POL00460604 - Email from Anshu Mathur to Owen Woodley cc Ben Foat


POL00460604

Anshu Mathur

From: Anshu Mathur

Sent: 21 September 2023 17:54
To: Owen Woodley

Cc: Ben Foat

Subject: Suggestions for RCC Set Up

Hi Owen

Thanks for your time today.
As discussed, I have written below a suggestion for the structure of RCC:
Section 1 - Functional Risk Overview

Commercial
Retail
People
Finance
Technology

This section should provide the RCC with first line opinions on the efficacy of their control environment
supported by relevant MI/Data. The structure of their reporting, and levels of exception reporting would be
pre-agreed with RCC (subject to cyclical re-assessments). The functional updates should be provided by the
respective accountable GE and their GE-1.

Functions with key inherent risk would be covered, and then once reporting is established, focus can be placed
on a priority basis.

Section 2 - Entity Risk or Cross Functional Risks

Legal & Regulatory
PM (lens)

Inquiry

Etc

Risks which span multiple functions or where responsibility may not be overt should be captured here, and
reported against in a similar fashion to Section 1. This usually takes the longest to mature, embed and agree
suitable MI and data.

Section 3 - Line of Assurance - Perspective on control environment and Culture, Updates on Reviews
performed, thematics identified and actions status.
• Second Line - Group Assurance, Group Compliance, Group Risk, Culture (not sure whether Culture would be
first or second)
• Third line - Group Internal Audit
• External Assurance - If applicable (usually on request)

This section would provide the members with the objective opinions of the lines of assurance and where
divergence exists with the opinion and views of the first line. Now normally all should be aligned, but then
again, this takes time to embed and a new set of ways of working which need to be more collaborative and
collegiate across the 3LODs.

Section 4 - Risk Deep Dives

Owned and presented by the GE accountable owner and not Group Risk. The risk deep dives (format pre-
agreed with RCC) should follow a cyclical approach for coverage, focussing first on those risks that are out of
tolerance.

Section 5 - Standing Agenda Items
• Emerging risk landscape
• Current issues which may not be captured in the Sections above that the members of RCC would like to
discuss or put forward for deep dives in subsequent RCCs

Outcomes - The 5 sections would then lead to the creation of a control environment dashboard that can be
presented to the GE and ARC, along with suitable commentary. The advantage would be that it would be data
and MI supported, and with a clear audit trail of governance and oversight.

Happy to discuss further, unfortunately these things do excite me.

Regards

Anshu

Anshu Mathur
Group Assurance Director

100 Wood Street
London, EC2V 7ER

postoffice.co.uk