Terms of Reference for the Risk & Security Committee

The Committee shall comprise at least three non-executive Directors. The Chair of the Committee shall be appointed by the Board and shall also be a member of the Audit Committee.

The quorum of the Committee shall be two members.

The Secretary of the Company, or his or her nominee, shall be the Secretary of the Committee.

Only members of the Committee have the right to attend Committee meetings. However, other individuals may be invited to attend all or part of any meeting as and when deemed appropriate by the Board or the Committee.

The CEO and the CFO would ordinarily be members of the Committee. The Committee shall normally require the attendance of the Chief Risk Officer (CRO); the Chief Enterprise Services Officer (CESO); the Group Director Internal Audit; the Group Director Security (GDS); the Chief Information Officer (CIO); and the Chief Information Security Officer (CISO); and for the relevant agenda items, any other executives of the Group necessary to report on relevant risk positions.

Frequency of meetings

Meetings shall be held at least four times a year. Committee members may request additional meetings if they consider one necessary.

The Risk & Security Committee's primary functions are:

  • To oversee the sound operation of the Group’s risk management systems, including monitoring risk exposures, risk culture and risk appetite, and considering emerging and unknown risks.
  • To oversee the sound operation of the Group’s physical and non-physical security systems, including monitoring security exposures and security culture, and considering emerging security issues.
  • To oversee the sound operation of the Group’s Crisis and Incident Management Process.
  • To oversee the sound operation of the Group’s second line assurance activity over the first line compliance activity taking place across the Group’s functions and businesses.

The Committee reports on its activities and makes recommendations to the Board.

The Committee is authorised by the Board to investigate any activity within its terms of reference, including any areas of concern as to ethical impropriety. It is authorised to seek any information it requires from any employee and all employees are directed to co-operate with any request made by the Committee.

The Committee is authorised by the Board to obtain outside legal or other independent professional advice and to secure the attendance of outsiders with relevant experience and expertise if it considers it necessary.

In relation to risk, while the Committee is responsible for reviewing risk positions and the effectiveness of mitigation, discussions aimed at determining the type and amount of risk to be taken, and the level of investment in mitigation needed to bring risk exposures into line with the risk strategy, remain a matter for the full Board.

The Committee is further responsible for coordinating risk oversight among the committees of the Board and the full Board, and for preventing any risks that do not strictly fall within the remit of the Audit Committee or any other committee of the Board.

To oversee the sound operation of the Company’s risk management systems. This will involve:

  • review of risk identification, assessment and reporting processes;
  • review of the effectiveness of the risk management or control systems, and of the quality of the assurance over such controls (this excludes controls relating to financial reporting risks);
  • reviewing reports from the Group Director Internal Audit on the application of risk management systems and monitoring implementation of agreed actions;
  • overseeing the learning of lessons from past problems or successes and the system for incorporating such lessons into risk management practices;
  • overseeing and advising the Board on the current risk exposures of the Company and on future risk strategy;
  • in conjunction with the Audit Committee, reviewing the Company’s capability to identify and manage new risk types;
  • consideration of the prevailing risk and control culture and risk appetite, including periodically forming a view of attitudes to risk and control; and monitoring the effective application of the Company’s business ethics principles, including compliance with the requirements of the UK Bribery Act and any anti-bribery & corruption legislation applicable in jurisdictions where the Company has its operations;
  • review of the Company’s procedures for the prevention of bribery and corruption; and
  • review and approval, together with the Audit Committee, of the Company’s statements on internal controls and risk management in the Annual Report.

To monitor risk exposures, the Committee will:

  • review reports on significant risk exposures (both “gross”, i.e. before mitigation, and “net”, i.e. after mitigation); this will include a review of the top-level risk register and of the approach to formulating the full risk register;
  • consider changes and trends in risk exposures, including consideration of external factors influencing the Company’s risk profile;
  • consider how far the estimated risk exposures are being mitigated to the required level in line with the agreed risk strategy;
  • assess periodically, from a risk and internal control perspective, the Group Business Model and strategy, to check that key strategic and financial risks are reflected in the risk strategy and risk register (including consideration of stress-testing or scenario analysis undertaken by management);
  • periodically assess the alignment between the Group’s strategy, its risk strategy and the prevailing risk profile, and report its assessment to the Board; in doing so the Committee shall consider the interconnectedness of risks;
  • review the steps executive management are proposing to mitigate existing, changing or emerging risks;
  • conduct an initial review of executive management recommendations to the Board relating to risk strategy and the level of investment in mitigation;
  • review and approve the Company’s statements on risk exposures in the Annual Report;
  • review and monitor the design, implementation, and application of safety management systems relating to people, products and services (including advisory services);
  • review and monitor the design, implementation, and application of information security, data protection, insider threat and physical security management systems; and
  • review and monitor the design, implementation, and application of the Group’s second line assurance activity over the first line compliance activity taking place across the Group’s functions and businesses.

The Committee shall, in relation to all businesses within the Group, wherever situated, monitor:

  • the effective application of the Group’s business ethics principles;
  • the activities of specific internal functions;
  • international trade control including sanctions (against individuals, organisations or countries) and relevant import and export licensing requirements; and
  • any other internal functions which the Committee may, from time to time, determine fall within the scope of its responsibilities.

The Secretary, or his or her nominee, shall minute the proceedings of all meetings of the Committee.

The minutes of meetings of the Committee shall be circulated to all members of the Board.

Final signed copies of the minutes of the meetings of the Committee should be maintained for the Company’s records, in hard and soft copy where possible.

External audit

The Committee Chair should attend the annual general meeting of the Company to respond to any queries from shareholders on the Committee’s activities.

Reporting Responsibilities

The Committee Chair shall report to the Board on its proceedings after each meeting on all matters within its duties and responsibilities.

The Committee shall make whatever recommendations to the Board it deems appropriate on any area within its remit where action or improvement is needed.

The Committee shall produce a report of its activities and of the Company’s risk management and strategy to be included in the Company’s annual report.

The Committee shall give due consideration to laws and regulations, the provisions of the Code and the requirements of the UK Listing Authority and the Disclosure Guidance and Transparency Rules.

The Committee shall annually review its terms of reference to ensure their ongoing relevance, and recommend to the Board any changes.

The Committee shall review, on an annual basis, the Committee's effectiveness and recommend to the Board any necessary changes.