40. Risk management system
The focus of risk management with management structures and defined processes is the attainment of UNIQA’s and its Group companies’ strategic goals.
UNIQA’s Risk Management Guidelines form the basis for a uniform standard at various company levels. The guidelines are approved by the CFRO and the full Management Board and describe the minimum requirements in terms of organisational structure and process structure. They also provide a framework for all risk management processes for the most important classes of risk.
In addition to the Group Risk Management Guidelines, similar guidelines have also been prepared and approved for the Group companies. The Risk Management Guidelines at company level were approved by the Management Board of the UNIQA Group companies and are consistent with UNIQA’s Risk Management Guidelines.
They aim to ensure that risks relevant to UNIQA are identified and evaluated in advance.
Organisational structure (governance)
The detailed setup of the process and organisational structure of risk management is set out in UNIQA’s Risk Management Guidelines. They reflect the principles embodied in the concept of “three lines of defence” and the clear differences between the individual lines of defence.
First line of defence: risk management within the business activity
Those responsible for business activities must develop and put into practice an appropriate risk control environment to identify and monitor the risks that arise in connection with the business and processes.
Second line of defence: supervisory functions including risk management functions
The risk management function and the supervisory functions, such as controlling, must monitor business activities without encroaching on operational activities.
Third line of defence: internal and external auditing
This enables an independent review of the formation and effectiveness of the entire internal control system, which comprises risk management and compliance (e.g. internal auditing).
The relevant responsibilities are shown accordingly in the overview above. In addition, the Supervisory Board at UNIQA Insurance Group AG receives comprehensive risk reports at Supervisory Board meetings.
Risk management process
UNIQA’s risk management process delivers periodic information about the risk profile and enables the top management to make the decisions for the long-term achievement of objectives.
The process concentrates on risks relevant to the company and is defined for the following classes of risk:
- Actuarial risk (property and casualty insurance, health and life insurance)
- Market risk/Asset-Liability Management risk (ALM risk)
- Credit risk/default risk
- Liquidity risk
- Concentration risk
- Strategic risk
- Reputational risk
- Operational risk
- Contagion risk
- Emerging risk
A Group-wide, standardised risk management process regularly identifies, evaluates and reports on risks to UNIQA and its Group companies within these classes of risk.
UNIQA’s risk management process
Risk identification is the starting point for the risk management process, systematically recording all major risks and describing them in as much detail as possible. In order to conduct as complete a risk identification as possible, different approaches are used in parallel, and all classes of risk, subsidiaries, processes and systems are included.
The risk categories of market risk, technical risk and default risk are evaluated at UNIQA by means of quantitative methods either based on the Solvency II standard approach or the partial internal model for property and casualty insurance. Furthermore, risk drivers are identified for the results from the standard approach, and analysed to assess whether the risk situation is adequately represented (in accordance with the Company’s Own Risk and Solvency Assessment (ORSA)). This results in the ECM approach adjusted to the UNIQA portfolio. All other classes of risk are evaluated quantitatively or qualitatively with their own risk scenarios.
The scenario analysis (of UNIQA’s internal and external economic risk situation) is generally a crucial element in the risk management process.
A scenario is a possible internal or external event that has a short-term or medium-term effect on consolidated profit/(loss), the solvency position or sustainability of future results. The scenario is formulated with respect to its inherent characteristic (e.g. the start of Greece’s insolvency) and evaluated in terms of its financial effect on UNIQA. The likelihood that the scenario will actually occur is also assessed.
The limit and early warning system determines risk-bearing capacity (economic equity) and capital requirements based on the risk situation at ongoing intervals, thereby deriving the level of coverage. If critical coverage thresholds are reached, then a precisely defined process is set in motion, the aim of which is to bring the level of solvency coverage back to a non-critical level.
A summary of the largest identified risks is prepared for each UNIQA insurance company and for the UNIQA Group as part of the quarterly reporting process on the basis of detailed risk analysis and monitoring. The reports for each individual UNIQA Group company and the UNIQA Group itself have the same structure, providing an overview of major risk indicators such as risk-bearing capacity, solvency requirements and risk profile. In addition, quantitative and qualitative reporting (in the form of the quantitative reporting templates and the narrative report respectively) is implemented for the UNIQA Group and for all Group companies for which Solvency II reporting is mandatory.
Activities and objectives in 2018
Based on external and internal developments, activities in 2018 focused on the following:
- Establishment of the Shared Service Centre (SSC) Bratislava
- Partial internal model for the market risk
- Revision of the concept for the Internal Control System (ICS)
- Implementation of data protection measures
- Emerging Risk Radar 2018
- Purchase of cyber insurance
UNIQA took a crucial step towards a “shared services” model in the second quarter of this year with the establishment of UNIQA 4WARD as a branch of UNIQA Insurance Group AG. The purpose of this branch located in Bratislava is to overcome resource shortages more effectively and to relieve the strain of the day-to-day work on the local companies. UNIQA 4WARD forms the basis for meeting future additional requirements in good time and based on the requisite quality. In addition to creating a concept for recruiting and employer branding, the main focus this year was on the areas of actuarial services and risk management. A cross-border scoping and design phase resulted in three processes being determined that will be implemented as part of a pilot phase in 2019. The first employees have already undergone a comprehensive training programme in order to enable them to implement these pilot processes successfully.
UNIQA has also worked intensively on the developments to the partial internal model (which was approved on 11 December 2017 for property and casualty insurance). Specifically, the model was expanded to include the market risk module. Work on the market risk model had already started in 2017, and this was completed and fully calculated for internal purposes in 2018. The essential changes as compared with the standard formula feature in the modules for interest, spreads and real estate.
The major structural changes in the Group (UIP, TOM) and adjustments in the value chain associated with these resulted in the need to restructure the ICS within the Group and adapt this to the new conditions. As part of the ICS project launched subsequently, an analysis of the current situation was carried out at an initial stage in order to identify the essential action areas. The concept of the “new ICS” was then developed as part of a design phase building on this. The essential reform involves harmonisation of a Group-wide risk catalogue and a focus on the operational risks relevant to the Group and the Group companies. The suitability of the new approach in practice was tested extensively in two pilot tests on selected processes in Austria and Poland.
The entry into force of the General Data Protection Regulation (GDPR) required extensive actions on the part of UNIQA. The high financial risk (with penalties involving fines of €20 million or 4 per cent of annual turnover) as well as the reputational risk in the event of incidents or a failure to comply can be handled in a structured manner through implementation of a data management system (DMS). Data protection is an integral part of the UNIQA organisation and is constantly developed as part of a continuous improvement process. For instance, data protection coordinators operate in all significant specialist departments, and viable data protection processes are also in place. A high degree of maturity has been achieved in enforcing the rights of data subjects. Future areas of focus for the implementation project include further development of secure communication channels and the implementation of technical and organisational measures.
Insurance companies are required to operate in a risk landscape that is constantly changing and that features new environmental policy, technological, economic and legal developments as well as their reciprocal dependencies. UNIQA therefore developed a structured process in 2018 which identifies potential emerging risks, assesses their impact on our portfolio, analyses the results and summarises these in a report. The procedure was implemented for the first time this year. Management at UNIQA as well as experts were involved in the process using questionnaires, with the following three emerging risks assessed as the ones most relevant to UNIQA: cyber risk, competition from InsurTech, along with changes to the weather and natural disasters. The emerging risk process will be implemented each year. UNIQA is also a member of the CRO forum which works on the issue as part of a separate working group.
Increasing concerns regarding security risks continue to dominate the discussion in almost all forums of industry and the public sector. UNIQA’s IT systems and applications are also exposed to various security risks. The loss or impaired performance of these can cause serious damage to the company or to individual business lines depending on their importance for our business. The UNIQA Group finalised its cyber insurance policy in 2018 in order to counter this. The policy covers own damage and additional costs caused by malicious attacks, accidental incidents and the loss of personal data. Example costs include investigations by internal and external experts, the restoration of data and repairs to IT systems. Another element covered under the insurance includes third-party damage and liability towards third parties for financial loss incurred by them (claims for compensation and costs of defence). Finalisation of the insurance means that UNIQA has taken an important step towards implementing integrated protection for tangible and intangible assets.