2023 annual report
7.8.1 Risk management system

It is of great importance to a.s.r. that risks within all business segments are timely and adequately controlled. In order to do so, a.s.r. implemented a RM framework based on internationally recognised and accepted standards (such as COSO ERM and ISO 31000 RM principles and guidelines). Using this framework, material risks that a.s.r. is, or can be, exposed to, are identified, measured, managed, monitored, reported and evaluated. The RM framework is both applicable to a.s.r. group and the underlying (legal) business entities.

7.8.1.1 Risk Management Framework

The figure below is the RM framework as applied by a.s.r.

Risk Management framework

The RM framework consists of risk strategy (including risk appetite), risk governance, systems and data, risk policies and procedures, risk culture, and RM process. The RM framework contributes to achieving the strategic, tactical and operational objectives as set out by a.s.r. The overall effectiveness of the RM framework is evaluated as part of the regular internal review of the system of governance.

Risk strategy (incl. risk appetite)

Risk strategy is defined to contain at least the following elements:

  • Strategic, tactical and operational objectives that are pursued;

  • The risk appetite in pursuit of those strategic, tactical and operational objectives.

a.s.r.’s risk strategy aims to ensure that decisions are made within the boundaries of the risk appetite, as stipulated annually by the EB and the SB (see chapter Risk strategy and risk appetite).

Risk governance

Risk governance can be seen as the way in which risks are managed, through a sound risk governance structure and clear tasks and responsibilities, including risk ownership. a.s.r. employs a risk governance framework that entails the tasks and responsibilities of the RM organisation and the structure of the Risk committees (see chapter Risk governance).

Systems and data

Systems and data support the RM process and provide management information to the risk committees and other relevant bodies. a.s.r. finds it very important to have qualitatively adequate data, models and systems in place, in order to be able to report and steer on correct figures and to apply risk-mitigating measures in a timely manner. To ensure this, a.s.r. has designed a policy for data quality and model validation in line with Solvency II. Tools, models and systems are implemented to support the RM process by giving guidance to and insights into the key risk indicators, risk tolerance levels, boundaries and actions, and remediation plans to mitigate risks (see chapter Systems and data).

Risk policies and procedures

Risk policies and procedures at least:

  • Define the risk categories and the methods to measure the risks;

  • Outline how each relevant category, risk area and any potential aggregation of risk is managed;

  • Describe the connection with the overall solvency needs assessment as identified in the ORSA, the regulatory capital requirements and the risk tolerances;

  • Provide specific risk tolerances and limits within all relevant risk categories in line with the risk appetite statements;

  • Describe the frequency and content of regular stress tests and the circumstances that would warrant ad-hoc stress tests.

The classification of risks within a.s.r. is performed in line with, but is not limited to, the Solvency II risks. Each risk category consists of one or more policies or procedures that explicate how risks are identified, measured and controlled within a.s.r. (see chapter Risk policies and procedures).

Risk culture

An effective risk culture is one that enables and rewards individuals and groups for taking risks in an informed manner. It is a term describing the values, beliefs, knowledge, attitudes and understanding about risk. All the elements of the RM framework combined make an effective risk culture.

Within a.s.r. risk culture is an important element that emphasises the human side of RM. The EB has a distinguished role in expressing the appropriate norms and values (tone at the top). a.s.r. employs several measures to increase the risk awareness and, in doing so, the risk culture (see chapter Risk culture).

Risk management process

The RM process contains all activities within the RM processes to structurally 1) identify risks; 2) measure risks; 3) manage risks; 4) monitor and report on risks; and 5) evaluate the risk profile and RM framework. At a.s.r., the RM process is used to implement the risk strategy in the steps mentioned. These five steps are applicable to the risks within the company to be managed effectively (see chapter Risk Management process).

7.8.1.1.1 Risk management strategy and risk appetite

a.s.r.’s risk strategy aims to ensure that decisions are made within the boundaries of the risk appetite, as stipulated annually by the EB and the SB.

Risk appetite is defined as the level and type of risk a.s.r. is willing to bear in order to meet its strategic, tactical and operational objectives. The risk appetite is formulated to give direction to the management of the (strategic) risks. The risk appetite contains a number of qualitative and quantitative risk appetite statements and is defined for both financial (FR) and non-financial risks (NFR). The statements highlight the risk preferences and limits of the organisation and are viewed as key elements for the realisation of the strategy. The statements and limits are defined at both group level and at legal entity level and are determined by the a.s.r. risk committee and approved by the SB.

The statements are evaluated yearly to maintain alignment with the strategy. The NFR statements have been strengthened in 2023, but not materially changed. FR statements have not been changed at a.s.r. group level. An additional update took place in 2023 due to the merger with Aegon.

Risk appetite statement ASR Nederland N.V. 2023

| No. | Statement | Type |
|---|---|---|
| 1 | ASR Nederland N.V. places long-term value creation at the forefront of its (strategic) operations and ensures that all stakeholders’ interests (customer, society, employee, investors) are met in a balanced and sustainable way. | NFR |
| 2 | ASR Nederland N.V. acts in accordance with the a.s.r. sustainability objectives and sufficiently manages its sustainability risks. | NFR |
| 3 | ASR Nederland N.V. focuses on customer and has effective and controlled (business) processes, whereby the customer data quality is in order. | NFR |
| 4 | ASR Nederland N.V. has reliable financial reports, whereby IFRS and Solvency II data quality is in order. | NFR |
| 5 | ASR Nederland N.V. manages its internal and external outsourcing in a controlled and effective manner. | NFR |
| 6 | ASR Nederland N.V. processes information safely (in accordance with availability, confidentiality and integrity requirements) and is cyber threat resilient. | NFR |
| 7 | ASR Nederland N.V. has controlled projects (in terms of timeliness, budget and/or quality). | NFR |
| 8a | ASR Nederland N.V. meets the legitimate expectations and interests of its stakeholders and puts customer interests first in its proposition. a.s.r. therefore offers products and services that are cost-efficient, useful, safe and understandable for customers, distribution partners, society and a.s.r. By acting with integrity, a.s.r.'s reputation is protected and strengthened. | NFR |
| 8b | ASR Nederland N.V. only wants to do business with relationships who are honest and reliable. a.s.r. therefore does not enter into or continue a business relationship with parties involved in crimes, socially undesirable acts and/or unethical behavior, including money laundering and terrorist financing. a.s.r. takes appropriate measures to guarantee its sound and controlled business operations and thus protect and strengthen its reputation. | NFR |
| 8c | ASR Nederland N.V. handles personal data with care, including those of its customers. a.s.r. processes personal data lawfully, fairly and transparently, taking into account the principles of purpose limitation, data minimization, accuracy and storage limitation and taking measures to ensure the integrity and confidentiality of personal data. By taking appropriate measures, a.s.r. maintains a sound and ethical operational management and thus protects and strengthens its reputation. | NFR |
| 9 | ASR Nederland N.V. has a minimum SCR ratio of 120%. | FR |
| 10 | ASR Nederland N.V. remains within the bandwidth of periodically reassessed market risk budgets. | FR |
| 11 | ASR Nederland N.V. has at least a single A rating and therefore holds an AA rating in accordance with the S&P Capital Model. | FR |
| 12 | ASR Nederland N.V. assesses the amount of dividend payments against the current and expected future solvency ratio and economic outlook. Dividend payments are in line with the conditions laid down in the capital and dividend policy of ASR Nederland N.V. | FR |
| 13 | ASR Nederland N.V. has a maximum financial leverage ratio of 40%. Financial leverage ratio = Debt / (Debt + Equity). | FR |
| 14 | ASR Nederland N.V. has a maximum double leverage ratio of 135%. Double leverage ratio = Total value of associates / (equity attributable to shareholders + hybrids and subordinated liabilities). | FR |
| 15 | ASR Nederland N.V. has a minimum interest coverage ratio of between 4 and 8. Interest coverage ratio = EBIT operational / interest expense. | FR |
| 16 | a. ASR Nederland N.V. (excluding Aegon entities) is capable of releasing liquidities worth up to 1 billion over a 1-month period following stress. b. ASR Nederland N.V. (excluding Aegon entities) remains capable of meeting its collateral requirements in the event of an (instant) increase of 3% interest rate. | FR |
| 17 | ASR Nederland N.V. generates a robust and high-quality operational ROE, i.e. pursues an overall ROE > 12% and seeks an ROE > 10% for individual investment decisions, where in exceptional cases an ROE > 8% is accepted. | FR |
| 18 | ASR Nederland N.V. (excl. ASR Ziektekosten) has a maximum combined ratio of 99%. | FR |
| 19 | ASR Nederland N.V. has a total SCR market risk which will be a maximum of 50% of the total risk. | |
| 20 | ASR Nederland N.V. maintains a moderate risk appetite for losses resulting from modelling incidents, including events such as flawed and/or inadequately documented methods, model design and development, assumptions and expert judgment; poor data quality; coding errors; inappropriate use of models; or misinterpretation of model results¹. | NFR |

Risk strategy aims to ensure that management decisions lead to a risk profile that remains within the risk limits. The risk strategy entails all processes for identifying, measuring and managing risks and opportunities. Through a combined top-down and bottom-up Strategic Risk Analysis (SRA) approach, the most important strategic risks are identified. The main strategic risks are translated into ‘risk priorities’ and ‘emerging risks’ at group level and are monitored throughout the year. Important changes in risk priorities and emerging risks are reported to the a.s.r. risk committee and the Audit & Risk Committee. Output from the SRA, combined with the risk appetite statements, provides insight into the strategic risk profile of a.s.r. and underlying legal entities. The entire risk profile is monitored in the relevant risk committees.

7.8.1.1.2 Risk governance

a.s.r.’s risk governance can be described by:

  • risk ownership;

  • the implemented three lines of defence model and associated (clear delimitation of) tasks and responsibilities of key function holders; and

  • the risk committee structure to ensure adequate decision making.

Risk ownership

The EB has the final responsibility for risk exposures and management within the organisation. Part of the responsibilities have been delegated to persons that manage the divisions where the actual risk-taking takes place. Risk owners are accountable for one or more risk exposures that are inextricably linked to the department or product line they are responsible for. Through the risk committee structure, risk owners provide accountability for the risk exposures.

Three lines of defence

The risk governance structure is based on the ‘three lines of defence’ model. The ‘three lines of defence’ model consists of three defence lines with different responsibilities with respect to the ownership of controlling risks. The model below provides insight into the organisation of the three lines of defence within a.s.r.

Positioning of key functions

Within the risk governance, the key functions (compliance, risk, actuarial and audit) are organised in accordance with Solvency II regulation. They play an important role as countervailing power of management in the decision-making process. The four key functions are independently positioned within a.s.r. In all the risk committees one or more key functions participate. The second line reports to the CRO, who is a member of the management board. All functions have direct communication lines with the EB and can escalate to the chairman of the Audit & Risk Committee of the SB. Furthermore, the key functions have regular meetings with the supervisors of the Dutch Central Bank (DNB) and / or The Dutch Authority for the Financial Markets (AFM).

Group Risk Management

GRM is responsible for the execution of the RM function (RMF) and the Actuarial Function (AF). The department is led by the RMF holder. At year-end GRM consists of the following four sub-departments:

  • Enterprise Risk Management;

  • Financial Risk Management;

  • Model Validation & Model Risk;

  • Methodology.

Enterprise Risk Management

Enterprise Risk Management (ERM) is responsible for second-line strategic and operational (including IT) RM and the enhancement of the risk awareness for a.s.r. and its subsidiaries. The responsibilities of ERM include the development of risk policies and procedures, the annual review and update of the risk strategy (risk appetite), the coordination of the SRA process leading to the risk priorities and emerging risks and ORSA scenarios and the monitoring of the non-financial risk profile. For the management of operational risks, a.s.r. has a solid Risk-Control framework in place that contributes to its long-term solidity. The quality of the framework is continuously enhanced by the analysis of operational incidents, periodic risk assessments and monitoring by the RMF. ERM actively promotes risk awareness at all levels to contribute to the vision of staying a socially relevant insurer.

Financial Risk Management

Financial Risk Management (FRM) is responsible for the second line financial RM and supports both the AF and RMF. An important task of FRM is to be the countervailing power to the EB and management in managing financial risks for a.s.r. and its subsidiaries. FRM assesses the accuracy and reliability of the market risk, counterparty risk, insurance risk and liquidity risk, risk margin and best estimate liability. As part of the AF, FRM reviews the technical provisions, monitors methodologies, assumptions and models used in these calculations, and assesses the adequacy and quality of data used in the calculations. Furthermore, the AF expresses an opinion on the underwriting policy and determines if risks related to the profitability of new products are sufficiently addressed in the product development process. The AF also expresses an opinion on the adequacy of reinsurance arrangements. Other responsibilities of financial RM are, for example, monitoring Solvency II compliance (e.g. changes in Solvency II regulation), updating policies on valuation and risk, activities related to the DNB, assessment of the ORSA (financial parts) and assessment of strategic initiatives.

Model Validation & Model Risk

Model Validation (MV) is responsible for performing validation activities or having them carried out in accordance with the drawn up annual model validation plan. MV is responsible for supervising compliance with the model validation policy, discussing and challenging the (draft) validation reports and advising the Model Committee. The MV is a separate sub-department within GRM. The MV is part of the RMF and operates independently of the AF.

Methodology

Methodology is responsible for establishing methodologies for PIM (Aegon and a.s.r. group) and Standard Formula (SF: Aegon entities).

Compliance

Compliance is responsible for the execution of the compliance function. An important task of Compliance is to be the countervailing power to the EB and other management in managing compliance risks for a.s.r. and its subsidiaries. The mission of the compliance function is to enhance and ensure a controlled and sound business operation.

As second line of defence, Compliance encourages the organisation to comply with relevant rules and regulations, ethical standards and the internal standards derived from them (‘rules’) by providing advice and formulating policies. Compliance supports the first line in the identification of compliance risks and assesses the effectiveness of RM on which Compliance reports to the relevant risk committees. In doing so, Compliance uses a compliance risk and monitoring framework. In line with RM, Compliance also creates further awareness to comply with the rules and desired ethical behavior. Compliance coordinates interaction with regulators in order to maintain effective and transparent relationships with those authorities.

Audit

The Audit department, the third line of defence, provides an independent opinion on governance, risk and management processes, with the goal of supporting the EB and other management of a.s.r. in achieving the corporate objectives. To that end, Audit evaluates the effectiveness of governance, risk and management processes, and provides pragmatic advice that can be implemented to further optimise these processes. In addition, senior management can engage Audit for specific advisory projects.

Risk committee structure

a.s.r. has established a structure of risk committees with the objective to monitor the risk profile for a.s.r. group, its legal entities and its business lines in order to ensure that it remains within the risk appetite and the underlying risk tolerances and risk limits. When triggers are hit or likely to be hit, risk committees make decisions regarding measures to be taken, being risk-mitigating measures or measures regarding governance, such as the frequency of their meetings. For each of the risk committees a statute is drawn up in which the tasks, composition and responsibilities of the committee are defined.

Risk committee structure

Audit & Risk Committee

The Audit & Risk Committee was established by the Supervisory Board to gain support, among other things, in the following matters:

  • Assessment of the risk appetite proposal and quarterly monitoring of the risk profile;

  • Assessment of the annual report, including the financial statements of a.s.r.;

  • The relationship with the independent external auditor, including the assessment of the quality and independence of the independent external auditor and the proposal by the SB to the AGM to appoint the independent external auditor;

  • The performance of the audit function, compliance function, the AF and the RMF;

  • Compliance with rules and regulations; and

  • The financial position.

The Audit & Risk Committee has four members of the SB, one of whom acts as the chairman.

a.s.r. risk committee

The a.s.r. risk committee monitors a.s.r.’s overall risk profile on a quarterly basis. At least annually, the a.s.r. risk committee determines the risk appetite statements, limits and targets for a.s.r. This relates to the overall a.s.r. risk appetite and the subdivision of risk appetite by financial and non-financial risks. The risk appetite is then submitted to the a.s.r. Audit & Risk Committee, which advises the SB on the approval of the risk appetite. The a.s.r. risk committee also monitors the progress made in managing risks included in the risk priorities and emerging risks of the EB.

All members of the MB participate in the a.s.r. risk committee, which is chaired by the CEO. The involvement of the EB ensures that risk decisions are being addressed at the appropriate level within the organisation. In addition to the EB, the Key Functions (Risk management, Compliance, Internal audit, Actuarial function) are members of the Committee.

Non-Financial Risk Committee

The Non-Financial Risk Committee (NFRC) discusses, advises and decides upon non-financial risk policies. The most relevant non-financial risk policies are approved by the a.s.r. risk committee. The NFRC monitors that non-financial risks of a.s.r. and the OTSOs are managed adequately and monitors that the risk profile stays within the agreed risk limits. If the risk profile exceeds the limits, the NFRC takes mitigating actions. The NFRC reports to the a.s.r. risk committee. The NFRC is chaired by a member of the EB. The NFRC discusses the most important risks from the underlying non-financial risk committees (Business Risk Committee (BRC) and, for Aegon, the Risk & Audit Committee (RAC)).

Financial Risk Committee

The Financial Risk Committee (FRC) discusses, advises and decides upon financial risk policies. The most relevant financial risk policies are approved by the a.s.r. risk committee. The FRC monitors that financial risks of a.s.r. and the OTSOs (excl. Aegon Life and Aegon Spaarkas) are managed adequately and monitors that the risk profile stays within the agreed risk limits. If the risk profile exceeds the limits, the NFR takes mitigating actions. The FRC reports to the a.s.r. risk committee. The Chairman of the FRC is the CFO.

Risk Capital Committee Aegon Life

The Risk Capital Committee (RCC) oversees Aegon Life's financial risks, capital and associated expected returns. The aim is to maintain a strong liquidity and capital position at Aegon Life NV, in support of the Aegon Life strategy. The RCC has the mandate to make decisions regarding the Partial Internal Model with an impact between 20 million and 200 million. The chairman of the RCC is the CFO.

Central Investment Committee

In addition to the risk committee structure, the Central Investment Committee (CIC) monitors tactical decisions and the execution of the investment policy. It takes investment decisions within the boundaries of the strategic asset allocation as agreed upon in the FRC. The CIC bears particular responsibility for investment decisions exceeding the mandate of the investment department. The CIC is chaired by the CFO.

Product Approval and Review Process Board

The Product Approval & Review Process Board (PARP Board) is responsible for the final decision-making process around the introduction of new products and adjustments in existing products. The committee evaluates if potential risks in newly developed products are sufficiently addressed. New products need to be developed in such a way that they are cost efficient, reliable, useful and secure for our clients. New products also need to have a strategic fit with a.s.r.’s mission to be a solid and trustful insurer. In addition, the risks of existing products are evaluated, as requested by the PARP as a result of product reviews. The PARP Board is chaired by the Managing Director of Services.

7.8.1.1.3 Systems and data

GRC tooling is implemented to support the RM process by giving guidance and insight into the key risk indicators, risk tolerance levels, boundaries and actions and remediation plans to mitigate risks. The availability, adequacy and quality of data and IT systems is important in order to ensure that correct figures are reported and risk mitigating measures can be taken in time. It is important to establish under which conditions the management information that is submitted to the risk committees has been prepared and which quality safeguards were applied in the process of creating this information. This allows the risk committees to ascertain whether the information is sufficient to base further decisions upon.

a.s.r. has a Data Governance and Quality policy in place to support the availability of correct management information. This policy is evaluated on an annual basis and revised at least every three years to keep the standards in line with the latest developments on information management. With the adoption of the Aegon partial internal model, a.s.r. explores the added value of implementing (part of) the Aegon Data Governance and Quality policy into its own framework. The quality of the information is reviewed based on the following aspects, based on Solvency II:

  • completeness (including documentation of accuracy of results)

  • adequacy

  • reliability

  • timeliness

Adherence to this policy is ensured by the three lines of defence risk governance model. With a Central Data Office and a Data Quality Improvement Programme, additional measures are taken to increase maturity in data management practices.

The preparatory body or department checks the assumptions made and the plausibility of the results and ensures coordination with relevant parties. When a preparatory body has established that the information is reliable and complete, it approves and formally submits the document(s) to a risk committee.

The information involved tends to be sensitive. To prevent unauthorised persons from accessing it, it is disseminated using a secure channel or protected files. a.s.r.’s information security policy contains guidelines in this respect.

a.s.r.’s information security policy is based on relevant laws and market standards, like ISO 2700x, COBIT 2019, NIST Cybersecurity framework, SOC2 principles, PCI DSS, COSO, BS 25999, ISO 31000, ITIL. These standards describe best practices for the implementation of information security.

There are technical solutions for accomplishing this: a layered approach (defence-in-depth) of technical measures is enforced to prevent unauthorised persons from compromising a.s.r. data and systems. Examples are methods of logical access management and intrusion detection techniques which, in combination with firewalls, are aimed at preventing hackers and other unauthorised persons from accessing information stored on a.s.r. systems. Nevertheless, confidential information can also have been committed to paper. On top of technical measures, a.s.r. has implemented physical measures and measures that help create the desired level of awareness among personnel as part of the information security environment. The resilience of these measures is actively tested.

When user-defined models (e.g. spreadsheets) are used for supporting the RM framework, the ‘a.s.r. Standard for End user computing’, in addition to the general information security policy, defines and describes best practices in order to guard the reliability and confidentiality of these tools and models. a.s.r. recognises the importance of sound data quality and information management systems.

The management of IT and data risks of the implemented tools, models and systems (including data) is part of the Operational IT RM.

7.8.1.1.4 Risk policies and procedures

a.s.r. has established guidelines, including policies that cover all main risk categories (market, counterparty default, liquidity, underwriting, strategic and operational). These policies address the accountabilities and responsibilities regarding management of the different risk types. Furthermore, the methodology for risk measurement is included in the policies. The content of the policies is aligned to create a consistent and complete set. The risk policy landscape is maintained by GRM and Compliance. These departments also monitor the proper implementation of the policies in the business. New risk policies or updates of existing risk policies are approved by the risk committees as mentioned previously. a.s.r. has drawn up an integrated policy calendar which includes all risk related documents. This guarantees that policies are drawn up and reassessed in a timely manner and that tasks and responsibilities are clear.

7.8.1.1.5 Risk culture

Risk awareness is a vital component of building a sound risk culture within a.s.r. that emphasises the human aspect in the management of risks. In addition to gaining sufficient knowledge, skills, capabilities and experience in RM, it is essential that an organisation enables objective and transparent risk reporting in order to manage risks more effectively.

The EB clearly recognises the importance of RM and is therefore represented in all of the major group level risk committees. Risk Management is involved in the strategic decision-making process, where the company’s risk appetite is always considered. The awareness of risks during decision-making is continually addressed when making business decisions, for example by discussing and reviewing risk scenarios and the positive and / or negative impact of risks before finalising decisions.

It is very important that this risk awareness trickles down to all parts of the organisation, and therefore management actively encourages personnel to be aware of risks during their tasks and projects, in order to avoid risks or mitigate them when required. The execution of risk analyses is embedded in daily business in, for example, projects, product design and outsourcing.

In doing so, a.s.r. aims to create a solid risk culture in which ethical values, desired behaviours and understanding of risk in the entity are fully embedded. Integrity is of the utmost importance at a.s.r.: this is translated into a code of conduct and strict application policies for new and existing personnel, such as taking an oath or solemn affirmation when entering the company, and the ‘fit and proper’ aspect of the Solvency II regulation, ensuring that a.s.r. is overseen and managed in a professional manner.

Furthermore, a.s.r. believes it is important that a culture is created in which risks can be discussed openly, where risks are not merely perceived to be negative and where it is highlighted that risks can also present a.s.r. with opportunities. Risk Management (both centralised and decentralised) and Compliance are positioned in such a way that they can communicate and report on risks independently and transparently, which also contributes to creating a proper risk culture.

7.8.1.1.6 Risk management process

The RM process typically comprises five important steps: 1) identifying; 2) measuring; 3) managing; 4) monitoring and reporting; and 5) evaluating¹. a.s.r. has defined a procedure for performing risk analyses and standards for specific assessments. The five different steps are explained in this chapter.

Identifying

Management should endeavour to identify all possible risks that may impact the strategic, tactical and operational objectives of a.s.r., ranging from the larger and / or more significant risks posed to the overall business, down to the smaller risks associated with individual projects or smaller business lines. Risk identification comprises the process of identifying and describing risk sources, events, and the causes and effects of those events.

Measuring

After risks have been identified, quantitative or qualitative assessments of these risks take place to estimate the likelihood and impact associated with them. Methods applicable to the assessment of risks are:

  • Sensitivity analysis

  • Stress testing

  • Scenario analysis

  • Expert judgments (regarding likelihood and impact)

  • Portfolio analysis

Managing

Typically, there are four strategies to managing risk:

  • Accept: risk acceptance means accepting that a risk might have consequences, without taking any further mitigating measures.

  • Avoid: risk avoidance is the elimination of activities that cause the risk.

  • Transfer: risk transference is transferring the impact of the risk to a third party.

  • Mitigate: risk mitigation involves the mitigation of the risk likelihood and / or impact.

RM strategies are chosen in a way that ensures that a.s.r. remains within the risk appetite tolerance levels and limits.

Monitoring and reporting

The risk identification process is not a continuous exercise. Therefore, risk monitoring and reporting are required to capture changes in environments and conditions. This also means that RM strategies could, or perhaps should, be adapted in accordance with risk appetite tolerance levels and limits.

Evaluating

The evaluation step is twofold. On the one hand, evaluation means risk exposures are evaluated against risk appetite tolerance levels and limits, taking (the effectiveness of) existing mitigation measures into account. The outcome of the evaluation could lead to a decision regarding further mitigating measures or changes in RM strategies. On the other hand, the RM framework (including the risk management processes) is evaluated by the RM function, in order to continuously improve the effectiveness of the RM framework as a whole.

7.8.1.2 a.s.r.’s risk categories

a.s.r. is exposed to a variety of risks. Aegon life and Aegon spaarkas use a Partial Internal Model (PIM). The risk universe of Aegon life and Aegon spaarkas is therefore different and captures all material risks that the company is exposed to. The emerging risk process ensures that the risk universe will remain up to date. An overview of Aegon life and Aegon spaarkas risk universe is provided below.

Risk universe

For the other insurance entities there are six main risk categories that a.s.r. recognises, as described below. In addition, a.s.r. recognises sustainability risks arising from environmental, social or governance (ESG) events or conditions. These risks can be financial and non-financial and can be both strategic and operational. This means that all six main risk categories that a.s.r. recognises can be affected by sustainability risks. In chapter 2.5.3 Environmental, social and governance of the annual report, a.s.r. briefly describes how a.s.r. identifies, measures and manages climate risks and opportunities for its business.

Insurance risk

Insurance risk is the risk that premium and / or investment income or outstanding reserves will not be sufficient to cover current or future payment obligations, due to the application of inaccurate technical or other assumptions and principles when developing and pricing products. a.s.r. recognises the following insurance risks:

  • Life insurance risk

  • Health insurance risk

  • Non-life insurance risk

Market risk

The risk of changes in values caused by market prices or volatility of market prices differing from their expected values. The following types of market risk are distinguished:

  • Interest rate risk

  • Equity risk

  • Property risk

  • Spread risk

  • Currency risk

  • Concentration risk / market concentration risk

Counterparty default risk

Counterparty default risk is the risk of losses due to the unexpected failure to pay or credit rating downgrade of counterparties and debtors. Counterparty default risk exists in respect of the following counterparties:

  • Reinsurers

  • Consumers

  • Intermediaries

  • Counterparties that offer cash facilities

  • Counterparties with which derivatives contracts have been concluded

  • Healthcare providers

  • Zorginstituut Nederland

Liquidity risk

Liquidity risk is the risk that a.s.r. is not able to meet its financial obligations to policyholders and other creditors when they become due and payable, at a reasonable cost and in a timely manner.

Operational risk

Operational risk is the risk of losses caused by weak or failing internal procedures, weaknesses in the action taken by personnel, weaknesses in systems or because of external events. The following subcategories of operational risk are used:

  • Sustainability

  • Business process

  • Financial reporting

  • Outsourcing

  • Information technology

  • Project risks

Strategic risk

Strategic risk is the risk of a.s.r. or its business lines failing to achieve the objectives due to incorrect decision-making, incorrect implementation and / or an inadequate response to changes in the environment. Such changes may arise in the following areas:

  • Macro-economic

  • Geopolitical instability

  • Climate change and energy transition

  • Cyber and information security

  • Regulation

  • Biodiversity

  • Social tensions

  • Pandemics

Strategic risk may arise due to a mismatch between two or more of the following components: the objectives (resulting from the strategy), the resources used to achieve the objectives, the quality of implementation, the economic climate and / or the market in which a.s.r. and / or its business lines operate.

7.8.1.3 Climate change

In addition to the six main categories, a.s.r. recognises sustainability risks arising from environmental, social or governance (ESG) events or conditions. These risks can be financial and non-financial and can be both strategic and operational. This means that all six main risk categories that a.s.r. recognises can be affected by sustainability risks.  

Climate-related risks are divided into physical, transition and reputational risks. Physical risks arise from more frequent and severe climate events. Physical risks can be acute, such as extreme weather events, or chronic when they arise from gradual changes such as water shortages or rising temperatures. Transition risks result from the process of adjustment towards a climate-neutral society. The failure to appropriately address these adjustments can result in reputational risk.

Technical provisions

The net impact of climate change on the current Solvency II Technical Provisions or SCR estimation is considered to be limited. A qualitative assessment was performed in 2022 by the Actuarial Function and discussed with the business lines. For the Life and Pension business the impact of climate change on life expectancy is considered to be limited. Increased inflation caused by social or geopolitical factors is adequately valued in the liabilities. The Non-life business is characterised by a short contract boundary; most premiums can therefore be adjusted yearly to the gradual impact of climate change.

The Group Business Actuary performed a portfolio assessment of the impact of sustainability factors (ESG). Based on the portfolio characteristics and product features, the potential adverse effect on the value of liabilities has been assessed. In addition, an assessment of the impact of sustainability factors on the prudential risks was finalised in 2023. These analyses confirm the limited net impact.

The Actuarial Function pays continuous attention to developments in ESG risks and the potential impact on the technical liabilities, the reinsurance contracts, and pricing and underwriting policies. In 2023 the double materiality assessment was conducted, including the financial materiality assessment (see chapter 6.1.1.1). The Aegon portfolios were also included in the update of the assessment at the end of 2023. The double materiality assessment did not result in different conclusions regarding the scope of the Actuarial Function.

Based on the assessments, a.s.r. does not consider ESG to have an impact on the method or results of current Solvency II Technical Provisions or SCR estimation. The ESG risks are expected to be within the limits of the Solvency II Capital Requirement. This conclusion is applicable to both the a.s.r. and Aegon portfolios.

Reference is made to chapter 6.2.1.3 for more information on how a.s.r. identifies, measures and manages climate risks and opportunities for its business.

Risk assessments

Transition risks apply in particular to investments and financing. The scenario analysis for transition risks is performed by considering the proposal from the Strategic Asset Allocation (SAA) 2023 under three climate scenarios. The dynamically managed market risk budgets are resilient to the climate impact with regard to the development of the SII ratio over the coming 20 years.

The ORSA assesses the overall solvency needs of a.s.r. in the context of the strategic plans, making allowance for the current and expected solvency positions, the risk appetite and solvency targets. Physical risks are mainly associated with the Non-life portfolio and adequately priced in the products. Physical risks (a major storm and major flood) are assessed in the ORSA combined business scenarios for the Non-life portfolio. Within life and health insurance, the impact is mainly in the longer term and not quantified in the standard ORSA horizon of 5 years. Therefore, a.s.r. introduced a climate scenario with a horizon of 10 years in the ORSA 2023. The starting point for this climate scenario is the failed transition, which is the most negative scenario from the SAA study. In addition, a.s.r. Real estate, Non-Life, Health and Disability are exposed to physical climate risk.

As part of the CSRD project, a.s.r. performed the double materiality assessment in 2023. This assessment led to the identification of material sustainability topics that will be included in future sustainability reporting.

Overall, climate risks as a result of climate change and the energy transition are incorporated into a.s.r.’s risk appetite and are part of the regular risk management processes such as the annual group-wide SRA process. The risk appetite has been strengthened in 2023 by adding sufficient management of the sustainability risks. Material climate risks identified in the SRA process, including storms and floods, are incorporated into the scenario analysis of the Own Risk and Solvency Assessment (ORSA) and quantified by the business actuary teams.

  • ¹ Based on COSO ERM and ISO 31000.