The system of internal control includes the management of risks at different levels in the organisation, both operational and strategic.
Strategic risk management aims to identify and manage the most significant risks that may impact a.s.r.’s strategic objectives. Subsequently, the aim is to identify and analyse the risk profile as a whole, including risk interdependencies. The process of strategic risk analysis (SRA) is designed to identify, measure, manage, monitor, report and evaluate those risks that are of strategic importance to a.s.r.:
Through the SRA process, identification of risks is structurally organised through the combined top-down and bottom-up SRA approach. The SRA outcomes are jointly translated into ‘risk priorities’ and ‘emerging risks’, in which the most significant risks for a.s.r. are represented.
Through the SRA process, the likelihood and impact of the identified risks are assessed, taking into account (the effectiveness of) risk mitigating measures and planned improvement actions. Information from other processes is used to gain additional insights into the likelihood and impact. One single risk priority can take multiple risks into account. In this manner, the risk priorities provide (further) insights into risk interdependencies.
As part of the SRA processes, the effectiveness of risk mitigating measures and planned measures of improvement is assessed. This means risk management strategies are discussed, resulting in refined risk management strategies.
The output of the SRA process is translated into day-to-day risk management, monitoring and reporting, both at group level and at product line level. At group level, the risk priorities are discussed in the a.s.r. risk committee and the Audit & Risk Committee. At the level of the product lines, risks are discussed in the BRCs.
Insights regarding likelihood and impact are evaluated against solvency targets in the SRA process. Based on this evaluation, conclusions are formulated regarding the adequacy of solvency objectives at group and individual legal entity level.
One of the areas within Strategic Risk Management concerns climate change. For a.s.r., climate change is a direct risk, both to its assets and to its liabilities. Chapter 4.5 Climate change discusses the climate-related risks relevant to a.s.r. and how these risks are managed. Climate-related risks have had no impact on the current accounting and disclosures of a.s.r.'s assets and liabilities.
Operational Risk Management (ORM) involves the management of all possible risks that may influence the achievement of the business goals and that can cause financial or reputational damage. ORM includes the identification, analysis, prioritisation and management of these risks in line with the risk appetite. The policy on ORM is drafted and periodically evaluated under the coordination of ERM. The policy is implemented in the decentralised business entities under the responsibility of the management boards. A variety of risks is covered by the ORM policy: IT, outsourcing, project, reporting, etc.
With the operational targets as a starting point, each business entity performs risk assessments to identify events that could influence these targets. In each business entity the business risk manager facilitates the periodic identification of the key operational risks. All business processes are taken into account to identify the risks. All identified risks are prioritised and recorded in a risk-control framework.
The risk policies prescribe specific risk analyses to be performed to identify and analyse the risks. For important IT systems, Information Security Analyses (DIVA – Dienstverlening en Informatie Veiligheids Analyse) have to be performed and for large outsourcing projects a specific risk analysis is required.
All risks in the risk-control frameworks are assessed on likelihood of occurrence and impact. Where applicable, the variables are quantified, but often the judgement of subject matter experts is required. Based on the estimation of the variables, each risk is labelled with a specific level of concern (1 to 4). Gross risks with a level of concern of 3 or 4 are considered ‘key’.
For each risk, identified controls are implemented into the processes to keep the level of risk within the agreed risk appetite (level of concern 1 or 2). In general, risks can be accepted, mitigated, avoided or transferred. A large range of options is available to mitigate operational risks, depending on the type of risk. An estimate is made of the net risk remaining after the control(s) have been implemented. A more effective and efficient approach to managing risks is required, driven by the increased complexity of processes and data processing and the need for a timely and accurate view of the risk profile. a.s.r. is therefore in the process of shifting towards a more automated approach to managing risks, for example through automated controls and data analysis.
The effectiveness of operational risk management is periodically monitored by the business risk manager at each business line or legal entity. For each key control in the risk-control framework a testing calendar is established, based on auditing standards. Each control is tested regularly and the outcomes of the effectiveness of the management of key risks are reported to the management board. Outcomes are also reported to the NFRC and a.s.r. risk committee.
Periodically, yet at least annually, the risk-control frameworks and ORM policies are evaluated to see if revisions are necessary. The risk management function also challenges the business lines and legal entities regarding their risk-control frameworks.
Operational incidents are reported to GRM, in accordance with the operational risk policy. The causes of losses are evaluated in order to learn from these experiences. An overview of the largest operational incidents and the level of operational losses is reported to the NFRC. Actions are defined and implemented to avoid repetition of operational losses.
Through IT risk management, a.s.r. devotes attention to the efficiency, effectiveness and integrity of ICT, including End User Computing applications. Logical access control for key applications used in the financial reporting process remains a high priority in order to enhance the integrity of applications and data. The logical access control procedures also prevent fraud by improving segregation of duties and by conducting regular checks of actual access levels within the applications. A proper understanding of information, security and cyber risks is essential, which is why continuous actions are carried out to create awareness among employees and management. All of a.s.r.’s security measures are tested frequently. With regard to cyber risk, a.s.r. participates in the DNB Threat Intel Based Ethical Hacking exercise. This exercise tests a.s.r. against the highest level of threats, using sophisticated attack methods.
Operational management can be disrupted significantly by unforeseen circumstances or calamities which could ultimately disrupt the execution of critical and operational processes. Business Continuity Management enables a.s.r. to continue its daily business uninterruptedly and to react quickly and effectively during such situations.
Critical processes and activities, and the tools required for these processes, are identified during the Business Impact Analysis. This includes the resources required to establish similar activities at a remote location. The factors that can threaten the availability of the tools needed for the critical processes are identified in the Threat Analysis.
a.s.r. considers something a crisis when one or more business lines are (in danger of being) disrupted in the operational management, due to a calamity, or when there is a reputational threat. In order to reduce the impact of the crisis, to stabilise the crisis, and to be able to react timely, efficiently and effectively, a.s.r. has assigned a crisis organisation.
There is a central crisis team led by a member of the board. Each business line has its own crisis team led by the director of the management team. The continuity of activities and the recovery systems supporting critical activities are regularly tested, and crisis teams are trained annually. The objective of the training is to give the teams insight into how they function during emergencies and to help them perform their duties more effectively in such situations. The training also sets out to clarify the roles, duties and responsibilities of the crisis teams. One important training scenario used is a scenario that includes cyber threats.
On 1 January 2019, Dutch legislation entered into force that addresses the recovery and settlement of insurance companies ('Wet herstel en afwikkeling van verzekeraars' in Dutch). The objective is that insurance companies and supervisors are better prepared for a crisis and that insurance companies can recover from a crisis without government aid. a.s.r. is obliged to have a Preparatory Crisis Plan ('Voorbereidend Crisisplan' in Dutch) in place that has been approved by DNB. In 2021 a.s.r. established its Preparatory Crisis Plan. a.s.r.’s Preparatory Crisis Plan helps it to be prepared for, and to have the capacity to act in, various forms of extreme financial stress. The Preparatory Crisis Plan describes and quantifies the measures that can be applied to live through a crisis situation. These measures are tested in the scenario analysis, in which the effects of each recovery measure on a.s.r.’s financial position (solvency and liquidity) are quantified. The required preparations for implementing the measures, their implementation time and effectiveness, potential obstacles, the impact on policyholders and the operational effects are also assessed. The main purpose of the Preparatory Crisis Plan is to increase the chances of successful early intervention in the event of a financial crisis situation and to further guarantee that the interests of policyholders and other stakeholders are protected.
a.s.r. aims to obtain reasonable assurance regarding the adequacy and accuracy of the outcomes of models that are used to provide best estimate values and solvency capital requirements. To this end, multiple instruments are applied, including model validation. Twice a year a model inventory is performed by the product lines to determine if and when a model (re)validation is required. Triggers for model (re)validation are diverse, e.g. regulation, conversions and analysis of change. Materiality is determined by means of an assessment of impact and complexity. Impact and complexity are expressed in terms of High (H), Medium (M) or Low (L). The model inventories are discussed in the Model Committee.
In the pursuit of reasonable assurance, model risk is mitigated and unacceptable deviations are avoided, against acceptable costs.