Internal Control & Risk Management System
The internal control and risk management system is the set of company rules, procedures and structures that ensure the effective operation of the Company and enable it to identify, evaluate, measure, manage and monitor the main risks to which it is exposed.
The Internal Control and Risk Management System (ICRMS) is an integrated system that involves the entire organisational structure of the Company and the Group: the corporate bodies and the company structures contribute to its operation in a coordinated and independent way.
The Board of Directors is the leading player in the System, having responsibility for establishing internal control and risk management strategies and policies and guaranteeing their suitability and soundness over time, in terms of completeness, functionality and efficacy. In the Company the other players are: the Risk and Control Committee, the Remuneration Committee, the Board of Statutory Auditors, the Top Management, the Managerial Risk Committees, the Dirigente Preposto (appointed in compliance with the provisions of art. 154-bis of the TUF (Consolidated Law on Finance as of Italian Legislative Decree n.58 of February 24, 1998, amended and supplemented)), the heads of operational areas, and the control functions. Group entities implement a coherent system of governance.
The risk management system, defined within the Risk Management Group Policy, establishes the main principles and minimum process requirements to identify, measure, manage, control and report present and forward-looking risks that could arise from the activities performed by Generali Group.
The Policy aims at ensuring a sound and effective management of risks throughout the Group consistently with the risk appetite defined by the Board of Directors, on the basis of Solvency II regulatory framework, as adopted by IVASS and other European National Competent Authorities.
The risk management system at Group level must be adequate for carrying out effective control over the Group’s overall strategic decisions and the balanced management of each GLE. For these purposes, a Group Risk Appetite Framework is adopted.
This Group Policy also includes the principles underlying the Own Risk and Solvency Assessment (ORSA) process.
The risk management framework, regulated by the Policy, is founded on the following four processes:
- risk identification,
- risk measurement,
- risk management and control,
- risk reporting (including ORSA Reporting).
ORSA is defined as the set of processes and procedures employed to identify, assess, monitor, manage and report the risks that the Group is facing and will face in the future, as well as the level of Own Funds required to ensure that the Group’s solvency needs are met.
The Internal Control and Risk Management System operates according to a “three lines of defence” approach where the company functions have a clear organizational position and play a defined role:
- The operational department heads (risk owners) have the task of ensuring correct management of risks correlated with the activities performed and introducing suitable controls, in compliance with the organisational structure and the guidelines issued by the Group CEO, to guarantee implementation of the Internal Control and Risk Management Policies issued by the Board. The roles and responsibilities of each organisational unit are established within the system of delegated powers and the policies approved by the Board.
- The risk management, compliance, anti financial crime and actuarial functions are the second line of defence. They guarantee continuous monitoring of the relevant risks applicable to the Company's business and are not in charge of any operational areas. The control functions are established in the form of specific organizational units and report directly to the Board of Directors.
- The audit function is the third line of defence and is responsible for monitoring and evaluating the efficacy and efficiency of the Internal Control and Risk Management System. This Function is characterised by strong independence from the business and a high degree of autonomy; the head of the Function does not depend hierarchically on any head of the operational areas, but is answerable directly to the Board, with direct reporting to its Chairman.
Group Risk Map
The Group Risk Map, being part of the Risk Management Group Policy, includes the main risks listed hereafter:
Financial risks: driven by asset price volatility of financial assets. Financial risks are further split into:
- equity risk deriving from the risk of adverse changes in the market value of the assets or in the value of liabilities due to changes in the level of equity market prices which can lead to financial losses;
- equity volatility risk deriving from changes in the volatility of the markets;
- interest rate risk, defined as the risk of adverse changes in the market value of the assets or in the value of liabilities due to changes in the level of interest rates in the market;
- property risk deriving from changes in the level of property market prices;
- currency risk deriving from adverse changes in exchange rates;
- concentration risk deriving from asset portfolio concentration in a small number of counterparties.
Credit risks: related to invested assets and arising from other counterparties (e.g., reinsurance, cash). Credit risks are further split into:
- spread widening risk, defined as the risk of adverse changes in the market value of debt security assets;
- default risk, defined as the risk of incurring losses because of the inability of a counterparty to honour its financial obligations.
Insurance life risks: deriving from the Group’s core insurance business in the life and health segments. Insurance life risks are further split into:
- mortality risk, defined as the risk of loss, or of adverse change in the value of insurance liabilities, resulting from changes in mortality rates, where an increase in mortality rates leads to an increase in the value of insurance liabilities. Mortality risk also includes mortality catastrophe risk, resulting from the significant uncertainty of pricing and provisioning assumptions related to extreme or irregular events;
- longevity risk, similarly to mortality, is defined as the risk resulting from changes in mortality rates, where a decrease in mortality rates leads to an increase in the value of insurance liabilities;
- disability and morbidity risks derive from changes in the disability, sickness, morbidity and recovery rates;
- lapse risk is linked to the loss or adverse change in liabilities due to a change in the expected exercise rates of policyholder options. The relevant options are all legal or contractual policyholder rights to fully or partly terminate, surrender, decrease, restrict or suspend insurance cover or permit the insurance policy to lapse. Mass lapse events are also considered;
- expense risk results from changes in the expenses incurred in servicing insurance or reinsurance contracts;
- health risk results from changes in health claims and also includes health catastrophe risk.
Insurance non-life risks: arising from the Group’s insurance business in the Property & Casualty segment. Insurance non-life risks are further split into:
- pricing and catastrophe risks, deriving from the possibility that premiums are not sufficient to cover future claims, also in connection with extremely volatile events and contract expenses;
- reserving risk, related to the uncertainty of the claims reserves (in a one-year time horizon);
- non-life lapse risk, arising from the uncertainty of the underwriting profits recognised in the premium provisions.
Operational risks: arising from losses due to inadequate or failed internal processes, personnel or systems, or from external events, and including compliance risk and financial reporting risk.
Liquidity risk: deriving from the uncertainty, related to business operations, investment or financing activities, over the ability of the Group and its legal entities to meet payment obligations in a full and timely manner, in a current or stressed environment.
Among other risks are emerging and sustainability risks:
- Emerging risks: arising from new trends or evolving risks, which are difficult to perceive and quantify, although typically systemic. The most important are the environmental trends and climate change, technological changes and digitalization, geopolitical developments and demographics and social changes. For further details on these risks, please refer to the Emerging Risks Booklet;
- Sustainability risks: referring to an environmental, social or governance event or condition that, if it occurs, could cause an actual or a potential negative impact on the value of the investment or on the value of the liability.