Chapters Downloads Search
Annual Report 2021
About a.s.r.Operating environmentSustainable value creationBusiness performanceGovernanceFinancial statementsAdditional information
At a glance
Message from the CEO
Value creation model
The story of a.s.r.
Portfolio and execution of strategy
Key trends impacting a.s.r.'s operations
Strategic targets and performance
Material topics
Contribution to the Sustainable Development Goals
Sustainable value creation
Sustainable insurer
Sustainable investor
Sustainable employer
Trustworthy company
Investor community
Role in society
Group and segment performance
Risk management
Compliance
EU Taxonomy Regulation
Climate change
Statements of the Executive Board
Corporate Governance
Supervisory Board report
Remuneration report
Employee participation
Introduction
Consolidated financial statements
Accounting policies
Group structure and segment information
Notes to the consolidated balance sheet
Notes to the consolidated income statement
Other notes
Risk Management
Capital management
Operating result
Company financial statements
Independent auditor's report
Assurance report of the independent auditor
Provisions of the Articles of Association regarding profit appropriation
Report of the Stichting Continuïteit ASR Nederland
Facts and figures
About this report
Glossary
Abbreviations
Materiality analysis and stakeholder dialogue
GRI Content Index
TCFD recommendations
EU Directive: disclosure on non-financial and diversity information
Contact details
Strategic targets and performance 2019-2021Strategic targets 2022-2024
Sustainable products and servicesProduct Approval & Review ProcessIT and the digital strategyPrevention of payment problemsComplaints management
a.s.r. asset managementa.s.r. real estate
Organisational success and employee engagementEmployee Mood MonitorHR policy and strategyWorking conditionsRemunerationBusiness targets and personal targetsEmployee Share Purchase Plan
Socially responsible taxpayerHuman rightsIntegrityEthical reflectionPrivacyPolitical engagementCarbon footprint own operations
a.s.r. foundation
ASR Nederland N.V.Non-life segmentLife segmentAsset Management segmentDistribution and Services segmentHolding and Other segment (including eliminations)
Risk governanceRisk appetiteRisk descriptions
GeneralExecutive BoardSupervisory BoardCorporate Governance Codes and regulations
Meetings of the Supervisory BoardSupervisory Board Committees
IntroductionRemuneration policyExecutive BoardSupervisory Board
General informationImpact of COVID-19Statement of compliance
Consolidated balance sheetConsolidated income statementConsolidated statement of comprehensive incomeConsolidated statement of changes in equityConsolidated statement of cash flows
Changes in presentationChanges in EU endorsed published IFRS standards and interpretations effective in 2021New standards, interpretations of existing standards or amendments to standards, not yet effective in 2021Key accounting policiesOther accounting policies
Group structureSegmented balance sheetSegmented income statement and operating resultNon-life ratiosAcquisitions
Intangible assetsProperty, plant and equipmentInvestment propertyAssociates and joint venturesInvestmentsInvestments on behalf of policyholdersInvestments related to investment contractsLoans and receivablesDerivativesDeferred taxesOther assetsCash and cash equivalentsEquitySubordinated liabilitiesInsurance liabilitiesLiabilities arising from investment contractsEmployee benefitsProvisionsBorrowingsDue to customersDue to banksOther liabilities
Gross insurance premiumsInvestment incomeRealised gains and lossesFair value gains and lossesFee and commission incomeOther incomeNet insurance claims and benefitsOperating expensesImpairmentsInterest expenseOther expensesIncome tax (expense) / gain
Fair value of assets and liabilitiesOffsetting of financial assets and liabilitiesFair value of financial assets categorised into two groups based on business model and SPPI test resultsRelated party transactionsKey management personnel remunerationEmployee Share Purchase PlanContingent liabilities and assetsEvents after the balance sheet dateList of principal group companies and associatesProfit appropriation
Risk management system including the Own Risk and Solvency Assessment Risk Management SystemInsurance riskMarket riskCounterparty default riskLiquidity riskOperational riskStrategic and operational risk management
Capital management objectivesSolvency ratio and a.s.r. ratingsAdditional information
Company balance sheetCompany income statementNotes to the company financial statements
Financial indicatorsCustomer-related indicatorsHuman Resources indicatorsResponsible investor indicatorsInvestor community indicatorsEnvironmental indicatorsSustainability ratings
ContactPublication
Financial statements
Annual Report 2021 Financial statements Risk Management
6.8.7
Strategic and operational risk management

The system of internal control includes the management of risks at different levels in the organisation, both operational and strategic.

6.8.7.1 Strategic Risk Management

Strategic risk management aims to identify and manage the most significant risks that may impact a.s.r.’s strategic objectives. Subsequently, the aim is to identify and analyse the risk profile as a whole, including risk interdependencies. The process of strategic risk analysis (SRA) is designed to identify, measure, manage, monitor, report and evaluate those risks that are of strategic importance to a.s.r.:

Identifying

Through the SRA process, identification of risks is structurally organised through the combined top-down and bottom-up SRA approach. The SRA outcomes are jointly translated into ‘risk priorities’ and ‘emerging risks’, in which the most significant risks for a.s.r. are represented.

Measuring

Through the SRA process, the likelihood and impact of the identified risks are assessed, taking into account (the effectiveness of) risk mitigating measures and planned improvement actions. Information from other processes is used to gain additional insights into the likelihood and impact. One single risk priority can take multiple risks into account. In this manner, the risk priorities provide (further) insights into risk interdependencies.

Managing

As part of the SRA processes, the effectiveness of risk mitigating measures and planned measures of improvement is assessed. This means risk management strategies are discussed, resulting in refined risk management strategies.

Monitoring and reporting

The output of the SRA process is translated into day-to-day risk management and monitoring and reporting, both at group level and product line levels. At group level, the risk priorities are discussed in the a.s.r. risk committee and the Audit & Risk Committee. At the level of the product lines, risks are discussed in the BRC’s.

Evaluating

Insights regarding likelihood and impact are evaluated against solvency targets in the SRA process. Based on this evaluation, conclusions are formulated regarding the adequacy of solvency objectives at group and individual legal entity level.

Climate change

One of the areas within Strategic Risk Management concerns climate change. For a.s.r., climate change is a direct risk, both to its assets and liabilities. In chapter 4.5 Climate change, the relevant climate related risks for a.s.r. are discussed including how these risks are managed. Climate related risks have had no impact on the current accounting and disclosures of a.s.r.'s assets and liabilities.

6.8.7.2 Operational Risk Management

Operational Risk Management (ORM) involves the management of all possible risks that may influence the achievement of the business goals and that can cause financial or reputational damage. ORM includes the identification, analysis, prioritisation and management of these risks in line with the risk appetite. The policy on ORM is drafted and periodically evaluated under the coordination of ERM. The policy is implemented in the decentralised business entities under the responsibility of the management boards. A variety of risks is covered by ORM policy: IT, outsourcing, project, reporting etc.

Identifying

With the operational targets as a starting point, each business entity performs risk assessments to identify events that could influence these targets. In each business entity the business risk manager facilitates the periodic identification of the key operational risks. All business processes are taken into account to identify the risks. All identified risks are prioritised and recorded in a risk-control framework.

The risk policies prescribe specific risk analyses to be performed to identify and analyse the risks. For important IT systems, Information Security Analyses (DIVA – Dienstverlening en Informatie Veiligheids Analyse) have to be performed and for large outsourcing projects a specific risk analysis is required.

Measuring

All risks in the risk-control frameworks are assessed on likelihood of defaults and impact. Where applicable, the variables are quantified, but often judgments of subject matter experts are required. Based on the estimation of the variables, each risk is labelled with a specific level of concern (1 to 4). Gross risks with a level of concern 3 or 4 are considered ‘key’.

Managing

For each risk, identified controls are implemented into the processes to keep the level of risk within the agreed risk appetite (level of concern 1 or 2). In general, risks can be accepted, mitigated, avoided or transferred. A large range of options is available to mitigate operational risks, depending on the type. An estimation is made of the net risk, after implementing the control(s). A more effective and efficient approach to managing risks is required driven by increased complexity of processes, data processing and the need for a timely and accurate view on the risk profile. a.s.r. is therefore in the process of shifting towards a more automated approach to manage risks, for example automated controls and data analysis.

Monitoring and reporting

The effectiveness of operational risk management is periodically monitored by the business risk manager at each business line or legal entity. For each key control in the risk-control framework a testing calendar is established, based on auditing standards. Each control is tested regularly and the outcomes of the effectiveness of the management of key risks are reported to the management board. Outcomes are also reported to the NFRC and a.s.r. risk committee.

Evaluating

Periodically, yet at least annually, the risk-control frameworks and ORM policies are evaluated to see if revisions are necessary. The risk management function also challenges the business lines and legal entities regarding their risk-control frameworks.

Operational incidents

Operational incidents are reported to GRM, in accordance with the operational risk policy. The causes of losses are evaluated in order to learn from these experiences. An overview of the largest operational incidents and the level of operational losses is reported to the NFRC. Actions are defined and implemented to avoid repetition of operational losses.

ICT

Through IT risk management, a.s.r. devotes attention to the efficiency, effectiveness and integrity of ICT, including End User Computing applications. The logical access control for key applications used in the financial reporting process remains a high priority in order to enhance the integrity of applications of data. The logical access control procedures also prevent fraud by improving segregation of duties and by conducting regular checks of actual access levels within the applications. Proper understanding of information, security and cyber risks is essential, reason for which continuous actions are carried out to create awareness among employees and management. All of a.s.r.’s security measures are tested frequently. In case of cyber a.s.r. is participating in de DNB Threat Intel Based Ethical Hacking exercise. This exercises test a.s.r. on the highest level of threats with sophisticated attack methods.

Business Continuity Management

Operational management can be disrupted significantly by unforeseen circumstances or calamities which could ultimately disrupt the execution of critical and operational processes. Business Continuity Management enables a.s.r. to continue its daily business uninterruptedly and to react quickly and effectively during such situations.

Critical processes and activities and the tools necessary to use for these processes are identified during the Business Impact Analysis. This includes the resources required to establish similar activities at a remote location. The factors that can threaten the availability of those tools necessary for the critical processes are identified in the Threat Analysis.

a.s.r. considers something a crisis when one or more business lines are (in danger of being) disrupted in the operational management, due to a calamity, or when there is a reputational threat. In order to reduce the impact of the crisis, to stabilise the crisis, and to be able to react timely, efficiently and effectively, a.s.r. has assigned a crisis organisation.

There is a central crisis team led by a member of the board. Each business line has their own crisis team led by the director of the management team. The continuity of activities and the recovery systems supporting critical activities are regularly tested and crisis teams are trained annually. The objective of the training is to give the teams insights into how they function during emergencies and to help them perform their duties more effectively during such situations. The training also sets out to clarify the roles, duties and responsibilities of the crisis teams. One important training scenario used is a scenario that includes cyber threats.

Preparatory Crisis Plan

On 1 January 2019 Dutch legislation entered into force that addresses the recovery and settlement of insurance companies ('Wet herstel en afwikkeling van verzekeraars' in Dutch). The objective is that insurance companies and supervisors are better prepared against a crisis and that insurance companies can recover from a crisis without government aid. a.s.r. is obliged to have a Preparatory Crisis Plan ('Voorbereidend Crisisplan' in Dutch) in place that has been approved by DNB. In 2021 a.s.r. established its Preparatory Crisis Plan. a.s.r.’s Preparatory Crisis Plan helps to be prepared and have the capacity to act in various forms of extreme financial stress. The Preparatory Crisis Plan describes and quantifies the measures that can be applied to live through a crisis situation. These measures are tested in the scenario analysis, in which the effects of each recovery measure on a.s.r.’s financial position (solvency and liquidity) are quantified. The required preparations for implementing the measures, their implementation time and effectiveness, potential obstacles, impact on policy holders and operational effects are also assessed. The main purpose of the Preparatory Crisis Plan is to increase the chances of successful early intervention in the event of a financial crisis situation and to further guarantee that the interest of policyholders and other stakeholders are protected.

Reasonable assurance and model validation

a.s.r. aims to obtain reasonable assurance regarding the adequacy and accuracy of the outcomes of models that are used to provide best estimate values and solvency capital requirements. To this end, multiple instruments are applied, including model validation. Two times a year a model inventory is performed by the productlines to determine if and when a model (re)validation is required. Triggers for model (re)validation are diverse, e.g. regulation, conversions, analysis of change. Materiality is determined by means of an assessment of impact and complexity. Impact and complexity is expressed in terms of High (H), Medium (M), or Low (L). The model inventories are discussed in the Model Committee.

In the pursuit of reasonable assurance, model risk is mitigated and unacceptable deviations are avoided, against acceptable costs.

6.8.6 Operational risk6.9 Capital management
werken bij a.s.r.privacyverklaringcookieverklaringdisclaimerfraudebeleidmeldpunt digitale kwetsbaarheden © a.s.r.