Risk management

Taking risks is an integral part of doing business and demands a consistent and transparent assessment of opportunities and threats, aimed at growth and continuity of the company. The management of VIVAT has established frameworks for strategy, culture and risk governance with the aim of ensuring an adequate, efficient assessment.

VIVAT seeks to have an open culture in which risks can be discussed, employees feel a responsibility to share information on risks and active (or even proactive) risk management is appreciated. The management of VIVAT and the Insurer's Risk Committee, which is responsible for setting the framework, ensure that the desired culture and level of risk awareness are made concrete in identifiable aspects, such as desirable behaviour, the details of the risk appetite or assessment criteria.

Integrated Control Framework

The Integrated Control Framework (ICF) sets out how responsibilities are allocated within VIVAT and describes the accountability procedures. This framework forms the basis for controlling the business processes. The managing boards of the business units are responsible for day-to-day operations within these frameworks and every year they draw up operational plans, which are subject to the approval of the management of VIVAT . Further information about the ICF is contained in the VIVAT annual report (VIVAT NV).

In Control Statements

VIVAT has in place a procedure to assess, on a semi-annual basis, the way in which, and extent to which, the managing boards of each business unit and the corporate support departments manage essential risks. The procedure focuses on the discussion of risks in business operations and the measures taken to manage these risks that takes place between different layers of management. The In Control Statements that are periodically issued by the business units provide crucial input for this procedure. The outcome of this procedure contributes to the responsibility statements that are included in the VIVAT annual report.

Risk Appetite

Our risk appetite is the extent to which we are prepared to accept risks in the pursuit of our objectives. We determine our risk appetite, as an integrated part of our overall business operations, at least once a year. Our risk appetite is limited by our risk capacity, which specifies the maximum amount of risk we can accept at consolidated level, given our capital and liquidity position and any restrictions due to funding agreements or requirements imposed by regulators. The risk appetite is subsequently translated into practical risk objectives.

ORSA

VIVAT performs an Own Risk and Solvency Assessment (ORSA) at least once a year. The management of VIVAT uses the ORSA to verify the amount of capital required and may decide on management actions to bring the capital into line with the risk profile and risk appetite. The combination of the business strategy, risk appetite, solvency position and continuous evaluation produces input for management's discussion on the amount of capital required.

Risk Committees

VIVAT has a number of risk committees, which are responsible for monitoring pre-defined risk focus areas. The work of the risk committees includes discussing various risk reports and policy. The aforementioned Insurer's Risk Committee is the most senior committee reporting to the statutory board for risk management purposes. The Insurer's Risk Committee establishes frameworks for the underlying committees and monitors financial and non-financial risks in an integrated manner. Further information about the risk committees and their responsibilities within the organisation can be found in the annual report.

Three Lines of Defense

VIVAT uses a governance model based on the three-lines-of-defence (3LoD) principle. The 3LoD model is a governance structure that contributes to the reinforcement of the risk culture, the assumption of responsibility for managing risks and internal control, and, ultimately, the ongoing optimisation and integrated cooperation of the risk functions.

• First line (risk owner)

The first line has an operational role, focusing on the primary and operational process of the business activities. Within the policy framework and subject to internal procedures and risk limits, it is the objective of the risk owner to achieve the best possible risk/return ratios. Business plans are prepared in the first line.

• Second line (risk management)

The second line has a controlling and accepting role in respect of the transactions proposed by the first line. The second line assesses the actions and transactions in the first line as well as the effectiveness of procedures y means of testing key controls, and is responsible for ensuring that the risk profile matches the risk appetite. The second line is responsible for formulating the framework and has an oversight role, and thus shapes policy. It sets out the policy framework, but leaves the execution of policy on risk and capital management to the first line.

• Third line (audit)

Group Audit (GA) is responsible for the independently operating audit function with respect to the risk management process. GA does not play any role in determining, implementing or steering the risk policy. GA helps VIVAT to achieve its objectives by following a systematic audit approach to evaluate and increase the effectiveness of activities in the areas of risk management, internal control and governance.