Nedbank Group  
Economic sustainability

OPERATIONAL RISK

Nedbank Group Limited was granted approval by the SARB in December 2010 for the use of the Advanced Measurement Approach (AMA) to manage operational risk. This approval allowed Nedbank to calculate its operational risk regulatory capital requirements using partial and hybrid AMA with effect from 31 December 2010.

The Nedbank AMA Operational Risk Management Framework was approved by the board’s Group Risk and Capital Management Committee. The AMA methodologies contained therein have been rolled out and are now embedded across the group, including for the purposes of economic capital and the ICAAP.

OPERATIONAL RISK STRATEGY, GOVERNANCE AND POLICY

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk. Legal risk includes, but is not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements. Operational risk is not typically taken in pursuit of an expected return, but exists as part of the normal course of business at all levels. The main sources of operational risk are described in the subsections that follow.

FINANCIAL CRIME
Fraud risk management

Nedbank Group follows a multipronged approach in addressing and eradicating financial crime. In 2010 key aspects of this approach included:

  • Close cooperation with law enforcement by rendering all possible assistance to secure the successful prosecution of offenders.
  • Client and staff education in printed and electronic media.
  • A substantial increase in the number of investigators.
  • Continued focus on proactive, early detection of financial crime both against the bank and its clients.
  • The introduction of new technologies such as biometric client authentication for the prevention of identity theft.
  • The creation of a dedicated capacity for combating home loans crime, to address the increase in this type of crime.
  • Additional measures to combat new types of crime, specifically in the area of online fraud.

 

Internal fraud and dishonesty

Nedbank Group maintains a policy of zero tolerance of any dishonesty committed by staff members. Altogether 234 staff members were dismissed as a result of internal investigations in 2010, a decrease of 15,8% compared with 2009.

Assessment of fraud risk

The risk of internal and external fraud is evaluated on several levels:
  • Risk control self-assessments are conducted on an ongoing basis to ensure that the appropriate controls are in place and monitored effectively. Where controls are lacking, action plans are formulated and implemented to ensure that the risk of fraud is within the accepted risk appetite of the group.
  • Fraud key risk and control indicators have been developed and are monitored, tracked and reported on in accordance with the Operational Risk Management Framework (ORMF).
  • Facilitated fraud risk assessments are undertaken as outlined in International Standard on Auditing 240 (ISA 240), which deals with the auditor’s responsibilities relating to fraud.
  • New products and all processes related to their use are evaluated to ensure that all aspects of fraud risk, legal risk and regulatory risk (such as the anti-money-laundering requirements) are considered.

Due-diligence investigations

Due-diligence investigations are performed at the outset of any business relationship with clients, partners, vendors, agents/intermediaries and joint ventures. In addition, an ongoing assessment is made of the commercial, political, social and security environment in which business is undertaken or is likely to be undertaken. Social, economic and governmental changes in a country can create an environment that reduces security and increases the risk to the group’s assets (staff, premises and information) and, consequently, to its ability to continue to do business.

 

Internal and external whistleblowing reporting lines

Security and fraud incidents can be reported, around the clock, through an internal reporting line, which is supported by an external, independently managed whistleblowing hotline, available to staff and clients. The facility also extends to Nedbank Africa subsidiaries in Namibia, Swaziland, Lesotho, Malawi and Zimbabwe. An ethics panel has been established for the appropriate handling of reports of a sensitive or serious nature.

In 2010 1 497 anonymous tipoffs were received (2009: 1 114).

 

Online fraud

During 2010 the group undertook various initiatives to protect its clients from online fraud, including participation in a concerted media campaign with the rest of the banking sector to educate consumers about online safety. Nedbank provided free software to all internet banking clients to protect them from phishing attacks, and created a sophisticated phishing response infrastructure, which led to the successful prevention of 89,6% of all phishing losses.

Cybercrime risk

Nedbank Group has taken note of the current and expected impact of cybercrime on the banking industry and its clients and has established an extensive internal digital forensic capability to deal with this risk effectively. The group also provides training and awareness in digital forensics at tertiary institutions and to the law enforcement community in South Africa.

Security risk

In 2010 a concerted focus on staff and client safety saw a 90% decrease in robbery incidents compared with 2009. Robberies and burglaries remain a threat and these are mitigated, managed and monitored by highly sophisticated technology in a joint operations centre. Biometric doors at branch entrances, automated roller shutter doors, a well-implemented cash management system and improved response to incidents are critical in the management of security risk. A guard tracking device, live camera streaming from digital video recorders and a security analysis management system are all scheduled for implementation in 2011.

Relations between the banking sector and the South African Police Service (SAPS) and the National Prosecuting Authority were strengthened under the facilitation of the South African Business Intelligence Centre.

Cooperation with the criminal justice system

In addition to the day-to-day cooperation with law enforcement in the fight against crime, in 2010 Nedbank Group reported 522 suspicions of corruption and/or fraud in excess of R100 000 to the SAPS in terms of section 34 of the Prevention and Combating of Corrupt Activities Act. The group also assisted the SAPS in its investigations by responding to 3 163 subpoenas.

Nedbank Group considers financial crime to be a major operational risk that leads to significant losses, and it is for this reason that the group pursues a vigorous policy of mitigating the risk through active risk management.

Legal risk

Legal risk arises from the necessity that the group conduct its activities in conformity with the business and contractual legal principles applicable in each of the jurisdictions where the group conducts its business. A failure to meet these legal requirements may result in unenforceable contracts, disputes, litigation, fines, penalties, claims for damages or other adverse consequences.

COMPLIANCE AND REGULATORY RISK

Compliance and regulatory risk is the risk of legal or regulatory sanctions, material financial loss or loss of reputation that the group may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards and codes of conduct applicable to its banking and other activities.

Compliance and regulatory risk has become increasingly significant, and there continues to be considerable demand on the group to comply with various new and amended regulatory requirements. Given the increasing scale and complexity of laws and regulations, the group remains committed to the highest regulatory and compliance standards.

The Enterprise Governance and Compliance function, which forms part of the second line of defence in the risk management model, assists the group in managing compliance and regulatory risk. The objective of compliance and regulatory risk management is to ensure that the legal and regulatory requirements to which the business is or will be subject are identified and complied with.

MONEY LAUNDERING, TERRORIST FINANCING AND SANCTIONS RISK MANAGEMENT

Nedbank Group does not associate, in any way, with money-laundering activities or terrorist financing. Clearly defined policies and procedures ensure compliance with all statutory requirements and regulatory obligations or, in the absence of these, that agreed standards are met. The group takes a proactive approach by endeavouring to identify any business relationships, applications for business relationships or transactions with individuals, entities and countries targeted in financial sanctions legislation.

The Business Risk Management Forum (BRMF), a Group Executive subcommittee chaired by the Chief Risk Officer, is mandated to provide strategic direction for, and monitor the effective implementation of, anti-money-laundering (AML), combating the financing of terrorism (CFT) and sanctions compliance initiatives throughout the group. The Executive Steering Committee of the Money Laundering Control Programme, a subcommittee of the BRMF, ensures the internationalisation and operational implementation of AML, CFT and sanctions compliance.

Nedbank Group Risk maintains a close and transparent working relationship with the Financial Intelligence Centre (FIC), attending bimonthly meetings with the FIC and regular meetings with the SARB, JSE Limited and the Financial Services Board to ensure compliance with their requirements and to obtain clarification where necessary.

At 31 December 2010 a total of 4 387 503 client records on Nedbank Group’s Client Information System were reflected as verified. Of the 123 090 non-verified client records, 105 946 had been restricted and 17 144 were in the process of being restricted. The number of non-verified records not yet restricted equates to 0,31% of the total number of records, which compares well with the BRMF-approved risk threshold of 0,5%.

Training for AML and CFT remains a high priority. For the 24 months to 31 December 2010 a total of 21 255 of the selected 29 699 employees completed the awareness training for AML and CFT.

Nedbank Group’s e-learning training intervention for CFT and related activities, which was first implemented in 2009, was recognised by the FIC as ‘innovative and a first of its kind in South Africa’.

Annual directors’ training programmes for money-laundering, terrorist financing and sanctions risk management were developed in 2010 and presented to the Group Risk and Capital Management Committee on 19 October 2010 in compliance with SARB, FIC and international requirements.

INFORMATION AND TECHNOLOGY RISK

Information and technology risk stems from misalignment with business strategy, an uncoordinated or inefficient information technology (IT) strategy, failure of projects to deliver the desired change, data protection and information privacy, the effects of physical disasters on information systems, IT outsourcing, IT performance and information systems governance. The Group Technology Cluster manages information and technology risk through the Technology Management Policy.

In addition to the abovementioned existing regulations, Nedbank is providing input into energy, water and climate-change-related regulatory developments, including the Integrated Resource Plan 2010; the National Climate Change Response Green Paper 2010; Reducing Greenhouse Gas Emissions: The Carbon Tax Option; the Strategy for a Developmental Green Economy for Gauteng; the Integrated Energy Plan for the Republic of South Africa; the Long-term Mitigation Scenarios – Technical Report and the Renewable-energy Feed-in Tariff – Phase I and II.

BUSINESS CONTINUITY MANAGEMENT

Business continuity management (BCM) aims to ensure that the group’s business activities remain resilient during emergencies and disasters. The BCM function provides overall guidance and direction, monitors compliance with regulatory and best-practice requirements and facilitates regular review of BCM practices.

 

PEOPLE RISK

People risk is the risk associated with inadequacies in human capital and the management of human resources, policies and processes resulting in the inability to attract, manage, motivate, develop and retain competent resources, with concomitant negative impact on the achievement of strategic group objectives. The group vigorously manages people risk through Group Human Resources at the central and business clusters.

To minimise the exposure to operational risk that arises as a consequence of the group’s financial risk-taking initiatives within credit, market and operating activities, Nedbank Group has implemented and embedded an ORMF, which contains AMA-compliant methodologies, policies and guidelines to facilitate a consistent and world-class approach to operational risk management.

Personnel integrity management

Nedbank Group minimises people risk by ensuring that controls are incorporated into the recruitment and selection processes of all employees, including contractors, temporary employees and consultants. This process aims to minimise the group’s vulnerability to fraud, embezzlement, theft, corruption and mismanagement of job responsibilities. It also cultivates a culture of business ethics and integrity in keeping with Nedbank Group’s values and endorses the Code of Good Banking Practice that states that ‘Banks will conduct their business with uncompromising integrity and fairness so as to promote complete trust and confidence in the banking industry’.

The Financial Advisory and Intermediary Services Act, 37 of 2002, determines the ‘fit and proper’ requirements that are applicable to all financial service providers, key individuals, representatives and compliance officers. Nedbank screens these persons every 24 months to ensure the highest level of honesty and integrity. All new appointments of directors or executive directors are screened, as required by the Banks Act, 94 of 1990, to comply with the requirements of honesty and integrity. This also reduces the potential for conflicts of interest.

Business clusters act as the first line of defence and are responsible for the identification, management, monitoring and reporting of operational risk. Operational risk is reported and monitored through the divisional and cluster enterprisewide risk committees and overseen by the Group Operational Risk Committee (GORC) and the board’s Group Risk and Capital Management Committee. The Group Operational Risk Management (GORM) Division, within the Group Risk Cluster, acts as the second line of defence in the Nedbank enterprise risk management framework.

The primary responsibilities of GORM are to develop, maintain and champion the Group Operational Risk Management Framework, policies and enablers that support ORM in the business, as well as the implementation of Basel II and other regulatory requirements and of international best practice for ORM.

Specialist functions in Group Risk, for example Forensic Services, Business Continuity Planning, Group Legal and Corporate Insurance, also assist businesses with specialist advice, policies and standard setting. Pervasive operational risk trends are monitored and reported on to the enterprisewide risk committees and, where appropriate, to GORC and to the Board Risk and Capital Management Committee.

Group Internal Audit, being the third line of defence, provides assurance to GORC.

OPERATIONAL RISK MEASUREMENT, PROCESSES AND REPORTING SYSTEMS

The primary operational risk measurement processes in the group are risk and control self-assessments, internal loss data collection processes and their governance, the tracking of key risk indicators (KRIs), external loss data, scenario analysis and capital calculation, all of which are designed to function in an integrated and mutually reinforcing manner.

INTERNAL LOSS DATA COLLECTION AND KEY RISK INDICATOR TRACKING

The internal loss data collection process and KRI tracking are backward-looking and enable the monitoring of trends and the analysing of the root causes of loss events. Operational risk losses are reported on in the Nedbank Internal Loss Data Collection System. KRIs are designed to be both forward- and backward-looking in the sense that they function not only as early-warning indicators, but also as escalation triggers where set risk tolerance levels have been exceeded.
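The distinction drawn above, between a KRI acting as an early-warning indicator and a KRI acting as an escalation trigger once a tolerance level is exceeded, is easiest to see in code. The following tracker is an added example written for this page; it is not Nedbank’s system, and the indicator names, warning levels, tolerance levels and monthly observations are constructed for illustration (the only figure taken from the report is the 0,5% BRMF-approved threshold for non-verified client records). It classifies the latest observation of each KRI as `ok`, `warn` or `escalate`: a breach of the tolerance level escalates, a breach of the warning level warns, and a rising trend that projects a tolerance breach within the look-ahead window warns even while the current value is still within tolerance.

```python
"""KRI tracker: added example, not Nedbank code. Levels and series are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Kri:
    name: str
    warning: float    # early-warning (amber) level; exceeding it warns (assumed value)
    tolerance: float  # risk tolerance (red) level; exceeding it escalates (assumed value)


def evaluate_kri(kri: Kri, observations: List[float], window: int = 3) -> Tuple[str, str]:
    """Classify the latest observation of one KRI.

    Backward-looking: compare the latest value with the set levels.
    Forward-looking: extrapolate the slope over the last `window` periods and
    warn if the projection breaches the tolerance level within `window` periods.
    Returns (status, reason) with status in {"ok", "warn", "escalate"}.
    """
    if not observations:
        raise ValueError(f"{kri.name}: no observations")
    latest = observations[-1]
    if latest > kri.tolerance:
        return "escalate", f"{latest} breaches tolerance {kri.tolerance}"
    if latest > kri.warning:
        return "warn", f"{latest} exceeds warning level {kri.warning}"
    if len(observations) > window:
        first = observations[-window - 1]
        slope = (latest - first) / window          # change per period
        projected = latest + slope * window        # value expected `window` periods ahead
        if slope > 0 and projected > kri.tolerance:
            return "warn", (f"trend projects {projected:.2f} within {window} periods "
                            f"(tolerance {kri.tolerance})")
    return "ok", f"{latest} within tolerance {kri.tolerance}"


def run_kri_report(kris: List[Kri], series: Dict[str, List[float]],
                   window: int = 3) -> Dict[str, Tuple[str, str]]:
    """Evaluate every KRI against its observation series."""
    return {k.name: evaluate_kri(k, series[k.name], window) for k in kris}


def escalations(report: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names of KRIs whose status requires escalation to the risk committees."""
    return sorted(name for name, (status, _) in report.items() if status == "escalate")


# Constructed indicators; the 0.5 tolerance on non-verified client records is the
# only level taken from the report, the rest are illustrative assumptions.
KRIS = [
    Kri("phishing_incidents_per_month", warning=40, tolerance=60),
    Kri("robbery_incidents_per_month", warning=3, tolerance=5),
    Kri("internal_fraud_dismissals_per_month", warning=30, tolerance=40),
    Kri("unverified_unrestricted_records_pct", warning=0.4, tolerance=0.5),
]

# Constructed monthly observations, oldest first.
SERIES = {
    "phishing_incidents_per_month": [18, 22, 25, 31, 37, 45],      # above warning level
    "robbery_incidents_per_month": [2, 1, 0, 1, 6],                # above tolerance
    "internal_fraud_dismissals_per_month": [20, 22, 19, 18],       # falling, within levels
    "unverified_unrestricted_records_pct": [0.15, 0.20, 0.26, 0.33],  # rising toward 0.5
}

if __name__ == "__main__":
    report = run_kri_report(KRIS, SERIES)
    for name, (status, reason) in report.items():
        print(f"{status:8} {name}: {reason}")
    print("escalate:", escalations(report))
```

The trend check is what makes the indicator forward-looking: the non-verified-records series is still below its warning level, but its slope projects a breach of the 0,5% tolerance within three periods, so it is flagged before the tolerance is actually exceeded. Escalation remains a hard trigger on the tolerance level, which is the behaviour the framework describes.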

BOUNDARY EVENTS

Boundary events are those losses and near misses that manifest themselves in other risk types, such as credit and market risk, but have relevance to operational risk because they emanate from operational breakdowns or failures. Boundary events are often identified by credit and market risk management, and are included in the credit risk loss database (for credit boundary events) and in the operational risk capital calculation (for market boundary events) respectively.

Material credit risk events caused by operational failures in the credit processes are flagged separately in the Internal Loss Data Collection System. In line with the Banks Act and Basel II requirements, capital for these events continues to be held under credit risk. These events are nevertheless included as part of the ORMF to assist in the monitoring, reporting and management of the control weaknesses and causal factors within the credit process.

Material market risk events caused by operational failures in the market risk processes are also flagged separately in the Internal Loss Data Collection System. The capital holding thereof is included in operational risk capital.

EXTERNAL LOSS DATA

The purpose of using external data is to incorporate infrequent yet relevant and potentially severe operational risk exposures into the measurement model. The group currently incorporates the effects of external data in the operational risk capital calculation model indirectly in conjunction with the scenario analysis process.

SCENARIO ANALYSIS

Scenario analysis is also a required element of AMA and is defined in the ORMF as one of the data sources for operational risk modelling and measurement, and serves as the main input for unexpected loss estimation. Scenario analysis is conducted in a disciplined and structured way using expert judgement to estimate the operational risk exposure of the group. Scenario analysis focuses on solvency and aims to identify the major operational risks that can negatively affect the solvency of the group.

BUSINESS ENVIRONMENT AND INTERNAL CONTROL FACTORS

The group takes into account business environment and internal control factors during the conduct of risk and control self-assessments. Consideration of business environment and internal control factors enables the group to take into account any changes in the external and internal business environment, consider the inherent risks that result from those changes and then design appropriate controls.

REPORTING

A well-defined and embedded reporting process is in place. Risk profiles, loss trends and risk mitigation actions are reported to and monitored by the risk governance structures of the group.

INSURANCE OBTAINED TO MITIGATE THE BANK’S EXPOSURE TO OPERATIONAL RISK

The group has a well-structured insurance programme for its financial and non-financial risks to mitigate its operational and fraud exposures. The group has an insurance operation that reports to the Group Chief Risk Officer and is responsible for the design and management of the principal insurance programmes addressing the group’s operational risk exposures. This function is responsible for ensuring that the cover purchased for the group is up to date with the best coverage available in the insurance markets and relevant to the group’s operating environment. The Group Insurance Division also ensures that cover is purchased where required to meet any statutory or regulatory requirements. The primary insurance policies that cover exposures to operational risk include comprehensive crime and professional indemnity.

OPERATIONAL RISK GOVERNANCE STRUCTURE

A diagram in the original report (not reproduced in this text version) depicts the operational risk governance structure.

 

   
   