Risk Management

Northern Rock's risk management process is designed to maintain and improve the established framework for the identification, control and monitoring of existing and future risks. This approach provides a mechanism for the identification and communication of risks throughout the business. The approach is co-operative between Group Risk and the business, which ensures that risks are:

  • identified;
  • assessed for probability of occurrence;
  • assessed for impact; and,
  • responded to where appropriate.

Once the associated probabilities and impacts have been identified, an appropriate response can be developed and implemented.

The actual management of risk is embedded within the business, with responsible individuals being empowered to manage the risks within a framework of policies, procedures and delegated authorities established by the Board and Senior Management. A process of reporting provides evidence of control, supervision and monitoring by the business.

Risk Management Forums
CSR Risk Management continued to be reviewed as an integral part of Corporate Operational Risk Management processes in 2005. A series of Operational Risk Management Forums were held during the year, with the emphasis being placed on exchange of internal and external good practice in the fields of Risk Management within Northern Rock.

The Forums provided us with the ability to raise the importance of CSR related issues within briefing sessions and to assist in the development of a consistent approach (where appropriate) to operational risk management across the business.

The Risk Management Process
The risk management process ensures that the management of risk is embedded within the business, so that the Company achieves an acceptable level of risk management, satisfying both corporate objectives and stakeholders.

The process includes the following:

  • the responsibility for ensuring adequacy of risk management practices resides with the Board and the Board Risk Committee. Responsibility for the identification, management and reporting of risk is delegated to the relevant line management. Comprehensive high level policies, approvals and limits are in place to support this;
  • monitoring and reporting of risk exposures is integrated into established business reporting processes. Separate and independent reporting is carried out by Group Risk, Internal Audit and Compliance functions; and,
  • continued development of the business and the environment in which Northern Rock operates requires continual development of the risk management processes. This ensures that Northern Rock not only maintains its existing high standards of risk management but also fully exploits the opportunities that effective risk management can deliver.

Quantification of Risk
Northern Rock has developed a bespoke risk matrix for business risks. Measurement of risk before application of risk response measures assists with the prioritisation and allocation of resource and responsibility. Measurement of risk after application of response measures aids understanding by the business of the impacts associated with the risk it retains.

Response to Risk
The management of risk is achieved by use of a number of techniques, which include:

  • acceptance of risk within an agreed risk framework;
  • management, control and good corporate governance;
  • transfer of the risk to third parties; and,
  • avoidance of risks considered to be unacceptable.

Group Risk's role in the overall risk management process is to support line management in the selection of the appropriate techniques to deploy in responding to and mitigating risk. This response to risk is intended to reduce risk and uncertainty thereby improving the probability of Northern Rock achieving its strategic objectives, within its risk appetite.

Techniques for the transfer of risk to third parties can include using contract conditions, outsourcing arrangements and contracts of insurance.

© Northern Rock plc. 2008