Group Risk Governance Documentation Hierarchy
Swiss Re’s risk governance is defined in the policies and standards that describe the risk management framework and establish risk management practices for the Group and its subsidiaries. The Group risk governance pyramid illustrates the hierarchy within which risk governance documentation is established.
The highest-level risk authorities (level 0) are set forth in the Group Bylaws (SRL Bylaws) as well as in the charter for the Group Finance and Risk Committee. These documents outline ultimate authority for risk management within Swiss Re, assigning responsibilities between the Group Board of Directors and the Group EC. More detailed aspects of Swiss Re’s risk governance are outlined in the Group Risk Policy (level 1). This document defines the delegation of risk-taking from the Group Board of Directors to executive management through the risk appetite framework and describes the key risk management principles that apply to all risk-taking within Swiss Re. The policy is owned by the Group Board of Directors and is binding for all Swiss Re employees.
The Group Risk Management Standards (level 2) outline how the Group organises and applies its risk management practices, while various category standards (level 3) describe how these practices are implemented for a specific risk category. The final level (level 4) of governance comprises risk management methodology and process documentation.
Group-level risk documents form the basis for all risk governance across Swiss Re. Additional risk governance for Business Units and legal entities is prepared as an addendum to the respective Group or Business Unit document.
In order to ensure clear control, accountability and independent monitoring for all risks, Swiss Re’s risk governance distinguishes between three fundamental roles in the risk-taking process:
- Risk owner — establishes a strategy, delegates execution and control, and retains ultimate responsibility for the outcomes.
- Risk taker — executes an objective within the authority delegated by the risk owner; risk takers are required to provide the respective risk controller with all information required to monitor and control their risks.
- Risk controller — is tasked by the risk owner with independent oversight of risk-taking activities to mitigate potential conflicts of interest between the risk owner and risk taker; risk controllers are responsible for escalating relevant concerns.
Risk-taking activities are typically subject to three lines of control. The first comprises the day-to-day risk control activities by front-line employees (risk takers) in the business as well as in corporate and enabling functions. Independent oversight performed by functions such as Risk Management and Compliance represents the second line of control. The third consists of independent audits of processes and procedures carried out by Group Internal Audit or by external auditors.
Swiss Re applies a Group-wide approach, under which risk takers are responsible for reporting all relevant information on risks they are exposed to or undertake. The identification of risks is an ongoing process to establish transparency around all potentially material risks in order to make those risks controllable and manageable. The recognition of material risks allows for a sound basis for exposure monitoring, risk measurement, monitoring of capital requirements and reporting. All quantifiable risks identified must be reflected in costing, underwriting, reserving, as well as capital and steering models. Based on internal and external information, Swiss Re identifies risks such as:
- Previously unidentified risks
- Known non-material risks that have become material risks
- Known material risks that have changed following a re-assessment or increased understanding of the nature of the risk
- Changes in risk exposure from increased understanding of interdependencies between risks