Old Mutual Group Policy Suite

1. Details

Title Group Policy for Loss Event Management

Subject Matter Expert Gavin Cookman, Head of ERM

Date Produced / Version 13th November 2008 / Version 1.1

Audience Old Mutual Group and Business Units

2. Summary
The objective of this document is to provide the mandatory minimum standards for Loss Event Management
across the Old Mutual Group. Loss event management is the process through which internal and external
losses are identified, quantified, classified, trends analysed and lessons learned.

Ownership of the policy rests with the Group Risk and Capital Committee (“GRCC”) on behalf of the Old
Mutual plc Board. The policy should be reviewed annually by Group Risk to ensure it reflects the current
practice within the Old Mutual Group, and to benchmark against international best practice.

3. Scope
In Scope: This policy is applicable to the management of losses incurred within the Old Mutual
Group and Business Units, including both expected and unexpected losses. It covers the
non-financial risk types, as defined in the Group Risk Categorisation Model, which are
considered to be Strategic, Operational, Compliance and Human Resources risk.
Out of Scope: The financial risk categories which are: Business, Underwriting, Liquidity, Market and
Credit risks. These risk categories may be brought in scope at a later date.

4. Risks controlled by this Policy

This policy covers Strategic, Operational, Compliance and Human Resources Risk.

5. Mandatory requirements
Internal Loss Data

a) Ownership and Accountability

Accountability for identifying and recording losses (both expected and unexpected) associated with business
processes rests with managers responsible for those business processes. Oversight for that loss recording
rests with the Business Unit risk functions. The Business Unit should document fully their processes,
including governance, for recording losses. Within the Business Units, the second line of defence challenge
will be carried out by the risk functions, and the third line by Internal Audit. At a Group level the second and
third line of defences will be performed by Group Risk and Group Internal Audit respectively.

-1-
 b) Identification

Each Business Unit should ensure that their business processes facilitate prompt identification and recognition
of expected and unexpected loss events in each risk category. This should include any near misses where a
risk materialising does not result in an actual loss.

A loss event and near miss is as defined in the “Internal Loss Guidelines” and “External Loss Guidelines”
issued by Group Risk.

The CROs in the Business Units should work with the line managers to put in place a process to identify those
losses occurring in their business. It would be expected that line managers will identify a majority of the
losses.

As soon as they are identified, loss events should be entered in the Internal Loss Database for review.

Loss events should be mapped back to the Group Risk Categorisation Model.

Losses identified should be cross-checked to other sources, including: Internal Audit reports, Compliance
reports, other Management Information and reviews.

Any near misses should also be identified and recorded in the Internal Loss Database.

c) Data Capture

Loss events and near misses should be recorded in the Group Loss Database for a Business Unit if it involves
an actual or potential financial impact of more than £5,000, or any material non-compliance of any legal or
regulatory requirement. For multiple occurrences of the same loss, eg complaints, the loss should be
recorded if the total figure over one month exceeds £5,000. The Business Unit may wish to set a lower
threshold for recording losses in their own database.

The Group Loss Database is owned by Group Risk. The information that should be captured is defined in the
Internal Loss Data Guidelines issued by Group Risk. The standards and data collected will be reviewed and
refined at least annually, by Group Risk.

The Business Unit should ensure that an owner is allocated to each loss event recorded in the database and
the resulting management actions.

The Business Unit should ensure that all employees are aware of these requirements.

d) Loss or Near Miss Monitoring

Each Business Unit should regularly monitor losses and near misses, ensuring that the appropriate
management actions are taken to prevent, or reduce the likelihood of future occurrences resulting in a loss.

Particular attention should be paid to management actions where the loss incurred or near miss is close to, or
exceeds the risk appetite for that risk type, or is over £50,000.

As part of the review of the loss, the assessment of the associated risk or control should be reconsidered and

-2-
 updated accordingly.

It is the responsibility of the owner allocated to the loss to monitor the status of the loss or near miss event
through its lifecycle. The owner should provide regular updates to the management of the Business Unit and
Group Risk to keep them informed of progress to prevent a recurrence.

e) Escalation

Each Business Unit should have in place the appropriate escalation procedures, including thresholds to notify
management of a loss event to ensure they are aware of significant events and understand which ones
require their attention.

f) Risk Appetite

The Old Mutual Group appetite for each risk category will be defined by the GRCC, and ratified by the Old
Mutual plc Board. Business Units should operate within the risk limits allocated to them. Performance against
those limits should be regularly monitored and any losses incurred checked against the exposure calculated,
and used to define assumptions for future risk appetite calculations.

As appropriate, Business Units should consider allocating risk appetite and hence monitoring losses against
the level 2 risk categories as defined in the Group Risk Categorisation model.

g) Analysis and Learning

Business Units should have in place a process to provide senior management with the appropriate reports, as
a minimum showing aggregated total losses by risk and division and losses above the threshold set by
Business Units from their Internal Loss Database.

For operational risk, Business Units should have in place a process to reconcile the losses incurred and
recorded with the appropriate accounting information.

Business Units should analyse on a regular basis the loss data collected to identify trends and issues.

Business Units should ensure that internal loss data is included as a guide when quantifying their risks,
particularly for risk exposure and economic capital purposes, including in the identification of their operational
risk scenarios.

External Loss Data

Group Risk will be responsible for regularly receiving and processing updates for the external loss database
from the provider, and cascading the updated database to Business Units.

Business Units should use the data in the external loss database as a guide to current management actions in
their risk assessment. This should include the quantification of risk, the identification of emerging risks,
control effectiveness reviews in areas where peers incur losses and a sense check on the scenarios
designed.

Business Units should regularly review the external loss database for new trends for losses in other

-3-
 companies, and review their own risk assessment in light of those.

Group Risk should review the external losses for trends that affect the Old Mutual Group and facilitate the
appropriate management actions to reduce the risk of the Group experiencing similar losses.

The information in the external loss database should be used in conjunction with the internal loss database
and management experience and expertise.

For more detail see the External Loss Database Guidelines.

6. Policy Breaches
Breaches of this policy must be reported to Group Risk in accordance with Group risk reporting requirements
and the Group Escalation Policy.

7. Supporting Materials
Materials Where located
External Loss Database Guidelines Sharepoint <link>
Internal Loss Database Guidelines
Group Risk Minimum Standards Guidance
Group Risk Categorisation Model

8. Contact point for queries or guidance

Jason Baker (Group Risk) Jason.baker@omg.co.uk +44 207 002 7261

Appendix A – Definitions
Expected (or day to day) losses – losses that occur that are anticipated and have been included in the
Business Plans and budgets for the year in which they happen. Typical examples would be ex-gratia
payments for complaints and recruitment costs for key staff lost.

Unexpected losses – losses that occur that were not anticipated and therefore not included in the Business
Plans and budgets. These may have been identified as part of the risk exposure work but not thought
sufficiently likely for that year to be included in Business Plans and budgets.

-4-