Management shall ensure that internal regulations are in place which support and complement the requirements set here.

Transcription

1 GROUP POLICY ON RISK MANAGEMENT AND INTERNAL CONTROL 1. Purpose This group policy sets out requirements for risk management and internal control in Gjensidige, and defines the basic principles, processes, roles and responsibilities. Risk management and internal control should assist the Group in achieving its goals, as well as provide adequate confidence that the business operates within its board-approved risk appetite. 2. Scope/target Management shall ensure that subsidiaries adopt this Group policy adjusted for any locally required adaptations. All companies in Gjensidige are required to ensure business operates within the relevant local legal requirements applicable to risk management and internal control. In the event that the local regulations are less strict than this policy, the requirements of this Group policy shall apply. Management shall ensure that internal regulations are in place which support and complement the requirements set here. 3. Responsibilities The Board s responsibilities The Board has overall responsibility for ensuring that Gjensidige has established appropriate and effective processes for risk management and internal control, including ensuring: that there is a clear separation of responsibilities between the Board and the executive management, specified in approved instructions for the Board and the Group CEO; that the separation of roles and responsibilities between the control functions in the second line and between the control functions in the second and third line is clearly defined in instructions; that Gjensidige has a clearly defined risk appetite, including capitalization requirements set out in its capital management policy, which are consistent with the strategic and financial targets, and which are reviewed on a regular basis; that all significant risks are appropriately addressed, with adequate attention to independent monitoring, and consistent with the overall risk appetite; adopting policies in key risk areas and obtaining information that they are complied with. The Board shall, at least once a year, ensure that significant risks are identified, assessed and managed continually in a systematic manner, and that the risk is, or will be, acceptable and within established limits. The Board shall ensure the establishment of independent control functions with responsibility for internal audit, risk management and compliance with requirements established pursuant to law or regulation (compliance). Gjensidige's insurance undertakings shall also have independent control functions with responsibility for actuarial tasks. Group CEO s responsibilities The Group CEO shall implement the guidelines the Board provides in relation to risk management and internal control. The Group CEO shall ensure that risk management and internal control are implemented, documented, monitored and followed up in an appropriate manner in accordance with this policy.

2 The Group CEO shall establish the necessary governing documents detailing how Gjensidige s risk management and internal control shall be carried out in practice. The Group CEO shall continually assess and monitor changes in Gjensidige s risk exposure and ensure that it is within the risk appetite determined by the Board. The Board shall be informed of significant changes or breaches. The Group CEO shall issue instructions for risk management, compliance and actuarial functions, including detailed descriptions and requirements for the responsibilities and duties applicable to the function. Risk management function The risk management function is responsible for monitoring Gjensidige's system of risk management and internal control as well as ensuring its development as necessary. The function shall have an overview of the risks Gjensidige is or may be exposed to, and the implications these may have for the solvency of the Group. The function must be independent of the operational business and is headed by the CRO. The Group CEO shall appoint the CRO, and fix his/her remuneration. The CRO shall not be dismissed without the approval of the Board. The function shall on an annual basis initiate and organize a systematic and comprehensive process for evaluating risk and internal control. In addition, the function facilitates Gjensidige's self-assessment of risk and solvency (ORSA), and is also responsible for the design, operation, use, documentation and validation of Gjensidige's internal model. The risk management function shall have access to all information relevant to the exercise of the function. There shall be appointed risk managers in all companies where the risk management function is a legal requirement. Compliance function The compliance function shall assist Gjensidige in avoiding government sanctions, financial loss or loss of reputation as a result of non-compliance with external and internal regulations. The function must be independent of business operations and is headed by the CRO. The function shall, based on its annual compliance plan, identify, assess, advise, monitor and report on compliance risk in Gjensidige. The compliance function shall have access to all information relevant to the performance of the function. There shall be appointed compliance officers in every company where the compliance function is a legal requirement. Actuarial function The actuarial function shall have primary responsibility for technical provisions in Gjensidige. The function must be independent of the operational activities. The Group CEO shall appoint the head of the function and determine its remuneration. The Chief Actuary may not be dismissed without the approval of the Board. The function is responsible for the data, methodology and assumptions for calculations of technical provisions are appropriate. In addition, the actuarial function shall assess and ensure the adequacy of the technical provisions. The actuarial function shall have access to all information relevant to the exercise of the function. There shall be appointed one actuarial function in every company where this is a legal requirement.

3 Internal audit Gjensidige shall have an internal audit function. Group Internal Audit is an independent, objective assurance and advisory function. The mandate is established by the Board. Internal Audit's work shall be based on a risk and materiality assessment, and be performed within the scope of the annual internal audit and resource plan approved by the Board. Internal audit shall assist the business in achieving its objectives by adopting a systematic, disciplined approach to assess the status and recommend measures to improve the effectiveness and appropriateness of the established processes for risk management, internal controls and corporate governance. The Board shall issue detailed instructions for the internal audit function and requirements as to its organization, responsibilities and duties. 4. Requirements for internal control system Internal control shall contribute to: Effective and efficient operations Reliable and accessible management information and accurate external reporting Compliance with internal and external regulations Reduction of losses and the protection of assets. Governing documents The Board approves the Group's overall strategy, risk appetite, group policies and other governing documents for significant risk and business areas. The Group CEO is responsible for the implementation of all Board approved group policies and may at his own initiative approve additional governing documents within the authority delegated by the Board. Management of the governing documents shall be regulated in separate guidelines. Organization, authorities and routine descriptions All business areas shall have an appropriate and documented organizational structure, reporting lines and delegations of authority. There shall be routine descriptions for all essential tasks. Values, skills and remuneration All employees shall have a job description and the necessary expertise to perform the tasks detailed therein. There shall be documented ethical guidelines and all employees should be familiar with these. There shall be a documented personnel policy that lays the basis for creating a healthy risk culture, a working environment that provides the basis for a healthy and meaningful work situation and which has a strategic and systematic focus on Health, Safety and Environmental issues. There must be a documented instruction for dealing with threats, threatening behavior and violence from customers. There must be a documented policy for the remuneration scheme, and this should include incentives that contribute to good management and control of risk, as well as counteract possible conflicts of interest. Group information security policy shall define Gjensidige's attitude, overall objectives and requirements for information security to ensure the management and control of information.

4 There shall be established a whistleblowing channel, both internally and externally, enabling anonymous reporting. There must be a documented policy for the performance of an assessment of the adequacy of the Board, senior executives and key personnel. Risk assessment and control procedures Managers in all significant areas shall continually evaluate the internal control. Managers must decide whether actual events, internal changes or changes in external circumstances indicate that the risk exposure has changed, and consider the need to put into action. All significant risks must be subject to control and maintained at an acceptable level. Control activities shall be established for material risks to ensure that procedures are followed. Risk assessments and control procedures shall be documented. The regulations/instructions relating to the identification, evaluation, control and reporting of risks relevant to internal control process, should be elaborated in a separate governing document. Adverse incidents Processes shall be established to identify, record, analyze and report on adverse incidents. Regulations/instructions relating to the registration, escalation and reporting of adverse incidents should be detailed in a separate governing document. Quality in external and internal reporting Processes shall be in place to ensure that internal management information and external reporting is reliable, adequate and relevant. External reporting should satisfy laws and regulations and market requirements. There shall be governing documents for financial and other investor information. 5. Requirements for the risk management system Risk management is a tool to ensure that the Group's risk profile at all times lies within the Board approved risk appetite. The risk management system shall include as a minimum the following elements: Risk universe The risk universe shall provide an overview over the types of risk Gjensidige may be exposed to. The risk universe shall be reviewed by the Board on an annual basis. Risk appetite and risk limits Risk appetite shall, at the highest level, define the Group's willingness to take risks. Risk appetite should be broken down into risk limits that indicate possible exposure to the various risk types, and which make it possible to operationalize risk appetite at divisional and subsidiary level and further down in the organization where necessary. Risk appetite shall be reviewed by the Board on an annual basis. Requirements for managing risk areas Regulations/instructions shall be established for the management of each of the risk areas included in the risk universe.

5 These provisions shall stipulate how business within each risk area identifies, evaluates, measures, controls, reports and manages risks. It shall be mandatory to establish clarity in roles and responsibilities within and between Gjensidige's three lines of defense, and to ensure that the necessary tools and standards for effective risk management are in place. Gjensidige shall have risk strategies in all critical areas of risk. Risk strategies shall ensure that the business manages risks in line with approved risk limits, so that the total risk exposure is in accordance with Gjensidige's overall risk appetite. 6. Management and control of the different risks There shall be governing documents in all risk areas. These documents regulate how to manage the various risk areas. Business and strategic risk The risk area includes factors such as the inability to establish and implement business plans and strategies, arrive at decisions, allocate resources or respond to changes in the environment. The most important tool for controlling the business and strategic risk is a robust strategy process, ORSA processes and subsequent management of objectives and results. Assessment of strategic risk shall be based on the corporate strategy and business plans. Gjensidige shall on an annual basis conduct a strategic review process, either entailing a complete review of the strategy or an update to the existing strategy. The strategy shall be approved by the Board. Group strategy, business plans in the individual business areas, risk appetite and the assessments made of the risk and capital situation through the ORSA process shall be consistent. The Group CEO shall adopt governing documents for the implementation of M&A activities. Insurance risks Insurance risk is risk related to insurance contracts, i.e. the risk that actual premium income and/or claims expenses are materially different from the anticipated results. Gjensidige is exposed to insurance risk in both its general and life insurance. The policy for underwriting shall be reviewed on an annual basis and approved by the Board. The policy should clarify requirements for roles and responsibilities, as well as provide basic principles for management, control and reporting within product and tariff development, risk selection and determination of the terms and price for individual risks. Furthermore, the policy setting requirements for other governing documents within underwriting. This also includes requirements for the delegation of authority from the chief executive. There shall be clarity in the requirements for risk targets and risk limits, which are integral parts of Gjensidige's risk appetite for insurance operations. This also includes the insurance risk the business is willing to take on book, and which insurance risk is to be avoided. New product approval shall follow a consistent process including a risk assessment of the product. The limit for the maximum retention level shall be defined in the capital management policy, and must be approved annually by the Board. There shall be established a reinsurance strategy, which sets the framework for the Group's reinsurance program. There shall be a governing document that sets out the group's methods and principles for calculating, aggregating and reporting premium and claims provisions, provisions for credit risk on reinsurance and other technical provisions. Financial risk Financial risk includes exposure to financial risk factors such as interest rates, inflation, exchange rates, credit spreads, real estate and stock prices.

6 This also includes interdependencies between factors - asset-liability management - and correlation risk. Also to be included are credit / counterparty risk, concentration risk and liquidity risk. Policy for investment operations is to be reviewed on an annual basis and approved by the Board. It will set requirements for other governing documents in the investment management area. This policy shall include a coherent authorization structure (financial authorizations) from the Board via the CEO and CFO to the CIO. Each company shall adopt their governing documents for investment activities within the framework of the Group s policy for investment activities. The investment Strategy shall be reviewed annually and approved by the Board. The investment strategy will set overall objectives and risk limits for investment activities. Gjensidige's risk appetite is defined by the capital allocated to investment activities and requirements for minimum earnings. Furthermore, limits shall be established in the investment strategy for each of the market risks mentioned above as well as the limit for mismatch between assets and liabilities (ALM risk). The Group shall at all times maintain a credit policy approved by the Group CEO. For determination of credit limits the CFO may use the Credit Committee as an advisory body. The Board of Gjensidige Bank shall on an annual basis approve credit limits and the requirements for the credit process. The Group shall at all times have a liquidity policy approved by the CEO. Operational risk and compliance risk Operational risk is defined as a potential event or circumstance that may arise from business operations and may result in an economic impact and / or loss of reputation. Operational risk may be due to human error, weaknesses in systems, errors in processes, as well as external events. Compliance risk is a part of operational risk and is defined as the risk that Gjensidige incurs government sanctions, financial loss or loss of reputation as a result of failure to comply with laws, external regulations and internally approved regulations. The Board provides guidance for managing operational risk through approval of this policy, as well as through the risk appetite defined by the Board. The regulations/instructions related to operational risk management shall be elaborated in a separate governing document. 7. Reporting and control Group CEO shall annually confirm to the Board that the regulations/instructions of this policy are adhered to. This must at least include an assessment of the risk situation in light of the risk limits, report on the risk management processes, describes the Group's most significant risks and an assessment of whether the internal control has been conducted in a satisfactory manner. Group CEO shall ensure a quarterly reporting to the Board of trends and developments in the Group's most significant risks and the actual risk profile for each of the risk areas set up against the risk appetite and risk limits. The risk profile shall also be reported annually through the ORSA report. The compliance function shall at least annually report to the Board on compliance risk. The risk management function shall report to the Board on the internal model's function, proposed improvements and on the status of any improvements. The actuarial function shall at least annually report to the Board on all its activities. The report should point out areas where action is needed to align the technical provisions to Solvency II principles.

7 Appendix: Risk universe Risk Areas (Risk Categories) Risk Types Business and Strategic Risks Intangible asset risk Competition: new competitors/market changes Competition: Regulatory changes Competition: Implementation of strategic decisions M&A: integration and profitability of new businesses Non-life and health insurance risks: Premium risk Non-life and health insurance risks: Reserve risk Non-life and health insurance risks: Catastrophe risk Non-life and health insurance risks: Lapse risk Life insurance risks: Mortality risk Insurance Risks Life insurance risks: Longevity risk Life insurance risks: Disability morbidity risk Life insurance risks: Lapse risk Life insurance risks: Expense risk Life insurance risks: Catastrophe risk Reinsurance mismatch risk Financial Risks Market risk - Interest rate risk Market risk: Equity risk Market risk: Property risk Market risk: Currency risk Market risk: Spread risk Market risk: Concentration risk Market risk: Correlation Risk Counterparty risk Liquidity risk Pension liabilities for own employees Bank financing / liquidity risk Bank credit risk Operational and Compliance Risks Internal fraud External fraud Employment conditions and safety Business practices Damage to physical assets Business disruptions and system failures Process and routine errors Compliance risk Breach of internal / external rules

8 The main underlying governing documents; Group strategy ORSA policy M&A policy Capital management policy Policy for investment operations, investments strategy and related governing documents Functional descriptions for the control functions UW policy and related governing documents Instructions for the management of operational risk Instructions for the registration, escalation and reporting of incidents Guidelines for the review of the remuneration scheme Policy and procedure for the processing of personal data Group policy for Board self-assessment Policy and Instructions handling of fraud and irregularities Group Information security policy Anti-money laundering instructions Guidelines for claims' settlement Group policy for inside information Outsourcing Policy Group procurement policy Mandate for Risk Control Committee ( GRC ) Guideline for governing documents Instructions for Group Audit and Audit Director, and annual plan Policy for technical provisioning Ethical guidelines