With the growing sophistication of the UK Corporate Governance Code and significantly heightened investor and regulator risk governance expectations, the SVG Capital Board has adopted a revised approach to risk governance with the following objectives:
- Increase certainty/reduce uncertainty that the Company’s objectives will be achieved while operating within management and the Board’s risk appetite and tolerance.
- Ensure risk assessments clearly link the Company’s key strategic objectives, risks, risk treatments, and Key Performance Indicators (KPIs).
- Ensure the Company’s risk culture continues to be appropriate.
- Increase the direct, visible involvement of the Company’s Board and management in assessing and managing risks of all types to the Company’s top objectives.
- Meet and exceed the governance requirements in the UK Corporate Governance Code.
- Seek to improve our external risk governance communications.
SVG Capital’s risk governance approach and framework
The risk governance approach the Company has implemented is based on a customised “Five Lines of Assurance” process. The Company opted for the Five Lines of Assurance approach to elevate the key roles played by SVG Capital’s Board and senior management and better achieve the risk governance objectives listed above.
In accordance with AIFMD requirements, the Company has put in place a risk framework that is reviewed by the Board on a periodic basis. This framework includes limits to mitigate various risks including, for example, financing risk which is assessed through cash flow modelling and stress testing. The Risk Management Committee reviews reports prepared to ensure compliance with the risk limits set out in the framework. The Group’s Chief Risk Officer has oversight responsibility for this process.
How the approach links strategy to risks and KPIs
Investors and regulators are increasingly interested in how companies assess risks to their key strategic objectives and core social responsibility objectives. The approach used by SVG Capital starts with the Company’s strategic objectives. Full risk assessments are completed on the objectives in the Company’s “Objective Register” using a rigorous and consistent approach that identifies threats to each objective and treatments of those risks. A residual risk status is created for each objective, and these residual risk status reports are ultimately reviewed by the Board at least once a year. The approach draws on the core elements of the 2009 ISO international risk management standard, ISO 31000, but goes beyond the ISO standard to focus the attention of decision makers on current performance and the acceptability of the current residual risk status.
All significant risks to objectives are considered in combination. This approach ensures senior management and the Board have current information to continuously assess whether the current risk treatments are resulting in a level of retained risk that is within the Company’s and the Board’s risk appetite and tolerance.
The Board agrees the level of risk that it is prepared to take in achieving the Company’s strategic goals on an annual basis. As a private equity investor, the Company accepts some level of investment risk in order to achieve its targeted returns, but stipulates that a disciplined approach to asset allocation is taken. There is very low tolerance for financing risk with the aim to ensure that even under the most severe stress scenario, the Company is likely to meet its financial obligations as they fall due. Similarly, there is low risk tolerance with respect to legal and regulatory risk, but the Company accepts a certain degree of operational risk, for example in areas such as staff retention.
Board oversight of risk culture
A key objective of the new risk governance framework is to build and maintain a robust and supportive risk culture that fosters sound decision making. In 2015, SVG Capital’s Board commissioned an independent assessment of SVG Capital’s risk culture. The assessment was completed using criteria developed by the Financial Stability Board in its April 2014 guidance to national regulators (extracted below).
The overall conclusion of the independent audit presented to the Board in late 2015 was that SVG Capital’s risk culture was appropriate for the Company. Following the assessment, it was recommended that each Group employee sign a Group code of conduct, which has now been done. The audit confirmed that the Board was receiving materially reliable consolidated reports on the true risk status linked to the Company’s strategic objectives.
Tone from the top: The board and senior management are the starting point for setting the financial institution’s core values and expectations for the risk culture of the institution, and their behaviour must reflect the values being espoused. A key value that should be espoused is the expectation that staff act with integrity and promptly escalate observed non-compliance within or outside the organisation. The leadership of the institution promotes, monitors, and assesses the risk culture of the financial institution; considers the impact of culture on safety and soundness; and makes changes where necessary.
Accountability: Relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware that they are held accountable for their actions in relation to the institution’s risk-taking behaviour. Staff acceptance of risk-related goals and related values is essential.
Effective communication and challenge: A sound risk culture promotes an environment of open communication and effective challenge in which decision-making processes encourage a range of views; allow for testing of current practices; stimulate a positive, critical attitude among employees; and promote an environment of open and constructive engagement.
Incentives: Performance and talent management encourage and reinforce maintenance of the financial institution’s desired risk management behaviour. Financial and non-financial incentives support the core values and risk culture at all levels of the institution.
Source: Financial Stability Board, ‘Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture,’ 7 April 2014, page 3.
Board oversight of risk management, internal audit and external audit
The September 2014 revisions to the UK Corporate Governance Code significantly elevated expectations related to Board oversight of risk management processes and internal and external audit. The Board has contracted the services of an independent risk adviser to provide regular reports to the Board on the effectiveness and maturity of the Company’s risk management framework and its overall governance framework. These reviews are done using guidance developed by the Global Institute of Internal Audit linked to International Professional Practices Framework (IPPF) standards 2110 and 2120.
The Board also has heightened responsibility under the provisions of the September 2014 revision to the UK Corporate Governance Code to oversee the effectiveness of the Company’s external auditor Ernst & Young. The SVG Capital Board was provided with training on board oversight of the external audit processes in November 2015 at its annual offsite board meeting. Meetings were held by the chair of the Company’s Audit Committee, Stephen Duckett, with Ernst & Young to assess the likely effectiveness of its annual SVG Capital audit process in March 2016. The SVG Capital Board is satisfied that the process used by Ernst & Young meets existing external audit standards. In conducting its review the SVG Capital Board has referred to the oversight of the FRC of Ernst & Young and representations made to them by the Ernst & Young audit partner they met with.
Adequacy of risk and audit oversight
The Board, at least annually, conducts a review of the adequacy of the Company’s systems of risk management and internal control processes and is responsible for those systems and for reviewing their effectiveness. Due to its size and nature, it has not recently been considered necessary for the Company to have an internal audit function. Regular dialogue has been maintained with the external auditor and the independent risk management services provider, and the Board takes into account the assurance derived from their work. The Board annually reviews the benefits of an internal audit function and how it might best be provided.
The Board has conducted a review in accordance with the UK Corporate Governance Code and believes that the combination of the Company’s risk management and governance framework (described in the Company’s risk management policy and summarised above), risk assessment training provided to key management personnel, reviews and feedback provided by the Company’s independent adviser, and the work done by Ernst & Young, the Company’s external auditor, is adequate and appropriate to the Company’s business as an investment company. This review was carried out as part of the Board evaluation process, details of which can be found on page 31 of the Accounts.
The Board is satisfied that there is an ongoing process for identifying, evaluating and managing the principal risks faced by the Company; the systems have been in place for the year under review and up to the date of approval of the Annual Report and Accounts; the systems are regularly reviewed by the Board; and the systems accord with FRC guidance on this area.
The Board considers that adequate risk treatments/controls exist over the financial reporting process. An experienced team is responsible for preparing the financial reporting for the Company and ensuring that financial information is accurate, complete, reconciled and reviewed by senior members of staff, and that transactions and balances are recognised and measured on a consistent basis and in accordance with accounting policies and financial reporting standards. Management personnel responsible for the integrity and reliability of the Company’s financial statements have completed formal risk assessments on the objective of publishing financial disclosures that are fair, balanced and understandable. These risk assessments have been reviewed by the Company’s risk adviser and the Board. Although the Board believes that it has a robust framework of risk management and internal control over financial reporting in place, this can only provide reasonable and not absolute assurance against material financial misstatement or loss and is designed to manage, not eliminate, risk.
Principal risks and uncertainties
The Companies Act and FRC require companies to disclose the principal risks and uncertainties the Company faces.
‘Principal risks and uncertainties’ are defined by the Board as risks with the highest overall potential to affect the achievement of the Company’s business objectives. These objectives include: ensuring the ability to meet liabilities as they fall due and meet liabilities in full; and achieving target returns. Principal risks relating to delivery of these objectives are described on page 25 of the Accounts, along with other principal risks identified in relation to other key objectives. Further information on risk factors is set out in note 27 to the Accounts.