The Board is responsible for the Group's system of internal control and reviews its effectiveness at least annually. Such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives and can provide only reasonable and not absolute assurance against material misstatement or loss.

Through the regular meetings of the Board and the schedule of matters reserved to the Board or its duly authorised committees for decision, the Board aims to maintain full and effective control over appropriate strategic, financial, operational and compliance issues. The Board has put in place an organisational structure with clearly defined lines of responsibility and delegation of authority.

The Board considers and approves a strategic plan every two years and approves a budget on an annual basis. In addition, there are established procedures and processes for planning and controlling expenditure and the making of investments. There are also information and reporting systems for monitoring the Group's businesses and their performance.

The Group Risk Management Committee is a management committee formed by the Chief Executive and its purpose is to review the business of the Group in order to ensure that business risk is considered, assessed and managed as an integral part of the business. There is an ongoing process for identifying, evaluating and managing the Group's significant risks. This process was in place for the year to 31 March 2007 and up to the date of this report.

With effect from 1 March 2007, the Group Risk Management Committee's activities were supported by not only the established activities of Investment Committee but also by two new committees: Financial Risk Committee and Operational Risk Committee. Details of the new risk management framework can be found in the Risk management section of the Business review.

The overall internal control process is regularly reviewed by the Board and the Audit and Compliance Committee and complies with the internal control guidance for Directors on the Combined Code issued by the Turnbull Committee. The process established for the Group includes:

Back to top

Policies

• core values, Group standards and Group controls together comprising the Group's high level principles and controls, with which all staff are expected to comply;
• manuals of policies and procedures, applicable to all business units, with procedures for reporting weaknesses and for monitoring corrective action;
• a code of business conduct, with procedures for reporting compliance therewith;

Back to top

Processes

• appointment of experienced and professional staff, both by recruitment and promotion, of the necessary calibre to fulfil their allotted responsibilities;
• a planning framework which incorporates a Board approved strategic plan, with objectives for each business unit;
• formal business risk reviews performed by management which evaluate the potential financial impact and likelihood of identified risks and possible new risk areas;
• the setting of control, mitigation and monitoring procedures and the review of actual occurrences, identifying lessons to be learnt;
• a comprehensive system of financial reporting to the Board, based on an annual budget with monthly reporting of actual results, analysis of variances, scrutiny of key performance measures and regular re-forecasting;
• regular treasury reports to the Board, which analyse the funding requirements of each class of assets, track the generation and use of capital and the volume of liquidity, measure the Group's exposure to interest and exchange rate movements and record the level of compliance with the Group's funding objectives;
• a Group Compliance function whose role is to integrate regulatory compliance procedures into the Group's systems;
• well defined procedures governing the appraisal and approval of investments, including detailed investment and divestment approval procedures, incorporating appropriate levels of authority and regular post investment reviews;

Back to top

Verification

• a Group Risk Assurance and Audit function which undertakes periodic examination of business units and processes and recommends improvements in controls to management;
• the external auditors who are engaged to express an opinion on the annual financial statements;
• an Audit and Compliance Committee which considers significant control matters and receives reports from Group Risk Assurance and Audit and the external auditors and the Group Compliance function on a regular basis.

The internal control system is monitored and supported by a Group Risk Assurance and Audit function which operates on an international basis and reports to management and the Audit and Compliance Committee on the Group's operations. The work of Group Risk Assurance and Audit is focused on the areas of greatest risk to the Group determined on the basis of the Group's risk management process. The external auditors independently and objectively review the approach of management to reporting operating results and financial condition. In co-ordination with Group Risk Assurance and Audit, they also review and test the system of internal financial control and the information contained in the annual financial statements to the extent necessary for expressing their opinion.