The Board has ultimate responsibility for the Group’s risk management framework and receives regular reports from the Group CEO on the Group’s risk profile and key risks. Saga’s spread and variety of business operations require risk and internal control issues to be considered at both specialist business level and aggregated Group level. Risk and internal control oversight is provided at all Committees and key concerns are raised to the Audit and Risk Committees and ultimately to the Board if required.
Risk appetites are developed for each main trading company and are informed by Saga Group, particularly where the control activity sits largely within the Group function (e.g. cyber and IT availability).
The Group has an iterative cycle of risk management activities, comprising the following:
- Articulation of the Group risk strategy, aligning to Saga’s business model and strategy.
- Identification of risk appetite at both Group and trading company level, aligned with strategic objectives, and reported against quarterly.
- Review and revision, as necessary, of both Group and business level risk policies.
- Periodic review and update of all risk and control registers, which also inform the top risks of each trading company and Group function and the over-arching principal risks and uncertainties facing the firm.
- Management of material incidents, with key incident metrics reviewed at least quarterly and regular root cause analysis to understand underlying trends.
- Periodic assessment of risk maturity at both a Group and business level.
- Independent oversight of the risk management process by the Group Risk Team and, ultimately, the Board.
All risk data, including risks, controls, control tests and incidents, is captured in an internet-enabled risk portal. This portal enables the production of risk reports for governance meetings.
Saga’s Internal Audit function provides independent assurance on the effectiveness of the risk management procedures at both Group and trading company levels.