Risk governance is a part of the broader Group system of governance.
The Group system of governance, which includes the internal control and risk management system, consists of the roles and responsibilities of the Administrative, Management or Supervisory Body (AMSB), of the Senior Management and of the Key Functions. It also consists of the policies, administrative and accounting procedures and organizational structures aimed at identifying, evaluating, measuring, managing and monitoring the main risks.
Key elements of the internal control and risk management system are:
- internal control environment;
- internal control activities;
- monitoring and reporting.
To ensure a consistent framework throughout the Group, the Parent Company sets Group Directives on the System of Governance, complemented by Group Internal Control and Risk Management Policies, which have to be applied by all Group Legal Entities.
The Group system of governance is founded on the establishment of an AMSB and of three lines of defence:
- the Operating Functions (“risk owners”), which represent the first line of defence and have ultimate responsibility for risks relating to their area of responsibility;
- Actuarial, Compliance and Risk Management Functions, which represent the second line of defence;
- Internal Audit, which represents the third line of defence.
Internal Audit together with Actuarial, Compliance and Risk Management Functions represent the “Key Functions”.
The roles and responsibilities of the AMSB and related committees, Senior Management, Key Functions and the interactions among Key Functions are described within the Corporate Governance Report. Key roles within the risk management system are outlined below:
- the AMSB is ultimately responsible for the System of Governance and must ensure that the Group Legal Entity’s system of governance and internal control and risk management system are consistent with all the applicable regulations. To this end, the AMSB, supported by the Key Functions, reassesses the adequacy of the System of Governance periodically and at least once a year. The AMSB approves the Group Legal Entity’s organizational set-up; establishes the Key Functions, defining their mandate and reporting lines, as well as, where appropriate, any support committee; adopts Group Internal Control and Risk Management Policies; performs the duties related to the ORSA, risk concentration and intragroup transactions; and approves the ORSA results and, based on them, defines the risk appetite;
- the Senior Management is responsible for the implementation, maintenance and monitoring of the system of internal controls and risk management, including risks arising from non-compliance with regulations, in accordance with the directives of the AMSB;
- Key Functions are established at Group level and within the operating entities:
  - the Risk Management Function supports the AMSB and Senior Management in ensuring the effectiveness of the risk management system and provides advice and support to the main business decision-making processes;
  - the Compliance Function ensures that the organizational and internal procedures are adequate to manage the risk of incurring administrative or judicial fines, economic losses or reputational damage as a consequence of non-compliance with laws, regulations and provisions, and the risk deriving from unfavourable changes in the law or judicial orientation (compliance risk);
  - the Actuarial Function coordinates the technical provisions calculation and ensures the adequacy of underlying methodologies, models and assumptions, verifies the quality of the related data and expresses an opinion on the overall Underwriting Policy and on the adequacy of reinsurance arrangements;
  - the Audit Function verifies business processes and the adequacy and effectiveness of controls in place, also providing support and advice.
Heads of Key Functions report to the AMSB.
Group Key Functions collaborate according to a pre-defined coordination model, in order to share information and create synergies. Strong Parent Company coordination and direction for Key Functions is ensured by the so-called solid reporting lines model established between the head of the Group Key Function and the heads of the respective Functions within the operating entities.
Risk Management System
The principles defining the Group risk management system are provided in the Risk Management Group Policy³, which is the cornerstone of all risk-related policies and guidelines. The Risk Management Group Policy covers all risks, on a current and forward-looking basis, and is implemented in a consistent manner across the Group.
Generali Group’s risk management process is defined in the following phases:
The purpose of risk identification is to ensure that all material risks to which the Group is exposed are properly identified. To this end, the Risk Management Function interacts with the main Business Functions in order to identify the main risks, assess their importance and ensure that adequate measures are taken to mitigate them according to a sound governance process. Emerging risks⁴, which relate to new risks and developing trends characterized by uncertain evolution and often of a systemic nature, are also considered within this process.
Identified risks are then measured through their contribution to the Solvency Capital Requirement (SCR), complemented by other modelling techniques deemed appropriate and proportionate to better reflect the Group risk profile. Using the same metric for measuring the risks and the capital requirements ensures that each risk is covered by an adequate amount of capital that could absorb the loss incurred if the risk materializes. For SCR calculation purposes, 1-in-200-year events are considered.
The SCR is calculated by means of the Group’s PIM⁵ for financial, credit, life and non-life underwriting risks. Operational risks are measured by means of the standard formula, complemented by qualitative risk assessments. The PIM provides an accurate representation of the main risks to which the Group is exposed, measuring not only the impact of each risk taken individually but also their combined impact on the Group’s Own Funds.
Group PIM methodology and governance are provided in the section C. Solvency Position. Insurance and Re-Insurance Entities not included in the PIM scope calculate the capital requirement based on the standard formula, while Other Financial Services (e.g. banking or pension funds) calculate the capital requirement based on their own specific sectoral regimes.
Other risks, for which no SCR is calculated, such as liquidity, reputational, strategic, contagion, emerging and additional Group specific risks (i.e. risks from intragroup transactions, risk concentrations), are evaluated on the basis of quantitative and qualitative techniques, models and additional stress testing or scenario analysis.
Risk management and control
The risks to which the Group is exposed are managed on the basis of the Group Risk Appetite Framework (RAF), defined by the AMSB. The Group RAF defines the level of risk the Group is willing to accept in conducting business and thus provides the overall framework for embedding risk management into business processes. In particular, the RAF includes the statement of risk appetite, the risk preferences, the risk metrics, the tolerance and the target levels.
The purpose of the Group RAF is to set the desired level of risk on the basis of the Group strategy. The Group RAF statement is complemented by qualitative assertions (risk preferences) supporting the decision-making processes, by risk tolerances providing quantitative boundaries to limit excessive risk-taking, and by a target operating range providing indications on the solvency level at which the Group aims to operate. Tolerance and target levels refer to capital and liquidity metrics.
The Group RAF governance provides a framework for embedding risk management into day-to-day and extraordinary business operations and control mechanisms as well as the escalation and reporting to be applied in case of risk tolerance breaches. Should an indicator approach or breach the defined tolerance levels, escalation mechanisms are activated.
The purpose of risk reporting is to keep Senior Management and AMSB aware and informed on the development of the risk profile, the trends of single risks and the breaches of risk tolerances on an ongoing basis.
The ORSA process includes the assessment and reporting of all risks, also in a forward-looking view. The ORSA process includes the assessment of all risks, whether or not quantifiable in terms of capital requirements. Within the ORSA, stress tests and sensitivity analyses are also performed to assess the resilience of the solvency position and risk profile to changed market conditions or specific risk factors.
Generali Group applies a Group-wide process, which implies that each Group Legal Entity is responsible for the preparation of its own ORSA Report and the Parent Company coordinates the Group ORSA reporting process.
At Group level, the process is coordinated by the Risk Management Function, supported by other Functions as regards Own Funds, technical provisions and other risks.
The purpose of the ORSA process is to provide the assessment of risks and of the overall solvency needs on a current and forward-looking basis. The ORSA process ensures an ongoing assessment of the solvency position based on the Strategic Plan and the Group Capital Management Plan.
The Group ORSA Report, documenting main results of this process, is produced on an annual basis. A non-regular ORSA Report can also be produced in case of significant changes of the risk profile.
3 The Risk Management Group Policy covers all Solvency II risk categories and, in order to adequately deal with each specific risk category and the underlying business processes, is complemented by the following risk policies: Group Investment Governance Policy; P&C Underwriting and Reserving Group Policy; Life Underwriting and Reserving Group Policy; Group Operational Risk Management Policy; Liquidity Risk Management Group Policy; other risk-related policies, such as Group Capital Management Policy, Supervisory Reporting & Public Disclosure Group Policy, Group Risk Concentrations Management Policy etc.
4 Major details on emerging risk definition are provided in section D. Risk Profile.
5 The PIM use for the SCR calculation at Group level has been approved for the insurance entities in Italy, Germany, France, Austria, Switzerland as well as for the biggest Czech company, Česká pojišťovna a.s. For the other entities, the standard formula is applied. Other financially regulated entities apply local sectorial requirements.