Annual Report 2015

Enterprise Wide Risk Management

VocaLink considers risk across the whole business, managing it in a way that matches our risk appetite and business strategy. In our tiered risk governance framework (see figure 1) authority is delegated from the Board to the Audit and Risk Committee, and then through Group risk policies applied in each business area.




The VocaLink risk framework (see figure 2) keeps risk management consistent and transparent. We regularly review the framework and benchmark it against financial services sector peers. Our risk management process includes:

  • A clearly defined, Board-approved risk appetite statement with supporting risk policies
  • Risk management processes that incorporate control identification, assessments and personal ownership
  • Risk registers that are informed by independent control assurance carried out by internal audit, external audit and third-party assurance providers
  • Risk event/incident management processes
  • Risk reporting
  • The use of risk measurement, assessment and data capture tools.




Three Lines of Defense

First line

This establishes ownership and responsibility for risk-taking and controls for all operational areas. In the first line, all risk activities are evaluated and measured against our risk framework and company policies. We take remedial action where necessary.

Second line

The Chief Risk Officer and compliance functions oversee and challenge the first line. They also oversee regulatory compliance, design the risk control frameworks, risk appetite and policies, and report to executive management and the Audit and Risk Committees.

Third line

This provides independent assurance to executive management, customers, shareholders and payment schemes that our enterprise risk management processes are effective. We provide regular risk reporting through internal and external audit reporting, external ISAE 3000 service audits and ISO certifications.

VocaLink is certified to ISO/IEC 27001:2005 Information Security Management System (ISMS) and ISO 22301 Business Continuity Management System. VocaLink remains compliant with the Payment Card Industry Data Security Standard (PCI DSS), in respect of protecting customer transactional data through the provision of ATM services.

Key Areas of Focus


Corporate Governance

The Board of Directors comprises an independent non-executive Chairman, four independent non-executive directors (of which one is the Senior Independent Non-Executive Director), six non-executive shareholder directors, and two executive directors. The Board leads and provides direction for the Executive Management Team by setting strategy, overseeing strategic decisions, and scrutinising the Executive Management Team's performance.

During 2015 the Board convened in person on a regular basis, meeting ten times during the reporting year. The Board maintains procedures that allow for the regular review of potential conflicts of interest, and the register of directors' interests is maintained by the Chief Legal Officer and Company Secretary.
