Risk appetite framework
5.3.3 Governance and organisation
5.3.3.1 Three lines of defence governance model
VIVAT Group uses a governance model based on the 'three lines of defence' (3LoD) principle. The 'three lines of defence' model is an organisational structure that contributes to the reinforcement of the risk culture, the assumption of responsibility for managing risks and internal control, and, ultimately, the ongoing optimisation and integrated cooperation of the risk functions.
First line = risk owner
The first line has an operational role, focusing on the primary and operational process of the business activities. Within the policy framework and subject to internal procedures and risk limits, it is the objective of the risk owner to achieve optimum risk/return ratios. Business plans are prepared in the first line.
[Figure 11: Three lines of defence. Diagram of the governance model; labels in the figure: First line (Business: Balance Sheet Management, Acceptance, Management, etc.; Corporate support departments: HRM, IT & Change, Finance, etc.; Management controls; Internal control measures), Second line (Risk Management, Quality Management, Compliance, Financial Control), Third line (Internal Audit), together with Management, Senior Management, Supervisory Board, Audit Committee, Risk Committee, External Audit and Regulator.]
Second line = risk management
The second line has a managing and accepting role in respect of the transactions proposed by the first line. The second line assesses the actions and transactions in the first line as well as the effectiveness of procedures by means of testing key controls, and is responsible for ensuring that the risk profile is in line with the risk appetite. Risk management processes carried out in conjunction with business units are coordinated via the second line. The second line is also responsible for formulating the framework and has an oversight role, and thus shapes policy. It sets out the policy framework, but leaves the execution of policy to the first line. The second line assesses policy compliance on a regular basis, using risk reports and its own observations. Furthermore, the second line sets the mandates in line with the risk appetite. It also defines basic principles and preconditions for risk models and supports central decision-making bodies. The data used, including models, assumptions and techniques, are validated periodically. Model validation is part of the second line.
Third line = audit
Group Audit (GA) is responsible for the independently operating audit function with respect to the risk management process. GA does not play any role in determining, implementing or steering the risk policy. GA reports to the chairman of the Executive Board of SNS REAAL and also has a reporting line to the Audit Committee of the Supervisory Board of SNS REAAL and VIVAT Group.
GA follows a systematic audit approach to evaluate and increase the effectiveness of activities in the area of risk management, internal control and governance.
GA provides assurance and proposes improvements (including recommendations) to the Executive Board, Audit Committee and Supervisory Board of SNS REAAL and the management of VIVAT Verzekeringen with regard to the following:
• the governance of the insurer;
• the adequacy and efficiency of the control of the business processes that are designed to support the achievement of the objectives;
• the reliability and adequacy of management information, which is used as the basis for assessing whether the objectives and components have been achieved;
• the reliability of the provision of financial and other information;
• compliance with relevant legislation and regulations;
• the facts and circumstances in the event of suspicions of fraud;
• the protection of assets;
In the quarterly report, GA monitors how matters for improvement are followed up. If the follow-up is inadequate, the matter is escalated to the management of VIVAT, the Executive Board and the Audit Committee/Supervisory Board.
5.3.3.2 Organisational structure
The risk management organisation at VIVAT Group comes within the domain of the Chief Risk Officer (CRO). For reasons of efficiency, the CRO's domain includes a number of first-line departments as well as the second-line risk management function. The managers of the respective departments are hierarchically on the same level, so that the individual first-line and second-line responsibilities are clearly assigned. In addition, VIVAT Group has the following risk committees.
Group level
• Insurer's Risk Committee (IRC)
The IRC is the most senior committee reporting to the management of VIVAT Verzekeringen for risk management purposes. The IRC establishes frameworks for the underlying committees. These frameworks cover the scope of the risk policy, limits applying to the desired risk profile, limits applying to the risk appetite, and a framework for control. The IRC monitors financial and non-financial risks in an integrated way. Its scope encompasses VIVAT Group and all legal entities in which VIVAT has a majority interest.
• Model Governance Committee (MGC)
The MGC decides on the appropriateness of the use of new and amended models to manage the relevant risks. The Asset & Liability Committee (ALCO) coordinates implementation. The MGC comes directly under the IRC in the risk committee structure. The assessment of the quality of models must be performed in the most independent manner possible, and the opinion must not be affected by the operational impact of the models. In addition, the MGC focuses primarily on setting frameworks (within the frameworks set by the IRC) and not so much on optimising returns or the financial impact of decisions. This justifies its high rank in the risk committee structure.
• Financial Committee (FinCo)
The FinCo is responsible for the management of the financial and actuarial accounting systems, consolidation, processes and infrastructure, the ensuing management information, internal/external financial reporting, results and returns, treasury and tax matters. The Financial Committee has a direct escalation line to the Executive Board in respect of matters that are within the Financial Committee's mandate but not within the IRC's mandate.
• Asset & Liability Committee (ALCO)
The ALCO is responsible for the management of all financial risks. It takes decisions on operations and where necessary sets frameworks, within the parameters of the frameworks established by the IRC. Its primary focus is on optimising risk and returns. In the context of its framework-setting role, the ALCO ensures compliance with the frameworks set by the IRC and to the extent necessary it expands on the frameworks. With regard to power and decision-making, the committee has a clear reporting and escalation line to the more senior risk committee.
• Investment Committee (IC)
The IC decides on matters related to the policy on investments for own account of VIVAT Group and all legal entities in which VIVAT Group has a majority interest, in accordance with the relevant frameworks and limits set by the IRC and ALCO.
• Actuarial Risk Committee (ARC)
The ARC is responsible for providing advice on the impact of parameters relating to, for instance, rates, models, hedging advice and underwriting risk. The ARC is an advisory body and does not have any decision-making powers. As an advisory body, it has to be consulted on matters that could be affected by underwriting parameters.
• Solvency Reporting Chain Management (SRCM)
Solvency Reporting Chain Management advises the FinCo on matters related to the procedure followed for, and optimisation of, the internal and external solvency reports of the insurer and all the supervised entities (including licensed insurers).
• Information Board (IB)
The Information Board advises the Financial Committee on matters related to data management.
Business unit level
The business units have their own risk committees. Within their mandates, these risk committees make and implement decisions. They do this in accordance with the frameworks set by the risk committee above them, and ultimately by the IRC. The risk committees at business unit level (BU level) are as follows:
• Product Market Pricing Committee (PMPC)
The PMPCs are responsible for the formal approval of products. The PMPCs have a direct escalation line to the IRC and their position is directly under the responsibility of the IRC. Three PMPCs are active in the formal approval of products: each business unit has its own PMPC (Reaal, Zwitserleven and Actiam). The PMPCs are composed of the members of the management of the relevant business unit and risk experts. The Corporate staff needs to be consulted in the preparation of the product approval process.
• Operational Risk & Compliance Committee (ORCC)
The ORCCs of the business units (Reaal, Zwitserleven, ACTIAM), IT and Finance & Risk (combined) are responsible for managing operational and compliance risks by monitoring the implementation of measures that were introduced for this purpose. The Risk Management Committee (RMC) of ACTIAM performs the role of the Operational Risk & Compliance Committee of ACTIAM (ORCC AM) with regard to many items on its agenda.