Operational risks
Operational risks refer to the risk of losses occurring because of the inadequacy or failure of internal processes or as a result of events triggered by employee-related, system-induced or external factors. In contrast to technical risks (e.g. the premium risk), which we enter into in a deliberate and controlled manner in the context of our business activities, operational risks are an indivisible part of our business activities. The focus is therefore on risk avoidance and risk minimisation. Derived from our strategic principle “We manage risks actively”, we act according to the following principles in relation to operational risks:
- We integrate operational risk management into the company and its culture.
- We manage operational risks proactively and sustainably.
- We consider events and scenarios that cover the entire spectrum of operational risks.
- We strive for adequate risk minimisation through our actions.
- We manage within defined limits and create transparency through measurements.
With the aid of Self-Assessments for Operational Risks (SAOR) we determine the degree of maturity of our operational risk management and define action fields for improvements. Based on these measurements, limits and thresholds are developed in light of risk indicators and efficiency considerations. One key indicator in this regard is the SAOR-based capital commitment in our internal model.
The assessment is carried out, for example, by evaluating the degree of maturity of the respective risk management function or of the risk monitoring and reporting. The system enables us, among other things, to prioritise operational risks. Within the overall framework we consider, in particular, business process risks, compliance risks, risks associated with sales channels and outsourcing of functions, fraud risks, personnel risks, information technology risks/information security risks and business interruption risks.
Business process risks are associated with the risk of deficient or flawed internal processes, which can arise as a consequence of an inadequate process organisation. We have defined criteria to evaluate the degree of maturity of the material processes, e.g. for the reserving process. This enables us to ensure that process risks are monitored. In cooperation with the process participants, the process owner evaluates the risks of the metaprocess and develops measures for known, existing risks. Data quality is also a highly critical success factor, especially in risk management, because – among other things – the validity of the results delivered by the internal model depends primarily on the data provided. The overriding goal of our data quality management is the sustainable improvement and safeguarding of data quality within the Hannover Re Group. Appropriate management of data quality risks is conditional upon clearly defined roles and associated responsibilities. Within the scope of process-integrated risk monitoring, centralised data quality management is responsible for establishing and maintaining the system and in so doing has the authority to prescribe standards and methods.
Compliance risks are associated with the risk of breaches of standards and requirements, non-compliance with which may entail lawsuits or official proceedings with not inconsiderable detrimental implications for the business activities of the Hannover Re Group. Regulatory compliance, compliance with the company’s Code of Conduct, data privacy and compliance with anti-trust and competition laws have been defined as issues of particular relevance to compliance. The compliance risk also includes tax and legal risks. Responsibilities within the compliance organisation are regulated and documented Group-wide and interfaces with risk management have been put in place. The set of tools is rounded off with regular compliance training programmes.
We transact primary insurance business that complements our reinsurance activities in selected market niches. In so doing, just as on the reinsurance side, we always work together with partners from the primary sector – such as insurance brokers and underwriting agencies. This gives rise to risks associated with such sales channels, although these are minimised through the careful selection of agencies, mandatory underwriting guidelines and regular checks.
Risks associated with the outsourcing of functions can result from the outsourcing of functions, services and/or organisational units to third parties outside Hannover Re. Mandatory rules have been put in place to limit this risk; among other things, they stipulate that a risk analysis is to be performed prior to a material outsourcing. In the context of this analysis a check is carried out to determine, inter alia, what specific risks exist and whether outsourcing can even occur in the first place.
Fraud risks refer to the risk of intentional violations of laws or regulations by members of staff (internal fraud) and/or by externals (external fraud). This risk is reduced by the internal control system as well as by the audits conducted by Internal Auditing on a Group-wide and line-independent basis.
The proper functioning and competitiveness of the Hannover Re Group can be attributed in large measure to the expertise and dedication of our staff. In order to minimise personnel risks, we pay special attention to the skills, experience and motivation of our employees and foster these qualities through outstanding personnel development and leadership activities. Regular employee surveys and the monitoring of turnover rates ensure that such risks are identified at an early stage and that scope is created to take the necessary actions.
Information technology risks and information security risks arise, inter alia, out of the risk of inadequate integrity, confidentiality or availability of systems and information. By way of example, losses and damage resulting from the unauthorised passing on of confidential information, the malicious overloading of important IT systems or from computer viruses are material to the Hannover Re Group. Given the broad spectrum of such risks, a diverse range of steering and monitoring measures and organisational standards, including for example the requirement to conclude confidentiality agreements with service providers, have been put in place. In addition, our employees are made more conscious of such security risks through practically oriented tools provided online in the intranet or by way of training opportunities.
When it comes to reducing business interruption risks, the paramount objective is the quickest possible return to normal operations after a crisis, for example through implementation of existing contingency plans. Guided by internationally accepted standards, we have defined the key framework conditions and – among other measures – we have assembled a crisis team to serve as a temporary body in the event of an emergency. The system is complemented by regular exercises and tests. Regular risk reporting to the Risk Committee and the Executive Board has also been put in place.