Risk Management

The risk management system is the set of processes and tools used to support the risk management strategy of the Unipol Group; it provides adequate understanding of the nature and significance of risks to which the Company is exposed. The risk management system allows the to have a single point of view and a holistic approach to risk management, and it is an integral part of the management of the business.

The architecture of the Internal Control and Risk Management System is based on the three lines of defence, within which the fundamental Functions have well-defined and independent roles:

• the first line of defence is the operating structures; they are the primary bodies responsible for the risk management process and must ensure compliance with the adopted procedures for implementing the process and compliance with the established risk tolerance level, designed to ensure that operations run smoothly;
• the second line of defence is responsible for compliance with the operational limits assigned to the various functions, and is composed of control functions, including the Risk Area, which are distinct from the operational ones;
• the third line of defence is entrusted to the Internal Audit function, which verifies the completeness, functionality, adequacy and reliability of the Internal Control and Risk Management System, including the first two lines of defence.

The Internal Audit function independently performs an Audit Plan based on a risk-based approach, with the goal of ensuring adequate coverage, in terms of audits performed on business processes according to their relevance.

Finally, IVASS – the Italian supervisory authority – supervises the sound and prudent management of individual companies and insurance groups and does so through capital, financial and technical inspections.

In the risk management system, the Risk Area is responsible for identifying, measuring, assessing and monitoring on an ongoing basis the current and prospective risks to which the Company is or may be exposed and its interdependencies, at an individual and aggregate level.

The risk management system is described in the Group’s policies and further developed in the “Risk Management Policy”, the “Current and Forward-looking Risk Assessment Policy”, the “Operational Risk Management Policy” and the “Group-level Risk Concentration Policy”. Key components of the risk management system are the policies that outline the principles and guidelines on (i) management of specific risk factors, (ii) management of a risk in a specific process, (iii) mitigation of a risk, and (iv) management of the risk measurement models.

Currently, the main risks [1] to which the Company is exposed are Non-Life and Health Underwriting Risks, which are mitigated using outward reinsurance, and Market Risks, which are mitigated through various measures, such as the use of financial transactions with derivative financial instruments.

The Risk Area is in charge of the design, implementation, development and maintenance of the risk measurement and control system. Among these, special relevance is given to the development and the use of instruments to calculate the capital required against the risks identified and specifically the Internal Model. Within the Company, the responsibility for the design and implementation of the Internal Model is separate from the responsibility for its validation.

Risk exposure is assessed quarterly, with flexibility for more frequent recalibration as needed by the Company. Notably, in Q1 2024, IVASS authorized significant updates to our risk assessment methodologies, by accepting major change model adjustments, accompanied by a review of associated processes.

The Risk Area actively contributes to insurance product development, especially in initial phases of design and construction. It plays a crucial role in analysing product adequacy, encompassing pricing, risk identification, and scenario analysis. Additionally, the Risk Area oversees post-sales monitoring of technical risks arising from our products.

The Risk Area also contributes to fostering a risk culture across the Company, by the means of training courses, information and reporting processes, and generally by supporting the businesses in their decision-making processes. In 2023, 9,046 Unipol Group employees participated in both synchronous and asynchronous courses on Risk Management.