Our risk landscape is as complex and varied as ever, and we know that risks emerge and develop over time. Effective management of risks is essential to achieve our strategic, business and operational objectives and goals, with a degree of assurance.
The Enterprise Risk Management (ERM) framework helps identify potential events that may affect the Company, manage the associated risks and opportunities, and provide reasonable assurance that our objectives will be achieved.
We have a comprehensive Risk Management Policy for effective and robust risk management, which is reviewed annually by the Risk Management Committee of the Board (RMC-B). We take into account the time horizon for risks to potentially materialise, as well as what we can and cannot control.
SBI Life has established dedicated committees to proactively manage risks. We consider risk management to be fundamental to prudent management practice and a significant aspect of corporate governance. The committees oversee risk management at various levels within the organisation and recognise its importance in corporate governance.
Our risk management framework is aimed at making informed decisions, establishing effective oversight and control, identifying potential risks within our industry, and raising awareness among employees by focussing on key areas. These elements help safeguard the business, maintain resilience, and remain committed to excellence.
Our Enterprise Risk Management System has an ISO 31000:2018 ‘Statement of Compliance’ certified by the British Standards Institution (BSI). This covers all departments and functions at the Corporate Office, Central Processing Centre, and Regional & Branch Offices of the Company.
Risk management is considered to be the responsibility of every employee of SBI Life and is driven by the Board. The risk management policy ensures a robust risk management framework for its operations. The Risk Management Committee of the Board (RMC-B) is responsible for overseeing the Company’s risk management.
Our key risks are monitored and reported to the Board on a timely basis. A defined Board Committee structure and terms of reference for the same are in place. It has formulated Risk Appetite statements at the corporate level, which are reviewed and monitored by the RMC-B and Risk Management Committee of Executives (RMC-E) so as to integrate risk management with strategic business objectives and lay down the overall risk appetite for the organisation.
We conduct various risk assessment activities for identification, assessment, mitigation, monitoring and controlling of the key risks. We also carry out an ICAAP (Internal Capital Adequacy Assessment Process) activity, which details the assessment of material risks, estimation of capital requirement and adequacy for maintaining solvency requirements.
Our Company is exposed to the following broad risk categories in pursuit of its business goals and objectives, which are further split into various risks.
To manage risks effectively, risk management needs to be embedded into the culture of the organisation. To build a robust risk culture, risk awareness and sensitisation training is imparted across the Company through periodic workshops, e-mailers, seminars, conferences, quizzes, and case studies. Topics covered include operational risk, fraud monitoring, business continuity, information security and data protection.
Our dedicated Information Security Team (IST), led by our Chief Information Security Officer (CISO), focusses on safeguarding our information assets. We are guided by our Information and Cybersecurity Policy. Chaired by the CISO, the Information Security Committee (ISC) oversees all information security initiatives. The Board Risk Management Committee receives regular updates on information security activities, which ensures transparency and accountability.
Certified Information Security Practices
Overseeing Information Security Initiatives
Being an insurance company, we face and manage several risks. During our Annual Risk Assessment, we identified key risks, along with measures to mitigate them, as given below.
Data privacy risk is the risk of compromise of confidential / customer / employee information. This needs to be monitored closely considering the current global privacy landscape, reliance on third party service providers, reputational impact and regulatory censures related to any data leak incident.
We have implemented a Data Loss Prevention (DLP) tool, which is integrated with a Data Classification tool, to monitor data movement under the supervision of the Data Protection Officer (DPO). Further, Data Rights Management (DRM) has been implemented to secure sensitive and confidential data that is shared with vendors. Additionally, regular sensitisation and data privacy awareness/campaigns are carried out through digital and physical modes for various stakeholders and employees.
This is the risk of having excessive dependence on one or two specific distribution channels which may also be an indicator of the inability to develop or grow the other channels. There is a significant proportion of the business that is coming in from one channel which can be a material risk, more so if there are any regulatory changes happening or any such factors in the future.
From a mitigation point of view, there is an increased focus on agent recruitment and retention of performing agents along with activation of inactive agents/LMs. Also, continuous effort is being made to improve the training & development programme for sales teams of the various distribution channels. Further, special digital initiatives are being undertaken to simplify and enhance the online selling process to increase the business via e-commerce platform. There is a continued push to partner with more licensed entities across categories to ensure diversification.
Cybersecurity risk is the risk of loss of confidentiality, integrity or availability of data or information systems. This needs to be monitored closely considering the external environment, financial & reputational impact and regulatory censures related to any cyberspace threats such as hacking, ransomware attack, etc.
We undertake various cybersecurity measures, including vulnerability assessment and penetration testing, application security assessments, red team assessments, and phishing simulations. Additionally, a Security Operations Center (SOC) and cyber insurance cover are in place to mitigate the risk of any incidents. Various initiatives are also being taken to enhance user awareness of information security-related aspects.
Surrender risk is the risk of high surrenders which can be in terms of timing (surrenders in the early period of a policy tenure) or high surrender amounts. The surrender ratio has increased in the recent past, which could also be due to the external environment in terms of volatility in the financial markets.
We make extensive use of surrender retention tools for all the products. Additionally, proactive calls are made to policyholders to explain the benefits of continuing with their policies. We also use trackers and analytics for monitoring purposes.
This is the risk arising due to lack of required talent/skill set consequent to attrition, inadequate succession planning of key positions or inability to recruit. Risk can also arise when the organisation's culture is misaligned with the organisation's values.
At SBI Life, we adopt various measures to support employee well-being and enhance employee retention. We review the employee benefits offered on a periodic basis. This is done not only from a monetary benefit point of view, but also in terms of life insurance coverage, Mediclaim cover and incentives for acquiring higher qualifications. We allow flexibility to employees through employee-friendly policies like the revised work from home policy.
Further, all the risks are monitored through KRIs and discussed with the respective functions and the Senior Management. We have put in place adequate safeguard(s) to mitigate each of the risks and monitor the same on an ongoing basis. An update of this is given to RMC-E and RMC-B on a quarterly basis.
In terms of Country Risk, we are operating only in India and hence there is no exposure to other country risk.