Risk governance is a part of the broader Group internal control and risk management system.
The Group internal control and risk management system is the set of rules, procedures and structures that ensure the effective operation of the company and enable it to identify, manage and monitor the main risks to which it is exposed. Key elements of the system are:
- Internal control environment and activities;
- Awareness and monitoring;
- Reporting duties;
- Roles and responsibilities that the Board of Directors (BoD) and its committees, the Senior Management, including the Chief Executive Officer (CEO), also acting as the Director in charge of the internal control and risk management system, and the Chief Financial Officer (CFO), appointed as Manager in charge of the preparation of the company’s financial reports, as well as risk owners and Control Functions must discharge within the internal control and risk management system.
To ensure a consistent framework throughout the Group, the Parent Company sets Group Directives on the Internal Control and Risk Management System, complemented by Group Risk Policies, which have to be applied by all Group companies.
The Group internal control and risk management system is founded on the establishment of three lines of defence:
- The Operating Functions (the “risk owners”), which represent the first line of defence and have ultimate responsibility for risks relating to their area of expertise;
- Actuarial, Compliance and Risk Management Functions, which represent the second line of defence;
- Internal Audit, which represents the third line of defence.
Internal Audit, together with the Actuarial, Compliance and Risk Management Functions, makes up the “Control Functions”.
The roles and responsibilities of the BoD and related committees, Senior Management, Control Functions and the interactions among Control Functions are described within the Corporate Governance Report. Key roles within the risk management system are outlined below:
- The BoD defines, with the Risk and Control Committee’s support, the guidelines of the internal control and risk management system and assesses its adequacy, effectiveness and functioning at least once a year. It also defines the organizational set-up, appoints the heads of the Control Functions and defines their mandates, adopts Group risk policies, approves the ORSA results and, based on them, defines the risk appetite and tolerance limits;
- The Senior Management is then responsible for executing the defined strategy, implementing the internal control system and keeping it suitable and effective;
- Control Functions are established at Group level and within the operating entities:
  - The Risk Management Function supports the BoD and Senior Management in ensuring the effectiveness of the risk management system and provides advice and support to the main business decision-making processes;
  - The Compliance Function ensures that the internal control system is adequate to manage compliance risks, thus contributing to maintaining the Group’s integrity and reputation;
  - The Actuarial Function coordinates the calculation of technical provisions and ensures the adequacy of the underlying methodologies, models and assumptions, verifies the quality of the related data and expresses an opinion on the overall Underwriting Policy;
  - The Audit Function verifies business processes and the adequacy and effectiveness of controls in place.
Heads of Control Functions report functionally to the BoD, except the head of Group Audit, who reports hierarchically and functionally to the BoD.
Group Control Functions collaborate according to a pre-defined coordination model in order to share information and create synergies. Strong Parent Company coordination and direction for Control Functions is ensured by the so-called solid reporting lines model established between the head of the Group Control Function and the heads of the respective Functions within the operating entities.
Risk Management System
The principles defining the Group risk management system are provided in the Generali Group Risk Management Policy¹, which is the cornerstone of all risk-related policies and guidelines. The Risk Management Policy covers all risks the company is exposed to, on a current and forward-looking basis. Generali Group’s risk management process is defined in the following phases:
The capital requirement is calculated by means of the Group’s PIM for financial, credit, life and non-life underwriting risks. Operational risks are measured by means of the EIOPA Standard Formula, complemented by quantitative and qualitative risk assessments. The PIM provides an accurate representation of the main risks to which the Group is exposed, measuring not only the impact of each risk taken individually but also their combined impact on the Group’s Own Funds.
PIM methodology and governance are provided in section Solvency Position.
Risks not included in the capital requirement calculation, such as liquidity risk and other risks, are evaluated based on quantitative and qualitative techniques, models and additional stress testing or scenario analysis.
Tolerance levels are set on the basis of capital and liquidity metrics. Should an indicator approach or breach the defined tolerance levels, escalation mechanisms are activated.
Under Solvency II, the Own Risk and Solvency Assessment (ORSA) is the main risk reporting process and is coordinated by the Risk Management Function. Its purpose is to provide the assessment of risks and of the overall solvency needs on a current and forward-looking basis. The ORSA process ensures an ongoing assessment of the Solvency Position based on the Strategic Plan and the Group Capital Management Plan, followed by a regular communication of ORSA results to the Supervisory Authority after BoD approval.
¹ The Group Risk Management Policy covers all Solvency II risk categories and, in order to adequately deal with each specific risk category and the underlying business processes, is complemented by the following risk policies:
- Group Investment Governance Policy;
- Group P&C and Reserving Policy;
- Group Life and Reserving Policy;
- Group Operational Risk Management Policy;
- Group Liquidity Risk Management Policy;
- Other risk-related policies, such as Group Capital Management Policy.