Internal control & risk management
The internal control and risk management system is the set of company rules, procedures and structures that ensure the effective operation of the Company and enable it to identify, manage and monitor the main risks to which it is exposed.
The Internal Control and Risk Management System (ICRMS) is an integrated system that involves the entire organisational structure of the Company and the Group: the corporate bodies and the company structures contribute to its operation in a coordinated and independent way.
The Board of Directors is the leading player in the System, having responsibility for establishing internal control and risk management strategies and policies and guaranteeing their suitability and soundness over time, in terms of completeness, functionality and efficacy. In the Company the other players are: the Risk and Control Committee, the Board of Statutory Auditors, the Top Management, the CFO, the CRO, the heads of operational areas and the four control functions. A similar governance structure is in place at Group level.
The risk management system, defined within the Group Risk Management Policy, updated annually by the Board of Directors, sets out the guiding principles and minimum requirements of the process to identify, evaluate, manage and monitor the risks to which the Group is exposed, on a current and forward-looking basis.
The Policy ensures effective management of risks throughout the Generali Group, in line with the Group Risk Appetite Framework defined by the Board of Directors of the Parent company.
The main processes, procedures and responsibilities set out in this Policy are aimed at ensuring sound management of risks to preserve the stability and solvency of the Group under extreme conditions, using synergies, best practices, and specific skills developed within the Group.
Group companies are required to adopt this Policy, with due consideration of local specificities and regulatory requirements.
The risk management process, regulated by the Policy, includes the following main phases:
- risk identification,
- risk measurement,
- risk management and control,
- risk reporting (including the ORSA Report).
Own Risk and Solvency Assessment (ORSA) is defined as the set of processes and procedures used to identify, assess, monitor, manage and report the risks on a current and forward-looking basis, as well as the level of own funds required to ensure that the firm's solvency needs are met.
The Internal Control and Risk Management System operates according to a "three lines of defence" approach where the company functions have a clear position and play a well-defined role:
- The operational department heads (risk owners) have the task of ensuring correct management of the risks correlated with the activities performed and introducing suitable controls, in compliance with the organisational structure and the guidelines issued by the Group CEO, to guarantee implementation of the Internal Control and Risk Management Directives issued by the Board. The roles and responsibilities of each organisational unit are established within the system of delegated powers and the policies approved by the Board which, apart from some exceptions, are applicable at Group level.
- The group risk management, group compliance and actuarial functions are the second line of defence. They meet the need to guarantee continuous monitoring of the most significant risks to the Company's business; they have no operational duties and are solely devoted to guaranteeing effective risk control. To ensure that these functions have the necessary independence, their heads report directly to the Board on a functional basis.
- The group internal audit is the third line of defence and is responsible for monitoring and evaluating the efficacy and efficiency of the Internal Control and Risk Management System. This Function is characterised by strong independence from the business and a high degree of autonomy; the head of the Function does not depend hierarchically on any head of the operational areas, but is answerable directly to the Board, with direct reporting to its Chairman.
The Group Risk Map approved by the Board of Directors of Assicurazioni Generali identifies the main risks listed hereafter:
Group Risk Map (the first four columns are the risks covered by the Partial Internal Model; operational risks are assessed with the Standard Formula; non-quantifiable risks carry no specific capital requirement):

| Financial risks (Internal Model) | Credit risks (Internal Model) | P&C underwriting risks (Internal Model) | Life underwriting risks (Internal Model) | Operational risks (Standard Formula) | Non-quantifiable risks |
|---|---|---|---|---|---|
| Interest rates | Enlargement of spread | Pricing | Catastrophe mortality | | Liquidity |
| Interest-rate volatility | Credit default | Reserving | Non-Catastrophe mortality | | Strategic |
| Share prices | Counterparty default | Catastrophes | Longevity | | Reputational |
| Share volatility | | P&C redemptions | Morbidity / Invalidity | | Emerging |
| | | | Illness Claim | | Risk interdependence* |

*Risks significant only at Group level.
Financial risk encompasses risks deriving from unexpected movements in interest rates, equity, property and exchange rates, or from increases in interest rate and equity volatility, that may have an adverse impact on the economic or financial results. It also considers losses arising from an excessive concentration in a single counterparty.
Credit risk refers to possible losses arising from the default or failure of counterparties to meet their payment obligations (default risk), or from the changes in value resulting from movements in their credit ratings or from the widening of the credit spreads (spread widening risk).
Non-Life insurance risk refers to the uncertainty as to the occurrence, amount and timing of insurance liability events. This includes the following sub-risks:
- Reserving risk relates to the uncertainty of the claims reserves run-off with respect to their average expected value, over a one-year time period. Specifically, it considers the possibility that actuarial reserves are not sufficient to meet future obligations towards policyholders.
- Lapse risk relates to the uncertainty of the option exercise rates in the calculation of technical provisions for non-life obligations.
- Pricing risk and catastrophe risk relate to the premium underwritten being insufficient to cover actual future claims, expense and extreme events.
Life & Health underwriting risk includes biometric risks embedded in life and health policies deriving from the uncertainty in the expected future claims payout. This uncertainty relates to assumptions regarding mortality, longevity, morbidity and disability rates. The category also includes risks deriving from the uncertainty relating to the expected value of lapses and expenses.
Operational risk refers to risks of losses arising from inadequate or failed internal processes, personnel and systems or from external events.
The operational risk category includes compliance risk, that is the risk of incurring legal or regulatory sanctions, material financial losses or reputational damage arising from failure to comply with laws, regulations and administrative provisions applicable to the Company's business. In addition, financial reporting risk is also considered an operational risk. This is the risk of a transaction error which could entail an untrue and incorrect representation of the situation of the assets, liabilities, profit or loss in the company's financial statements, in the yearly and half-yearly consolidated financial statements and in any other financial release.
In addition to the previous categories, other so-called non-quantifiable risks are considered, for which there is no specific capital requirement. These are:
- Liquidity risk: refers to the risk that the Company will not be able to efficiently meet both expected and unexpected cash flow requirements. Liquidity risk may arise due to insufficient future cash flows to meet expected and unexpected cash obligations or to the illiquidity of assets held to meet the cash requirements.
- Strategic risk refers to the risk arising from external changes and/or internal decisions that may impact on the future risk profile of the company or of the Group.
- Reputational risk is the risk of potential losses due to a reputational deterioration or to a negative perception of the Company's or the Group's image among its customers, counterparties, shareholders and Supervisory Authorities.
- Contagion risk is the risk deriving from belonging to the Group, i.e. the risk that problems arising in one of the Group's Local Entities could affect the solvency, economic or financial situation of the Generali Group.
- Emerging and ESG-related risks: new risks deriving from an evolving internal and external context. They may lead to an increase in exposure to risks already taken into account in the Risk Map or may require the introduction of a new risk category. Risks qualify as emerging if they have long-term consequences and an uncertain development over time, if their impacts are potentially serious but difficult to quantify, and if they are largely systemic and often linked to ESG (Environmental, Social and Governance) factors.
Within this category, particular significance can be attributed to risks deriving from climate change or generated by an excessive increase in greenhouse gas emissions that cause progressive global warming, which in turn determines an intensification of catastrophic events and changes in specific economic conditions. Risks deriving from climate change can be grouped into three categories:
- Physical risks, resulting from increasingly destructive catastrophic events due to climate change, such as storms, floods, heat waves and rising seas;
- Transition risks, resulting from the transition to an economy with a lower environmental impact with the aim of reducing or eliminating net greenhouse gas emissions;
- Risks related to controversies, arising from legal cases for environmental damage resulting from inadequate plans for mitigation of and adaptation to climate change, and/or from erroneous or missing information on the environmental standards adopted by companies.