ENTERPRISE RISK MANAGEMENT

Mitigating impacts, building resilience

At SBI Life, our comprehensive risk management framework guides us in identifying, assessing and mitigating existing as well as emerging risks. The key focus areas are strategic risk assessment and capital planning, governance, risk universe and risk awareness.

We have also formulated our risk appetite statements and carry out ICAAP (Internal Capital Adequacy Assessment Process), which specifies the assessment of material risks, estimation of capital requirement and adequacy for maintaining solvency requirements.

The Enterprise Risk Management at SBI Life encompasses all risks including Strategic Risk, Insurance Risk, Investment / Market Risk, Reputation Risk and Operational Risks like Fraud Risk, Information & Cyber Security Risk, Compliance Risk, Business Continuity Risk, etc.

Our risk management practices are aligned to ISO 31000:2018 standard on Risk Management covering all departments and functions at Corporate Office, Central Processing Centre, Regional and Branch Offices of the Company.

The Company has various Committees to manage the risks faced by it. The Company considers risk management to be fundamental to prudent management practice and a significant aspect of Corporate Governance. The Risk Management framework at SBI Life is depicted in the following diagram:

Information Security Framework

Information and Cyber Security Policies & Procedures

Awareness

  • Acceptable Usage Practices
  • Technical aspects of IS
  • Secure Coding Practices
  • Secure Configuration Practices
  • IS Requirements of SBIL for outsourced vendors

Log Monitoring (SOC), Firewall Rule Base & Processes

Technical

  • Configuration/Firewall Rule
  • VA/PT
  • App Sec Testing/SCD
  • Secure Network Architecture
  • Password Compliance
  • End Point Security

Non-Technical

  • Branch Assessment
  • Vendor Risk Management

Regulatory Compliance: ISO 27001 ISMS Sustenance

Information security is a critical area for us. We have a fully functional Information Security Team (IST) headed by the Chief Information Security Officer (CISO). Our information security practices are ISO 27001:2013 certified. The Information Security Committee (ISC), convened by the CISO, oversees all information security related activities carried out by the Company. Updates on information security activities are presented to the Board Risk Management Committee on a regular basis.

Business Continuity Management Framework

The components of the framework, as shown in the diagram:

  • Leadership & Strategy, Culture & Behaviours, Preparedness & Management Risk
  • Board Risk Management Committee, Internal Risk Management Committee, BCM Steering Committee
  • Internal Audit / External Audit, ISO 22301:2012
  • Collaboration with functions: Disaster Recovery, alternate site testing, table-top testing and creating awareness
  • Identification of critical processes for the Company; prioritising critical processes and critical applications
  • BCMS Manual / Industry Interactions / Special Interest Group

Our Business Continuity Management (BCM) practices are ISO 22301:2019 certified. BCM activities are planned so that the business continuity plans are tested regularly in coordination with the concerned department / function. This enabled us to continue our essential / critical processes even during the lockdowns due to Covid-19. Adequate Work from Home (WFH) connections were extended to employees to continue the operations of the Company.

The key focus areas of the aforesaid Risk Management frameworks are:

a. Strategic Risk Assessment

We carry out a strategic risk assessment annually to identify, analyse and assess our key risks. The top risks are identified and presented to the Risk Management Committee (Board) along with the risk mitigation plan. There is an established asset-liability management process, along with strategic asset allocation based on matching liabilities to different asset classes and maturities. As part of our capital budgeting activities, we have a five-year capital rolling plan that is regularly monitored. In addition, risk categories have been standardised to ensure a complete assessment, as stated in the SBI Life Risk Management Policy and the Internal Capital Adequacy Ratio Assessment Process (ICAAP). These documents are reviewed annually by the Risk Management Committee.

b. Governance

We have formulated and implemented a risk reporting process to manage our risk governance requirements. In accordance with the IRDA Corporate Governance guidelines, SBI Life has set up a Risk Management Committee (RMC) at the Board level. The Risk Management Committee (RMC) of Executives and the Asset Liability Committee (ALCO) are convened to discuss ongoing risk management issues. These Committees meet on a quarterly basis.

c. Risk Universe

We are exposed to Strategic Risk, Business Risk, Insurance Risk, Investment Risk, Operational Risk, Information and Cyber Risk and Regulatory and Legal Risks in pursuit of our business goals and objectives. We have adequate safeguards to mitigate these risks.

Details of risk exposures and their mitigation are available in the “Risk Exposure & Mitigation” section of the Management Report.

d. Risk Awareness

We have a robust risk management culture. We provide risk awareness and sensitisation training to our people through periodic workshops, e-mailers, seminars, conferences, quizzes and case studies. Topics covered include operational risk, fraud monitoring, business continuity, information security and data protection.

Risk Awareness Day

1st September of every year is celebrated as “Risk Awareness Day”, on which customised messages / e-mailers / audio-visuals are broadcast to enhance risk awareness among employees.

Computer Security Day

30th November of every year is observed as ‘Computer Security Day.’ This occasion is used to create awareness in respect of information and cyber security in the Company.

Data Protection Day

28th January of every year is celebrated as ‘Data Protection Day’ and used to sensitise employees on data privacy and protection.

Data Governance Framework

We are currently implementing a data governance framework. As a first step, a Data Governance Policy (DGP) was developed and approved by the Board of Directors. This policy sets out the principles and rules for managing and protecting data across the organisation. Our Data Governance Committee oversees aspects of data protection. The data protection team, led by the Data Protection Officer, is responsible for planning, organising, directing and coordinating data governance activities across the Company.

Prominent risks and the mitigation initiatives:

Insurance risk includes persistency, morbidity and mortality risk. Significant variation between assumptions and actual experience may affect our Company’s growth prospects.

Mitigation Initiatives

  • We conduct experience analysis quarterly to ensure that corrective actions can be initiated at the earliest opportunity.
  • We use attractive product features to encourage policyholders to continue with the policy.
  • We have a combination of proactive and reactive interventions to manage persistency.
  • We consider approaches like reinsurance, experience analysis, repricing, underwriting and claims control to manage mortality and morbidity risks.

Key Capital Impacted

Strategic objectives

Reputation risk includes negative public opinion that results in a threat to the profitability or sustainability of the business. It can adversely affect the Company’s profitability and valuation.

Mitigation Initiatives

  • The Company has a structured process for identifying and managing risks emerging from reputational and other external events. Such events are discussed in the Risk Events Monitoring committee, which meets on a quarterly basis. Events impacting the reputation are also monitored through the Corporate Risk Appetite statement.

Key Capital Impacted

Strategic objectives

Changes in macroeconomic factors, such as a slowdown in global growth, an increase in interest rates, inflation, an increase in India’s trade deficit or a downgrade of India’s credit rating, can affect the industry and our prospects. Any regulatory action against our Company may carry reputational risk.

Mitigation Initiatives

  • We have instituted an enterprise risk management framework that details the governance and management of all aspects of risks that we face.
  • We further mitigate market risks by matching assets and liabilities by type and duration and matching cash flows.

Key Capital Impacted

Strategic objectives

Operational risks include disruption of normal business activities through external factors such as natural / man-made disasters or through internal factors. Failure of necessary processes and essential systems can hamper business continuity.

Mitigation Initiatives

  • We have the requisite business continuity and disaster recovery plans in place which are ISO 22301 certified.
  • We have a Risk Control Self-Assessment (RCSA) system wherein each business unit within the Company is required to identify and assess its inherent risks and the controls relevant to those risks.
  • A web-based incident reporting process is in place to collect loss incidents to track the extent of operational risk.

Key Capital Impacted

Strategic objectives

Regulatory risks include changes in the applicable regulatory or statutory framework, changes in government policy actions and reform measures, and non-compliance with regulations or provisions issued by various authorities (IRDAI, SEBI, MCA, etc.).

Mitigation Initiatives

  • We have a robust compliance mechanism to monitor critical compliance risks and communicate relevant regulatory requirements to business functions on a timely basis along with providing the requisite training to ensure adherence to applicable regulations.

Key Capital Impacted

Strategic objectives

Digital risks include cybersecurity and data privacy risks.

Mitigation Initiatives

  • We have a strong risk management framework to identify and assess risks related to cybersecurity and data privacy.

Key Capital Impacted

Strategic objectives

Strategic objectives (legend)

  • Expanding geographical presence through a robust distribution network
  • Profitable growth through efficient cost discipline
  • Building customer value proposition
  • Expanding our digital footprint
  • Developing a skilled workforce

Key capitals (legend)

  • Human Capital
  • Financial Capital
  • Manufactured Capital
  • Social and Relationship Capital