A fundamental element of the Group's strategy is the effective management of risk in order to protect the Group's depositors, borrowers and shareholders, and to ensure that the Group maintains sufficient capital, liquidity and operational control at all times, and acts in a reputable way. This is reflected in the Group's strategy and values, in particular the 'Sustain' strategy and 'Risk Aware' value, which demonstrate the Group's commitment to protect the reputation, integrity and sustainability of the Group for all of its customers and stakeholders through prudent balance sheet management, investment for growth and robust risk and operational control.
The Group's Chief Risk Officer is responsible for leading the Group's Risk Function, which is independent from the Group's operational and commercial functions. The Risk Function is responsible for ensuring that appropriate risk management processes and controls are in place, and that they are sufficiently robust, so as to ensure that key risks are identified, assessed, monitored and mitigated. The Chief Risk Officer is responsible for providing assurance to the Board that the Group's principal risks are appropriately managed and that it is operating within its risk appetite.
The Group's risk management framework, policies and procedures are regularly reviewed and updated to ensure that they accurately identify the risks that the Group faces in its business activities and are appropriate for the nature, scale and complexity of the Group's business.
Group risk appetite statement
The Group risk appetite statement confirms the risk parameters within which the strategic aims and vision of the Group are to be achieved. The Board has identified risk themes, risk drivers and major risk categories relevant to the business to enable it to produce the following risk appetite statements which underpin the strategy of the Group:
|Risk categories||Risk appetite statement|
|Liquidity||STB's liquidity risk appetite is to ensure that adequate liquidity resources are held to meet its Overall Liquidity Adequacy Requirement ('OLAR') and to meet the minimum Liquidity Coverage Ratio ('LCR').|
|Funding||STB's funding risk appetite is to ensure that the Bank has access to stable funding markets and is not reliant on any single source of funding. STB places no material reliance on wholesale funding markets. Its primary source of funding remains retail deposits from individuals and SMEs.|
|Capital||The Group's capital management policy is focused on optimising shareholder value, in a safe and sustainable manner. There is a clear focus on delivering organic growth and ensuring capital resources are sufficient to support planned levels of growth.|
|Interest Rate||STB's interest rate risk appetite is to ensure that under a severe change in rates the impact on earnings and overall value of the Bank remain within agreed thresholds.|
|Operational||Our appetite for Operational Risk is to have well defined, scalable and controlled processes, running on robust and resilient systems, effective delivery of change and business continuity management. STB has a low tolerance for operational losses but understands that losses may occur in the pursuit of its business objectives.|
|Credit||STB is profit and growth oriented whilst seeking to maintain a conservative and controlled risk profile. The Bank manages credit risk through a pricing for risk model which drives a potential return on equity aligned with the Bank's stated target.|
|Conduct||As a result of the way STB conducts our business we seek to avoid negative outcomes by consistently treating our customers fairly. We are straightforward and fair with our customers and seek to achieve excellent customer service standards. Our aim is to be seen as a sound and professional business in the marketplace. We have no appetite for reputational risk arising from the way in which we, or our partners behave.|
|Regulatory||STB seeks to remain compliant with all relevant regulatory requirements.|
The Group risk appetite statement is subject to regular monitoring and review.
Risk management framework
The Group's risk management framework supports decision-making across the Group and is designed to ensure that each risk is managed, monitored and overseen through a dedicated risk-specific committee. The Group operates a 'Three Lines of Defence' model for the management of its risks in which each risk has a defined risk appetite which is controlled and managed through documented policies and frequent reporting, and is overseen by one or more committees as part of the Group's governance process.
The Group's governance structure in respect of risk is summarised in the table below, which sets out for each risk the relevant policy governing the risk, the method of reporting and the responsible committee(s).
|Key control documents||Consumer Credit Risk Policy; Business and Commercial Credit Risk policies||Treasury Policy and ILAAP||Treasury Policy and ILAAP||Operational Risk Policy and Framework||ICAAP||Conduct Risk Policy||Compliance Manual|
|Reporting||Credit Risk Reports||ALCO and Treasury Reports||ALCO and Treasury Reports||Operational Risk MI and Reporting||ICAAP and other capital reports||Conduct Risk MI and Reporting||Compliance Reports|
|Monitoring committee||Consumer Credit Risk Committee; SME Credit Committee||ALCO||ALCO||Group and Business Level Operational Risk Committees||ALCO||Customer Focus Committee||Group Compliance and Regulatory Risk Committee|
|Oversight committee||Risk Committee||Risk Committee||Risk Committee||Exco and Risk Committee||Risk Committee||Risk Committee||Risk Committee|
The Three Lines of Defence, when taken together, control and manage risks in line with the Group's risk appetite. The three lines are:
- First Line: the Business Line Managers who own and manage risk;
- Second Line: functions that oversee or specialise in risk management or compliance (Information Security, Operational Risk, Credit Risk, Financial Crime and Compliance Teams); and
- Third Line: Internal Audit.
Each line of defence effectively ensures a robust operational risk framework within the Group. The Group ensures that each line understands its respective responsibilities and those of the other lines, and has the appropriate resource and expertise in order to fulfil its responsibilities.
First Line of Defence - Business Line Managers
As the First Line of Defence, the management and staff of each business unit are responsible and accountable for identifying, assessing, controlling and mitigating risks. They are the owners of the risks and controls that operate within their business.
Each business unit or subsidiary is responsible for the recording and maintenance of its own risks, within the statements of risk appetite, limits, tolerances and thresholds articulated within the risk management framework.
Second Line of Defence - Risk Management function
The role of the Second Line Risk Management function, led by the Chief Risk Officer and including the Credit Risk, Information Security, Operational Risk, Financial Crime and Compliance teams, is to support and guide the Group in order to operate within the Statements of Risk Appetite, by assisting the business in assessing and controlling operational risks, and by reporting to the Board and Group Risk Committees on the effectiveness of the controls.
The Second Line of Defence enables the business to adopt a common strategy and approach to operational risk management. It sets bank-wide policies and designs an Operational Risk Management Framework that helps businesses to control risks and that provides consistent insight into the risk profile.
Third Line of Defence - Group Internal Audit
Internal Audit provides the Audit Committee and senior management with comprehensive, independent and objective assurance on the effectiveness of risk governance, risk management, and internal controls in the first and second lines of defence. It reports significant risk exposures and control issues to the Audit Committee.
The scope of this assurance covers a broad range of objectives, including:
- efficiency and effectiveness of operations
- safeguarding of assets
- reliability and integrity of reporting processes
- compliance with laws, regulations, policies, procedures, and contracts.
The remit extends to a number of areas: Group-wide processes; subsidiaries; business units; business processes including customer lifecycle, sales, marketing and operations; and enabling functions such as Finance, HR, Operational Risk, Compliance and IT.
The monitoring and control of risk is a fundamental part of the management process within the Group. The responsibilities of the Board, Board Risk Committee and Audit Committee in this respect are described in the Corporate Governance Report within the Annual Report and Accounts. The following committees also form a key part of the Group's risk management governance structure:
Assets and Liabilities Committee ('ALCO')
The ALCO is a sub-committee of the Risk Committee and is responsible for implementing and controlling the liquidity and asset and liability management risk appetite of the Group, ensuring high level control over the Group's balance sheet and associated risks. The committee sets and controls capital deployment, treasury strategy guidelines and limits and focuses on the effects of future plans and strategy on the Group's assets and liabilities.
Consumer Credit Risk Committee
This committee ensures that there is control of credit and lending decisions and related risks in respect of the Consumer Finance businesses. Retail Finance and Motor Finance are reviewed in alternate months to ensure a detailed analysis is undertaken of the entire portfolio. This committee determines whether the credit strategies and risk policies are working and will make recommendations on any changes required.
SME Credit Committees
The Group operates a Credit Committee structure for its Business Finance operations, with lending authorities approved at the Board Risk Committee. There is no local sales authority with all deals going via the respective Credit Risk functions for manual underwriting and, where required under the mandate, approval at the Group Credit Committee level.
Group Operational Risk Committee
This committee reviews and monitors the adequacy, the implementation and the level of embeddedness of the operational risk management framework across the Group. It recommends and undertakes improvements where required. The committee assesses the operational risks across the Group and recommends, initiates and monitors any further mitigating action that is required.
Group Compliance and Regulatory Risk Committee
This committee reviews and monitors regulatory change with which the Group is required to comply and it provides oversight that appropriate co-ordinated and controlled action is taken to deliver the required changes to an acceptable standard, which achieves compliance in a timely manner. This committee also reviews and approves the compliance risk management framework, the compliance universe and annual monitoring plan, anti-money laundering and financial crime systems of governance and control. It ensures that the Compliance function offers close and continual support to the first line of defence in understanding regulatory requirements and delivery of required outcomes.
Financial Crime Committee
This committee ensures that fraud losses are maintained within risk appetite, that anti-money laundering and other Financial Crime related risks are well managed and that all related regulatory responsibilities are complied with.
Customer Focus Committee
This committee reviews and challenges the customer experience delivered by the Group, ensuring that treating customers fairly principles, conduct risk, and customer service excellence requirements are met and good customer outcomes are achieved.
Information Security Management Committee
This committee oversees the Group's management of information, including safeguarding the personal information of its customers.
IT Governance and Risk Committee
This committee reviews and monitors the adequacy and implementation of the Group's IT Strategy and Policies. It also reviews, challenges and assesses the key IT risks across the Group and recommends, initiates and monitors where further mitigating action may be required.
This committee is responsible for reviewing and challenging assumptions used in a number of areas including the Group's forecasting, provision modelling, ICAAP and ILAAP.
Model Governance Committee
This committee challenges and assesses the appropriateness, risks and any weaknesses of the statistical and financial models used to derive data and judgements that are material to the Group's financial statements.