The R&Q Group and its core businesses take risk in order to earn rewards in an informed and controlled manner. This translates into having regard to both potential upside and downside risk, in the context of the overall Group Strategy, which aims to optimise/maximise return on equity and shareholder value within the Group’s defined risk appetite. The Board and Senior Management appreciate that ongoing success depends upon their collective understanding and management of the Group’s known Risks and Exposures, at both the management and legal entity level.
A detailed overview of the Group’s Risk Management Approach, Philosophy and Framework can be found in the 2017 Annual Report, under the Strategic Report (pages 11 to 17). A further detailed analysis of Risk Management (Management of Insurance and Financial Risks) can be found in Note 4 to the 2017 Financial Statements.
The “top ten” strategic risks to the Group as a whole, and how they are mitigated, follow:
1. Management of Strategic Change/Business Development and Growth (Strategic Risk)
- The Group fails to effectively manage both the focus on its core competencies and simultaneous initiatives as it simplifies and streamlines its business model.
- The Group fails to identify and harness new business opportunities.
- The Group fails to raise the necessary capital/funds to finance its business growth.
- The Group’s profitability is impaired following the establishment/acquisition of new business.
- There is a regular and active process for the management of relationships with external stakeholders and in particular, the Investment Community, which involves the Board and key members of the Senior Management Team.
- The Board actively reviews budgets, current strategic priorities and returns on its various investments and initiatives to ensure that the Group continues to focus on core strengths and operates within its predefined Risk Appetite.
- A.M. Best Public ratings for the Group and key strategic risk carrying subsidiaries.
- Active management of cash flow.
- Regular oversight and review of acquisitions pipeline including an initial screening process involving Senior Management.
- Group Capital and Investment Committee approval.
- Establishment of broader based Group Executive Committee.
2. Reputational Risk/Stakeholder Management (Group/Operational Risk)
- Events elsewhere within the Group and individual strategies may be misaligned with the core activities of the Group and/or may have an adverse effect (notably, but not restricted to, reputational) on the organisation as a whole.
- The Group fails to control and monitor internal and external communication, including regarding its wide range of different stakeholders.
- This risk is actively overseen by the Group Board.
- All external communications are channelled via the Executive Board.
- Business unit plans are scrutinised carefully as part of the annual and ongoing budgeting process to ensure consistency and alignment with the Group’s strategic objectives.
- Regular, ongoing and active process for communications with key stakeholders.
3. Exposure Management (Reserving and Reinsurance) (Insurance/Credit Risk)
- The Group adopts a reserving methodology that produces incorrect reserving.
- The Group fails to assess the quality of its program reinsurers prior to onboarding and/or the reinsurance arrangements fail to “follow the fortunes” of the underlying direct insurance contracts.
- The Group fails to monitor the growing gross underwriting exposures/reserves and aggregate exposure to reinsurers, following the planned onboarding of new legacy and programme business.
- Internal Actuarial Best Estimates utilised in conjunction with an annual Independent Statement of Actuarial opinion as well as independent actuarial reviews on more significant reserves.
- Board review of actuarial best estimates.
- Reinsurance arrangements are individually scrutinised by Executive Management and adherence to predefined Risk Appetite (rating/collateral etc.) in terms of quality and concentration is closely monitored.
- Active Management of Reinsurance aggregates by the Group Reinsurance Assets Committee.
4. Management of Free Funds (Liquidity Risk)
- The Group fails to implement adequate control over cash flow and liquidity leading to financial shortfalls.
- Dedicated Group Cash Flow/Treasury Management and Invested Assets capability, being further enhanced in 2018, providing focussed effort and a tighter control regime.
- Detailed cash flow reporting and monitoring of adherence to banking covenants.
- Forward-looking monitoring of the Group’s cash flow, projecting the likely liquidity position over a twelve-month planning horizon, embedded into the cash flow monitoring mechanism.
- Active and ongoing seeking of alternative financing options for deal funding.
- Ongoing and proactive liaison/relationship management with the Group’s bankers.
5. Capital and Solvency Management (Strategic Risk/Regulatory and Legal/Group Risk)
- The Group/Solo entities is/are not Solvency II (or equivalent, e.g. BMA, MFSA/NAIC etc.) compliant in accordance with local regulatory requirements and expectations.
- The Group actively manages its relationships with all regulators within whose jurisdictions it operates.
- Oversight by, and active involvement of, the Group Actuary.
- Active involvement of Risk Management, Compliance and Internal Audit functions.
- Ongoing and iterative development of a fully integrated Group Capital Model.
6. Investment Returns (Market Risk)
- The Group fails to realise an adequate/optimal return on the investment float under its control and/or experiences a default on investments held.
- Group and subsidiary level Investment Committees (where appropriate) and/or oversight by the relevant Board.
- Dedicated Group Cash Flow, Treasury Management and Invested Assets Function (further development planned for 2018) and embedded Key Risk Indicator to monitor Investment Concentration and returns.
- Asset and Liability matching where relevant.
7. Legislative/Economic and Regulatory Change (Regulatory/Legal Risk/Operational Risk)
- The Group or one of its component parts breaches legal or regulatory requirements of jurisdictions in which it operates.
- The Group fails to implement/adapt to emerging new regulatory/political/legislative changes (for example GDPR, Brexit/Modern Slavery).
- Regular liaison with local management and recruitment of local expertise where needed.
- Active management of relationships with all local regulators where the Group has a presence.
- Internal Working and Steering Groups to analyse, interpret and oversee the implementation of all emerging external changes.
- Active oversight by Group Risk Committee.
8. Target Operating Model (Operational Risk)
- The Group fails to embed its new BAU operational structure alongside its expansion and growth initiatives.
- The Group is reliant upon the knowledge and expertise of its key directors and staff and fails to adequately plan for succession.
- The Group fails to manage its expense base following recent core disposals.
- The Group fails to deploy appropriate financial and management reporting mechanisms to inform key business decisions.
- Recent realignment of Senior Management responsibilities including creation of a new Head of Operations position.
- Establishment of broader based Group Executive Committee.
- Development of Succession Plans at Group and Business Unit level.
- Development of Reward Strategy commensurate with the Group’s overall strategic objectives.
- Performance Management process.
- Ongoing strategic expense review.
- Proper allocation of costs to relevant entities.
- Development of fit for purpose reporting mechanisms mirroring the new Group Structure.
9. Cyber Risk (Operational Risk)
- The Group fails to properly protect information, compromising the confidentiality, availability or integrity of our data.
- The Group fails to keep abreast of increasing regulatory scrutiny in this area (for example NAIC Model Law).
- Appointment of new Chief Information Security Officer.
- Information Security Governance Structure including Corporate Information Risk Policies, compliance, where practical, with relevant ISO/IEC 27000 series of standards.
- A “lifecycle approach” is adopted to ensure that the process takes account of ongoing business change.
- Cyber Liability insurance.
10. Taxation Risk (Operational Risk/Legal/Regulatory Risk)
- The Group fails to identify its tax exposures arising from emerging UK and overseas legislation (Corporate Criminal Offences Act, FATCA) and/or fails to implement appropriate controls and processes to ensure compliance with all relevant laws.
- Appointment of new Head of Group Tax.
- Tax review of all initiatives and deals.
- Risk assessments against all emerging legislation.