Risk governance is a part of the broader Group internal control and risk management system.
The Group internal control and risk management system is the set of rules, procedures and structures that ensure the effective operation of the company and enable it to identify, manage and monitor the main risks to which it is exposed. Key elements of the system are:
- internal control environment and activities;
- awareness and monitoring;
- reporting duties;
- roles and responsibilities that the Board of Directors (BoD) and its committees, the Senior Management, including the Chief Executive Officer (CEO), also acting as the Director in charge of the internal control and risk management system, and the Chief Financial Officer (CFO), appointed as Manager in charge of the preparation of the company’s financial reports, as well as risk owners and Control Functions must discharge within the internal control and risk management system.
To ensure a consistent framework through the Group, the Parent Company sets Group Directives on Internal Control and Risk Management System, complemented by Group Risk Policies, which have to be applied by all Group companies.
The Group internal control and risk management system is founded on the establishment of three lines of defence:
- the Operating Functions (the “risk owners”), which represent the first line of defence and have ultimate responsibility for risks relating to their area of expertise;
- Actuarial, Compliance and Risk Management Functions, which represent the second line of defence;
- Internal Audit, which represents the third line of defence.
Internal Audit together with Actuarial, Compliance and Risk Management Functions represent the “Control Functions”.
The roles and responsibilities of the BoD and related committees, Senior Management, Control Functions and the interactions among Control Functions are described within the Corporate Governance Report.
Key roles within the risk management system are outlined below:
- the BoD defines, with the Risk and Control Committee’s support, the guidelines of the internal control and risk management system and assesses its adequacy, effectiveness and functioning at least once a year. With the same Committee’s support, it also defines the organizational set-up, appoints the heads of the Control Functions (for the head of Internal Audit, after hearing the opinion of the Board of Statutory Auditors) and approves their annual activity plans, adopts Group risk policies, approves the ORSA results and, based on them, defines the risk appetite and tolerance limits;
- the Senior Management is responsible for executing the defined strategy, implementing the internal control system and keeping it suitable and effective;
- Control Functions are established at Group level and within the operating entities:
- the Risk Management Function supports the BoD and Senior Management in ensuring the effectiveness of the risk management system and provides advice and support to the main business decision-making processes;
- the Compliance Function ensures that the internal control system is adequate to manage compliance risks, thus contributing to maintaining the Group’s integrity and reputation;
- the Actuarial Function coordinates the calculation of technical provisions and ensures the adequacy of the underlying methodologies, models and assumptions, verifies the quality of the related data and expresses an opinion on the overall Underwriting Policy;
- the Audit Function verifies business processes and the adequacy and effectiveness of controls in place.
Heads of Control Functions report functionally to the BoD, except the head of Group Audit, who reports both hierarchically and functionally to the BoD.
Group Control Functions collaborate according to a pre-defined coordination model in order to share information and create synergies. Strong Parent Company coordination and direction of the Control Functions is ensured by the so-called solid reporting lines model established between the head of each Group Control Function and the heads of the respective Functions within the operating entities.
Risk Management System
The principles defining the Group risk management system are provided in the Group Risk Management Policy1 which is the cornerstone of all risk-related policies and guidelines. The Group Risk Management Policy covers all risks, on a current and forward-looking basis and is implemented in a consistent manner across the Group.
Generali Group’s risk management process is defined in the following phases:
The purpose of the risk identification is to ensure that all material risks to which the Group is exposed are properly identified. To this end, the Risk Management Function interacts with the main Business Functions in order to identify the main risks, assess their importance and ensure that adequate measures are taken to mitigate them according to a sound governance process. Within this process, emerging risks are also considered.
The categorization of identified risks follows Solvency II risk categories.
Identified risks are then measured through their contribution to the capital requirement, complemented by other modelling techniques deemed appropriate and proportionate to better reflect the Group risk profile.
Using the same metric for measuring the risks and the capital requirements ensures that each risk is covered by an adequate amount of capital that could absorb the loss incurred if the risk materializes.
The capital requirement is calculated by means of the Group’s PIM2 for financial, credit, life and non-life underwriting risks. Operational risks are measured by means of standard formula, complemented by quantitative and qualitative risk assessments. The PIM provides an accurate representation of the main risks to which the Group is exposed, measuring not only the impact of each risk taken individually but also their combined impact on the Group’s Own Funds.
Group PIM methodology and governance are provided in section Solvency Position.
Liquidity risk and other risks are evaluated based on quantitative and qualitative techniques, models and additional stress testing or scenario analysis.
Risk management and control
The Group RAF defines the level of risk the Group is willing to accept in conducting business and thus provides the overall framework for embedding risk management into business processes.
The purpose of the Group RAF is to set the desired level of risk on the basis of the Group strategy. The Group RAF statement is complemented by qualitative assertions (risk preferences) supporting the decision-making processes, as well as by risk tolerances providing quantitative boundaries that limit excessive risk-taking. These are expressed in terms of hard and soft tolerances. Tolerance levels are set on the basis of capital and liquidity metrics.
The Group RAF governance provides a framework for embedding risk management into day-to-day and extraordinary business operations and control mechanisms as well as the escalation and reporting to be applied in case of risk tolerance breaches. Should an indicator approach or breach the defined tolerance levels, escalation mechanisms are activated. The integration of the Group RAF in the business process is in particular foreseen for the strategic planning process, the strategic asset allocation, the product development process, as well as for extraordinary operations management.
The purpose of risk reporting is to keep Business Functions, Senior Management, BoD and also the Supervisory Authority aware and informed on the development of the risk profile.
The Own Risk and Solvency Assessment (ORSA) process includes the assessment and reporting of all risks on the basis of the Strategic Plan.
The ORSA reporting process is the main risk reporting tool and is coordinated by the Risk Management Function. As regards Own Funds, technical provisions and other risks, support is given by the other accountable Functions.
The purpose of the ORSA process is to provide the assessment of risks and of the overall solvency needs on a current and forward-looking basis. The ORSA process ensures an ongoing assessment of the solvency position based on the Strategic Plan and the Group Capital Management Plan, followed by a regular communication of ORSA results to the Supervisory Authority after BoD approval.
The ORSA process includes the assessment of the risks in scope of the capital requirement, along with other risks that are not included in the capital requirement calculation. Within the ORSA, stress tests and sensitivity analyses are also performed to assess the resilience of the solvency position and risk profile to changed market conditions or specific risk factors.
The Group ORSA Report, documenting the main results of this process, is produced on an annual basis; a non-regular ORSA Report is produced in case of significant changes to the risk profile.
1 The Group Risk Management Policy covers all Solvency II risk categories and, in order to adequately deal with each specific risk category and the underlying business processes, is complemented by the following risk policies: Group Investment Governance Policy; Group P&C and Reserving Policy; Group Life and Reserving Policy; Group Operational Risk Management Policy; Group Liquidity Risk Management Policy; other risk-related policies, such as Group Capital Management Policy, Group Supervisory Reporting and Public Disclosure Policy, Group Risk Concentrations Management Policy etc.
2 The Group PIM use for the SCR calculation has been approved for the insurance entities in Italy, France, Germany as well as for the biggest Czech company, Česká pojišťovna a.s. For the other entities, the standard formula is applied. Other financially regulated entities apply local sectorial requirements.