Risk Management

The Risk Report aims at providing adequate disclosure of the risks the Group is exposed to and, more generally, of the system of management and supervision of these risks. In particular, the nature and extent of risks arising from financial instruments and insurance contracts, which the Group is exposed to at the reporting date, are indicated, along with related risk management processes, in compliance with the IFRS 7 requirements, introduced by the Regulation (EC) n. 108 of 11 January 2006. In the context of the risk management system, this Report is part of the reporting processes, aimed at a continuous monitoring of risks at various levels of the operational structure.

Generali Group has developed an Internal Control and Risk Management system, approved by the Board of Directors of the Parent company, whose principles apply to all Group companies. The system defines the objectives, structure, roles and responsibilities, aiming at a coherent and rational approach in the context of Enterprise Risk Management. The ultimate objective of the Internal Control and Risk Management system of Generali Group is the maintenance of acceptable levels of identified risks in order to optimize the available financial resources required for these risks and to improve the Group's profitability in relation to its risk exposure (risk-adjusted performance).

The Risk Management processes affect the Group as a whole in the countries where it operates, and also individual companies, with a varying depth and level of integration depending on the complexity of the underlying risks; the integration of processes within the Group is fundamental to ensure an efficient risk management system and capital allocation to business units.

In this context, in order to better capture its risk profile, Generali Group has developed an internal approach to determine the available financial resources and the capital requirements for risks which it is exposed to, while maintaining consistency with the basic framework of Solvency II, which is still being defined at European level.

During the year, the Risk Management system has been further improved, in accordance with the plan of activities aiming to fulfill the requirements deriving from the system of prudential supervision known as Solvency II. This development has affected issues related to the assessment of available financial resources and the variety of associated risks, consistently with an economic approach. Changes have also affected organizational aspects and processes related to risk management. Finally, activities aimed at a wider and more transparent disclosure on risks have been carried out.

Within the activities aimed at enhancing the management of compliance risks, the Parent Company has established a specific Anti Money-Laundering Function, aimed at the management of related risks, while the Compliance Function more generally supervises the processes related to the management of operations with related parties. Moreover, the framework for monitoring and management of operational risks has been further developed.

The following paragraphs detail aspects related to the implementation of the Risk Management System, with particular reference to governance (including indication of roles and responsibilities) along with the Risk Management Policy approved by the Board of Directors of the Parent Company. The definition of the main risks and sub-risks to which the Group is exposed is then given, according to the structure of the Group Risk Map, which has been approved in the context of the Risk Management Policy. For each category of risk, a brief description of the methodology applied for its management is given. Thereafter, in compliance with the requirements of IFRS 7, the main quantitative evidence is presented.

The Risk Management System

The Generali Group is exposed to the risks to which any enterprise is exposed and, in particular, to the typical risks coming from its insurance activities, such as those related to financial markets movements and those coming from negative development of insurance business activities (both non-life and life).

The Board of Directors (1) adopted the “Internal Control and Risk Management System” and the “Risk Management Policy”, documents aimed at ensuring an effective management of the risks coming from the Company's own activity and in particular the most significant ones.
The most significant risks are those whose consequences could undermine the solvency at Group and at Company level or those which could represent a serious obstacle to the achievement of the Company objectives.

In order to guarantee an aligned approach to risk management, the adoption of these documents is required of all Group insurance entities.

The “Internal Control and Risk Management System” defines the roles and the responsibilities of the governance bodies and the functions involved in the risk management process.
The “Risk Management Policy” defines the principles, the strategies and the processes in place to identify, evaluate, monitor and mitigate all risks from a perspective which considers the effect of the controls in an integrated way.
The risk management relies on the following building blocks:

  • risk governance: to establish an effective organizational structure based on a clear definition of risk roles and responsibilities, and on a set of Policies and Guidelines;
  • risk management process: to allow the ongoing management of all risks through the following phases: identification, strategy definition, taking, assessment, monitoring, mitigation and reporting;
  • business support: to increase the effectiveness of the risk management system, guaranteeing at the same time value creation for all stakeholders through the spread of a risk management culture based on shared values. All risk factors affecting the ordinary business are taken into consideration in the decision-making process: a risk-based approach is applied in particular to the processes related to capital management, reinsurance, asset allocation and new products development. This approach is aimed at optimizing, also through risk-adjusted metrics, the risk/return ratio and the capital allocation.

(1) Board of Directors is meant to be the Board of Directors of Assicurazioni Generali SpA (Parent Company).

1.1 - Roles and responsibilities

The risk management is put in place through a specific ongoing process which involves, with different roles and responsibilities, the Board (2), the Top Management and the organizational structures both at Group and Company level, as illustrated in the “Internal Control and Risk Management System”.
The Board of Directors approves the risk management policies and strategies, as well as the risk tolerance levels. The performance targets are defined in coherence with the capital adequacy level.
The Board is moreover committed to the creation of an organizational culture, which ensures a high level of priority to the effectiveness of the risk management and to the compliance with tight controls on operations.
The Board of Directors is informed by the Group CEO, the Managing Director, the Group CRO and, if necessary, also by the other independent control functions, about the Group risk exposures, on an ongoing basis, also through periodical reports concerning the results and the underlying risk profiles. The Board is also informed on an extraordinary basis whenever the adoption of mitigation actions is immediately needed.

The Parent Company Top Management (the Group CEO, the Managing Director, the CFO and all officers with strategic responsibilities) is in charge of implementing the risk management policies both at Assicurazioni Generali SpA and at Group level. To this purpose, the Top Management assigns the targets and defines the appropriate capital allocation to all Italian and Foreign Companies. It also ensures the definition of operational limits through guidelines whose implementation is under the responsibility of each single Group Company. Moreover, the Top Management controls and monitors the risk exposures, including the level of compliance with the assigned tolerance limits, on an ongoing basis.

The Group CEO and the Managing Director may propose to the Board of Directors changes to the risk management policies or dedicated actions focused on specific Countries.
To this purpose the Top Management is supported by the Group Risk Committee, which involves the persons responsible for the technical areas (and therefore for the related risks) and the Group CRO. The Committee ensures the evaluation of all different risks in an integrated perspective, which considers both the risk category and the geographical distribution. The Committee evaluates the Group risk exposures, identifies the improvement areas and submits suggestions and recommendations to the Top Management.

The functions involved in the risk management process operate according to the Three Lines of Defence approach as outlined in the Internal Control and Risk Management System:

  • The operational structures (Risk Owners) are the first line of defence. The Risk Owners are ultimately responsible for risks concerning their area and define and update the actions needed to make their risk management effective and efficient. They control the activity of the Risk Takers, who deal directly with the market and the internal and external parties and who define activities and programs from which risks may arise. All the risk management initiatives defined by the Risk Owners address the way Risk Takers undertake risks. Within the first line of defence, there are some operational units (Risk Observers) in charge of constantly monitoring some specific kinds of risks, in order to measure and analyze them and to identify suggestions and recommendations to be presented to the Top Management and to the Risk Owners. The Risk Observers are not directly involved in the decisional process of the risk management. Group Control, as an example, can be considered as a Risk Observer.
  • The Group Risk Management and the Group Compliance are the second line of defence. The Group Risk Management, for which the Group Chief Risk Officer is responsible, monitors the performance of the risk management system, guaranteeing a holistic view of the risks. It also supports the Board of Directors and the Top Management in the definition of the risk management strategy and in the development of the methodologies to identify, evaluate, control, mitigate and report risks. It is in charge of providing the Group Risk Committee with periodical information and suggestions. The Group CRO shares the main findings and suggestions with the different Risk Owners at Group level and is in charge of monitoring the risk management activities in all the Countries in which the Group operates. Moreover, the Group CRO supports the Group CEO and the Managing Director in the evaluation of the coherence between the developed plans and the adequacy of the achieved results (risk adjusted).
  • The Group Compliance function evaluates the adequacy of the internal processes in place to prevent compliance risk.
  • The Group Internal Audit is the Third Line of Defence. It is in charge of performing the independent evaluation of the effectiveness both of the Internal Control and Risk Management System and of all the controls in place to guarantee the adequate execution of the processes.

The Group CRO guarantees the implementation of the proper risk-management system according to the regulation and the Board’s resolutions.
The Parent Company risk governance structure has been adopted, at least concerning its essential points, in all the Group Companies taking into account the local specificities and regulations.
Each Company has its own Risk Committee, composed of the CEO (or the General Manager), the persons responsible for the Technical areas and, where existing, the person responsible for the local Risk Management.
The Committee supports the CEO in the periodical update of the Company risk profile, in relation to the different risk categories, and, where applicable, in the definition of the proposals to be submitted to the Board.

(2) Board is meant to be the administrative, supervisory or management body according to the local governance.

The Risk Management Policy

The “Risk Management Policy” is the main reference point for all policies and guidelines related to risks.
It is supplemented by a set of policies, also submitted to the Board of Directors for approval, that guide the management of each single risk.
In this context particular attention has to be paid to the “Life Underwriting Policy”, the “Non-Life Underwriting Policy”, the “Investment Policy” and the “Operational Risk Management Policy”.
These documents have been produced by the Technical structures at Corporate Centre level with the coordination of the Group Risk Management.

These policies have been sent to all the Group Insurance Companies and, taking into account the local specificities and regulations, have been approved by the Board of each entity.
In order to strengthen the risk taking procedure and the definition of the operational limits, the Parent Company technical structures have prepared a set of Guidelines in order to guide the management of the insurance and investment risks.

These Guidelines require each Group Company to prepare and update on an ongoing basis an Operational Limits Handbook (OLH) related to the risk taking activity. The OLH is submitted to the Risk Committee and has to be approved by the Top Management. Moreover, each Group Company is required to prepare, in accordance with a standard template, and send to the Parent Company a report to monitor the level of compliance with the limits and principles.

2.1 - The Risk Management process

The Risk Management process allows the ongoing identification, evaluation and management of all risks, taking into account the changes in the nature and size of the business and in the market environment.

This process is structured into the following phases: 

  • Risk identification and evaluation methodology definition: to define suitable principles and quantitative or qualitative methodologies to identify, classify and evaluate risks;
  • Risk Strategy: to define the Company risk attitude and assign, on a consistent and integrated basis, risk targets and operating limits to the Operating Units;
  • Risk taking: to take risks that the Company is willing to accept according to all the Policies and Guidelines which define principles and/or operating limits that guide the undertaking of risks;
  • Risks assessment: to assess and adequately measure both the risks the Company is exposed to and their potential impacts on the capital;
  • Risk monitoring: to monitor and control the risk exposures, the risk profile, and the implementation of Policies and Guidelines for all relevant levels;
  • Risk mitigation: to identify and implement adequate mitigation initiatives in order to bring the risk profile back within the planned one;
  • Risk Reporting: to develop effective reporting on the Company risk profile and risk exposures, both for internal and external stakeholders and to supervisory authorities.