It is of great importance to a.s.r. that risks within all business segments are controlled adequately and in a timely manner. To this end, a.s.r. has implemented an RM framework based on internationally recognised and accepted standards (such as COSO ERM and ISO 31000 RM principles and guidelines). Using this framework, material risks that a.s.r. is, or can be, exposed to are identified, measured, managed, monitored, reported and evaluated. The RM framework is applicable to both a.s.r. group and the underlying (legal) business entities.
7.8.1.1 Risk Management Framework
The figure shows the RM framework as applied by a.s.r.
[Figure: Risk Management framework]
The RM framework consists of risk strategy (including risk appetite), risk governance, systems and data, risk policies and procedures, risk culture, and RM process. The RM framework contributes to achieving the strategic, tactical and operational objectives as set out by a.s.r. The overall effectiveness of the RM framework is evaluated as part of the regular internal review of the system of governance.
Risk strategy (incl. risk appetite)
Risk strategy is defined to contain at least the following elements:
Strategic, tactical and operational objectives that are pursued;
The risk appetite in pursuit of those strategic, tactical and operational objectives.
a.s.r.’s risk strategy aims to ensure that decisions are made within the boundaries of the risk appetite, as stipulated annually by the EB and the MB (see chapter Risk strategy and risk appetite).
Risk governance
Risk governance can be seen as the way in which risks are managed, through a sound risk governance structure and clear tasks and responsibilities, including risk ownership. a.s.r. employs a risk governance framework that entails the tasks and responsibilities of the Risk Management organisation and the structure of the Risk committees (see chapter Risk governance).
Systems and data
Systems and data support the RM process and provide management information to the risk committees and other relevant bodies. a.s.r. finds it very important to have qualitatively adequate data, models and systems in place, in order to be able to report and steer correct figures and to apply risk-mitigating measures timely. To ensure this, a.s.r. has designed a policy for data quality and model validation in line with Solvency II. Tools, models and systems are implemented to support the RM process by giving guidance to and insights into the key risk indicators, risk tolerance levels, boundaries and actions, and remediation plans to mitigate risks (see chapter Systems and data).
Risk policies and procedures
Risk policies and procedures are part of the a.s.r. policy house. Policy documents are submitted for approval to the relevant (risk) committee in accordance with the applicable governance. Policies are evaluated annually, tested against internal and external market developments, and changes in laws and regulations, and updated as necessary in accordance with the governance defined in the policy.
Each risk policy must include at least:
The scope within a.s.r. to which the policy applies.
A demonstrable and consistent link with relevant laws and regulations and/or strategy.
Key requirements to achieve the policy’s objectives.
The risk categories to which the policy line applies.
Description of the method for controlling the risk.
Specific risk tolerances and limits within the relevant risk categories in accordance with the risk appetite statements.
The frequency and content of regular stress tests and the circumstances that would justify ad-hoc stress tests.
The processes and reporting procedures applied.
Exceptions and Escalations.
The classification of risks within a.s.r. is performed in line with, but is not limited to, the Solvency II risks. Each risk category consists of one or more policies or procedures that explicate how risks are identified, measured and controlled within a.s.r. (see chapter Risk policies and procedures).
Risk culture
An effective risk culture is one that enables and rewards individuals and groups for taking risks in an informed manner. It is a term describing the values, beliefs, knowledge, attitudes and understanding about risk. All the elements of the RM framework combined make an effective risk culture.
Within a.s.r. risk culture is an important element that emphasises the human side of Risk Management. The MB has a distinguished role in expressing the appropriate norms and values (tone at the top). a.s.r. employs several measures to increase the risk awareness and, in doing so, the risk culture (see chapter Risk culture).
Risk management process
The RM process contains all activities within the RM processes to structurally 1) identify risks; 2) measure risks; 3) manage risks; 4) monitor and report on risks; and 5) evaluate the risk profile and RM framework. At a.s.r., the RM process is used to implement the risk strategy in the steps mentioned. These five steps are applicable to the risks within the company to be managed effectively (see chapter Risk Management process).
Based on the integration of Aegon NL, the beneficial elements from Aegon’s Risk Management (RM) framework are incorporated into the a.s.r. RM framework. The main developments in 2024 include the integration and refinement of risk appetite, risk management policies and procedures, control frameworks and reports, as well as the redesign and standardisation of the Governance, Risk, and Compliance (GRC) tooling Cerrix.
7.8.1.1.1 Risk management strategy and risk appetite
a.s.r.’s risk strategy aims to ensure that decisions are made within the boundaries of the risk appetite, as stipulated annually by the EB and the MB.
Risk appetite is defined as the level and type of risk a.s.r. is willing to bear in order to meet its strategic, tactical and operational objectives. The risk appetite is formulated to give direction to the management of the (strategic) risks. The risk appetite contains a number of qualitative and quantitative risk appetite statements and is defined for both financial (FR) and non-financial risks (NFR). The statements highlight the risk preferences and limits of the organisation and are viewed as key elements for the realisation of the strategy. The statements and limits are defined at both group level and at legal entity level and are determined by the a.s.r. risk committee and approved by the SB.
The statements are evaluated yearly to maintain alignment with the strategy. Since 2024, we have adopted a new, more detailed taxonomy for non-financial risks consisting of two levels. This means that in each risk report, risk colours are assigned to both level 1 risks and level 2 risks. The risk taxonomy at level 1 has remained largely the same, however the number of risk categories at this level (generic level) has changed from 8 to 6. The risk categories "Sustainability" and "Outsourcing" have been moved to level 2. The level 2 risk categories have been introduced. This second level provides more depth and substantiation of the ‘main categories’ (19 risks in total).
The NFR statements have not changed compared to 2023. The year 2024 focused on data collection and reporting of non-financial risks according to the new taxonomy. FR statements have not been changed at a.s.r. group level.
No. | Risk appetite statement | Type (NFR/FR) |
---|---|---|
1a | ASR Nederland N.V. places long-term value creation at the forefront of its (strategic) operations and ensures that all stakeholders’ interests (customer, society, employee, investors) are met in a balanced and sustainable way. | NFR |
1b | ASR Nederland N.V. acts in accordance with the a.s.r. sustainability objectives and sufficiently manages its sustainability risks. | NFR |
1c | ASR Nederland N.V. provides customers with a digital environment that handles matters easily and quickly, whereby the customer data quality is in order. | NFR |
2a | ASR Nederland N.V. has effective and controlled (business) processes. | NFR |
2b | ASR Nederland N.V. manages its internal and external outsourcing in a controlled and effective manner. | NFR |
3 | ASR Nederland N.V. processes information safely (in accordance with availability, confidentiality and integrity requirements) and is cyber threat resilient. | NFR |
4 | ASR Nederland N.V. has controlled projects (in terms of timeliness, budget and/or quality). | NFR |
5a | ASR Nederland N.V. has reliable financial reports, whereby IFRS and Solvency II data quality is in order. | NFR |
5b | ASR Nederland N.V. maintains a moderate risk appetite for losses resulting from modelling incidents, including events such as flawed and/or inadequately documented methods, model design and development, assumptions and expert judgment; poor data quality; coding errors; inappropriate use of models; or misinterpretation of model results. | NFR |
6a | ASR Nederland N.V. meets the legitimate expectations and interests of its stakeholders and puts customer interests first in its proposition. a.s.r. therefore offers products and services that are cost-efficient, useful, safe and understandable for customers, distribution partners, society and a.s.r. By acting with integrity, a.s.r.'s reputation is protected and strengthened. | NFR |
6b | ASR Nederland N.V. only wants to do business with relationships who are honest and reliable. a.s.r. therefore does not enter into or continue a business relationship with parties involved in crimes, socially undesirable acts and/or unethical behavior, including money laundering and terrorist financing. a.s.r. takes appropriate measures to guarantee its sound and controlled business operations and thus protect and strengthen its reputation. | NFR |
6c | ASR Nederland N.V. handles personal data with care, including those of its customers. a.s.r. processes personal data lawfully, fairly and transparently, taking into account the principles of purpose limitation, data minimization, accuracy and storage limitation and taking measures to ensure the integrity and confidentiality of personal data. By taking appropriate measures, a.s.r. maintains a sound and ethical operational management and thus protects and strengthens its reputation. | NFR |
7 | ASR Nederland N.V. has a minimum SCR ratio of 120%. | FR |
8 | ASR Nederland N.V. remains within the bandwidth of periodically reassessed market risk budgets. | FR |
9 | ASR Nederland N.V. has at least a single A rating and therefore holds an AA rating in accordance with the S&P Capital Model. | FR |
10 | ASR Nederland N.V. assesses the amount of dividend payments against the current and expected future solvency ratio and economic outlook. Dividend payments are in line with the conditions laid down in the capital and dividend policy of ASR Nederland N.V. | FR |
11 | ASR Nederland N.V. has a maximum financial leverage ratio of 40%. Financial leverage ratio = Debt / (Debt + Equity). | FR |
12 | ASR Nederland N.V. has a maximum double leverage ratio of 135%. Double leverage ratio = Total value of associates / (equity attributable to shareholders + hybrids and subordinated liabilities). | FR |
13 | ASR Nederland N.V. has a minimum interest coverage ratio of 4. Interest coverage ratio = EBIT operational / interest expense. | FR |
14 | a. ASR Nederland N.V. is capable of releasing liquidities worth up to € 2 billion over a 1-month period following stress. b. ASR Nederland N.V. remains capable of meeting its collateral requirements in the event of an (instant) increase of 3% interest rate. | FR |
15 | ASR Nederland N.V. generates a robust and high-quality operational ROE, i.e. pursues an overall ROE > 12% and seeks an ROE > 10% for individual investment decisions, where in exceptional cases an ROE > 8% is accepted. | FR |
16 | ASR Nederland N.V. (excl. ASR Ziektekosten) has a maximum combined ratio of 99%. The management target is 96%. | FR |
17 | ASR Nederland N.V. has a total SCR market risk which will be a maximum of 50% of the total risk. | FR |
7.8.1.1.2 Risk governance
a.s.r.’s risk governance can be described by:
risk ownership;
the implemented three lines model and associated (clear delimitation of) tasks and responsibilities of key function holders; and
the risk committee structure to ensure adequate decision making.
Risk ownership
The EB has the final responsibility for risk exposures and management within the organisation. Part of the responsibilities have been delegated to persons that manage the divisions where the actual risk-taking takes place. Risk owners are accountable for one or more risk exposures that are inextricably linked to the department or product line they are responsible for. Through the risk committee structure, risk owners provide accountability for the risk exposures.
Three lines model
The risk governance structure is based on the ‘three lines’ model. The three lines model consists of three lines with different responsibilities with respect to the ownership of controlling risks. The table below provides insight in the organisation of the three lines model within a.s.r.

Positioning of key functions
Within the risk governance, the key functions (compliance, risk, actuarial and audit) are organised in accordance with Solvency II regulation. They play an important role as countervailing power of management in the decision-making process. The four key functions are independently positioned within a.s.r. In all the risk committees one or more key functions participate. The second line reports to the CRO, who is a member of the management board. All key functions have direct communication lines with the EB and can escalate to the chairman of the Audit & Risk Committee of the SB. Furthermore, the key functions have regular meetings with the supervisors of the Dutch Central Bank (DNB) and/or the Dutch Authority for the Financial Markets (AFM).
Group Risk Management
GRM is responsible for the execution of the RM function (RMF) and the Actuarial Function (AF). The department is led by the RMF holder. At year-end GRM consists of the following four sub-departments:
Operational Risk Management;
Financial Risk Management;
Model Validation;
Methodology.
Operational Risk Management
Operational Risk Management (ORM) is responsible for second-line strategic and operational (including IT) RM and the enhancement of the risk awareness for a.s.r. and its subsidiaries. The responsibilities of ORM include the development of risk policies and procedures, the annual review and update of the risk strategy (risk appetite), the coordination of the SRA process leading to the risk priorities and emerging risks and Own Risk and Solvency Assessment (hereafter: ORSA) scenarios and the monitoring of the non-financial risk profile. For the management of operational risks, a.s.r. has a solid Risk-Control framework in place that contributes to its long-term solidity. The quality of the framework is continuously enhanced by the analysis of operational incidents, periodic risk assessments and monitoring by the RMF. ORM actively promotes risk awareness at all levels to contribute to the vision of staying a socially relevant insurer.
Financial Risk Management
Financial Risk Management (FRM) is responsible for the second line financial RM and supports both the AF and RMF. An important task of FRM is to be the countervailing power to the EB and management in managing financial risks for a.s.r. and its subsidiaries. FRM assesses the accuracy and reliability of the market risk, counterparty risk, insurance risk and liquidity risk, risk margin and best estimate liability. As part of the AF, FRM reviews the technical provisions, monitors methodologies, assumptions and models used in these calculations, and assesses the adequacy and quality of data used in the calculations. Furthermore, the AF expresses an opinion on the underwriting policy and determines if risks related to the profitability of new products are sufficiently addressed in the product development process. The AF also expresses an opinion on the adequacy of reinsurance arrangements. Other responsibilities of financial RM include, for example, supporting the monitoring of Solvency II compliance (e.g. changes in Solvency II regulation), updating policies on valuation and risk, activities related to the DNB, assessment of the ORSA (financial parts) and assessment of strategic initiatives.
Model Validation
Model Validation (MV) is responsible for performing validation activities, or having them carried out, in accordance with the annual model validation plan. MV is responsible for supervising compliance with the model validation policy, discussing and challenging the (draft) validation reports and advising the Model Committee. MV is a separate sub-department within GRM. MV is part of the RMF and operates independently of the AF.
Methodology
Methodology is responsible for establishing methodologies for Partial Internal Model (hereafter: PIM). The Methodology department is responsible for setting up the internal model, including documentation and maintenance of the documentation. It also handles continuous education by: (1) updating training materials; (2) providing training sessions; (3) assessing the suitability of training levels. Additionally, it analyses the functioning of the internal model, periodically calibrates the internal model parameters, monitors the suitability of the internal model, and conducts annual comparisons of PIM and SF results.
Compliance
The responsibilities of Compliance include the development of compliance policies and procedures, the annual review and update of the compliance risk strategy (risk appetite) and the monitoring of the non-financial risk profile concerning compliance risks. An important task of Compliance is to be the countervailing power to the EB and other management in managing compliance risks for a.s.r. and its subsidiaries. The mission of the compliance function is to enhance and ensure a controlled and sound business operation.
As second line, Compliance encourages the organisation to comply with relevant rules and regulations, ethical standards and the internal standards derived from them (‘rules’) by providing advice and formulating policies. Compliance supports the first line in the identification of compliance risks and assesses the effectiveness of RM on which Compliance reports to the relevant risk committees. In doing so, Compliance uses a compliance risk and monitoring framework. In line with RM, Compliance also creates further awareness to comply with the rules and desired ethical behaviour. Compliance coordinates interaction with regulators in order to maintain effective and transparent relationships with those authorities.
Audit
The Audit department, the third line, provides an independent opinion on governance, risk and management processes, with the goal of supporting the EB and other management of a.s.r. in achieving the corporate objectives. To that end, Audit evaluates the effectiveness of governance, risk and management processes, and provides pragmatic advice that can be implemented to further optimise these processes. In addition, senior management can engage Audit for specific advisory projects.
Risk committee structure
a.s.r. has established a structure of risk committees with the objective to monitor the risk profile for a.s.r. group, its legal entities and its business lines in order to ensure that it remains within the risk appetite and the underlying risk tolerances and risk limits. When triggers are hit or likely to be hit, risk committees make decisions regarding measures to be taken, being risk-mitigating measures or measures regarding governance, such as the frequency of their meetings. For each of the risk committees a statute is drawn up in which the tasks, composition and responsibilities of the committee are defined. In the first half of 2024 the committee structure was further rationalised, which led to the elimination of the separate committees for Aegon entities.
Audit & Risk Committee
The Audit & Risk Committee was established by the Supervisory Board to gain support, among other things, in the following matters:
Assessment of the risk appetite proposal and quarterly monitoring of the risk profile;
Assessment of the annual report, including the financial statements of a.s.r.;
The relationship with the independent external auditor, including the assessment of the quality and independence of the independent external auditor and the proposal by the SB to the AGM to appoint the independent external auditor;
The performance of the audit function, compliance function, the AF and the RMF;
Compliance with rules and regulations; and
The financial position.
The Audit & Risk Committee has four members of the SB, one of whom acts as the chairman.
a.s.r. risk committee
The a.s.r. risk committee monitors a.s.r.’s overall risk profile on a quarterly basis. At least annually, the a.s.r. risk committee determines the risk appetite statements, limits and targets for a.s.r. This relates to the overall a.s.r. risk appetite and the subdivision of risk appetite by financial and non-financial risks. The risk appetite is then submitted to the a.s.r. Audit & Risk Committee, which advises the SB on the approval of the risk appetite. The a.s.r. risk committee also monitors the progress made in managing risks included in the risk priorities and emerging risks of the EB.
All members of the MB participate in the a.s.r. risk committee, which is chaired by the CEO. The involvement of the EB ensures that risk decisions are being addressed at the appropriate level within the organisation. In addition to the EB, the Key Functions (Risk management, Compliance, Internal audit, Actuarial function) are members of the Committee.
Non-Financial Risk Committee
The Non-Financial Risk Committee (NFRC) discusses, advises and decides upon non-financial risk policies and procedures. The most relevant non-financial risk policies are approved by the a.s.r. risk committee. The NFRC monitors a.s.r.’s overall non-financial risk profile, in particular whether non-financial risks of a.s.r. and the business entities are managed adequately and whether the risk profile stays within the agreed risk limits. If the risk profile exceeds the limits, the NFRC takes mitigating actions. The NFRC reports to the a.s.r. risk committee. The NFRC is chaired by a member of the EB. The NFRC discusses the most important risks from the underlying non-financial risk committees (Business Risk Committee (BRC)).
Financial Risk Committee
The Financial Risk Committee (FRC) discusses, advises and decides upon financial risk policies. The most relevant financial risk policies are approved by the a.s.r. risk committee. The FRC monitors that financial risks of a.s.r. and the business entities are managed adequately and monitors that the risk profile stays within the agreed risk limits. If the risk profile exceeds the limits, the NFR takes mitigating actions. The FRC reports to the a.s.r. risk committee. The Chairman of the FRC is the CFO. In mid-2024, the committee structure was further rationalised. The FRC now oversees the financial risk for all entities, leading to the dissolution of the separate committees for Aegon entities.
Credit and Participation Committee Distribution & Services
In the Credit and Participation Committee Distribution & Services (hereafter: CPC D&S), acquisition, credit, and combined participation and credit proposals (D&S proposals) within the scope of the Distribution and Services segment of a.s.r. (D&S segment) are assessed. The CPC D&S is authorised to decide on proposals with a total investment between € 2 million and € 7.5 million. The management of D&S is independently authorised for decisions up to € 2 million. Decisions on proposals above € 7.5 million are reserved for the Board of Directors, with advice from the CPC D&S. The chair of the CPC D&S is the CFO of a.s.r.
Product Approval and Review Process Board
The Product Approval & Review Process Board (PARP Board) is responsible for the final decision-making process around the introduction of new products and adjustments in existing products. The committee evaluates if potential risks in newly developed products are sufficiently addressed. New products need to be developed in such a way that they are cost efficient, reliable, useful and secure for our clients. New products also need to have a strategic fit with a.s.r.’s mission to be a solid and trustful insurer. In addition, the risks of existing products are evaluated, as requested by the PARP as a result of product reviews. The PARP Board is chaired by the managing Director of Services.
Sustainability Committee
The Sustainability Committee (hereafter: SC) aims to review and advise on central and decentralised draft policies related to sustainability before these policies are submitted for approval to the Board of Directors or the competent committee. Additionally, dilemmas, complications, and conflicting interests in the field of sustainability (including ESG and CDD/KYC) that arise at a.s.r. and/or one of the (sub)committees are discussed. The chair of the SC is the Director of Communications.
Central Investment Committee
In addition to the risk committee structure, the Central Investment Committee (CIC) monitors tactical decisions and the execution of the investment policy. It takes investment decisions within the boundaries of the strategic asset allocation as agreed upon in the FRC. The CIC bears particular responsibility for investment decisions exceeding the mandate of the investment department. The CIC is chaired by the CFO.
7.8.1.1.3 Systems and data
GRC tooling is implemented to support the RM process by giving guidance and insight into the key risk indicators, risk tolerance levels, boundaries and actions and remediation plans to mitigate risks. The availability, adequacy and quality of data and IT systems is important in order to ensure that correct figures are reported and risk mitigating measures can be taken in time. It is important to establish under which conditions the management information that is submitted to the risk committees has been prepared and which quality safeguards were applied in the process of creating this information. This allows the risk committees to ascertain whether the information is sufficient to base further decisions upon.
a.s.r. has a Data Quality policy in place to support the availability of correct management information. This policy is evaluated on an annual basis and revised at least every three years to keep the standards in line with the latest developments on information management. The quality of the information is reviewed based on the following aspects, based on Solvency II:
completeness (including documentation of accuracy of results)
adequacy
reliability
timeliness
Adherence to this policy is ensured by the three lines model. With a Central Data Office, additional measures are taken to increase maturity in data management practices.
The data risk governance and committee structure in place ensures that ownership and decision making regarding assumptions and the plausibility of the results is effectively organised.
The information involved tends to be sensitive. To prevent unauthorised persons from accessing it, it is disseminated using a secure channel or protected files. a.s.r.’s information security policy contains guidelines in this respect.
a.s.r.’s information security policy is based on relevant laws and market standards, such as ISO 2700x, COBIT 2019, the NIST Cybersecurity Framework, SOC2 principles, PCI DSS, COSO, BS 25999, ISO 31000 and ITIL. These standards describe best practices for the implementation of information security. For the Digital Operational Resilience Act (hereafter: DORA), important changes in 2024 per DORA pillar are:
ICT Risk Management: a strengthened, centralised, and top-down approach has been adopted through an IT Risk Framework for ICT governance and risk management. Best practice controls are now mandatory and implemented via comply-or-explain principles.
Incident Management: IT incident monitoring has been intensified with a new process to promptly notify and report major DORA incidents to regulators. There is now more focus on business continuity rather than solely IT continuity.
Digital Resilience: focus on the critical and important business functions, with controls formalised or adjusted as necessary to comply with DORA.
Management of Third-Party Risk: concentration risks and critical suppliers have been identified. Reporting has been improved, and a processing register along with mandatory reporting templates have been implemented. Where necessary, contracts with third-party suppliers have been revised.
ICT Information Sharing: information exchange between a.s.r., other financial institutions, and regulators has been improved, with active contributions to collaborations.
From 2025, a.s.r. meets the DORA regulations, and DORA will be part of a.s.r.'s information security policy.
There are technical solutions for accomplishing this, by enforcing a layered approach (defence-in-depth) of technical measures to prevent unauthorised persons from compromising a.s.r. data and systems. In this respect, one may think of logical access management and intrusion detection techniques which, in combination with firewalls, are aimed at preventing hackers and other unauthorised persons from accessing information stored on a.s.r. systems. Nevertheless, confidential information may also have been committed to paper. On top of technical measures, a.s.r. has implemented physical measures and measures that help create the desired level of awareness among personnel as part of the information security environment. The resilience of these measures is actively tested.
When user defined models (e.g. spreadsheets) are used for supporting the RM framework, the ‘a.s.r. Standard for End user computing’ defines and describes best practices in order to guard the reliability and confidentiality of these tools and models. a.s.r. recognises the importance of sound data quality and information management systems.
The management of IT and data risks of the implemented tools, models and systems (including data) is part of the Operational (IT) RM.
7.8.1.1.4 Risk policies and procedures
a.s.r. has established guidelines, including policies that cover all main risk categories (market, counterparty default, liquidity, underwriting, strategic and operational). These policies address the accountabilities and responsibilities regarding management of the different risk types. Furthermore, the methodology for risk measurement is included in the policies. The content of the policies is aligned to create a consistent and complete set. GRM maintains the risk policies, Compliance maintains the compliance policies and both GRM and Compliance monitor the proper implementation in the business. New risk policies or updates of existing risk policies are approved by the risk committees as mentioned previously. a.s.r. has drawn up an integrated policy calendar which includes all risk related documents. This guarantees that policies are drawn up and reassessed in a timely manner and that tasks and responsibilities are clear.
a.s.r. employees gain risk management knowledge and skills through the implementation of risk management policies, procedures and practices and the execution and testing of controls within business processes for sound and controlled business operations. Training courses that cover the main risk-related topics, presentations, workshops, gamification and the use of governance, risk & compliance tooling also contribute to this. Courses include, for example, sustainability risk, specifically ESG factors, to better understand and identify material risks. In addition, risk management employees keep their knowledge and skills up to date through training courses (including in the context of permanent education) that cover specific risk-related topics.
7.8.1.1.5 Risk culture
Risk awareness is a vital component of building a sound risk culture within a.s.r. that emphasises the human aspect in the management of risks. In addition to gaining sufficient knowledge, skills, capabilities and experience in RM, it is essential that an organisation enables objective and transparent risk reporting in order to manage them more effectively.
The MB clearly recognises the importance of RM and is therefore represented in all of the major group level risk committees. Risk Management is involved in the strategic decision-making process, where the company’s risk appetite is always considered. The awareness of risks during decision-making is continually addressed when making business decisions, for example by discussing and reviewing risk scenarios and the positive and / or negative impact of risks before finalising decisions.
It is very important that this risk awareness trickles down to all parts of the organisation, and therefore management actively encourages personnel to be aware of risks during their tasks and projects, in order to avoid risks or mitigate them when required. The execution of risk analyses is embedded in daily business in, for example, projects, product design and outsourcing.
In doing so, a.s.r. aims to create a solid risk culture in which ethical values, desired behaviours and understanding of risk in the entity are fully embedded. Integrity is of the utmost importance at a.s.r.: this is translated into a code of conduct and strict application policies for new and existing personnel, such as taking an oath or solemn affirmation when entering the company, and the ‘fit and proper’ aspect of the Solvency II regulation, ensuring that a.s.r. is overseen and managed in a professional manner.
Furthermore, a.s.r. believes it is important to create a culture in which risks can be discussed openly, in which risks are not merely perceived to be negative, and which highlights that risks can also present a.s.r. with opportunities. Risk Management (both centralised and decentralised) and Compliance are positioned such that they can communicate and report on risks independently and transparently, which also contributes to creating a proper risk culture.
7.8.1.1.6 Risk management process
The RM process typically comprises five important steps: 1) identifying; 2) measuring; 3) managing; 4) monitoring and reporting; and 5) evaluating. a.s.r. has defined a procedure for performing risk analyses and standards for specific assessments. The five different steps are explained in this chapter.
Identifying
Management should endeavour to identify all possible risks that may impact the strategic, tactical and operational objectives of a.s.r., ranging from the larger and / or more significant risks posed to the overall business, down to the smaller risks associated with individual projects or smaller business lines. Risk identification comprises the process of identifying and describing risk sources, events, and the causes and effects of those events.
Measuring
After risks have been identified, quantitative or qualitative assessments of these risks take place to estimate the likelihood and impact associated with them. Methods applicable to the assessment of risks are:
Sensitivity analysis
Stress testing
Scenario analysis
Expert judgments (regarding likelihood and impact)
Portfolio analysis
Managing
Typically, there are four strategies to managing risk:
Accept: risk acceptance means accepting that a risk might have consequences, without taking any further mitigating measures.
Avoid: risk avoidance is the elimination of activities that cause the risk.
Transfer: risk transference is transferring the impact of the risk to a third party.
Mitigate: risk mitigation involves the mitigation of the risk likelihood and / or impact.
RM strategies are chosen in a way that ensures that a.s.r. remains within the risk appetite tolerance levels and limits.
Monitoring and reporting
The risk identification process is not a continuous exercise. Therefore, risk monitoring and reporting are required to capture changes in environments and conditions. This also means that RM strategies could, or perhaps should, be adapted in accordance with risk appetite tolerance levels and limits.
Evaluating
The evaluation step is twofold. On the one hand, evaluation means risk exposures are evaluated against risk appetite tolerance levels and limits, taking (the effectiveness of) existing mitigation measures into account. The outcome of the evaluation could lead to a decision regarding further mitigating measures or changes in RM strategies. On the other hand, the RM framework (including the risk management processes) is evaluated by the RM function, in order to continuously improve the effectiveness of the RM framework as a whole.
7.8.1.2 a.s.r.’s risk categories
a.s.r. is exposed to a variety of risks. Aegon life and Aegon spaarkas use a PIM to calculate the solvency position. a.s.r. is currently in the process of expanding the PIM to a.s.r. life. In 2024, the Internal Model Approval Process (IMAP) for a.s.r. life has started. The project aims to implement the expanded model for FY 2025, subject to successful completion of the project and approval by DNB. Introduction of PIM to a.s.r. life results in a positive outlook for FY 2025.
As a result of PIM, the risk universe of Aegon life and Aegon spaarkas is therefore different and captures all material risks that the company is exposed to. The emerging risk process ensures that the risk universe will remain up to date. An overview of Aegon life and Aegon spaarkas risk universe is provided in the following graph.
For the other insurance entities there are six main risk categories that a.s.r. recognises, as described below and further explained in the following risk paragraphs. The most important risks from the risk universe for the PIM entities are explained within these six risk categories used for the Solvency II Standard Formula (SF). In addition, a.s.r. recognises sustainability risks arising from environmental, social or governance (ESG) events or conditions. These risks can be financial and non-financial and can be both strategic and operational. This means that all six main risk categories that a.s.r. recognises can be affected by sustainability risks. In chapter 6 of the annual report and in the paragraph climate change, a.s.r. briefly describes how a.s.r. identifies, measures and manages climate risks and opportunities for its business.
a.s.r. is working on integrating the different risk categories into a single overarching risk taxonomy. This harmonised overarching taxonomy will consist of both the Solvency II SF risk categories and the risk categories from the PIM and is expected to be implemented in 2025.
Insurance risk
Insurance risk is the risk that premium and / or investment income or outstanding reserves will not be sufficient to cover current or future payment obligations, due to the application of inaccurate technical or other assumptions and principles when developing and pricing products. a.s.r. recognises the following insurance risks:
Life insurance risk
Health insurance risk
Non-life insurance risk
Market risk
The risk of changes in values caused by market prices or volatility of market prices differing from their expected values. The following types of market risk are distinguished:
Interest rate risk
Equity risk
Property risk
Spread risk
Currency risk
Concentration risk / market concentration risk
Counterparty default risk
Counterparty default risk is the risk of losses due to the unexpected failure to pay or credit rating downgrade of counterparties and debtors. Counterparty default risk exists in respect of the following counterparties:
Reinsurers
Consumers
Intermediaries
Counterparties that offer cash facilities
Counterparties with which derivatives contracts have been concluded
Healthcare providers
Zorginstituut Nederland
Liquidity risk
Liquidity risk is the risk that a.s.r. is not able to meet its financial obligations to policyholders and other creditors when they become due and payable, at a reasonable cost and in a timely manner.
Operational risk
Operational risk is the risk of losses caused by weak or failing internal procedures, weaknesses in the action taken by personnel, weaknesses in systems or because of external events. The following subcategories of operational risk are used:
Process
Information technology
Project
Reporting & Model
Integrity
Strategic risk
Strategic risk is the risk of a.s.r. or its business lines failing to achieve the objectives due to incorrect decision-making, incorrect implementation and / or an inadequate response to changes in the environment. Such changes may arise in the following areas:
Macro-economic
Geopolitical instability
Climate change and energy transition
Cyber and information security
Regulation
Biodiversity
Social tensions
Pandemics
Strategic risk may arise due to a mismatch between two or more of the following components: the objectives (resulting from the strategy), the resources used to achieve the objectives, the quality of implementation, the economic climate and / or the market in which a.s.r. and / or its business lines operate.
7.8.1.3 Climate change & Biodiversity
In addition to the six main categories, a.s.r. recognises sustainability risks arising from environmental, social or governance (ESG) events or conditions. These risks can be financial and non-financial and can be both strategic and operational. This means that all six main risk categories that a.s.r. recognises can be affected by sustainability risks.
Climate-related risks are divided into physical, transition and reputational risks. Physical risks arise from more frequent and severe climate events. Physical risks can be acute, such as extreme weather events, or chronic when they arise from gradual changes such as water shortages or rising temperatures. Transition risks result from the process of adjustment towards a climate-neutral society. The failure to appropriately address these adjustments can result in reputational risk.
Technical provisions
The net impact of climate change and biodiversity loss on the current Solvency II Technical Provisions or SCR estimation is considered to be limited. In previous years, several assessments have been performed that substantiate this. E.g. the impact of sustainability factors on the portfolio has been assessed. Based on the portfolio characteristics and product features, the potential adverse effect on the value of liabilities has been assessed. In addition, an assessment is made to identify the impact of sustainability factors on the prudential risks. Based on these and other analyses, the limited net impact is confirmed. For the Life and Pension business the impact of climate change on life expectancy is considered to be limited. Increased inflation caused by social or geopolitical factors is adequately valued in the liabilities. The inflation sensitivity of the technical provisions is hedged with inflation swaps and inflation bonds. The Non-life business is characterised by a short contract boundary; most premiums can therefore be adjusted yearly to the gradual impact of climate change.
In 2024 the double materiality assessment was finalised, including the financial materiality assessment (see section 6.1.4.3). The double materiality assessment did not result in different conclusions regarding the scope of the Actuarial Function (AF). The material financial risks that were identified are related to climate change, biodiversity loss and consumers and/or end-users. These risks are related to future developments (medium- and long-term horizons) and are not directly related to the current Solvency II Technical provisions. E.g. the future development of climate change does not have an impact on the current frequency and severity of events. The AF pays continuous attention to developments of ESG risks and the potential impact on the technical liabilities, the reinsurance contracts and pricing- and underwriting policies.
Based on the assessments, a.s.r. does not consider ESG to have an impact on the method or results of current Solvency II Technical Provisions or SCR estimation. The ESG risks are expected to be within the limits of the Solvency II Capital Requirement. This conclusion is applicable to both the a.s.r. and Aegon portfolios.
Reference is made to section 6.1.3.4 for more information on how a.s.r. identifies, measures and manages climate risks and opportunities for its business.
Risk assessments
Transition risks apply in particular to investments and financing. The scenario analysis for transition risks is performed by considering the proposal from the Strategic Asset Allocation (SAA) 2024 under four climate scenarios. The dynamically managed market risk budgets are resilient to the climate impact with regard to the development of the SII ratio over the coming 20 years.
The ORSA assesses the overall solvency needs of a.s.r. in the context of the strategic plans, making allowance for the current and expected solvency positions, the risk appetite and solvency targets. Physical climate risks are mainly associated with the Non-life portfolio and adequately priced in the products. Physical climate risks (a major storm and major flood) are assessed in the ORSA combined business scenarios for the Non-life portfolio. Within life and health insurance, the impact is mainly in the longer term and was not quantified in the standard ORSA horizon of 5 years. Therefore, since the ORSA 2023, a.s.r. introduced a climate scenario with a horizon of 10 years. The starting point for this climate scenario is the failed transition, which is the most negative scenario from the SAA study. In addition, a.s.r. Real estate, Non-Life, Health and Disability are exposed to physical climate risk.
As part of the CSRD project a.s.r. started the double materiality assessment in 2023 and finalised the assessment in 2024. This assessment led to identification of material sustainability topics that are included in the Sustainability Statements (chapter 6). Furthermore, a.s.r. is in the process of integrating the risk management activities related to CSRD sustainability reporting in its existing integrated risk management framework and governance. In 2024 risks have been identified and controls have been determined to ensure the correctness, completeness and timeliness of the sustainability reporting, in particular with respect to newly disclosed items. The aforementioned risks and controls have been included in the reporting manuals which have been drafted at the level of each individual product line. Furthermore, a governance structure has been in place for addressing sustainability matters, including reporting. Full integration of these activities will enhance organisational efficiency, strengthen reliable reporting, and ensure compliance with the regulatory requirements.
Overall, climate risks as a result of climate change and the energy transition are incorporated into a.s.r.’s risk appetite and are part of the regular risk management processes such as the annual group-wide SRA process. Material climate risks identified in the SRA process, including storms and floods, are incorporated into the scenario analysis of the ORSA and quantified by the business actuary teams.