Since 2015 the Generali Group has been part of the ORX (Operational Risk data eXchange association), an organisation set up to share “negative events” among the leading international peers operating in the insurance and banking sectors. The aim is to use the information collected to improve internal controls and anticipate emerging trends: the Risk Management Department also shares these data with the Risk Owners to increase their understanding of the phenomenon and improve the overall effectiveness of the long-term evaluations. The Generali Group is also a member of the CRO Forum and an active collaborator in its Cyber Risk working group, whose main goal is to develop risk management techniques in the area of cyber war and terrorism and reference standards for the management of cyber risk. Finally, we have agreements with the national authorities in the area of IT security (CERT Nazionale), mainly as regards sharing intelligence on threats.
Data centers, disasters & risk assessment
In 2019, Group Operational and IT Risk cooperated with the Global Corporate & Commercial functions and the CRO functions of every Group Legal Entity hosting a data center, in order to define a homogeneous and standardized approach to data center natural disaster risk analysis.
Four pillars form the foundation of the risk assessment process: a common taxonomy to classify risks and the related control systems, a shared inventory of mitigation measures, a custom qualitative assessment model, and a set of standard reports to collect the residual risk assessments of the data centers.
In order to meet those goals, an assessment was first performed to understand the potential exposure of the data centers to natural disaster risks, including those related to climate change such as floods, storms, hail, tornadoes and wildfires, taking into consideration the location, the type of catastrophe and the asset value, as well as expert judgement. Then, the custom model was used to determine whether the controls in place were up-to-date and appropriate against the above-mentioned risks. Mitigation processes were categorized and mapped to the corresponding risks. Finally, an evaluation of the residual risk for each data center was obtained and summarized in a standardized report.
All locations were evaluated as having low or very low residual risk, demonstrating the natural catastrophe resilience of the data centers.
This thorough assessment brought to light a few points for improvement, which have already been addressed and are being followed up.
In Italy, the innovativeness of our security awareness programme saw it awarded the “Premio Adriano Olivetti”, an award for innovative education, from among a field of 250 candidates. The goal of the programme is to raise the awareness of all Generali Group employees about potential security risks and to teach them how to deal with them correctly, using an innovative series of videos. The eight episodes, featuring professional actors, are full of engaging scenes.
Cyber Risk Management framework
The Cyber Risk Management framework is an innovative methodology that seeks to understand, measure, manage and mitigate IT security risks. It was recognised with the GRC (Governance, Risk and Compliance) Excellence Award: developed by Generali, the methodology was presented at the RSA EMEA Summit in London, where it faced competition from other participants representing the world’s leading financial institutions.