Proactively Managing Risks to Build Lasting Trust

Our consistent, collaborative and forward-looking risk management elevates risk awareness across all levels of the organisation. A robust Enterprise Risk Management (ERM) Framework identifies, evaluates and mitigates internal and external risks. It is supported by risk appetite statements and by integrating risk management into the pursuit of strategic, business and operational objectives.

Our risk landscape is as complex and varied as ever, and we know that risks emerge and develop over time. Effective management of risks is essential to achieve our strategic, business and operational objectives and goals, with a degree of assurance.

The Enterprise Risk Management (ERM) framework helps identify potential events that may affect the Company, manage the associated risks and opportunities, and provide reasonable assurance that our objectives will be achieved.

We have a comprehensive Risk Management Policy for effective and robust risk management, which is reviewed annually by the Risk Management Committee of the Board (RMC-B). We take into account the time horizon for risks to potentially materialise, as well as what we can and cannot control.

Risk Management Committees

SBI Life has established dedicated committees to proactively manage risks. We consider risk management to be fundamental to prudent management practice and a significant aspect of corporate governance. The committees oversee risk management at various levels within the organisation and recognise its importance in corporate governance.

Our risk management framework is aimed at enabling informed decisions, establishing effective oversight and control, identifying potential risks within our industry, and raising awareness among employees by focussing on key areas. These elements help us safeguard the business, maintain resilience, and remain committed to excellence.

Committed to International Best Practices

Our Enterprise Risk Management System holds an ISO 31000:2018 ‘Statement of Compliance’ certified by the British Standards Institution (BSI). This covers all departments and functions at the Corporate Office, Central Processing Centre, and Regional & Branch Offices of the Company.

Risk Identification and Monitoring

Risk management is considered to be the responsibility of every employee of SBI Life and the same is driven by the Board. The risk management policy ensures a robust risk management framework for its operations. The Risk Management Committee of the Board (RMC-B) is responsible for overseeing the Company’s risk management.

Our key risks are monitored and reported to the Board on a timely basis. A defined Board Committee structure, with terms of reference, is in place. Risk Appetite statements have been formulated at the corporate level; they are reviewed and monitored by the RMC-B and the Risk Management Committee of Executives (RMC-E) so as to integrate risk management with strategic business objectives and lay down the overall risk appetite for the organisation.

Risk Assessment

We conduct various risk assessment activities for identification, assessment, mitigation, monitoring and controlling of the key risks. We also carry out an ICAAP (Internal Capital Adequacy Assessment Process) activity, which details the assessment of material risks, estimation of capital requirement and adequacy for maintaining solvency requirements.

Identifying, Managing and Monitoring Risks

  • Risk Register
  • Risk and Control Self-Assessment (RCSA)
  • Incident Reporting (Loss Data Collation)
  • Fraud Monitoring
  • Business Continuity Management (BCM)
  • Risk Analytics
  • Predictive Risk Models
  • Key Risk Indicators (KRI)

Risk Universe

Our Company is exposed to the following broad risk categories in pursuit of its business goals and objectives, which are further split into various risks.

Key Risk Categories

  • Strategic and Business Risk: Distribution, Product, New Business, Surrender and Reputation Risk
  • Insurance Risk: Mortality, Reinsurance, Pricing, Persistency, Expense Risk
  • Investment Risk: Credit, Liquidity, Market, ALM and Interest Rate Risk
  • Operational Risk: Business Continuity, Fraud, Market Conduct, Process, Third Party and People & Culture Risk
  • Information & Technology Risk: Data Privacy, Cybersecurity and IT System & Infrastructure Risk
  • Regulatory & Legal Risk: Reporting & Disclosure, Regulatory Guidelines and Legal Risk

Risk Awareness

To manage risks effectively, risk management needs to be embedded into the culture of the organisation. To build a robust risk culture, risk awareness and sensitisation training is imparted across the Company through periodic workshops, e-mailers, seminars, conferences, quizzes, and case studies. Topics covered include operational risk, fraud monitoring, business continuity, information security and data protection.

Promoting Risk Awareness Amongst Employees

  1. Risk Awareness Day: 1st September is celebrated as “Risk Awareness Day”, when customised messages, emailers, audio visuals and various activities are used to enhance risk awareness levels among employees.
  2. Computer Security Day: 30th November is observed as "Computer Security Day" to create awareness about information and cybersecurity aspects.
  3. Data Privacy Day: 28th January is celebrated as ‘Data Privacy Day’ and used to sensitise employees on data privacy and protection.
  4. Cyber Jaagrookta (Awareness) Diwas: Cyber Jaagrookta Diwas is observed on the first Wednesday of every month, as per the circular issued by the Ministry of Home Affairs. The purpose of this initiative is to spread awareness for the prevention of cyber crimes through different mediums.

Information Security – a Top Priority

Our dedicated Information Security Team (IST), led by our Chief Information Security Officer (CISO), focusses on safeguarding our information assets. We are guided by our Information and Cybersecurity Policy. Chaired by the CISO, the Information Security Committee (ISC) diligently oversees all information security initiatives. The Board Risk Management Committee receives regular updates on information security activities, which ensures transparency and accountability.

ISO 27001:2013 Certified Information Security Practices

Overseeing Information Security Initiatives

Key Risks and their Mitigation Measures

Being an insurance company, we face and manage several risks. During our Annual Risk Assessment, we identified key risks, along with measures to mitigate them, as given below.

Risks

Data privacy risk is the risk of compromise of confidential / customer / employee information. This needs to be monitored closely considering the current global privacy landscape, reliance on third party service providers, reputational impact and regulatory censures related to any data leak incident.

How We are Mitigating the Risk

We have implemented a Data Loss Prevention (DLP) tool, integrated with a Data Classification tool, to monitor data movement under the supervision of the Data Protection Officer (DPO). Further, Data Rights Management (DRM) has been implemented to secure sensitive and confidential data that is shared with vendors. Additionally, regular sensitisation and data privacy awareness campaigns are carried out through digital and physical modes for various stakeholders and employees.

Key Stakeholders Impacted

  • Employees
  • Partners
  • Customers
  • Regulators
  • Shareholders

Risks

This is the risk of excessive dependence on one or two specific distribution channels, which may also indicate an inability to develop or grow the other channels. A significant proportion of the business comes from one channel, which can be a material risk, more so if there are regulatory changes or similar factors in the future.

How We are Mitigating the Risk

From a mitigation point of view, there is an increased focus on agent recruitment and retention of performing agents, along with activation of inactive agents/LMs. Continuous effort is also being made to improve the training & development programme for sales teams of the various distribution channels. Further, special digital initiatives are being undertaken to simplify and enhance the online selling process to increase business via the e-commerce platform. There is a continued push to partner with more licensed entities across categories to ensure diversification.

Key Stakeholders Impacted

  • Customers
  • Employees
  • Partners

Risks

Cybersecurity risk is the risk of loss of confidentiality, integrity or availability of data or information systems. This needs to be monitored closely considering the external environment, financial & reputational impact and regulatory censures related to any cyberspace threats such as hacking, ransomware attack, etc.

How We are Mitigating the Risk

We undertake various cybersecurity measures, including vulnerability assessment and penetration testing, application security assessments, red team assessments, and phishing simulations. Additionally, a Security Operations Center (SOC) and cyber insurance cover are in place to mitigate the risk of any incidents. Various initiatives are also being taken to enhance user awareness of information security-related aspects.

Key Stakeholders Impacted

  • Employees
  • Partners
  • Customers
  • Regulators
  • Shareholders

Risks

Surrender risk is the risk of high surrenders which can be in terms of timing (surrenders in the early period of a policy tenure) or high surrender amounts. The surrender ratio has increased in the recent past, which could also be due to the external environment in terms of volatility in the financial markets.

How We are Mitigating the Risk

We make extensive use of surrender retention tools for all the products. Additionally, proactive calls are made to policyholders to explain the benefits of continuing with their policies. We also use trackers and analytics for monitoring purposes.

Key Stakeholders Impacted

  • Customers
  • Employees
  • Partners
  • Shareholders

Risks

This is the risk arising from a lack of required talent/skill set consequent to attrition, inadequate succession planning for key positions or inability to recruit. Risk can also arise when the organisation's culture is misaligned with the organisation's values.

How We are Mitigating the Risk

At SBI Life, we adopt various measures to support employee well-being and enhance employee retention. We review the employee benefits offered on a periodic basis. This is done not only from a monetary benefit point of view, but also in terms of life insurance coverage, Mediclaim cover and incentives for acquiring higher qualifications. We allow flexibility to employees through employee-friendly policies like the revised work from home policy.

Key Stakeholders Impacted

  • Customers
  • Employees

Further, all the risks are monitored through KRIs and discussed with the respective functions and the Senior Management. We have put in place adequate safeguards to mitigate each of the risks and monitor them on an ongoing basis. An update on this is given to the RMC-E and RMC-B on a quarterly basis.

In terms of Country Risk, we are operating only in India and hence there is no exposure to other country risk.