management of risks, together with personal, market and societal conduct that reflects the highest standards of ethical and responsible business practice, is how we earn the trust that our stakeholders place in us. Our licence to operate is based on this trust, making compliance with all applicable laws and regulations non-negotiable.


    What success looks like

    Doing the right business, the right way, without exception.
    Contributing to safe financial systems in the markets in which we operate.
    Resolute compliance with laws and regulations.
    Safeguarding our reputation and protecting it from harm.


    How we manage it

    Our risk management systems are robust with a well-developed risk management framework governed by mandated board and management committees with the relevant expertise.

    Our risk measures seek to balance regulatory requirements and shareholder expectations for risk-adjusted returns. We carefully manage our capital, liquidity and funding levels to support business growth, maintain depositor and creditor confidence, and create value for our shareholders and other stakeholders. The risks we take are measured and monitored against the risk appetite set at group level, and risk limits set at legal entity and business line levels on a monthly basis, including more detailed portfolio limits.


    Proactive management of our risk environment ensured that our mitigation strategies were mostly effective, including our exposures in all sectors. There were no breaches of our approved risk appetite and the group remains sufficiently capitalised.


    CET 1
    2018: 13.5%
    TARGET: 11.0% – 12.5%
    Common equity tier 1 ratio
    is a measure of solvency that assesses capital strength against our risk-weighted assets (RWA).


    2018: 16.0%


    2018: 116.8%
    TARGET: >100%
    Liquidity coverage ratio measures our ability to manage a sustained outflow of client funds in an acute stress event over a 30-day period.


    2018: 118.6%
    TARGET: >100%
    Net stable funding ratio is the amount of available stable funding relative to the amount of required stable funding in accordance with Basel III.


    2018: 3.0%
    Return on risk-weighted assets
    measures the return we generate based on our average RWA, our earnings relative to regulatory capital utilisation.


    How we manage it

    We manage conduct risk in accordance with our conduct governance framework and are guided by our values and code of ethics.

    We monitor our conduct and culture through a combination of leading and lagging conduct risk indicators. Where deficiencies are identified, we take immediate remedial action. Non-compliance is met with disciplinary processes and appropriate action. Each business line and corporate function is responsible for monitoring of conduct risk relevant to its business activities, and for escalating material concerns to the relevant risk governance committees.


    All business lines and corporate functions submit quarterly conduct and governance dashboards to the group executive committee, providing a barometer of the prevailing ethical climate. The dashboards, together with other mechanisms, enable us to monitor and report regularly on conduct risk using predictive and retrospective analysis.

    Our indicators

    • Effectiveness of recruitment processes and employee resourcing.
    • Integration of new employees during onboarding and induction.
    • Transparency and effectiveness of our whistleblowing processes.
    • Adherence to compliance training requirements.
    • Employee personal conduct.
    • Effectiveness of new client product sales.
    • Client satisfaction.
    • Effectiveness of money laundering prevention practices.
    • Information security processes.

    Risk reflections

    The group operates in a constantly changing environment where a complex and interrelated spectrum of existing risks and emerging threats and opportunities influence our business activities and shape our future sustainability.

    During 2019, we navigated external risks like the economic growth slowdown and dislocation in global trade associated with the trade tensions between China and the US; shifting competitive forces as technology companies seek to disintermediate the value proposition of traditional banks; the impact of changing weather patterns on insurance claims and risk modelling; increasing regulatory pressure, which included treating customers fairly and caps on rates and fees; and, the rise of investor and societal activism and expectations for business to manage environmental and social risks. Inside the group, we continued to closely manage conduct risk and the risks associated with digitisation, including cyber risks and privacy concerns.

    Read more about our operating context here.

    Prevalent risks and emerging threats in our operating environment are articulated in the group risk management framework and are managed and monitored as part of day‑to‑day processes.

    Read more about our risk management framework in our risk and capital management report here.

    Our executives, senior management and compliance teams work together to reinforce a compliance culture across the group. Our combined assurance model includes audit, compliance, risk and business management teams, who collaborate to ensure a coordinated approach to providing assurance on whether top risks are being effectively managed throughout the group.

    Read more about our top risks below.

    We benchmark best compliance risk management practices and continuously mature our compliance function to remain abreast of international standards in compliance management and apply enhanced analytics to ensure that these support the delivery of the group’s strategic priorities.


    • Allocate resources to growth opportunities in key sectors within risk appetite.
    • Continue to digitally transform risk management processes through leveraging data, simplifying processes, automating workflows and using advanced analytics in decision-making.
    • Implement a risk digitisation architecture that enables appropriate risk decision rights to empower our people.
    • Proactive management of regulatory risks and emerging threats.
    • Enhance scenario planning to respond to changes in our operating environment.
    • Continue to embed the conduct risk framework and enhance conduct risk reporting measures and indicators.
    • Implement our third-party risk management enhancements.
    • Increase emphasis on the protection of information throughout its lifecycle.


    • In managing our exposures responsibly in line with macroeconomic and socio-political realities, it is sometimes necessary to tighten our risk appetite in lending to vulnerable sectors and clients. This reduces the potential for losses but also inhibits client growth and revenue generation.
    • We manage the natural tension between client convenience and the speed at which we can fulfil their needs, and the parameters of our mature and continually evolving regulatory, supervisory and control environment.
    • The rising cost of compliance, including the training of our people and adapting business systems to comply with new and emerging legislation, is a necessary condition of ensuring we maintain the reputational benefit of being a trusted organisation.
    • Globally, investors and regulators require increased transparency on how businesses are managing non-financial risks, particularly those related to climate change. Our size and footprint place us under constant regulator and other external stakeholder scrutiny. It is, therefore, imperative that we are able to demonstrate that our business activities create measurable value for all our stakeholders in a socially and environmentally responsible manner.


    We take a holistic, forward-looking view of the risks we face, assessing both the prevalent and emerging threats in our operating environment. Our well-developed framework supports a consistent approach to risk and capital management throughout the group.


    Organisational design

    Risks are identified across the whole enterprise, including all business units, corporate functions and legal entities.

    Risk management approach

    Our risk management approach ensures consistent and effective management of risk within our board-approved risk appetite and provides for appropriate accountability and oversight.


    DOCUMENTS, comprising governance frameworks, standards and policies
    Our governance of risk is underpinned by a strong control environment and is defined in our risk governance and management standards and policies.

    Our governance structure enables oversight and accountability through appropriately mandated board and management committees.


    Our risk universe is managed through the risk lifecycle. Our risk measurement process includes rigorous quantification of risks under normal and stressed conditions, up to and including recovery and resolution.


    We leverage the lines of defence to maintain a strong and resilient risk culture.

    Implement an effective risk management system and manage risk through all entity levels
    Facilitate, advise and oversee business on activities within risk management
    Review and report on the adequacy and effectiveness of the risk management system (process, people and technology)

    Risk culture
    Doing the right business, the right way


    Our risk universe represents the risks that are fundamental to our business. We regularly scan our operating environment for changes to ensure that it remains relevant.


    Business risks

    The risk of unexpected earnings variability, as a result of strategic choices and failed strategy execution. This excludes the effects of market risk, credit risk, structural interest rate risk and operational risk.

    Reputation risk

    The risk of potential or actual damage to our image which may impair the profitability and/or sustainability of our business.


    Credit risk

    The risk of loss arising out of the failure of obligors to meet their financial or contractual obligations when due. It is composed of obligor risk, concentration risk and country risk and represents the largest source of risk to which banking entities in the group are exposed.

    Market risk

    The risk of a change in the market value, actual or effective earnings, or future cash flows of a portfolio of financial instruments, including commodities, caused by adverse movements in market variables such as equity, bond and commodity prices, currency exchange and interest rates, credit spreads, recovery rates, correlations and implied volatilities in all of these variables.

    Liquidity and funding risk

    The risk that an entity, although solvent, cannot maintain or generate sufficient cash resources to meet its payment obligations in full as they fall due, or can only do so at materially disadvantageous terms.

    Country risk

    Country risk, also referred to as cross-border country risk, is the uncertainty about whether obligors (including the relevant sovereign, and our branches and subsidiaries in a country) will be able to fulfil obligations due to the group given political or economic conditions in the host country.

    Insurance risk

    The risk that actual future underwriting, policyholder behaviour and expense experience will differ from that assumed in measuring policyholder contract values and in pricing products. Insurance risk arises due to uncertainty regarding the timing and amount of future cash flows from insurance contracts.


    Top risks

    We continually assess and annually identify the top risks that require focused management due to their potential to have a material impact on our strategy.

    Prevalent top risks

    Cyber risk

    The potential destruction, unauthorised or erroneous use of information systems that could result in service disruption, reputation damage and significant financial loss.

    Information risk

    The accidental or intentional unauthorised use, access, modification, disclosure, dissemination or destruction of information resources, which would compromise the confidentiality, integrity and availability of that information. This may result in service disruption, reputational damage and financial loss.

    Technology risk

    The inability to manage, develop and maintain secure, agile technology capability that enables the group to operate efficiently and achieve strategic objectives.

    Business disruption risk

    Losses arising from critical system failures and/or business process failures impacting services provided by us to our stakeholders.

    Third-party risk

    Ineffective management of third-party relationships and the operational, compliance, reputation, strategic and credit risks inherent in the services and products they provide to the group.

    Financial crime risk

    The risk of economic loss, reputational damage and regulatory sanctions arising from any type of financial crime against the group. Financial crime includes fraud, theft, money-laundering, bribery, corruption, tax evasion, terrorist financing and sanctions.

    Compliance risk

    The potential legal or regulatory sanction, financial loss or damage to reputation that the group may suffer as a result of its failure to comply with laws, regulations, codes of conduct, internal policies and standards of good practice applicable to its financial services activities.

    Emerging top risks

    • Increasing exposure to environmental threats, including carbon emissions, climate change and stranded assets.
    • Increased scrutiny on conduct to ensure fair client practices.
    • Expanding use of non-traditional models, including those that affect conduct.

    Other non-financial risks

    Financial accounting risk

    Losses arising due to inadequate management and oversight of internal financial accounting processes.

    Physical assets risk

    The risk of damage to the organisation’s physical assets, client assets, or public assets for which the organisation is liable, and (criminal) injury to the organisation’s employees or affiliates.

    Model risk

    Incorrect or inappropriate use of a model and fundamental errors in models that may produce inaccurate outputs that are not aligned to design objectives and intended business uses.

    Environmental and social risk

    The direct and indirect impact on the environment and society caused by the group that might prevent the group from achieving its strategic objectives.

    People risk

    The challenge or failure to attract and retain skilled, committed people and the inability to enable people to grow and remain relevant in a rapidly evolving workplace.

    Tax risk

    Any event, action or inaction in tax strategy, systems, people, operations, financial reporting, compliance or external events including events that may result in an uncertain tax treatment, which either adversely affects the group’s tax or business objectives or results in an unanticipated or unacceptable level of monetary, financial statement or reputational exposure.

    Legal risk

    The potential adverse consequences arising from non-compliance with legal or statutory responsibilities and/or legal rights not being binding or enforceable.



    Potential impacts
    • Reputation damage or financial loss from compromised client information.
    • Disruption of services impacts client experience and ability to conduct transactions effectively.
    • Evolution of cyber criminals and their sophisticated use of technology increases cyber risk.
    • A multi-channel digital experience requires ongoing technological enhancements to remain relevant, up-to-date and safe from cyber‑attacks.
    • Increased number of devices connected to the network increases security risks.
    • Monitoring platform health and network anomaly detection.
    • Ongoing awareness and training, particularly for high-risk users.
    • Ongoing simplification of IT landscape and move to cloud computing.
    • Intelligence‑led cyber strategies with a risk approach based on learning from attack trends and incidents.


    Potential impacts
    • Reputation impact of transactions not being processed appropriately or timeously.
    • Outages may negatively impact client ability to transact timeously and result in unreliable communication.
    • Complex and aging legacy infrastructure can be prone to failure.
    • Shifting consumer technology preferences are increasing the demand for 24/7 services, increasing the pressure to be relevant.
    • Simplify IT architecture and reduce reliance on legacy technology.
    • Accelerate migration of data to the cloud to drive digital transformation, enhance security and improve system stability.


    Potential impacts
    • Reputation damage or financial loss from compromised client information.
    • Unlawful use of client data could reduce future trust.
    • Increased controls to mitigate information risk may negatively impact on client experience.
    • System outages or disruption of services due to compromised information.
    • Securing the growing amount of available information from being accessed by unauthorised users.
    • Increased reliance on third-parties, like cloud service providers, who have access to information.
    • Upcoming regulations in different jurisdictions relating to privacy and the use of client information.
    • Improve access management controls.
    • Continuously improve user authentication methods.
    • Use predictive risk monitoring and mature data leakage prevention controls.


    Potential impacts
    • Loss of clients due to unsuitable products and services.
    • Increased regulation on conduct principles and standards.
    • Increased costs and documentation requirements from changing regulatory requirements.
    • The volume, pace and scale of regulation together with the uncertain timelines and cost of implementation.
    • Increased regulation across Africa and the transmission of personal information across borders.
    • Dedicated specialists monitor and assess the implications of regulatory developments and engage with stakeholders to understand and constructively influence regulation.
    • Ongoing investment in surveillance and reporting systems, as well as business intelligence.
    • Ongoing compliance and awareness training.


    Potential impacts
    • Reputation damage and financial loss arising from disrupted business services.
    • Disruption of self-service channels together with reduction of physical channels may cause loss of clients due to lack of viable alternatives.
    • Potential leakage of client data during disruptions.
    • Increased demands made on technology and information systems and the increased threat of cyber‑attacks requires resilient ability to withstand disruption.
    • Consumer demand for services that are always available.
    • Migration to cloud services to improve digital capabilities.
    • Dependency on aging infrastructure in Africa.
    • Review IT infrastructure design and align disaster recovery approach for end-to-end resolution.
    • Include business recovery capability at initiation stages of initiatives and product development.
    • Continue to develop proactive monitoring capabilities.


    Potential impacts
    • Service disruptions due to inadequate performance by third parties.
    • Unauthorised sharing of client information and data breaches by or through third parties.
    • Inferior product and service quality.
    • Increased regulatory oversight and focus on third-, fourth- and fifth-party management.
    • Emergence of third-party partnerships and outsourcing as business enablers, particularly FinTechs.
    • Heightened economic and regulatory pressure resulting in increased outsourcing.
    • Implement and embed third-party management framework.
    • Continue to perform appropriate due diligence and background checks on third parties.
    • Ongoing risk management and monitoring of third parties.


    Potential impacts
    • Financial losses to clients or the group due to scams and tactics like phishing.
    • Reputation risk due to data breaches and digital fraud.
    • Improving controls may add friction that negatively impacts on client experience.
    • Increased financial pressure due to ongoing macroeconomic challenges and the sophistication of fraud practices.
    • Improving client experience requires frictionless services and real-time processing, increasing risk.
    • Roll out the universal fraud risk management model, which includes real-time analytics and strong authentication protocols.
    • Ongoing employee and client awareness campaigns.


    Potential impacts
    • Potential loss of clients due to conduct failures or inability to deliver solutions that meet client expectations.
    • Inappropriate products and services and poor sales incentives may drive reckless or unfair lending practices.
    • Complex fee structures may undermine competitiveness and result in loss of clients.
    • Regulators and other industry stakeholders continue to scrutinise conduct, ensuring fair client practices.
    • Increased complexity in regulatory frameworks addressing conduct, including the Conduct of Financial Institutions Bill, the Retail Distribution Review and the Financial Sector Regulation Act’s new Ombud structure.
    • Manage culture and conduct through the conduct risk framework.
    • Enhance metrics for conduct reporting through established governance structures.
    • Invest in culture initiatives and employee training to ensure that good conduct is embedded at all levels of the group.


    Potential impacts
    • Increased costs associated with carbon tax and pricing.
    • Business interruptions due to extreme weather events.
    • A rapid shift in public perception and growing risks associated with investing in fossil fuel projects due to adverse environmental impact.
    • Increased global focus and regulation relating to climate change.
    • Investors require more transparency on ESG performance.
    • Increased consumer demands for low-carbon products and services.
    • Changing weather patterns together with more frequent and severe weather events.
    • Develop a coordinated approach and strategy to adequately address climate change risk and opportunity.
    • Identify and develop metrics to inform decision-making and reporting, including climate change risk stress testing and scenario analysis.


    Potential impacts
    • Financial loss, poor business and strategic decision-making or damage to the group’s reputation.
    • Client risk assessments that are inaccurate or do not reflect changes in client circumstances resulting in incorrect credit scoring and investment decisions, unconscious bias and incomplete client profiles.
    • Models are being expanded from pricing and capital exposure to include business analysis.
    • Regulators are increasingly focused on models that affect conduct.
    • Enhance model risk management practices.
    • Assess the viability of implementing AI and machine learning in models.
    • Invest in relevant skills for the future, such as programming and data science support, and identify potential model choices relevant for specific processes.


    In an evolving regulatory environment, financial services organisations are taking a more strategic view of how to identify, measure and control their non-financial risks. An increasing focus on privacy and consumer protection rights, seen in legislative developments such as the European General Data Protection Regulation (GDPR) and the Final Report of the Australian Royal Commission into Misconduct in the Banking, Superannuation and the Financial Services Industry, influenced our approach to training and engagement with business lines to enhance client centricity while ensuring compliance.



    The scope of banking regulation continues to grow. New financial reforms introduced by the Conduct of Financial Institutions Bill and Conduct Standards for Banks, National Treasury, and the Financial Sector Conduct Authority (FSCA), focus on ensuring financial institutions provide products and services that deliver fair client outcomes. The FSCA will also scrutinise how banks reward employees to establish whether their governance, risk management, remuneration and performance management support a culture of good conduct.

    The group has dedicated board and management committees responsible for the oversight of conduct and culture. Our initiatives aim to strengthen good practice in our culture and entrench our values in our day-to-day activities by focusing on personal accountability. We are guided by our code of ethics and values which shape our conduct and encourage appropriate behaviours that are not harmful to our clients, engender trust and promote a good reputation.

    Exchange control

    Cross-border payments may be used to facilitate illicit flows of funds or to evade tax. The group has control measures in place to ensure that cross-border funds serve a legitimate purpose. We participate in a forum of multiple regulators and other stakeholders to design strategies that strengthen the fight against the flow of illicit cross-border funds.

    Financial crime

    The group has policies, processes and controls in place to mitigate various types of financial crime, including money laundering, terrorist financing, corruption and tax evasion. These are designed to comply with legislation in all jurisdictions in which we operate, while also taking into account the recommendations of various financial crime standard-setting bodies like the Financial Action Task Force. Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) legislation in the countries in which we operate evolves constantly, and the group's operations align their AML/CFT risk management and compliance programmes as these changes occur.

    In South Africa, we signed the South African Anti-Money Laundering Integrated Taskforce charter. The taskforce will promote the exchange of AML information between banks and competent authorities, with the intention of effectively combating financial crime through increased collaboration.

    Some group entities, including SBSA, were issued with administrative sanctions relating to AML/CFT deficiencies. These findings are being remediated, with programmes of work overseen by senior executives.


    We have a privacy office to help group entities to comply with their data privacy obligations. Our international entities review and customise the group’s data privacy policy and standards in line with in-country legislative requirements. Our data privacy consent and notification framework supports the free flow of information, allowing each entity to align itself with one consistent commitment to clients to protect their information. To assess the risk posed by GDPR legislation, an impact assessment was conducted across the group to identify business areas impacted by GDPR legislation. The affected business areas will adjust their current data privacy risk management plans to cater for specific GDPR role requirements.



    We form relationships with our clients by understanding their needs and making responsible offers to them based on their risk profiles. Building and maintaining trust-based relationships with our clients form the foundation of our risk management.

    We regularly review and amend our risk appetite across segments and products, based on the insights of the group risk function and our in-country risk committees. As a result, we are able to select quality clients and respond proactively to early signs of financial stress or market risk.

    We support our business lines in delivering personalised services and leveraging client value chains to deliver exceptional client experiences enabled by modern digital technologies. In doing so, we remain cognisant of key issues affecting financial services clients, including inappropriate advice and non-transparent or unnecessarily complex products or pricing structures. We are using AI, predictive analytics, machine learning and robotic process automation to provide effective risk management that matches the group’s risk appetite. To enable innovative client solutions, our compliance, IT, risk and business teams collaborate to embed compliance while removing friction from the process as far as possible.

    During the year, we managed our risks within our board-approved risk appetite. Our credit portfolio was well-controlled and stressed sectors are closely monitored. We continued to enhance and embed our group and subsidiary recovery plans in line with new international developments, while ensuring that they align to relevant regulatory requirements in the countries in which we operate.

    Our capital and liquidity positions remained sound. We continue to develop and mature our portfolio risk management and stress testing capability to determine the impact of current or emerging stress scenarios and our ability to withstand these risks, and to inform decision-making throughout the group. Stress testing, which considers both likely and remotely possible scenarios, was conducted to assess our potential need for capital and liquidity. The results of our tests indicate that the group is able to handle current and emerging stress scenarios should they materialise. Our risk capital adequacy ratios are well above regulatory minimum requirements.

    We have measures in place to mitigate the impact of fraud on our clients and operations. We continuously improve these measures and in 2019 we implemented a solution to enable a quicker and more efficient response to card fraud reported by our clients. Front-line employees are now able to take the call and, using a single screen, block the card, identify the fraudulent transactions, automatically perform a client refund based on pre-defined rules and open a fraud case for investigation. Our response time for refunds has reduced from two weeks to two days, and the average call time is down from 30 minutes to five minutes.

    We focused on several key initiatives in the year to ensure that our employees are adequately supported and empowered to do the right business, the right way. We undertook the following initiatives:

    • An integrated speak-up whistleblowing awareness campaign.
    • Delivered training interventions for all group employees on:

      - Data privacy and information risk to protect clients’ personal information throughout processing activities.
      - Conduct course to familiarise new employees with the group’s conduct risk framework.
      - Tax evasion, sexual harassment, social media and ethics awareness.

    All employees are required to undertake annual mandatory compliance training courses, including on the group’s code of ethics. Employees must also complete mandatory business, personal and client conduct training annually, with a minimum pass mark set at 80%. Regular training ensures our people understand our expectations in terms of ethics and conduct.

    By leveraging innovative technology and new ways of working we are continuously improving our agility, flexibility and responsiveness to our markets. This allows us to keep doing the right business, the right way. However, while digital technology represents a material competitive advantage, it remains a top risk with the potential to incur financial loss and reputation damage.

    Our cloud technology and data initiatives are critical to ensuring strategic delivery. We manage the risks of digitisation through a deep understanding of digital processes, ensuring that client data and assets are protected without increasing client friction. Our focused approach to support business and operational resilience will aid in addressing the system stability challenges we may face during high risk periods and allow us to deliver ‘always on, always secure’ services.

    Measures are being put in place to support opportunity management and ensure that we are agile enough to adopt new technologies such as cloud computing.

    During 2019, we reviewed several innovative new processes and services to ensure the appropriate level of protection for client data and assets, including:

    • PBB’s digitisation of key branch activities to facilitate its branch reconfiguration in South Africa.
    • New digital innovations for PBB and CIB to originate lending and account opening online.
    • PBB’s new MyMo account enables account opening on digital devices.
    • Wealth’s new insurance app that uses telematics to reward good driving behaviour.
    • The My360 app provides Wealth clients with a full view of their financial portfolio in one place, covering more than 20 000 global financial institutions.

    Technology availability and innovation are at the centre of our initiatives, allowing us to focus on delivering digitisation and automation, keeping our digital channels secure and supporting the group’s strategic migration to the cloud. During the year, we deepened understanding of our non-financial risks to clarify our risk management oversight. Overall, our non-financial risk profile remained well within our risk appetite and was resilient in an operating environment with a wide range of economic, political, social, and regulatory uncertainties. Together with our activities to simplify our non-financial risk landscape, we digitised a number of related risk activities, maximising the use of data and exploring the potential of machine learning, AI and real-time predictive analytics, to create efficiencies in risk profile management.

    We are automating our conduct dashboard to provide forward-looking information on conduct risk trends for improved decision-making. By leveraging data analytics, we will be able to improve our ability to proactively identify, manage, minimise and mitigate conduct risks that may arise from our business activities.

    Ensuring an ethical culture

    As new regulations governing client treatment take effect, conduct risk grows in prominence. Our conduct risk framework and policy are designed to ensure that we embed our culture of doing the right business, the right way in the execution of our strategy and business activities. In practice, we aim to deliver fair client outcomes and support the transparency and integrity of the financial markets in which we operate. We continue to embed conduct risk management into our existing processes, procedures and practices and continuously develop and design tools to help improve our focus on good client outcomes.

    During the year, the following initiatives relating to ethical culture were undertaken:

    • Continued to strengthen our control environment, promote good business practices and reinforce appropriate behaviours aligned to the group’s values.
    • Used periodic diagnostics and metrics to measure and identify areas for improvement.
    • Increased accountability in the first line of defence through communication campaigns and conduct training.
    • Strengthened the second line of defence by developing tools and methodologies to help improve oversight and monitoring of conduct risks.

    We continued to focus on delivering integrated Africa-wide risk management services across the group to ensure a consistent approach to dealing with challenging operating environments and the associated threats and opportunities.

    To facilitate an integrated approach to risk and compliance and ensure we meet current and global regulatory developments, we align compliance risk management processes across the group. We regularly conduct self-assessments against best practice compliance risk management strategic approaches in the public domain and consider if our compliance risk management practices are appropriate for an integrated financial services group.

    During the year, we matured our combined risk assurance processes with the onboarding of additional internal assurance providers and focused on an improved risk-based approach to current risks. We also used risk analytics to better link top risks to operational risk data, thereby improving integrated risk management.

    The group continued to see a reduction in the number of severe IT outages; however, the impact of these has increased. To manage the risk associated with IT outages, an ‘always on’ programme has been formalised with dedicated responsible executives and teams to support the delivery, with weekly updates provided to the group executive committee. The group IT function is accountable to the group executive committee and also provides monthly updates on the effectiveness of technology and information management processes. In addition, regular reviews are performed by internal audit and an annual external audit review is performed. The group technology strategy will continue to focus on accelerating the adoption of cloud-based technology, ensuring IT system stability and enhancing client digital capabilities and experiences.

    In 2019, internal audit identified the following as having the potential to impact the effectiveness of the control environment:

    • Implementing a holistic non-financial risk approach to understanding the impact of risks on the control environment.
    • Balancing the impact of new controls with increased client friction.

    We leverage the three lines of defence model to build and maintain a strong risk culture, where resilience is a priority for effective risk management across the group. We focus on a range of drivers to enhance the group’s risk culture, with emphasis on doing the right business, the right way. Our employees are empowered to act with confidence, drive meaningful behavioural changes and place the client at the centre of everything they do.

    We engage regularly with our stakeholders to ensure reputational risk matters that are cross-business or jurisdictional follow a similar decision-making process across the group.

    Embedding environmental and social risk processes

    Global societal expectations about the roles and responsibilities of business continue to increase. We are committed to driving sustainable and inclusive economic growth across Africa, and ensuring that our business activities create net positive SEE impacts. Effective environmental and social risk management plays a critical role in fulfilling this commitment.

    Our environmental and social risk assessment process is based on international best practice. Our environmental and social risk governance standard and policy set out the principles under which we identify, measure, manage and report on environmental and social risk. We regularly review our governance structures to ensure the appropriate oversight and management of environmental and social risk, including climate change risk.

    In 2019, we tabled a minority shareholder resolution at our AGM on the financing of coal mining and coal-fired power generation and exposure to climate change risk. We recognise the risks posed by a changing climate, together with the environmental impacts of coal-fired power, as material concerns for our stakeholders. We have subsequently developed and published policies governing new investment in coal-fired power stations and new investment in coal mining.

    The development of a climate-related risk strategy is underway, aligned with the TCFD guidelines. We are collecting and assessing data, and ensuring that we consider the African context, in meaningful scenario planning and stress testing that is appropriate for our complex business and geographical presence.

    Read more in our ESG report


    As we continue to manage our risks and opportunities in a rapidly changing financial services environment, we will ensure that the group’s commitment to doing the right business, the right way cascades through every part of our organisation, underpinning every client relationship and informing every decision we make. This will support our commitment to create sustainable value for all our stakeholders.

    Our priorities include:

    • Ongoing alignment to group architecture and decision rights.
    • Deliver value-based risk management clearly linked to achieving our financial outcomes.
    • Actively monitor stressed portfolios at a group level.
    • Continue to enhance our scenario analysis and stress testing against our strategic objectives.
    • Focus on further embedding the management of multiple non-financial risks.
    • Continue to leverage data as an asset and develop intuitive risk management through technology.