Risks and Risk and Solvency Management
The risk and solvency management framework of the Fennia Group, which includes Fennia Mutual Insurance Company (hereinafter Fennia) and its subsidiaries, Fennia Life Insurance Company (hereinafter Fennia Life) and Fennia Asset Management Ltd (hereinafter Fennia Asset Management), is described in the policy documents approved by the Group companies’ Boards of Directors. The most central of these documents is the risk and solvency management policy, which lays down the general principles for managing both risks and solvency in the Group.
In the Fennia Group, risk management means co-ordinated strategies, processes, principles and measures to identify, measure, monitor, manage and report risks faced by the Group and the Group companies. Solvency management, on the other hand, means strategies, processes, principles and measures to determine and steer the Group’s and the Group companies’ risk-bearing capacity, risk appetite, risk tolerance and restrictions of their essential risks.
Fennia’s Board of Directors, in its capacity as the Board of Directors of the Group’s parent company, is the supreme decision-making body within the Group and bears the responsibility for risk and solvency management and for its integration into the Group’s governance system. It is the responsibility of Fennia’s Board of Directors to ensure that the special characteristics of the companies belonging to the Group and the intra-Group connections (including internal transactions, double capital, transferability of capital and use of capital in general) are taken into consideration appropriately.
The Board of Directors of Fennia Life is responsible for ensuring that the company consistently abides by the Group’s risk and solvency management policy. It is responsible for ensuring that the company has a governance system in place which is adequately organised with regard to the quality, scope and complexity of the operations, including internal control and a risk management system.
The Board of Directors of Fennia Asset Management is responsible for ensuring that the company abides by the Fennia Group’s risk management policy to the extent where the company’s special characteristics do not require deviations from it.
Other Group companies abide by the Fennia Group’s risk and solvency management policy where applicable.
A risk management committee has been set up for the Group’s insurance companies to prepare, steer and co-ordinate tasks related to risk and solvency management and to communicate information. The primary task of this risk management committee is to support Fennia’s and Fennia Life’s Managing Directors in issues related to risk and solvency management. The committee is chaired by Fennia’s Managing Director, and Fennia Life’s Managing Director is a member of the committee.
A separate risk management committee has been set up for Fennia Asset Management. It is chaired by the Managing Director of Fennia Asset Management.
The steering of the risk management system is based on a three-defence-line model, whereby:
- The first defence line, i.e. business and support functions, has the primary responsibility for daily risk management and reporting in accordance with the agreed policy.
- The second defence line is the owner of the risk management framework and is responsible for, among other things, the interpretation, development and planning of and reporting on risk and solvency management, and supports, monitors and assesses the first defence line’s implementation of the risk and solvency management processes.
- The third defence line is in charge of ensuring the effectiveness and efficiency of internal control and risk and solvency management.
In the three-defence-line model, responsibility for risk and solvency management is allocated as follows between the various operators:
The Risk Management function and the Compliance function have been integrated into the Fennia Group’s organisation to ensure their independence from the operational activities, which means that the functions are free from influences that might compromise the objective, equal and independent performance of their tasks. Internal audit is independent of both the first and second defence line operations.
Risk refers to an uncertain event and its consequence, which can be a threat or an opportunity for the company.
The Group’s risk management strategies and processes are divided into the following sub-areas:
1. Risk identification
The business and support functions of the first defence line identify and assess the risks that threaten their operations and objectives, in the context of both the annual planning process and daily operational activities.
2. Risk measurement
During the risk management process, the severity of the risks and their interdependencies are evaluated to the extent that is possible. The objective of risk measurement is to create commensurable indicators for different risks and to improve the comparability of risks. Risk measurement and comparison are necessary as they allow the targeting of risk management measures on the risks that are most essential for the operations. As a general rule, risk measurement is based on the Value-at-Risk method. The Risk Management function co-ordinates the measurement of risk severity and dependency as well as the methods used in measurement.
3. Risk monitoring
The Group carries out quantitative risk monitoring, consisting of various risk indicators, and qualitative risk monitoring, which includes, among other things, monitoring, assessment and possible testing out of management measures that have been planned and decided upon. The first defence line ensures that appropriate risk monitoring is in place and that sufficient information on risks is obtained for their management. The first defence line monitors the management measures that it has planned and decided upon and assesses their effectiveness. The second defence line carries out independent quantitative and qualitative risk monitoring to support the risk management work of the first defence line.
4. Risk management
During the management process, the risks are prioritised and management measures are planned to control or limit the risks. The first defence line, as the risk owner, carries out appropriate risk management and plans the management measures. The second defence line supports, monitors and assesses the management actions undertaken by the first defence line, but, in order to ensure independence, does not participate in making operational decisions. The management instruments used in the various risk areas are described in more detail in sections 3.1–3.10.
5. Risk reporting
The materialisation of risks and their effects as well as near-miss situations are reported within the Group in accordance with the agreed reporting process. The Risk Management and Compliance functions report the risks to the risk management committees and to the relevant Boards of Directors as part of the functions’ regular reporting.
The above-mentioned risk management strategies and processes are applied to all of the risk areas of the risk map drawn up to facilitate risk management, which are:
Insurance risks are related to the insurance company’s core business, insurance.
The most significant insurance risks relate to risk selection, sales steering and risk pricing, i.e. they involve a loss risk resulting from the costs arising from future claims (incl. operating expenses) exceeding the insurance contributions received. Insurance risks also include major loss risks (e.g. disaster risks) and the risk inherent in the adequacy of reinsurance covers.
Insurance risks also include a loss risk arising from an unfavourable change in the value of the technical provisions, i.e. the technical provision risk. Technical provision risks relate to the uncertainty of the assumptions made when calculating the technical provisions and to unfavourable deviations of the estimated claim amounts, operating expenses and their cash flows from the actual expenses.
The actuarial risk factors included in the technical provision risk are, among other things, biometric risks (mortality, longevity, disability and similar risks) and different expiry risks, such as the surrender risk in life insurance.
Certain financial market risks, such as inflation and the discount rate, also apply to the technical provisions.
Insurance operations are based on taking insurance risks, diversifying the risks within the insurance portfolio and managing the risks. The most important instruments for managing the risk inherent in unearned premiums are appropriate risk selection, pricing, insurance terms and conditions, and the acquisition of reinsurance cover.
Risk selection provides guidance to sales and ensures the profitability of insurance operations. Risk selection is managed by statistical study of previous losses, which also provide the basis for pricing. The risk selection guidelines specify the types of risks that can be insured and the maximum permitted sums insured.
The objective of insurance risk pricing is to achieve the desired risk matching: the bigger the risk, the higher the price and vice versa. Pricing requires accurate and adequate information as well as sufficient knowledge about the insured target. Only then can appropriate risk analyses be made and a sufficient level of insurance contributions be decided on.
The importance of insurance terms and conditions is essential when it comes to controlling insurance risks. They determine, for example, the scope of the insurance cover and the restrictions on compensable damages. In managing insurance risk, it is important to exclude undesired risks or to limit them by way of agreements to a desired level.
Certain non-life insurance lines, such as statutory accident insurance and motor liability insurance, are subject to specific legislation, which determines the scope of the insurance cover, preventing any alterations to the insurance terms and conditions in this respect. Certain provisions applicable to statutory accident insurance and motor liability insurance also restrict the insurance company’s liability. In claims pertaining to annuities, the inflation risk and the long-term compensation risks related to medical expenses have been transferred to the pay-as-you-go pool under the joint responsibility of the companies operating in the insurance sector.
In calculating the technical provisions, different quantitative methods are used, which play a key role in the management of the technical provision risk. In addition to the methods used, the sufficiency and quality of the available information and its management essentially affect the nature of the technical provision risk.
In life insurance, legislation restricts the right of a life insurance company to increase premiums or to alter the insurance terms and conditions. Thereby the duration of the contracts affects the biometric risks inherent in the technical provision risk. If the assumptions made turn out to be insufficient and the insurance premiums cannot be adjusted, the technical provisions must be supplemented by an amount equalling the expected loss.
Reinsurance is used to hedge against and manage major losses and loss events. In managing major loss risks, it is important for the structure of the outward reinsurance and the portion of risks/losses remaining under the company’s responsibility to be dimensioned according to the solvency and the insurance liabilities to ensure efficient risk transfer.
The use of reinsurance implies ancillary risks, such as reinsurance availability, price and counterparty risks. In non-life insurance, the reinsurance risk and the related counterparty risk are reduced by only accepting companies with a sufficiently high financial strength rating as reinsurers. Moreover, limits are set on the maximum share of a single reinsurer in any reinsurance programme. In life insurance operations, the use of outward reinsurance is minor and therefore concentrated on a few counterparties.
Quantitative data on risk variables for technical provisions in non-life insurance financial statements
|Impact of change on Fennia’s solvency capital|
|Discount interest||Decrease of 0.1 percentage point||EUR -4 million|
|Inflation risk||Increase of 1%||EUR -6 million|
|Mortality||Average age increase of 1 yr||EUR -10 million|
Financial market risk refers to a risk of loss resulting, either directly or indirectly, from fluctuations in the level and volatility of the values of financial market variables, such as interest rates, equities, real estate, exchange rates and credit margins.
Investment operations and their management play a special role in managing financial market risks. The most significant risks are related to a decline in the value of investments and the poor matching of the investments with the nature of the technical provisions (ALM risk).
The main instruments for managing financial market risks are the appropriate selection of investment instruments, the diversification of investments and the limitation of risks.
A prerequisite for managing financial market risks is to invest assets in property and instruments with risks that can be identified, measured, monitored, managed and reported. In addition, measures are taken concerning new assets and investment instruments prior to their acquisition to ensure that the new assets or investment instruments are manageable and suitable with regard to the business and to risk management.
Sufficient diversification of investments is used to achieve optimal diversification benefits, risk-adjusted returns and asset and liability matching.
A key instrument for managing financial market risks is the use of risk budgeting in solvency management. Allocation restrictions are used to ensure that investment assets have been allocated sufficiently over different asset classes. In addition, more detailed restrictions are determined to ensure sufficient diversification also within asset classes.
Quantitative data on risk variables in Fennia`s investment portfolio
|Impact of change on Fennia’s solvency capital|
|Fixed income investments||Interest rate +1 percentage point||EUR -28 million|
|Equity investments||Change in value -20%||EUR -41 million|
|Real estate investments||Change in value -10%||EUR -30 million|
Quantitative data on risk variables in Fennia Life's investment portfolio
|Impact of change on Fennia’s solvency capital|
|Fixed income investments||Interest rate +1 percentage point||EUR -14 million|
|Equity investments||Change in value -20%||EUR -28 million|
|Real estate investments||Change in value -10%||EUR -11 million|
The counterparty risk takes into account possible losses resulting from the unexpected insolvency of the insurance company’s counterparties.
As with market risks, a prerequisite for managing counterparty risks is to ensure that the counterparties and related risks can be identified, measured, monitored, managed and reported.
Counterparty risks are mainly caused by (the credit margin risk is treated as a financial market risk):
In managing the derivative contract counterparty risk, the counterparty risk is assessed prior to concluding a contract with the counterparty. The ratings given by credit rating agencies are the main tool used in assessing the creditworthiness of issuers and counterparties. To limit the counterparty risk, a minimum level has been determined for creditworthiness and limits have been set on maximum liability per counterparty.
In managing the counterparty risk in reinsurance operations, the counterparty risk has been limited by setting requirements on, among other things, the credit ratings of reinsurers and the maximum amount of liability per reinsurer. As with the derivative contract counterparty risk, the ratings given by credit rating agencies are used as a tool in assessing the creditworthiness of reinsurers.
Counterparty risks also arise from receivables from insurance customers. The counterparty risk arising from premium receivables from customers is usually small, because the non-payment of insurance premiums leads to the cancellation or reduction of the insurance cover.
The objective of managing the customer financing counterparty risk is to limit the negative impacts of counterparty risks arising from customer and other liabilities on profit and loss to an acceptable level. The credit process plays a key role in managing these counterparty risks. In managing the credit process, it is important to ensure the reliability of the counterparties by assessing risks and by categorising the counterparty thereafter according to the internally developed model. Customer financing counterparty risks are reduced by determining customer-specific security and covenant terms and conditions.
Operational risks within the Fennia Group refer to a risk of loss resulting from:
Legal risks are included in operational risks. Strategic and reputation risks have been excluded from operational risks.
The objective of managing operational risks is to reduce the probability of unexpected losses by taking preventive risk management measures. The most effective risk-management measures are targeted at the most serious operational risks, meaning risks that are unlikely to materialise but when they do, they have a major impact on operations.
The Fennia Group’s operational risk management framework is based on collecting data on operational risks from various sources, which include, for example, internal and Compliance audits, risk indicators, scenario-based estimates, data on internal occurrences of damage and near-miss situations, and internal risk mapping. The scenario-based estimates in particular play a key role in the proactive assessment of operational risks. The business and support functions hold primary responsibility for collecting data on operational risks and reporting it to the Risk Management and Compliance functions.
On the basis of the data collected from various sources, a risk profile is created for the operational risks and the necessary reports are produced for the Board of Directors and other internal purposes. In the longer term, systematic risk assessment improves the level of risk management and helps business and support functions to understand and manage operational risks.
Preparedness and contingency plans have been drawn up for the key business and support functions to ensure that key functions can be continued in the event of a crisis.
Within the Fennia Group, operational risks are divided into the following risk classes:
A quantitative method refers to the creation of numerical estimates by applying statistical, economical, financial or other mathematical theories and methods. Quantitative methods also include methods which aim to produce a numerical outcome and which are partly or fully based on subjective expert appraisal.
A quantitative method can be erroneous and/or misleading and lead to unreliable reporting and incorrect conclusions and thus incorrect measures undertaken by Management.
Quantitative method risks are included in operational risks, but due to their special nature and importance and to facilitate their handling, these risks are identified, measured, monitored, managed and reported as their own risk area.
In the management of risks inherent in quantitative methods, the focus is on risks related to:
A guiding principle in managing the risks inherent in quantitative methods is effective questioning of the methods and processes. This means that an independent and expert party critically assesses the methods and processes.
The management of risks inherent in quantitative methods is based on the structure, mathematical theory and logic of each method being well documented and supported as much as possible by scientific research and/or best practices of the insurance sector. In order to be able to identify a method’s strengths and weaknesses, it is important that the mathematical simplifications, numerical methods and approximations and the use of subjective expert appraisal are analysed and documented with sufficient accuracy. The owner and developers of the method must ensure that the various elements of the method function as desired, are suited to the intended purpose and that the method is mathematically correct and the estimated parameters are statistically reliable.
Managing the quality of the data is just as important as managing the structure, theory and logic of the method. Reliability can only be achieved through high-quality data.
The validation of a quantitative method covers processes and procedures which aim to verify that the method is appropriate and reliable and functions in the desired manner. Validation is used to identify possible weaknesses and limitations of the method as well as problems related to its use, and to assess and manage their impacts.
Concentration risk refers to all kinds of risk concentrations involving losses which may be high enough to jeopardise the insurance company’s solvency or financial position. Concentration risks most often arise from investment operations, but they may also arise from insurance operations, and from the combined effect of these.
The management of investment, financial market and counterparty risks is based on diversification, which basically prevents any significant concentration risks. An exception to this rule is the so-called strategic holdings which may lead to major concentration risks.
Insurance operations are based on risk diversification within the insurance portfolio, such that the impacts of a single insurance target under the company’s responsibility can be limited. This risk is managed through, among other things, risk selection guidelines and reinsurance.
Especially in customer financing within investments operations, the investment and insurance operations are assessed from a holistic perspective prior to granting credit in order to be able to assess the joint risk concentrations.
Liquidity risk refers to a risk of not being able to meet future payment obligations or of only being able to meet them through special measures.
Liquidity risk is divided into short- and long-term risk. Short-term liquidity risk refers to risks that are related to asset and liability cash flows lasting less than 4 months (cash management risks). Long-term liquidity risk refers to asset and liability matching risks spanning several years, even decades into the future.
Long-term liquidity risk is managed by maintaining a sufficient liquidity reserve and by liquidity planning. Liquidity reserve is managed by, among other things, the following principles:
When planning liquidity, daily forecasts are created on outgoing payments for the next four months. The objective of short-term liquidity risk management is to ensure that there will be no need to realise investments other than money market investments and that there will be no need to use or realise the short-term liquidity reserve built up by asset managers.
Long-term liquidity risk is monitored and reported as a separate risk; however, it is not managed as a separate risk, but instead as part of interest rate risk management.
Strategic risks refer to risks that are related to the insurance company’s strategy and which result from incorrect business decisions, incorrect or failed implementation of business decisions or from the inability to adjust business operations to changing conditions or so that they are in line with the targeted future state.
Strategy refers to a series of long-term plans and measures used by the insurance company to move from the current state into the desired future state.
Strategic risks entail many different dimensions, and they have been divided into the following groups:
The basis for the management of strategic risks is to identify the strategic risks of the Group and each subsidiary, to observe various weak signals and to assess how different events, trends and scenarios will affect the sustainability of operations and the development of the financial position in both the short and long term.
Reputation risk refers to a risk of damage to the Fennia brand or to the public image of an individual company belonging to the Fennia Group. Reputation risk can also be caused by partners, if their values and/or operating principles differ from those of the Fennia Group.
Reputation risk is usually a consequence of other materialised risks or events, such as the materialisation of operational risks.
The starting point for the management of reputation risk is to identify the possible events that can negatively affect the Group’s or a Group company’s reputation. Reputation risk differs in nature from other risks in that risk events can be based on real events or on events that fully or partly have no basis in reality (for example a baseless rumour). Reputation risks are often preventable or the effect of the events can usually be reduced.
The management of reputation risk is based on overall knowledge and understanding of the business and its restrictions. Reputation risk cannot be managed as a separate risk area; it is rather an extension of the management of operational risks. When the risks affecting reputation risk have been identified, various risk-reducing measures can be implemented within the organisation.
Successful reputation risk management is partly based on clear and well-thought-out external communications. It is important for the message to be correct and communicated to the right recipient by the right emitter.
Reputation risk management also involves compliance with laws, regulations and provisions and operating in accordance with the requirements set by authorities. The public image and reliability of an insurance company may suffer if laws, regulations and provisions and requirements set by authorities are not complied with.
Group risks refer to risks arising from Fennia and its subsidiaries operating in the form of a Group. Group risks can be divided into the following groups:
Transaction risks refer to risks that relate to intra-Group transactions, for example appropriate pricing.
Contagion risks include situations in which the problems faced or the risks taken by one company spread to the other Group companies or to the whole Group. This group also includes risks relating to a loss of moral (moral hazard risks), referring to situations in which a risk intentionally and immorally taken by one company and the resulting loss are transferred to be borne by the parent company or other companies either in part or in full.
Conflict of interest risks arise when the interests of some Group companies or those of the entire Group collide.
Concentration risks arise if a single counterparty becomes too significant on the Group level, even though the risk remains within the permitted limits for single companies.
Risks related to administration result from the fact that some of the operations are organised on the Group level and some on the level of individual companies. The differences in the companies’ administrative systems can lead to co-ordination challenges and additional risks.
The management of group risks is based on a clear Group structure. In complicated ownership patterns, group risks become more important. In addition, appropriate group risk management is based on planning and monitoring business on the level of both the individual companies and the Group. That is the only way to ensure and monitor the development of the group objectives and their achievement.
The management of group risks is also based on consistent and transparent definition and implementation of the entire Group’s internal control system, particularly the risk management system and regulatory compliance monitoring as well as the related reporting procedures. The roles and responsibilities of the various bodies must also be clear and defined from the Group’s perspective.
Risk-bearing capacity refers to the company’s assets that are available for covering losses. Risk appetite refers to the degree of risk the company is willing to take to achieve its business targets; in other words, the extent to which the company is ready to tie its own assets to risk-taking. Risk tolerance refers to the extent to which the company’s assets are allowed to fluctuate when seeking to achieve the business targets.
The objective of risk and solvency management within the Group is to support the achievement of business goals and the continuity of business operations. This is done by ensuring that the risks taken are correctly proportioned in relation to risk-bearing capacity, risk appetite and risk tolerance and by creating conditions for trouble-free operations even in the case of unexpected losses by identifying the threats and opportunities that affect the implementation of the business strategy and the achievement of other targets.
General risk appetite and risk tolerance are managed by setting indicators and target limits for the most significant risks and combined risks (risk budgeting). The set risk-specific restrictions must efficiently limit the risk profile to keep solvency and risk-taking under control and within the permitted limits.
The Solvency II regulations are being finalised and will become valid as of 1 January 2016.
In 2014, the administration and risk management system was developed in line with the upcoming Solvency II directive. The most substantial investments targeted the development and streamlining of technical calculations and internal and external reporting.
The calculation and reporting according to the Solvency II requirements will be finalised in 2015, in addition to which the gradual adaptation of the administration and risk management system to the requirements of the new regulations will be continued by, among other things, taking into use new risk management practices and by providing the entire organisation with training and information.