Governance

Overall responsibility for sustainability and the Group’s underlying approach to the management of ESG issues is held by the Group’s Chief Executive Officer, Andy Briggs.

In recognition of the importance of sustainability to the long-term success of the Group, the Phoenix Group Board has established a Board Sustainability Committee. Chaired by Karen Green, and comprised solely of non-executive directors, this committee is responsible for the review, challenge and oversight of the Group’s sustainability strategy.

In 2021, the Group established the Enterprise Sustainability Committee with ExCo sponsors for each key business area, which is led by our Director of Corporate Affairs and Investor Relations, Claire Hawkins. This committee is responsible for ensuring the implementation of the overall sustainability strategy.

The responsibility for climate-related impacts and issues is held by the Group Chief Risk Officer, Jonathan Pears to ensure that the risk management framework supports the management of risks, and in the case of financial implications, by the Group Chief Financial Officer, Rakesh Thakrar.

In addition to the Enterprise Sustainability Committee, there are a number of other wider group committees that have had their terms of reference strengthened to support our sustainability strategy.

The Phoenix Group Board is committed to developing and maintaining a diverse Board in the broadest sense including gender, ethnicity, demographics, skills, experience, age, educational and professional background.

Board Diversity Policy

In order to ensure that any financial crime matters or occurrences are effectively managed, the Group has a number of policies and practices in operation. The Group’s Financial Crime Prevention policy addresses risks such as money laundering, fraud and bribery. The policy details required controls to mitigate financial crime risks faced.

Adherence to the Financial Crime Prevention policy is managed by the Financial Crime team via assessments of the key controls that make up the policy, as well as themed Financial Crime Reviews and Assurance testing.

Colleagues are required to complete annual computer-based training in financial crime prevention and are also required to complete a Gifts and Hospitality Register which is overseen and managed by the Financial Crime team.

Taking action on financial crime is vital in preventing harm to individuals and society. We are committed to acting fairly and ethically in all countries in which we operate, and to effectively manage any breaches of regulatory or legislative compliance on money laundering, fraud, sanctions bribery and corruption. In order to ensure that any financial crime occurrences are effectively managed, we have embedded a comprehensive Financial Crime Prevention policy and supporting guidance documents.

Adherence to our Financial Crime Prevention Policy is overseen by a dedicated Financial Crime team via assessment of adherence to a suite of financial crime controls that make up the policy, as well as regular themed financial crime reviews and assurance testing.

Colleagues are required to complete annual computer-based training in all aspects of financial crime prevention and are also required to complete a Gifts and Hospitality Register which is overseen and managed by the Financial Crime Team. We are committed to countering bribery and corruption with suitable training, policies and procedures in place. We receive approval and support for all of these from Senior Management, and approval of our policy from the Board Risk Committee.

We comply with all anti-bribery and corruption law in all markets and jurisdictions where we do business. We expect the same standards from all third parties who provide services for the Group and its subsidiary companies.

Health and safety risks that are not properly managed could lead to a reduction in earnings and/or value through financial or reputational loss associated with adverse impacts on the health and wellbeing of colleagues, customers and third parties in the workplace.

We operate a Health and Safety policy which helps manage risks and adverse effects across our group. Ours Group Board oversees our effective management of health and safety risks and our Group Chief Executive Officer has overall responsibility for ensuring that any issues are managed. Our Health and Safety team maintains an effective health and safety management system accredited to ISO45001 for our UK business. We have a commitment to continually improve our management system incorporating insight from colleagues and long-term targets.

Arrangements are in place to manage onsite facilities across the sites, ensuring the workplace environment is compliant and fit for purpose. We carry out risk and hazard assessments to identify potential harms, and any actions required are recorded and completed. We also prepare for any emergency situations that may arise. We continually assess our progress in reducing risks against our targets.

All colleagues are required to complete annual computer-based health and safety training.

We have procedures in place to identify and manage any reportable incidents. In 2023 we had two reportable incidents.

We recognise that Phoenix may be connected to impacts on people across our many roles and are committed to proactively avoiding and addressing harm that may occur through our operations, in how we support our customers and colleagues and within our supply chain and investment portfolio.

We are ambitious in our desire to lead the way in respecting human rights and recognise our responsibility to do this in accordance with:

• The International Bill of Human Rights
• The International Labour Organisations ('ILO') Core Conventions

We are committed to aligning with the United Nations Guiding Principles on Business and Human Rights (‘UNGPs’), the authoritative global framework on business and human rights, and our ambition is to encourage other organisations to do the same.

Our human rights policy sets out the action we are taking to respect human rights in accordance with the UNGPs.

The Group processes large amounts of personal information every day and we take our data protection responsibilities seriously. The privacy notices on our websites provide full details of the processing activities we undertake across the Group and the rights individuals have regarding their information. We also have an internal Group Data Protection policy which is reviewed annually and documents the risks that need to be managed and the minimum control standards that need to be adhered to, to ensure all personal information is protected and an individual’s right to privacy is observed at all times. This policy is aligned not only to our corporate values, but also to the data protection legislation which applies to the Group. All colleagues are required to complete annual computer-based training to ensure they clearly understand the obligations placed on them. Any breaches can result in disciplinary action, including dismissal.

The policy is owned and overseen by the Group’s Data Protection Officer (‘DPO’), and Board accountability is owned by Jonathan Pears, Group Chief Risk Officer. The DPO is supported by a Data Protection team who advise and support the wider business, including our outsourced partners, on the Group’s obligations and undertake/support Group assurance activities to ensure ongoing compliance with data protection legislation. They also act as a contact point for data protection regulatory bodies, such as the Information Commissioner, and individuals who wish to raise concerns regarding the processing of their personal information. Internal audit perform independent reviews of our approach as part of our three lines of defence model.

Data breaches can occur in the form of a malicious attack or accidental error and can be wide scale or impact one individual. The Group operates a robust process to ensure data breaches are identified, reported and resolved appropriately. Whilst errors occur from time to time, the Group has not experienced any material or wide-spread data breaches that have compromised the security of the personal information it is custodian of.

The safety of our customers and colleagues is paramount. We have continued to strengthen and improve our security around customer data, commercial information and our people through the deployment of market-leading tools, and controls and policy harmonisation.

Our Group Board oversees the effective management of cybersecurity threats, with regular updates provided to them by our Chief Information Security Officer (‘CISO’). The Chief Operating Officer (‘COO’) has regulatory responsibility for ensuring that cybersecurity threats are managed. The CISO is responsible day-to-day for leading our in-house information security team and suppliers in the delivery of our Group’s cyber management as well as analysing and responding to threats.

A Group-wide security programme enables the Group to operate safely and within appetite in a rapidly changing environment. We have a multi-year Cyber Programme with focuses on data security, secure deployment of cloud solutions, improved access management and continuous improvement of our cyber detect and respond capability. Our cyber security framework is ISO 27001 certified¹ and our Cyber Security Policy is reviewed annually and made available to all colleagues.

Our approach is subject to external audit on at least an annual basis, and we conduct third-party vulnerability analysis, including simulated hacker attacks. Although the likelihood of a cyber-attack is increasing across industries, we aim to reduce this likelihood through our control framework and minimise any business and customer impacts through appropriate cyber resilience planning and testing. Our incident response plans are tested on at least an annual basis. We have had no significant cyber-related incidents directly impacting Phoenix Group in 2023.

1. For employees, systems, data and processes for collecting data, processing payments, administration of workplace pension and benefits schemes from our Standard Life House office.

The Group has a Code of Conduct in place which, along with our suite of risk policies, provides a framework which supports colleagues in acting with integrity, due skill, care and diligence in every action they take.

The Group Board has overall responsibility for our Code, but all colleagues are responsible for complying with it. We provide an annual computer-based training module which contains a copy of our Code that colleagues are asked to read and then complete an attestation to confirm their understanding and compliance. This raises awareness and educates colleagues on a wide range of good ethical business practices and regulatory conduct standards they must adhere to. We take breaches of our Code very seriously and they could result in disciplinary action, including dismissal and/or the reduction or recovery of remuneration.

All employees are also required to complete and pass an annual risk management computer-based training module to embed an effective risk culture and understanding of their roles and responsibilities.

Further details of our Risk Management Framework can be found within our Annual Report.

The Group promotes an open and supportive culture where all individuals are encouraged to speak up about any concerns they may have within our business. We have zero tolerance for the detrimental treatment of individuals who raise concerns.

In the first instance we hope colleagues will voice issues with line management; however, the Speak Up Office is available if for any reason that is not appropriate or preferred. Internally we accept concerns through a number of channels including a secure mailbox; we also partner with an independent third party – Safecall – who have both a hotline and a web form which can accept allegations in all native languages of the jurisdictions we operate in.

We inform our colleagues of our speak up arrangements by various means including employee and manager guides, intranet pages, annual computer-based training and ad hoc promotional campaigns and roundtable discussions. Independent external guidance and support are available to our colleagues from Protect, the UK’s leading whistleblowing charity, who we also work with.

Speak Up is recognised within the Group’s Risk Universe and a Speak Up Risk policy is in place which sets out the minimum controls and standards for the effective management of speak up and is subject to regular assessment and review. The policy is approved by the Group Board Audit Committee who, together with the Phoenix Group Holdings plc Board, receive a bi-annual update on its operation. The policy is sponsored by the Group General Counsel who holds responsibility for its design and implementation.

Under the Senior Managers and Certification Regime, Tim Harris, Life Board Audit Committee Chair, is Phoenix’s Whistleblowers’ Champion. He is responsible for overseeing the integrity, independence and effectiveness of the Company’s policies and procedures on whistleblowing.