E.8. Operating risk and other risks
Operational risk is defined as the potential losses, including opportunity costs, arising from inadequate or failed internal processes, personnel and systems or from external events. The operational risk category includes compliance risk, that is, the risk of incurring legal or regulatory sanctions, material financial losses, or reputational damage arising from failure to comply with laws, regulations and administrative provisions applicable to the Group business. In addition, financial reporting risk is also considered an operational risk. This is the risk of a transaction error which could entail an untrue and incorrect representation of the situation of the assets, liabilities, profit or loss in the Group’s financial statements.
- policies and operating guidelines in place to establish a consistent framework for Operational Risk management within Generali Group;
- assessment methodologies to identify significant risk event types and evaluate their impact on Group objectives;
- a process of collecting information on operational losses that have occurred, in order to validate the results of the different assessments and allow for the identification of not yet identified risks and control deficiencies;
- common methodologies and principles guiding internal audit activities in order to identify the most relevant processes to be audited.
The operational risk management process is based primarily on assessment of the risks by experts in different fields of Group operations and on collecting information on losses that have actually occurred. The outputs of these analyses are used to target investment in new or modified controls and mitigation actions in order to keep the level of risk within an acceptable range.
E.8.1. Operating systems and IT security management
Organization of the Parent Company’s IT is based on separating the IT security unit from IT operations and IT development. The rules set by the Parent Company regarding IT risk management and IT security are based on the rules and recommendations contained in ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements and on guidelines and policies created by Generali Group IT Risk and Security (Group IT Security Guideline and Group IT Risk Management Guideline effective from 1 October 2016).
E.8.2. Other risks
- Reputational Risk, i.e., the risk of potential losses due to a reputational deterioration or to a negative perception of the Group’s or Generali Group’s image among its customers, counterparties, shareholders and Supervisory Authority.
- Strategic Risk, i.e., the risk arising from external changes and/or internal decisions that may impact on the future risk profile of the Group or Generali Group.
- Contagion Risk, i.e., the risk that problems arising from one of the Generali Group’s local entities could affect the solvency, economic or financial situation of other entities within Generali Group or Generali Group as a whole.
Assessment of these risks is performed on at least a yearly basis as part of the planning process aimed at identifying potential threats to planned business objectives.