Group Risk Governance Documentation Hierarchy
Our risk governance is defined in the policies and standards that describe Swiss Re’s risk management framework and establish risk management practices throughout the Group and its subsidiaries over four hierarchical levels (see below).
The top of Swiss Re’s Group Risk Governance Documentation Hierarchy is comprised of risk management related parts of the Corporate Bylaws. The SRL Bylaws establish the ultimate responsibility for risk management activities across the Group by assigning responsibilities between the Group Board of Directors and the Group EC.
The detailed aspects of the Group’s risk governance are defined in the Group Risk Policy (Level 1), Swiss Re’s core Risk Management document. It outlines how the Group organises and applies its risk management practices. The policy is owned by the Group Board of Directors and is binding for all Swiss Re employees.
On Level 2 and 3, the Group Risk Management Standards and the Group Risk Category Standards define the key concepts and tasks that comprise risk governance at the Group or the specific risk category. Level 4 of the Risk Governance Documentation Hierarchy is comprised of risk management related method and process documentation.
Additional governance for Business Units and legal entities is prepared as required and represents an addendum to the respective Group or Business Unit documents.
In order to ensure clear control, accountability and independent monitoring for all risks, our risk governance distinguishes between three fundamental roles in the risk-taking process:
- Risk owner — establishes a strategy, assumes responsibility for achieving the objectives and maintains ultimate responsibility for the outcomes.
- Risk taker — executes an objective within the authority delegated by the risk owner; risk takers are required to provide the respective risk controller with all information required to monitor and control their risks.
- Risk controller — is tasked by the risk owner with independent oversight of risk-taking activities to mitigate potential conflicts of interest between the risk owner and risk taker; risk controllers are responsible for escalating relevant concerns.
Risk-taking activities are typically subject to three lines of control. The first comprises the day-to-day risk management activities by front-line employees (risk takers) in the Business Units as well as in corporate and enabling functions. The second line of control is formed by independent oversight functions, such as Risk Management and Compliance. The third consists of independent audits of processes and procedures carried out by our Group Internal Audit.