5.4.3Identified risks

The risks identified are clustered into:

  • Strategic risks;

  • Emerging risks;

  • Financial risks;

  • Non-financial risks.

5.4.3.1Strategic risks

In 2024, a.s.r.’s risk priorities were:

  • (Geo)political instability and economic uncertainty;

  • Climate change and biodiversity loss;

  • Risks related to cyber/information security;

  • Risks related to the integration of Aegon NL;

  • Risks related to Artificial Intelligence;

  • Consequences of legislation and regulations, supervision and legalisation of society.

5.4.3.1.1(Geo)political instability and economic uncertainty

Geopolitical tensions have led to conflicts between countries, ranging from sanctions and protectionist measures to wars, terrorist attacks, and cyber threats. These include the conflicts in the Middle East and the war in Ukraine.

The political landscapes in Western countries are also becoming less predictable. This brings a risk of reduced budgetary fiscal discipline. Demographic developments (ageing population, migration) can lead to labour market shortages, resulting in wage increases. The aforementioned factors can impact general economic development, particularly interest rates, inflation, and investment returns. The monetary policy of central banks also influences this.

a.s.r. monitors and assesses relevant developments for possible risks, and implements appropriate control measures:

  • In the annual Strategic Asset Allocation (SAA) study, a.s.r. examines several possible economic scenarios (including deflation and stagflation) for the future development of the balance sheet and solvency. In the interim, follow-up analyses can be carried out. If necessary, this results in adjustments to the investment policy, in order to reduce solvency risks. Actions are monitored by the Central Investment Committee;

  • In the Preparatory Crisis Plan, recovery measures are identified which can be applied in various economic scenarios;

  • Managing market risk budgets provides automatic adjustments to the investment portfolio;

  • Depending on economic developments, the interest rate hedge or the inflation hedge can be adjusted, taking into account the indirect effects from other asset classes;

  • Depending on the level and duration of inflation premium increases can be implemented to offset inflation.

5.4.3.1.2Climate change and biodiversity loss

Climate change and biodiversity loss affect insurable risks and investments. Climate and biodiversity related risks are divided into physical and transition risks. Physical risks can be acute, such as extreme weather events (climate) or deforestation (biodiversity), or chronic, when they arise from gradual changes such as water shortages, rising temperatures or rising sea levels (climate), or decline in the quality of air, water and soil (biodiversity). The transition requires changes in legislation and regulations, adapted supervision and technological developments, and it results in changes in customer preferences or needs and market changes.

In addition to physical and transition risks, there is a reputational risk if a.s.r. fails to achieve its objectives or communicates overly assertive sustainability claims. In 2024, and earlier, a.s.r. has nuanced sustainability claims in various areas to align with current societal expectations, including adjusting fund names and investment policies.

a.s.r. monitors and assesses relevant developments for possible risks and implements appropriate control measures:

  • In order to identify key developments and anticipate them in a timely manner, a.s.r. business units have assigned responsibilities in governance and participate in various collaborations and alliances. a.s.r. performed a double materiality assessment in 2023 and 2024. See section 6.1.4.3. Climate change and biodiversity loss are both recognised as material risks, but they also provide opportunities; see section 6.1.4.4. Note that financial risks related to climate change and biodiversity loss occur only in the medium- and long-term horizons.

  • Climate change and biodiversity loss are taken into account in the investment’s portfolio, and the products and services that a.s.r. develops and offers. To mitigate transition risks, a.s.r. cooperates with several research institutes, reinsurers, other insurers, and experts to gain as much knowledge as possible about new technologies and solutions. These alliances enable a.s.r. to determine the right price and conditions to insure these risks responsibly.

  • Climate change and biodiversity loss are increasingly prominent in questions from stakeholders, ESG benchmarks and ratings. In order to continue to adequately address the risks related to mitigation and adaptation of climate change and biodiversity loss, a.s.r. continuously monitors its policy and mitigating measures and adjusts those where necessary.

5.4.3.1.3Risks related to cyber/information security

Technological development brings both opportunities and threats. Through the ongoing digitalisation and automation the IT risks related to cyber threats and information security remain persistently high at a.s.r. and its (IT) suppliers. This is partly due to the complexity and possible impact of cyberattacks.

Over the past year, geopolitical tensions and, consequently, cyber threats have increased. So far, this heightened threat has not led to targeted actions against insurers. Indirect damage from, for example, attacks on critical infrastructure cannot be ruled out, such as sabotage – including the destruction of undersea cables (internet infrastructure) – and the spread of disinformation and misinformation through the manipulation of social media. Cyber risks develop due to the increased use of new technologies, such as artificial intelligence (AI) in deepfake technology.

a.s.r. monitors and assesses relevant developments for possible risks and implements appropriate control measures:

  • a.s.r. has implemented a system of measures based on international standards. a.s.r. actively monitors the threat landscape and invests in prevention, detection, and response skills and technology to strengthen its cyber resilience, ensuring customers can rely on a.s.r.’s secure digital services. a.s.r. has a test program in which various security tests are conducted, including recent ART tests in 2024. ART stands for Advanced Red Teaming and is conducted based on Threat Intelligence. The test simulates the tactics, techniques, and procedures of real hacker groups and focuses on critical functions and underlying systems of the institution. Findings from these tests are followed up as part of the regular security roadmap of a.s.r.

  • a.s.r. provides a framework for the desired control of business continuity through its Business Continuity Management (BCM) Policy. a.s.r. has a system of measures and provisions in place to ensure the continuity of (critical) business operations, even when these are carried out by outsourcing partners. With the help of BCM, a.s.r. prepares for (and manages) any potential calamity that could threaten business continuity, as well as mitigating the impact on business continuity. Important measures taken include backup and restore, and an emergency scenario for telephony (customer contact). In the event that a.s.r. is hit by a severe, all-encompassing ransomware attack, business continuity can be restored with an 'offline backup'.

  • a.s.r. deploys an information security awareness programme, to improve employee awareness and behaviour regarding information security. Specific tools such as gamification and phishing campaigns are used to enhance the necessary mindset and skillset.

  • a.s.r. is actively involved in partnerships with financial institutions and public governing bodies, such as the Dutch Association of Insurers (Verbond van Verzekeraars), the National Cyber Security Centre (NCSC), the Digital Trust Centre (DTC), Insurance-ISAC, Insurance-CERT, and the DNB Threat Intel Based Ethical Red-team (TIBER-NL) programme. The aim is to share information to improve the financial sector’s resilience to cyber risks.

5.4.3.1.4Risks related to the integration of Aegon NL

The integration of Aegon NL has an impact on a.s.r.’s strategy, organisation, processes, systems, products, services and suppliers. In addition, attention is given to the further development of a common culture. For the progress that has been made in the integration of Aegon NL see section 'At a glance'.

From a strategic perspective, the focus is on the swift and successful integration of Aegon NL. Knab was sold in 2024. For Aegon Life, Spaarkas and a.s.r. a Partial Internal Model (PIM) is used. Through the combination, a.s.r. has acquired the knowledge and experience and will also bring the a.s.r. Life businesses to this PIM. This offers the opportunity to further optimise capital efficiency.

In 2024, the integration of P&C, Disability and several staff departments was completed. The management of integration risks went well in 2024. For 2025, the integration of Individual life, Pensions, Mortgages, and the staff departments Group Finance and D&IT will continue. The integration is expected to be completed by 2026. The Aegon brand will continue to be used for life, pension and mortgage products until mid-2026 at the latest. a.s.r. relies on the successful execution of the merger based on current experiences and progress.

Unforeseen financial and non-financial risks may arise due to possible (cumulative) risks and the complexity of the integration, for example, in the areas of insurance and financial systems, the reporting process, and cyber/information security. Additionally, there is a risk of financial loss due to lower (intended) synergy benefits.

a.s.r. monitors and assesses relevant developments for potential risks and implements appropriate control measures:

  • a.s.r. conducted a risk analysis prior to the acquisition of Aegon NL and took mitigating measures where necessary before the closing of the transaction.

  • The responsibility for steering the integration lies with the management board in collaboration with the executive board. The Integration Management Office (IMO) supports the steering groups, monitors overall progress, and ensures coordination and adjustments through the steering groups.

  • The Value Office is responsible for additional coordination and monitoring of achieving the stated synergy objectives. The responsibility for the execution of the integration lies with the business units. The role of first and second-line Risk and Compliance functions is secured in the governance.

  • HR supports the business units in managing personnel risk with retention measures and the rollout of a culture programme. HR also monitors the outcomes of eMood®.

5.4.3.1.5Risks related to artificial intelligence

Artificial Intelligence (AI) offers opportunities to process large amounts of data, create new content, and make faster and better decisions. AI impacts the entire value chain of a.s.r., including customer service, claims handling, and risk management. AI improves the quality and efficiency of a.s.r.'s services. This contributes to increasing productivity and enhancing a.s.r.'s competitive position.

It is important for a.s.r. to stay informed about AI developments and to integrate AI into the business strategy while managing the associated risks. Effective use of AI requires among others good governance, trained employees, and reliable data. a.s.r. must continuously adapt to changing AI regulations, which necessitates ongoing monitoring and adjustment of AI systems.

a.s.r. monitors and assesses relevant developments for potential risks and implements appropriate control measures:

  • a.s.r. applies proven technology and has formulated ambitious goals for specific business units regarding AI developments. a.s.r. develops generic use cases where possible and fosters a culture of innovation.

  • a.s.r. collaborates with (new) partners and experts where possible to share knowledge and experience and effectively apply AI developments.

  • a.s.r. has a modern IT landscape for AI initiatives and a generic process to ensure the controlled, phased, and managed rollout of models, safeguarding privacy, information security, and ethical frameworks.

  • a.s.r. mitigates data-related risks through data governance and quality policies. a.s.r. actively seeks datasets that can help and improves internal housekeeping.

  • The development of products where solidarity is an integral part of product development and monitoring the impact of AI on insurability.

5.4.3.1.6Consequences legislation and regulation, supervision and legalisation of society

a.s.r. faces new and/or amended laws and regulations with which it must comply. Examples include Solvency II, sustainability requirements (such as through the CSRD and EU Taxonomy Regulation), financial reporting standards and the Future Pensions Act (Wet toekomst pensioenen - WTP). In addition, new or renewed cyber and information security requirements are introduced, as well as data-focused legislation, including the Digital Operational Resilience Act (DORA) and the European Artificial Intelligence Act (AI Act). An increase in legislation and regulations in the data, cyber and information security fields is ongoing with the potential future Financial Data Access (FiDA) Regulation and the European Digital Identity (EUDI) Regulation. In addition, a.s.r. must continuously ensure that its websites remain accessible to its customers. Many new regulations need to be interpreted and implemented within a short period of time, and not all regulations are final yet. Developments affect a.s.r.’s capital requirement and solvency position. The Solvency II ratio is expected to benefit due to the recently published amendments to the Solvency II Directive that will take effect in 2027.

Additionally, the regulatory environment in the financial sector is becoming increasingly stringent and data-driven. In general the implementation and continuous tightening of control measures to comply with laws and regulations leads to continuous pressure on the organisation.

Additionally, political decisions can influence the strategic direction of a.s.r. These developments lead to more personal responsibility and choices for citizens. This places greater demands on providers to support and guide their customers (digitally) in this regard, also digitally.

To mitigate the risk, a.s.r. monitors and assesses relevant developments for possible risks and implements appropriate control measures:

  • On themes, programmes and/or projects are set up to ensure sound implementation.

  • Depending on the consequences of legislation and regulations, supervisory climate and juridification of society, and thus the impact on a.s.r. through factors such as higher internal costs, premium increases or exclusions may be implemented to offset these consequences.

  • To continue meeting data requests and reporting obligations from laws and regulations, a.s.r. invests in data environments, such as data warehouses, dedicated data teams, and data (control) processes to ensure data quality.

5.4.3.2Emerging risks

In 2024, the emerging risks identified for a.s.r. were:

  • Changes in society;

  • New pandemics and infectious diseases;

  • Quantum computing.

Note: a.s.r.’s emerging risks are new or existing risks with a potentially major impact on the achievement of the strategic objectives, in which the level of risk is hard to define. Therefore, a net risk score is not applicable.

5.4.3.2.1Changes in society

A lack of social cohesion poses a risk. Society shows fragmentation (increasing tensions), polarisation (social division), and individualisation (decrease in solidarity). Social dynamics of the changing welfare state (social system) also play a role. There are circumstances that make some people more adaptable to these changes than others. Changes in society are intensifying, and the long-term consequences are inherently uncertain and potentially large. Causes include:

  • Demographic developments, including urbanisation, ageing, more singles and single-parent families and migration. Moreover, inequality can also be triggered by government intervention.

  • Financial developments, including increasing disparities between rich and poor, resulting in greater political uncertainty, like populism.

  • Social developments, including increasing differences between the theoretically educated and the more practically educated, and changes in income security through contract forms and jobs. In addition, conspiratorial thinking is on the rise.

The role insurers have in society is changing, as these new developments impact the way an insurer invests, markets its products and delivers its services. An insurer is required to complete supporting processes and systems and meet the data-driven requirements of customers and regulators in light of this changing society.

a.s.r. monitors and assesses relevant developments for possible risks and implements appropriate control measures:

  • a.s.r. periodically monitors the progress of claims and determines what impact the company has on the changing society through its investments, products and services. To identify developments and anticipate them in a timely manner, a.s.r.’s business units have formulated responsibilities in governance and participate in various collaborations.

  • a.s.r. continuously improve processes, systems, products and services, including insurability and insurance rates, and data quality for data-driven applications.

5.4.3.2.2New pandemics and infectious diseases

The impact of the COVID-19 pandemic on a.s.r.’s strategic objectives, operational processes and financial performance has proved to be relatively limited. There is a risk that society will face new, impactful infectious diseases or changing patterns of infectious disease in the future. There is also another uncertainty in zoonoses (infectious diseases that can pass from animals to humans), which can lead to new diseases or variants of known diseases that can be harmful to health. Possible causes of future outbreaks include climate change and population growth. People may also experience long-term symptoms after infection. Future pandemics and emerging infectious diseases are inevitable, and the long-term consequences are inherently uncertain and potentially large.

a.s.r. monitors and assesses relevant developments for possible risks and implements appropriate control measures:

  • a.s.r. has developed policies and procedures, measures and steering information to manage the impact of new pandemics. These resources and the lessons learned from the COVID-19 pandemic provide input for managing the impact of any new pandemic. A crisis organisation has been set up within a.s.r. and will be activated when necessary.

  • a.s.r. contributes to the government’s approach by following basic measures to prevent any spread of disease. In a broader sense, strategic developments such as continuously strengthening the physical and mental fitness of employees and encouraging exercise and a healthy lifestyle among customers and employees (via a.s.r. Vitality) contribute to increasing the resilience of a.s.r. and its environment.

  • In exceptional situations, the government can activate Article 33 of the Health Insurance Act (Zorgverzekeringswet - ZVW) (disaster scheme), which reduces or eliminates the risk for health insurers. This scheme was also activated during the COVID-19 pandemic.

5.4.3.2.3Quantum computing

Quantum computing is revolutionising computations by offering substantially more computing power, impacting applications like scenario analyses, AI models and cryptographic encryption. Experts estimate that by 2030, quantum computers could be powerful enough to break current cryptographic standards.

On 3 December 2024, the General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst - AIVD) released an updated handbook to prepare organisations for the quantum computing threat. The AIVD identifies post-quantum cryptography (PQC) as the most promising solution to mitigate compromising information security.

a.s.r. monitors and assesses relevant developments for possible risks and implements appropriate control measures. a.s.r.'s security standard has been adjusted accordingly, and PQC will be applied wherever possible, in line with legislation. The General Data Protection Regulation (GDPR) states that cryptography must take into account the state of the art, and Digital Operational Resilience Act (DORA) requires the application of 'leading practices and standards' for cryptography.

5.4.3.3Financial risks

In addition to strategic and non-financial risks, a.s.r. has recognised several financial risks. In 2024, the most relevant of these were:

  • Economic uncertainty;

  • Solvency II.

5.4.3.3.1Economic uncertainty

Currently, financial risks arise in particular from the war in Ukraine and Middle East (see section 5.4.3.1.1for a description of the risk '(Geo)political instability'). High(er) inflation may persist longer than initially expected. Central banks have raised interest rates to limit inflation. Lower consumer and investor confidence could hurt the economy. For residential property, there are court cases relating to the indexation of the rent as included in standard contracts (in line with the Council for Real Estate (Raad voor Onroerende Zaken – ROZ) standards), which is market practice and applied in a.s.r.'s portfolio. Based on the verdict of the Dutch Supreme Court, a.s.r. does not expect a material risk on the valuation of the property portfolio.

5.4.3.3.2Solvency II

On January 8, 2025, the amendments to the Solvency II Directive have been published in the Official Journal of the European Union. The changes contained in the amended Directive must be incorporated into national legislation by 29 January 2027, and become applicable to insurers as of 30 January 2027.

The amendments consist of various changes to the Solvency II framework, affecting most notably the liability discount curve, the risk margin and the volatility adjustment (VA), the Dynamic volatility Adjustment (DVA) and the long term impact of the climate change transition plan on the SII requirements. The amendments to the Solvency II Directive will require amendments to the Solvency II Delegated Regulation and/or the introduction of additional delegated acts and guidelines, to be developed by EIOPA.

In addition to the revisions to the Solvency II Directive, an agreement was reached on the Insurance Recovery and Resolution Directive (IRRD). The IRRD provides for recovery and resolution a framework for insurance companies at European level and to be implemented by EU member states, comparable to the Act on Insurance Recovery and Resolution, currently in force in the Netherlands.

See section 7.8 for more details on the financial risk management.

5.4.3.4Non-financial risks

In addition to strategic and financial risks, a.s.r. has recognised several non-financial risks. In 2024, the most relevant of these were:

  • Outsourcing;

  • Data quality;

  • Artificial Intelligence;

  • Model risk;

  • Financial Reporting;

  • Sustainability regulations and reputational risks;

  • Unit linked insurance.

See section 7.8.1.1.6 for more information about the process of identifying, measuring, managing, monitoring, reporting and evaluating those risks.

5.4.3.4.1Outsourcing

Outsourcing risk continues to be relevant for a.s.r., especially in view of risks relating to cybercrime and dependence on suppliers. The risks related to outsourcing are managed and reported as part of the overall operational risk profile. An outsourcing framework is in place to define responsibilities, processes, risk assessments and mandatory controls. a.s.r. collaborates with a service provider to collect and validate supplier information. The insight obtained from this database supports the implementation of regulatory developments for suppliers, such as CSRD and DORA.

5.4.3.4.2Data quality

For a.s.r., adequate management of data quality and consequently generation and reporting of reliable information is of the utmost importance. This allows internal and external stakeholders (for example, customers, investors and supervisors) to make well informed decisions, and it mitigates the risk of financial losses, inaccurate risk assessments and reputational damage eroding the trust and loyalty of external stakeholders. In addition, robust data management contributes to a.s.r.’s ambition to further develop the use of AI.

Currently, the primary data management initiatives focus on data management enhancements related to Environmental, Social and Governance (ESG) data, financial data (partial internal model, IFRS and Solvency II) and master customer data. a.s.r. manages data quality by taking mitigating actions.

5.4.3.4.3Artificial Intelligence (AI)

AI implementation leads to several operational risks. Key risks include data quality issues, which can lead to inaccurate predictions, and model risk, where AI models may produce biased or unpredictable results. Cybersecurity threats and regulatory compliance challenges also pose significant concerns, which are mitigated by maintaining an AI repository to track implementation status and risk exposure, and incorporating AI Act specifics into the policy framework.

Additionally, the integration of AI with existing processes and IT can be complex, addressed through a centralised AI development process that incorporates privacy, safety, and ethics, and an awareness program for all parties involved in AI systems. To ensure robustness and quality assurance for dependable and safe AI use, a.s.r. subjects all AI systems with ethical risks to an ethical framework as part of the binding self-regulation from the Dutch Association of Insurers.

5.4.3.4.4Model risk

Model risk remains a key focus area for a.s.r., particularly given the potential for adverse consequences arising from decisions based on inaccurate or misused model outputs. Models play a crucial role in determining values and risk metrics. A model is defined as a quantitative method, system or approach that applies statistical, economic, financial or mathematical theories, techniques and assumptions to process input data into quantitative estimates. It combines data and various tools, and generates output.

Model risk can result in financial loss, suboptimal business and strategic decisions or reputational damage for a.s.r. To mitigate these risks, a.s.r. has implemented comprehensive model risk policies and procedures.

5.4.3.4.5Financial reporting

In 2024 a.s.r. remained dedicated to further strengthening its internal control framework to ensure robust financial reporting and compliance with regulatory requirements. Currently, the focus is to optimise these processes to further improve reliability by enhancing the internal control framework. These measures are designed to bolster the integrity of a.s.r.’s financial reporting and align with best practices in internal control management.

5.4.3.4.6Sustainability regulations and reputational risks

a.s.r. operates under a comprehensive and evolving number of sustainable public disclosure requirements. Starting from reporting year 2024 a.s.r. is required to report conform the CSRD. The CSRD requires a.s.r. to publicly provide information on material sustainability topics, including its climate change transition plan. A climate change transition plan will be legally required for a.s.r. when the Corporate Sustainability Due Diligence Directive (CSDDD) starts at the end of July 2027. The CSDDD will also legally require a.s.r. to conduct additional due diligence regarding sustainable matters in its upstream supply chain and its own operations.

Several operating entities within a.s.r. (financial market participants) are subject to product-level and entity-level disclosure requirements under the Sustainable Finance Disclosure Regulation (SFDR).

Climate change and biodiversity loss also create reputational risks. Litigation in relation to the transition to a low-carbon economy is on the rise. This includes complaints and/or litigation on transition planning and holding companies responsible for reducing greenhouse gas emissions as well as complaints and/or litigation in relation to sustainability claims and targets, including greenwashing and mis-selling claims. There is a risk that a.s.r. may also become subject to claims and/or litigation in this regard. a.s.r. closely monitors these developments and takes action if and where needed.

5.4.3.4.7Dutch unit-linked products

Compensation schemes

Since the end of 2006, individual unit-linked life insurance products (beleggingsverzekeringen) have received negative attention in the Dutch media, from the Dutch Parliament, the Dutch Authority of the Financial Markets (Autoriteit Financiële Markten – AFM), consumers and consumer protection organisations. In 2008, a.s.r. reached an outline agreement with five consumer protection organisations to offer compensation to unit-linked policyholders in case the cost charge and/or risk premium charge exceeds a defined maximum. A full agreement on implementation of the compensation scheme was reached in 2012 (a.s.r. compensation scheme). In July 2009, Aegon reached an agreement with Stichting Verliespolis and Stichting Woekerpolis to reduce charges and risk premiums for customers of its unit-linked insurance policies in the Netherlands (Aegon compensation scheme). These agreements of a.s.r. and Aegon have been fully executed. 

Settlement of 29 November 2023

a.s.r. reached a final settlement on 29 November 2023 regarding unit-linked life insurance customers of a.s.r. affiliated to the consumer protection organisations Consumentenclaim, Woekerpolis.nl, Woekerpolisproces, Wakkerpolis and Consumentenbond. The reason to settle was driven by an initiative to resolve long-lasting and historical disputes concerning unit-linked life insurances and decisions of the Court of Appeal of The Hague regarding unit-linked insurance products initiated by the above mentioned claim organisations. All collective proceedings of the consumer protection organisations against a.s.r. will be terminated. The settlement involves approximately 250 million. The settlement applies to all a.s.r. products of customers affiliated to one of the above consumer protection organisations. It was also agreed that no new lawsuits will be filed. The settlement is not an acknowledgement of too high costs, risk premiums and/or charges, nor is it a reliable estimate of the contingent liability as previously disclosed.

On 19 February 2025 it was announced that the agreement that was reached in November 2023 with the five customer protection groups is final. More than 90% of the affiliated customers have accepted a personal offer. As a result, the collective actions that these consumer protection organisations have initiated in the past, will be cancelled once the settlement has been fully executed. Also, these consumer protection organisations will not initiate new claims against a.s.r. In 2023, a.s.r. made an additional provision of 50 million for an arrangement for unaffiliated customers that have not previously received compensation. The provision recognised by a.s.r. to finalise the unit-linked life insurance claims amounts to € 300 million as a result of the settlement offer made in 2023, in addition to the € 36 million recognised in the insurance liabilities as remaining portion of the previous agreements, provided for in previous years.

With the recent settlement with the consumer protection organisations and the additional provision for unaffiliated customers, a.s.r. has taken big steps in resolving the unit-linked life insurance file and limiting the risks involved. By finalising this settlement, the risks regarding the unit-linked insurance file have been significantly reduced. Only a limited number of individual legal proceedings are currently pending.