Group Internal Audit
West Register
June 2011
Global Restructuring Group

To:
From:
Audit Team:

www.group.rbs.co.uk/gia

Executive Summary

Global Restructuring Group (GRG) is responsible for managing the Group’s material exposure to wholesale problem debt. West Register Property (WR) is the vehicle used by GRG to acquire property assets from distressed situations, where GRG determine taking ownership to be the best course of action to maximise the Bank’s ultimate recovery. WR’s objective is to maximise investment returns by managing their property portfolio by collecting rental receipts and making payments and disbursements when due. WR seeks to exit properties via a future commercial sale in order to extract maximum economic value when market conditions permit. This can often result in a capital gain in relation to the original property acquisition transaction and may represent upside return to the Bank. WR management is primarily Great Britain (GB) based but also has operations in EMEA, Asia Pacific, Americas [1], and Ulster Bank.

Following the economic downturn and the property market fall, WR has seen rapid growth in the size of the property portfolio it manages. WR now manages 177 cases (circa 6,500 properties) with a total value of £2.3bln as at 31 Dec 2010 [2]. Whilst WR is only equivalent to 3% by value of the total GRG portfolio of £65.1bln [3], the WR risk profile has increased due to the growth in the number of properties the team is managing and the additional overseas locations that WR now operates from.

In February, the Head of GRG appointed an experienced Interim Global Head of WR to lead and provide management oversight to the Global WR team. At this stage a global operating model for WR did not exist. The new Interim Global Head of WR took up his position at the same time as we started this audit in March.
Therefore when concluding we have recognised that the Interim Global Head of WR is in the process of defining and implementing a global operating model and consolidating the WR portfolios.

The objective of this audit was to assess whether the key controls used by WR to mitigate the risks inherent in managing its portfolio of properties are fit for purpose, operating effectively and sustainable. We also reviewed WR’s plans to roll out its operating model and WR (GB) Policy & Procedures globally, to assess timelines and suitability. The scope of our audit also included Citizens Financial Group’s (CFG’s) portfolio of Other Real Estate Owned (OREO) assets which are also maintained on the Bank’s books and records. The full scope of this audit is set out in Appendix 1.

Rating summary [4]

[Rating scale graphic: Control Environment and Management Control Approach, each shown on levels 1 to 5]

We have rated WR’s Control Environment (CE) as a Level 3 (Needs Improvement), reflecting the two Significant issues we have identified during our audit. The issues we have identified relate to weaknesses in WR’s governance and oversight of its global property portfolio.

WR does not have a global operating model for its overseas jurisdictions. For instance, the GRG Real Estate Recoveries (RER) team currently manage the German property portfolio (valued as at the end of 2010 at £1.394bn [5] and representing 65% of WR’s global portfolio) outside of a defined WR operating model and policy & procedures. WR Asia Pacific (APAC), Americas, Ireland and Germany do not have established policies and procedures, defined reporting lines, and defined roles and responsibilities including staff objectives specific to WR.
The overseas WR offices report into their local Heads of GRG which represents a failure to segregate duties and establish a defined reporting line into the Interim Global Head of WR.

[1] Americas – CFG OREO (Other Real Estate Owned)
[2] As per Q4 GRG Strategic Property Group Committee papers
[3] GRG data from GRG MANCO pack as at 31 January 2011 (note: the GRG portfolio does not include the WR portfolio)
[4] A full definition of the Control Environment & Management Control Approach Ratings can be found in Appendix 3
[5] Source: Q4 GRG Strategic Property Group Committee papers
11RIS017 Page 2 www.group.rbs.co.uk/gia

WR does not have adequate management information (MI) to allow senior management to effectively monitor the total global WR property portfolio. Further, GRG management have not defined the roles, responsibilities and interrelationships between the Strategic Property Group Committee (SPGC), the APP (Asset Purchase Proposal) Committee and the WR Germany Advisory Board.

We reviewed 20 GB cases. We found the WR (GB) controls to be adequate and effective, and that the case managers are complying with the WR (GB) policies and procedures, rolled out in April 2011. GIA consider the WR (GB) policies and procedures are fit for purpose and suitable for rolling out globally, subject to local requirements. We reviewed 9 overseas cases (2 in Frankfurt, 5 CFG OREO properties and 1 each in APAC and Ireland) and found jurisdictional differences exist in ownership and Asset Management. WR needs to capture these differences in its global policies and procedures to ensure that the operating model in each location complies with local regulations.

Our CE rating also recognises the actions the Head of GRG has taken to manage the growth of the WR property portfolio. He appointed an Interim Global Head of WR, in March 2011, to lead the Global WR team and provide strategic overview of the portfolio.
The Interim Global Head of WR is looking to strengthen the governance framework and roll out an operating model for WR globally. A consistent global operating model and policies and procedures that reflect local regulatory and legal requirements are key to WR senior management having effective oversight and management of the WR global portfolio.

We have rated WR’s Management Control Approach (MCA) as Level 3 (Needs Improvement), to reflect that additional work is required by WR senior management to enhance WR’s framework for identifying risk and weaknesses in internal controls globally. The roll out of a global operating model and governance framework will allow management to pro-actively identify and manage control deficiencies such as those we have raised in this audit. WR GB currently submits its risk report to the GRG RCC monthly, which the RCC members review and discuss on a quarterly basis. As part of the global operating model WR need to update this report to cover the global WR portfolio so that senior management have oversight of global WR issues.

We have raised the following Significant issues:
• Lack of operating model for overseas WR jurisdictions. GRG does not have an effective operating model and established adequate policies and procedures, to manage WR Property cases under WR control in overseas (non GB) jurisdictions. As a result, WR management cannot consistently and effectively manage its portfolio of non GB property investments in order to maximise upside potential for the Bank.
• GRG and WR management have weaknesses in the governance and oversight of the WR property portfolio. WR does not have adequate or complete MI which reports the total global WR property portfolio by value and number of cases in each jurisdiction. Further, GRG management have not defined the roles, responsibilities and interrelationships between the Strategic Property Group Committee (SPGC), the APP (Asset Purchase Proposal) Committee and the WR Germany Advisory Board.
This increases the risk that senior management lack effective governance and oversight of the WR property portfolio. As a result, WR senior management does not have effective oversight of the property portfolio and may make inconsistent or inappropriate decisions over asset acquisition, case management and disposals. This may lead to financial loss as a result of sub-optimal decision-making.

Summary of audit issues raised

Issue | Control Issue | Major | Significant | Important
1 | Lack of operating model for overseas WR jurisdictions | | X |
2 | Weaknesses in the governance & oversight of the WR property portfolio | | X |

Control Issues [6]

1. Lack of operating model for overseas West Register (WR) jurisdictions
Impact: Significant

Global Restructuring Group (GRG) does not have an effective operating model and established adequate policies and procedures, to consistently manage the WR Property cases under WR control in overseas (non Great Britain “GB”) jurisdictions. As a result, WR management cannot effectively manage its portfolio of non GB property investments in order to maximise upside potential for the Bank.

While WR GB senior management has established a GB operating model and policies and procedures [7], we have identified weaknesses and practices inconsistent with WR GB in the APAC (Asia Pacific), Americas [8], Ireland, and the Germany office within EMEA (Europe, Middle East and Africa). In addition, WR teams and resources are still to be recruited in Americas, Ireland and APAC.

During our audit we identified the following:
• WR APAC, Americas [9], Ireland and Germany do not have established policies and procedures, defined WR roles and responsibilities, reporting lines into the Interim Global Head of WR and WR objectives within individual personal development plans.
The overseas WR offices report into their local Heads of GRG which represents a failure to segregate duties and establish a defined reporting line into the Interim Global Head of WR. For example, the Head of GRG has confirmed the Head of GRG, Germany Hub should manage the GRG controlled property portfolio and the staff responsible for the WR property portfolio should report to the Interim Global Head of WR. We found that the Germany office had yet to implement this segregation of duties in Germany with both portfolios continuing to report to the Head of GRG Germany.
• Jurisdictional differences exist in ownership and asset management in Americas and Germany. These include restrictions on institutional real estate ownership in the US to no more than 5 years. In Germany a number of risks (Health & Safety, Insurance and Environmental) are the responsibility of the External Asset Manager (EAM) supported by PI (Professional Indemnity) cover. RER Germany are not monitoring that the renewal of PI cover is on time, that it includes these risks or that the cover amount is sufficient. WR should perform a gap analysis to capture these differences in the localised policies and procedures they plan to roll out to ensure that the operating model is fit for purpose and that the offices comply with local regulations.
• In Germany no Asset Purchase Proposal (APP) Committee is in place for approvals/disposals. Instead GRG management has set up an Advisory Board for ongoing monitoring/approvals/disposals. (The Head of GRG approved the Pegasus deal before GRG formed the Advisory Board.) Citizens Financial Group (CFG) GRG has not adopted an APP process. Instead, CFG GRG management has established and follows a formalized foreclosure bid process to manage the required due diligence.
The APP process is required to ensure WR management decisions over asset acquisition, case management and disposal are made consistently and appropriately, reducing the risk of financial loss as a result of sub-optimal decision-making.
• CFG OREO and WR Germany have not established an SCR process. In America CFG does not include OREO assets as part of the SCR process. Instead, OREO management uses the Asset Disposition Plan (ADP) to guide ongoing management and sale of real estate property. WR Germany uses the quarterly Advisory Board meetings to review the owned property portfolio and also relies on the annual credit review process to review the cases. However, the annual review for Pegasus (over 90% of German portfolio value) is overdue by 7 months.
• WR Germany and OREO assets disposed of within CFG do not obtain Know Your Customer (KYC) clearance for asset sales from the GRG KYC team in respect of sanctions screening. Failure to obtain KYC clearance may lead to financial loss and regulatory censure as a result of not complying with Anti-Money Laundering (AML) regulations.

[6] See Appendix 4 for Issue Classification Matrix.
[7] WR (GB) Policy & Procedures Manual – Issued April 2011
[8] Americas – CFG OREO (Other Real Estate Owned)
[9] CFG OREO follows documented OREO policies and procedures.

This issue has arisen owing to the growth in overseas West Register transactions and the Interim Global Head of WR not being appointed until March 2011.

Issue Owner: Interim Global Head of West Register

Agreed Action Plan
Overall Due Date: 15 December 2011

WR Operating Model:
- Policy & Procedures
- Role Profiles & Objectives outside WR GB
- Reporting Requirements
- Oversight Responsibilities

• The GB policy and procedures manual to be circulated to the respective areas with a gap analysis being undertaken so that all relevant areas are amended so that practices are relevant to local regulations.
Local for each WR to be in place by to December 2011.
• Role profiles and objectives in place for all WR staff (globally).
• Reporting requirements for global locations to be established with reporting via the enhanced SPGC pack.
• Oversight of the WR jurisdictions via the weekly call meetings between Global Head of WR and Heads of local WR jurisdictions.

Reporting Lines into Global Head of West Register -- The WR team in Germany reporting to -- has now been separated from the restructuring team. - report to the Interim Global Head of WR until the permanent role holder is appointed. In Ireland, as Ulster Bank is a separate legal entity, -- will continue to report to _ with a matrix line to the Global Head of WR.

APP in Germany -- All requests for approval to acquire or sell assets are now routed through the APP forum. The APP Terms of Reference was approved at the SPGC meeting on 27 May 2011.

are case and WR Germany process -- The SCR secretariat in the UK has arranged an SCR panel through which the non UK cases (excluding CFG OREO) will be heard. An SCR date for CFG cases is to be arranged. For CFG OREO, GIA will await an update from the new Global Head of WR after 17 October.

WR Germany and OREO assets disposed of within CFG do not obtain Know Your Customer (KYC) clearance for asset sales from the GRG KYC team in respect of sanctions screening -- The GRG policy team is updating the guidance in respect of KYC requirements for sales of assets.

Prime Group Policy: Identifying and Managing Our Credit Risk
Prime Group Policy Standard: Group Credit Governance Reporting and Audit
Entity affected by this Issue: Global Restructuring Group
RBS N.V. Impact (Yes/No): No
Country to which this Issue relates: Americas, APAC, Ireland, Europe (Germany)
Issue also relevant to: N/A
Issue also relevant to: N/A

2.
Weaknesses in the governance and oversight of the WR property portfolio
Impact: Significant

Global Restructuring Group (GRG) and West Register (WR) management have weaknesses in the governance and oversight of the WR property portfolio. WR does not have adequate or complete Management Information (MI) which reports the total global WR property portfolio by value and number of cases in each jurisdiction. Further, GRG management have not defined the roles, responsibilities and interrelationships between the Strategic Property Group Committee (SPGC), the APP (Asset Purchase Proposal) Committee and the WR Germany Advisory Board. This increases the risk that senior management lack effective governance and oversight of the WR property portfolio. As a result, WR senior management does not have effective oversight of the property portfolio and may make inconsistent or inappropriate decisions over asset acquisition, case management and disposals. This may lead to financial loss as a result of sub-optimal decision-making.

We reviewed the last two quarters’ GRG Strategic Property Group Committee (SPGC) MI and found limited management reporting on the global WR portfolio and also inconsistencies in reporting. During our audit we identified the following:
• GRG senior management relies on the SPGC pack to oversee the global WR property portfolio. This pack includes details of both the WR property and the GRG controlled property portfolios. GIA were unable to differentiate between the two portfolios to understand which assets are part of the WR portfolio and which assets are part of the GRG real estate portfolio. For example, section 4 GRG Controlled Property (WR UK Portfolio) appears to be a mix of reporting on both, with WR Asset Purchase Proposal (APP) reporting and reporting of Project Blade – a GRG controlled portfolio.
• The MI in the SPGC pack focuses on top 5 or top 10 cases only.
No MI contained a detailed portfolio breakdown on the global portfolio by case/value. This limits the Interim Global Head of WR’s oversight of the entire WR property portfolio and ability to understand the risk in each portfolio in each jurisdiction.
• Inconsistency of reporting of WR Property GB portfolio between SPGC pack and WR Property UK Report. Assets under management £667m (WR Property UK Report, Jan 2011 report, page 8) v £409m (GRG WR portfolio value per the GRG SPGC pack, 28 Feb Committee, page 14). This misleading portfolio information is a result of differences in reporting of the WR JV (joint venture) and wholly owned subsidiary portfolios.

We also reviewed the Terms of Reference (TOR) for the SPGC, the WR (GB) Policy and Procedures and the GRG RER (Real Estate Recovery) property management processes. During our audit we identified the following:
• The Head of GRG needs to update the SPGC TOR to include membership of Interim Global Head of WR, to include sub-committees such as the APP Committee and the (WR Germany) Advisory Board, and to include and define applicable WR locations within its remit. This will ensure interlinks, mandates and approval authorities between the committees are explicitly defined and committee members are aware of their roles and responsibilities.
• The WR (GB) Policy & Procedures Manual (April 2011) states that the APP Committee is a sub-committee of the SPGC and operates under defined operating guidelines/delegated authority from the SPGC. However, the APP Committee does not have a TOR to reflect this. As a result, no one has defined the delegated authorities for the APP Committee which could lead to GRG making unauthorised decisions.
• The Advisory Board in Germany meets quarterly to review the owned property portfolio. No Terms of Reference for the Advisory Board exists and it does not formally report through to the SPGC. This lack of oversight may lead to inappropriate strategy decisions.
This issue has arisen owing to the growth in overseas West Register transactions and the Interim Global Head of WR not being appointed until March 2011. The recently appointed Interim Global Head of WR is in the process of establishing an effective governance framework, including a consolidated MI system to track, record and report the complete property portfolio.

Issue Owner: Interim Global Head of West Register

Agreed Action Plan
Overall Due Date: 15 December 2011

Strategic Property Group Committee pack -- The composition of the pack has been amended since the audit commenced and is now clearer in terms of asset breakdown and portfolio reporting. Further improvements are being implemented and the content of the pack will continue to develop to give greater clarity on the WR portfolio for all stakeholders.
Due date: 30 October 2011 (the next quarter meeting date)

SPGC and APP Terms of Reference -- The SPGC TOR to be updated to include the membership of the Global Head of WR, to include sub-committees such as the APP committee and the (WR Germany) Advisory Board and to include and define applicable WR locations within the committees remit. A new APP TOR was approved at the 27 May 2011 SPGC meeting and amendments will continue to be made as staff changes require. Next revision due at SPGC meeting on 27 July.
Due date: 15 December 2011

Advisory Board Terms of Reference -- The advisory board is for the Pegasus portfolio and not a generic advisory board. The point is correct that there is no agreed Terms of Reference although this is being prepared and will be completed by mid August.
Due date: 15 August 2011

Prime Group Policy: Identifying and Managing Our Credit Risk
Prime Group Policy Standard: Group Credit Governance Reporting and Audit
Entity affected by this Issue: Global Restructuring Group
RBS N.V. Impact (Yes/No): No
Country to which this Issue relates: GB, Americas, APAC,
Ireland, Europe (Germany)
Issue also relevant to: N/A
Issue also relevant to: N/A

Appendix 1: Scope

Global Restructuring Group (GRG) is part of Restructuring and Risk Division and is responsible for managing the Group’s material exposure to wholesale problem debt. West Register Property (WR) is the vehicle used by GRG to acquire property assets from distressed situations where taking ownership is determined by GRG to be the best course of action to maximise the Bank’s ultimate recovery. The property acquisition transactions normally involve a forgiveness of debt and the properties acquired become wholly owned investments of the Bank. RBSG is therefore responsible for any risks and rewards associated with the portfolio of West Register properties.

WR’s objective is to maximise investment returns by managing its property portfolio by collecting rental receipts and making payments and disbursements when due. WR seeks to exit properties via a future commercial sale in order to extract maximum economic value when market conditions permit. This can often result in a capital gain in relation to the original property acquisition transaction and may represent upside return to the Bank. WR management is primarily UK based but also has operations in EMEA, Asia Pacific, Americas, Citizens and Ulster.

Following the economic downturn and property market fall out WR has grown exponentially. WR now manages 177 cases (circa 6,500 properties) with a total value of £2.3bln as at 31 Dec 2010 [10]. Whilst WR is only equivalent to 3% by value of the total GRG portfolio of £65.1bln [11], the WR risk profile has increased due to the growth in the number of properties it is managing and the additional overseas locations that it now operates from.
WR management has recently been strengthened with the appointment of an Interim Global Head of WR who is in the process of rolling out a revised and updated operating model and procedures throughout its locations.

The objective of this audit was to assess whether the key controls used by WR to mitigate the risks inherent in managing the portfolio of properties are fit for purpose, effective and sustainable. We also reviewed the plans to roll out the global WR operating model, to assess timelines, suitability and consistency with WR (GB) Policy & Procedures.

Our audit covered the key controls relating to:
• Governance including roles and responsibilities, objective setting, property performance management and training. Management oversight including WR and GRG committee structures.
• Asset Purchase Proposal evaluation and bid submission, including asset purchase proposal and Asset Protection Scheme (APS) approvals and bid letters.
• Asset Acquisition including obtaining legal title, buildings insurance, pre-completion checks and post completion requirements.
• Finance & Payments including invoice approvals, payment approvals, bank and general ledger reconciliations, rental income and receipts, management accounts review and fair value accounting.
• Asset Management including Strategic Credit Reviews (SCR), facility amendment process, ongoing property maintenance and Health & Safety.
• Disposals including WR approvals, APS approvals and KYC (Know Your Customer).

We recognise that WR is still embedding its operating model across the globe and have reflected this in our conclusions as appropriate. We have excluded the core GRG processes applicable to the banking/debt book as we cover these during separate audits of the debt portfolio.
[10] As per Q4 GRG Strategic Property Group Committee papers
[11] GRG data from GRG MANCO pack as at 31 January 2011

Appendix 2: Additional Circulation

The Final Report has also been circulated to:

Name, Title / Business Area
Nathan Bostock, Head of Restructuring and Risk
Derek Sach, Global Head
Chief Operating Officer, GRG
Head of Audit Risk and Strategic Projects
Head of GRG Citizens
Head of GRG Legal
Head of GRG North America
Deputy Head of Finance, GRG
Head of GRG Ulster
Director, SIG & WR Property (Asia), GRG
Head GRG EMEA
Chief Risk Officer, Non Core Division and APS
Senior Director, GRG Germany
Head 13le Property GRG
Head of GRG Germany
CFG, Chief Risk Officer
Head of GRG Asia Pacific
Head of Audit RBS NV

Appendix 3: Control Environment and Management Control Approach Ratings

Both the Control Environment (CE) and Management Control Approach (MCA) are rated on a scale of one to five (Strong, Acceptable, Needs Improvement, Weak and Unacceptable). The ratings definitions are described below. GIA consider these definitions in order to determine the appropriate rating for an individual Audit Report and the Audit Opinion at Reporting Entity, Division or Functional level.

Control Environment Ratings Definitions

Level 1: Strong
• Business processes are in place to identify all material risks.
• All material risks within the business are appropriately mitigated and are managed in line with Group Policies and stated risk appetite.
• The design of internal controls is adequate and sustainable in addressing all risks and the controls operate as intended.
• There are no systemic control failures and no material control issues.
• Business processes adhere in all material respects to policies, standards and procedures.
Level 2: Acceptable
• Business processes are in place to identify all material risks.
• Most material risks within the business are appropriately mitigated and are managed in line with Group Policies and stated risk appetite.
• The design of internal controls is adequate, with the controls operating as intended, in addressing most material risks.
• There are no systemic control failures.
• Business processes adhere, in most material respects, to policies, standards and procedures.

Level 3: Needs Improvement
• Business processes are in place to identify most material risks in the business.
• Many material risks within the business are appropriately mitigated and are managed in line with Group Policies and stated risk appetite.
• The design of internal controls requires improvement and/or the controls require improvement, if they are to operate as intended.
• There are some material control issues but these have not led to systemic control failures across the business area(s).
• Business processes require improvement if they are to adhere in all material respects to policies, standards and procedures.

Level 4: Weak
• Business processes are in place but are not sufficient to control and/or mitigate material risks in the business.
• The design of internal controls is inadequate and not sustainable in addressing many material risks and/or the controls do not operate as intended.
• There are material control issues and these may lead to a systemic control failure.
• Business processes do not adhere to policies, standards and procedures in many material areas.

Level 5: Unacceptable
• Business processes are not in place to control and/or mitigate most material risks in the business.
• The design of internal controls is neither adequate nor sustainable in addressing risks.
• The controls neither operate as intended nor are sustainable.
• There are systemic control failures and material control issues.
• Many business processes do not adhere to policy, standards and procedures.

Management Control Approach (MCA)

The MCA rating provides a measure of the overall approach taken by management towards internal control within each Reporting Entity, Division or Function. The factors described below indicate a Strong MCA rating.

Control Framework and Governance
• Management has created a framework within which to manage their risks and internal controls.
• Effective governance over the results of these activities exists through management supervision and Risk Committees.

Risk and Control Identification and Assessment
• Management has established effective and sustainable processes to identify risks and evaluate the adequacy and effectiveness of controls in business processes.
• These self-assessment processes incorporate the Group’s Policy Framework and support the Control Environment Certification Process (CEC) sign-offs.
• Weaknesses in control identified through the assessment and testing are recorded and evaluated appropriately.

Corrective Action Plans
• Weaknesses in control identified as a result of the above processes are:
  - Subject to action plans that are on track;
  - Closed in an appropriate timeframe or accepted where appropriate, for the risks involved subject to governance;
  - Considered for broader relevance across the business and action is taken where necessary.

Reporting and Escalation
• Weaknesses in control identified are escalated to line management and reported on using the appropriate mechanism.

Appendix 4: Issue Classification Matrix

Impact categories

Financial: Actual or potential impact on the Group’s reporting of:
• financial performance;
• regulatory capital;
• financial position; or
• Risk Weighted Assets (RWAs)
arising from an internal control breakdown that results in an erroneous loss or gain and / or a financial misstatement.

Customer (inc. employees and 3rd parties): Actual or potential adverse impact on the Group’s customers, employees or 3rd parties, resulting from inadequate or failed internal processes, people and systems, or from external events.

Reputation (inc. regulatory & legal): Actual or potential adverse impact on the reputation of the Group in the global external environments. This includes views held by bodies that regulate any part of the Group's businesses or activities.

Discloseable E / Discloseable I
For use by SOX 404 Executive Steering Committee.
Discloseable External (i.e. in Annual Report and Accounts): Trigger point – above £350m for financial performance; qualitative assessment for financial position.
Discloseable Internal (i.e. to Group Audit Committee): Trigger point – above £70m and below £350m for financial performance; above £250m for financial position.
All Discloseable issues are assessed for financial impact only. Trigger point is the threshold indicating whether an issue has potential to be Discloseable Internal / External. Further quantitative and qualitative analysis is required to conclude on each issue that exceeds a trigger point.

Major
Financial: Actual or potential impact on:
• Financial performance / regulatory capital > £10m; or
• Financial position / RWAs > £100m.
Customer:
• Major adverse impact on a division’s customers, employees, or 3rd parties (measured by volume or otherwise, and taking into account nature of impact).
• Failure or deteriorating performance of one of the Group’s 3rd party suppliers, that also meets another Major level Financial / Customer / Reputational impact.
• Loss of key system or business capability outside of the businesses defined Recovery Point and / or Recovery Time Objectives.
Reputation:
• Actual or high likelihood of formal censure by any of the Group’s Regulators.
• Actual or high likelihood of: (i) claim(s) being brought by / against the Group for material breach of contract and / or damages > £10m; or (ii) Group being unable to comply with legal requirements without incurring costs > £10m.
• Actual or high likelihood of concerted, widespread or recurrent adverse coverage of the Group or a specific event in national or international media.

Significant
Financial: Actual or potential impact on:
• Financial performance / regulatory capital: between £1m & £10m
• Financial position / RWAs: between £40m & £100m.
Customer:
• Significant adverse impact on a division’s customers, employees, or 3rd parties (measured by volume or otherwise, and taking into account nature of impact).
• Failure or deteriorating performance of one of the Group’s 3rd party suppliers, that also meets another Significant level Financial / Customer / Reputational impact.
• Loss of key system or business capability within the defined Recovery Point and / or Recovery Time Objectives that also meet another Significant level Financial / Customer / Reputational impact.
Reputation:
• Actual or high likelihood of adverse impact on the Group’s reputation with any of its Regulators.
• Actual or high likelihood of: (i) claims(s) being brought by / against the Group for material breach of contract and / or damages between £1m & £10m; or (ii) Group being unable to comply with legal requirements without incurring costs of between £1m & £10m.
• Actual or high likelihood of individual adverse coverage in national media that Group Communications consider to be of material concern to the Group.

Important
Financial: Actual or potential impact on:
• Financial performance / regulatory capital: between £100k & £1m; or
• Financial position / RWAs: between £4m & £40m.
Customer:
• Important adverse impact on a division’s customers, employees, or 3rd parties (measured by volume or otherwise, and taking into account nature of impact).
• Failure or deteriorating performance of one of the Group’s 3rd party suppliers, that also meets another Important level Financial / Customer / Reputational impact.
• Loss of key system or business capability within the defined Recovery Point and / or Recovery Time Objectives that also meet another Important level Financial / Customer / Reputational impact.
Reputation:
• Actual or high likelihood of tarnishing the Group’s reputation with any of its Regulators.
• Actual or high likelihood of: (i) claims(s) being brought by / against the Group for material breach of contract and / or damages of between £100k & £1m; or (ii) Group being unable to comply with legal requirements without incurring costs of between £100k & £1m.
• Actual or high likelihood of adverse comment in local media that Group Communications consider to be of material concern to the Group.

Minor
Actual or potential adverse financial, customer or reputational impact, which does not meet the minimum threshold for Important classification.