Our business is fundamentally about how we identify, mitigate and manage risks for QBE and for our customers. In 2018, we have stepped up our efforts to ensure that our risk management practices and systems remain robust, independent and aligned with global best practice. We have reduced our risk profile at the same time as we have been improving our underwriting discipline and we have strengthened our approach to environmental, social and governance risks across our business.
From our Group CRO
During 2018, Group Risk Management has partnered with the business to ensure appropriate governance and oversight of a number of strategic activities. We have worked with the transaction teams to ensure the successful divestment of the Latin American division and other less material disposal transactions; I have attended many of the cell reviews, which include challenging each cell to ensure there is a clear plan of attack to achieve target performance; and we have also worked with the underwriting and claims teams on the development of the new Global Underwriting Standards and Global Claims Standards as part of the Brilliant Basics initiative. In addition, we have worked alongside management in Asia Pacific Operations to support the remediation of a number of underperforming portfolios. Having joined QBE during 2018, I have been pleased to see the strong engagement of the Risk function by our front‑line businesses.
Australia has seen a number of major regulatory developments this year, including The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry. In addition, the Australian Prudential Regulation Authority (APRA) requested that the largest financial institutions, including QBE, perform a self‑assessment against the final report from the APRA-led Prudential Inquiry into the Commonwealth Bank of Australia, covering governance, accountability and culture. A large part of my time has naturally been spent helping develop our response to these major industry-wide regulatory challenges. On a more routine front, we have reviewed our enterprise risk management framework to ensure that it continues to be fit for 2019 and beyond. Key elements of the new framework are discussed below.
Our Risk Management Strategy (RMS) describes our approach for managing risk and the key elements of the Enterprise Risk Management (ERM) Framework that give effect to this strategy. The Group Board is responsible for ensuring that an effective RMS is established, maintained and implemented across QBE and that risks are managed in accordance with the ERM Framework. The RMS is reviewed on an annual basis, and results are reported to the Group Board Audit Committee and Group Board Risk & Capital Committee. The RMS sets out our risk governance including how responsibilities are allocated across board and management committees and management, the processes for monitoring and the regular reporting required.
QBE’s ERM framework is applied across the Group and provides a sound foundation for reducing uncertainty and volatility in business performance. It is supported by frameworks for each material risk class: strategic risk, insurance risk, credit risk, market risk, liquidity risk, operational risk and compliance risk.
Our ERM Framework
Strategic objectives and business plan
Risk management is embedded in our business planning process, which focuses on our strategic objectives over a three-year horizon. We assess material risks and mitigation strategies and perform Group-wide stress testing to develop actions to increase the likelihood of achieving our business plan and objectives and staying within our risk appetite and tolerance.
Strategic planning, risk appetite and capital management
Our strategic planning process considers factors such as market conditions, prior years’ results, business objectives, operational initiatives, financial targets and risk appetites, which inform our annual business plan.
Our Risk Appetite Statement (RAS) sets out the nature and level of risk that the Group Board and Group Executive Committee are willing to take in pursuit of our business objectives. The RAS is used to support risk-based decision making by clearly defining our appetite (what we should do) and tolerance (what we can do), and is cascaded, as appropriate, into the operating divisions.
Our Capital Management Plan ensures QBE maintains adequate capital to achieve balance between our strategic planning aspirations and our risk appetite. QBE uses several capital management tools to support the assessment of risk and allocation of capital including:
- QBE’s Economic Capital Model – an internal model, developed to measure overall exposure to risk as well as exposure to each of our main categories of risk. The model provides a quantitative base for us to understand, monitor and manage our exposures. We also use the model to make better business decisions, assess economic capital requirements and measure performance on a risk-adjusted basis.
- Analysis of regulatory and rating agency capital models – to better understand how regulatory and rating agencies assess the impact of our strategic decisions on our risk profile and capital requirements, we conduct financial modelling analysis with reference to the requirements of the various capital environments in which QBE operates.
- Bespoke risk assessment tools – we use catastrophe models, scenario analysis, stress tests and reverse stress tests to evaluate business plans and support our capital plan.
Another key capital management tool is QBE’s Internal Capital Adequacy Assessment Process (ICAAP). The ICAAP is supported by both the Economic Capital Model and scenario analysis, and is used to:
- manage the capital held by QBE;
- monitor the risk profile against appetite;
- ensure the risks taken by QBE are commensurate with required returns;
- allocate capital to operating entities for planning and performance monitoring purposes; and
- analyse alternative reinsurance options and regulatory and rating agency submissions.
Our Group Reinsurance Management Strategy sets out our approach to reinsurance as part of our overall approach to risk and capital management.
Risk governance, monitoring and reporting
As previously mentioned, the Group Board is responsible for ensuring that an effective RMS is established, maintained and implemented across QBE.
Risk monitoring and reporting are embedded across the Group, supported by the three lines of defence:
- The business, our first line of defence, generates risk exposure and is accountable for identifying, owning and controlling risks, and for ensuring that accepted risks are within the Group’s risk appetite.
- Group Risk and Group Compliance functions provide independent oversight and challenge, by establishing and maintaining Group-wide minimum standards and policies.
- Internal audit provides independent assurance to assist the Group Board in discharging its responsibility for sound and prudent management of QBE, by providing an objective review of the effectiveness and integrity of the RMS.
Risk identification, measurement, stress testing and mitigation
QBE adopts a robust risk identification, measurement and mitigation process to support the ERM Framework.
These processes are outlined within each material risk policy and include key activities to manage risk such as the Risk and Control Self-Assessment process, incident and issue management process, emerging risk forums, stress testing and scenario analysis, cell reviews, performance monitoring, and targeted risk reviews.
Risk management systems
QBE utilises Group-wide risk management systems to facilitate the recording, measurement, aggregation, monitoring and reporting of material risks to Group and key stakeholders. These systems enable the analysis of QBE’s material risks, which helps us to better understand the risk environment and support risk‑based decision making.
People and culture
QBE is committed to, and supports, a strong risk culture. We recognise the importance of risk awareness and risk culture as being instrumental in the effectiveness of QBE’s ERM Framework and an informal control mechanism for the organisation. We are currently focusing on achieving greater alignment between risk culture, the wider organisational culture, which we call our QBE DNA, and conduct risk, as well as further embedding Group-wide accountability for risk culture through remuneration and reward. We have embedded expected risk behaviours in our QBE DNA which are used in our people processes across the Group. They are also included in our Code of Ethics and Conduct which is applicable to all directors, employees and other representatives across the Group. For more information please refer to the 2018 Sustainability Report.
As a global insurance group, QBE is subject to oversight by many prudential regulatory regimes around the world, as well as extensive legal and regulatory requirements and obligations, industry codes, and business and ethical standards across our business activities. To manage the regulatory and compliance risk we face as a global organisation, we combine local expertise with a globally consistent compliance framework and consider regulatory risk as part of our strategic risk class. We continue to monitor regulatory developments in each of the markets in which the Group operates.
Emerging risks are also considered as part of our strategic risk class. Our emerging risk forums operate at a divisional level with overall coordination by the Global Emerging Risks Forum, which identifies and analyses the emergence and maturity of each risk, and monitors and reports on emerging risks. Over the year, the emerging risk forums have reviewed a range of emerging risks, including autonomous vehicles, big data, nanotechnology and cyber risks.
Climate-related risks, which are considered as an existing strategic risk for us, are managed by the Climate Change Working Group and ESG Risk team. We discuss these in the climate change action plan section.