What is risk?
Risk can be defined as the possibility that objectives will not be achieved. For example, this includes the possibility that target funding levels are not met and that expected investment returns do not materialise.
USS’s risk framework
Risk is inherent in all businesses and USS is no exception. In performing its duties in relation to the administration of the Scheme and the management of its investments, USS must contend with a wide range of different risks. These include investment, funding, actuarial, legal, regulatory, operational and reputational risks.
USS has a comprehensive framework for managing these risks. This framework includes a dedicated Group Risk team, along with risk management processes, policies and governance arrangements. Together these ensure that risks are effectively identified, monitored, reported and managed across the business. The Group Risk team is independent of USS front-line businesses and its head, the Chief Financial Risk Officer, reports directly to USS’s Group Chief Executive Officer (CEO). The team’s remit is to coordinate and oversee risk management activities across USS, in particular to:
- Assist the different business lines in managing risk by providing risk information, tools, analysis and insights.
- Provide assurance to stakeholders through independent oversight, challenge and monitoring.
The risk team operates as part of a “three lines of defence” approach to risk management, which is made up of:
- The first line of defence: This comprises the various USS business divisions. They are the owners of the risks they take in the course of their operations.
- The second line of defence: This includes the Group Risk, Legal and Compliance teams.
- The third line of defence: This includes the independent functions of the internal and external auditors.
This approach to risk management is embedded throughout USS via three key elements:
- Risk appetite
- Risk management processes
- Risk governance.
Risk appetite
Risk appetite is at the heart of USS’s approach to risk management. It expresses the desired or target level of risk that USS is prepared to accept in the pursuit of its objectives. Taking on too much risk, or indeed too little risk, can result in the failure to achieve objectives.
Risk appetite is set by the Trustee and is expressed in terms of a series of statements for each risk type, linked where possible to quantitative metrics that provide a measure of the tolerance, or operating limits, for different risks.
Risk management processes
USS has implemented risk management processes to identify, measure, monitor and report risks across the business. These processes are supported by a risk-aware culture, which is reinforced by employee training and communications, and subject to audit by the third line.
Risk governance
Effective risk governance starts with clear roles, responsibilities and delegations. USS combines these with specific policies, business standards and risk committees.
For risk management to be effective it is important that the roles and responsibilities of all those involved are defined unambiguously and in accordance with the “three lines of defence” model. The trustee board of directors has primary responsibility for the group’s risk management framework, but delegates the day-to-day activities associated with this responsibility. For example, the board delegates (within well-defined parameters) the responsibility for risk management in respect of the Scheme’s investment activity to USS’s subsidiary, USS Investment Management Ltd.
Both the CEOs of USS Ltd and USS Investment Management are responsible for risk management within their legal entities and have established risk committees to review and monitor the effectiveness of internal control and risk management systems. The Group Risk Committee was established by the USS CEO to oversee risk management across the Group. The USS Investment Management Risk Committee is responsible for overseeing the risks that are owned by the USS board.
Risk owners in the business are responsible for identifying and managing risks, enforcing risk management policies in their areas of responsibility and escalating risk issues promptly to the appropriate risk oversight functions.
The risk oversight functions comprising the second line include:
- Within the Group Risk team:
  - A funding strategy team addressing funding, solvency and covenant risks
  - An investment risk and performance team
  - An operational risk team covering high-level business and operational risks, which also takes the lead on enterprise risk management
  - An information security and cyber risk team.
- Within the Group General Counsel team:
  - A governance team
  - A legal team covering investment and non-investment legal risks
  - A regulatory compliance team.
USS’s Internal Audit team also has an independent reporting line into the Group CEO. It audits the policy, framework, and operation of risk management across USS and provides assurance to the Audit Committee on the effectiveness of these arrangements.