ZURICH GROUP'S ENTERPRISE RISK MANAGEMENT FRAMEWORK
At the heart of Zurich's ERM framework is a governance process with clear responsibilities for taking, managing, monitoring, and reporting risks. (See Exhibit 14.1.) Zurich articulates the roles and responsibilities for risk management throughout the organization, from the board of directors and the chief executive officer (CEO) to its businesses and functional areas. In fact, each business and functional or project team will have someone designated as a risk owner to be responsible for identifying and addressing relevant risk exposures and to help embed ERM further in the business unit and build a more open, positive risk culture.
One of the key elements of Zurich's ERM framework is to foster transparency by establishing risk reporting standards throughout the organization. Zurich regularly reports on its risk profile, current risk issues, adherence to its risk policies, and improvement actions at both the local and senior management levels. Zurich has procedures in place for the timely referral of risk issues to senior management and the board of directors. Various governance and control functions coordinate to help ensure that objectives are being achieved, risks are identified and appropriately managed, and internal controls are in place and operating effectively.
Exhibit 14.1 Zurich Risk Management Framework
Risk Governance Approach at Zurich with Three Lines of Defense
Zurich uses a "three lines of defense" model to help ensure governance and control. (See Exhibit 14.2.) This model consists of the following:
1. The first line of defense in the business or functional areas involves the employees making day-to-day business decisions like underwriting, managing projects, developing information technology (IT) solutions, or managing human capital issues.
2. The second line of defense is Group Risk Management, which oversees the company's efforts to apply appropriate risk identification and governance processes and provides tools and frameworks to manage decisions. Group Risk Management also works closely with the Compliance and Legal departments, Business Continuity Management, IT, Procurement, and other areas, encouraging coordination across silos in order to build an enterprise-wide lens on risk management.
3. The third line of defense is the independent internal audit function, which is responsible for verifying the functionality of the ERM and internal controls framework.
To support the governance process, Zurich relies on documented policies and guidelines. The Zurich Risk Policy is its risk governance document; it specifies Zurich's risk tolerance, risk limits and authorities, reporting requirements, procedures to approve any exceptions, and procedures for referring risk issues to senior management and the board of directors. The limits are specified per risk type, reflecting the willingness and ability to take risks, considering issues such as earnings stability, economic capital adequacy, financial flexibility and liquidity, franchise value, and reputation. Zurich's strategic direction and operational plan seek to achieve a reasonable balance between risk and return, and to be aligned with economic and financial objectives.
Exhibit 14.2 Zurich Risk Governance Overview
An important element of Zurich's ERM framework is a well-balanced and effectively managed remuneration program. This includes a groupwide remuneration philosophy and robust short- and long-term incentive plans, with strong governance and links to the business planning, performance management, and risk policies. Based on Zurich's Risk Policy, the board establishes the structure and design of the remuneration arrangements so that they do not encourage inappropriate risk taking.
As an ongoing process, adherence to requirements stated in the Zurich Risk Policy is assessed. Zurich regularly enhances its Risk Policy to reflect new insights and changes in the environment and to reflect changes to the risk tolerance. For example, the Zurich Risk Policy was recently updated and strengthened for various areas, including actuarial reserving in General Insurance, reinsurance, receivables, operational risk management, and particularly outsourcing and business continuity management. Related procedures and risk controls were also strengthened or clarified for these areas.
Exhibit 14.3 Zurich's Core Assessment and Assurance Functions
Integrated Assessment and Assurance
Integrated Assessment and Assurance (IAA) is a coordinated view from the Assurance functions to provide greater confidence that risks are identified, those risks are appropriately managed, and mitigation actions are implemented and controls are operating effectively. The Assessment and Assurance functions include Group Risk Management, Group Compliance, and Group Audit. (See Exhibit 14.3.) Close coordination is also maintained with Group Legal, External Audit, and management's review functions such as underwriting or claims reviews and actuarial peer reviews.
Internal Control Framework
Swiss law prescribes an Internal Control System (OR 728a) for all "listed companies" and "companies of economic significance." Zurich Insurance Group was among the first firms in the industry to establish an internal control system, doing so in 2004. The framework is of core importance in ensuring that company objectives are adhered to and that risks are controlled. The board of directors wants positive assurance that an effective internal control system is embedded in the business processes.
Zurich's Internal Control Framework (ICF) provides the board with the requested global overview of the risks in each business unit and how they are controlled. The evidence of these controls and their documentation serve as proof of the ICF's existence for regulatory and auditing purposes. Zurich's three lines of defense help ensure that the Internal Control Framework is enabled.