Managing risk at IAG

Introduction

Good risk management is good business management and so we are focused on ensuring our Risk Management Framework is appropriately designed, fully implemented, and effectively operating across our business. We will continue to review, develop, mature, and adapt our risk management processes to be fit for purpose to not only meet regulatory requirements but enable the successful and sustainable delivery of our strategy.

Overview of our Risk Management Framework

Our Risk Management Framework is a core part of our governance structure, which includes internal policies, key management processes, and culture. It includes three key documents which the IAG Board reviews and approves each year:

1. The Corporate Plan, which details our purpose and strategy, strategic pillars, and the business initiatives needed to deliver our strategy;
2. The Group Risk Appetite Statement, which defines the levels, boundaries and nature of risk the organisation is willing to accept; and
3. The Group Risk Management Framework and Strategy, which describes the key elements of our Risk Management Framework and how it is implemented, and articulates the strategy to manage risk at IAG. 

How we govern risk

Our Board is ultimately responsible for the Risk Management Framework and the oversight of its operation across the Group.  The Board Risk and Audit Committees bring governance, transparency, focus, and independent judgement to meeting this responsibility.

The Group Leadership Team has established an executive-level Risk Committee to monitor material risk exposures, and the Group's alignment to the risk appetite approved by the Board. This is supported by various subcommittees and specialist risk committees. Each of our Divisions also has a Divisional Risk Committee for overseeing and managing its risks.

Our Three Lines of Accountability for managing risk

While we all play a part in managing risk, our responsibilities may differ depending on our roles. At IAG, we use the Three Lines of Accountability model to structure risk management responsibilities across the organisation:

1. The First Line owns the risks arising from its business activities and must manage them within risk appetite. It reports on how the management of its risks is tracking to Divisional Risk Committees.
2. The Second Line (the risk management function) developes and maintains the frameworks, policies and standards for managing risk. It oversees and gives assurance over how the First Line manages risk, challenging and advising as needed. The Second Line reports to the Divisional and Group Leadership Teams as well as the Board Risk Committee on how IAG is managing risk as a Group. 
3. The Third Line (the internal audit function) gives independent assurances over First and Second Lines’ control effectiveness. It reports on significant audit findings and other audit-related matters to the Board Audit Committee.

Risk Management Framework reviews

IAG regularly reviews its Risk Management Framework to ensure it remains appropriate, supports the delivery of our strategy, and enables us to consistently meet the reasonable expectations of our customers, people, communities, investors, and regulators. These reviews include various First Line self-assessments and independent Second and Third Line assessments. At least every three years, we also commission an independent third party to undertake a comprehensive review of our Risk Management Framework for design suitability and operating effectiveness.

More information about how we manage risk

Our Corporate Governance Statement provides greater detail on how we manage risk.

Our Annual Review and Sustainability Report details our material issues and how we manage related risks and opportunities.

We also publish certain internal policies around ethics and conduct which support our Risk Management Framework.