Annual Report 2022
6.8.7
Strategic and operational risk management

The system of internal control includes the management of risks at different levels in the organisation, both operational and strategic.

6.8.7.1 Strategic Risk Management

Strategic risk management aims to identify and manage the most significant risks that may impact a.s.r.’s strategic objectives. Subsequently, the aim is to identify and analyse the risk profile as a whole, including risk interdependencies. The process of strategic risk analysis (SRA) is designed to identify, measure, manage, monitor, report and evaluate those risks that are of strategic importance to a.s.r.:

Identifying

Through the SRA process, identification of risks is structurally organised through the combined top-down and bottom-up SRA approach. The SRA outcomes are jointly translated into ‘risk priorities’ and ‘emerging risks’, in which the most significant risks for a.s.r. are represented.

Measuring

Through the SRA process, the likelihood and impact of the identified risks are assessed, taking into account (the effectiveness of) risk mitigating measures and planned improvement actions. Information from other processes is used to gain additional insights into the likelihood and impact. One single risk priority can take multiple risks into account. In this manner, the risk priorities provide (further) insights into risk interdependencies.

Managing

As part of the SRA processes, the effectiveness of risk mitigating measures and planned measures of improvement is assessed. This means risk management strategies are discussed, resulting in refined risk management strategies.

Monitoring and reporting

The output of the SRA process is translated into day-to-day risk management and monitoring and reporting, both at group level and product line levels. At group level, the risk priorities are discussed in the a.s.r. risk committee and the Audit & Risk Committee. At the level of the product lines, risks are discussed in the BRC’s.

Evaluating

Insights regarding likelihood and impact are evaluated against solvency targets in the SRA process. Based on this evaluation, conclusions are formulated regarding the adequacy of solvency objectives at group and individual legal entity level.

Climate change

One of the areas within Strategic Risk Management concerns climate change. For a.s.r., climate change is a direct and indirect risk, both to its assets and liabilities. In chapter 4.7.3 Identified risks and 4.9.2 Climate change, the relevant climate related risks for a.s.r. are discussed including how these risks are managed. Climate change related risks have had no direct impact on the valuation in the current accounting and disclosures of a.s.r.'s assets and liabilities.

6.8.7.2 Operational Risk Management

Operational Risk Management (ORM) involves the management of all possible risks that may influence the achievement of the business goals and that can cause financial or reputational damage. ORM includes the identification, analysis, prioritisation and management of these risks in line with the risk appetite. The policy on ORM is drafted and periodically evaluated under the coordination of ERM. The policy is implemented in the decentralised business entities under the responsibility of the management boards. A variety of risks is covered by ORM policy: IT, outsourcing, project, reporting etc.

Identifying

With the operational targets as a starting point, each business entity performs risk assessments to identify events that could influence these targets. In each business entity the business risk manager facilitates the periodic identification of the key operational risks. All business processes are taken into account to identify the risks. All identified risks are prioritised and recorded in a risk-control framework.

The risk policies prescribe specific risk analyses to be performed to identify and analyse the risks. For IT systems, Information Security Analyses (Dienstverlening en Informatie Veiligheids Analyse) have to be performed and for large outsourcing projects a specific risk analysis is required.

Measuring

All risks in the risk-control frameworks are assessed on likelihood of defaults and impact. Where applicable, the variables are quantified, but often judgments of subject matter experts are required. Based on the estimation of the variables, each risk is labelled with a specific level of concern (1 to 4). Gross risks with a level of concern 3 or 4 are considered ‘key’.

Managing

For each risk, identified controls are implemented into the processes to keep the level of risk within the agreed risk appetite (level of concern 1 or 2). In general, risks can be accepted, mitigated, avoided or transferred. A large range of options is available to mitigate operational risks, depending on the type. An estimation is made of the net risk, after implementing the control(s). A more effective and efficient approach to managing risks is required driven by increased complexity of processes, data processing and the need for a timely and accurate view on the risk profile. a.s.r. is therefore in the process of shifting towards a more automated approach to manage risks, for example automated controls and data analysis.

Monitoring and reporting

The effectiveness of operational risk management is periodically monitored by the business risk manager at each business line or legal entity. For each key control in the risk-control framework a testing calendar is established, based on auditing standards. Each control is tested regularly and the outcomes of the effectiveness of the management of key risks are reported to the management board. Outcomes are also reported to the NFRC and a.s.r. risk committee.

Evaluating

Periodically, yet at least annually, the risk-control frameworks and ORM policies are evaluated to see if revisions are necessary. The risk management function also challenges the business segments and legal entities regarding their risk-control frameworks.

Operational incidents

Operational incidents are reported to GRM, in accordance with the operational risk policy. The causes of losses are evaluated in order to learn from these experiences. An overview of the largest operational incidents and the level of operational losses is reported to the NFRC. Actions are defined and implemented to avoid repetition of operational losses.

ICT

Through IT risk management, a.s.r. devotes attention to the confidentiality, integrity and availability of ICT, including End User Computations. The logical access control for key systems used in the financial reporting process remains a high priority in order to enhance the integrity of applications and data. The logical access control procedures also prevents fraud by improving segregation of duties and by offsetting current and desired access levels within the systems and applications. Proper understanding of information, security and cyber risks is essential and the reason for which continuous actions are carried out to create awareness among employees. All of a.s.r.’s security measures are tested periodically. To increase cyberresilience, a.s.r. is participating in de DNB Threat Intel Based Ethical Red Teaming exercise.

Business Continuity Management

Operational management can be disrupted significantly by unforeseen circumstances or calamities which could ultimately disrupt the execution of critical and operational processes. Business Continuity Management enables a.s.r. to resume its daily business with limited interruptions and to react quickly and effectively during such situations.

Critical processes and activities and the tools necessary to use for these processes are identified during the Business Impact Analysis. The factors that can threaten the availability of those tools necessary for the critical processes are identified in the Threat Analysis.

a.s.r. defines a crisis as: one or more product lines are (in danger of being) disrupted in their operations, due to a calamity, or when there is a reputational threat. In order to manage the crisis, and to be able to react timely, efficiently and effectively, a.s.r. has set up a crisis organisation.

There is a central crisis team led by a member of the board. Each business line has their own crisis team led by the director of the business line. The continuity of activities and the systems supporting critical activities are regularly tested and crisis teams are trained annually. The objective of the training is to give the teams insights in how they function during emergencies and to help them perform their duties more effectively during such situations. Some important training scenarios used are scenarios that include cyber threats.

Preparatory Crisis Plan

On 1 January 2019 Dutch legislation entered into force that addresses the recovery and settlement of insurance companies ('Wet herstel en afwikkeling van verzekeraars' in Dutch). The objective is that insurance companies and supervisors are better prepared against a crisis and that insurance companies can recover from a crisis without government aid. a.s.r. is obliged to have a Preparatory Crisis Plan ('Voorbereidend Crisisplan' in Dutch) in place that has been approved by DNB. In 2021 a.s.r. established its Preparatory Crisis Plan. a.s.r.’s Preparatory Crisis Plan helps to be prepared and supports the organisation in various scenarios of extreme financial stress. The Preparatory Crisis Plan describes and quantifies the measures that can be applied to handle a crisis situation and to resume business. These measures are tested in the scenario analysis, in which the effects of each recovery measure on a.s.r.’s financial position (solvency and liquidity) are quantified. The required preparations for implementing the measures, their implementation time and effectiveness, potential obstacles, impact on clients and operational effects are also assessed. The main purpose of the Preparatory Crisis Plan is to increase the chances of early intervention in the event of a financial crisis situation and to further guarantee that the interest of clients and other stakeholders are protected.

Reasonable assurance and model validation

a.s.r. aims to obtain reasonable assurance regarding the adequacy and accuracy of the outcomes of models that are used to provide best estimate values and solvency capital requirements. To this end, multiple instruments are applied, including model validation. Two times a year a model inventory is performed by the productlines to determine if and when a model (re)validation is required. Triggers for model (re)validation are diverse, e.g. regulation, conversions, analysis of change. Materiality is determined by means of an assessment of impact and complexity. Impact and complexity is expressed in terms of High (H), Medium (M), or Low (L). The model inventories are discussed in the Model Committee.

In the pursuit of reasonable assurance, model risk is mitigated and unacceptable deviations are avoided, against acceptable costs.