Risk Governance

Risk governance is a part of the broader Group internal control and risk management system.

The Group internal control and risk management system is the set of rules, procedures and structures that ensure the effective operation of the company and enable it to identify, manage and monitor the main risks to which it is exposed. Key elements of the system are:

  • Internal control environment and activities;
  • Awareness and monitoring;
  • Reporting duties;
  • Roles and responsibilities within the internal control and risk management system of the Board of Directors (BoD) and its committees, of the Senior Management (including the Chief Executive Officer (CEO), who also acts as the Director in charge of the internal control and risk management system, and the Chief Financial Officer (CFO), appointed as Manager in charge of preparing the company’s financial reports), and of the risk owners and Control Functions.

To ensure a consistent framework throughout the Group, the Parent Company sets Group Directives on the Internal Control and Risk Management System, complemented by Group Risk Policies, which have to be applied by all Group companies.

The Group internal control and risk management system is founded on the establishment of three lines of defence:

  • The Operating Functions (the “risk owners”), which represent the first line of defence and have ultimate responsibility for risks relating to their area of expertise;
  • Actuarial, Compliance and Risk Management Functions, which represent the second line of defence;
  • Internal Audit, which represents the third line of defence.

Internal Audit together with Actuarial, Compliance and Risk Management Functions represent the “Control Functions”.

The roles and responsibilities of the BoD and related committees, Senior Management, Control Functions and the interactions among Control Functions are described within the Corporate Governance Report. Key roles within the risk management system are outlined below:

  • The BoD defines, with the Risk and Control Committee’s support, the guidelines of the internal control and risk management system and assesses its adequacy, effectiveness and functioning at least once a year. It also defines the organizational set-up, appoints the heads of the Control Functions and defines their mandates, adopts Group risk policies, approves the ORSA results and, based on them, defines the risk appetite and tolerance limits;
  • The Senior Management is then responsible for executing the defined strategy, implementing the internal control system and keeping it suitable and effective;
  • Control Functions are established at Group level and within the operating entities:
    • The Risk Management Function supports the BoD and Senior Management in ensuring the effectiveness of the risk management system and provides advice and support to the main business decision-making processes;
    • The Compliance Function ensures that the internal control system is adequate to manage compliance risks, thus contributing to maintaining the Group’s integrity and reputation;
    • The Actuarial Function coordinates the calculation of technical provisions and ensures the adequacy of the underlying methodologies, models and assumptions, verifies the quality of the related data and expresses an opinion on the overall Underwriting Policy;
    • The Audit Function verifies business processes and the adequacy and effectiveness of controls in place.

Heads of Control Functions report functionally to the BoD, except the head of Group Audit, who reports both hierarchically and functionally to the BoD.

Group Control Functions collaborate according to a pre-defined coordination model in order to share information and create synergies. Strong coordination and direction of the Control Functions by the Parent Company is ensured by the so-called solid reporting lines model, established between the head of the Group Control Function and the heads of the respective Functions within the operating entities.

Risk Management System

The principles defining the Group risk management system are provided in the Generali Group Risk Management Policy¹, which is the cornerstone of all risk-related policies and guidelines. The Risk Management Policy covers all risks the company is exposed to, on a current and forward-looking basis. Generali Group’s risk management process is defined in the following phases:

[Figure: Group Risk Management System]

The purpose of the risk identification is to ensure that all material risks to which the Group is exposed are properly identified. To this end, the Risk Management Function interacts with the main Business Functions in order to identify the main risks, assess their importance and ensure that adequate measures are taken to mitigate them according to a sound governance process. Within this process, emerging risks are also considered.
The categorization of identified risks is consistent with Italian regulation (IVASS Reg. n.20/2008) and reflects the risk categories foreseen by Solvency II.

Identified risks are then measured through their contribution to the capital requirement, complemented by other modelling techniques deemed appropriate and proportionate to better reflect the Group risk profile. Using the same metric for measuring the risks and the capital requirements ensures that each risk is covered by an adequate amount of capital that could absorb the loss incurred if the risk materialized.

The capital requirement is calculated by means of the Group’s PIM for financial, credit, life and non-life underwriting risks. Operational risks are measured by means of the EIOPA Standard Formula, complemented by quantitative and qualitative risk assessments. The PIM provides an accurate representation of the main risks to which the Group is exposed, measuring not only the impact of each risk taken individually but also their combined impact on the Group’s Own Funds.

PIM methodology and governance are provided in section Solvency Position.

Risks not included in the capital requirement calculation, such as liquidity risk, are evaluated using quantitative and qualitative techniques, models and additional stress testing or scenario analysis.

The Group RAF (Risk Appetite Framework) defines the level of risk the Group is willing to accept in conducting business and thus provides the overall framework for embedding risk management into business processes.
The purpose of the RAF is to set the desired level of risk on the basis of the Group strategy. The RAF statement is complemented by qualitative assertions (risk preferences) supporting the decision-making processes as well as by risk tolerances providing quantitative boundaries, limiting excessive risk-taking. These are expressed in terms of hard and soft tolerances.
The RAF governance provides a framework for embedding risk management into day-to-day and extraordinary business operations and control mechanisms as well as the escalation and reporting to be applied in case of risk tolerance breaches.

Tolerance levels are set on the basis of capital and liquidity metrics. Should an indicator approach or breach the defined tolerance levels, escalation mechanisms are activated.

The purpose of risk monitoring and reporting is to keep the Business Functions, Senior Management, BoD and also the Supervisory Authority aware of and informed about the development of the risk profile, risk trends and breaches of risk tolerances.

Under Solvency II, the Own Risk and Solvency Assessment (ORSA) is the main risk reporting process and is coordinated by the Risk Management Function. Its purpose is to provide the assessment of risks and of the overall solvency needs on a current and forward-looking basis. The ORSA process ensures an ongoing assessment of the Solvency Position based on the Strategic Plan and the Group Capital Management Plan, followed by a regular communication of ORSA results to the Supervisory Authority after BoD approval.
The ORSA process includes the assessment of the risks in scope of the capital requirement, along with other risks that are not included in the capital requirement calculation. Within the ORSA, stress test and sensitivity analyses are also performed to assess the resilience of the Solvency Position and risk profile to changed market conditions or specific risk factors.
The ORSA Report, documenting the main results of this process, is produced on an annual basis. In addition, non-regular ORSA Reports are produced when the risk profile has changed significantly.

¹ The Group Risk Management Policy covers all Solvency II risk categories and, in order to adequately deal with each specific risk category and the underlying business processes, is complemented by the following risk policies:
- Group Investment Governance Policy;
- Group P&C and Reserving Policy;
- Group Life and Reserving Policy;
- Group Operational Risk Management Policy;
- Group Liquidity Risk Management Policy;
- Other risk-related policies, such as Group Capital Management Policy.