SBI - Life Integrated Annual Report 2020/21

RISK MANAGEMENT

Strengthening resilience

As an insurance company, we cover life, health and longevity risks of our policyholders. We invest the premiums received and provide long-term returns to our customers. We have a comprehensive risk management policy which specifies the process for identification, measurement and analysis of our risk exposures; develop risk management strategies and its monitoring. The key focus areas include strategic risk assessment and capital planning; governance; risk universe; and risk awareness.

Along with a robust risk management policy, we have formulated our risk appetite statements at a functional as well as corporate level, and we also carry out ICAAP (Internal Capital Adequacy Assessment Process), which specifies assessment of material risks, estimation of capital requirement and adequacy for maintaining solvency requirements. Our risk management practices are aligned to ISO 31000:2018 standard on Risk Management covering all departments and functions at Corporate Office, Central Processing Centre, Regional and Branch Offices of the Company.

Our risk management process

We carried out a maturity assessment of our cyber security practices through an independent consultant. The assessment was done using NIST framework and evaluated our security posture at a broad level. This would also assist in developing tactical and strategic directions to further mature and strengthen our security program. This would enable us to take a proactive approach to cyber security and thereby prevent unpleasant surprises later. Based on the assessment, we are taking additional steps to further enhance effectiveness and maturity of cyber security practices adopted by the Company.

Key risks and mitigation measures

External factors	Key capitals impacted	Mitigation initiatives	Strategic objectives
Insurance risk includes persistency, morbidity and mortality risk. Significant variation in assumptions vis-a-vis actuals may affect our Company’s growth prospects.		We conduct experience analysis quarterly to ensure that corrective actions can be initiated at the earliest opportunity. We use attractive product features to encourage policyholders to continue with the policy. We have a combination of proactive and reactive interventions to manage persistency We consider approaches like reinsurance, experience analysis, repricing, underwriting & claims control to manage mortality & morbidity risks.
Change in macroeconomic factors like slowdown in global growth, increase in interest rates, inflation, increase in India’s trade deficit, downgrading of India’s credit rating can affect industry and our prospects. Any regulatory action on our Company may have reputational risks.		We have instituted an enterprise risk management framework which details the governance and management of all aspects of risks that we face. We further mitigate market risks by matching assets and liabilities by type and duration and matching cash flows.
Regulatory risks include changes in applicable regulatory or statutory framework, changes in government policy actions and reform measures, non-compliance with various regulations or provisions issued by other authorities. (IRDAI, SEBI, MCA etc.)		We have a robust compliance mechanism to monitor critical compliance risks and communicate relevant regulatory requirements to business functions on a timely basis along with providing the requisite training to ensure adherence to applicable regulations.
Operational risks include disruption of normal business activities through external factors like natural/ manmade disasters or internal factors. Failure of necessary processes and essential systems can hamper business continuity.		We have the requisite business continuity and disaster recovery plans in place which are ISO 22301 certified. We have a Risk Control Self-Assessment (RCSA) system wherein each business unit within the Company is required to identify and assess inherent risks and controls relevant to the risk. A web-based incident reporting process is in place to collect loss incidents to track the extent of operational risk.