Annual Report 2015

E.8. Operational risk and other risks

Operational risk is defined as the potential loss arising from inadequate or failed internal processes, personnel and systems, or from external events. The operational risk category includes compliance risk and financial reporting risk. Compliance risk is the risk of incurring legal or regulatory sanctions, material financial losses or reputational damage as a result of failing to comply with the laws, regulations and administrative provisions applicable to the Company's business. Financial reporting risk is also treated as an operational risk: it is the risk that a transaction error leads to an untrue or incorrect representation of the assets, liabilities, profit or loss in the Company's financial statements.

As part of the ongoing processes of Generali Group, the Company has adopted a set of common principles and techniques for managing operational risk:

  • policies and operating guidelines that establish a consistent framework for operational risk management across Generali Group;
  • assessment methodologies to identify significant risk event types and evaluate their impact on the Company's objectives;
  • a process for collecting information on operational losses that have occurred, used to validate the results of the various assessments and to identify risks and control deficiencies not previously identified;
  • common methodologies and principles guiding internal audit activities, so that the most relevant processes are selected for audit.

The operational risk management process is based primarily on risk assessments carried out by experts in the different fields of the Company's operations and on the collection of information on losses that have actually occurred. The outputs of these analyses are used to target investment in new or modified controls and mitigation actions so as to keep risk levels within an acceptable range.

E.8.1. Operating systems and IT security management

The organisation of the Company's IT is based on separating the IT security unit from IT operations and IT development, so that the function defining and checking security requirements is independent of the functions that build and run the systems. The rules set by the Company for IT risk management and IT security are based on the requirements and recommendations of ISO/IEC 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements) and on the guidelines and policies issued by Generali Group IT Risk and Security.

E.8.2. Other risks

In addition to the main risk categories mentioned above, the Company also assesses other risks that are difficult to quantify, so their assessment relies on expert judgement:

  • Reputational Risk, i.e. the risk of potential losses due to a deterioration of reputation or a negative perception of the Company's or Generali Group's image among its customers, counterparties, shareholders and the Supervisory Authority.
  • Strategic Risk, i.e. the risk arising from external changes and/or internal decisions that may affect the future risk profile of the Company or Generali Group.
  • Contagion Risk, i.e. the risk that problems arising in one of Generali Group's local entities could affect the solvency, economic or financial situation of other entities within Generali Group, or of Generali Group as a whole.
  • Emerging Risk, i.e. new risks arising from internal or external environmental, social or technological changes that may increase the Company's or Generali Group's risk exposure or require the definition of a new risk category.

These risks are assessed at least once a year as part of the planning process, which aims to identify potential threats to the planned business objectives.