As a member of the FTSE 100, we have a responsibility to provide fair, balanced and understandable information to our shareholders and our customers in accordance with the Corporate Governance Code. As a purpose-led organisation, we are also committed to being a force for good for all our stakeholders and wider society.
Our anti-bribery statement
“Strong governance must remain a bedrock for the Group as we continue to grow as a FTSE 100 company, with the aims of both protecting our customers and shareholders and enhancing our performance.”
Articles of Association
Our Articles of Association outline the written rules to which Phoenix Group Holdings plc operates.
We are committed to the highest standards of governance, to ensure we are making the right decisions.
Overall responsibility for sustainability and the Group’s underlying approach to the management of ESG issues is held by the Group’s Chief Executive Officer, Andy Briggs.
In recognition of the importance of sustainability to the long-term success of the Group, the Phoenix Group Board has established a Board Sustainability Committee. Chaired by Karen Green, and comprised solely of non-executive directors, this committee is responsible for the review, challenge and oversight of the Group’s sustainability strategy.
In 2021, the Group established the Enterprise Sustainability Committee with ExCo sponsors for each pillar of activity, which is led by our Director of Corporate Affairs and Investor Relations, Claire Hawkins. This committee is responsible for ensuring the implementation of the overall sustainability strategy.
The responsibility for climate-related impacts and issues is held by the Group Chief Risk Officer, Jonathan Pears to ensure that the risk management framework supports the management of risks, and in the case of financial implications, by the Group Chief Financial Officer, Rakesh Thakrar.
In addition to the Enterprise Sustainability Committee, there are a number of other wider group committees that have had their terms of reference strengthened to support our sustainability strategy.
The Phoenix Group Board is committed to developing and maintaining a diverse Board in the broadest sense including gender, ethnicity, demographics, skills, experience, age, educational and professional background.
In order to ensure that any financial crime matters or occurrences are effectively managed, the Group has a number of policies and practices in operation. The Group’s Financial Crime Prevention policy addresses risks such as money laundering, fraud and bribery. The policy details required controls to mitigate financial crime risks faced.
Adherence to the Financial Crime Prevention policy is managed by the Financial Crime team via assessments of the key controls that make up the policy, as well as themed Financial Crime Reviews and Assurance testing.
Colleagues are required to complete annual computer-based training in financial crime prevention and are also required to complete a Gifts and Hospitality Register which is overseen and managed by the Financial Crime team.
The Group has a zero-tolerance policy towards bribery and corruption in all its forms. The Group Board Risk Committee has oversight of the anti-bribery and anti-corruption programme.
We are committed to acting fairly and ethically in all countries in which we operate and so we shall comply with all anti-bribery and corruption law in all markets and jurisdictions where we do business, including the Bribery Act 2010. We expect the same standards from all third parties who provide services for the Group and its subsidiary companies.
Phoenix is committed to countering bribery and corruption with suitable policies and procedures. We have an anti-bribery programme in place designed to prevent the occurrence of bribery. This includes, for example, an Anti-Bribery policy at Group level, a Code of Ethics for ethical behaviour and general standards, a Group Stewardship Policy which details our stewardship approach, and mandatory training for our employees covering compliance with the Bribery Act.
Further details can be found in the Group’s anti-bribery and anti-corruption policies.
We expect all our employees and third parties to comply with the letter and spirit of the Bribery Act 2010, as enshrined in our key principles above, in the performance of their services for the Group.
We had no bribery and corruption breaches in 2022.
Health and safety risks that are not properly managed could lead to a reduction in earnings and/or value through financial or reputational loss associated with adverse impacts on the health and wellbeing of colleagues, customers and third parties in the workplace.
We operate a Health and Safety policy which helps manage risks and adverse effects across our group. Ours Group Board oversees our effective management of health and safety risks and our Group Chief Executive Officer has overall responsibility for ensuring that any issues are managed. Our Health and Safety team maintains an effective health and safety management system accredited to HSG65. We have a commitment to continually improve our management system incorporating insight from colleagues and long-term targets.
Arrangements are in place to manage onsite facilities across the sites, ensuring the workplace environment is compliant and fit for purpose. We carry out risk and hazard assessments to identify potential harms, and any actions required are recorded and completed. We also prepare for any emergency situations that may arise. We continually assess our progress in reducing risks against our targets.
All colleagues are required to complete annual computer-based health and safety training.
We have procedures in place to identify and manage any reportable incidents. In 2022 we had no reportable incidents.
We recognise that Phoenix may be connected to impacts on people across our many roles and are committed to proactively avoiding and addressing harm that may occur through our operations, in how we support our customers and colleagues and within our supply chain and investment portfolio.
We are ambitious in our desire to lead the way in respecting human rights and recognise our responsibility to do this in accordance with:
We are committed to aligning with the United Nations Guiding Principles on Business and Human Rights (‘UNGPs’), the authoritative global framework on business and human rights, and our ambition is to encourage other organisations to do the same.
Our human rights policy sets out the action we are taking to respect human rights in accordance with the UNGPs.
The Group processes large amounts of personal information every day and we take our data protection responsibilities seriously. The privacy notices on our websites provide full details of the processing activities we undertake across the Group and the rights individuals have regarding their information. We also have an internal Group Data Protection policy which is reviewed annually and documents the risks that need to be managed and the minimum control standards that need to be adhered to, to ensure all personal information is protected and an individual’s right to privacy is observed at all times. This policy is aligned not only to our corporate values, but also to the data protection legislation which applies to the Group. All colleagues are required to complete annual computer-based training to ensure they clearly understand the obligations placed on them. Any breaches can result in disciplinary action, including dismissal.
The policy is owned and overseen by the Group’s Data Protection Officer (‘DPO’), and Board accountability is owned by Jonathan Pears, Group Chief Risk Officer. The DPO is supported by a Data Protection team who advise and support the wider business, including our outsourced partners, on the Group’s obligations and undertake/support Group assurance activities to ensure ongoing compliance with data protection legislation. They also act as a contact point for data protection regulatory bodies, such as the Information Commissioner, and individuals who wish to raise concerns regarding the processing of their personal information. Internal audit perform independent reviews of our approach as part of our three lines of defence model.
Data breaches can occur in the form of a malicious attack or accidental error and can be wide scale or impact one individual. The Group operates a robust process to ensure data breaches are identified, reported and resolved appropriately. Whilst errors occur from time to time, the Group has not experienced any significant or wide-spread data breaches that have compromised the security of the personal information it is custodian of.
Cyber Security remains a Tier 1 threat to the economy of the UK with the scale of threat to the financial industry from cyber-attacks being significant. As a responsible Financial Services provider, we have continued to strengthen and improve our security around customer data, commercial information and our people through the deployment of market leading tools and controls and policy harmonisation. The safety of our customers and our colleagues is paramount. We have enhanced our data leakage controls to reduce the risk of data leaving the organisation or being shared inappropriately. We deploy layered security controls to protect the Company from cyber-related incidents. A Company-wide security programme enables the Group to operate safely and within appetite in a rapidly changing environment.
Our Group Board oversees our effective management of cybersecurity threats with regular updates provided to them by our Chief Information Security Officer. The Chief Operating Officer has regulatory responsibility for ensuring that cybersecurity threats are managed and our Chief Information Security Officer is responsible day to day for leading our in-house Information Security team and suppliers in the delivery of our group’s Cyber management and responding to emerging threats. We have had no significant cyber-related incidents over the last year.
Our cyber security framework is aligned with ISO27001 and our policy is annually reviewed and made available to all colleagues. We have continued to increase colleague awareness of online threats through a mandatory annual training programme; and regular themed ‘spotlight’ campaigns have highlighted cyber security safety in the workplace. A Company-wide programme of phishing simulations along with enhanced technical controls has helped our people recognise these emails and reduce our risk in this area.
We require colleagues to report, via our Governance Management Tool, any information security Incidents, defined as a breach or imminent threat of a breach of our policies or controls and relating to the confidentiality, integrity or availability of information. A high priority incident, including cyber events, incidents and breaches must be notified immediately to our Information security team. These are tracked through our incident management system and a log of any actions taken recorded.
Our approach is subject to external audit on at least an annual basis, and we conduct third-party vulnerability analysis including simulated hacker attacks. Whilst the likelihood of a cyber-attack may be low, our Business Continuity team focuses on ensuring we are able to continue to operate. Our incidence response plans are tested on at least an annual basis.
The Group has a Code of Conduct in place which, along with our suite of risk policies, provides a framework which supports colleagues in acting with integrity, due skill, care and diligence in every action they take.
The Group Board has overall responsibility for our Code, but all colleagues are responsible for complying with it. We provide an annual computer-based training module which contains a copy of our Code that colleagues are asked to read and then complete an attestation to confirm their understanding and compliance. This raises awareness and educates colleagues on a wide range of good ethical business practices and regulatory conduct standards they must adhere to. We take breaches of our Code very seriously and they could result in disciplinary action, including dismissal and/or the reduction or recovery of remuneration.
All employees are also required to complete and pass an annual risk management computer-based training module to embed an effective risk culture and understanding of their roles and responsibilities.
Further details of our Risk Management Framework can be found within our Annual Report.
The Group promotes an open and supportive culture where all individuals are encouraged to speak up about any concerns they may have within our business. We have zero tolerance for the detrimental treatment of individuals who raise concerns.
In the first instance we hope colleagues will voice issues with line management; however, the Speak Up Office is available if for any reason that is not appropriate or preferred. Internally we accept concerns through a number of channels including a secure mailbox; we also partner with an independent third party – Safecall – who have both a hotline and a web form which can accept allegations in all native languages of the jurisdictions we operate in.
We inform our colleagues of our speak up arrangements by various means including employee and manager guides, intranet pages, annual computer-based training and ad hoc promotional campaigns and roundtable discussions. Independent external guidance and support are available to our colleagues from Protect, the UK’s leading whistleblowing charity, who we also work with.
Speak Up is recognised within the Group’s Risk Universe and a Speak Up Risk policy is in place which sets out the minimum controls and standards for the effective management of speak up and is subject to regular assessment and review. The policy is approved by the Group Board Audit Committee who, together with the Phoenix Group Holdings plc Board, receive a bi-annual update on its operation. The policy is sponsored by the Group General Counsel who holds responsibility for its design and implementation.
Under the Senior Managers and Certification Regime, Tim Harris, Life Board Audit Committee Chair, is Phoenix’s Whistleblowers’ Champion. He is responsible for overseeing the integrity, independence and effectiveness of the Company’s policies and procedures on whistleblowing.