Operational Risk Management in If P&C
The continuity of operational risk management in If P&C is secured through the Operational Risk Committee (ORC), which coordinates the operational risk process. The committee’s task is to give opinions, advice and recommendations to the If Risk Control Committee (IRCC) as well as to report the current operational risk status. The status assessment is based on the self-assessments performed by the organization, reported incidents and other additional risk information. A trend analysis is performed annually, in which the most severe external operational risks are identified.
The business organization and corporate functions have the responsibility to identify, assess, monitor and manage their operational risks. Risk identification and assessments are performed quarterly. Identified risks are assessed from a severity perspective, encompassing probability and impact. The control status for each risk is assessed using a traffic light system: green – good control of risk, yellow – attention required, red – attention required immediately. Severe risks with control status yellow or red are reported to the ORC.
Incident reporting and analysis are managed differently depending on the type of incident. All employees are required to report specified types of incidents via the intranet, and others are identified through controls and investigations.
In order to manage operational risks, If P&C has issued a number of different steering documents: Operational Risk Policy, Contingency Plans, Security Policy, Outsourcing Policy, Complaints Handling Policy, Claims Handling Policy, and other steering documents related to different parts of the organization. These documents are reviewed and updated at least annually. In addition, If P&C has detailed processes and guidelines in order to manage possible external and internal fraud. Internal training on ethical rules and guidelines is a prioritized area.