It is of great importance to a.s.r. that risks within all business lines are controlled in a timely and adequate manner. To this end, a.s.r. has implemented a Risk Management framework based on internationally recognised and accepted standards (such as COSO ERM and the ISO 31000 risk management principles and guidelines). Using this framework, material risks to which a.s.r. is, or can be, exposed are identified, measured, managed, monitored, reported and evaluated. The framework applies both to a.s.r. group and to the underlying (legal) business entities.
The figure below shows the risk management framework as applied by a.s.r.
The Risk Management (RM) framework consists of risk strategy (including risk appetite), risk governance, systems and data, risk policies and procedures, risk culture, and risk management process. The RM framework contributes to achieving the strategic, tactical and operational objectives as set out by a.s.r.
Strategic objectives that are pursued;
The risk appetite in pursuit of those strategic objectives.
a.s.r.’s risk strategy aims to ensure that decisions are made within the boundaries of the risk appetite, as stipulated annually by the EB and the SB (see chapter Risk strategy and risk appetite).
Risk governance can be seen as the way in which risks are managed, through a sound risk governance structure and clear tasks and responsibilities, including risk ownership. a.s.r. employs a risk governance framework that entails the tasks and responsibilities of the risk management organisation and the structure of the Risk committees (see chapter Risk governance).
Systems and data support the risk management process and provide management information to the risk committees and other relevant bodies. a.s.r. considers it essential to have data, models and systems of adequate quality in place, so that correct figures can be reported and steered on and risk-mitigating measures can be applied in time. To ensure this, a.s.r. has designed a policy for data quality and model validation in line with Solvency II. Tools, models and systems are implemented to support the risk management process by providing guidance on and insight into the key risk indicators, risk tolerance levels, boundaries and actions, and remediation plans to mitigate risks (see chapter Systems and data).
Define the risk categories and the methods to measure the risks;
Outline how each relevant category, risk area and any potential aggregation of risk is managed;
Describe the connection with the overall solvency needs assessment as identified in the ORSA, the regulatory capital requirements and the risk tolerances;
Provide specific risk tolerances and limits within all relevant risk categories in line with the risk appetite statements;
Describe the frequency and content of regular stress tests and the circumstances that would warrant ad-hoc stress tests.
The classification of risks within a.s.r. is performed in line with, but is not limited to, the Solvency II risk categories. Each risk category is covered by a policy that sets out how risks in that category are identified, measured and controlled within a.s.r. (see chapter Risk policies and procedures).
An effective risk culture is one that enables and rewards individuals and groups for taking risks in an informed manner. It is a term describing the values, beliefs, knowledge, attitudes and understanding about risk. All the elements of the RM framework combined make an effective risk culture.
Within a.s.r., risk culture is an important element that emphasises the human side of risk management. The EB has a distinct role in expressing the appropriate norms and values (tone at the top). a.s.r. employs several measures to increase risk awareness and, in doing so, to strengthen the risk culture (see chapter Risk culture).
The risk management process contains all activities within the RM processes to structurally 1) identify risks; 2) measure risks; 3) manage risks; 4) monitor and report on risks; and 5) evaluate the risk profile and the risk management framework. At a.s.r., the risk management process is used to implement the risk strategy in the steps mentioned. These five steps are applied to all risks within the company so that they are managed effectively (see chapter Risk Management process).
a.s.r.’s risk strategy aims to ensure that decisions are made within the boundaries of the risk appetite, as stipulated annually by the EB and the SB.
Risk appetite is defined as the level and type of risk a.s.r. is willing to bear in order to meet its strategic, tactical and operational objectives. The risk appetite is formulated to give direction to the management of the (strategic) risks. The risk appetite contains a number of qualitative and quantitative risk appetite statements and is defined for both financial (FR) and non-financial risks (NFR). The statements highlight the risk preferences and limits of the organisation and are viewed as key elements for the realisation of the strategy. The statements and limits are defined at both group level and at legal entity level and are determined by the a.s.r. risk committee and approved by the SB.
The statements are evaluated yearly to maintain alignment with the strategy. The NFR statements were strengthened in 2021, but not materially changed. The FR statements have not been changed at a.s.r. group level.
| No. | Risk appetite statement | Type |
|---|---|---|
| 1 | ASR Nederland N.V. places long-term value creation at the forefront of its (strategic) operations and ensures that all stakeholders’ interests are met in a balanced and sustainable way. | NFR |
| 2 | ASR Nederland N.V. acts in a sustainable and (socially) responsible manner. | NFR |
| 3 | ASR Nederland N.V. has effective and controlled (business) processes, whereby the customer data quality is in order. | NFR |
| 4 | ASR Nederland N.V. has reliable financial reports, whereby IFRS and Solvency II data quality is in order. | NFR |
| 5 | ASR Nederland N.V. manages its internal and external outsourcing in a controlled and effective way. | NFR |
| 6 | ASR Nederland N.V. processes information securely (in accordance with availability, confidentiality and integrity requirements) and is resilient to cyber threats. | NFR |
| 7 | ASR Nederland N.V. has controlled projects (in terms of timeliness, budget and/or quality). | NFR |
| 8 | ASR Nederland N.V. and those working for or on behalf of a.s.r. act in accordance with applicable laws and regulations, self-regulation, and ethical and internal standards. a.s.r. meets the legitimate expectations and interests of its stakeholders and puts the customer's interests at the heart of its proposition. a.s.r. therefore provides products and services that are cost-efficient, useful, safe and understandable for customers, distribution partners, society and a.s.r. itself. Acting with integrity protects and strengthens a.s.r.'s reputation. | NFR |
| 9 | ASR Nederland N.V. has a minimum SCR ratio of 120%. | FR |
| 10 | ASR Nederland N.V. remains within the bandwidth of periodically reassessed market risk budgets. | FR |
| 11 | ASR Group (including ASR Nederland N.V., ASR Levensverzekering N.V. and ASR Schadeverzekering N.V.) has at least a single A rating and therefore holds an AA rating in accordance with the S&P Capital Model. | FR |
| 12 | ASR Nederland N.V. assesses the amount of dividend payments against the current and expected future solvency ratio and economic outlook. Dividend payments are in line with the conditions laid down in the capital and dividend policy of ASR Nederland N.V. | FR |
| 13 | ASR Nederland N.V. has a maximum financial leverage ratio of 40%. Financial leverage ratio = Debt / (Debt + Equity). | FR |
| 14 | ASR Nederland N.V. has a maximum double leverage ratio of 135%. Double leverage ratio = Total value of associates / (equity attributable to shareholders + hybrids and subordinated liabilities). | FR |
| 15 | ASR Nederland N.V. has a minimum interest coverage ratio of between 4 and 8. Interest coverage ratio = EBIT operational / interest expense. | FR |
| 16 | a. ASR Nederland N.V. is capable of releasing liquidity of up to € 1 billion over a 1-month period following stress. b. ASR Nederland N.V. remains capable of meeting its collateral requirements in the event of an (instant) 3% increase in interest rates. | FR |
| 17 | ASR Nederland N.V. generates a robust and high-quality operational ROE, i.e. pursues an overall ROE > 12% and seeks an ROE > 10% for individual investment decisions, where in exceptional cases an ROE > 8% is accepted. | FR |
| 18 | ASR Nederland N.V. (excl. ASR Ziektekosten) has a maximum combined ratio of 99%. | FR |
| 19 | ASR Nederland N.V. has a total SCR market risk of at most 50% of the total risk. | FR |
The risk strategy aims to ensure that management decisions lead to a risk profile that remains within the risk limits. It entails all processes for identifying, assessing and managing risks and opportunities. Through a combined top-down and bottom-up Strategic Risk Analysis (SRA) approach, the most important strategic risks are identified. For each strategic risk, an estimate of likelihood and impact is made in order to prioritise the risks. The main strategic risks are translated into ‘risk priorities’ and ‘emerging risks’ at group level and are monitored throughout the year. Important changes in risk priorities and emerging risks are reported to the a.s.r. risk committee and the Audit & Risk Committee. The output of the SRA, combined with the risk appetite statements, provides insight into the strategic risk profile of a.s.r. and its underlying legal entities. The entire risk profile is monitored in the relevant risk committees.
the implemented three lines of defence model and associated (clear delimitation of) tasks and responsibilities of key function holders; and
the risk committee structure to ensure adequate decision making.
The EB has the final responsibility for risk exposures and management within the organisation. Part of the responsibilities have been delegated to persons that manage the divisions where the actual risk-taking takes place. Risk owners are accountable for one or more risk exposures that are inextricably linked to the department or product line they are responsible for. Through the risk committee structure, risk owners provide accountability for the risk exposures.
The risk governance structure is based on the ‘three lines of defence’ model. This model consists of three lines of defence with different responsibilities with respect to the ownership and control of risks. The model below provides insight into the organisation of the three lines of defence within a.s.r.
Within the risk governance, the key functions (compliance, risk, actuarial and audit) are organised in accordance with Solvency II regulation. They play an important role as countervailing power of management in the decision-making process. The four key functions are independently positioned within a.s.r. In all the risk committees one or more key functions participate. None of the functions has voting rights in the committees, in order to remain fully independent as countervailing power. All functions have direct communication lines with the EB and can escalate to the chairman of the Audit & Risk Committee of the SB. Furthermore, the key functions have regular meetings with the supervisors of the Dutch Central Bank (DNB) and / or The Dutch Authority for the Financial Markets (AFM).
Enterprise Risk Management;
Financial Risk Management;
Enterprise Risk Management (ERM) is responsible for second-line strategic and operational (including IT) risk management and the enhancement of the risk awareness for a.s.r. and its subsidiaries. The responsibilities of ERM include the development of risk policies, the annual review and update of the risk strategy (risk appetite), the coordination of the SRA process leading to the risk priorities and ORSA scenarios and the monitoring of the non-financial risk profile. For the management of operational risks, a.s.r. has a solid Risk-Control framework in place that contributes to its long-term solidity. The quality of the framework is continuously enhanced by the analysis of operational incidents, periodic risk assessments and monitoring by the RMF. ERM actively promotes risk awareness at all levels to contribute to the vision of staying a socially relevant insurer.
Financial Risk Management (FRM) is responsible for second-line financial risk management and supports both the AF and the RMF. An important task of FRM is to act as countervailing power to the EB and management in managing financial risks for a.s.r. and its subsidiaries. FRM assesses the accuracy and reliability of the market risk, counterparty risk, insurance risk and liquidity risk figures, as well as the risk margin and best estimate liability. As part of the AF, FRM reviews the technical provisions, monitors the methodologies, assumptions and models used in these calculations, and assesses the adequacy and quality of the data used in them. Furthermore, the AF expresses an opinion on the underwriting policy and determines whether risks related to the profitability of new products are sufficiently addressed in the product development process. The AF also expresses an opinion on the adequacy of reinsurance arrangements. Other responsibilities of FRM include monitoring Solvency II compliance (e.g. changes in Solvency II regulation), updating policies on valuation and risk, activities related to DNB (the national supervisor), assessment of the financial parts of the ORSA, and assessment of strategic initiatives.
The Model Validation (MV) department is responsible for performing validation activities or having them carried out in accordance with the drawn up annual model validation plan. MV is responsible for supervising compliance with the model validation policy, discussing and challenging the (draft) validation reports and advising the Model Committee. The MV is a separate sub-department within GRM. The MV is part of the RMF and operates independent of the AF.
Compliance is responsible for the execution of the compliance function. An important task of Compliance is to be the countervailing power to the EB and other management in managing compliance risks for a.s.r. and its subsidiaries. The mission of the compliance function is to enhance and ensure a controlled and sound business operation.
As second line of defence, Compliance encourages the organisation to comply with relevant laws and regulations, ethical standards and the internal standards derived from them (‘rules’) by providing advice and formulating policies. Compliance supports the first line in the identification of compliance risks and assesses the effectiveness of their management, on which Compliance reports to the relevant risk committees. In doing so, Compliance uses a compliance risk and monitoring framework. In line with risk management, Compliance also raises awareness of the rules and of desired ethical behaviour. Compliance coordinates interaction with regulators in order to maintain effective and transparent relationships with those authorities.
The Audit department, the third line of defence, provides an independent opinion on governance, risk and management processes, with the goal of supporting the EB and other management of a.s.r. in achieving the corporate objectives. To that end, Audit evaluates the effectiveness of governance, risk and management processes, and provides pragmatic advice that can be implemented to further optimise these processes. In addition, senior management can engage Audit for specific advisory projects.
a.s.r. has established a structure of risk committees with the objective of monitoring the risk profile of a.s.r. group, its legal entities and its business lines, in order to ensure that it remains within the risk appetite and the underlying risk tolerances and risk limits. When triggers are hit, or are likely to be hit, the risk committees decide on the measures to be taken, either risk-mitigating measures or governance measures such as changing the frequency of their meetings. For each risk committee a statute is drawn up in which the tasks, composition and responsibilities of the committee are defined.
Assessment of the risk appetite proposal and quarterly monitoring of the risk profile;
Assessment of the annual report, including the financial statements of a.s.r.;
The relationship with the independent external auditor, including the assessment of the quality and independence of the independent external auditor and the proposal by the SB to the AGM to appoint the independent external auditor;
The performance of the audit function, compliance function, the actuarial function and the risk management function;
Compliance with rules and regulations; and
The financial position.
The Audit & Risk Committee has three members of the SB, one of whom acts as the chairman.
The a.s.r. risk committee monitors a.s.r.’s overall risk profile on a quarterly basis. At least annually, the a.s.r. risk committee determines the risk appetite statements, limits and targets for a.s.r. This relates to the overall a.s.r. risk appetite and the subdivision of risk appetite by financial and non-financial risks. The risk appetite is then submitted to the a.s.r. Audit & Risk Committee, which advises the SB on the approval of the risk appetite. The a.s.r. risk committee also monitors the progress made in managing risks included in the Risk Priorities of the EB.
All members of the EB participate in the a.s.r. risk committee, which is chaired by the CEO. The involvement of the EB ensures that risk decisions are being addressed at the appropriate level within the organisation. In addition to the EB, the Key Functions (Risk management, Compliance, Internal audit, Actuarial function) are members of the Committee.
The Non-Financial Risk Committee (NFRC) discusses, advises and decides upon non-financial risk policies. The most relevant risk policies are approved by the a.s.r. risk committee. The NFRC monitors that non-financial risks are managed adequately and monitors that the risk profile stays within the agreed risk limits. If the risk profile exceeds the limits, the NFRC takes mitigating actions. The NFRC reports to the a.s.r. risk committee. The NFRC is chaired by a member of the EB.
The Financial Risk Committee (FRC) discusses and decides upon financial risk policies. The most relevant financial risk policies are approved by the a.s.r. risk committee. The FRC monitors and controls financial risks (market, insurance (life and non-life) and counterparty default risk). The FRC also monitors whether the risk profile stays within the risk limits. If the risk profile exceeds these limits, the FRC takes mitigating actions. The FRC reports to the a.s.r. risk committee. The Chairman of the FRC is the CFO.
The Capital, Liquidity and Funding Committee (CLFC) is a subcommittee of the FRC. As such, the CLFC prepares and assesses the technical analysis of capital, liquidity and funding positions, rating policy, rating model reporting, and treasury activities. The Chairman of the CLFC is the Director of Group Asset Management.
The model committee (MC) is a subcommittee of the FRC and is responsible for the execution and update of the model validation policy and the approval of validation of existing or newly developed models. The MC receives all required information for the validation of models (e.g. model documentation and validation reports) prepared by the Model Validation (MV) department that assures the quality of the validation process. The chairman of the MC is the Director of Finance, Risk and Performance Management (FRPM).
The business lines manage and control their risk profile through the Business Risk Committees (BRCs). The BRCs monitor that the risk profile of the business lines stays within the risk appetite, limits and targets formulated by the EB. The BRCs report to the FRC and the NFRC. The Chairman of a BRC is the Managing Director of the business line.
In addition to the risk committee structure, the Central Investment Committee (CIC) monitors tactical decisions and the execution of the investment policy. It takes investment decisions within the boundaries of the strategic asset allocation as agreed upon in the FRC. The CIC bears particular responsibility for investment decisions exceeding the mandate of the investment department. The CIC is chaired by the Director of Group Balance Sheet Management (GBSM).
The Product Approval & Review Process Board (PARP Board) is responsible for the final decision-making around the introduction of new products and adjustments to existing products. The committee evaluates whether potential risks in newly developed products are sufficiently addressed. New products need to be developed in such a way that they are cost-efficient, reliable, useful and secure for our clients. New products also need to fit a.s.r.’s mission of being a solid and trustworthy insurer. In addition, the risks of existing products are evaluated when the PARP requests this as a result of product reviews. The PARP Board is chaired by the Managing Director of the business line Health.
GRC tooling is implemented to support the risk management process by giving guidance and insight into the key risk indicators, risk tolerance levels, boundaries and actions and remediation plans to mitigate risks. The availability, adequacy and quality of data and IT systems is important in order to ensure that correct figures are reported and risk mitigating measures can be taken in time. It is important to establish under which conditions the management information that is submitted to the risk committees has been prepared and which quality safeguards were applied in the process of creating this information. This allows the risk committees to ascertain whether the information is sufficient to base further decisions upon.
completeness (including documentation of accuracy of results)
Adherence to this policy is ensured by the three lines of defence risk governance model. With a new Central Data Office and a Data Quality Improvement Programme, additional measures are taken to increase maturity in data management practices.
The preparatory body or department checks the assumptions made and the plausibility of the results, and ensures coordination with relevant parties. When a preparatory body has established that the information is reliable and complete, it approves and formally submits the document(s) to a risk committee.
The information involved tends to be sensitive. To prevent unauthorised persons from accessing it, it is disseminated using a secure channel or protected files. a.s.r.’s information security policy contains guidelines in this respect.
a.s.r.’s information security policy is based on market standards such as ISO 2700x, COBIT 2019, the NIST Cybersecurity Framework, SOC 2 principles, PCI DSS, COSO, BS 25999, ISO 31000, ITIL and PMF. These standards describe best practices for the implementation of information security.
Information availability refers to the degree to which the information is at hand as soon as the organisation needs it, meaning, for instance, that the information should be retrievable on demand and that it can be consulted and used at the right time;
The integrity, i.e. reliability, of information is the degree to which it is up-to-date, complete and error-free;
‘Confidential use’ refers to the degree to which the information is available to authorised persons only and the extent to which it is not available to unauthorised persons.
Nevertheless, confidential information may also have been committed to paper. In addition to technical measures, the information security environment therefore includes physical measures and measures that foster the right awareness among personnel. The resilience of this approach is actively tested.
The management of IT and data risks of the implemented tools, models and systems (including data) is part of the Operational IT risk management.
a.s.r. has established guidelines, including policies that cover all main risk categories (market, counterparty default, liquidity, underwriting, strategic and operational). These policies address the accountabilities and responsibilities regarding management of the different risk types. Furthermore, the methodology for risk measurement is included in the policies. The content of the policies is aligned to create a consistent and complete set. The risk policy landscape is maintained by GRM and Compliance. These departments also monitor the proper implementation of the policies in the business. New risk policies or updates of existing risk policies are approved by the risk committees as mentioned previously.
Risk awareness is a vital component of building a sound risk culture within a.s.r. that emphasises the human aspect in the management of risks. In addition to gaining sufficient knowledge, skills, capabilities and experience in risk management, it is essential that an organisation enables objective and transparent risk reporting in order to manage them more effectively.
The EB clearly recognises the importance of risk management and is therefore represented in all of the major group level risk committees. Risk Management is involved in the strategic decision-making process, where the company’s risk appetite is always considered. The awareness of risks during decision-making is continually addressed when making business decisions, for example by discussing and reviewing risk scenarios and the positive and / or negative impact of risks before finalising decisions.
It is very important that this risk awareness trickles down to all parts of the organisation, and therefore management actively encourages personnel to be aware of risks during their tasks and projects, in order to avoid risks or mitigate them when required. The execution of risk analyses is embedded in daily business in, for example, projects, product design and outsourcing.
In doing so, a.s.r. aims to create a solid risk culture in which ethical values, desired behaviours and understanding of risk in the entity are fully embedded. Integrity is of the utmost importance at a.s.r.: this is translated into a code of conduct and strict application policies for new and existing personnel, such as taking an oath or promise when entering the company, and the ‘fit and proper’ aspect of the Solvency II regulation, ensuring that a.s.r. is overseen and managed in a professional manner.
Furthermore, a.s.r. believes it is important that a culture is created in which risks can be discussed openly and where risks are not merely perceived to be negative and highlight that risks can also present a.s.r. with opportunities. Risk Management (both centralised and decentralised) and Compliance are positioned as such, that they can communicate and report on risks independently and transparently, which also contributes to creating a proper risk culture.
The risk management process typically comprises five important steps: 1) identifying; 2) measuring; 3) managing; 4) monitoring and reporting; and 5) evaluating. a.s.r. has defined a procedure for performing risk analyses and standards for specific assessments. The five steps are explained in this chapter.
Management should endeavour to identify all possible risks that may affect the strategic objectives of a.s.r., ranging from the larger and / or more significant risks posed to the business as a whole, down to the smaller risks associated with individual projects or smaller business lines. Risk identification comprises the process of identifying and describing risk sources, events, and the causes and effects of those events.
Expert judgments (regarding likelihood and impact)
Accept: risk acceptance means accepting that a risk might have consequences, without taking any further mitigating measures.
Avoid: risk avoidance is the elimination of activities that cause the risk.
Transfer: risk transference is transferring the impact of the risk to a third party.
Mitigate: risk mitigation involves the mitigation of the risk likelihood and / or impact.
Exploit: risk exploitation revolves around the maximisation of the risk likelihood and / or increasing the impact if the risk does happen.
Risk management strategies are chosen in a way that ensures that a.s.r. remains within the risk appetite tolerance levels and limits.
The risk identification process is not a continuous exercise. Therefore, risk monitoring and reporting are required to capture changes in environments and conditions. This also means that risk management strategies could, or perhaps should, be adapted in accordance with risk appetite tolerance levels and limits.
The evaluation step is twofold. On the one hand, evaluation means risk exposures are evaluated against risk appetite tolerance levels and limits, taking (the effectiveness of) existing mitigation measures into account. The outcome of the evaluation could lead to a decision regarding further mitigating measures or changes in risk management strategies. On the other hand, the risk management framework (including the risk management processes) is evaluated by the risk management function, in order to continuously improve the effectiveness of the risk management framework as a whole.
a.s.r. is exposed to a variety of risks. There are six main risk categories that a.s.r. recognises, as described below.
Life insurance risk
Health insurance risk
Non-life insurance risk
Interest rate risk
Concentration risk / market concentration risk
Counterparties that offer cash facilities
Counterparties with which derivatives contracts have been concluded
Liquidity risk is the risk that a.s.r. is not able to meet its financial obligations to policyholders and other creditors when they become due and payable, at a reasonable cost and in a timely manner.
Climate change and energy transition
Strategic risk may arise due to a mismatch between two or more of the following components: the objectives (resulting from the strategy), the resources used to achieve the objectives, the quality of implementation, the economic climate and / or the market in which a.s.r. and / or its business lines operate.