6. Risk report
6.2 Risk management system
The focus of risk management with management structures and defined processes is the attainment of UNIQA’s and its subsidiaries’ strategic goals.
UNIQA’s Risk Management Guidelines form the basis for a uniform standard at various company levels. The guidelines are approved by the Group CFRO and the full Management Board and describe the minimum requirements in terms of organisational structure and process structure. They also provide a framework for all risk management processes for the most important classes of risk.
In addition to the Group Risk Management Guidelines, similar guidelines have also been prepared and approved for the Company's subsidiaries. The Risk Management Guidelines at subsidiary level were approved by the Management Board of the UNIQA subsidiaries and are consistent with UNIQA’s Risk Management Guidelines.
They aim to ensure that risks relevant to UNIQA are identified and evaluated in advance. If necessary, proactive measures are introduced to transfer or minimise the risk.
Intensive training on the content and utilisation of these guidelines is required in order to ensure that risk management is incorporated in everyday business activities. Extensive informative and training measures have therefore been taken since 2012; they will be continued in the future and extended to additional target groups.
Organisational structure (governance)
The detailed set-up of the process and organisational structure of risk management is set out in UNIQA’s Risk Management Guidelines. They reflect the principles embodied in the concept of “three lines of defence” and the clear differences between the individual lines of defence.
First line of defence: risk management within the business activity
Those responsible for business activities must develop and put into practice an appropriate risk control environment to identify and monitor the risks that arise in connection with the business and processes.
Second line of defence: supervisory functions including risk management functions
The risk management function and the supervisory functions, such as controlling, must monitor business activities without encroaching on operational activities.
Third line of defence: internal and external auditing
This enables an independent review of the formation and effectiveness of the entire internal control system, which comprises risk management and compliance (e.g. internal auditing).
Group Management Board and Group functions
The UNIQA Insurance Group AG Management Board is responsible for establishing the business policy objectives and determining the associated risk strategy. The core components of the risk management system and the associated governance are enshrined within the UNIQA Group Risk Management Policy adopted by the Management Board.
The function of Chief Financial and Risk Officer (CFRO) is a separate area of responsibility at the Group Management Board level. This ensures that risk management is represented on the Group Management Board. The CFRO is supported in the implementation and fulfilment of risk management duties by the Group Actuarial and Risk Management unit.
A central component of the risk management organisation is UNIQA’s risk management committee, which carries out monitoring and initiates appropriate action in relation to the current development and the short and long-term management of the risk profile. The risk management committee establishes the risk strategy, monitors and controls compliance with risk-bearing capacity and limits, and therefore plays a central role in the management process implemented under UNIQA’s risk management system.
UNIQA insurance company
In the UNIQA insurance companies, the CRO function has also been established at the Management Board level, with the functions of the risk manager at the next level down. A consistent, uniform risk management system has therefore been set up throughout the Group.
As at Group level, each of the UNIQA insurance companies has its own risk management committee, which forms a central element of the risk management organisation. This committee is responsible for the management of the risk profile and the associated specification and monitoring of risk-bearing capacity and limits.
The Supervisory Board at UNIQA Insurance Group AG receives comprehensive risk reports at Supervisory Board meetings.
Risk management process
UNIQA’s risk management process delivers periodic information about the risk profile and enables the top management to make the decisions for the long-term achievement of objectives.
The process concentrates on risks relevant to the Company and is defined for the following classes of risk:
- Actuarial risk (property and casualty insurance, health and life insurance)
- Market risk/Asset-Liability Management risk (ALM risk)
- Credit risk/default risk
- Liquidity risk
- Concentration risk
- Strategic risk
- Reputational risk
- Operational risk
- Contagion risk
- Emerging risk
A Group-wide, standardised risk management process regularly identifies, evaluates and reports on risks to UNIQA and its subsidiaries within these classes of risk.
Risk identification is the starting point for the risk management process, systematically recording all major risks and describing them in as much detail as possible. In order to conduct as complete a risk identification as possible, different approaches are used in parallel, and all classes of risk, subsidiaries, processes and systems are included.
The risk categories of market risk, technical risk, counterparty default risk and concentration risk are evaluated at UNIQA by means of a quantitative method based on the standard approach of Solvency II and the ECM approach. Furthermore, risk drivers are identified for the results from the standard approach and analysed to assess whether the risk situation is adequately represented (in accordance with the Company’s Own Risk and Solvency Assessment (ORSA)). All other classes of risk are evaluated quantitatively or qualitatively with their own risk scenarios.
The scenario analysis (of UNIQA’s internal and external economic risk situation) is generally a crucial element in the risk management process.
A scenario is a possible internal or external event that has a short-term or medium-term effect on consolidated profit or loss, the solvency position or sustainability of future results. The scenario is formulated with respect to its inherent characteristic (e.g. the start of Greece’s insolvency) and evaluated in terms of its financial effect on UNIQA. The likelihood that the scenario will actually occur is also considered.
Limits/early warning indicators
The limit and early warning system determines risk-bearing capacity (available equity according to IFRS, economic capital) and capital requirements on the basis of the risk situation at ongoing intervals, thereby deriving the level of coverage. If critical coverage thresholds are reached, then a precisely defined process is set in motion, the aim of which is to bring the level of solvency coverage back to a non-critical level.
A quarterly report on the solvency situation, together with a monthly risk report on the biggest risks identified, are prepared for each UNIQA insurance company and for the UNIQA Group on the basis of detailed risk analysis and monitoring. The reports for each individual UNIQA subsidiary and the UNIQA Group itself have the same structure, providing an overview of major risk indicators such as risk-bearing capacity, solvency requirements and risk profile. In addition, quantitative and qualitative reporting (in the form of the quantitative reporting templates and the narrative report respectively) is implemented for the UNIQA Group and for all subsidiaries for which Solvency II reporting is mandatory.
Activities and objectives in 2016
Based on external and internal developments, activities in 2016 focused on the following:
- Preparation of the reporting requirements in accordance with Solvency II
- Merger of the operational UNIQA insurance companies in Austria in the course of the Group mergers
- Preparation of other new regulatory requirements
With the entry into force of Solvency II, Risk Management has been working on setting up the new reporting required under Pillar III. Part of the reporting requirements from Directive 2009/138/EC of the European Parliament from 25 November 2009 (Solvency II) relates to the Solvency and Financial Condition Report (SFCR), which aims to make an insurance company's solvency and financial position transparent for market participants. The report includes quantitative and qualitative information on the company's business activities (economic framework), the governance system (organisational structure, internal control system, compliance, internal audit and actuarial function), UNIQA’s risk profile, the valuation methods for solvency purposes and on capital management (own funds, solvency capital requirements, etc.) in the company. The aim is to enable the reader of the report to gain a clear picture of the company's financial position based on this comprehensive information.
In addition to the SFCR, the insurance company is also required to provide a fully comprehensive supervisory report known as the Regular Supervisory Report (RSR). The first time that this Report will be provided to the supervisory authority is for the valuation date of 31 December 2016; it differs from the SFCR essentially by the inclusion of details on the results, the business planning periods and projections, as well as details on the remuneration of members of the Management Board.
The Quantitative Reporting Templates (QRTs) are a further essential part of the reporting: these include purely quantitative statements on an insurance company, and are reported to the supervisory authorities in accordance with the filing rules of the European Insurance and Occupational Pensions Authority (EIOPA). A distinction is made here between quarterly and annual reports, which are provided both for individual companies as well as for the Group. UNIQA has invested in technical service programmes to support implementation of proper and timely reporting, and these also meet the corresponding requirements.
One of the substantial risk management topics in 2016 involved activities related to the merger of the UNIQA insurance companies operating in Austria into the company UNIQA Österreich Versicherungen AG (“AT merger”). These activities resulted in the need to implement an ad-hoc Own Risk and Solvency Assessment (“ad-hoc ORSA”). The appropriateness of the Solvency II standard formula for the new company was tested in this ad-hoc ORSA, and a review took place on whether all material risks had been captured in the risk management process. Solvency planning was also completed for the planning period, with this planning exposed to multiple stress scenarios. The “AT merger” also gave rise to a need to alter the partial internal model for casualty/property insurance, resulting in postponement of the regulatory application process to 2017.
From a regulatory point of view, 2016 was characterised primarily by Solvency II and its entry into force on 1 January 2016. Following wide-ranging points of criticism related to harmonisation, setting of parameters and different national interpretations, the European Commission had already launched the “SII Review Process”, appointing EIOPA to analyse and elaborate on the critical topics as part of this. EIOPA is required to submit “technical advice” to the European Commission by 31 October 2017. There is explicit emphasis on the calibration of natural catastrophe cover, the flat-rate real estate shock and the reduced reporting timelines. EIOPA itself plans to reinforce its efforts over the next three years to harmonise the implementation of supervisory law throughout Europe, additional improvements to product-related consumer protection and safeguarding the financial stability of insurance (see Strategic Work Plan 2017–2019).
There is a focus currently on issues surrounding the Insurance Distribution Directive (IDD) and the Regulation on insurance-based investment products (PRIIPs Regulation) with reference to promoting the Digital Single Market and developing the consumer protection provisions related to financial services for private customers. The IDD officially came into force at the start of the year and now has to be implemented in national law by 22 February 2018. For the implementation process, further essential details will be defined at level 2 by delegated acts related to product monitoring and inspection, conflicts of interest, incentives and an assessment of suitability and fitness for purpose along with reporting obligations to customers. EIOPA has launched a comprehensive consultation process in connection with this and also initiated the consultation on technical standards for a mandatory product information document (PID) for non-life products.
As of 31 December 2016 the PRIIPs Regulation requires insurance companies to create a pre-contractual information document (the Key Information Document – KID). At the present time this covers all life insurance products that have a maturity or surrender value. In terms of the format for the KID, Regulatory Technical Standards (RTS) have been developed at level 2 by the ESA (collaboration between the three European supervisory authorities EIOPA, EBA and ESMA), and these were accepted by the European Commission on 30 June 2016. The RTS were subject to massive criticism from the insurance industry as a result of errors and the short deadline for implementation, and were rejected by the European Parliament on 14 September 2016. A postponement term of twelve months, which had already been publicised beforehand, was agreed by the College of Commissioners on 9 December 2016.
At the European level, EIOPA is currently considering plans to subject the UFR (Ultimate Forward Rate) to an annual recalculation. The current fixed value of 4.2 per cent was determined in 2010 within the scope of Omnibus II, and EIOPA no longer believes that this is appropriate for current conditions. EIOPA is proposing a change to the calculation methodology and a gradual reduction (max. 20 basis points) in annual steps. This procedure is now being increasingly questioned by the European insurance industry, primarily based on legal conditions. A decision is expected in March 2017.