Operational risks refer to the risk of losses occurring because of the inadequacy or failure of internal processes or as a result of events triggered by employee-related, system-induced or external factors. In contrast to underwriting risks (e. g. the reserve risk), which we enter into in a deliberate and controlled manner in the context of our business activities, operational risks are an indivisible part of our business activities. The focus is therefore on risk avoidance and risk minimisation. As a derivation from our strategic principle “We manage risks actively”, we act according to the following principles in relation to operational risks:
- We integrate operational risk management into the company and its culture.
- We manage operational risks proactively and sustainably.
- We consider events and scenarios that cover the entire spectrum of operational risks.
- We strive for appropriate risk reduction through our measures.
- We manage within defined limits and create transparency through measurements.
With the aid of the Self-Assessment for Operational Risks we determine the maturity level of our operational risk management system and define action fields for improvements. The assessment is carried out, for example, by assessing the maturity level of the respective risk management function or of the risk monitoring and reporting. The system enables us, among other things, to prioritise operational risks and is used inter alia to calculate the capital commitment in our internal model.
The change in risk capital in the period under review can be attributed primarily to the increased business volume and the resulting higher exposure for operational risks.
Within the overall framework of operational risks we consider, in particular, business process risks, compliance risks, risks associated with sales channels and outsourcing of functions, fraud risks, personnel risks, information technology risks / information security risks and business interruption risks.
Business process risks are associated with the risk of deficient or flawed internal processes, which can arise as a consequence of an inadequate process organisation. We have defined criteria to evaluate the maturity level of the material processes, e. g. for the reserving process. This enables us to ensure that process risks are monitored. In cooperation with the process participants, the process owner evaluates the risks of the metaprocess and develops measures for known, existing risks. Data quality is also a highly critical success factor, especially in risk management, because – among other things – the validity of the results delivered by the internal model depends primarily on the data provided. The overriding goal of our data quality management is the sustainable improvement and safeguarding of data quality within the Hannover Re Group.
Compliance risks are associated with the risk of breaches of standards and requirements, non-compliance with which may entail lawsuits or official proceedings with not inconsiderable detrimental implications for the business activities of the Hannover Re Group. Regulatory compliance, compliance with the company’s Code of Conduct, data privacy and compliance with anti-trust and competition laws have been defined as issues of particular relevance to compliance. The compliance risk also extends to tax and legal risks. Responsibilities within the compliance organisation are regulated and documented Group-wide and interfaces with risk management have been put in place. The set of tools is rounded off with regular compliance training programmes.
In selected market niches we transact primary insurance business that complements our reinsurance activities. In so doing, just as on the reinsurance side, we always work together with partners from the primary sector – such as insurance brokers and underwriting agencies. This gives rise to risks associated with such sales channels, although these are minimised through the careful selection of agencies, mandatory underwriting guidelines and regular checks.
Risks associated with the outsourcing of functions can result from the outsourcing of functions, services and/or organisational units to third parties outside Hannover Re. Mandatory rules have been put in place to limit this risk; among other things, they stipulate that a risk analysis is to be performed prior to a material outsourcing. In the context of this analysis a check is carried out to determine, inter alia, what specific risks exist and whether outsourcing can even occur in the first place.
Fraud risks refer to the risk of intentional violations of laws or regulations by members of staff (internal fraud) and/or by external parties (external fraud). This risk is reduced by the internal control system as well as by the audits conducted by Group Auditing on a Group-wide and line-independent basis.
The proper functioning and competitiveness of the Hannover Re Group can be attributed in large measure to the expertise and dedication of our staff. In order to minimise personnel risks, we pay special attention to the skills, experience and motivation of our employees and foster these qualities through outstanding personnel development and leadership activities. Regular employee surveys and the monitoring of turnover rates ensure that such risks are identified at an early stage and that scope is created to take the necessary actions.
Information technology risks and information security risks arise, inter alia, out of the risk of the inadequate integrity, confidentiality or availability of systems and information. By way of example, losses and damage resulting from the unauthorised passing on of confidential information, the malicious overloading of important IT systems or from computer viruses are material to the Hannover Re Group. Given the broad spectrum of such risks, a diverse range of steering and monitoring measures and organisational standards, including for example the requirement to conclude confidentiality agreements with service providers, have been put in place. In addition, our employees are made more conscious of such security risks through practically oriented tools provided online in the intranet or by way of training opportunities.
When it comes to reducing business interruption risks, the paramount objective is the quickest possible return to normal operations after a crisis, for example through implementation of existing contingency plans. Guided by internationally accepted standards, we have defined the key framework conditions and – among other measures – we have assembled a crisis team to serve as a temporary body in the event of an emergency. The system is complemented by regular exercises and tests. In the previous year, for example, we compiled a leaflet on correct behaviour in the event of a business interruption; this condenses in compact form the key information that all employees need to know (e. g. information channels in a crisis situation). Regular risk reporting to the Risk Committee and the Executive Board has also been put in place.