Standard Bank Group RISK AND CAPITAL MANAGEMENT REPORT 2019

RISK AND CAPITAL MANAGEMENT REPORT 2019 Standard Bank … This risk and capital management report covers the Standard Bank Group’s (the group or SBG) financial services activities

  • Standard Bank Group

    RISK AND CAPITAL MANAGEMENT REPORT 2019

  • CONTENTS

    RISK AND CAPITAL MANAGEMENT REPORT

    • Our reporting suite

    • About this report

    • Board responsibility

    • Risk reflections

    • How we manage risk

    • Strategic risks

    • Non-financial risks

    • Financial risks

    • Capital management

    ANNEXURES

    • Annexure A – Key metrics

    • Annexure B – Linkages between financial statements and regulatory exposures

    • Annexure C – Credit risk

    • Annexure D – Market risk

    • Annexure E – Funding and liquidity risk

    • Annexure F – Capital management

    • Annexure G – SBSA

    • Annexure H – Regulatory and legislative developments impacting the group

    • Annexure I – Restatements

    • Contact and other details

  • 1 STANDARD BANK GROUP Risk and capital management 2019

  • OUR REPORTING SUITE

    REPORTING TO SOCIETY PLATFORM (RTS)

    The report to society (RTS) explains how we contribute to the group’s ability to achieve its purpose through our SEE impacts. Our environmental, social and governance (ESG) report provides an overview of the processes and governance structures the group has in place to support our commitment to do the right business, the right way. The reporting to society suite in our online platform also includes our South African transformation report.

    Intended readers: Our clients, employees and society more broadly

    RISK AND CAPITAL MANAGEMENT REPORT (RCM, this report)

    Sets out the group’s approach to risk management, including our risk universe.

    Intended readers: Our shareholders, debt providers and regulators

    GOVERNANCE AND REMUNERATION REPORT (GOV/REM)

    Discusses the group’s governance and remuneration priorities, as well as the group’s remuneration policy and implementation report.

    The invitation to the annual general meeting (AGM) and notice of resolutions to be tabled is sent separately to shareholders and is available online.

    Intended readers: Our shareholders, debt providers and regulators

    ANNUAL INTEGRATED REPORT (AIR)

    Provides a holistic assessment of our ability to create sustainable value in the short, medium and long term.

    Intended readers: Primarily investors but relevant to all our stakeholders

    ANNUAL FINANCIAL STATEMENTS (AFS)

    Sets out the group’s full audited annual financial statements, including the report of the group audit committee.

    Intended readers: Our shareholders, debt providers and regulators

  • SUBSIDIARY ANNUAL REPORTS

    To account to their stakeholders, our subsidiaries produce their own annual reports and audited annual financial statements, which are available on their respective websites.

    • The Standard Bank of South Africa (SBSA)

    • Liberty

    • Other subsidiary reports, including legal entities in Africa Regions.

    Intended readers: Our subsidiary stakeholders

    How to navigate our reports

    The following icons refer readers to information across our suite of reports:

    • Refers readers to information elsewhere in this report.

    • Refers readers to information in our other reports, which are available online.

    Report icons: AIR, GOV/REM, RCM, AFS, RTS

    Key frameworks applied

    The International Integrated Reporting Framework

    Companies Act, 71 of 2008, as amended (Companies Act)

    Johannesburg Stock Exchange (JSE) Listings Requirements

    King IV Report on Corporate Governance for South Africa 2016*

    IFRS

    South African Banks Act, 94 of 1990 (Banks Act)

    Basel Committee on Banking Supervision’s public disclosure framework

    CDP (previously Carbon Disclosure Project)

    United Nations (UN) Sustainable Development Goals (SDGs)

    Assurance

    Certain information extracted from audited reports

    Unmodified audit opinion expressed by KPMG Inc. and PricewaterhouseCoopers Inc.

    Selected information assured by PricewaterhouseCoopers Inc.

    * Also known as the King Code and King IV™. Copyright and trademarks are owned by the Institute of Directors in Southern Africa NPC and all of its rights are reserved.

    At the time of writing this report COVID-19 had begun spreading more rapidly across the world. Its impact on our communities and business activities is still being quantified. We intend to include these impacts in our strategy and short- and long-term budget plans.

    All our reports and latest financial results presentations, booklets and SENS announcements are available online, together with financial and other definitions, acronyms and abbreviations used. We urge our stakeholders to make use of our reporting site at https://reporting.standardbank.com/ to assist in the reduction of our carbon footprint.

  • ABOUT THIS REPORT

    This risk and capital management report covers the Standard Bank Group’s (the group or SBG) financial services activities and other interests. Certain information pertains to the group’s results, which includes our interest in Liberty and our other banking interests, and has been denoted as such.

    The SBG pillar 3 risk tables can be found in annexures A to F of this report and the 2019 governance and remuneration report. SBSA pillar 3 tables and other financial risk disclosures can be found in annexure G of this report. Pillar 3 table references (OV1, CR1 etc.) have been included in the table headings for ease of use. Basel III Committee on Banking Supervision (BCBS) pillar 3 requirements only apply to banking operations.

    REMA: Remuneration policy

    GOV/REM page 55 – 62.

    REM1: Remuneration awarded during the financial year

    GOV/REM page 100.

    REM2: Special payments

    GOV/REM page 100.

    REM3: Deferred remuneration

    GOV/REM page 101.

    All amounts are in rand millions unless otherwise stated.

    • 2019 refers to the 12 months ended 31 December 2019

    • 3Q19 refers to the nine months ended 30 September 2019

    • 1H19 refers to the six months ended 30 June 2019

    • 1Q19 refers to the three months ended 31 March 2019

    • 2018 refers to the 12 months ended 31 December 2018.

    Risk-related IFRS disclosure can be found in annexure C of the group and the Standard Bank of South Africa (SBSA) audited annual financial statements.

    The main features of regulatory capital instruments (CCA) can be found on our website: reporting.standardbank.com

    All disclosures in this report are unaudited.

  • BOARD RESPONSIBILITY

    Our board of directors (the board) has the ultimate responsibility for the oversight of risk.

    In the instances where we have incurred losses, breached risk appetite or were fined by our regulators, the board is satisfied that management has taken appropriate remedial action.

    For the period under review, the board is satisfied that:

    • Our risk, compliance, treasury and capital management, and group internal audit (GIA) processes operated effectively.

    • Our business activities have been managed within the board-approved risk appetite.

    • We are adequately funded and capitalised to support the execution of our strategy.

    Basel pillar 3 disclosure

    Our disclosure policy incorporates the pillar 3 disclosure requirements as set out by the BCBS.

    Key elements of this policy include:

    • Guiding principles for pillar 3 disclosure

    • Frequency of reporting

    • Governance processes

    • Internal controls and procedures

    The board is satisfied that this report has been prepared in accordance with our disclosure policy and that an appropriate control framework has been applied.

  • RISK REFLECTIONS

    We are proud to report that we continue to keep the promise to our clients and communities in and across Africa – we do the right business, the right way.

    David Hodnett, Chief risk officer

    Our robust risk management throughout the year continued to maintain the trust of our stakeholders and support our purpose of driving growth, financial inclusion and economic activity across Africa. We live this principle of growth through advancing our clients’ interests. Enhancing the dignity of our communities is what earns the trust of our clients and gives us the licence to operate as the leading African financial services group.

    Our environment

    The banking regulatory environment continues to become more complex and extensive. Regulators are adopting broad regulations including the Conduct of Financial Institutions Bill (COFI), retail distribution review (RDR), and recovery and resolution planning guidelines.

    In SA, the economy is still struggling to emerge from the bottom of the business cycle. Electricity supply and drought risks present the need for public sector fiscal consolidation.

    Growth for southern and central African countries (except Zambia and Zimbabwe) is projected at 3 – 4%. The Zambian and Zimbabwean economies remain challenged, although the extended downturn provides hope that solutions could be found in 2020, and lay the foundation for recovery.

    Strong growth is expected to continue in East Africa and West Africa (excluding Nigeria) at levels of 5 – 6%. This is consistent with other high growth emerging markets. Growth of up to 2.5% is projected for Nigeria. Low inflation, manageable external debt to GDP positions, and relative political stability support the growth projections.

    The services sector continues to provide growth opportunities for our business. In other sectors with slower growth rates, we continue to defend our sector positions by tightening our risk appetite and reducing concentration in vulnerable sectors. We also manage the risk of financing infrastructure growth initiatives (especially in the energy sector) at a transaction, client, sector and country level.

    Politics and geopolitics

    In 2019, elections took place in 20 African countries, increasing the risk of policy uncertainty in Ghana, Tanzania, Côte d’Ivoire, Ethiopia, Lesotho, Namibia and Malawi. Zambian and Ugandan elections are planned for 2021.

    Over the past year, our regulators have increased the focus on new global fintech developments to ensure that regulatory frameworks are aligned to these developments. International standard setting bodies are evaluating the implications of the post-crisis reforms as well as the progress made by the G20 member countries in the adoption of the international standards. In line with this, the global Financial Stability Board (FSB) conducted a review of the South African Resolution Framework and we provided input to a number of the evaluations.

    The outlook for global economic growth is threatened by the coronavirus outbreak (COVID-19), trade policy uncertainty, geopolitical tensions, structurally low productivity growth, aging demographics in advanced economies and stressed economic conditions in several key emerging market countries.

    GDP growth

    | | 2019* (%) | 2020 projections* (%) |
    |---|---|---|
    | World | 2.9 | 3.3 |
    | Africa Sub-Saharan | 3.3 | 3.5 |
    | Nigeria | 2.3 | 2.5 |
    | South Africa | 0.3 | 0.8 |

    * Source: International Monetary Fund.

    The overall outlook for economic growth for Africa is mixed, therefore a diversified country footprint is important. Growth in SA and other southern African countries remains weak, while growth in Namibia, Lesotho, eSwatini and Angola is modest.

    CET I ratio¹: 14.0% (2018: 13.5%)

    Common equity tier I ratio (CET I): a measure of solvency that assesses capital strength against our risk-weighted assets (RWA).

    ¹ Including phased-in unappropriated profit.

  • Outside of Africa, political dissatisfaction and a trend towards nationalism in some developed economies are driving protectionist policies, which contradicts the prospect of open trade within Africa. Middle East and US and China tensions increase the potential for volatility in commodities that are important drivers of export growth for several countries where we operate.

    Tough economic conditions in SA, Zimbabwe and other countries increase the risk of protest action and social unrest. Security and terrorism risks are expected to remain isolated to specific pockets in countries across our footprint, including Nigeria, Kenya and Mozambique. As the leading provider of financial services in Africa, there is increasing pressure to play a larger societal role in support of economic development goals.

    Technology

    Technological advancement provides us with an opportunity to serve our clients better by managing data and risks more effectively, but also increases exposure to cyber threats and other operational risks. The digital and cashless banking movement is also a source for social concerns about financial exclusion.

    Competition

    Reduced entry costs in the financial services sector are increasing the threat of new entrants and substitutes. This puts pressure on pricing models and revenue. Intense competition from digital banks, fintechs and mobile service providers increases the importance of proactive and effective strategic risk management.

    Environment

    Weather pattern changes have become more severe, impacting our clients and therefore our business practices. As a result we have integrated environmental and social risks into our risk appetite and transaction approval processes.

    How we managed risk in 2019

    We want to do valuable things for our clients in a digital way, delivering a seamless universal financial services proposition.

    We managed our risks well and within board-approved risk appetite, which sets out the aggregate level of risk we are willing to accept in order to achieve our strategic objectives. Our credit portfolio was well-controlled and stressed sectors are closely monitored.

    RCM page 27.

    Our credit loss ratio (CLR) was 0.68%, supported by a 5% growth in loans and advances. Our relatively modest increase in credit impairments, despite a weak economic environment in SA, is a testament to the diversification of our portfolio and our robust and proactive risk management. Our watchlist of early arrears and vulnerable exposures increased materially during the year, but sound underlying facility structures coupled with strong concentration risk management and early action helped us manage this risk effectively. The banking book equity portfolio performed well and without material write-downs.

    The overall Personal & Business Banking (PBB) SA book performed within risk appetite. Private households, agriculture, manufacturing and financial intermediation sectors experienced the highest growth in 2019.

    There was a focus on proactively growing the book in Africa Regions in line with risk appetite, despite the challenging economic environment hindering credit growth. In Africa Regions, private households, mining, manufacturing, and finance, real estate and other business services experienced the highest growth in 2019.

    The Corporate & Investment Banking (CIB) book has been exposed to several idiosyncratic risks, especially in SA, with a few clients with high gearing levels coming under pressure due to the prolonged economic slowdown. We have concerns about a number of our presence markets where there is continued sovereign weakness and we are moderating our risk appetite appropriately.

    Our capital and liquidity positions remained sound and within or above board-approved ranges throughout the year. They were conservatively managed, considering both likely and remotely possible needs for capital and liquidity. Our capital adequacy ratio is 16.7% (phased-in, including unappropriated profits) in compliance with Basel III and well above regulatory minimum requirements.

    NSFR: 119.5% (2018: 118.6%)

    Net stable funding ratio (NSFR): the amount of available stable funding (ASF) relative to the amount of required stable funding (RSF) in accordance with Basel III.

    LCR: 138.4% (2018: 116.8%)

    Liquidity coverage ratio (LCR): measures our ability to manage a sustained outflow of client funds in an acute stress event over a 30-day period in accordance with Basel III.

  • RISK REFLECTIONS HOW WE MANAGED RISK IN 2019 CONTINUED

    During 2019, we continued to enhance and embed our group and subsidiary recovery plans through the annual recovery planning process and further developed our monitoring capability of relevant early warning indicators.

    In 2019, we identified the following top risks:

    PREVALENT FINANCIAL RISKS WITH SOUND RISK MANAGEMENT PRACTICES

    | Risks | Risk category | Mitigation |
    |---|---|---|
    | Inadequate cross business line client concentration exposure management. This is specific to large exposures from the economic climate, corporate failures and regulatory requirements | Credit and equity concentration risk | Robust counterparty concentration risk framework that supports risk teams and the relevant governance committees. |
    | Adverse outcomes as a result of risk positions from trading on behalf of clients in illiquid markets | Market risk | Our market risk management framework limits the size of market risk exposures. |
    | Net interest income reduction from an adverse change in interest rates | Interest rate risk in the banking book (IRRBB) | Comprehensive framework for identifying, measuring, monitoring, managing and reporting IRRBB. |

    PREVALENT NON-FINANCIAL RISKS WITH SOUND RISK MANAGEMENT PRACTICES

    | Risks | Risk category | Mitigation |
    |---|---|---|
    | Volume, pace and scale of regulation, coupled with uncertain timelines and cost of implementation creates challenges in staying abreast of regulations | Compliance risk | A comprehensive capital investment programme on surveillance, reporting systems and business intelligence is scheduled for the short- to medium-term. |
    | Ability to withstand disruption from cyber, social and political threats on technology and information | Business disruption risk | A programme has been initiated to evolve to an end-to-end client approach. Appropriate investment has been secured. |
    | Accountability for the conduct and delivery of third-, fourth- and fifth-parties | Third-party risk | Developed a third-party risk management toolkit to enhance this capability across all our entities. |
    | Increased financial pressure and sophisticated practice by fraudsters | Fraud risk | Prioritised rollout of the universal fraud risk management model, real-time analytics and stronger authentication. |
    | Increased scrutiny on conduct to ensure fair client practices. | Conduct risk | A review of areas with increased levels of conduct risk exposure has been initiated. |
    | Technology evolution may lead to vulnerabilities that can be exploited. | Cyber risk | Key programmes have been implemented to monitor the health of our platforms and detect network anomalies. |
    | Client demand for 24/7 services places pressure on technology assets | Technology risk | Key programmes have been prioritised including simplifying our architecture and eliminating unsupported and end-of-life technology. |
    | Increasing regulations for maintaining information and declining tolerance for compromising confidential or secret information | Information risk | Implemented stronger authentication, predictive risk monitoring and data leakage prevention controls. |

  • LOOKING AHEAD

    While economic conditions are expected to remain challenging in certain countries, our geographical footprint and the nature of our business provides diversity. Growth is expected to be strong in over half the economies in our footprint, but other economies remain weak. The slowed growth in the Chinese economy will impact the levels of foreign direct investments in Africa.

    Our portfolio is vulnerable to a combination of macro, sector and specific risks that we will manage effectively to deliver profitable growth.

    We closely monitor risk developments through our annual process of identifying and assessing top and emerging risks with our business line leaders and board, to ensure that appropriate risk management responses are triggered timeously.

    ISSUES THAT ARE GROWING IN PROMINENCE

    | Risks | Risk category | Mitigation |
    |---|---|---|
    | Increasing exposure to environmental threats including carbon emissions, climate change and stranded assets. | Environmental and social risk | We are collaborating with the task force on climate-related financial disclosures pilot programme to develop our capacity to collect and analyse data and report according to the task force’s guidelines and related industry standards. We have published policies governing new investment in coal-fired power stations and coal mining. |
    | Expanding use of non-traditional models including those that affect conduct | Model risk | The evolution of model risk is receiving attention through a newly formed working group and the appointment of a head of model risk. |

    Significant regulatory and legislative developments will continue to impact us. The Basel III finalisation standards, to be adopted internationally over the next eight years, seek to restore credibility in the calculation of RWA and improve the comparability of capital ratios across the banks. These reforms result in changes to most of the current RWA calculation approaches and will have a direct impact on capital requirements, as well as business models. The complexity of the revisions requires significant implementation effort including extensive additional data and reporting requirements¹.

    ¹ BCBS239 risk data and risk reporting.

    NOTE:

    At the time of writing this report COVID-19 had begun spreading more rapidly across the world. Its impact on our communities and business activities is still being quantified, and this will change the economic growth projections stated in this report. We intend to include these impacts into our strategy and short- and long-term budget plans.

    In 2020, we will enhance our risk management system in the following areas:

    • alignment to changes in the operating model

    • integration of efficient risk management process within client journeys and payment ecosystems

    • value-based enterprise risk management that is linked to financial outcomes

    • active monitoring of distressed portfolios at an enterprise level

    • stress testing of strategic objectives

    • ongoing simplification of non-financial risks tools

    • increased use of data models and cloud technology for intuitive risk management and agile decisions that best serve our client.

  • HOW WE MANAGE RISK

    PROCESS

    Identify, assess & measure, manage, report

    RISK GOVERNANCE DOCUMENTS

    Governance frameworks, standards and policies

    Top risks identification process

    STRUCTURE

    Reporting-line diagram (direct and indirect reporting lines):

    • Standard Bank Group board

    • Board committees: Group risk and capital management committee, Group technology and information committee, Group audit committee, Group model approval committee, Group remuneration committee, Group social and ethics committee

    • Chief executive

    • Group executive committee

    • Group risk oversight committee

    • CIB model approval committee

    • PBB model approval committee

    Other diagram labels: Risk management programme, Organisational design, Group strategy

    Risk management committees

    • CIB credit governance

    • PBB credit governance

    • Group asset and liability committee (ALCO)

    • Group compliance committee

    • Group country risk management

    • Group equity risk committee

    • Group internal financial control governance committee

    • Group operational risk committee

    • Group sanctions and client risk review committee

    • Group stress testing and risk appetite committee

    • Group recovery and resolution planning committee

    Risk reporting

    Risks are reported and discussed in the risk governance structures and executive management committees. Risk reports are prepared for the board committees, the regulator and other stakeholders on a regular basis.

    Risk culture

    Our risk culture reflects our vision, mission and ethics. The board and executive team have set a tone of doing the right business, the right way, and ensuring we earn the trust of customers and stakeholders with every decision we make.

    RISK UNIVERSE

    Financial risks

    • Credit risk

    • Country risk

    • Market risk

    • Insurance risk

    • Funding and liquidity risk

    Emerging risks

    • Climate change risk (T)¹

    • Non-traditional models risk (T)²

    Strategic risks

    • Business risk

    • Reputation risk

    ¹ Climate change risk is managed within environmental and social risk.

    ² Non-traditional models risk is managed within model risk.

  • Recovery and resolution planning

    RCM page 15. RCM page 98.

    Stress testing

    RCM page 14.

    Risk appetite

    RCM page 14. RCM page 15.

    Capital management

    Risk data aggregation and risk reporting

    GOVERNANCE: THREE LINES OF DEFENCE (COMBINED ASSURANCE)

    RISK OWNERSHIP: BUSINESS UNIT AND LEGAL ENTITY MANAGEMENT

    The first line of defence proactively identifies, assesses and measures applicable risk scenarios in order to arrive at risk appetite decisions. They manage day-to-day transaction- and portfolio-level risk decisions within the risk appetite and implement mitigation controls to reduce the adverse impact of taking risks in pursuit of strategic objectives.

    DIRECT, CONTROL AND OVERSIGHT: RISK, COMPLIANCE MANAGEMENT FUNCTIONS AND THE BOARD

    The second line of defence directs the definition of the enterprise-wide risk management programme. They facilitate execution of risk lifecycle activities and provide expert advice, guidance and support to the first line of defence management team. Together with the board they have oversight of the implementation and effective execution of risk and returns decisions within the set risk appetite and target strategy.

    RISK ADVISORY AND ASSURANCE: GROUP INTERNAL AUDIT

    The third line of defence provides independent and objective assurance to the board and senior management on the adequacy and effectiveness of the control environment and the risk management programme. They have an independent reporting line to the board to assist in discharging their risk oversight responsibilities.

    Other diagram labels:

    • Facilitate risk and capital management activities at an enterprise level and within different business units and entities

    • Provide assurance on the adequacy and effectiveness of the risk management programme

    • Design and implement an effective risk management programme across the enterprise

    RISK UNIVERSE

    Non-financial risks

    • Business disruption risk (T)

    • Financial accounting risk

    • Compliance risk*

    • Cyber risk (T)

    • Tax risk

    • Conduct risk (T)

    • Technology risk (T)

    • Third-party risk (T)

    • Financial crime risk (T)

    • Information risk (T)

    • People risk

    • Physical assets risk

    • Model risk

    • Legal risk

    • Environmental and social risk

    * Regulatory impact risk is a top risk managed within compliance risk.

    T = Top risk

  • HOW WE MANAGE RISK CONTINUED

    Our risk management approach ensures consistent and effective management of risk and provides for appropriate accountability and oversight. Risk management is enterprise wide, applying to all entity levels and is a crucial element in the execution of our strategy. Our risk universe represents the risks that are core to our financial services business. We organise these into strategic, financial and non-financial risk categories and annually identify top risks. The top risks require focused management because they represent material impacts to the strategy. We regularly scan the environment for changes to ensure that our risk universe remains relevant.

    The risk universe is managed through the lifecycle from identification to reporting. Our assessment process includes rigorous quantification of risks under normal and stressed conditions up to, and including, recovery and resolution. The annual recovery planning process facilitates proactive consideration by senior management and the board of appropriate actions that could be taken in the event of severe stress. The recovery plan process enhances our ability to make timely, well-informed decisions to mitigate the risk and impact should a severely adverse scenario arise.

    Risk exposures are managed through different techniques and are monitored against a risk appetite that supports our strategy. We manage and allocate capital efficiently to grow shareholder value while ensuring that regulatory capital requirements are met.

    Risk information is subject to strong data and reporting controls. It is integrated into all business reporting and governance structures. Our governance structure enables oversight and accountability through appropriately mandated board and management committees. The three lines of defence model is leveraged to maintain a strong risk culture with an emphasis on doing the right business, the right way.

    This is all underpinned by a control environment defined in our risk governance and management standards and policies.

    Through the embedding of our values and ethics policies, compliance training and whistle-blowing programmes, our employees are empowered to act with confidence, drive meaningful behavioural changes and place the client at the centre of everything they do.

    RISK GOVERNANCE

    Our risk management system is governed by:

    Governance committees

    Governance committees are in place at both a board and management level. These committees have mandates and delegated authorities that are reviewed regularly. Members have the requisite skills and expertise to manage risk.

    The board subcommittees that are responsible for the oversight of the risk management system comprise the group risk and capital management committee (GRCMC), the group audit committee (GAC), the group technology and information committee (GTIC), the group model approval committee (GMAC), the group remuneration committee (REMCO) and the group social and ethics committee (GSEC).

    GRCMC comprises the chairman of the board and chairs of six other board subcommittees. This common membership provides an enterprise-wide and integrated view of financial, non-financial, social, economic and environmental issues that impact the risk and control environment. Their responsibilities include:

    • setting the direction for how our risk and capital management should be approached and addressed

    • reviewing and approving the risk appetite statement for our banking activities

    • reviewing risk management reports and monitoring our risk profile

    • evaluating and agreeing the opportunities and associated risks that we should be willing to take.

    GAC comprises seven independent non-executive directors, including the GTIC and REMCO chairmen. Their responsibilities include:

    • monitoring and reviewing the adequacy and effectiveness of accounting policies, financial and other internal control systems and financial reporting processes

    • providing independent oversight of our assurance functions, with particular focus on combined assurance arrangements, including external audit, internal audit, compliance, risk and internal financial control functions

    • reviewing the independence and effectiveness of the group’s external audit, internal audit and compliance functions

    • assessing our compliance with applicable legal, regulatory and accounting standards and policies in the preparation of fairly presented financial statements and external reports.

    The chairman of the GAC meets regularly with the group chief compliance and data officer, the group financial director and the group chief audit officer to ensure the independence of the second and third lines of defence functions.

    GTIC comprises four independent non-executive directors, one non-executive director, and two executive directors. Their responsibilities include:

    • reviewing and providing guidance on matters related to IT strategy, budget, operations and policies

    • reviewing assessment of IT risks and controls, including disaster recovery, business continuity and security

    • overseeing significant IT investments and expenditure

    • overseeing the governance of technology and information in a manner that supports our strategic objectives.

    GMAC comprises a non-executive director, both executive directors, the chief executives of PBB and CIB and the group chief risk officer. Their responsibilities include:

    • reviewing models designed to quantify and manage our risk exposure

    • evaluating and approving risk models used to calculate regulatory capital demand

    • approving models based on an assessment of their materiality.

    REMCO comprises only non-executive directors with six being classified as independent. It assists the board in ensuring fair and responsible remuneration. Their responsibilities include:

    • developing a remuneration philosophy and policy statement for disclosure to enable a reasonable assessment by stakeholders of reward practices and governance processes

    • reviewing and approving the risk-adjusted remuneration governance standards

    • considering and recommending the approval of the remuneration report

    • considering shareholders’ feedback and recommendations in respect of our remuneration policy and implementation.

    GSEC comprises three independent non-executive directors, two non-executive directors, and two executive directors. Their responsibilities include:

    • ensuring the development of appropriate policies and being the social conscience, recognising that stakeholder perceptions affect our reputation

    • guiding and monitoring social, ethical, economic, environmental, transformation and consumer relationship initiatives in line with relevant legislation, codes and regulation

    • monitoring our approach to conduct through a culture-led strategy, to embed culture and conduct, and manage conduct risk

    • considering our sustainability programmes and strategy, specifically the direct and indirect environmental impact of these programmes

    • reviewing annual corporate social investment spend and activities across our operations, specifically giving consideration to aligning the focus of programmes across the group.

    Management committee

    The group risk oversight committee is a subcommittee of the group executive committee which provides group-level oversight of all risk types and assists the GRCMC in fulfilling its mandate. As is the case with the GRCMC, the group risk oversight committee calls for and evaluates in-depth investigations and reports based on its assessment of our risk profile and impact of external factors. The group risk oversight committee is chaired by the group chief risk officer.

    Governance documents

    The enterprise risk management governance framework is approved by the GRCMC. It informs the specific risk type standards, frameworks and policies which are approved by executive committees and the relevant board subcommittee. The critical steps for risk management are defined to ensure common practices across the group.

    Business line and legal entity policies are aligned to the governance documents and are applied within their governance structures.

    Three lines of defence

    The board discharges its oversight responsibilities for risk management through independent assurance activities performed by second and third line. The board has the following mandate:

    • ensuring that the appropriate tone for risk is set by executive management

    • ensuring that the risk and capital management is effective, including our:

    – risk, compliance, treasury and capital management, and GIA processes

    – risk appetite

    – capital adequacy to support strategy execution.

    Effective first line risk management responsibilities include:

    • defining the risk and control culture, and risk appetite

    • identifying and assessing risks and emerging threats

    • designing and implementing appropriate controls

    • balancing risk and return with every business decision

    • allocating capital optimally for maximum returns

    • performing self-assessments on the control environment

    • escalating material events that breach risk appetite through the governance structure

    • ensuring appropriate risk disclosure to shareholders and regulators.

    Effective second line risk management responsibilities include:

    • defining the risk and capital management framework and policies

    • facilitating risk management activities through the process lifecycle

    • facilitating the capital requirements calculations for all applicable risk types

    • challenging management’s day-to-day risk decisions

    • monitoring and providing expert advice on emerging threats

    • monitoring that risk decisions are being taken in line with the risk culture and appetite, and reporting breaches

    • managing the interface with regulators regarding industry policy advocacy and risk and compliance matters

    • compiling risk disclosures as per regulatory requirements

    • reviewing compliance with risk standards

    • performing independent reviews on specific risk and control areas.

    Effective third line risk management responsibilities include:

    • providing assurance through a risk-based audit plan that assesses and reports on the quality of controls and risk management practices

    • periodically reviewing the design adequacy of the risk management framework, the level of compliance with policies and standards, and the completeness and reliability of the risk assessment and reporting process.

    Risk culture

    We leverage the three lines of defence model to build and maintain a strong risk culture. We focus on multiple drivers to enhance our risk culture and emphasise doing the right business the right way. Our values and ethics are embedded through policies, compliance training and whistle-blowing programmes. Employees are empowered to act with confidence and drive behavioural changes that place the client at the centre of everything they do.

    As an important institution within our economy, the deep obligation to develop our society is entrenched in our business practices, including compliance with laws and regulations. We promote and reward responsible risk taking that results in sustainable growth. Each business is responsible for monitoring behaviour that is contrary to our ethos and taking disciplinary action in line with our conduct risk management standards. Inappropriate risk decisions are monitored as part of performance management and escalated to REMCO.

    RISK APPETITE AND STRESS TESTING

    Risk appetite is an expression of the amount or type of risk we are willing to take in pursuit of our financial and strategic objectives, reflecting our capacity to sustain losses and continue to meet our obligations as they fall due, under both normal and a range of stress conditions.

    Stress testing is a key management tool within the group and is used to evaluate the sensitivity of the current and forward risk profile relative to different levels of risk appetite.

    The key to our long-term sustainable growth and profitability lies in the strong link between our risk appetite and our strategy, and the desired balance between risk and return.

    Group stress testing and risk appetite committee

    Stress testing activities are undertaken during the assessment phase to determine the risk appetite at a group level. This is cascaded to business unit, risk type and legal entity levels. We test risk scenarios at group, legal entity and portfolio levels to support normal stress conditions up to severe stress scenarios to inform our recovery plans.

    Portfolio management is performed at a group level across and within business units, risk types and legal entities to ensure that existing and emerging exposure concentrations in countries, sectors, obligors and other risk areas are effectively managed.

    Risk appetite

    Risk appetite guides strategic and operational management decisions and is reviewed annually. Our level one risk appetite statements are:

    • Capital position: We aim to have a strong capital adequacy position measured by regulatory and economic capital adequacy ratios. We manage our capital levels to support business growth, maintain depositor and creditor confidence, create value for shareholders and ensure regulatory compliance. Each banking subsidiary must further comply with regulatory requirements in the countries in which we operate.

    • Funding and liquidity management: We maintain a prudent approach to liquidity management in accordance with the applicable laws and regulations. The competitive environment in which each banking subsidiary operates is also taken into account. Each banking subsidiary must manage liquidity on a self-sufficient basis.

    • Earnings volatility: We aim to have sustainable and well-diversified earning streams in order to minimise earnings volatility through business cycles.

    • Reputation: We have no appetite for compromising our legitimacy or for knowingly engaging in any business, activity or relationship which could result in foreseeable damage to our reputation or our sustainability.

    • Conduct: We have no appetite for unfair client outcomes arising from inappropriate judgement and conduct in the execution of business activities, or wilful breaches of regulatory requirements. We strive to meet clients’ expectations for efficient and fair engagements by doing the right business the right way, thereby upholding the trust of our stakeholders.

    Level two risk appetite is cascaded into risk types. Level three risk appetite consists of risk type based limits.

    Stress testing and scenario planning

    Fit-for-purpose stress testing programmes ensure appropriate coverage of the different risks.

    During 2019, the following key risks were identified and used as shock/stress factors to perform our stress testing exercises:

    • rising geopolitical volatility leading to an increased risk of trade wars and de-globalisation

    • the unsettled social and political environment

    • capital outflows from emerging market economies

    • increased sovereign debt stress in some African countries

    • sovereign risk arising from elections in certain countries including policy changes specific to individual African countries

    • ongoing threat of cyber crime

    • subdued economic environment in key markets

    • increased competition from new market entrants and digital disruption

    • potential impact of climate change.

    Stress testing results support a number of business processes, including:

    • strategic and financial planning

    • informing the setting of risk appetite and portfolio management at a group, business unit and legal entity level

    • the internal capital adequacy assessment process (ICAAP), including capital planning and management, and the setting of capital buffers

    • liquidity planning and management

    • identifying and proactively mitigating risks through actions such as reviewing and changing limits, limiting exposures, and hedging

    • facilitating the development of risk mitigation or contingency plans, including recovery plan and resolution planning, across a range of stressed conditions

    • supporting communication with internal and external stakeholders, including industry-wide stress tests performed by the regulator.

    Stress testing programme

    Our stress testing programme uses one or a combination of stress testing techniques, including scenario analysis, sensitivity analysis and reverse stress testing to address stress testing for different purposes.

    Groupwide macroeconomic stress testing

    Macroeconomic stress testing is conducted across all major risk types on an integrated basis for a range of economic scenarios varying in severity from mild to very severe but plausible macroeconomic shocks. The impact, after consideration of mitigating actions, on the income statement, balance sheet and capital demand and supply is measured against our risk appetite.

    A specifically designed macroeconomic stress test is performed for the group and SBSA at least once a year and targets our risk profile, geographical presence and strategy.

    Group and SBSA macroeconomic stress testing results are presented at a board level to consider whether our risk profile is consistent with our risk appetite buffer. Groupwide macroeconomic stress testing results are submitted as part of the annual ICAAP.

    Business model stress testing

    Business model stress testing utilises the reverse stress testing technique to explore vulnerabilities in a particular strategy or business model. The outcome does not necessarily target business or bank failure, but rather seeks to inform what could have a severe impact given a plausible, but in most cases highly improbable, event within a given set of circumstances and assumptions.

    Risk type stress testing

    Risk type stress tests are performed for individual risk types and take the form of a scenario or sensitivity analysis.

    Ad hoc and deep-drill stress testing

    Additional ad hoc stress testing at the group, legal entity, business line, sector or risk type level may be required from time to time for risk management or planning purposes. It informs management of risks that may not yet be part of routine stress testing or where the focus is on a specific portfolio or business unit.

    Supervisory stress tests

    From time to time, a regulator may call for the group or a legal entity to run a supervisory stress test or common scenario with prescribed assumptions and methodologies. The regulator may use these to assess the financial stability of the entire financial sector, or for targeted stress tests where they may have a specific concern on an asset class or other potential stress event.

    Recovery plan stress testing

    Recovery plan stress testing is performed annually on plausible but highly unlikely events to verify the effectiveness of the recovery options. Systemic, group-specific, combination events, as well as velocity scenarios are considered.

    Recovery and resolution planning

    Recovery and resolution planning is a global regulatory reform introduced by the FSB to improve international financial stability and reduce the likelihood of the failure of systemically important financial institutions. The recovery plan identifies management actions which can be adopted during periods of severe stress to ensure the survival of our business and the sustainability of the economy within which we operate. Should these actions prove to be inadequate, the resolution plan sets out the approach for unwinding in an orderly manner and minimising the impact on depositors and taxpayers.

    Since 2012, and in line with international developments, 11 out of 20 host country regulators have issued requirements to develop recovery plans. An independently facilitated group stress simulation exercise will be conducted in 2020 to assess the appropriateness and feasibility of our potential response strategy, escalation procedures and early warning indicators.

    Risk reporting

    Risk exposures are reported on a regular basis to the board and senior management through our governance committees. Risk reports are compiled at business unit level and are aggregated to the enterprise level for escalation through the governance structures based on materiality.

    Risk management reports comply with standards set out by BCBS239.

    Group insurance programme

    The group insurance programme is designed to protect against loss resulting from our business activities. It is used as a strategic risk transfer mechanism, serving as an operational risk mitigant by transferring residual insurable risks to conventional insurance markets. This cover is reviewed annually.

    Group insurance committee

    The principal insurance policies in place are the group crime and professional indemnity, cyber, and group directors’ and officers’ liability policies. In addition, we have fixed assets and liabilities coverage for our office premises and business contents, third-party liability for visitors to our premises, and employer’s liability. Our business travel policy provides cover for staff when travelling on behalf of the group.

    STRATEGIC RISKS

    Business risk

    Reputation risk

    BUSINESS RISK

    The risk of unexpected earnings variability, as a result of strategic choices and failed strategy execution as well as unexpected external factors. This excludes the effects of market risk, credit risk, structural interest rate risk and operational risk.

    Highlights

    We deliver simple, relevant and holistic solutions to our clients through their channel of choice. This is enabled through our strategic focus on leveraging digital platforms to deliver complete solutions and create exceptional experiences for our clients.

    The strategic priorities and delivery time frames have been cascaded to the business lines and corporate functions for execution.

    In executing our strategy, we always remember that the purpose of digitisation is to enable us to meet human needs, to further human aspirations, and become more profitable and sustainable by doing so.

    Approach to managing business risk

    Business risk is categorised as a strategic risk. Strategic risk is the risk that our future business plans and strategies may be inadequate to prevent financial loss or protect our competitive position and shareholder value.

    Business risk is usually caused by:

    • poor choice of strategy in the form of products, market segments, channels and cost structures

    • external factors, pressures from unexpected economic, technology and competition changes, decreased demand, increased competition or cost increases

    • group-specific causes, such as the decision to absorb costs or losses to preserve reputation and operational efficiency.

    We mitigate business risk in a number of ways, including:

    • reviewing the strategy, and business unit and legal entity plans

    • performing extensive due diligence during the investment appraisal process, in particular for new acquisitions and joint ventures

    • detailed analysis of the business case for, and financial, operational and reputational risks associated with, disposals

    • applying new product processes per business line through which the risks and mitigating controls for new and amended business products and services are evaluated

    • stakeholder management to ensure favourable outcomes from external factors beyond our control

    • monitoring the profitability of product lines and client segments

    • maintaining tight control over our cost base, including the management of our cost-to-income ratio, which allows for early intervention and management action to reduce costs

    • being alert and responsive to changes in market forces

    • a strong focus in the budgeting process on achieving headline earnings growth while containing cost growth; and building contingency plans into the budget that allow for costs to be significantly reduced in the event that expected revenues do not materialise

    • increasing the ratio of variable costs to fixed costs which creates flexibility to reduce costs during an economic downturn

    • applying stress testing techniques to assess the resilience of our planned earnings under macroeconomic downturn conditions.

    Group asset and liability committee

    REPUTATION RISK

    The risk of potential or actual damage to our image which may impair the profitability and sustainability of our business.

    Reputation is defined as what stakeholders, including our staff, clients, investors, counterparties, regulators, policymakers, and society at large, believe about us. Analysts, journalists, academics and opinion leaders also determine our reputation. Our reputation can be harmed by an actual or perceived failure to fulfil the expectations of stakeholders due to a specific incident or from repeated breaches of trust.

    Reputational harm can adversely affect our ability to maintain existing business, generate new business relationships, access capital, enter new markets, and secure regulatory licences.

    Highlights

    Safeguarding and proactively managing our reputation is of paramount importance. During 2019, we responded to changing client behaviour and the continued migration of transactions to digital platforms by reconfiguring our branch footprint and closing 90 branches. The impact on our reputation was compounded by system outages and downtime in SA and Africa Regions, which severely inconvenienced our clients and undermined their trust in us.

    We recognise the risks posed by a change in climate and are committed to driving sustainable economic growth across Africa. We continue to monitor our exposures and the reputation risk associated with coal-fired power stations and coal mining.

    The financial services industry globally is often the target of crime syndicates. Clients are vulnerable to their phishing attacks and, despite our continual investment in anti-phishing and device profiling, the reputation risk from such attacks remains significant.

    Approach to managing reputational risk

    We manage reputation risk from tactical and reactive, as well as strategic and proactive perspectives. Our crisis management processes are designed to minimise the reputational impact of such events or developments. Crisis management teams are in place both at executive and business line level. This includes ensuring that our perspective is fairly represented in the media. In addition, more attention is given to leveraging opportunities to proactively improve our reputation among influential stakeholders through external stakeholder engagements, advocacy, sponsorships and corporate social initiatives.

    Group risk oversight committee

    Our code of ethics is an important reference point for all of our employees. The group ethics officer and group chief executive are the formal custodians of the code of ethics.

    NON-FINANCIAL RISKS

    Cyber risk

    Information risk

    Technology risk

    Third-party risk

    Business disruption risk

    Model risk

    Legal risk

    Compliance risk

    Conduct risk

    Environmental and social risk

    People risk

    Financial crime risk

    The risk of inadequate or failed processes, people or systems that make up business operations as a result of changes in internal or external factors. The definition excludes strategic and financial risks. These risks are complex and difficult to anticipate, oversee and monitor. They evolve rapidly and could have financial or non-financial implications for the group.

    CYBER RISK

    The potential destruction, unauthorised or erroneous use of information systems that could result in service disruption, reputation damage and significant financial loss.

    Year in brief

    Our exposure to cyber risk is a consequence of increased digitisation, growing sophistication of cyber attacks and ageing systems. These threats provide a potential gateway to cyber attacks which may result in financial losses, data breaches and service disruption. We constantly identify and mitigate exploitable vulnerabilities. In 2019, we focused on advancing and elevating our ATM and network security by migrating end-of-life systems and legacy networks, enhancing network access controls and implementing a trust model for mobile solutions.

    Significant investments were made to accelerate security capabilities to predict, prevent, detect and respond to cyber incidents. We also certified the Africa shared core banking platform against the ISO27001 standard. These efforts and other key controls allowed us to successfully detect and mitigate several attempted cyber attacks, resulting in no material client-impacting incidents for the year.

    Focus areas for 2020

    We will continue to strengthen resilience against cyber attacks and minimise the impact to our clients and operations. We also plan to implement adaptive cyber security methods that use artificial intelligence to dynamically shift tactics, and detect and remove threats as quickly as possible.

    Group technology and information committee

    Despite disruptive technologies, cyber threats, skills shortages, and the constantly evolving geopolitical risks, our overall non-financial risk (NFR) profile remained well within risk appetite.

    During 2019, the group began a transition to managing an expanded list of risk types beyond the Basel specified operational risk events. This change in focus has enabled better risk management oversight while complementing the Basel approach. Globally, many institutions are making this transition.

    To create efficiencies and enable effective risk oversight, our key initiatives were geared towards simplifying the NFR landscape, digitising risk activities, maximising the use of data and exploring the potential of machine learning, artificial intelligence and real-time predictive analytics.

    Top risks

    The top risks managed under the non-financial risk category are technology risk, cyber risk, information risk, business disruption risk, third-party risk, climate change risk (managed within environmental and social risk), people risk, financial crime risk, regulatory impact risk (managed within compliance risk), non-traditional models risk (managed within model risk) and conduct risk.

    Approach to managing non-financial risks

    We manage NFR under the umbrella of operational risk. Our approach adopts fit-for-purpose risk practices and well-established governance processes, supported by comprehensive escalation and reporting processes that assist line management to understand and manage their risk profile within risk appetite. Our NFR management function forms part of the second line of defence, is an independent team and reports to the group chief risk officer.

    Reporting

    Robust risk management reporting and escalation procedures require business line and compliance heads to report on the status of risk management to the group head of operational risk and/or the group chief compliance officer, who escalates significant matters to group management, executive and independent board committees. These matters include key and emerging risk exposures, risk management activities, regulatory interaction and legislative developments.

    Group operational risk committee

    INFORMATION RISK

    The accidental or intentional unauthorised use, access, modification, disclosure, dissemination or destruction of information resources, which may compromise the confidentiality, integrity and availability of information. This may result in service disruption, harm to our clients, reputation damage and financial loss.

    Year in brief

    Threats are becoming increasingly sophisticated. Attack methods to access and abuse information are constantly evolving. Data sharing tools have become part of our day-to-day activities. Misuse or breaches of data can result in reputation damage, regulatory penalties, financial loss and a loss of trust from our clients.

    In 2019, the information risk management approach was simplified to increase the effectiveness of risk management activities and adoption of controls like tokenisation of information, enhanced logical and privilege account access management and alignment to data security standards.

    We remain committed to a zero tolerance for compromising confidential or secret information and there were no material incidents recorded for the year.

    Focus areas for 2020

    We will continue to consider and take risk preventative action based on industry and global threat and incident reports. In addition, other controls will be continuously adapted in line with changes in information processing mechanisms. We also plan to improve our data leakage prevention rules, which inhibit dissemination of sensitive information, and to enhance endpoint encryption tools and anti-malware systems.

    Group technology and information committee

    TECHNOLOGY RISK

    The inability to manage, develop and maintain secure, agile technology capability that enables the group to operate efficiently and achieve strategic objectives.

    Year in brief

    We create value by delivering relevant and complete digital solutions that meet the needs of our clients. Our client demands now include a 24/7 banking service, making technology a key dependency for service delivery and consistent availability. We reported IT outages in SA and Africa Regions earlier in 2019, but through sustained efforts, high availability was achieved and maintained in the latter part of the year.

    We continued working towards a simple technology landscape that will enable us to manage IT changes in response to business changes in an agile and efficient manner. We also invested in the sourcing of new talent and development of existing employees with IT skills that support our digital and data strategic objectives.

    Migrating our IT platforms to the cloud is a critical component to our strategic journey to a fully digital organisation, which we continued to adapt to best serve our multi-faceted clients. We have established strategic relationships with prominent and reputable cloud service providers, and a cloud business council to fast-track this migration.

    Focus areas for 2020

    In 2020, we will continue to simplify the IT landscape. This will include reducing and consolidating systems as well as improving the quality of our platforms. We continue to explore more opportunities to optimise transaction processing activities through the use of robotic process automation, application programming interfaces and AI. We aim to further accelerate the execution of our secure cloud migration strategy to enhance our competitive advantage. We will continue to follow a privacy-by-design approach when processing our clients’ information.

    Group technology and information committee

    THIRD-PARTY RISK

    Ineffective management of third-party relationships and the operational, compliance, reputation, strategic and credit risks inherent in the services and products they provide to the group.

    Year in brief

    We leverage relationships with third parties to enhance our service offerings and partner with fintechs to take advantage of disruptive technologies. These relationships improve our operational efficiency and client experience. We started optimising our third-party risk management processes in 2019 to address inconsistent controls and regulatory compliance resulting from increased reliance on third parties.

    This included the development of a new third-party management framework and a third-party risk life-cycle management tool that includes a stringent due diligence process and enables regular analysis and risk profiling of our top suppliers to direct risk mitigation efforts.

    Focus areas for 2020

    Leveraging third-party disruptive technologies through our strategic relationships will remain a key element of our digital journey. We aim to continue implementing and optimising the third-party management framework, processes and tool across the group.

    Group operational risk committee


    BUSINESS DISRUPTION RISK

    The risk of losses arising from critical system failures and/or business process failures impacting services to and/or provided by us to our stakeholders.

    Year in brief

    The sub-Saharan operating environment is awash with operational challenges, the most notable being the inconsistent availability of electricity in southern Africa. This, coupled with our current complex legacy architecture, increases the risk of disruption to services. As we aim to have 24/7 availability for our clients, our business resilience capability ensures that we can optimally recover services. We are focused on improving our time to recover in line with our clients’ expectations. Mitigation during the year included revising business resilience methods from conventional best practice and organisational silos to coverage of the full client value chain. This was supplemented by the establishment of an always-on exco subcommittee with specific intent on operational resilience. Crisis simulations remain a key control in preparing staff for the eventuality of business disruption and the resultant recovery.

    Focus areas for 2020

    Our focus in 2020 is to continue building the value chain resilience capability for sustainability and to improve our disaster recovery readiness through addressing resilience gaps.

    Group operational risk committee


  • MODEL RISK

    Incorrect or inappropriate use of a model and fundamental errors in a model that may produce inaccurate outputs that are not aligned to design objective and intended business uses.

    Year in brief

    Globally, the use of models is expanding as a result of newly available data from increased digitisation and access to external data sources. This is a shift away from traditional pricing and capital risk models to non-traditional risk classification and analysis models.

    There is more emphasis on reducing the risks of bias, inappropriate design and incorrect context application of models. The risk arising from the use of non-traditional models is also topical with local and international regulators.

    In 2019, a model risk work group was formed under the enterprise data office and a models specialist was appointed to expand the use of non-traditional models across the group and guide the management of associated risks. The scope of model risk management also broadened to include return on equity pricing models.

    Focus areas for 2020

    In 2020, we will embed the principles of model risk management and enhance the current capability for non-traditional model management to include the tools and enhanced risk management reports.

    Group model approval committee

    LEGAL RISK

    The potential adverse consequences arising from non-compliance with legal or statutory responsibilities and legal rights not being binding or enforceable.

    Year in brief

    We are exposed to legal judgements across the countries where we operate. In 2019, we received an unexpected adverse judgement in Nigeria relating to a claim by Longterm Global Capital against our Nigerian subsidiary Stanbic IBTC. This judgement is being appealed. A critical revision of our legal capabilities across all the markets was conducted in 2019 to effectively manage the risk going forward.

    Focus areas for 2020

    The recent judgement in favour of the National Credit Regulator regarding accrual of legal fees in the client’s account is evidence of the SA judiciary and legislature focus on the protection of consumer rights. This trend will be incorporated into our risk assessments, risk scenarios measurement, and risk appetite decision.

    Group operational risk committee


  • COMPLIANCE RISK

    Potential legal or regulatory sanctions, financial loss or damage to reputation that the group may suffer as a result of its failure to comply with laws, regulations, codes of conduct, internal policies and standards of good practice applicable to its financial services activities.

    Year in brief

    Compliance with all applicable laws and regulations is non-negotiable. Domestic and international regulatory trends and developments are monitored regularly to adopt laws and regulations applicable to our jurisdictions within prescribed deadlines. This has necessitated an investment in a digital solution that supports compliance risk management activities by analysing insights and new regulatory requirements and matching these to relevant business processes.

    Focus areas for 2020

    Our recently developed digital solution will be rolled out in 2020. It will shift our process from advisory to an active-co-owner approach. The long-term goal is to provide independent oversight of the compliance control framework. We intend to use the solution for real-time residual compliance risk views in the medium-term.

    Group audit committee

    CONDUCT RISK

    The potential that inappropriate execution of business activities may cause harm to our group, our clients and the markets where we operate.

    Year in brief

    Our principle of doing the right business the right way is embodied in our ethical conduct as individuals and as a financial services organisation. Globally, regulators are working toward clearly defining key responsibilities to hold us individually accountable for fair client outcomes. In SA, the National Treasury released a policy paper and the Financial Sector Conduct Authority (FSCA) released the COFI Bill and the conduct standard for banks, requiring financial institutions to improve their cultures.

    In 2019, we continued to make ethically sound decisions, and used our annual performance process to align individual rewards to the desired ethical behaviour.

    Focus areas for 2020

    Conduct risk management will be enhanced further through automated monitoring of declarations related to conflicts of interest, outside business interests, gifts and entertainment as well as personal account trading. A real-time engine that uses predictive models will be developed to interrogate our transactions and compare these to declared details.

    Group social and ethics committee


  • ENVIRONMENTAL AND SOCIAL RISK

    The potential negative consequences that may result from our impacts, direct or indirect, on the natural environment or communities/society, which could include financial, legal and reputational consequences.

    Year in brief

    We aim to minimise and mitigate negative impacts arising from our business activities on society and the environment. We’ve reviewed our governance structures to ensure appropriate oversight and management of environmental and social risk, including climate-related risk. We are collecting and assessing data and using models to inform our approach to managing climate change risk. We have published policies governing investment in coal-fired power stations and coal mining. We are a founding signatory of the UN principles for responsible banking. Our newly established sustainable finance business unit is working with our clients to develop bespoke solutions to help them achieve their social and environmental goals.

    Focus areas for 2020

    In 2020, we will continue to minimise our negative impacts and increase our positive impacts on people and the environment. In line with the UN principles for responsible banking, we will set targets where we can have the most significant impacts. We will analyse our lending and investment portfolio to identify concentrations of exposure to climate-related risks, in line with the task force on climate-related disclosures recommendations.

    Group social and ethics committee

    PEOPLE RISK

    The challenge or failure to attract and retain skilled, committed people and inability to enable people to grow and remain relevant in a rapidly evolving work place.

    Year in brief

    We want to shape a workforce that is ready to meet our clients’ needs, now and in the future. During the year, we identified risks relating to scarce and in-demand skills, shifting skillsets, a spike in emigration and the impact of digitisation on our people.

    We are building a working environment that encourages and enables high performance for our purpose of driving Africa’s growth. Digital recruitment strategies were initiated to attract the right talent and to shorten our time to hire. A range of specialised in-house learning academies and programmes were deployed with a focus on building scarce skills, specifically in areas where demand exceeds supply in our local markets. A range of talent engagement and retention initiatives were deployed to ensure that our people feel valued, engaged and ready to embrace new ways of working.

    Focus areas for 2020

    In 2020, we will continue to improve our methods for attracting, retaining and progressing our employees’ careers. A new digital learning solution will be rolled out to enhance access to skills development across the group to meet the demands of our workforce requirement for future skills and career aspirations of our employees.

    Group operational risk committee


  • FINANCIAL CRIME RISK

    The risk of economic loss, reputation damage and regulatory sanction arising from any type of financial crime against the group. Financial crime includes fraud, theft, money laundering, bribery, corruption, tax evasion, terrorist financing and sanctions.

    Year in brief

    Our clients trust in our ability to keep their assets safe and abide by regulations. This makes financial crime risk a top risk focus area.

    Phishing and the change-of-banking-details scam were prevalent threats that impacted our clients in 2019. We managed these threats through client awareness and education initiatives as well as interventions by industry bodies. We constantly review fraud prevention and detection capabilities to ensure they remain fit-for-purpose, and we modify fraud rules on an ongoing basis to minimise client risk exposure.

    In 2019, the SARB Prudential Authority (PA) imposed a R30m financial penalty against SBSA for reporting suspicious and unusual transactions outside of the prescribed reporting period. The SARB PA noted that the administrative penalty did not indicate that SBSA was guilty of facilitating transactions involving money laundering or the financing of terrorism.

    Focus areas for 2020

    In 2020, we will accelerate the use of robotics automation in high traffic processing areas. We will partner and collaborate on the collection of data insights to proactively identify fraud threats. We will continue to apply a layered approach to protect our clients against fraudsters, including applying machine learning to fraud prevention solutions and adopting stronger multifactor authentication methods.

    Group operational risk committee

    OTHER

    Financial accounting risk relates to losses arising due to inadequate management and oversight of internal financial accounting processes.

    Tax risk is the risk of failing to meet tax payments, filing requirements and/or the risk of uncertain tax treatment.

    Physical assets risk is the risk of loss or damage to facilities and/or physical assets from natural disaster or other events.

    Year in brief

    Financial accounting, tax and physical assets risk types are inherent in our operations. We identified and assessed risks associated with these risk types and found no significant risk that required management focus at the enterprise level.

    Group operational risk committee


  • FINANCIAL RISKS

    Credit risk

    Country risk

    Market risk

    Insurance risk

    Funding and liquidity risk

  • CREDIT RISK

    YEAR IN BRIEF

    Our gross loans and advances grew by 5% in 2019 with CLR increasing to 0.68% (2018: 0.56%).

    The PBB loans and advances to customers portfolio grew by 6% (PBB SA: 5.4% and PBB Africa Regions: 6.2%) in 2019 to R686bn, with a corresponding increase in CLR from 0.81% in 2018 to 0.89% in 2019. Stage 3 impairment charges increased by 7.4% from R5.9bn to R6.3bn. Much of this increase was driven by the mortgage lending portfolio due largely to the continued delays to legal foreclosures in SA. Credit losses were exacerbated by the weak environment in SA, leading to higher write-offs in some product categories. The PBB SA portfolio grew across most products but particularly in personal unsecured lending (up 9.4%) and business lending (up 7.7%).

    Although CIB loans and advances to customers increased by 7% to R425bn, overall exposure (including off-balance sheet items and exposures to banks) remained flat, reflecting the current difficult lending environment. Growth was muted in the key sectors of financial institutions, consumer and diversified industrials, evidencing the continued strain being experienced by the consumer market. There was some positive growth in the power, infrastructure and sovereign sectors and we continue to support infrastructure developments across our presence markets. We adjusted our outlook in certain markets and sectors to reflect prevailing economic and regulatory trends.

    CIB CLR increased to 0.32% (2018: 0.15%) in line with advances growth but also driven by waning risk grades in some sectors, a deteriorating corporate environment in SA and a material unexpected loss in our Africa Regions portfolio. Non-performing loans increased from 1.96% to 2.06% of the loan book, following a number of significant new names moving into non-performing status, offset by a number of write-offs of long outstanding items where no further recovery is anticipated.

    As part of ongoing enhancement of credit risk management, our large exposure framework was developed, mapping connected exposures for counterparty groups spread across business units and geographies. We also reassessed our methodology for calculating credit earnings-at-risk. Data quality processes were refined as part of BCBS239 requirements, yielding more robust assurance around the metrics used for key decision-making.

    In response to the global emphasis on environmental and social risk, work continues on measuring and reporting on carbon intensities in the group portfolio.

    FOCUS AREAS FOR 2020

    In a climate expected to deliver marginal improvements in economic growth, our focus will be portfolio specific. A priority for PBB will be the response to changes in the external environment, including the regulatory landscape and the competitive offerings of other financial institutions.

    In the PBB SA portfolio, creative client-centric credit solutions that leverage real-time decision-making technology are being built to meet increased expectations for product and service customisation. Digital skills and capability development will focus on automating the decision-making credit environment. We will continue to drive improved collections and early proactive interventions with distressed clients. Client level risk appetite will be refined to align closer with the needs of the client.

    In the PBB Africa Regions portfolio, focus will be on digitising unsecured lending product offerings, improving and simplifying client access to trade and foreign exchange markets and optimising collections capabilities.

    In the CIB portfolio, focus will be on high quality clients, sectors and markets in presence countries where there is clear evidence of improving economic conditions and changes in legislation that create new opportunities for lending and investment. Risk appetite will continue to be proactively adjusted as required, in order to reflect opportunities.

    A prudent lending approach to SA corporates will be maintained. This is in light of the weak business climate and aligned to a risk appetite that favours clients with strong cash flows and low levels of gearing.

    Credit risk rating models will be reviewed and refined as necessary. We will continue our focus on regulatory changes, such as for large exposures which may impact the management of counterparty concentrations.

    In general, there will be an elevated focus on sustainable financing to support environmental and social risk initiatives and management of climate-related risks in country, counterparty credit risk and concentration risk.

    The risk of loss arising out of the failure of obligors to meet their financial or contractual obligations when due. It is composed of obligor risk, concentration risk and country risk and represents the largest source of risk to which our banking entities are exposed.


    BANKING OPERATIONS

    Approach to managing and measuring credit risk

    Our credit risk is a function of our business model and arises from wholesale and retail loans and advances, underwriting and guarantee commitments, as well as from the counterparty credit risk (CCR) arising from derivative and securities financing contracts entered into with clients and trading counterparties. To the extent that equity risk is held on the banking book, it is also managed according to the credit risk governance framework, but ultimate approval authority rests with the equity risk committee.

    Credit risk is managed through:

    • maintaining a culture of responsible lending and a robust risk policy and control framework

    • identifying, assessing and measuring credit risk across the group, from an individual facility level through to an aggregate portfolio level

    • defining, implementing and continually re-evaluating risk appetite under actual and stressed conditions

    • monitoring our credit risk exposure relative to approved limits

    • ensuring that there is expert scrutiny and approval of credit risk and its mitigation independently of the business functions.

    Credit and concentration limits are embedded in operations and monitored against approved risk appetite thresholds. All primary lending credit limits are set and exposures measured on the basis of risk-weighting in order to best estimate exposure at default (EAD).

    Pre-settlement CCR inherent in trading book exposures is measured on a potential future exposure (PFE) basis, modelled at a defined level of confidence using approved models and controlled within explicit approved limits for the counterparties concerned.

    Governance

    The credit governance process relies on both individual responsibility and collective oversight, supported by comprehensive and independent reporting. This approach balances strong corporate oversight at a group level, with participation by the senior executives of the group and our business units in all significant risk matters.

    CIB credit governance committee | PBB credit governance committee | equity risk committee | intragroup exposure committee | group model approval committee | PBB model approval committee | CIB model approval committee

    These governance committees have explicit delegated authority, which is reviewed regularly. Their mandates include responsibility for credit and concentration risk decision-making, and delegation thereof to credit officers and subcommittees within defined parameters.

    Credit risk models and key aspects of rating systems are validated by an independent central validation function.

    Approved regulatory capital approaches

    We have approval from the SARB to adopt the advanced internal ratings-based (AIRB) approach for most credit portfolios in SBSA. We have adopted the standardised approach for our Africa Regions portfolios and for some of our less material subsidiaries and portfolios.

    We have approval from the SARB to adopt either the market-based or the probability of default (PD)/loss given default (LGD) method for material equity portfolios. The latter is applied to equity held on the banking book.

    Standardised approach

    The calculation of regulatory capital is based on a risk-weighting and the net counterparty exposures after recognising a limited set of qualifying collateral. The risk-weighting is based on the exposure characteristics and, in the case of corporate, bank and sovereign exposures, the external agency credit rating of the counterparty. Regulatory capital for the credit risk arising from the owner-occupied sub-component of the commercial property finance portfolio in SA was calculated on the standardised approach.

    For bank and certain corporate asset class credit exposures on the standardised approach we make use of the ratings of two regulatory-approved external credit assessment institutions, Fitch and Moody’s.

    With respect to sovereign credit exposures subject to the standardised approach (particularly in the Africa Regions) reference is also made to the export credit ratings issued by the Organisation for Economic Co-operation and Development. We apply issuer ratings to calculate risk-weights and will only apply an issuer-specific rating in the event that it invests in a particular issue that has an issue-specific assessment.

    The credit rating scale on page 29 is aligned to our master rating scale. In the case of obligors for which there are no credit ratings available, exposures are classified as unrated for calculating regulatory capital requirements.

    Internal ratings-based approach

    Under the internal ratings-based (IRB) approach, the calculation of regulatory capital is based on an estimate of EAD and a risk-weighting. The risk-weighting is based on asset class, and estimates of PD, LGD, and maturity. Under the AIRB approach all the parameters need to be estimated internally, while only PD is estimated internally under the foundation IRB approach, with EAD, LGD and maturity being prescribed by the regulator.

    Credit risk model development is conducted independently within the second line risk function. All IRB models are managed under model development and validation policies that set out the requirements for model governance structures and processes, and the technical framework within which model performance and appropriateness is maintained. The models are developed using internal historical default and recovery data. In low-default portfolios, internal data is supplemented with external benchmarks and studies. Models are subjected to validation to demonstrate the reliability of the model’s output.


  • Model validation takes place when a model is first designed and annually thereafter, when there are material changes to the model or when rating systems are replaced or enhanced. Models are assessed frequently to ensure ongoing appropriateness as business environments and strategic objectives change and are recalibrated annually using the most recent internal data. Any changes to models or to model outputs are controlled through access rights and are subject to approval at the relevant business unit or group governance committee.

    Ongoing overall SA supervisory approval of the approach taken to model our exposure to credit risk on the IRB approach, as well as for all credit risk models used for regulatory capital purposes, is obtained primarily by way of an annual self-assessment. The assessment addresses all aspects of model design, the rating structure and criteria for ratings, the assessment horizon, integrity of the rating process, governance of rating overrides, maintenance of data, stress tests for capital adequacy, integrity of estimates used and validation of the models.

    The technical aspects of model usage, develop