
Strong governance protects our customers, shareholders and performance

Our Governance approach

As a company listed on the London Stock Exchange, we have a responsibility to provide fair, balanced and understandable information to our shareholders and our customers in accordance with the UK Corporate Governance Code. As a purpose-led organisation, we are also committed to being a force for good for all our stakeholders and wider society.

Our Sustainability Governance Framework Table


Our anti-bribery statement

Strong governance must remain a bedrock for the Group as we continue to grow as a FTSE 100 company, with the aims of both protecting our customers and shareholders and enhancing our performance. We have a zero-tolerance policy towards bribery and corruption in all its forms. We are committed to countering bribery and corruption with suitable policies and procedures, and we have an anti-bribery programme in place designed to prevent bribery from occurring.

Articles of Association

Our Articles of Association outline the constitution under which Phoenix Group Holdings plc operates.

Articles Of Association

Focus areas

We are committed to the highest standards of governance, to ensure we are making the right decisions.

Sustainability

Overall responsibility for sustainability and the Group’s underlying approach to the management of ESG issues is held by the Group’s Chief Executive Officer, Andy Briggs.

The Phoenix Group Board has an established Board Sustainability Committee (‘BSC’), chaired by Karen Green and comprised solely of non-executive directors (‘NEDs’). This committee is responsible for the review, challenge and oversight of the Group’s sustainability strategy.

The Enterprise Sustainability Committee, led by our Director of Corporate Affairs and Brand, was established with Executive Committee sponsors for each key business area. This committee is responsible for ensuring the implementation of the overall sustainability strategy. It meets at least four times a year and supports the Board Sustainability Committee by providing updates on progress against strategy, KPIs and targets. In addition to the Enterprise Sustainability Committee, a number of other wider Group committees have had their terms of reference strengthened to support our sustainability strategy.

Individual responsibility for ensuring the appropriate identification, assessment, management and reporting of climate-related financial risks and opportunities that could affect the Group sits with the Group’s CFO and CRO, both appointed as joint Senior Managers responsible for climate-related financial risk under the UK Prudential Regulation Authority’s (‘PRA’) and FCA’s Senior Managers and Certification Regime. As part of wider financial reporting responsibilities, the Group CFO is responsible for reporting metrics, targets and external disclosures and, as part of wider risk responsibilities, the Group CRO is responsible for ensuring that climate-related risks are incorporated into the existing Risk Management Framework (‘RMF’).


Managing sustainability risks

The Group’s RMF embeds proactive and effective risk management across the Group. It seeks to ensure that all material risks are identified, assessed, monitored, managed within approved risk appetites and reported through agreed governance routes in line with delegated authorities. The RMF is an enabler to delivering the Group’s risk strategy: to take rewarded risks which are understood, managed effectively and consistent with our Social Purpose and Enterprise Strategy. A key component of the RMF is the Risk Universe, which represents the complete set of risks to which the Group is exposed and is central to the structure and operation of many of our risk management processes. The Group’s Risk Universe includes a category on sustainability covering ESG issues and the Group Board-approved Sustainability Risk Appetite Statement. A Group Sustainability Strategy Risk Policy and a Group Sustainable Investment Risk Policy have been developed to identify key sustainability risks, along with controls and mitigations to ensure that the risks operate within Group appetite. Read more about the Group’s RMF in the Annual Report and Accounts.

Board diversity

The Phoenix Group Board is committed to developing and maintaining a diverse Board in the broadest sense including gender, ethnicity, demographics, skills, experience, age, educational and professional background.

Board Diversity Policy

Financial crime prevention, Anti-bribery & Corruption

We have a number of policies and practices in place to support effective management of financial crime matters or occurrences. The Group’s Financial Crime Prevention policy addresses risks such as money laundering, fraud and bribery, and details the controls required to mitigate the financial crime risks faced.

Adherence to the Financial Crime Prevention policy is managed by the Financial Crime team via assessments of the key controls that make up the policy, as well as themed Financial Crime Reviews and Assurance testing. We comply with all anti-bribery and corruption law in all markets and jurisdictions where we do business. We expect the same standards from all third parties who provide services for the Group and its subsidiary companies.

Colleagues are required to complete annual computer-based training in financial crime prevention and to record any gifts and hospitality given or received in a Gifts and Hospitality Register, which is overseen and managed by the Financial Crime team.

We are committed to countering bribery and corruption with suitable training, policies and procedures in place. All of these receive approval and support from senior management, and our policy is approved by the Board Risk Committee.


Ongoing assessment of changes to financial crime regulation and legislation, and identification of emerging risks, is a key activity. In 2023 the UK Government passed the Economic Crime and Corporate Transparency Act 2023, which introduces a new ‘failure to prevent fraud’ offence: a company will be criminally liable if it fails to prevent a fraudulent act perpetrated by one of its associated persons and cannot show that it had reasonable fraud prevention procedures in place. Government guidance on the offence was issued in November 2024 and the offence comes into effect on 1 September 2025. Phoenix will assess and undertake the necessary actions to meet the guidance provided.

Financial crime policies


Health and safety

Health and safety risks that are not properly managed could lead to a reduction in earnings and/or value through financial or reputational loss associated with adverse impacts on the health and wellbeing of colleagues, customers and third parties in the workplace.

We operate a Health and Safety policy which helps manage risks and adverse effects across our Group. Our Group Board oversees our approach to health and safety risks, and our Group Chief Executive Officer has overall responsibility for ensuring that any issues are managed. Our Health and Safety team maintains an effective health and safety management system, accredited to ISO 45001 for our UK business, and we are committed to continually improving it.

Arrangements are in place to manage onsite facilities across the sites, ensuring the workplace environment is compliant and fit for purpose. We carry out risk and hazard assessments to identify potential harms, and any actions required are recorded and completed. We also prepare for any emergency situations that may arise. We continually assess our progress in reducing risks against our targets.

All colleagues are required to complete annual computer-based health and safety training.

We have procedures in place to identify and manage any reportable incidents. In 2024 we had no reportable incidents.

Human rights

We recognise that Phoenix may be connected to impacts on people across our many roles and are committed to proactively avoiding and addressing harm that may occur through our operations, in how we support our customers and colleagues and within our supply chain and investment portfolio. Our Human Rights policy is overseen by our Group Board.

We are ambitious in our desire to lead the way in respecting human rights and recognise our responsibility to do this in accordance with:

  • The International Bill of Human Rights
  • The International Labour Organization’s (‘ILO’) Core Conventions

Our commitments

  • Aligning with the United Nations Guiding Principles on Business and Human Rights (‘UNGPs’), the authoritative global framework on business and human rights; our ambition is to encourage other organisations to do the same.
  • Aligning with the OECD Guidelines for Multinational Enterprises, a set of responsible business conduct standards for multinational enterprises, as well as the OECD guidance on responsible business conduct for institutional investors, where appropriate.
  • Conducting Group-wide human rights due diligence at least every three years throughout our business, including our operations, supply chain and investment portfolio.
  • Assessing the effectiveness of our current grievance mechanisms and building a system and process to ensure access to remedy for adverse impacts associated with our operations, activities and business relationships.
  • Transparently reporting progress on our human rights activities.
  • Updating our Human Rights policy at least every three years.

Our human rights policy sets out the action we are taking to respect human rights in accordance with the UNGPs.

Human rights framework diagram

Data protection

The Group processes large amounts of personal information every day and we take our data protection responsibilities seriously. The privacy notices on our websites provide full details of the processing activities we undertake across the Group and the rights individuals have regarding their information. We also have an internal Group Data Protection policy which is reviewed annually and documents the risks that need to be managed and the minimum control standards that need to be adhered to, to ensure all personal information is protected and an individual’s right to privacy is observed at all times. This policy is aligned not only to our corporate values, but also to the data protection legislation which applies to the Group. All colleagues are required to complete annual computer-based training to ensure they clearly understand the obligations placed on them. Any breaches can result in disciplinary action, including dismissal.

The policy is owned and overseen by the Group’s Data Protection Officer (‘DPO’), and Board accountability sits with the Group Chief Risk Officer. The DPO is supported by a central Data Protection team, which provides advice and oversight on the Group’s data protection obligations, and by dedicated data protection resource within the business and our outsourced partners. The team also undertakes and supports Group assurance activities to ensure ongoing compliance with data protection legislation. It acts as the contact point for data protection regulatory bodies, such as the Information Commissioner (and other EU supervisory authorities), and for individuals who wish to raise concerns regarding the processing of their personal information. Internal Audit performs independent reviews of our approach as part of our three lines of defence model.

Data breaches can result from a malicious attack or from accidental error, and can be widespread or affect a single individual. The Group operates a robust process to ensure data breaches are identified, reported and resolved appropriately.

Read our Privacy Hub

Our data protection commitments

  • You are in control: We understand your data belongs to you and process it transparently.
  • We are transparent: We will explain how we use your data in a clear and jargon-free manner.
  • We keep your data safe: We will protect your data and confidentiality.
  • We do not sell your data: We will never sell your data and will only share it with approved companies that provide you with our products and services.
  • We will use your data ethically and to add value: We will process your personal data to provide you with our services, make you aware of other useful offers and to continuously improve the products and services we provide to you.
  • Your rights: We will support you in exercising your data rights.

Cyber crime

The safety of our customers and colleagues is paramount. We have continued to strengthen and improve the security of customer data, commercial information and our people through the deployment of market-leading tools and controls, and through the harmonisation of our security policies.

Our Group Board oversees the effective management of cybersecurity threats, with regular updates provided to them by our Chief Information Security Officer (‘CISO’). The Chief Operating Officer (‘COO’) has regulatory responsibility for ensuring that cybersecurity threats are managed. The CISO is responsible day-to-day for leading our in-house information security team and suppliers in the delivery of our Group’s cyber management as well as analysing and responding to threats.

A Group-wide security programme enables the Group to operate safely and within appetite in a rapidly changing environment. We have a multi-year Cyber Programme with focuses on data security, secure deployment of cloud solutions, improved access management and continuous improvement of our cyber detect and respond capability. Our cyber security framework is ISO 27001 certified1 and our Cyber Security Policy is reviewed annually and made available to all colleagues.

Within our Information Security function, we have a Security Assurance Team focusing on external and internal cyber risks and controls through supplier assurance, threat intelligence, vulnerability management and penetration testing.

We have enhanced our colleague education and awareness programme to ensure security culture is embedded within the organisation. This includes educational videos, mandatory training and testing, focused awareness campaigns through various channels, cyber security month and onsite roadshows. We operate a network of information security champions across the business to support and drive cultural change.

We require colleagues to report, via our governance management tool, any information security incidents, defined as a breach or imminent threat of a breach of our policies or controls and relating to the confidentiality, integrity or availability of information. A high-priority incident, including cyber events, incidents and breaches must be notified immediately to our information security team. These are tracked through our incident management system and a log of any actions taken recorded.

Our approach is subject to external audit on at least an annual basis, and we conduct third-party vulnerability analysis, including simulated hacker attacks. Although the likelihood of a cyber-attack is increasing across industries, we aim to reduce this likelihood through our control framework and minimise any business and customer impacts through appropriate cyber resilience planning and testing. Our incident response plans are tested on at least an annual basis.

1. For employees, systems, data and processes for collecting data, processing payments, administration of workplace pension and benefits schemes from our Standard Life House office.

Business Ethics and Code of Conduct

Our Code of Conduct is core to who we are as a business. It reflects our Big Three culture, ambitions, and our brand ethos. It is why we are trusted as an organisation and an employer. Our Code is designed to enable us to fulfil our purpose of helping people secure a life of possibilities. Along with our suite of risk and HR policies, and the laws and regulations of the countries in which we work1, it provides a framework which supports colleagues in acting with integrity, due skill, care and diligence in every action they take.

Our Code forms an important part of the terms and conditions of our employment contracts. The Group Board has overall responsibility for our Code, but all colleagues are responsible for complying with it. We provide an annual computer-based training module which contains a copy of our Code; colleagues are asked to read it and then complete an attestation to confirm their understanding and compliance. This raises awareness and educates colleagues on a wide range of good ethical business practices and regulatory conduct standards that they must adhere to, and it supports them in delivering good outcomes for our customers.

If colleagues do not follow our Code, they put themselves, their colleagues and Phoenix at risk. We take financial and non-financial misconduct and breaches of our Code very seriously; they could result in disciplinary action, including dismissal and/or the reduction or recovery of remuneration. If colleagues have any concerns, or become aware of a breach of our Code, of Phoenix policies and/or of regulation, we encourage them to report this in the first instance, and at the earliest opportunity, to line management. The Speak Up Office is available if for any reason reporting to line management is not appropriate or preferred. Concerns can be raised through a number of channels, including a confidential Speak Up mailbox, or by post or telephone.

1 Our businesses that are outside the UK and Ireland have separate arrangements that incorporate their local laws and regulations.

Whistleblowing and speaking up

The Group promotes an open and supportive culture where all individuals are encouraged to speak up about any concerns they may have within our business. We have zero tolerance for the detrimental treatment of individuals who raise concerns.

In the first instance we hope colleagues will voice issues with line management; however, the Speak Up Office is available if for any reason that is not appropriate or preferred. Internally we accept concerns through a number of channels including a secure mailbox; we also partner with an independent third party – Safecall – who have both a hotline and a web form which can accept allegations in all native languages of the jurisdictions we operate in.

We inform our colleagues of our speak up arrangements by various means including employee and manager guides, intranet pages, annual computer-based training and ad hoc promotional campaigns and roundtable discussions. Independent external guidance and support are available to our colleagues from Protect, the UK’s leading whistleblowing charity, who we also work with.

Speak Up is recognised within the Group’s Risk Universe and a Speak Up Risk policy is in place which sets out the minimum controls and standards for the effective management of speak up and is subject to regular assessment and review. The policy is approved by the Group Board Audit Committee who, together with the Phoenix Group Holdings plc Board, receive a bi-annual update on its operation. The policy is sponsored by the Group General Counsel who holds responsibility for its design and implementation.

Under the Senior Managers and Certification Regime, Tim Harris, Life Board Audit Committee Chair, is Phoenix’s Whistleblowers’ Champion. He is responsible for overseeing the integrity, independence and effectiveness of the Company’s policies and procedures on whistleblowing.