Risk Management Framework
The Group is equipped with a Risk Management Framework, formalised in the policies issued by the Ultimate Parent Company’s Board of Directors as an act of policy and co-ordination, and by the Boards of the individual subsidiaries. The Risk Management Framework pursues the objective of ensuring effective monitoring of risks arising from carrying out the Group's activities by paying special attention to the most significant risks, which are those that can undermine the solvency of the Group and of its Companies or the observance of the corporate goals, including those established by the resolution of Risk Appetite Framework. The main objective of the Risk Management Framework is to guarantee the capability of meeting commitments relating to policyholders, beneficiaries and injured parties and, in more general terms, the various stakeholders.
The Group therefore pursues the objective of maintaining its capital solidity and a satisfactory level of profitability. To this end, the risk management process takes into account the objectives of the Business Plan and the annual budget. This process is divided into the following macro-phases which are carried out recursively:
- identification of the risks and definition of the measurement/assessment methods;
- assessment of current and prospective risks (the Own Risk and Solvency Assessment or “ORSA”) and definition of the Risk Appetite Framework;
- monitoring and control of the risks;
- mitigation of the risks.
The process phases are completed by the associated reporting.
The exposure of each company to the different types of risk is also summarised every six months using the risk map, whose purpose is to form a point where the detailed information collected, monitored and managed comes together to provide a unified and effective representation of the risk position.
When integrated with the other policy processes, the Risk Appetite Framework contributes to guiding the strategic decisions of the Group and its Companies. Accordingly, the Group has adopted a framework structured on three dimensions, namely:
- Risk Appetite: measured and managed by defining Solvency II Ratio bands of fluctuation and thresholds.
- Risk Appetite by type of risk: defined in line with the Risk Appetite level, which is also broken down into risk appetite and respective “soft” and “hard” limits, expressed in terms of SCR or on a qualitative scale;
- Operational limits: declination of Risk Appetite in the daily management of risk through the assignment (and monitoring) of operating limits.
The financial risks for the Cattolica Assicurazioni Group can be attributed to two categories of risk: credit risk and market risk. The features relating to the risks in question are illustrated below.
The main types of exposure falling within this category relate to the exposure in current accounts, vis-à-vis reinsurers and for amounts receivable from intermediaries and insured parties.
The credit risk management process is centred around the appropriate selection of counterparties and integrated into the system of limits aimed at appropriately managing the most significant exposures by assigning limits to the operating units, expressed as capital requirement calculated with the standard formula and classified according to type.
Market risk is the main category of exposure within the types of risk to which the Group is exposed.
Of particular relevance are risks of variation in credit spread, real estate risk and equity risk. Interest rates, currency and concentration risks follow.
Exposure to spread risk is connected to the relevant share of bonds in which the total portfolio is invested, including a portion of corporate issuer securities. Real estate risk is a direct consequence of total exposure to property assets, which is associated with a significant percentage of regulatory capital requirement as of today.
The goal of the Group’s operational Risk Management Framework is to prevent and reduce any losses that may arise when damaging events occur by means of a process that calls for their identification, gauging and mitigation and the systematic diffusion of the risk based culture in daily operations. This approach makes it possible to enhance the internal audit system, improve the efficiency and efficacy of management processes and encourage dialogue with the Board of Directors, Senior Management and the Supervisory Committee of the Group.
There are three types of event to which the Group is mostly exposed, both in terms of number and level of exposure:
- the execution, delivery and management of the processes attributable to events that occur in the daily business operations, also in consideration of the activities that the Group companies have outsourced either to Group companies or to external suppliers,
- fraud connected with settlement and underwriting activities and
- interruption of the operations and malfunctions of the information systems.
The predominant type is the one concerning the execution of processes, while the risks of fraud – despite being inherent to the business and to the insurance industry - are numerically reduced, even though the phenomenon as a whole represents a significant risk. With regard to these risks, there were no material concentrations.
However, the Italian scenario is increasingly astute to cyber risk and business interruption, aligning itself with the international situation, leading to a reassessment of the trend of exposure to such risks as moderately rising. This has also demonstrated the need for the implementation of safety measures for the information technology systems. The main mitigation actions undertaken by the Group are focused precisely in this direction.