Risk Management System
Described below are the risk management system and the risk and capital management processes; the latter are used to recognise the basic types of risks that the Triglav Group faces.
The objective of the comprehensive risk management system, a fundamental part of the governance system in the Triglav Group, is to ensure the achievement of the Group’s strategic objectives, its mission and vision. The underlying documents of this system are the Risk Underwriting and Management Strategy (hereinafter: the Strategy) and the Risk Appetite Statement (hereinafter: the Risk Appetite) of Zavarovalnica Triglav and the Triglav Group. They define the main strategic elements of the system and represent the basis for subordinate risk management documents, policies, methodologies and instructions.
The Strategy clearly defines a comprehensive risk management system within the Triglav Group and the guidelines for underwriting particular risk types, quantified in the Risk Appetite. This strategic document quantitatively defines the level to which the Group is able and willing to expose itself in individual risk segments, taking into account its strategic objectives and capital strength. On the basis of these documents, the internal risk management documents of several subsidiaries in the Group were revised.
The risk management system of the Group is based on the “Three Lines of Defence” model.
The first line of defence consists of the Management Board and the business functions, which actively manage concrete business risks through their business decisions and are primarily responsible for risk identification and underwriting.
The second line of defence is composed of business functions and decision-making bodies forming the risk management system, which includes exposure identification, measurement and monitoring as well as the exposure limit system.
The third line of defence includes the internal audit function. This function executes and is in charge of the processes and activities connected to regular efficiency reviews of the internal control environment in individual functional areas. Moreover, it is responsible for the effectiveness of the risk management system.
The key functions in Zavarovalnica Triglav are organised as independent organisational units, which carry out their duties and responsibilities independently from one another and from the other organisational units of the Company. All four key functions cooperate with one another and regularly exchange information necessary for their operation. They are performed at the Company level and provide for the transfer of minimum standards in their respective area to the subsidiaries of the Group. At least the tasks, responsibilities, processes and reporting obligations of every key function are regulated in detail in their internal documents.
The three lines of defence in risk management
The risk management chart according to the “Three Lines of Defence” model
The risk management function is in charge of providing support to the decision-making bodies and other functions in effective implementation of the risk management system, exercising control over the risk management system, monitoring the general risk profile, developing risk measurement methodologies and risk valuation models, performing the underlying risk analyses, reporting on risk exposures, and undertaking capital adequacy valuation using the standard Solvency II formula and other capital models. In accordance with the Solvency II legislation, the risk management function also performs own risk and solvency and financial standing assessment and prepares risk disclosures for publication.
The compliance function operates within the internal control system in line with the adopted policy. It monitors compliance of the Company’s operations with the regulations and any other commitments and informs the Management and Supervisory Boards thereof. Furthermore, the compliance function assesses the compliance risks of the Company’s operations and the potential impact of any changes in the legal environment on the operations, advises on coordination, as well as assesses the appropriateness and effectiveness of the procedures and measures to adapt the Company’s operations to changes in the legal environment.
The actuarial function primarily coordinates and calculates the insurance technical provisions:
- to ensure the appropriateness of the methods and models used as well as the assumptions made in the calculation of insurance technical provisions;
- to assess the appropriateness, sufficiency and quality of data required for the calculation of insurance technical provisions;
- to verify the appropriateness of the overall underwriting risk policy;
- to express an opinion whether the amount of the premium of individual products is sufficient to cover all the obligations arising from these insurance contracts;
- to examine the adequacy of reinsurance.
Furthermore, the actuarial function actively participates in the introduction and implementation of the risk management system, particularly in the development, application and monitoring of the appropriateness of capital requirement calculation models and in conducting own risk and solvency assessment. It performs its duties in accordance with the applicable legal provisions, its policy and standards. In the context of the second line of defence, the main task of actuarial function holders is to regularly monitor the implementation of the actuarial function in the area for which it is responsible and to inform the Supervisory Board and the Management Board of any major findings, as set out in the internal document.
The internal audit function performs constant and comprehensive control over the operations of the Company by increasing the benefits for the operations. This is achieved by assessing the adequacy and effectiveness of the Company’s governance, risk management and control procedures in an impartial, systematic and methodical manner and by making recommendations for their improvement. Apart from that, the internal audit function provides advice in agreement with the Management Board and the management of functional areas, cooperates with external auditors and the other supervisory bodies, monitors the implementation of internal and external auditors’ recommendations, participates in the performance of internal audits in other Group members, maintains the quality and provides for continuous development of internal auditing in Zavarovalnica Triglav, as well as transfers the know-how and good practices to other Group members. The internal audit function periodically reports on its activities and findings to the Management Board, the Audit Committee and the Supervisory Board. In their work, internal auditors must be impartial and must avoid any conflict of interest. Furthermore, they are not allowed to perform any development and operational tasks that could cause a conflict of interest and weaken their objectivity, nor do they decide on activities in the areas subject to internal auditing. The Internal Audit Department is in charge of the internal audit business processes.
Within the scope of their powers and responsibilities, the Supervisory Board gives consent to the Management Board with respect to written rules of the risk management system at the highest level, which includes discussing and giving approval to the Strategy, the Risk Appetite and other most important subordinate internal policies. The Supervisory Board is regularly briefed on the Company’s risk profile at its sessions.
The Management Board is legally bound to set up a comprehensive and effective risk management system that reduces the occurrence of unpredictable consequences. Furthermore, the Management Board strives for the Company’s optimal profitability or profitability of its operations based on the adopted Risk Appetite.
The business functions in Zavarovalnica Triglav and individual subsidiaries are responsible for risk underwriting and identification in their work area in accordance with the guidelines of the Management Board, as well as for risk management within the allowed exposure limits. The Triglav Group seeks to establish an integrated risk management system, whose organisational characteristic is that it is reflected in all business processes as a culture. Its goal is to identify all the risks arising in the operations of the Group by type of risk, business function, process, activity and employee. The risk management system is continually adapted to both the operations of the Group and the external environment. Its foundation was designed to provide a competitive advantage and generate added value, as the core activity of the Group is connected with underwriting the risks of the insured in return for the insurance premium and with additional risks arising from investing activities.
The second line of defence of the risk management system includes committees and other bodies, the Risk Management Department, the Non-Life Insurance Development and Actuarial Department, the Life Insurance Development and Actuarial Department and the Compliance Office. The main purpose of the committees is to provide support for the Management Board in the performance of regular monitoring, coordination and information activities related to risk management.
The decision-making bodies participating in the integrated corporate risk management process and the three lines of defence
* Risk underwriting (see the figure) is treated as a phenomenon or the occurrence of risks in the operations of the Company.
The Management Board appoints the committees, which have an advisory role, or grants them certain decision-making rights. The competences and powers of the committees are defined in the respective rules of procedure approved by the Management Board. The committees are an integral part of the risk management system of the Company and can be involved in the matters related to the risk management system, insurance products, etc. at the level of both Zavarovalnica Triglav and the Triglav Group.
The Risk Management Committee’s main task is to assist the Management Board in assessing exposure to business risks, identifying major risks and weaknesses in the internal control environment of the Company, controlling risk exposure and verifying whether risk exposure is compliant with the Risk Appetite, as set out in the Strategy of the Triglav Group and the Business Plan of Zavarovalnica Triglav. Apart from that, the Committee assists in risk identification and management as well as in fostering the risk culture by individual areas within the Company and the Group. The Committee also verifies the efficiency of the risk management functions and ensures that the Company not only has an appropriate infrastructure but also adequate resources and systems that allow for a satisfactory level of business risk management. The Risk Management Department is in charge of the setting up and continuous operation of the integrated risk management system in accordance with the requirements of the Strategy, the guidelines and decisions of the Risk Management Committee and any other decision-making bodies, as well as regulatory requirements and internal policies. Moreover, the Risk Management Department is the administrator of key processes of the risk management function at the level of both Zavarovalnica Triglav and the Triglav Group. The Department prepares risk exposure analyses and proposes risk management measures based on their results. In addition to the Risk Management Committee, the Risk Management Department provides support to other committees at the second line of defence of the risk management system.
The Assets and Liabilities Committee is the committee whose key goal is the creation of a balanced asset and liability management strategy of the Company, aimed at achieving the strategic objectives in line with the applicable legal and implementing regulations, by taking into account the Risk Appetite, risk exposure limits and any other restrictions that affect the asset and liability management process.
The Insurance Committee is an integral part of the Company’s and subsidiaries’ risk management systems, which monitors and identifies non-life underwriting risks and develops the non-life underwriting risk management system. The basic purpose of the Committee is to monitor and optimise the level and concentration of assumed risks and to propose limits or an optimal transfer of assumed risks to reinsurance, taking into account both the Risk Appetite of the Group and the risks arising from counterparty exposure in the event of transfer of non-life underwriting risks. The Non-Life Insurance Development and Actuarial Department and the Life Insurance Development and Actuarial Department are the administrators of key processes of the actuarial function. Furthermore, the actuarial departments actively participate in the implementation of the risk management system, particularly in the development, application and monitoring of the appropriateness of capital requirement calculation models and in conducting own risk assessment.
The Operational Risk Committee supervises the establishment of an appropriate, integrated operational risk management system and its operation, approves internal documents related to operational risk management, monitors the business continuity system, the recovery system, the information protection management system, the data quality management system, the prevention, detection and investigation system of external and internal fraud and unauthorised activities, as well as approves the outsourcing system and the operational (human resource) risk management system. The Committee also monitors the recommendations of the Internal Audit Department and their realisation, which affects the structure of the operational risk management system.
The Compliance and Ethics Committee deals with important or more complex issues related to ensuring compliance of the Company’s operations with regulations, internal rules and any other commitments of the Company, as well as with the views of the supervisory or any other state bodies. Moreover, the Committee discusses the issues involving ethical dilemmas or those related to codes or other ethical standards, which could have a significant impact on the reputation of the Company. The Compliance Office is the holder of the compliance function processes.
In Group members, the risk management system is established based on its structure in the controlling company in line with the principles laid down in the Minimum Risk Management Standards, taking into account the size, complexity and business profile of a particular subsidiary.
The Triglav Group applies the following two concepts to its risk management model:
- risk management at the level of an individual subsidiary or the parent company and
- centralised risk management at the Group level.
This means that risk management for individual subsidiaries of the Group takes place in subsidiaries themselves. Risk management at the Group level is executed by the Risk Management Department of Zavarovalnica Triglav in cooperation with the Subsidiary Management Department, the holding company Triglav INT and the subsidiaries. Particularly important are effective communication and quality exchange of data and information (time availability, methodological consistency, accounting verifiability, integrity).
The Risk Management Department plays the main role in the Group’s subsidiaries in the performance of tasks, coordination and introduction of both the risk management system and the risk management culture. The tasks of the risk management function include the calculation of capital requirements and own risk assessment. Complex and integrated processes and organisational units demand efficient operation of the committees at the second line of defence in the execution of tasks. The central role is played by the Risk Management Committee.
The risk management system of the Group is set up to ensure timely identification of all major risks. There is a standardised set of procedures, which provides for the understanding of the consequences of realised potential risks, the effects of interdependence of risks and the risk management methods of individual risks. The main building blocks of comprehensive risk management in the Company are the Strategy of the Triglav Group and the Business Plan of Zavarovalnica Triglav.
First, through the annual own risk and solvency assessment (ORSA), the most important events that could materially impact the achievement of objectives in the future are identified on the basis of the strategic objectives of the Company. The events that could have a negative impact on the performance of the Company are identified already in the strategic planning process for a specific period, especially those affecting the achievement of the planned key indicators and guidelines in the Risk Appetite.
Taking into account the restrictions in the Risk Appetite, the identified events having a material impact on strategic and business objectives represent the risks, which are then appropriately classified, assessed and analysed, particularly by impact and probability of occurrence. Based on the analysis, the Management Board adopts a decision on the risk management method (accept, transfer, mitigate or avoid). The catalogue is updated if new assumed risks arising from business decisions are identified. Furthermore, control activities are undertaken, which involve risk monitoring, measuring, management as well as adaptation of the reporting system. It is important that all employees involved in the comprehensive risk management system are kept informed and the process conclusions and results documented.
Risk management process of Zavarovalnica Triglav and the Triglav Group
The findings are included in the regular risk report, the Own Risk and Solvency Assessment Report and the Solvency and Financial Condition Report (SFCR), which will be published separately as of 2017. The Company also documents any deficiencies identified in the risk management system cycle, including proposals for improvements, and prepares measures and recommendations for its upgrade.
Prevention activities in risk management are based on the following two approaches: decomposition (e.g. product) and diversification (e.g. investment) of individual risk types. In risk exposure, the limit system is also used.
The goal of the asset-liability management process is to ensure an optimal return on investments with respect to the nature of insurance liabilities and the acceptable level of risks. The results of this optimisation are the investment policies of guarantee funds and asset backing liabilities, which specify the strategic asset allocation for every investment portfolio. These policies are approved by the Assets and Liabilities Committee. In addition to the underwriting and financial risks, the Company identifies and manages a range of other risks, such as operational and non-financial risks. The Triglav Group strives for comprehensive management of both systematic and unsystematic risks.
At any given time, the Triglav Group and Zavarovalnica Triglav must have sufficient capital, which allows them to assume a specific, measurable quantity of acceptable risks for the Group or the Company. Capital is the first criterion for assessing the solvency of an insurance undertaking. The primary goal of capital management is to guarantee the required and suitable capital adequacy level on both a consolidated and individual basis. In setting the level of acceptable risk, generation of appropriate profit for owners has to be ensured. In 2015 as well as in previous years, the Company was a safe and profitable financial institution, having an adequate capital level.
As required by the applicable legislation (the Insurance Act (ZZavar-1), the Commission Delegated Regulation (EU) 2015/35), the amount of available capital is measured regularly to make sure it is in line with the regulatory capital requirements for individual insurance subsidiaries and for the Group. Insurance subsidiaries of the Triglav Group maintain a surplus of available capital in excess of the capital requirements for their core business and for covering potential losses, as laid down in local legislation. This surplus provides protection against losses due to unforeseen unfavourable events and capital requirements. In addition to current capital adequacy levels, the Company plans and assesses the future capital and capital adequacy levels. In doing so, it monitors the effects of the environment on capital adequacy and provides for optimal capital allocation of Zavarovalnica Triglav, individual Group members and the Triglav Group. In order to evaluate solvency needs, the capital adequacy ratios of insurance-technical provisions for each insurance company in the Group are regularly monitored.
Capital adequacy is an essential part of the credit rating. Decisions concerning capital management are supported by the results of the capital models, based on which the credit ratings are assigned. The Company’s and the Group’s capital adequacy models are assessed by the credit rating agencies Standard & Poor’s (hereinafter: S&P) and A.M. Best. Credit rating is discussed in greater detail in Section Credit rating in the Triglav Group and Zavarovalnica Triglav.
Risk means the inability to correctly predict future events or the inability to fully control the actual events in relation to the expected. The external factors cause deviations from the planned activities, which impact performance. Moreover, risk is the inability to predict future business results with certainty. Risk is therefore the probability that the actual business result will be different than expected.
The main risk types are described below, whereas the risk management methods are described in greater detail in Section 2.
The basis for defining the risk appetite is identification of risks assumed by the Company and the Group. The risk identification process is ongoing, involving all functional areas in accordance with their respective powers and responsibilities. Its purpose is to ensure the inclusion of all risk types in the risk management system, to set up the risk exposure measurement process and to achieve uniform risk management and understanding at all management levels of the Company.
In its operations, the Company assumes the following major risks in accordance with the legislation and its business model:
- Underwriting risk is the risk of loss or of adverse change in the value of insurance liabilities, due to inadequate pricing and provisioning assumptions taken into account in the calculation of insurance technical provisions. Through risk underwriting, the Company is exposed to the premium risk, the risk of insurance technical provisions and the catastrophe risk.
- Financial risks comprise primarily market risk, liquidity risk and credit risk.
  - Market risk is the risk of loss or of adverse changes in the financial situation of an insurance undertaking, resulting from fluctuations in the level and in the volatility of market prices of assets, liabilities and financial instruments. These include interest risk, equity risk, real property price risk, credit spread risk and concentration risk.
  - Liquidity risk is the risk that the Company is unable to realise its investments and other assets in order to settle its financial obligations when they fall due or the obligations arising from major losses.
  - Credit risk is the risk of loss due to a counterparty’s default. The Company is exposed to the credit risk primarily through investing in debt securities and performing its insurance operations (the reinsurance credit risk, the credit risk of receivables).
- Operational risk is the risk of loss arising from inadequate or failed internal processes (or products), personnel or systems, or from external events and their impact.
- In terms of performance of the Company, the major non-financial risks include strategic risks, the reputation risk, and legal risks.
  - Strategic risk is the risk of loss due to adverse business decisions, improper implementation of adopted strategic decisions and insufficient responsiveness to changes in the business environment.
  - Reputation risk is the risk of loss arising from a negative image held regarding the insurance undertaking by its clients, business partners, the public, investors, owners and supervisors.
  - Legal risks mean the possibility of loss arising from non-performance of contractual obligations by the counterparty by reason of established legal deficiencies or inconsistencies in a contractual document or legal restrictions in particular business environments, which were unknown or insufficiently taken into account at the time of conclusion of the transaction.
Overview of main risks
Future challenges in risk management
The performance of the Company depends on a number of external, global and long-term factors. In order to ensure sustainable and profitable growth, great attention in the strategy is paid to constant improvement of the risk management system. In the strategic planning process, potential risks are recorded, whose impact on the achievement of the planned objectives may be examined through various scenarios in the own risk and solvency assessment process (ORSA).
In this respect, the key future challenges of the Triglav Group are to raise the minimum standards of key risk management, measurement and reporting in the Group’s subsidiaries and to improve the own risk and solvency assessment process in every insurance subsidiary to the level of Zavarovalnica Triglav, taking into account the size, complexity and business profile of individual subsidiaries.