The governing body governs risk in a way that enables the organisation to sustain and optimise its strategy and objectives.

 


 

Exception declaration

 

All the recommended practices in support of Principle 8 have been implemented.

 

Specific disclosures

 

(a) Disclosure in relation to risk:

 

  1. Whether the governing body is satisfied that the risk function, the organisation's risk management system and overall internal control framework are effective and that significant weaknesses in internal controls have been effectively addressed.

    The board is satisfied that the risk function, the organisation's risk management system and overall internal control framework are effective and that significant weaknesses in internal controls have been effectively addressed.

    The board is ultimately responsible for all risks in the group and the setting of risk appetite. The board has delegated its risk governance responsibility to GRCMC, which is responsible for providing independent oversight of the adequacy and effectiveness of the group's ERMF, which covers key, business and operational risks. The ERMF has been developed in accordance with the requirements of the Basel Committee on Banking Supervision (BCBS), the South African Banks Act and the Regulations Relating to Banks, the King Code of Corporate Governance, and the 3LoD Model international concept. GRCMC meets quarterly and receives reports from management, including on the outputs of thematic deep dives as requested by GRCMC.

    The ERMF enables the group to identify, assess, measure, manage, monitor, price and control risks and risk appetite, and to relate these to capital requirements to assist in ensuring capital adequacy and sustainability. The ERMF thus promotes sound business behaviour by linking capital adequacy and sustainability with performance measurement and remuneration practices. The fully embedded ERMF covers the group's risk universe and major risk classifications, with board and executive responsibility assigned to each. The risk universe has been allocated to the respective board committees.

    The ERMF provides a solid and well-established, tried and tested framework for governance and the management of risk and compliance throughout the group. In addition to providing a foundation, the ERMF demonstrates a simple, yet effective, system covering all lines of defence to ensure that governance, risk and compliance matters are properly dealt with at all levels and that significant matters are timeously and effectively escalated to the appropriate levels of authority. The ERMF also provides for a good flow of information between the lines of defence.

    The group's sound risk governance and risk management are underpinned by the 3LoD Model, based on 'function' rather than 'location' in the organisation. The 3LoD Model forms an important part of the ERMF, which provides the structure in which the group operates. Risks that are taken but not managed and controlled effectively can prevent the group from achieving its strategic objectives. The roles and responsibilities of the 3LoD Model provide a structure to consider risk and control to ensure that they are appropriate and managed effectively. The 3LoD Model provides guidance as to the appropriate organisational structure to be implemented, assigning roles and responsibilities to parties that enhance the effective management of risks and controls.

    An ERMF refresh is ongoing to ensure that Nedbank has digitally enabled, efficient and effective risk management that adapts to evolving internal and external stakeholder needs and client experience. The Group Operating Policy caters for risk management and governance at the level of operating subsidiaries.
  2.