Group Chief Risk Officer’s report of the risks
facing our business and how these are managed

Our Risk Management Framework is designed to ensure the business remains strong through stress events so we can continue to deliver on our long-term commitments to our customers and shareholders.

Penny James
Group Chief Risk Officer

We continue to operate in a global environment of political uncertainty, although financial markets have remained resilient through the first half of the year. As we position ourselves, we remain mindful of the uncertain environment from a political, economic and social perspective.

As in previous years, we continue to maintain a strong and sustained focus on planning for the possibility of, and ultimately managing, the market volatility and macroeconomic uncertainty arising from the global environment. Our Risk Management Framework and risk appetite have allowed us to successfully control our risk exposure throughout the year. Our governance, processes and controls enable us to deal with the uncertainty ahead in order to continue helping our customers achieve their long-term financial goals.

Our results show that, even in times of such unpredictability, we can generate value for our shareholders by selectively taking exposure to risks that are adequately rewarded and that can be appropriately quantified and managed. We retain risks within a clearly defined risk appetite, where we believe doing so contributes to value creation and the Group is able to withstand the impact of an adverse outcome. For our retained risks, we ensure that we have the necessary capabilities, expertise, processes and controls to appropriately manage the exposure.

In my report, I seek to explain the main risks inherent in our business and how we manage those risks, with the aim of ensuring we maintain an appropriate risk profile.

Risk governance, culture and our risk management cycle

Prudential defines ‘risk’ as the uncertainty that we face in successfully implementing our strategies and objectives. This includes all internal or external events, acts or omissions that have the potential to threaten the success and survival of the Group. Accordingly, material risks will be retained selectively where we think there is value to do so, and where it is consistent with the Group’s risk appetite and philosophy towards risk-taking.

The following section provides more detail on our risk governance, culture and risk management process.

Risk governance

Our risk governance comprises the organisational structures, reporting relationships, delegation of authority, roles and responsibilities, and risk policies that the Group Head Office and our business units establish to make decisions and control their activities on risk-related matters. This encompasses individuals, Group-wide functions and committees involved in managing risk.

Risk committees and governance structure

Our risk governance structure is led by the Group’s Risk Committee, supported by independent non-executives on risk committees of major subsidiaries. These committees monitor the development of the Risk Management Framework, the Group’s risk appetites, limits and policies, as well as its risk culture. We have a comprehensive risk management cycle in place to identify, measure, manage and monitor our risk exposures.

In addition to our risk committees, there are various executive risk forums to ensure risk issues are shared and considered across the Group. These are led by the Group Executive Risk Committee which is supported by a number of specific sub-committees including security and information security where specialist skills and knowledge are required.

Risk Management Framework

The Group’s Risk Management Framework has been developed to monitor and manage the risk of the business at all levels and is owned by the Board. The aggregate Group exposure to the key risk drivers is monitored and managed by the Group Risk function which is responsible for reviewing, assessing and reporting on the Group’s risk exposure and solvency position from the Group economic, regulatory and ratings perspectives.

The Framework requires all our businesses and functions to establish processes for identifying, evaluating and managing the key risks faced by the Group – the ‘risk management cycle’ (see below) is based on the concept of the ‘three lines of defence’, comprising risk taking and management, risk control and oversight, and independent assurance.

A major part of the risk management cycle is the annual assessment of the Group’s risks which are considered key. These key risks range from risks associated with the economic, market, political and regulatory environment; those that we assume when writing our insurance products and by virtue of the investments we hold; and those that are inherent in our business model and its operation. This is used to inform risk reporting to the risk committees and the Board for the year.

Risk appetite, limits and triggers

The extent to which we are willing to take risk in the pursuit of our objective to create shareholder value is defined by a number of risk appetite statements, operationalised through measures such as limits, triggers and indicators. The Group risk appetite is approved by the Board and is set with reference to economic and regulatory capital, liquidity and earnings volatility. The Group risk appetite is aimed at ensuring that we take an appropriate level of aggregate risk and covers all risks to shareholders, including those from participating and third-party business.

We have no appetite for material losses (direct or indirect) suffered as a result of failing to develop, implement and monitor appropriate controls to manage operational risks. Group limits operate within the risk appetite to constrain the material risks, while triggers and indicators provide further constraint and ensure escalation. The Group Chief Risk Officer determines the action to be taken upon all breaches of Group limits.

The Group Risk function is responsible for reviewing the scope and operation of these measures at least annually to determine that they remain relevant. The Board approves all changes made to the Group’s Risk Appetite Framework. We define and monitor aggregate risk limits based on financial and non-financial stresses for our earnings volatility, liquidity and capital requirements.

Earnings volatility

The objectives of the aggregate risk limits seek to ensure that:

• The volatility of earnings is consistent with the expectations of stakeholders;
• The Group has adequate earnings (and cash flows) to service debt, expected dividends and to withstand unexpected shocks; and
• Earnings (and cash flows) are managed properly across geographies and are consistent with funding strategies.

The two measures used to monitor the volatility of earnings are IFRS operating profit and EEV operating profit, although IFRS and EEV total profits are also considered.

Liquidity

The objective is to ensure that the Group is able to generate sufficient cash resources to meet financial obligations as they fall due in business as usual and stressed scenarios. Risk appetite with respect to liquidity risk is measured using a Liquidity Coverage Ratio which considers the sources of liquidity versus liquidity requirements under stress scenarios.

Capital requirements

The limits aim to ensure that:

• The Group meets its internal economic capital requirements;
• The Group achieves its desired target rating to meet its business objectives; and
• Supervisory intervention is avoided.

The two measures used at the Group level are Solvency II capital requirements and internal economic capital requirements. In addition, capital requirements are monitored on local statutory bases.

The Group Risk Committee is responsible for reviewing the risks inherent in the Group’s business plan and for providing the Board with input on the risk/reward trade-offs implicit therein. This review is supported by the Group Risk function, which uses submissions from our local business units to calculate the Group’s aggregated position (allowing for diversification effects between local business units) relative to the aggregate risk limits.

Risk policies

These set out the specific requirements which cover the fundamental principles for risk management within the Risk Management Framework. Policies are designed to give some flexibility so that business users can determine how best to comply with policies based on their local expertise.

There are core risk policies for credit, market, insurance, liquidity and operational risks and a number of internal control policies covering internal model risk, underwriting, dealing controls and tax risk management. They form part of the Group Governance Manual, which was developed to make a key contribution to the sound system of internal control that we maintain in line with the UK Corporate Governance Code and the Hong Kong Code on Corporate Governance Practices. Group Head Office and business units must confirm that they have implemented the necessary controls to evidence compliance with the Group Governance Manual on an annual basis.

Risk standards

The Group-wide Operating Standards provide supporting detail to the higher level risk policies. In many cases they define the minimum requirements for compliance with Solvency II regulations which in some areas are highly prescriptive. The standards are more detailed than policies.

Our risk culture

Culture is a strategic priority of the Board who recognise the importance of good culture in the way that we do business. Risk culture is a subset of broader organisational culture, which shapes the organisation-wide values that we use to prioritise risk management behaviours and practices.

An evaluation of risk culture is part of the Risk Management Framework and in particular seeks to identify evidence that:

• Senior management in business units articulate the need for good risk management as a way to realise long-term value and continuously support this through their actions;
• Employees understand and care about their role in managing risk – they are aware of and openly discuss risk as part of the way they perform their role; and
• Employees invite open discussion on the approach to the management of risk.

Key aspects of risk culture are also communicated through the Code of Conduct and the policies in the Group Governance Manual, including the commitments to the fair treatment of our customers and staff. The approach to the management of risk also is a key part of the evaluation of the remuneration of executives. Risk culture is an evolving topic across the financial services industry and we are working to evaluate and embed a strong risk culture.

The risk management cycle

The risk management cycle comprises processes to identify, measure and assess, manage and control, and monitor and report on our risks.

Risk identification

Group-wide risk identification takes place throughout the year and includes processes such as our Own Risk and Solvency Assessment (ORSA) and the horizon-scanning performed as part of our emerging risk management process.

On an annual basis, a top-down identification of the Group’s key risks is performed which considers those risks that have the greatest potential to impact on the Group’s operating results and financial condition. A bottom-up process of risk identification is performed by the business units who identify, assess and document risks, with appropriate coordination and challenge from the risk functions.

The Group ORSA report pulls together the analysis performed by a number of risk and capital management processes, which are embedded across the Group, and provides quantitative and qualitative assessments of the Group’s risk profile, risk management and solvency needs on a forward-looking basis. The scope of the report covers the full known risk universe of the Group.

The Directors perform a robust assessment of the principal risks facing the Company, through the Group ORSA report and the risk assessments done as part of the business planning review, including how they are managed and mitigated.

Reverse stress testing, which requires us to ascertain the point of business model failure, is another tool that helps us to identify the key risks and scenarios that may materially impact the Group.

Our emerging risk management process identifies potentially material risks which have a high degree of uncertainty around timing, magnitude and propensity to evolve. The Group holds emerging risk sessions over the year to identify emerging risks which includes input from local subject matter and industry experts. We maintain contacts with thought leaders and peers to benchmark and refine our process.

The risk profile is a key output from the risk identification and risk measurement processes, and is used as a basis for setting Group-wide limits, management information, assessment of solvency needs, and determining appropriate stress and scenario testing. The risk identification processes support the creation of our annual set of key risks, which are then given enhanced management and reporting focus.

Risk measurement and assessment

All identified risks are assessed based on an appropriate methodology for that risk. All quantifiable risks which are material and mitigated by holding capital are modelled in the Group’s internal model, which is used to determine capital requirements under Solvency II and our own economic capital basis. Governance arrangements are in place to support the internal model, including independent validation and process and controls around model changes and limitations.

Risk management and control

The control procedures and systems established within the Group are designed to reasonably manage the risk of failing to meet business objectives and are detailed in the Group risk policies. This can only provide reasonable and not absolute assurance against material misstatement or loss. They focus on aligning the levels of risk-taking with the achievement of business objectives.

The management and control of risks are set out in the Group risk policies, and form part of the holistic risk management approach under the Group’s ORSA. These risk policies define:

• The Group’s risk appetite in respect of material risks, and the framework under which the Group’s exposure to those risks is limited;
• The processes to enable Group senior management to effect the measurement and management of the Group material risk profile in a consistent and coherent way; and
• The flows of management information required to support the measurement and management of the Group material risk profile and to meet the needs of external stakeholders.

The methods and risk management tools we employ to mitigate each of our major categories of risks are detailed below.

Risk monitoring and reporting

The identification of the Group’s key risks informs the management information received by the Group risk committees and the Board. Risk reporting of key exposures against appetite is also included, as well as ongoing developments in other key and emerging risks.

Summary risks

The table below is a summary of the key risks facing the Group, which can be grouped into those which apply to us because of the global environment in which we operate, and those which arise as a result of the business that we operate – including risks arising from our investments, the nature of our products and from our business operations.

‘Macro’ risks Some of the risks that we are exposed to are necessarily broad given the external influences which may impact on the Group. These risks include:
Global economic conditions Changes in global economic conditions can impact us directly; for example, by leading to poor returns on our investments and increasing the cost of promises we have made to our customers. They can also have an indirect impact; for example, economic pressures could lead to decreased savings, reducing the propensity for people to buy our products. Global economic conditions may also impact on regulatory risk for the Group by changing prevailing political attitudes towards regulation.
Geopolitical risk The geopolitical environment is increasingly uncertain with political upheaval in the UK, the US and the Eurozone. Uncertainty in these regions, combined with conflict in the Middle East and increasing tensions in east Asia underline that geopolitical risks are truly global and their potential impacts are wide-ranging; for example, through increased regulatory risk. The geopolitical and economic environments are increasingly closely linked, and changes in the political arena may have direct or indirect impacts on our Group.
Digital disruption The emergence of advanced technologies such as artificial intelligence and blockchain is providing an impetus for companies to rethink their existing operating models and how they interact with their customers. Prudential is embracing the opportunities presented by digitisation and is closely monitoring any risks which arise.

Risks from our investments		Risks from our products		Risks from our business operations
Global economic conditions – see above – have a large impact on those risks from our investments. Our fund investment performance is a fundamental part of our business in providing appropriate returns for our customers and shareholders, and so is an important area of focus. Credit risk Is the potential for reduced value of our investments due to the uncertainty around investment returns arising from the potential for defaults of our investment counterparties. Invested credit risk arises from our asset portfolio. We increase sector focus where necessary. The assets backing the UK and Jackson’s annuity business mean credit risk is a significant focus for the Group. Market risk Is the potential for reduced value of our investments resulting from the volatility of asset prices as driven by fluctuations in equity prices, interest rates, foreign exchange rates and property prices. In our Asia business, our main market risks arise from the value of fees from our fee-earning products. In the US, Jackson’s fixed and variable annuity books are exposed to a variety of market risks due to the assets backing these policies. In the UK, exposure relates to the valuation of the proportion of the with-profits funds’ future profits that is transferred to the shareholders (future transfers), which is dependent on equity, property and bond values. M&G invests in a broad range of asset classes and its income is subject to the price volatility of global financial and currency markets. Liquidity risk Is the risk of not having sufficient liquid assets to meet our obligations as they fall due, and incorporates the risk arising from funds composed of illiquid assets. It results from a mismatch between the liquidity profile of assets and liabilities.		Insurance risks The nature of the products offered by the Group exposes it to insurance risks, which are a significant part of our overall risk profile. The insurance risks that we are exposed to by virtue of our products include longevity risk (policyholders living longer than expected); mortality risk (policyholders with life protection dying); morbidity risk (policyholders with health protection becoming ill) and persistency risk (customers lapsing their policies). From our health protection products, increases in the costs of claims (including the level of medical expenses) increasing over and above price inflation (claim inflation) is another risk. The processes that determine the price of our products and reporting the results of our long-term business operations require us to make a number of assumptions. Where experience deviates from these assumptions our profitability may be impacted. Across our business units, persistency and morbidity risks are among the largest insurance risks for our Asia business given our strong focus on health protection products in the region. For the UK and Jackson, the most significant insurance risk is longevity risk driven by their annuity businesses.		Operational risks As a Group, we are dependent on the appropriate and secure processing of a large number of transactions by our people, IT infrastructure and outsourcing partners, which exposes us to operational risks and reputational risks. Information security risk is a significant consideration within operational risk, including both the risk of malicious attack on our systems as well as risks relating to data security and integrity and network disruption. The size of Prudential’s IT infrastructure and network, our move toward digitisation and the increasing number of high profile cyber security incidents across industries mean that this will continue to be an area of high focus. Regulatory risk We also operate under the ever-evolving requirements set out by diverse regulatory and legal regimes (including tax), as well as utilising a significant number of third parties to distribute products and to support business operations; all of which add to the complexity of the operating model if not properly managed. The number of regulatory changes under way across Asia, in particular those focusing on consumer protection means that regulatory change in the region is also considered a key risk. Both Jackson and the UK operate in highly regulated markets. Regulatory reforms could materially impact on our businesses, and regulatory focus continues to be high.

Further risk information

In reading the sections below, it is useful to understand that there are some risks that our policyholders assume by virtue of the nature of their products, and some risks that the Company and its shareholders assume. Examples of the latter include those risks arising from assets held directly by and for the Company or the risk that policyholder funds are exhausted. This report is focused mainly on risks to the shareholder, but will include those which arise indirectly through our policyholder exposures.

Risks from our investments

Market risk

The main drivers of market risk in the Group are:

• Investment risk (including equity and property risk);
• Interest rate risk; and
• Given the geographical diversity of our business, foreign exchange risk.

With respect to investment risk, equity and property risk arises from our holdings of equity and property investments, the prices of which can change depending on market conditions.

The valuation of our assets (particularly the bonds that we invest in) and liabilities is also dependent on market interest rates and exposes us to the risk of those moving in a way that is detrimental for us.

Given our global business, we earn our profits and hold assets in various currencies. The translation of those into our reporting currency exposes us to movements in foreign exchange rates.

Our main investment risk exposure arises from the portion of the profits from the UK with-profits funds which we are entitled to receive; the value of the future fees from our fee-earning products in our Asia business; and from the asset returns backing Jackson’s variable annuities business.

Our interest rate risk is driven in the UK by our need to match our assets and liabilities; from the guarantees of some non unit-linked investment products in Asia; and the cost of guarantees in Jackson’s fixed, fixed index and variable annuity business. The methods that we use to manage and mitigate our market risks include the following:

• Our market risk policy;
• Risk appetite statements, limits and triggers that we have in place;
• The monitoring and oversight of market risks through the regular reporting of management information;
• Our asset and liability management programmes;
• Use of derivative programmes, including, for example, interest rate swaps, options and hybrid options for interest rate risk;
• Regular deep dive assessments; and
• Use of currency hedging.

Investment risk

In the UK business, our main investment risk arises from the assets held in the with-profits funds. Although this is mainly held by our policyholders, a proportion of the funds’ profit (one tenth) is transferred to us and so our investment exposure relates to the future valuation of that proportion (future transfers). This investment risk is driven mainly by equities in the funds, although there is some risk associated with other investments such as property and bonds. Some hedging to protect from a reduction in the value of these future transfers against falls in equity prices is performed outside the funds using derivatives. The with-profits funds’ large Solvency II own funds – estimated at £8.6 billion as at 30 June 2017 (31 December 2016: £8.4 billion) – help to protect against market fluctuations and helps the fund to maintain appropriate solvency levels. The with-profits funds’ Solvency II own funds are partially protected against falls in equity markets through an active hedging programme within the funds.

In Asia, our shareholder exposure to equity price movements results from unit-linked products, where our fee income is linked to the market value of the funds under management. Further exposure arises from with-profits businesses where bonuses declared are broadly based on historical and current rates of return on equity.

In Jackson, investment risk arises from the assets backing customer policies. In the case of spread-based business, including fixed annuities, these assets are generally bonds, and shareholder exposure comes from the minimum returns needed to meet the guaranteed rates that we offer to policyholders. For our variable annuity business, these assets include both equities and bonds. In this case, the main risk to the shareholder comes from the guaranteed benefits that can be included as part of these products. Our exposure to this kind of situation is reduced by using a derivative hedging programme, as well as through the use of reinsurance to pass on the risk to third-party reinsurers.

Interest rate risk

While long-term interest rates in advanced economies have broadly increased since mid-2016 and indications are for further gradual tightening of monetary policy, they remain close to historical lows. Some products that we offer are sensitive to movements in interest rates. We have already taken a number of actions to reduce the risk to the in-force business, as well as re-pricing and restructuring new business offerings in response to these historically low interest rates. Nevertheless, we still retain some sensitivity to interest rate movements.

Interest rate risk arises in our UK business from the need to match cash payments to meet annuity obligations with the cash we receive from our investments. To minimise the impact on our profit, we aim to match the duration (a measure of interest rate sensitivity) of assets and liabilities as closely as possible and the position is monitored regularly. Under the Solvency II regulatory regime, additional interest rate risk results from the way the balance sheet is constructed, such as the requirement for us to include a risk margin. The UK business continually assesses the need for any derivatives in managing its interest rate sensitivity. The with-profits business is exposed to interest rate risk because of underlying guarantees in some of its products. Such risk is largely borne by the with-profits fund itself but shareholder support may be required in extreme circumstances where the fund has insufficient resources to support the risk.

In Asia, our exposure to interest rate risk arises from the guarantees of some non unit-linked investment products. This exposure exists because it may not be possible to hold assets which will provide cash payments to us which match exactly those payments we in turn need to make to policyholders – this is known as an asset and liability mismatch and although it is small and appropriately managed, it cannot be eliminated.

Jackson is exposed to interest rate risk in its fixed, fixed index and variable annuity books. Movements in interest rates can impact on the cost of guarantees in these products, in particular the cost of guarantees may increase when interest rates fall. We actively monitor the level of sales of variable annuity products with guaranteed living benefits, and together with the risk limits we have in place this helps us to ensure that we are comfortable with the interest rate and market risks we incur as a result. The Jackson hedging programme includes hybrid derivatives to protect us from a combined fall in interest rates and equity markets since Jackson is exposed to the combination of these market movements.

Foreign exchange risk

The geographical diversity of our businesses means that we have some exposure to the risk of exchange rate fluctuations. Our operations in the US and Asia, which represent a large proportion of our operating profit and shareholders’ funds, generally write policies and invest in assets in local currencies. Although this limits the effect of exchange rate movements on local operating results, it can lead to fluctuations in our Group financial statements when results are reported in UK sterling.

We retain revenues locally to support the growth of our business and capital is held in the local currency of the business to meet local regulatory and market requirements. We accept the foreign exchange risk this can produce when reporting our Group balance sheet and income statement. In cases where a surplus arises in an overseas operation which is to be used to support Group capital, or where a significant cash payment is due from an overseas subsidiary to the Group, this foreign exchange exposure is hedged where we believe it is economically favourable to do so. Generally, we do not have appetite for significant direct shareholder exposure to foreign exchange risks in currencies outside of the countries in which we operate, but we do have some controlled appetite for this on fee income and on non-sterling investments within the with-profits fund. Where foreign exchange risk arises outside our appetite, currency borrowings, swaps and other derivatives are used to manage our exposure.

Credit risk

We invest in bonds that provide a regular, fixed amount of interest income (fixed income assets) in order to match the payments we need to make to policyholders. We also enter into reinsurance and derivative contracts with third parties to mitigate various types of risk, as well as holding cash deposits at certain banks. As a result, we are exposed to credit risk and counterparty risk across our business.

Credit risk is the potential for reduction in the value of our investments which results from the perceived level of risk of an investment issuer being unable to meet its obligations (defaulting). Counterparty risk is a type of credit risk and relates to the risk of the counterparty to any contract we enter into being unable to meet their obligations, causing us to suffer loss.

We use a number of risk management tools to manage and mitigate this credit risk, including the following:

• Our credit risk policy;
• Risk appetite statements and limits that we have defined on issuers and counterparties;
• Collateral arrangements we have in place for derivative, reverse repo and reinsurance transactions;
• The Group Credit Risk Committee’s oversight of credit and counterparty credit risk and sector and/or name-specific reviews. In the first half of 2017 it has conducted sector reviews in the Asia sovereign sector and continues to review the developments around central clearing;
• Regular deep dive assessments; and
• Close monitoring or restrictions on investments that may be of concern.

Debt and loan portfolio

Our UK business is mainly exposed to credit risk on fixed income assets in the shareholder-backed portfolio. At 30 June 2017, this portfolio contained fixed income assets worth £35.4 billion. Credit risk arising from a further £55.9 billion of fixed income assets is largely borne by the with-profits fund, to which the shareholder is not directly exposed although under extreme circumstances shareholder support may be required if the fund is unable to meet payments as they fall due.

The value of our debt portfolio in our Asia business was £39.1 billion at 30 June 2017. The majority (69 per cent) of the portfolio is in unit-linked and with-profits funds and so exposure of the shareholder to this component is minimal. The remaining 31 per cent of the debt portfolio is held to back the shareholder business.

Credit risk also arises in the general account of the Jackson business, where £38.0 billion of fixed income assets are held to support shareholder liabilities including those from our fixed annuities, fixed index annuities and life insurance products.

The shareholder-owned debt and loan portfolio of the Group’s asset management business of £2.4 billion as at 30 June 2017 mostly belongs to our Prudential Capital (PruCap) operations.

Further details of the composition and quality of our debt portfolio, and exposure to loans, can be found in the IFRS financial statements.

Group sovereign debt

We also invest in bonds issued by national governments. This sovereign debt represented 17 per cent or £14.9 billion of the shareholder debt portfolio as at 30 June 2017 (31 December 2016: 19 per cent or £17.1 billion). 5 per cent of this was rated AAA and 90 per cent was considered investment grade (31 December 2016: 92 per cent investment grade). At 30 June 2017, the Group’s shareholder holding in Eurozone sovereign debt¹ was £844 million. 77 per cent of this relates to German government debt² (31 December 2016: 75 per cent).

The particular risks associated with holding sovereign debt are detailed further in our disclosures on risk factors.

The exposures held by the shareholder-backed business and with-profits funds in sovereign debt securities at 30 June 2017 are given in Note C3.2(f) of the Group’s IFRS financial statements.

Bank debt exposure and counterparty credit risk

Our exposure to banks is a key part of our core investment business, as well as being important for the hedging and other activities we undertake to manage our various financial risks. Given the importance of our relationship with our banks, exposure to the sector is considered a key risk for the Group with an appropriate level of management information provided to the Group’s risk committees and the Board.

The exposures held by the shareholder-backed business and with-profits funds in bank debt securities at 30 June 2017 are given in Note C3.2(f) of the Group’s IFRS financial statements.

Our exposure to derivative counterparty and reinsurance counterparty credit risk is managed using an array of risk management tools, including a comprehensive system of limits.

Where appropriate, we reduce our exposure, buy credit protection or use additional collateral arrangements to manage our levels of counterparty credit risk.

At 30 June 2017, shareholder exposures by rating and sector are shown below:

• 96 per cent of the shareholder portfolio is investment grade rated. In particular, 69 per cent of the portfolio is rated A and above; and
• The Group’s shareholder portfolio is well diversified: no individual sector makes up more than 10 per cent of the total portfolio (excluding the financial and sovereign sectors).

Liquidity risk

Our liquidity risk arises from the need to have sufficient liquid assets to meet policyholder and third-party payments as they fall due. This incorporates the risk arising from funds composed of illiquid assets and results from a mismatch between the liquidity profile of assets and liabilities. Liquidity risk may arise, for example, where external capital is unavailable at sustainable cost, increased liquid assets are required to be held as collateral under derivative transactions or redemption requests are made against Prudential issued illiquid funds.

We have significant internal sources of liquidity, which are sufficient to meet all of our expected cash requirements for at least 12 months from the date the financial statements are approved, without having to resort to external sources of funding. In total, the Group has £2.6 billion of undrawn committed facilities that we can make use of, £2.4 billion of which expire in 2022 and £0.2 billion in 2021. We have access to further liquidity by way of the debt capital markets, and also have in place an extensive commercial paper programme and have maintained a consistent presence as an issuer in this market for the last decade.

Liquidity uses and sources are assessed at a Group and business unit level under both base case and stressed assumptions. We calculate a Liquidity Coverage Ratio (LCR) under stress scenarios as one measure of our liquidity risk, and this ratio and the liquidity resources available to us are regularly monitored and are assessed to be sufficient.

Our risk management and mitigation of liquidity risk include:

• Our liquidity risk policy;
• The risk appetite statements, limits and triggers that we have in place;
• The monitoring of liquidity risk we perform through regular management information to committees and the Board;
• Our Liquidity Risk Management Plan, which includes details of the Group Liquidity Risk Framework as well as gap analysis of our liquidity risks and the adequacy of our available liquidity resources under normal and stressed conditions;
• Regular stress testing;
• Our established contingency plans and identified sources of liquidity;
• Our ability to access the money and debt capital markets;
• Regular deep dive assessments; and
• The access we enjoy to external sources of finance through committed credit facilities.

Risks from our products

Insurance risk

Insurance risk makes up a significant proportion of our overall risk exposure. The profitability of our businesses depends on a mix of factors including levels of, and trends in, mortality (policyholders dying), morbidity (policyholders becoming ill) and persistency (customers lapsing their policies), and increases in the costs of claims, including the level of medical expenses increases over and above price inflation (claim inflation).

The key drivers of the Group’s insurance risks are persistency and morbidity risk in the Asia business; and longevity risk in the Jackson and Prudential UK & Europe businesses.

We manage and mitigate our insurance risk using the following:

• Our insurance and underwriting risk policies;
• The risk appetite statements, limits and triggers we have in place;
• Longevity, morbidity and persistency assumptions that reflect recent experience and expectation of future trends, and industry data and expert judgement where appropriate;
• Reinsurance to mitigate longevity and morbidity risks;
• Appropriate underwriting when policies are issued and claims are received to mitigate morbidity risk;
• The quality of sales processes and initiatives to increase customer retention to mitigate persistency risk;
• Medical expense inflation risk mitigated through product re-pricing; and
• Regular deep dive assessments.

Longevity risk is an important element of our insurance risks for which we need to hold a large amount of capital under Solvency II regulations. Longevity reinsurance is a key tool for us in managing our risk. The enhanced pensions freedoms introduced in the UK during 2015 greatly reduced the demand for retail annuities and further liberalisation is anticipated. Although we have scaled down our participation in the annuity market by reducing new business acquisition, given our significant annuity portfolio the assumptions we make about future rates of improvement in mortality rates remain key to the measurement of our insurance liabilities and to our assessment of any reinsurance transactions.

We continue to conduct research into longevity risk using both experience from our annuity portfolio and industry data. Although the general consensus in recent years is that people are living longer, there is considerable volatility in year-on-year longevity experience, which is why we need expert judgement in setting our longevity basis.

Our morbidity risk is mitigated by appropriate underwriting when policies are issued and claims are received. Our morbidity assumptions reflect our recent experience and expectation of future trends for each relevant line of business.

In Asia, we write significant volumes of health protection business, and so a key assumption for us is the rate of medical inflation, which is often in excess of general price inflation. There is a risk that the expenses of medical treatment increase more than we expect, so the medical claim cost passed on to us is higher than anticipated. Medical expense inflation risk is best mitigated by retaining the right to re-price our products each year and by having suitable overall claim limits within our policies, either limits per type of claim or in total across a policy.

Our persistency assumptions similarly reflect a combination of recent past experience for each relevant line of business and expert judgement, especially where a lack of relevant and credible experience data exists. Any expected change in future persistency is also reflected in the assumption. Persistency risk is mitigated by appropriate training and sales processes and managed locally post-sale through regular experience monitoring and the identification of common characteristics of business with high lapse rates. Where appropriate, we make allowance for the relationship (either assumed or historically observed) between persistency and investment returns and account for the resulting additional risk. Modelling this dynamic policyholder behaviour is particularly important when assessing the likely take-up rate of options embedded within certain products. The effect of persistency on our financial results can vary but mostly depends on the value of the product features and market conditions.

Risks from our business operations

Operational risk

Operational risk is the risk of loss (or unintended gain or profit) arising from inadequate or failed internal processes, personnel and systems, or from external events. This includes employee error, model error, system failures, fraud or some other event which disrupts business processes.

We manage and mitigate our operational risk using the following:

• Operational risk and outsourcing and third-party supply policies;
• Corporate insurance programmes to limit the impact of operational risks;
• Scenario analysis for operational risk capital requirements, which focus on extreme, yet plausible, events;
• Internal and external review of cyber security capability;
• Regular testing of elements of the disaster recovery plan;
• Group and business unit level compliance oversight and testing in respect of adherence with in-force regulations; and
• Regulatory change teams in place assist the business in proactively adapting and complying with regulatory developments.

An important element of operational risk relates to compliance with changing regulatory requirements. The high rate of global regulatory change, in an already complex regulatory landscape, increases the risk of non-compliance due to a failure to identify, correctly interpret, implement and/or monitor regulations. Legislative developments over recent years, together with enhanced regulatory oversight and increased capability to issue sanctions, have resulted in a complex regulatory environment that may lead to breaches of varying magnitude if the Group’s business-as-usual operations are not compliant. As well as prudential regulation, we focus on conduct regulation, including regulations related to anti-money laundering, bribery and corruption, and sales practices. We have a particular focus on these regulations in newer/emerging markets.

The performance of core activities places reliance on the IT infrastructure that supports day-to-day transaction processing. Our IT environment must also be secure and we must address an increasing cyber risk threat as our digital footprint increases – see separate Cyber risk section below. The risk that our IT infrastructure does not meet these requirements is a key area of focus, particularly the risk that legacy IT infrastructure supporting core activities/processes affects business continuity or impacts on business growth.

Addressing these key risks requires change and transformation activities in order for Prudential to meet the expectations of its stakeholders, regulators, customers and shareholders, as well as to maintain market competitiveness in an industry where innovation is steadily accelerating. There are financial and reputational implications if such activities fail (either wholly or in part) to meet their objectives, and even if successful there is a potential to alter Prudential’s operational risk profile. Owing to these factors, the execution and implications of internal change activities is an important area of focus.

As well as the above, other key areas of focus within operational risk include:

• The risk of a significant failure of a third-party outsourcing partner impacting critical services;
• The risk of trading or transaction errors having a material cost across the Group;
• The risk that errors within models and user-developed applications used by the Group result in incorrect or inappropriate transactions being instructed;
• Departure of key persons or teams resulting in disruption to current and planned business activities;
• The risk that key people, processes and systems are unable to operate (thus impacting on the ongoing operation of the business) due to a significant unexpected external event; for example, pandemic, terrorist attack, natural disaster or political unrest; and
• The risk of inadequate or inappropriate controls, governance structures or communication channels in place to support the desired culture and ensure that the business is managed in line with the core business values, within the established risk appetite and in alignment with external stakeholder expectations.

Global regulatory and political risk

Our risk management and mitigation of regulatory and political risk includes the following:

• Risk assessment of the Business Plan which includes consideration of current strategies;
• Close monitoring and assessment of our business environment and strategic risks;
• Board strategy sessions that consider risk themes;
• A Systemic Risk Management Plan that details the Group’s strategy and Risk Management Framework; and
• A Recovery Plan covering corporate and risk governance for managing risks in a distressed environment, a range of recovery options, and scenarios to assess the effectiveness of these recovery options.

On 29 March 2017 the UK submitted formal notification of its intention to withdraw from the EU. The potential outcome of the negotiations on UK withdrawal and any subsequent negotiations on trade and access to major trading markets, including the single EU market, is currently highly uncertain. Following submission of this notification, the UK has a period of two years to negotiate the terms of its withdrawal from the EU. If no formal withdrawal agreement is reached then it is expected the UK’s membership of the EU will automatically terminate two years after the submission of the notification.

The ongoing uncertainty and likelihood of a lengthy negotiation period may increase volatility in the markets where we operate, creating the potential for a general downturn in economic activity and for further or prolonged falls in interest rates in some jurisdictions due to easing of monetary policy and investor sentiment. We have several UK-domiciled operations, including Prudential UK and M&G, and these may be impacted by a UK withdrawal from the EU. However, our diversification by geography, currency, product and distribution should reduce some of the potential impact. Contingency plans were developed ahead of the referendum by business units and operations that may be immediately impacted by a vote to withdraw the UK from the EU, and these plans have been enacted since the referendum result.

The UK’s decision to leave the EU has the potential to result in changes to future applicability of the Solvency II regime in the UK. The European Commission has commenced a review of some elements of the application of the Solvency II legislation with a particular focus on the Solvency Capital Requirement calculated using the standard formula.

National and regional efforts to curb systemic risk and promote financial stability are also underway in certain jurisdictions in which Prudential operates, including the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US, and other European Union legislation related to the financial services industry, such as MiFID2.

There are a number of ongoing policy initiatives and regulatory developments that are having, and will continue to have, an impact on the way Prudential is supervised. These include addressing Financial Conduct Authority (FCA) reviews, ongoing engagement with the Prudential Regulation Authority (PRA), and the work of the Financial Stability Board (FSB) and standard-setting institutions such as the International Association of Insurance Supervisors (IAIS). Decisions taken by regulators, including those related to solvency requirements, corporate or governance structures, capital allocation and risk management may have an impact on our business.

The IAIS’s Global Systemically Important Insurer (G-SII) regime forms additional compliance considerations for us. Groups designated as G-SIIs are subject to additional regulatory requirements, including enhanced group-wide supervision, effective resolution planning, development of a Systemic Risk Management Plan, a Recovery Plan and a Liquidity Risk Management Plan. Prudential’s designation as a G-SII was reaffirmed by the IAIS in November 2016, based on the updated methodology published in June 2016. Prudential is monitoring the development and potential impact of the policy measures and is continuing to engage with the PRA on the implications of the policy measures and Prudential’s designation as a G-SII. The IAIS is intending to review the G-SII designation methodology, including considering the activity based approach to systemic risk assessment in 2019.

We continue to engage with the IAIS on developments in capital requirements for groups with G-SII designation. The regime introduces capital requirements in the form of a Higher Loss Absorption (HLA) requirement. While this requirement was initially intended to come into force in 2019, this has now been postponed to 2022. The HLA is also now intended to be based on the Insurance Capital Standard (ICS), which is being developed by the IAIS as the capital requirements under its Common Framework (ComFrame). This framework is focused on the supervision of Internationally Active Insurance Groups and will establish a set of common principles and standards designed to assist regulators in addressing risks that arise from insurance groups with operations in multiple jurisdictions. As part of this, work is underway to develop a global Insurance Capital Standard that is intended to apply to Internationally Active Insurance Groups.

A consultation on the ICS was concluded in 2016 and the IAIS intends to publish an interim version of ICS in 2017. Further field testing, consultations and private reporting to group-wide supervisors on the interim version of the ICS are expected over the coming years. It is currently planned to be adopted as part of ComFrame by the IAIS in late 2019.

The IAIS’s Insurance Core Principles, which provide a globally-accepted framework for the supervision of the insurance sector and ComFrame evolution, are expected to create continued development in both prudential and conduct regulations over the next two to three years.

In the US, the Department of Labor rule became effective on 9 June 2017 (although some provisions do not come into effect until January 2018), and introduces new fiduciary obligations for distributors of investment products to holders of regulated accounts, which may dramatically reshape the distribution of retirement products. Jackson’s strong relationships with distributors, history of product innovation and efficient operations should help mitigate any impacts.

The US National Association of Insurance Commissioners (NAIC) is currently conducting an industry consultation with the aim of reducing the non-economic volatility in the variable annuity statutory balance sheet and risk management. Following an industry quantitative impact study, changes have been proposed to the current framework; however, these are considered to be at an early stage of development. Jackson continues to be engaged in the consultation and testing process. The proposal is expected to be effective from 2019 at the earliest.

With the new US administration having taken office in January 2017, the potential uncertainty as to the timetable and status of these key US reforms has increased given preliminary indications from Washington. Our preparations to manage the impact of these reforms will continue until further clarification is provided.

In May 2017, the International Accounting Standards Board (IASB) published IFRS 17 which will introduce fundamental changes to the statutory reporting of insurance entities that prepare accounts according to IFRS from 2021. We are currently considering the potential impact of the complex requirements of this standard on the Group which can be expected to, among other things, alter the timing of IFRS profit recognition.

In Asia, regulatory regimes are developing at different speeds, driven by a combination of global factors and local considerations. New requirements could be introduced in these and other regulatory regimes that challenge legal or ownership structures, current sales practices, or could retrospectively be applied to sales made prior to their introduction, which could have a negative impact on Prudential’s business or reported results.

Cyber risk

Cyber risk is an area of increased scrutiny for global regulators after a number of recent high profile attacks and data losses. The growing maturity and industrialisation of cyber-criminal capability, together with an increasing level of understanding of complex financial transactions by criminal groups, are two reasons why risks to the financial services industry are increasing. Developments in data protection worldwide (such as the EU General Data Protection Regulation that is expected to come into force in 2018) may increase the financial and reputational implications for Prudential on a breach of its IT systems.

Given this, cyber security is seen as a key risk for the Group. Our current threat assessment is that, while we are not individually viewed as a compelling target for a direct cyber attack, there have been recent changes to the threat landscape and the risk from untargeted but sophisticated and automated attacks has increased, as has the risk stemming from geopolitical tensions. These have the potential to significantly impact on business continuity, our customer relationship and our brand reputation.

The Board receives periodic updates on cyber risk management throughout the year. The current Group-wide Cyber Risk Management Strategy and the associated Group-wide Coordinated Cyber Defence Plan were approved by the Board in 2016.

The Cyber Risk Management Strategy includes three core objectives: to develop a comprehensive situational awareness of our business in cyberspace; to pro-actively engage cyber attackers to minimise harm to our business; and to enable the business to grow confidently and safely in cyberspace.

The Cyber Defence Plan consists of a number of work-streams, including developing our ability to deal with incidents; alignment with our digital transformation strategy; and increasing cyber oversight and assurance to the Board.

Protecting our customers remains core to our business, and the successful delivery of the Cyber Defence Plan will reinforce our capabilities to continue doing so in cyberspace as we transition to a digital business.

Group functions work with each of the business units to address cyber risks locally within the national and regional context of each business, following the strategic direction laid out in the Cyber Risk Management Strategy and managed through the execution of the Cyber Defence Plan.

The Group Information Security Committee, which consists of senior executives from each of the businesses and meets on a regular basis, governs the execution of the Cyber Defence Plan and reports on delivery and cyber risks to the Group Executive Risk Committee. Both committees also receive regular operational management information on the performance of controls.

Notes

1. Excludes Group’s proportionate share in joint ventures and associates and unit-linked assets and holdings of consolidated unit trust and similar funds.
2. Including bonds guaranteed by the federal government.