Governance
Our governance approach
As a company listed on the London Stock Exchange, we have a responsibility to provide fair, balanced and understandable information to our shareholders and our customers in accordance with the UK Corporate Governance Code.
Focus areas
We are committed to embedding responsible and sustainable business practices and maintaining high standards of oversight, integrity and ethics.
Overall responsibility for sustainability and the Group’s underlying approach to the management of ESG issues is held by the Group’s Chief Executive Officer (CEO), Andy Briggs.
The Standard Life Board has established a Board Sustainability Committee (BSC), chaired by Karen Green and comprised solely of Non-Executive Directors (NEDs). This committee is responsible for the review, challenge and oversight of the Group’s sustainability strategy.
The Enterprise Sustainability Committee (ESC) was established with Executive Committee sponsors for each key business area, which is led by our Director of Corporate Affairs and Brand. This committee is responsible for ensuring the implementation of the overall sustainability strategy and supports the BSC, providing updates on progress against strategy, Key Performance Indicators (KPIs) and targets. In addition to the ESC, there are other group committees with sustainability responsibilities within their Terms of Reference.
Individual responsibility for ensuring the appropriate identification, assessment, management and reporting of climate-related financial risks and opportunities that could affect the Group sits with the Group’s Chief Financial Officer (CFO) and Chief Risk Officer (CRO), both appointed as joint Senior Managers responsible for climate-related financial risk under the UK Prudential Regulation Authority’s (‘PRA’) and Financial Conduct Authority’s (‘FCA’) Senior Managers and Certification Regime. As part of wider financial reporting responsibilities, the Group CFO is responsible for reporting metrics, targets and external disclosures and, as part of wider risk responsibilities, the Group CRO is responsible for ensuring that climate-related risks are incorporated into the existing Risk Management Framework (RMF).
The Group’s RMF embeds proactive and effective risk management across the Group. It seeks to ensure that all material risks are identified, assessed, monitored, managed within approved risk appetites and reported through agreed governance routes in line with delegated authorities. The RMF is an enabler to delivering the Group’s risk strategy: to take rewarded risks which are understood, managed effectively and consistent with our Social Purpose and Enterprise Strategy. A key component of the RMF is the Risk Universe, which represents the complete set of risks to which the Group is exposed and is central to the structure and operation of many of our risk management processes. The Group’s Risk Universe includes a category on sustainability covering ESG issues and the Group Board-approved Sustainability Risk Appetite Statement. A Group Sustainability Strategy Risk Policy and a Group Sustainable Investment Risk Policy have been developed to identify key sustainability risks along with controls and mitigations to ensure that the risks operate within Group appetite. Read more about the Group’s RMF in the Annual Report and Accounts.
The Standard Life Board is committed to developing and maintaining a diverse Board in the broadest sense including gender, ethnicity, demographics, skills, experience, age, educational and professional background.
We have policies and practices in place to support effective management of financial crime matters or occurrences. The Group’s Financial Crime Prevention policy addresses risks such as money laundering, fraud and bribery and the required controls to mitigate them.
Adherence to the Financial Crime Prevention policy is managed by the Financial Crime team via assessments of the key controls that make up the policy, as well as themed Financial Crime Reviews and Assurance testing. We comply with all anti-bribery and corruption law in all markets and jurisdictions where we do business. We expect the same standards from all third parties who provide services for the Group and its subsidiary companies.
Colleagues are required to complete annual computer-based training in financial crime prevention and are also required to complete a Gifts and Hospitality Register which is overseen and managed by the Financial Crime team.
We are committed to countering bribery and corruption with suitable training, policies and procedures in place. We receive approval and support for all of these from Senior Management, and approval of our policy from the Board Risk Committee.
Ongoing assessment of changes to financial crime regulation and legislation, and identification of emerging risks, is a key activity. For example, we have taken action to meet the requirements of the UK Economic Crime Corporate Transparency Act. This Act makes a company criminally liable if it fails to prevent a fraudulent act perpetrated by one of its associated persons and does not have prevention measures in place.
We operate a Health and Safety policy which helps manage risks and adverse effects across our group. Our Group Board oversees our approach to health and safety risks and our Group Chief Executive Officer has overall responsibility for ensuring that any issues are managed. Our Health and Safety team maintains an effective health and safety management system accredited to ISO 45001 for our UK business. We have a commitment to continually improve our management system.
Arrangements are in place to manage onsite facilities across the sites, ensuring the workplace environment is compliant and fit for purpose. We carry out risk and hazard assessments to identify potential harms, and any actions required are recorded and completed. We also prepare for any emergency situations that may arise. We continually assess our progress in reducing risks against our targets.
All colleagues are required to complete annual computer-based health and safety training.
We have procedures in place to identify and manage any reportable incidents. In 2024 and 2025 we had no reportable incidents.
We recognise that Standard Life may be connected to impacts on people across our many roles. We are committed to proactively avoiding and addressing harm that may occur through our operations, in how we support our customers and colleagues and within our supply chain and investment portfolio. Our Human Rights policy, overseen by our Group Board, sets out the action we are taking to respect human rights.
Our commitments:
- Aligning with the United Nations Guiding Principles on Business and Human Rights (‘UNGPs’), the authoritative global framework on business and human rights, and our ambition is to encourage other organisations to do the same.
- Aligning with the OECD Guidelines for Multinational Enterprises, a set of responsible business conduct standards for multinational enterprises, as well as the OECD guidance on responsible business conduct for institutional investors, where appropriate.
- Conducting Group-wide human rights due diligence at least every three years throughout our business, including our operations, supply chain and investment portfolio.
- Continuing to review our grievance mechanism and plan to embed a system and process to ensure access to remedy for adverse impacts associated with our operations, activities and business relationships.
- Transparently reporting progress on our human rights activities.
- Updating our Human Rights policy at least every three years.
For more detail of our commitments, please read our Human Rights Policy.
We also recognise that modern slavery, forced labour, servitude and human trafficking are severe violations of fundamental human rights. We are committed to driving action across our operations and value chain. For more information, please read our Modern Slavery Statement.
We process large amounts of personal information every day and take our data protection duties seriously. The privacy notices on our websites provide full details of the processing activities we undertake across the Group and the rights individuals have regarding their information. Our Group Data Protection policy documents risks and minimum control standards that need to be adhered to, to ensure all personal information is protected and an individual’s right to privacy is observed at all times. This policy is aligned to data protection legislation and is reviewed annually.
The policy is owned and overseen by the Group’s Data Protection Officer (‘DPO’), and Board accountability is owned by the Group Chief Risk Officer. The DPO is supported by a central Data Protection team, which provides advice and oversight on the Group’s data protection obligations, and by dedicated data protection resource within the business and our outsourced partners. The team also undertakes and supports Group assurance activities to ensure ongoing compliance with data protection legislation. It also acts as a contact point for data protection regulatory bodies, such as the Information Commissioner (and other EU supervisory authorities), and for individuals who wish to raise concerns regarding the processing of their personal information. Internal Audit performs independent reviews of our approach as part of our three lines of defence model.
All colleagues are required to complete annual computer-based training to ensure they clearly understand the obligations placed on them. Any breaches can result in disciplinary action, including dismissal.
Data breaches can occur in the form of a malicious attack or accidental error and can be widespread or impact one individual. The Group operates a robust process to ensure data breaches are identified, reported and resolved appropriately.
Our data protection commitments for our customers
- You are in control: We understand your data belongs to you and process it transparently.
- We are transparent: We will explain how we use your data in a clear and jargon-free manner.
- We keep your data safe: We will protect your data and confidentiality.
- We do not sell your data: We will never sell your data and will only share it with approved companies that provide you with our products and services.
- We will use your data ethically and to add value: We will process your personal data to provide you with our services, make you aware of other useful offers and to continuously improve the products and services we provide to you.
- Your rights: We will support you in exercising your data rights.
The safety of our customers and colleagues is paramount. We continue to strengthen and improve our security around customer data, commercial information and our people through the deployment of market-leading tools, and controls and policy harmonisation.
Our Group Board oversees the effective management of cybersecurity threats, with regular updates provided to them by our Chief Information Security Officer (‘CISO’). The Chief Operating Officer (‘COO’) has regulatory responsibility for ensuring that cybersecurity threats are managed. The CISO is responsible day-to-day for leading our in-house information security team and suppliers in the delivery of our Group’s cyber management as well as analysing and responding to threats.
A Group-wide security programme enables the Group to operate safely and within appetite in a rapidly changing environment. We have a multi-year Cyber Programme focusing on data security, secure deployment of cloud solutions, improved access management and continuous improvement of our cyber detect and respond capability. Our cyber security framework is ISO 27001 certified [1] and our Cyber Security Policy is reviewed annually and made available to all colleagues.
Within our Information Security function, we have a Security Assurance Team focusing on external and internal cyber risks and controls through supplier assurance, threat intelligence, vulnerability management and penetration testing.
We have enhanced our colleague education and awareness programme to ensure security culture is embedded within the organisation. This includes educational videos, mandatory training and testing, focused awareness campaigns through various channels, cyber security month and onsite roadshows. We operate a network of information security champions across the business to support and drive cultural change.
We require colleagues to report, via our governance management tool, any information security incidents, defined as a breach or imminent threat of a breach of our policies or controls relating to the confidentiality, integrity or availability of information. A high-priority incident, including cyber events, incidents and breaches, must be notified immediately to our information security team. These are tracked through our incident management system and a log of any actions taken is recorded.
Our approach is subject to external audit on at least an annual basis, and we conduct third-party vulnerability analysis, including simulated hacker attacks. Although the likelihood of a cyber-attack is increasing across industries, we aim to reduce this likelihood through our control framework and minimise any business and customer impacts through appropriate cyber resilience planning and testing. Our incident response plans are tested on at least an annual basis.
[1] For employees, systems, data and processes for collecting data, processing payments, and administration of workplace pension and benefits schemes from our Standard Life House office.
Our Code of Conduct (Code) is core to who we are as a business. It embodies our Big Three culture, ambitions, and our brand ethos. It is why we are trusted as an organisation and an employer. Our Code is designed to enable us to fulfil our purpose of helping people secure a life of possibilities. Along with our suite of risk and HR policies, and the laws and regulations of the countries in which we work [1], it provides a framework which supports colleagues in acting with integrity, due skill, care and diligence in every action they take.
Our Code forms an integral part of the terms and conditions within our employment contracts. While the Group Board holds overall responsibility for the Code, every colleague is accountable for adhering to it.
We provide an annual computer-based training module which contains a copy of our Code that colleagues are asked to read and then complete an attestation to confirm their understanding and compliance. This raises awareness and educates colleagues on a wide range of good ethical business practices and regulatory conduct standards that they must adhere to, and it supports them to deliver good outcomes for our customers.
If colleagues do not follow our Code, they put themselves, their colleagues and Standard Life at risk. We take financial and non-financial misconduct breaches of our Code very seriously. Such violations may lead to disciplinary action, including dismissal and/or the reduction or recovery of remuneration. If colleagues have any concerns, or they become aware of a breach of our Code, Standard Life policies and/or a regulatory breach, we encourage them to report this in the first instance, and at the earliest opportunity, to line management. The Speak Up Office is available if, for any reason, reporting to line management is not appropriate or preferred. Concerns can be raised through several channels, including a confidential Speak Up mailbox, or by post or telephone.
[1] Our businesses that are outside the UK and Ireland have separate arrangements that incorporate their local laws and regulations.
We promote an open and supportive culture where all individuals are encouraged to speak up about any concerns they may have within our business. We have zero tolerance for the detrimental treatment of individuals who raise concerns.
In the first instance we hope colleagues will voice issues with line management; however, the Speak Up Office is available if for any reason that is not appropriate or preferred. Internally we accept concerns through a number of channels, including a secure mailbox; we also partner with an independent third party, Safecall, which provides both a hotline and a web form that can accept allegations in all native languages of the jurisdictions we operate in.
We inform our colleagues of our speak up arrangements by various means including employee and manager guides, intranet pages, annual computer-based training and ad hoc promotional campaigns and roundtable discussions. Independent external guidance and support are available to our colleagues from Protect, the UK’s leading whistleblowing charity, who we also work with.
Speak Up is recognised within the Group’s Risk Universe and a Speak Up Risk policy is in place which sets out the minimum controls and standards for the effective management of speak up and is subject to regular assessment and review. The policy is approved by the Group Board Audit Committee who, together with the Standard Life plc Board, receive a bi-annual update on its operation. The policy is sponsored by the Group General Counsel who holds responsibility for its design and implementation.
Under the Senior Managers and Certification Regime, Tim Harris, Life Board Audit Committee Chair, is Standard Life Whistleblowers’ Champion. He is responsible for overseeing the integrity, independence and effectiveness of the Company’s policies and procedures on whistleblowing.