The risk management process (risk identification, measurement, assessment, monitoring and reporting as well as the management activities) is covered by the internal control system, which ensures process compliance with internal and external regulations and enables its ongoing improvement and appropriateness for the business profile.
The risk identification process begins upon submission of a proposal for insurance product development, acquisition of a financial instrument, changes to the operating process and upon occurrence of any other event that could result in risk. It is continued until expiry of the liabilities, receivables or discontinuation of the related activities.
Risk identification consists of recognition of actual and potential sources of risk as well as estimating the materiality of the potential effect of such risk on the financial condition.
All risks included in the risk catalogue are analyzed in terms of their materiality. Each risk considered material is subject to measurement, which includes definition of risk measures appropriate for the risk type and materiality as well as availability of data. Risk is measured by specialized units, whereas responsibility for development of tools and measurement of risk with a view to determining the risk appetite, profile and limits rests with the Risk Office (“RO”).
The overall risk assessment is reflected on the risk map prepared by the RO and being a systematized visualization of the risk exposure levels.
Risk monitoring and control consist of ongoing analysis of deviations from benchmarks, i.e. limits, thresholds, plans, prior period values as well as recommendations and guidance issued, conducted by dedicated units. Additionally, monitoring includes risk measurement through its calculation and analysis.
Reporting is a process which enables effective risk-related communication and supports risk management at different decision-making levels, from an individual employee to the Supervisory Board. Members of the Management Board in charge of individual business lines receive up-to-date (daily/weekly) reports presenting changes in specific areas which affect the risk level as well as the use of limits aimed at mitigating the market risk.
The governing bodies receive the following information on risk:
- Management Board – quarterly and monthly information concerning the level of insurance, market, credit, concentration and operational risk;
- ALCO members – weekly information concerning the level of market risk as well as up-to-date information on market limits exceeded;
- CRC members – weekly and monthly information on the level of market, credit and concentration risk as well as up-to-date information on market, credit and concentration limits exceeded.
The Supervisory Board receives quarterly information concerning the key ratios related to insurance, market, credit, concentration and operational risk.
Management activities related to individual risk categories have been defined in internal regulations. Depending on the type and nature of risk, the aforesaid activities may include, in particular: risk avoidance, transfer, mitigation, risk level acceptance as well as supporting tools, such as limits, reinsurance programs as well as underwriting policy reviews.