The Board has ultimate responsibility for the Group’s risk management framework and receives regular reports from the Group CEO on the Group’s risk profile and key risks. Saga’s spread and variety of business operations require risk and internal control issues to be considered at both specialist business level and aggregated Group level. Risk and internal control oversight is provided at all Committees and key concerns are raised to the Audit and Risk Committees and ultimately to the Board if required.
Business risk appetites are separately crafted, complementary to Group appetites but customised to reflect the specific needs and characteristics of each business.
The Group has an iterative cycle of risk management activities, comprising the following:
- Identification of risk appetite at both Group and business level, aligned with strategic objectives
- Review and revision, as necessary, of both Group and Business level risk policies
- Periodic review of all risk registers to test for completeness of risk and control capture, effective testing of key control measures, and recording and reporting of any exceptions and overdue actions.
- Review of key risks, controls and incidents at both business and Group level at least quarterly
- Independent oversight of the risk management process by the Group risk team and, ultimately, the Board.
All risk data, including risks, controls, control tests and incidents, is captured in an internet-enabled risk portal. This portal produces risk reports for all governance meetings.
Saga’s Internal Audit function provides independent assurance on the effectiveness of the risk management procedures at both Group and business levels.