VocaLink considers risk across the whole business, managing it in a way that matches our risk appetite and business strategy. In our tiered risk governance framework (see figure 1) authority is delegated from the Board to the Audit and Risk Committee, and then through Group risk policies applied in each business area.
The VocaLink risk framework (see figure 2) keeps risk management consistent and transparent. We regularly review the framework and benchmark it against financial services sector peers. Our risk management process includes:
This establishes ownership and responsibility for risk-taking and controls for all operational areas. In the first line, all risk activities are evaluated and measured against our risk framework and company policies. We take remedial action where necessary.
The Chief Risk Officer and compliance functions oversee and challenge the first line. They also oversee regulatory compliance, design the risk control frameworks, risk appetite and policies, and report to executive management and the Audit and Risk Committees.
This provides independent assurance to executive management, customers, shareholders and payment schemes that our enterprise risk management processes are effective. We provide regular risk reporting through internal and external audit reporting, external ISAE 3000 service audits and ISO certifications.
VocaLink is certified to ISO/IEC 27001:2005 Information Security Management System (ISMS) and ISO 22301 Business Continuity Management System. VocaLink remains compliant with the Payment Card Industry Data Security Standard (PCI DSS), in respect of protecting customer transactional data through the provision of ATM services.
The Board of Directors comprises an independent non-executive Chairman, four independent non-executive directors (of whom one is the Senior Independent Non-Executive Director), six non-executive shareholder directors, and two executive directors. The Board leads and provides direction for the Executive Management Team by setting strategy, overseeing strategic decisions, and scrutinising the Executive Management Team's performance.
During 2015 the Board convened in person on a regular basis, meeting ten times during the reporting year. The Board maintains procedures that allow for the regular review of potential conflicts of interest, and the register of directors' interests is maintained by the Chief Legal Officer and Company Secretary.