Integrated risk management

Sanitas has taken measures to ensure an appropriate risk management strategy is in place with regard to all material risks, and has documented this strategy accordingly.  

These measures are based on Article 22 of the Act on the Supervision of Insurance Undertakings (VAG) and Articles 96 and 97 of the Supervision Ordinance Act (AVO). Risk management encompasses the methods and processes used to identify, monitor, evaluate and report risks as well as risk strategy and risk management measures. In accordance with the regulations governing Sanitas Beteiligungen AG, the board of directors is responsible for risk management policy. The executive board issues the necessary directives.

In strategic terms, risk management helps improve the company’s corporate value by ensuring an appropriate balance between risk and profit, which in turn guarantees long-term financial stability. With this in mind, integrated risk management:

  • is integrated into the strategic planning process;
  • is adapted to the specific needs of the Sanitas Group; and
  • acts as a management and monitoring tool, whereby the goal is to create and enhance risk awareness in daily operational business.

Integrated risk management is therefore a fundamental part of corporate governance.

Key elements of integrated risk management

Integrated risk management comprises the following elements:

  • All these measures help to identify, evaluate and control risks. The risk management process comprises the tools used during the process as well as the principles and guidelines upon which it is based. Controlling and regulatory processes are also associated with the risk management process (e.g. risk control).
  • The most significant risks are monitored constantly. Existing measures and processes that are already operational as well as new measures and projects must be assigned annually to the highest priority risks and assessed periodically (risk reporting).
  • The processes of risk identification, risk assessment and monitoring of any implemented measures (control activities) are supported electronically.
  • Sanitas’ risk management process is aligned with the ISO 31000 standards and divided into the following four methodical phases (risk management control system):
  1. Risk identification: the systematic process of identifying risks and documenting their characteristics. This is the first phase of risk management (risk management control system). Level 1 and 2 risk drivers are also identified for each risk as part of the Sanitas Group’s integrated risk management process in order to identify the cause and effect of risks and any cross-sectional risks.
  2. Risk analysis: involves the analysis and classification of risks in order to quantify the probability of occurrence and the extent of a potential loss. The probability of occurrence is determined for a period of three years (planning period of strategic corporate goals), and the extent of a potential loss is determined with regard to the impact on the Sanitas Group’s invested capital.
  3. Risk navigation: includes the definition of risk navigation measures. This includes measures to accept, avoid, control and transfer specific risks and risk segments.
  4. Risk monitoring/reporting/early warning: in addition to compulsory regulatory guidelines, a bottom-up reporting structure should be implemented to form the basis for the enactment of top-down directives (board of directors) and objectives in line with the Sanitas Group’s risk appetite. As part of the risk reporting process an early warning system should also be implemented to enable the Sanitas Group to make risk information available promptly in an appropriate form where necessary (adverse event reports).