Annual Report 2015

E.8. Operating risk and other risks

Operational risk is defined as the potential losses, including opportunity costs, arising from inadequate or failed internal processes, personnel and systems, or from external events. The operational risk category includes compliance risk, i.e. the risk of incurring legal or regulatory sanctions, material financial losses or reputational damage arising from failure to comply with the laws, regulations and administrative provisions applicable to the Group's business. Financial reporting risk is also treated as an operational risk: this is the risk of a transaction error that could lead to an untrue or incorrect representation of the assets, liabilities, profit or loss in the Group's financial statements.

As part of the ongoing processes of Generali Group, the Group has established common principles and techniques for managing operational risk:

  • policies and operating guidelines establishing a consistent framework for operational risk management within Generali Group;
  • assessment methodologies to identify significant risk event types and evaluate their impact on Group objectives;
  • a process for collecting information on operational losses that have occurred, used to validate the results of the various assessments and to identify risks and control deficiencies not yet identified;
  • common methodologies and principles guiding internal audit activities, so that the most relevant processes are selected for audit.

The operational risk management process is based primarily on risk assessments by experts in the different fields of Group operations and on the collection of information on losses that have actually occurred. The outputs of these analyses are used to target investment in new or modified controls and mitigation actions, so as to keep the level of risk within an acceptable range.

E.8.1. Operating systems and IT security management

The Parent Company's IT organisation separates the IT security unit from IT operations and IT development. The Company's rules on IT risk management and IT security are based on the requirements and recommendations of ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements (the 2005 edition of the standard, which has since been superseded by ISO/IEC 27001:2013).

E.8.2. Other risks

In addition to the main risk categories described above, the Group also assesses other risks that are difficult to quantify, so their assessment relies on expert judgement:

  • Reputational Risk, i.e. the risk of potential losses due to a deterioration in reputation or a negative perception of the Group's or Generali Group's image among its customers, counterparties, shareholders and the Supervisory Authority.
  • Strategic Risk, i.e. the risk arising from external changes and/or internal decisions that may affect the future risk profile of the Group or Generali Group.
  • Contagion Risk, i.e. the risk that problems arising in one of Generali Group's local entities could affect the solvency or the economic or financial situation of other entities within Generali Group, or of Generali Group as a whole.
  • Emerging Risk, i.e. new risks arising from internal or external environmental, social or technological changes that may increase the Group's or Generali Group's risk exposure or require a new risk category to be defined.

These risks are assessed at least yearly as part of the planning process, which aims to identify potential threats to the planned business objectives.