Enterprise Risk Management Policy

Adopted by the AMP Limited Board on 2 February 2017

AMP's promise is to help people own tomorrow. To achieve this promise, risks must be managed effectively within the Board's Risk Appetite to meet the reasonable expectations of key stakeholders, in particular to safeguard AMP's capital, profitability, liquidity and reputation. Risks faced by AMP are often interlinked and, if not properly managed, may prevent AMP from achieving its strategic objectives.

The Enterprise Risk Management (ERM) framework governs the management of risk across the Group and covers:
- the roles and responsibilities for risk governance;
- the link between risk appetite and strategy;
- the risk process; and
- the systems and culture that support risk management at AMP.

Risk Taxonomy

AMP can only effectively manage risk based on what is identified and measured. To ensure there is appropriate coverage of risks, AMP has adopted a taxonomy and aggregation structure that governs how risk is identified, measured and reported. AMP faces individual risks that are aggregated into risk types. The impacts of individual risks or aggregate risk types are measured against four dimensions. The amount of impact on these four dimensions is limited by the Risk Appetite Statement.

Risk dimensions

Capital Adequacy
  Measurement metrics: Regulatory Capital; Economic Capital [1]
  Description: This reflects AMP's level of protection/buffer against significant losses in tail events that could lead to insolvency/default or emergency balance sheet restitution.

Earnings Stability
  Measurement metrics: Profit-at-Risk; Embedded Value at Risk (Wealth protection portfolio) [2]
  Description: This constrains excessive volatility of earnings and guards against surprises that lower the predictability of returns to shareholders.

Liquidity
  Measurement metrics: Cashflows; Dividends
  Description: Reflects AMP's level of protection against a period of prolonged funding stress and ensures the group can meet its cash obligations without having to resort to an asset fire sale.

[1] Measurement is under consideration.
[2] Measurement is under consideration.
Reputation
  Measurement metrics: Reputation Scorecard [3]; Share price; Media; Net Promoter System
  Description: Reflects the extent to which AMP is willing to accept unexpected failure to meet customer, advisor, shareholder, regulator or employee expectations. This dimension is difficult to quantify but can be a substantial threat to AMP's overall reputation and hence long-term value.

Risk types

Strategic (Risk Type Layer 1)
  Risk Type Layer 2: Poor business decisions; Insufficient capacity to execute; Changes in environment
  Description of risk: Risk of loss or forgone value associated with strategic decisions and competitive positioning of the business and our ability to respond in a timely manner to changes in the regulatory, customer or competitive landscape.

Credit (Risk Type Layer 1)
  Risk Type Layer 2: Credit default risk; Counterparty credit risk; Securitisation
  Description of risk: Risk of loss or forgone value due to non-payment of a contractually required payment by a counterparty.

Market (Risk Type Layer 1)
  Risk Type Layer 2: Equity risk; Interest rate risk; Currency risk; Commodity risk; Inflation risk; Volatility risk; Credit spread risk; Basis risk; Infrastructure; Retail or commercial property (listed or unlisted)
  Description of risk: Risk of loss or forgone value due to adverse movements in market prices and investment values. This may be due to economic changes or events that have an impact on large portions of the market.

Insurance (Risk Type Layer 1)
  Risk Type Layer 2: Mortality risk; Morbidity risk; Expense risk; Policyholder behaviour risk; Longevity risk
  Description of risk: Risk of loss or forgone value due to increased morbidity/mortality rates, longevity, expense and changes to policyholder behaviour.

Liquidity (Risk Type Layer 1)
  Risk Type Layer 2: Funding liquidity risk; Trading liquidity risk
  Description of risk: Risk of loss or forgone value due to an inability to fund or trade liquidity risk at a given period to meet debt obligations at a reasonable price.

[3] Measurement is under consideration.

[Version 02.2017]
Concentration (Risk Type Layer 1)
  Risk Type Layer 2: Credit concentration; Market correlation; Insurance Pandemic / Catastrophe; Single name, cross risk type concentration
  Description of risk: Risk of loss due to a series of exposures with the potential to produce large enough losses. It may arise in the form of credit concentration, market correlation, cross risk types, pandemic, which may have been accumulated over time.

Operational (Risk Type Layer 1)
  Risk Type Layer 2: Internal fraud and unauthorised activity; External fraud; Employment practices and workplace safety; Clients, products and business practices; Damage to physical assets; Business disruption; Execution, delivery and process management
  Description of risk: Risk of loss or forgone value resulting from inadequate or failed internal processes, people and systems or from external events.

Enterprise Risk Management Principles

AMP has adopted the following principles for effective management of risk:
- AMP maintains an ERM framework that enables risks to be identified, measured, managed and reported in a structured and consistent manner across the business.
- AMP maintains an ERM framework that enables AMP to demonstrate it meets applicable legislative and regulatory requirements, rules, codes and ethical standards, as well as internal policies and procedures.
- AMP operates and manages risk within an appropriate governance structure.
- AMP promotes a culture of risk awareness and management in all aspects of its products, practices and processes.
- AMP's strategy is aligned to the Board's risk appetite to ensure the nature and amount of risk taken to achieve the strategy are within risk appetite.
- AMP will take informed risks within risk appetite to create sustainable value.

Enterprise Risk Management Requirements

1. The AMP Limited, AMP Bank, AMP Life, AMP Superannuation Limited, NM Superannuation Limited and AMP Capital Risk Appetite Statements and Risk Management Strategies must be documented, approved and reviewed by the Board on at least an annual basis.
2. AMP must consider whether the resulting risks of management and operational decisions are within risk appetite. AMP must have the ability to demonstrate that the appropriate ERM framework and associated policies, procedures, and controls have been embedded and managed effectively within risk appetite.
3. Appropriate risk specialists must be engaged to provide objective and effective challenge of key business decisions and activities.
4. Breaches of the Board's Risk Appetite Statement must be escalated in a timely manner to the Board.
5. Material risks must be assessed, measured and analysed to ensure risks are being managed appropriately.
6. All areas of AMP and its employees must conduct all business within the boundaries of the regulatory and legislative environment within which they operate. Procedures must be in place to monitor compliance with obligations, and breaches must be managed and reported to the relevant Regulator.
7. AMP must maintain a forward-looking stress and scenario testing program to assess the impact of likely and rare scenarios.
8. AMP must actively manage its aggregate risk exposures and intra-group transactions, with material exposures escalated and reported to the relevant Committees for assessment and action if required.
9. Where AMP relies on Models to support critical business decisions, processes must be in place to demonstrate the ongoing accuracy, robustness and stability of the models.
10. Significant change must be managed to ensure associated risks are adequately identified and managed.
11. A risk culture that supports creation of sustainable value for customers and shareholders while managing risk effectively.
12. The appropriateness of the design and implementation of the ERM framework is subject to periodic internal and external review.

Roles and Responsibilities for Risk Management

Risk is governed at AMP by the Board, Senior Management and a Three Lines of Defence model. The model is designed to provide assurance to Management and the Board that risks are identified, managed and reported effectively.
Business - the 1st line of defence

Employees in the 1st line are responsible for owning and managing risks in their business area. Key activities include:
- Develop and implement processes (including controls and control testing) that meet the requirements of the ERM framework.
- Monitor and review the business environment to identify, measure, understand, escalate and report on risks and issues, incidents and changes in the business.
- Provide timely reporting and escalation of relevant information to Senior Management, Committees and Boards.

Enterprise Risk Management Team - the 2nd line of defence

Employees in the 2nd line are responsible for providing advice related to risk management and performing independent review and challenge of business decisions and practices. Key activities include:
- Design risk framework and facilitate the implementation of the framework.
- Independently and effectively challenge and review material business decisions from a risk and return perspective.
- Report on all material risks to senior management and the Boards.

Internal Audit - the 3rd line of defence

Employees in the 3rd line of defence provide independent assurance and challenge with respect to the effectiveness of the ERM framework and internal controls as executed by the 1st and 2nd lines.

Board and Board Committee

The Board and Board Committees are required to provide oversight and direction with regard to risk management in the business. This includes:
- Being informed of the key risks in the business and their impact on achieving the strategy.
- Providing guidance to Management on appropriate risk management actions to align to and achieve the strategy.
- Monitoring and reviewing the effectiveness of the ERM framework.
- Setting the Risk Appetite and Risk Management Strategies and approving relevant policies.

Compliance and Review

Breaches of this policy may lead to disciplinary action being taken against an employee, including dismissal in serious cases.

The AMP Limited Board will review this policy periodically to determine whether the policy remains effective in ensuring AMP meets its risk management obligations. All amendments to this policy must be approved by the Board, other than amendments required as a result of changes to position titles, AMP's organisational structure or AMP branding which may be approved by the Group Chief Officer.