Operational risk
Operational risk may arise from the following sub-categories:
- Business continuity: unavailability of premises, systems and/or critical processes;
- Internal fraud: any act or omission, by an internal staff member with or without collusion with an external party, made with dishonest or potentially illegal intent, to obtain a benefit or advantage, for one’s self or any other person;
- External fraud: any act or omission, by a third party, made with dishonest or potentially illegal intent, to obtain a benefit or advantage, for one’s self or any other person;
- Cyber security: risk of loss or detriment to IAG and its customers as a result of actions committed or facilitated through the use of networked information systems;
- Technology: failure to develop, deploy, maintain and operate, and recover stable and reliable technology services;
- Compliance: failure or inability to comply with the applicable laws, regulations or codes excluding failure of staff to adhere to internal policies/procedures;
- People and safety: inadequate capabilities and/or capacity, retention, inappropriate behaviours, and/or workplace safety;
- Information management: inadequate protection of IAG's information in accordance with its value and sensitivity;
- Execution and delivery: inadequate processes and/or failure of staff to adhere to policies/procedures; failures relating to project management and change programs; and
- Supply and distribution chain: delivery failure of service provider/third party; disputes with service provider/third party.
C. RISK MANAGEMENT CATEGORIES AND RISK MITIGATION
I. Strategic risk
Strategic risk is managed by the IAG Executive team with Board oversight. Key elements in management of strategy and strategic risk
include the strategic planning program and associated oversight arrangements. Progress against strategic priorities is regularly
considered. Strategic risks are included in IAG’s enterprise risk profile as appropriate.
II. Insurance risk
A key risk from operating in the general insurance industry is the exposure to insurance risk arising from underwriting general
insurance contracts. The insurance contracts transfer risk to the insurer by indemnifying the policyholders against adverse effects
arising from the occurrence of specified uncertain future events. There is a risk that the actual amount of claims to be paid in relation
to contracts will be different to the amount estimated at the time a product was designed and priced. The Consolidated entity is
exposed to this risk as the price for a contract must be set before the losses relating to the product are known. As such, the insurance
business involves inherent uncertainty. The Consolidated entity also faces other risks relating to the conduct of the general insurance
business including financial risks and capital risks (refer to the capital management note).
A fundamental part of the Group's overall risk management approach is the effective governance and management of the risks that
impact the amount, timing and certainty of cash flows arising from insurance contracts. IAG has an appointed Chief Underwriting
Officer to assist it to provide further oversight and management of insurance risk.
Insurance activities primarily involve the underwriting of risks and the management of claims as well as the product design, product
pricing, reserving and concentration risk (refer below). A disciplined approach to risk management is adopted rather than a premium
volume or market share orientated approach. IAG believes this approach provides the greatest long-term likelihood of being able to
meet the objectives of all stakeholders, including policyholders, lenders, regulators and shareholders.
The level of risk accepted by IAG is formally documented in its Insurance Business Licences. Each operating division has an insurance
licence, or licences. The licences are reviewed annually or more frequently if required.
a. INSURANCE PROCESSES
The key processes to mitigate insurance risk include the following:
i. Acceptance and pricing of risk
The underwriting of large numbers of less than fully correlated individual risks, across a range of classes of insurance businesses in
different regions, reduces the variability in overall claims experience over time. Business divisions are set underwriting criteria
covering the types of risks they are licensed to underwrite. Maximum limits are set for the acceptance of risk both on an individual
contract basis and for classes of business and specific risk groupings. Management information systems are to be maintained that
provide up-to-date, reliable data on the risks to which the business is exposed at any point in time. Efforts are made, including plain
language policy terms, to ensure there is no misalignment between policyholders' perceived payment when a policy is initially sold and
actual payment when a claim is made.
Statistical models that combine historical and projected data are used to calculate premiums and monitor claims patterns for each
class of business. The data used includes historical pricing and claims analysis for each class of business as well as current
developments in the respective markets and classes of business. All data used is subject to rigorous verification and reconciliation
processes. The models incorporate consideration of prevailing market conditions.
54 IAG ANNUAL REPORT 2015