Overall risk framework
The Group operates under an enterprise risk management framework that is designed to identify, assess, measure and manage exposure to risk, including environmental, social and governance matters. This process is subject to continuous review and development and further work was undertaken in 2007 to enhance the framework.
Risk management
The Board is responsible for the Group's systems of risk management.
Executive management has the responsibility for establishing and implementing appropriate systems and controls in their own areas of remit. The Group Risk Management Framework provides the mechanism through which risk management and control is embedded throughout the Group. Each Group business is required to follow a consistent process to identify, assess, manage and monitor their key risks.
Group risk appetite
The Group has a process for setting risk appetite and for monitoring compliance with this. The Group risk appetite sets business volumes for certain higher risk insurance classes, stipulates loss retention limits, reinsurance protection, targets for credit rating and solvency margins, and other appropriate measures.
There is a formal escalation process for potential or emerging risks that are outside the risk appetite.
Risk framework
The Group has continued to adopt the 'three lines of defence' governance model. The framework for the oversight and management of risk is as follows:
- Management – the first line of defence in setting strategy, performance measurement, establishment and maintenance of internal control and risk management in the business
- Risk assessment – the second line, operating a formal risk management framework within which the Group policies and minimum standards are set, and objective oversight and challenge of risk management across the Group is achieved. This is provided by the Board Risk Committee, supported by the Group Risk functions, and a Groupwide network of regional risk committees
- Independent assurance – the third line of defence, providing independent and objective assurance of the effectiveness of the Group's systems of internal control established by the first and second lines of defence. This is provided by the Group Audit Committee, supported by Group Internal Audit.
Group risk policy statements
Group risk policy statements set out the minimum standards to be maintained by the Group's operations in order to manage their risks in a way that is consistent with the risk appetite. Business managers are responsible for complying with Group and local risk policies and for managing risk by taking mitigating actions where risks are outside the appetite. The Board Risk Committee's oversight and challenge role includes consideration of risk mitigation.
Compliance with policy statements is mandatory. Policies are subject to regular review in order to reflect changes in circumstances and the risk appetite.
Risk categories
The Group views risks according to the categories outlined below. Additional information is provided in the risk management section of the financial statements. Details of some of the key current practices, tools and other arrangements for each risk category are set out below.
Insurance risk
The Group's general insurance activities are primarily concerned with the pricing, acceptance and management of risks arising from our contracts with customers. The management of the underwriting and claims risks uses a number of key tools, including the review of the performance and management of all the individual insurance portfolios throughout the Group, and the investigation of potential emerging insurance risks.
Further work has been undertaken in 2007 to refine and improve the Portfolio Classification process, designed to provide a more effective method of evaluating individual and overall portfolio performance.
Claims development and reserving levels are closely monitored by Reserve Committees. Each region's Reserve Committee determines a recommended level of outstanding claims reserves, in accordance with the Group Reserving Policy. The Group Reserving Committee considers the reasonableness of these recommendations. It then determines the level of aggregate outstanding claims reserves to be carried by the Group.
Reinsurance risk
The Group's reinsurance strategy and appetite are set and agreed by the Board and published and disseminated via the Group reinsurance policy statement. The Group Reinsurance Credit Committee oversees the implementation of the counterparty credit aspects of this strategy. The reinsurance team monitors and controls reinsurance activity throughout the Group and has responsibility for the purchase of the Group's worldwide programme of treaties. All major treaty purchases are analysed using various sophisticated modelling tools to ensure that the level of cover purchased is capital efficient and aligned with Group risk appetite and strategy.
Operational risk
Operational risk exists in every facet of the organisation, including those areas that are not viewed as 'operating units'. As such, all areas of the Group and its major outsourcing providers are involved in addressing and controlling operational risk.
The Group uses a suite of risk tools to help manage operational risk using a common categorisation of risk. These tools include Risk and Control Self Assessments, Key Risk Indicators, Scenario Analyses, Incident Management and Loss Data.
A series of forward looking key risk indicators is used to assess potential future trends in operational risks, whilst data collected on actual operational risk incidents and 'near misses' captures past experiences. In addition, the use of scenario analyses enables the Group to assess whether certain operational events that have occurred elsewhere could manifest themselves within the Group. When taken together, the tools provide a complementary set of indicators of the Group's operational risk profile.
Credit, market and liquidity risks
The primary sources of credit risk within the Group are investment and treasury activities and reinsurance counterparty risk. Within the investment management and treasury activities, a range of bank counterparty concentration and credit quality limits, together with other controls, are in place to ensure that exposure is managed within the Group risk appetite. New reinsurance cover is placed with reinsurers that are authorised as Approved Reinsurance Counterparties recommended by the Group Reinsurance Credit Committee under criteria approved by the Board Risk Committee.
Market risk arises from the Group's investment portfolios. The Global Asset Management Committee is the management committee that oversees the Group's investment strategy under the oversight of the Investment Committee, and operating within risk limits set by the Board Risk Committee.
The primary source of liquidity risk is the Group's treasury activities. Liquidity risk is considered to be a low risk category. Group liquidity is managed by Group Treasury and each operation is required to maintain a minimum level of cash or cash equivalents or highly liquid assets that can be liquidated within a maximum stated period of time. Contingency funding plans are prepared and monitored to ensure that these minimum levels are met even in stressed conditions.
Regulatory risk
The Group operates in a number of geographical locations with diverse regulatory requirements. The regulatory environment has become more complex and demanding. The Group continues to respond to these developments through its arrangements for regulatory compliance and by ensuring that it maintains open and cooperative relationships with its regulators.
