Fundamental roles for delegated risk-taking
In order to ensure clear control, accountability and independent monitoring for all risks, Swiss Re’s risk governance distinguishes between three fundamental roles in the risk-taking process:
- Risk owner – establishes a strategy, delegates execution and control, and retains ultimate responsibility for the outcomes.
- Risk taker – executes an objective within the authority delegated by the risk owner; risk takers are required to provide the respective risk controller with all information required to monitor and control their risks.
- Risk controller – is tasked by the risk owner with independent oversight of risk-taking activities to mitigate potential conflicts of interest between the risk owner and risk taker; risk controllers are responsible for escalating relevant concerns.
Risk-taking activities are typically subject to three lines of control. The first line comprises the day-to-day risk control activities performed by risk takers in the business as well as in Group functions, including identification of risks and design of effective controls. Independent oversight performed by functions such as Risk Management and Compliance represents the second line of control. The third line consists of independent audits of processes and procedures carried out by Group Internal Audit or by external auditors. This approach is designed to achieve a strong, coherent and Group-wide risk culture built on the principles of ownership and accountability.