The risk of reductions in earnings and/or value, through financial or reputational loss, from inadequate or failed internal processes and systems, or from people-related or external events.
There are a number of categories of operational risk:
The risk of reductions in earnings and/or value, through financial or reputational loss, or from failing to comply with the laws, regulations or codes applicable.
The risk of reductions in earnings and/or value, through financial or reputational loss, from inappropriate or poor customer treatment.
The risk of reductions in earnings and/or value, through financial or reputational loss, resulting from inadequate or failed internal processes and systems, people-related events and deficiencies in the performance of external suppliers/service providers.
The risk of reductions in earnings and/or value, through financial or reputational loss, associated with financial crime and failure to comply with related legal and regulatory obligations; these losses may include censure, fines or the cost of litigation.
The risk of reductions in earnings and/or value, through financial or reputational loss, from inappropriate staff behaviour, industrial action or health and safety issues. Loss can also be incurred through failure to recruit, retain, train, reward and incentivise appropriately skilled staff to achieve business objectives and through failure to take appropriate action as a result of staff underperformance.
The risk of reductions in earnings and/or value, through financial or reputational loss, from change initiatives failing to deliver to requirements, budget or timescale or failing to implement change effectively or realise the desired benefits.
The risk of reductions in earnings and/or value, through financial or reputational loss, from poor corporate governance at group, divisional or business unit level. Corporate governance in this context embraces the structures, systems and processes that provide direction, control and accountability for the enterprise.
The risk of reductions in earnings and/or value, through financial or reputational loss, resulting from theft of or damage to the Group’s assets, the loss, corruption, misuse or theft of the Group’s information assets or threats or actual harm to the Group’s people.
Operational risk appetite is defined as the quantum and composition of operational risk identified in the Group and the direction in which the Group wishes to manage it.
The Group has developed an impact on earnings approach to operational risk appetite. This involves looking at how much the Group could lose due to operational risk losses at various levels of certainty. In setting operational risk appetite, the Group looks at both impact on solvency and the Group’s reputation, including customer service requirements.
For legal and regulatory risk the Group has minimal risk appetite and seeks to operate to high ethical standards. The Group encourages and maintains an appropriately balanced legal and regulatory compliance culture and promotes policies and procedures to enable businesses and their staff to operate in accordance with the laws, regulations and voluntary codes which impact on the Group and its activities.
The main sources of operational risk within the Group relate to uncertainties created by the changing business, in particular the legal and regulatory environment in which financial firms operate both in the UK and overseas. As a result the most significant operational risk exposures are legal and regulatory.
Legal and regulatory exposure is driven by the significant volume of current legislation and regulation with which the Group has to comply, along with new legislation and regulation which needs to be reviewed, assessed and embedded into day-to-day operational and business practices across the Group as a whole. Further uncertainties arise where regulations are principles-based without the regulator defining supporting minimum standards either for the benefit of the consumer or firms. This gives rise to both the risk of retrospection from any one regulator and also to the risk of differing interpretation by individual regulators.
For legal and regulatory issues there are significant reputational impacts associated with potential censure which drive the Group’s stance on appetites referred to above. There are clear accountabilities and processes in place for reviewing new and changing requirements. Each business has a nominated individual with ‘compliance oversight’ responsibility under FSA rules. The role of such individuals is to advise and assist management to ensure that each business has a control structure which creates awareness of the rules and regulations to which the Group is subject, and to monitor and report on adherence to these rules and regulations.
Throughout 2008, there was ongoing development of operational risk appetites and metrics to ensure both current and potential future operational risk exposures are understood in terms of both risk and reward potential.
The Group has a comprehensive and consistent operational risk management framework for the timely identification, measurement, monitoring and control of operational risk.
Integral to this operational risk management framework is a hybrid approach to calculating capital to support unexpected losses. The capital model calculations are driven by internal data which captures past losses, and forward looking scenarios which value potential future risk events. External industry-wide data is collected to help with validating scenarios.
The capital model outputs are used to determine the internal capital charge for the Group which is then allocated to the businesses within the Group. Following review and approval of the operational risk management framework and capital model, the FSA has granted the banking businesses within the Group an Advanced Measurement Approach (AMA) Waiver which recognises the embedding of the operational risk framework across Lloyds TSB Group plc. The waiver allowed the Group to calculate its own regulatory capital charge for operational risk from its capital model with effect from 1 January 2008.
The intention is to extend the same methodology to the insurance businesses within the Group where regulatory capital is currently determined under the ICA requirements.
The Group’s operational risk management framework consists of five key components:
The Group purchases insurance to mitigate certain operational risk events.
Business unit risk exposure is aggregated at divisional level and reported to group risk where a group-wide report is prepared. The report is discussed at the monthly group compliance and operational risk committee. This committee can escalate matters to the chief risk officer, or higher committees if appropriate.
The insurance programme is monitored and reviewed regularly, with recommendations being made to the Group’s senior management annually prior to each renewal. Insurers are monitored on an ongoing basis, to ensure counterparty risk is minimised. A process is in place to manage any insurer rating changes or insolvencies.
The Group has adopted a formal approach to operational risk event escalation. This involves the identification of an event, an assessment of the materiality of the event in accordance with a risk event impact matrix and appropriate escalation.