For UNIQA, risk management is a core area of expertise that makes a vital contribution to the business controlling process. UNIQA's risk management is focused on attainment of the strategic goals: it supports the financial sustainability of UNIQA with the ability to meet all future short-term and long-term obligations of customers, employees and shareholders. In addition, UNIQA was the first insurance company in Austria to establish risk management as a separate executive portfolio at holding-company level.
As a basis for risk management, a UNIQA Group risk-management policy has been created and approved by the Management Board. Its purpose is to identify, assess and control the main short-term and long-term risks to which the UNIQA Group is exposed, and the associated solvency requirement.
In addition, this policy defines the organisational structure within the risk-management process. It reflects the idea of the three lines of defense. The three lines of defense model explains and sets out the systematic approach to corporate risks, thus forming a functional control and monitoring system within companies:
First Line of Defense:
This is formed by operational management, i.e. the risk bearers. The person responsible for business activities must establish and practise an appropriate control environment aimed at ensuring a sound balance between risks and risk capacity. Risks associated with the business and its processes are identified, assessed and quantified.
Second Line of Defense:
This serves the purpose of monitoring and supporting operational management. The operational controls are carried out here. The risk management function and supervisory staff, such as Controlling, must monitor business activities or define a maximum risk to which a company can be exposed. However, reporting of risks within the entire company and to the CEO also takes place in this line of defense, along with checking of compliance with statutory regulations.
Third Line of Defense: internal and external auditing
The final line of defense comprises independent review of the entire internal control system, including risk management and compliance, and assists the Management Board and Supervisory Board in final monitoring and control of existing potential risks. Internal auditing is one example.
The risk-management process focuses on risks relevant to the company and is defined by the following risk categories:
- Insurance-related risk (property/accident insurance, health insurance, life assurance)
- Market risk/ALM (asset liability mismatch) risk
- Credit risk/default risk
- Liquidity risk
- Concentration risk
- Strategic risk
- Reputation risk
- Operational risk
- Contagion risk
- Emerging risk
For these risk categories, the risks to which the UNIQA Group and its subsidiaries are exposed are regularly managed according to the following process cycle: