Risk Management

Managing risks with prudence

At SBI Life, effective risk management is integral to achieving our strategic, business, and operational objectives. Our robust risk management framework, aligned with enterprise risk management (ERM) principles, ensures the identification, assessment and mitigation of risks. This framework is supported by risk appetite statements, integrating risk management with our strategic goals and overall risk appetite.

Risk management framework

Scope of enterprise risk management:

Our ERM covers various risk categories such as Strategic Risk, Insurance Risk, Market/Investment Risk, Operational Risk, Information Security and Cyber Risk, Regulatory & Legal Risk, Business Risk and Reputation Risk. This comprehensive approach addresses all critical risks and enables their effective management.

Adherence to international standards:

Our enterprise risk management system is ISO 31000:2018 certified by the British Standards Institution (BSI). This certification applies to all departments and functions across our organisation, reflecting our commitment to international best practices.

ISO 31000:2018 certified ERM framework

Risk management committees:

To proactively manage risks, SBI Life has established dedicated committees. Recognising the importance of risk management in corporate governance, these committees oversee and mitigate risks at various levels within the organisation.

Risk management focus areas

Our risk management framework is centred around key focus areas: making informed decisions, establishing effective oversight and control, identifying potential risks within our industry, and raising awareness among employees. These elements are essential to safeguard our business, maintain resilience, and uphold our commitment to excellence for our stakeholders.

Risk assessment

At SBI Life, we conduct annual risk assessments to identify, analyse, and evaluate key risks. The finalised risks and mitigation plans are presented to the Risk Management Committee (Board). We use standardised risk categories outlined in the SBI Life Risk Management Policy and Internal Capital Adequacy Assessment Process (ICAAP) document. We have established robust asset liability management and strategic asset allocation processes. Our capital budgeting includes a 5-year Capital Rolling Plan that is regularly monitored. Risk assessment and management are integral to these activities.

Governance

We have formulated and implemented a risk reporting process to meet our risk governance requirements. We believe that risk management is the responsibility of every employee and is strongly supported by the Board. In line with the regulatory requirements, we have established a Risk Management Committee (RMC) at the Board level. The RMC provides directions on Risk Management & Asset Liability Management. In addition, the RMC of Executives and the Asset Liability Committee (ALCO) meet quarterly to discuss and address ongoing risk management issues.

Risk universe

Our Company is exposed to the following risks in pursuit of our business goals and objectives.

  • Strategic Risk
  • Insurance Risk
  • Market/Investment Risk
  • Operational Risk
  • Information Security and Cyber Risk
  • Regulatory & Legal Risk
  • Business Risk
  • Reputational Risk

Our Company has put in place adequate safeguard(s) to mitigate these risks. Details of risk exposure and their mitigation are available in the “Risk Exposure & Mitigation” section of the Management Report.

Risk awareness

In order to instil a strong risk culture within our Organisation, we provide risk awareness and sensitisation training through workshops, emails, seminars, conferences, quizzes, and case studies. These training sessions cover various topics such as operational risk, fraud monitoring, business continuity, information security and data protection.

  • Risk Awareness Day: On the 1st of September each year, we celebrate "Risk Awareness Day" with customised messages, emailers, audiovisuals, and engaging activities to enhance employees' risk awareness levels.
  • Computer Security Day: Every year, on the 30th of November, we observe "Computer Security Day" and dedicate the entire month of November/December to creating awareness of information and cyber security aspects in our Company.
  • Data Privacy Day: January 28th is celebrated as "Data Privacy Day" to sensitise employees about the importance of data privacy and protection.
  • Cyber Jaagrookta (Awareness) Diwas: We observe "Cyber Jaagrookta Diwas" on the first Wednesday of every month to raise awareness about preventing cybercrimes through various means.

Business continuity management

Our Business Continuity Management (BCM) practices are ISO 22301:2019 certified. These activities are carefully planned to include regular testing of business continuity plans in collaboration with relevant departments and functions. Effective planning and continuous testing enable us to maintain core business operations at an acceptable level even in the event of a crisis scenario.

ISO 22301:2019 certified BCM framework

[Figure: BCM framework]

Strong commitment to information security

We are guided by our Information and Cyber Security Policy, and ensuring robust information security is a top priority for us. Our dedicated Information Security Team (IST), led by our Chief Information Security Officer (CISO), focuses on safeguarding our information assets. Our information security practices are ISO 27001:2013 certified. The Information Security Committee (ISC), chaired by the CISO, diligently oversees all information security initiatives undertaken by the Company. Regular updates on information security activities are shared with the Board Risk Management Committee, ensuring transparency and accountability in our approach.

ISO 27001:2013 certified information security practices

Data governance framework

As part of our commitment to effective data management and protection, we have implemented a data governance framework. This framework is supported by a Board-approved Data Governance Policy (DGP) that establishes principles and rules for managing and safeguarding data throughout our organisation. The Data Governance Committee oversees data privacy and protection aspects, while a dedicated Data Protection Team, led by the Data Protection Officer, is responsible for planning, organising, directing, and coordinating data governance activities.

Risks identified and their mitigation measures

Risk: Insurance risk includes persistency, morbidity, and mortality risk. Significant variation in assumptions vis-a-vis actuals may affect our Company’s growth prospects.
Mitigation initiatives:
  • We conduct experience analysis on a quarterly basis to ensure that corrective actions can be initiated at the earliest opportunity.
  • We use attractive product features to encourage policyholders to continue with the policy.
  • We have a combination of proactive and reactive interventions to manage persistency.
  • We consider approaches like reinsurance, experience analysis, repricing, underwriting and claims control to manage mortality and morbidity risks.
Key stakeholders impacted: Customers, Shareholders, Business partners

Risk: Change in macroeconomic factors like a slowdown in global growth, an increase in interest rates, or inflation.
Mitigation initiatives:
  • We have instituted an enterprise risk management framework that details the governance and management of all aspects of the risks that we face.
  • We further mitigate market risks by matching assets and liabilities by type and duration and by matching cash flows.
Key stakeholders impacted: Shareholders, Regulators

Risk: Regulatory risks include changes in the applicable regulatory or statutory framework, changes in government policy actions and reform measures, and non-compliance with various regulations or provisions issued by other authorities (IRDAI, SEBI, MCA, etc.).
Mitigation initiatives:
  • We have a robust compliance mechanism and policy to monitor critical compliance risks and communicate relevant regulatory requirements to business functions on a timely basis, along with providing the requisite training to ensure adherence to applicable regulations.
Key stakeholders impacted: Shareholders, Regulators, Business partners

Risk: Operational risks include disruption of normal business activities through external factors like natural/man-made disasters or internal factors. Failure of necessary processes and essential systems can hamper business continuity.
Mitigation initiatives:
  • We have the requisite business continuity and disaster recovery plans in place, which are ISO 22301 certified.
  • We have a Risk Control Self-Assessment (RCSA) system wherein each business unit within the Company is required to identify and assess inherent risks and the controls relevant to each risk.
  • A web-based incident reporting process is in place to collect loss incidents and track the extent of operational risk.
Key stakeholders impacted: Employees, Business partners, Customers

Risk: Digital risks include cybersecurity and data privacy risks.
Mitigation initiatives:
  • We have a strong risk management framework to identify and assess risks related to cybersecurity and data privacy.
  • We have formulated detailed Information and Cyber Security and Data Governance policies, and we adhere to the ISO 27001:2013 standard.
Key stakeholders impacted: Customers, Employees, Business partners

Risk: Other risks include trends related to climate change, mobility of talent and funds, reskilling for a digital workplace, and demographics.
Mitigation initiatives:
  • We have a Stakeholders Relationship Committee, a CSR Committee and a CSR Sub-Committee to formalise our alignment with stakeholder priorities and to track and report progress on sustainability matters.
  • The CSR Committee is responsible for overseeing the Company’s CSR programme, ensuring its compliance, and reporting to the Board on a timely basis.
  • The Company also imparts various training programmes to ensure that employees are agile to changing requirements. Besides, there are various HR initiatives for employee engagement.
Key stakeholders impacted: Customers, Communities, Regulators, Employees