Brooks Macdonald Annual Report and Accounts 2025

Risk management

We have a robust approach to risk management to support positive client outcomes.

We continue to optimise our risk management processes across the Group, leveraging technology where there is a specific opportunity to do so. Work is progressing well in the integration of the acquired firms into the established risk management framework. The work over the previous year has seen the greater use of data and evidence-based risk analysis and reporting, which has led to richer risk discussion and focused management action. We remain mindful of the current geopolitical and macroeconomic uncertainties, and continue to monitor these closely both as an Executive and a Risk and Compliance Committee (“RCC”).

Risk management framework

The Group’s risk management framework (“RMF”) supports the management of risks and opportunities across the Group. It can be summarised by the following diagram.

[Diagram: risk management framework components: Risk governance; Risk culture; Risk appetite; Risk assessment and management; Risk identification; Risk and control self-assessment; Risk reporting; Internal capital adequacy and risk assessment; Policy governance framework]

Risk governance: The Board is ultimately responsible for the Group’s risk management framework but has delegated certain responsibilities to the RCC, a sub-committee of the Board. The Board has delegated the responsibility for establishing, operating and monitoring the system of risk management and controls on a day-to-day basis to the Chief Risk Officer (“CRO”), supported by the ERMC, chaired by the CRO, together with the Investment Committee, chaired by an external adviser to the Investment Committee. Each committee has a Terms of Reference in place, which sets out responsibilities, membership and escalation routes.

[Diagram: governance structure: Board; Risk and Compliance Committee (“RCC”); Audit Committee; Executive Risk Management Committee (“ERMC”)]

The Group operates a Three Lines of Defence (“3LoD”) model:

First line of defence: Business areas
Second line of defence: Risk and compliance
Third line of defence: Internal audit

Risk culture: We promote a risk culture that encourages the ownership and management of risk. Risk management is the responsibility of everyone. All individuals have responsibility for understanding and managing risks under their control and stewardship. Management has additional responsibility for maintaining the systems of internal control and reviewing their effectiveness. These responsibilities are clearly apportioned and documented in job descriptions, role profiles and performance objectives. The organisation of the business supports individuals performing these roles and reinforces responsibilities through the development of a pervasive risk management and compliance culture, and a reward and incentive scheme, which encourages desired behaviours that are communicated and demonstrated through the ‘tone from the top’.

Risk appetite: The objective of the Group’s risk appetite framework is to ensure that the Board and senior management are properly engaged in agreeing and monitoring the Group’s appetite for risk and setting acceptable boundaries for business activities and behaviours. The risk appetite categories are reviewed by the ERMC and RCC, and are approved by the Board on an annual basis. KRIs are mapped to the risk appetite categories, with KRI tolerances aligned to risk appetite. The KRIs and tolerances are subject to an annual approval process by the ERMC, RCC and Board.

Risk identification: The Group adopts a top-down and bottom-up approach to the identification of risks. The ERMC and RCC have identified the principal risks that could impact the ability of the Group to meet its strategic objectives. In addition, the Group maintains a bottom-up operational Group risk register, mapped to the Group’s risk appetite categories.

Risk assessment and management: All risks included in the Group risk register are scored according to probability and impact, and are assessed on an inherent basis (before the impact of controls) and on a residual basis (after the impact of controls). Where risks are classed as outside the Group’s risk appetite, actions must be taken to bring the risk back within appetite.

Risk and control self-assessment (“RCSA”): The Group’s bottom-up assessment of risk is managed through the RCSA process, which supports a comprehensive understanding of risks and controls in place at the operational and business process level. The RCSA process enables the risk and control owners to identify any omissions in the risk environment and to close any control gaps or weaknesses as necessary.

Risk reporting: Risk reporting is presented to the ERMC and RCC. This includes details of underlying KRIs mapped to the risk appetite categories, breaches, risk events and emerging risks.

Policy governance framework: This provides minimum standards for managing the key risks that the Group faces. Each Group policy has an Executive Committee-level owner, who is ultimately accountable for the design, implementation and maintenance of the policy.

Internal Capital Adequacy and Risk Assessment (“ICARA”): The Group conducts an ICARA process to ensure that it has appropriate systems and controls in place to identify, monitor and, where proportionate, reduce all potential material harms that may result from the ongoing operation of its business. The Group holds financial resources (capital and liquidity) in excess of our minimum regulatory requirements. The ICARA is reviewed and challenged by the ERMC and the RCC and approved by the Board.
