Operational risks refer to the risk of losses occurring because of the inadequacy or failure of internal processes or as a result of events triggered by employee-related, system-induced or external factors. In contrast to underwriting risks (e. g. the reserve risk), which we enter into in a deliberate and controlled manner in the context of our business activities, operational risks are an indivisible part of our business activities. The focus is therefore on risk avoidance and risk minimisation.
With the aid of the Self-Assessment for Operational Risks we determine the maturity level of our operational risk management system and define action fields for improvements. The assessment is carried out, for example, by assessing the maturity level of the respective risk management function or of the risk monitoring and reporting. The system enables us, among other things, to prioritise operational risks and is used to calculate the capital commitment in our internal capital model.
Within the overall framework of operational risks we consider, in particular, business process risks (including data quality), compliance risks, outsourcing risks, fraud risks, personnel risks, information / IT security risks and business interruption risks.
Business process risks are associated with the risk of deficient or flawed internal processes, which can arise as a consequence of an inadequate process organisation. We have defined criteria to evaluate the maturity level of the material processes, e. g. for the reserving process. This enables us to ensure that process risks are monitored. In cooperation with the process participants, the process owner evaluates the risks of the metaprocess and develops measures for known, existing risks. Data quality is a highly critical success factor in this regard, especially in risk management, because – among other things – the validity of the results delivered by the internal capital model depends primarily on the data provided.
Compliance risks are associated with the risk of breaches of standards and requirements, non-compliance with which may entail lawsuits or official proceedings with not inconsiderable detrimental implications for the business activities of the Hannover Re Group. Regulatory compliance, compliance with the company’s Code of Conduct, data privacy and compliance with anti-trust and competition laws have been defined as issues of particular relevance to compliance. The compliance risk also extends to tax and legal risks.
We use sanctions screening software on parts of the Hannover Re Group’s portfolio to filter out individuals who are subject to sanctions on account of a criminal or terrorist background. Suitable steps are taken if such individuals are identified. Business partners are also screened in this way.
Responsibilities within the compliance organisation are regulated and documented Group-wide and interfaces with risk management have been put in place. The set of tools is rounded off with regular compliance training programmes.
Outsourcing risks can result from the outsourcing of functions, services and / or organisational units to third parties outside Hannover Re. Mandatory rules have been put in place to limit this risk; among other things, they stipulate that a risk analysis is to be performed prior to a material outsourcing. In the context of this analysis a check is carried out to determine, inter alia, what specific risks exist and whether outsourcing can even occur in the first place.
In selected market niches we transact primary insurance business that complements our reinsurance activities. In so doing, just as on the reinsurance side, we always work together with partners from the primary sector – such as insurance brokers and underwriting agencies. This gives rise to risks associated with such distribution channels, although these are minimised through the careful selection of agencies, mandatory underwriting guidelines and regular checks.
Fraud risks refer to the risk of intentional violations of laws or regulations by members of staff (internal fraud) and / or by externals (external fraud). This risk is reduced by the internal control system as well as by the audits conducted by Group Auditing on a Group-wide and line-independent basis.
The proper functioning and competitiveness of the Hannover Re Group can be attributed in large measure to the expertise and dedication of our staff. In order to minimise personnel risks, we pay special attention to the skills, experience and motivation of our employees and foster these qualities through outstanding personnel development and leadership activities. Regular employee surveys and the monitoring of turnover rates ensure that such risks are identified at an early stage and scope to take the necessary actions is created.
Information technology risks and information security risks arise, inter alia, out of the risk of the inadequate integrity, confidentiality or availability of systems and information. By way of example, losses and damage resulting from the unauthorised passing on of confidential information, the malicious overloading of important IT systems or from computer viruses are material to the Hannover Re Group. Given the broad spectrum of such risks, a diverse range of steering and monitoring measures and organisational standards, including for example the requirement to conclude confidentiality agreements with service providers, have been put in place. In addition, our employees are made more conscious of such security risks through practically oriented tools, including for example information campaigns and training activities.
When it comes to reducing business interruption risks, the paramount objective is the quickest possible return to normal operations after a crisis, for example through implementation of existing contingency plans. Guided by internationally accepted standards, we have defined the key framework conditions and – among other measures – we have assembled a crisis team to serve as a temporary body in the event of an emergency. The system is complemented by regular exercises and tests. In general terms, regular risk reporting to the Risk Committee and the Executive Board takes place in this regard.