GRG Risk & Control Committee
Control Environment Certification
Assessment of the Robustness of the Internal Control Environment for: Global Restructuring Group (GRG) H1-2013

In line with requirements and definitions set out in the Control Environment Certification supporting guidance, I certify that the internal control environment has been assessed against the following key factors:
• The adequacy and effectiveness of the control environment across the business;
• Compliance with the Group Policy Framework and key divisional/functional policy standards;
• Compliance with the Internal Control over Financial Reporting (SOX 404) regulatory requirements;
• Compliance with the requirements of the UK Corporate Governance Code section on Risk Management and Internal Controls (section C.2);
• The adequacy and effectiveness of the risk and control frameworks and assurance processes to ensure the business operates within risk appetite; and
• The risk and control culture of the business.

Following consideration of the above factors the robustness of the Internal Control Environment for the business area(s) under my control has been assessed as follows:

Control Environment Rating
Self-assessed rating of the robustness of the internal control environment, including supporting frameworks and compliance with relevant Group and Regulatory requirements.
Current Rating H1-2013: 3 (6-12 months)
Previous Rating H2-2012: 3 (6-12 months)

When assessing the above I confirm that the following information has been taken into account:
• Output of relevant Governance, Risk and Control committees (RCC), or equivalent;
• Content of Risk & Control Reporting and completed Risk Assessments;
• Coverage and results of the assurance activities underpinning the assessment of:
  o Compliance with the requirements of Internal Control over Financial Reporting (SOX 404), with any control weaknesses classified as either a Significant Deficiency or Material Weakness noted in the commentary below;
  o Compliance with the Group Policy Framework and relevant local policies and policy standards, with commentary to support the assessments provided in the supporting appendix;
  o The effectiveness of the operational controls implemented in addition to Group Policy Framework requirements;
• Any relevant MI from internal or external service providers where the relationship is managed by my business;
• Processes, systems and training in place to enable compliance with the Group/Divisional Policies and supporting policy standards;
• Accountability is clearly understood and ratings are supported by appropriate evidence that is readily available.

Signed:
Name: Derek Sach
Date:
Title: Head of Global Restructuring Group

Control Environment Certification - This document is classified as CONFIDENTIAL - Page 1 of 13

COMMENTARY

Summary Commentary
The overall Control Environment for GRG for H1 2013 remains at a 3 (6-12 months) rating.
Whilst good progress continues to be made in terms of enhancing the overall control environment through the continued rollout of the Conduct and Operational Risk frameworks as well as the Group Policy Framework, the key drivers for maintaining the same rating and time horizon to a 2 rating are as follows:
• the increased operational risk profile associated with the range of change initiatives in progress across GRG;
• the challenging Regulatory landscape and requirements and the associated ongoing activities to become compliant with these requirements;
• the ongoing initiatives to enhance data quality;
• the capital management activities to ensure present requirements are adhered to and future changes are understood and translated into a compliant set of processes;
• Project Jones (the GRG Target Support model project), which is most noteworthy in terms of people and process re-design related risks, albeit recognising that the changes once implemented will result in a more efficient, effective and standardised operational support model;
• the activities required to achieve policy compliance, particularly in relation to Records Management and Information Security standards, which still require significant focus.

The CEC process itself for H1 2013 remains aligned to Group requirements in terms of coverage and challenge processes. Divisional Policy Standard Owners (DPSOs) are now substantially in place for GRG and for this CEC cycle the GRG DPSOs have been involved in reviewing and challenging the underlying GRG business and functions policy standard assessments. We have also just agreed a service model with CBD and CSS to support GRG becoming compliant with the 11 key DPSO policies.

At a detailed level the key drivers for the 3 rating (6-12 months) are as follows:

GRG wide projects - There are a number of initiatives underway and progressing, for which risk issues are recorded where appropriate, which have the potential to impact the control environment.
These include Projects Jones/Cycle/Renew, KYC remediation, AML Change Programme (agreeing the responsibility matrix), Capital Management, Data Quality and Loss Data Capture.

Project Jones - During H1 2013 GRG commenced a project to review its operating model insofar as it encompasses relationship manager support activities (specifically, operational support of customer relationships), business management, and all tasks (including Change, customer support and First Line of Defence (“FLOD”)) currently undertaken in COO. Following an analysis and design phase the GRG Steering Group agreed on a model to be implemented during the remainder of 2013. The model can be described as RM Support (both local and at a central location) and it is being designed with the intention of improving and enhancing the overall process and control infrastructure. There are a range of implementation related risks associated with Jones, ranging from process and control re-design, the people risks associated with the proposed operating model and regional build out, and the risks around maintaining a robust control environment during the implementation phase.

West Register - West Register have launched Real Estate Asset Management (REAM) which provides an expanded range of services focused upon optimising the value of real estate from distressed situations. The new platform seeks to establish a model by which the team’s expertise and experience can be leveraged to manage assets from across a wider spectrum of scenarios, not just through ownership (although ownership through the West Register vehicles will remain a viable option).
The services available to GRG Relationship Managers are as follows:
• Advisory – A REAM Asset Manager will provide the RM with real estate advice to help inform restructuring decisions;
• Consensual Deleverage – A REAM Asset Manager will work with the RM and borrower to develop a mutually agreeable sales strategy which may include some asset management initiatives en route;
• Contractual Asset Management – A REAM Asset Manager will work with an Insolvency Practitioner to create and implement an asset management plan that will maximise the Bank’s recovery;
• Market Underwriting – A REAM Asset Manager will participate in the external market by formulating bids on behalf of the West Register entities.

This model gives rise to a range of legal, regulatory and operational related risks which have been assessed as part of the REAM NPRA. The associated new processes and model will need a period of embedding.

AML/KYC - Phase 1 High Risk remediation cases have been completed, de-scoped or approved as an exception. This activity was completed by 31 March 2013. Phase 2 is now underway which incorporates all Rosetta cases (High, Medium or Low risk – 40% complete as at 30/6/13) that were not included in Phase 1 and all residual High Risk cases that were not originally in scope.

Capital Management - The key focus areas of the Capital Management programme include supporting the GRG business to understand the capital impact of restructures and understanding the impacts of future regulatory and credit model changes including CRD4. Continued development of the now embedded capital management information continues, as do the capital education and data quality programmes.

MI & Data Quality - The GRG MI & DQ Programme is underway to deliver a strategic infrastructure for GRG MI and Reporting.
The initial phase of the project was to deliver a revised portfolio methodology which aligns the Risk and Finance view; this was implemented for March month end reporting. The new Portfolio methodology will now be used going forward. Delivery of a strategic MI and Reporting infrastructure is underway, with the first “drop” due to be delivered by the end of July. At the centre of this is the development and delivery of a new GRG specific Data Store. This Data Store will hold all key data that is important to GRG for MI and Reporting purposes. The DQ workstream is underway with 2 key priorities: first to ensure full compliance with the Group Data Quality policy and second to pro-actively address remediation of our key data attributes.

Loss Data - The Loss Data programme is currently focused on validating the 2013 Default Closures to ensure we remain on track to meet our Pillar 3 requirements. The continued challenge here is to ensure that we have adequate and suitably skilled resources in place. Project Jones will enhance the overall process through the creation of dedicated Loss Data Collection roles.

Project Rosetta - GRG are impacted by the Bank-wide past business review and redress exercise into the sale of interest rate hedging products (Project Rosetta). The Bank has given an undertaking to the FCA that it will not foreclose on or adversely vary loan facilities without customer consent during the period of the review. GRG customers represent approximately 20% of the Rosetta population. Furthermore there is a risk that conflicts may arise between the Bank's Policies (most notably, AML/KYC, Credit Risk Mitigation and Problem Credit Management) and the terms of the FCA undertaking as they relate to a moratorium on recoveries and litigation processes, as well as impacting the ability to restructure debt. GRG has established a dedicated team to ensure compliance with the Undertaking and liaise with the Project team. The Project team is independent of GRG.
The methodology in relation to the conduct of the review has been agreed with the FCA and the formal review is in the early stages of commencement.

Second line of defence - Significant progress has been made in terms of the continued build out of the second line of defence Risk function. There has been positive delivery across a number of key Risk driven initiatives. Please see the Risk section on page 12 for detailed commentary.

GPF - Positive steps have been taken to implement the Group Policy Framework within GRG with the appointment of Divisional Policy Standard Owners (DPSO) for all of the Policy Standards. GPF implementation is tracked through a DPSO tracking tool and progress is reported to GRG OPCO and GRG RCC on a monthly basis. As at the end of H1 2013 the policy standard Gap Analyses are complete and, where complete, action plans have been developed and Issues raised with a view to closing any identified gaps. Individual assurance approaches and risk appetite statements per policy standard are being worked on. A service model is now also in place with CBD and CSS to support GRG in becoming compliant with the 11 key DPSO policies.

In summary there remains a significant amount of work required across the key GRG projects and change initiatives, most notably Project Jones, and in relation to the GRG control framework with the continued implementation of the Conduct risk, Operational risk and GPF frameworks, in order for GRG to be able to consider moving to a 2 rating. At this point we are targeting a 6-12 month timeframe for a change in rating.
GRG Businesses and Functions

GRG UK
The Control Environment Certificate for GRG UK is based on an assessment of the control environment for Business Restructuring Group (“BRG”), UK Corporate (“UKC”) and Recoveries and Litigation (“R&L”) with evidence provided by:
• First Line of Defence Assurance / Credit Quality Assurance reviews
• GIA audits, and
• Operational Risk Assessments

GRG UK’s overall self-assessment has changed to “3 (6-12 months)” recognising that, notwithstanding evidence that GRG UK continues to strengthen its governance to manage its risks, there are significant change and regulatory programmes to implement during the remainder of the year which are unlikely to be fully embedded, with new controls tested, before 2014. These relate to: (1) Project Rosetta (Swap selling); (2) Project Jones (GRG operational support model); (3) Projects Cycle/Renew (BRG and … operating models respectively); (4) embedding Portfolio Management in UKC; and (5) embedding robust processes and MI required to ensure full compliance with the Conduct Risk framework.

Enhanced risk management and oversight - In January 2013 a member of staff was appointed to provide a focal point for GRG management of its risk framework, including coordinating activity with the GRG Operational Risk, Compliance and Policy teams and improving issue management. Risk, financial and people management oversight is subject to senior management scrutiny each month at a GRG UK Forum created during Q1, and this focus has improved the consistency of issue management such that emerging issues identified are raised, acted upon and closed on a timely basis.
Seven Phase II risk assessments are expected to be drafted by the end of June 2013. The team, combined with enhanced management information (including through business self-assurance), has resulted in significant improvements in data quality and excess management together with reduced incidence of overdue reviews, which are now well within tolerance.

Change headwinds - When amalgamated, the various change projects impacting GRG UK businesses (together with the rollout of the Conduct Risk framework) represent a heightening of operational and HR risk throughout the course of the year, including the need to ensure changes do not adversely affect business as usual (or amended) controls. In some instances businesses are impacted by more than one major project; moreover, it is all forecast to occur within a reasonably short space of time (by end H2 2013) and will require a period of up to six months to demonstrate that it is fully embedded. Details of these projects are included in the next section, and it is against the background of this volume of change that GRG UK has self-assessed its rating as 3 (6-12 months). Where possible risk is mitigated by the governance and resource provided to each project, and for Projects Jones/Cycle there is common programme management to ensure consistency and appropriate oversight.

Changes that impact the GRG profile and control framework

GRG Target Support Model (“Project Jones”) - During H1 2013 GRG commenced a project to review its operating model insofar as it encompasses relationship manager support activities (specifically, operational support of customer relationships), business management, and all tasks (including customer support and First Line of Defence) currently undertaken in COO. Following an analysis and design phase the GRG Steering Group agreed on a model to be implemented during the remainder of 2013. The model can be described as RM Support (both local and at a central location) and it is being designed with the intention of improving and enhancing the overall process and control infrastructure.
Project Jones impacts GRG UK in the following ways. Firstly, staff who are currently located within GRG UK businesses are in scope for transfer to the new support model, thereby increasing the risk of engagement and/or turnover issues. Secondly, processes and controls will need to be reviewed and revised where appropriate, leading to risk on business as usual. Finally, FLOD activity will need to be revised to ensure that activity previously undertaken through self-assurance is undertaken as efficiently and effectively as possible. Pending full implementation there remains a risk that assurance of controls will not be timely or effective. Project Jones is fully supported by GRG Change and subject to normal project governance and resource. GRG UK businesses are represented at all stages to ensure that the change risk is managed, and training and support is being provided to senior leaders to manage the personnel impact. The FLOD timetable has been drafted for the remainder of 2013 (including regulatory requirements) and self-testing will continue where it is being undertaken at present until such time as the new FLOD model is implemented.

Swap mis-selling (“Project Rosetta”) - GRG UK has been impacted by the past business review and redress exercise into the sale of interest rate hedging products (Project Rosetta). The Bank has given an Undertaking to the FCA that it will not foreclose on or adversely vary loan facilities without customer consent during the period of the review. GRG customers represent approximately 20% of the Rosetta population.
Furthermore there is a risk that conflicts may arise between the Bank's Policies (most notably, Credit Risk Mitigation and Problem Credit Management) and the terms of the FCA undertaking as they relate to a moratorium on recoveries and litigation processes, as well as impacting the ability to restructure debt. GRG has established a dedicated team to ensure compliance with the Undertaking and liaise with the Project team. The Project team is independent of GRG. The methodology in relation to the conduct of the review has been agreed with the FCA and the formal review is in the early stages of commencement.

Conduct Towards our Customers - Vulnerable Customers and Complaint Handling assessments have been completed for all currently available chapters within the Conduct Risk policies. BRG and … deal with the Small to Medium sized business market and, whilst there is no specific GRG policy in respect of Vulnerable Customers (although this is currently in progress), GRG UK is effective through local management oversight and escalation of concerns or incidents to GRG Compliance. When a divisional policy is available it will be reviewed to identify any additional training and communication needs. Since Q4 2012 all complaints across UK businesses in GRG have been managed via Corporate Banking Division's Customer Complaint Centre (CCC), which is accountable for the recording of, and timely response to, the complaint. Quantitative data suggests that the CCC is handling GRG's complaints in a timely manner; however, recently a number of process and qualitative issues have emerged. These matters have been escalated to the Head of the CCC and will be managed closely.

EU Divestment - Since Santander UK withdrew from the purchase of the Divested business, arrangements have been established within the GRG project team as the RBSG Deal Team implements a revised strategy.
The GRG position is managed through a GRG project implementation board which comprises representatives of the affected businesses in addition to functional and project support, which in turn is represented on the RBSG Divestment Directorate sponsored by the RBSG Main Board. The situation is closely monitored by GRG OpCo, and issues that affect the GRG UK businesses are escalated through that forum to GRG ManCo and, if necessary, the RBSG Divestment Directorate.

Phase 2 of the Risk Assessment, together with the work currently being undertaken within GRG in respect of the Anti-Bribery and Corruption legislation, has, however, identified that SIG are not currently complying with the Procurement and Contract Management policy standards when it engages third party suppliers such as financial advisers and third party consultants (it does comply in respect of legal advisers and also in respect of the supplier of its equity database, eVenture). Typically it will be the customer who will engage with these parties, as a result of which volumes are not high and we do not believe this is an issue for SIG. We are, however, undertaking a fact find in relation to direct adviser appointments to agree a process moving forward to ensure compliance with these standards. Oversight of the SIG equity portfolio has continued to be strengthened via the ongoing embedding of the Company Secretariat (“Co Sec”) function. In addition to ensuring oversight of the cases within the Co Sec portfolio, including “Other Upsides”, the transfer of these cases has also enabled PMs to more proactively manage their remaining portfolio cases. In addition, full implementation of the CAP process has now taken place for UK Corporate cases within SIG, with the introduction of combined CAP reviews (to replace SCR and Equity Review) during June 2013.
Although there remains a vacancy for SIG in the US, the portfolio is fairly small following the transfer of 3 cases to the Quoted Portfolio Team in London as IPOs are expected to take place shortly. A review of the operating model with regard to Ulster Bank (for RoI cases) is being undertaken to determine the best way forward following advice from UB Tax that the approval for equity upsides needs to be made/documented in RoI to ensure UB receives the optimum tax position, although this is not expected to see a change to current processes. The potential loss of regulatory consolidation exemption remains a concern but SIG continue to work with GCA and GRG Finance to understand the position and consider ways to mitigate the impact moving forward. GRG Finance's concerns in respect of upsides which are accounted for as L&R (Loans and Receivables) have been discussed and are being addressed via the implementation of new processes to ensure that they are recorded. The SIG team has a high profile in the market, and are acknowledged as having a specialist skill set which is attractive to both other banks and private equity/hedge funds. With recruitment activity levels increasing, and approaches already having been made, there is a risk of high performers leaving the business.

Real Estate Restructuring (RER)
The current self-assessed rating is a 3 'Improving'. An improved rating was forecast in the H2 2012 CEC; however, whilst there have been improvements made with the closure of all three of the 'Significant' Orbit risk issues raised by GIA, there is still ongoing work to remediate the last remaining 'Important' GIA point. RER were reviewed by CQA at the end of 2012, which raised a number of 'Important' findings. From this four new RER risk issues have been raised and reported into Orbit in H1 2013:
1. Data integrity shortcomings around LGDs.
2. Incorrect recording of Provision / Stressed Loss on RMP.
3. Monitoring of annual review due dates and overdues.
4. Absence of a consistent approach to monitoring covenant and information compliance.

With continued improvements made to RER controls it is recognised that there needs to be a period of bedding down to ensure the processes implemented are satisfactory and allow the business to be able to identify risks and resolve them in a timely manner. We propose to close out the above risk issues within the agreed timeframe of 15th July and 15th October 2013. The close out of 3 of the 4 GIA issues, and enhancements made to RER's management and governance structure, suggests that RER has turned a corner in Management Control, and although we confirm that the 3 rating is appropriate for the business as at H1 2013, we believe there is a good argument for a 2 rating once the final GIA issue is fully closed out. In addition, RER continues to target a 2:2 rating by YE 2013 through a combination of embedding GRG wide processes and creating Real Estate solutions. Key projects/initiatives impacting the RER control environment are as follows:

Project Isobel - The impact on RER following completion of the Project Isobel transaction has been far greater than initially envisaged. This is as a result of the business requirement to manage the Project Isobel swap and subsequent provisioning process. RER has responsibility for the risk and defaulted swaps and provisioning, and provides a Senior Director at MANCO. The process involves considerable challenge from Non Core and Blackstone to align swap strategy to Isobel objectives. Bigger cases (Empire, Barchester) require tranche resourcing and ethical walls. There is ongoing review around resourcing in RER, albeit two or three key people remain Isobel specialists in the team. The Non Core ramp down and changes to their operating model will require a re-think of how RER manages Isobel.
RER have recommended to the GRG Executives for the Isobel Swap portfolio to be brought into the team to allow for greater visibility on impairments across the book, allowing us to address last minute provisions due to Blackstone selling an asset; however, there has been some resistance from GRG Credit and the debate is still ongoing.

KYC remediation programme - RER continues to work closely with the GRG KYC Team as part of the ongoing work to remediate all high, medium and low risk KYC cases. The appropriate systems have been implemented and embedded in RER with all 'Phase 1' cases fully compliant, which means they have either been remediated or have a sanctioned postponement/deadlock. RER's internal process has been further ratified by GIA sign-off on the risk issue relating to RER KYC.

Property Database - The 1.5 project aims to deliver a strategic data repository and MI tool for the management of RBSG and Non Core property globally. This will ultimately demonstrate complete understanding and management of its property exposure and problem property portfolio to both external and internal stakeholders. The RER team have been involved heavily in the design of the system and data enablement, which has impacted on staff resource; however, all deadlines and training have been completed on schedule.

Project Rosetta - Project Rosetta is a Bank-wide programme managing the FCA review into the mis-selling of Interest Rate Hedging Products. This has resulted in additional delivery of information across the RER portfolio. A number of our clients have been directly impacted, and the RMs impacted have followed the directives as set by the FCA. RER has also been impacted by inadequate record management due to the volume of files in from Iron Mountain which could not be securely locked away overnight.

West Register
West Register is declaring a CEC rating of 3 for the H1 2013 period; this rating has remained stable.
The business has a number of initiatives in place to ensure that all material risks are identified and managed within appetite. Although not in the strict sense, the business effectively employs three lines of defence. This approach not only ensures that risks are identified and managed, but ensures that the rationale by which the business self evaluates is challenged and tested. A breakdown of these initiatives across each stage of the 'risk lifecycle' is illustrated below.

Identify - Risk Assessment Initiatives:
• Operational Risk Assessment
• Conduct Risk Assessment
• Commercial (Property) Risk Assessment
• Health & Safety Risk Assessment
• Control Environment Certification (CEC)

Managing and Remediating Issues - Governance and Oversight Structure:
• Risk and Controls Issues Management Forum
• Asset Purchase (APP) Committee
• Strategy and Credit Review
• Global Health & Safety Coordinator

Testing and Challenge - External Evaluation:
• GRG Risk
• Group Internal Audit
• Group Assurance
• Divisional Policy Standard Owners

GRG Ireland (GRGI)
In assessing ourselves as a 3 rating GRGI are conscious of other areas in UBG having self assessed as 4 and have carefully considered our position in the wider UBG context, as well as benchmarking ourselves against GRG globally. The main drivers for the UBG position are continued weakness in IT Continuity plans, TOM restructure and concerns in relation to outsourcing arrangements in place. Other contributing factors to the UBG 4 ratings include the uncertain outcome of Fitness & Probity reviews on the Business and the lack of skilled resources to deliver the improvement plans in tandem with dealing with TOM restructures. GRGI are in a better position than other comparable UBG business units in each of these areas, as noted below:
- IT continuity - undoubtedly this is a concern for UBG and does impact GRGI. However, our handling of the summer's technical incident demonstrates a control environment within the Business that can react and deal with significant challenges. We were able to quickly implement a robust incident management framework, stayed close to our customer base and came through the incident with minimal impact on the Business. This is evidenced through a very low level of complaints and claims arising through the redress programme and the fact that operational and credit losses arising as a result of the incident were small.
- TOM - GRGI restructure is due to complete in early 2013 and the impact (5 FTE) is much less than in the context of other UB units.
- Outsourcing - Although the Credit process for large exposures is managed in GRG UK, all transactions are subject to local approval by a UBG approved official. There are no other material outsourcing arrangements in place in GRGI other than IT systems.
- Fitness & Probity in GRGI is unlikely to have any material impact on the Business as the vast majority of GRGI staff have been assessed as Fit and Proper for role. We do face similar challenges on a resource gap to deliver the improvement/overhaul plans that we have put in place and also to ensure the Finance area is adequately resourced to meet their expanding deliverables, but we do have it within our own gift to address this quickly within our current approved headcount number of 403.

Having considered the wider UBG challenges and balanced these against the core GRG case management processes which are working effectively within GRGI, we are satisfied that, on balance, a Control Environment rating of 3 is appropriate. GRGI management recognise that further targeted actions are required to improve its control environment rating to 'Acceptable'. GRGI has plans in place to continue to enhance and embed its risk management approach, address and remediate outstanding control issues, continue to right size the business to manage remaining growth in the book and meet its ongoing regulatory requirements.
GRGI has established governance controls consistent with other GRG BAU control frameworks, and has established a number of fit for purpose controls with which to manage cases across its enlarged portfolio including Strategic Credit Reviews, periodic credit reviews, cash flow completion and excess monitoring. GRGI also implemented its Credit Operating Model in 2012 with a dedicated team in the UK reviewing all cases over 20m. Decisions on facilities under this level are made locally and there is also a Credit Oversight process in place to provide regular review.

GRG EMEA
Over the past 3.5 years significant progress has been made to develop and improve the GRG EMEA operating model and control environment. On the back of GIA and assurance testing reviews several actions were taken to address risks and close control gaps. Examples of that include the implementation of a middle office function, embedding the excess management process, a KYC process and the handling of legacy cases, improvement of MI and key risk indicators, (Credit stewardship) training of RMs to improve data quality and understanding of our risk models, etc. Throughout 2012, Credit Quality Assurance (CQA) tests were completed in nearly all GRG EMEA countries, including the Netherlands, Germany, Turkey, Romania, UAE and Spain, and Operational Risk assurance tests were completed in Turkey and Romania. No major or significant findings have come out of these reviews. For this year an Operational Risk assurance test of the Amsterdam office is scheduled for July, and these results will be taken into account in the H2 certificate. In January of this year, risk assessments of 3 key processes in EMEA were completed and signed off by the business and GRG Risk. On the back of these assessments 3 issues were raised in Orbit.
Strong progress is being made in addressing the issues and during this first half, 2 issues were closed. Another 16 priority 2 and 3 risk assessments have been completed in June, and will be signed off early July.

KYC – The topic has been high on the priority list again this first six months and will be a key priority for at least the remainder of the year. The Triton project has officially been closed, whilst not all cases have been reviewed yet. A new programme called PR2013 has kicked off to refocus the programme on the next priority cases. Since January 55 EMEA cases were reviewed and another 57 cases were fully exited from the bank's systems. Currently 18 cases are outstanding for review and 23 cases still have to be exited. All these cases are carefully tracked through a postponement process, which is overseen by the GRG COO. The execution of exits is not within the control of GRG: this process is fully managed by the exit team.

IB Middle Office support – Discussions are taking place with the IB Middle Office to offshore pre-sanction (such as setting up facilities) to India. A form has been created by the MO that should be completed by RMs to instruct MO in India. Concerns have been raised by the GRG EMEA COO team that completion of this form will be time-consuming and a significant step back from how we operate today. A meeting is being scheduled to agree the approach.

Loss Data – New loss data actions are addressed by the COO team immediately. Current issues are: i) the COO Team sends email to Team Leaders/Country Heads to follow up and approve actions as soon as possible – we see some delay in Team Leaders/Country Heads approving these actions; and ii) the GRG COO Loss Data Team has a backlog (230, of which 160 EMEA) in completing other loss data actions – (temp) staff have been hired in the team to reduce this backlog by year end.

Unicorn – Russia migration was completed on 31 May 2013, leaving Romania as the final GRG country to be migrated to [...] in September 2013.
Run down of the tail is managed tightly through the NV Tail Committee, of which the GRG EMEA COO is a member.

GRG Americas

The overall self-assessed rating of the robustness of the internal control environment for GRG Americas remains at 2, consistent with the previous rating of 2 in H2 2012. The 2 rating reflects a low number of outstanding Orbit risk issues; significant progress made to close risk issues; proactive risk management; positive Assurance Testing, CQA reviews and regulatory exam feedback; and continued enhancements to the regional control environment and operating practices. The Latin America Portfolio is a subset of the overall GRG Americas portfolio and has been rated independently for historical reasons. Previously in H2 2012, Latin America was rated 3 separately given a large number of incomplete KYC reviews and poor data quality issues. Substantial progress was made to address these two issues in the second half of the year. Both issues were closed at the end of 2012. Following the return of the non-distressed LatAm cases to the line, only 5 LatAm cases remain under GRG Americas management, with the level of exposure relatively small. While overall risk is minimal, it should however be noted that there remain some residual business risks associated with the portfolio (e.g. Brazil country risk and the lack of Portuguese speaking RM resource). Thus, the self-assessed rating of the internal control environment for LatAm is 2 for H1 2013, consistent with the overall GRG Americas rating.

GRG Asia Pacific

GRG Asia works with various departments within the bank and relies on their functions/services including: Group Legal, M&IB regulatory/compliance/operational risks, non-core finance, core finance, CEM, operations and middle office, Business Continuity Team, and RDDM Team.
While there have been high levels of reliance on these functions, there have not been any significant issues raised with regard to the day-to-day activities or the risk/control environment. Risk management processes and internal controls are acceptable in identifying, addressing and mitigating material risks. Controls are operating satisfactorily with no material deficiencies noted. There is an acceptable control environment with adherence to policies, standards, and procedures.

GRG COO

There has been a significant amount of progress made on a number of objectives within the COO function during H1 2013 whilst facing increasing pressures from a capacity and headcount perspective. Although we continue to make good strides with regard to our top risks, issues management, risk assessments and DPSO activities, our overall CE self-assessment rating remains a 3 (Needs Improvement). This rating acknowledges that a number of key activities still require further development; in particular, there is much more work to do in order to ensure most of our material risks are appropriately mitigated and are managed in line with Group Policies such as Information Security and Records Management. We continue to work with CBD and M&IB to understand who has accountability and responsibility for the different aspects of AML so that GRG have absolute clarity as to what activities we need to perform. In addition, the second phase of our Risk Assessment programme needs to be completed and further progress needs to be made with regard to the KYC remediation, Loss Data Collection BAU activities and the MI&DQ Programme. Project Jones is being designed to help improve all of these aspects, and move us towards a CE of 2.
In summary, the aspiration of the COO function over the next 6 to 12 months is to reach a 2 level (Acceptable); however, before we can consider rating ourselves at this level we need to deliver on some of our key control priorities for 2013, which are outlined within this certification document.

GRG Finance has self-assessed an overall control environment rating of 3 for H1 2013 (3 for H2 2012). This has been determined after full consideration of the risk and control environments for each of the five Finance units (as detailed below), and key metrics and supporting data at 31st May 2013, and is despite the completion of the ProApp roll-out for GRG globally, apart from GRGI where it is now in progress. No material risks or issues have been identified in the period; however, the rating is unchanged from H2 2012 and the key factors that underpin this overall rating are:
• Manually intensive requirements of the provisions processes in GRGI;
• Improvement in business processes and controls required in GRGI;
• Outstanding appointment of a Head of Finance in GRGI (interim is in place to August 2013);
• Under resourcing in GRGI, with 2 vacancies currently;
• Provisions Control to close two Addressing Issues on ProApp re Target Operating Model and Control Framework. The target completion date for these is 31st July 2013.

GRG Risk

The overall rating for the GRG Risk function Control Environment remains a level 3. Significant progress has been made during H1 2013 in terms of the Risk function completing delivery of a number of key Risk framework and project related activities. There remains more to do in terms of implementation of the Conduct Risk and Operational Risk frameworks as well as the continued implementation of GPF across GRG.
The GRG Credit Risk team is now well embedded and is acting as the second line of defence for cases above £20 million, representing approximately c.70% of the value of the overall portfolio. Executive approval has recently been received for the establishment of a locally based credit sanctioning team in GRGI – we intend to implement this in H2. Effective from 1st June 2013 the Non Core Compliance and Non Core Operational Risk teams have moved across to GRG Risk. This will enable an increasing resource focus on GRG as the Non Core Division continues its wind down activity for the remainder of 2013, whilst ensuring that the Non Core Risk function continues to be able to meet its delivery and operational requirements. Significant progress has been made during H1 2013 with respect to the implementation of the Conduct Risk Framework (being driven by Group) across GRG. Positive progress has continued during H1 2013 to address and close the Operational Risk framework gaps and (most notably) Issue Management processes have been significantly enhanced; as a result the past due issues trend has materially reduced from 15 past dues at the end of February 2013 to 4 as at the end of May 2013. In terms of Policy and Process, the Head of GRG Policy & Process has continued to address the various GPF implementation requirements with a current focus on policy standard assurance approaches. The Wholesale Credit Control Framework (CCF) forms an integral part of the CEC H1 2013 return through the undertaking of a robust, comprehensive and consistent assessment of the credit control environment across GRG. A material amount of work has been undertaken in reviewing the GRG CCF and benchmarking it to the minimum standards set out by Group Credit Risk. Within the Risk function, processes are in place for managing headcount and budget as well as managing the delivery of the Risk Operational Plan.
The Risk function has continued in H1 2013 to drive through a number of enhancements to the divisional GRG RCC to improve visibility of the risk profile across GRG as well as enabling more focused discussion on the mitigation and status of these risks. To a great extent the timing of a rating upgrade to a "2" rating for GRG Risk will be driven by progress made to complete rollout of the Compliance, Operational Risk and Policy and Procedures frameworks and key deliverables, as well as continuing to ensure that there is a robust oversight approach and framework in place for GRGI. At this point we expect this timeline will be 6-12 months.

Citizens

The GRG Citizens portfolio currently consists of $1.87 billion in net book balance with 1541 customers. Year to date 2013 migrations have amounted to $256.2 million and 109 customers. For the H1 2013 CEC, our overall rating remains a 2 (Acceptable). This rating is supported by compliance with the Tier 1 policy standards, the low level of open issues assigned to GRG Citizens, as well as the fact that the quarterly control testing performed has not identified any material issues related to our key controls. We currently have six open important rated issues which pertain to a 3rd party vendor review.

Divested

The Divestment of RBS England & Wales, NatWest Scotland did not complete in 2012 as expected when Santander withdrew from the sale in October 2012. Since that time the planning assumption has been to prepare the Divested business to be able to operate as a stand-alone entity that could be sold or floated. Work is progressing on identifying what will be required to segregate all systems and processes. As part of this process Divested GRG have been fully engaged in the Target Operating Model workstreams. Once in place it is envisaged that all Risk functions will be managed by the Divested COO for GRG.
Until that time the GRG Divested business remains wholly reliant on the shared services of GRG Retain for all central, operational and risk functions. The risk and control governance for the Divested business is aligned with that of GRG Retain, with risks being identified and appropriately managed. The overall rating of this Certificate reflects that of GRG UK. The rating was marked a 3 in H2 2012 due to the amount of Gap Analysis that needed to be completed and the unknown extent of actions that would need to be carried out. The rating continues for H1 2013 due to the improved Issue/Operational Risk management being counterbalanced by the amount of project change hitting the business over the next six months. We are included in the GRG RCC and IRM monthly, which ensures we are included in discussions around the identification and management of Risks that apply to Divested GRG.

Group Policy Standard Assessment Status

Summary of Effectiveness Results by Number of Policy Standards

Division / Business: GRG
Tier One – Effective or N/A: 14; Not Effective: 9
Tier Two – Effective or N/A: 8; Not Effective: 6

The relatively high overall number of Policy Standards reported as Ineffective for the Division is a reflection of the detailed work carried out over the last year by the various GRG DPSOs around identification of gaps against policy standards and work to agree with Group Policy Standard Owners and embed a risk based assurance approach. This however masks a significant advancement in the understanding of the Control Environment within the division. Closing these gaps will remain a key focus, with the majority due for completion by the end of 2013.
The main areas of non-compliance are highlighted below:

All Compliance related Policy Standards have been marked as Ineffective, reflecting a number of findings from the detailed Group-led gap analysis and risk assessment activity undertaken by all GRG businesses in H1 2013 and the fact that assurance activities remain to be tailored and completed on a number of chapters. This includes:
• The Conduct Towards our Customers policy standard and the Vulnerable Customer Chapter (around assurance activities; need to build a compliant Vulnerable Customer process) and Complaint Handling Chapters (assurance activities to be tailored and completed) in particular;
• The Corporate Conduct Policy Standard, as GRG continue to have material issues logged in ORBIT in relation to non compliance with AML/Sanctions - remediation is still in progress, and significant gaps around Anti Bribery and Corruption in particular; assurance work is planned in H2 2013.
• The Market Conduct Policy Standard, where new significant issues have been raised around Conflict of Interest (encompassing assurance, the absence of a Restricted List policy, the need to introduce periodic review of Trigger transaction lists by Compliance and the need to improve record keeping of Conflicts) and Handling Confidential Information (encompassing the drawing up of a GRG Policy and keeping business procedures abreast of regulatory changes).
• The Employee Conduct Policy Standard, as issues have been uncovered in the Personal Account Dealing review with significant changes required and several issues found around Training and Competence.
• Regarding the Information Security and Record Management Policy Standards, high level gap analyses conducted in Q4 2012 identified a significant amount of non compliance across GRG. To address these, CBD, working with GBS (CSS), have agreed to support GRG, in terms of resource, infrastructure and experience, in becoming policy compliant.
A service proposal has been agreed in principle by GRG Op CO and ManCO, with a more detailed action plan in the process of being developed. Compliance is targeted during 2014.
• In the case of the Group Data Quality Policy Standard, relevant ORBIT issues emerging from the Gap Analysis have been raised, a Management Information & Data Quality workstream set up to address the non-compliance and other DQ and local remediation initiatives launched; the division continues working on its KPIs for its Key Data Elements. Compliance is expected by the year end.
• In the case of Contract Management, gaps have been identified and an overall plan to reach compliance by the end of 2013 is being discussed with the GPSO, including clarifying which contracts are in scope for GRG, introducing procedures (e.g. completion of SIA, etc.), and the use of templates for contracts.
• IT Continuity: the overall rating has been marked as "Ineffective", reflecting gaps in the IT Continuity requirements relating to GRG developed applications and the fact that testing schedules and operational procedures to be invoked during IT continuity tests and during a disaster still need definition.
• Substantiation and Reconciliation: the policy standard has been effectively implemented in most areas other than: the management of Re Accounts, where segregation control requirements are not always respected (with a GRG-wide solution being developed as part of GRG's Target Operating Model project); a specific issue around controls over the valuation of the AA Genco assets; and current limitations of the ProApp model.
• Operational Risk: GRG is yet to roll out Scenario Analysis and some aspects of the Risk assessment standard (notably trigger event management); planned for H2 2013.
• Fraud Prevention: GRG has completed its gap analysis against this standard with gap areas now essentially closed; the ineffective rating stems from the fact that GRG has yet to agree a risk based assurance approach with the Group Policy Standard Owner. Compliance is expected in H2 2013.
• Payment Security: whilst most Policy Controls are outside the remit of GRG to influence, the Policy Standard has been marked as ineffective, reflecting that GRG has yet to confirm that the bespoke processes employed are fully compliant with Policy and the proposed assurance approach is under review by the Group Policy Standard owner. Compliance is expected in H2 2013.

Appendix 1 – GRG Business and Functions CEC Ratings H1 2012, H2 2012, H1 2013

Business / Function           H1 2012   H2 2012   H1 2013
GRG UK                           3         3         3
Real Estate Restructuring        3         3         3
GRG Ireland                      4         3         3
Risk                             3         3         3
EMEA                             2         2         2
Americas/Citizens                2         2         2
West Register                    3         3         3
COO                              3         3         3
Finance                          2         3         3
SIG                              2         2         2
Asia Pacific                     2         2         2
Divested                         2         3         3