Operational Risk Management in Mandatum Life
The objective of operational risk management in Mandatum Life is to enhance the efficiency of internal processes and decrease negative impact on Mandatum Life. The aim is to minimize operational risks subject to cost-benefit considerations.
Business units are responsible for the identification, assessment and management of their own operational risks, including organizing adequate internal control. The Operational Risk Committee (ORC) monitors and coordinates risk management issues regarding operational risks within Mandatum Life, such as policies and recommendations concerning operational risk management. The committee ensures that risks are identified and that internal control and risk management have been organized in a proper way. The committee also analyses deviations from operational risk management policies and monitors the operational risks identified in the self-assessments as well as the incidents that have occurred. The committee meets at least three times a year. Significant observations on operational risks are submitted to the Risk Management Committee and the Board of Directors on a quarterly basis.
Operational risks are identified in Mandatum Life through several different sources and methods:
- Self-assessment: A self-assessment process is used to map and evaluate the major operational risks and their probabilities and significance, including an evaluation of internal controls and the sufficiency of instructions. Self-assessment is conducted annually.
- Analysis of incidents: Realized operational risks and near misses reported by the business units are collected and analyzed by the ORC. Each business unit is responsible for ensuring that incidents and near misses that have occurred are reported to the ORC.
- Follow-up of the external environment is included in the annual strategy process, where the key trends of Mandatum Life’s business environment are identified. External events are also monitored continuously and the company reacts to these as soon as possible (e.g. changes in taxation or laws).
The most significant operational risks for Mandatum Life identified in the operational risk self-assessment process include, among others, the following: changes in the external operating environment, IT (especially aging IT systems), manual phases in processes, loss of key personnel, mis-selling and false information to customers.
In order to limit operational risks, Mandatum Life has approved a number of policies, including the Internal Control Policy, Compliance Policy, Security Policies, Continuity Plan, Procurement and Outsourcing Policy, Complaints Handling Policy and a number of other policies related to ongoing operative activities. Deviations from the different policies are followed up independently in each business unit and reported to the Compliance Officer and the ORC.
The internal control system in processes aims at preventing and identifying negative incidents and minimizing their impact. In addition, should an operational risk event or a near miss occur, it must be analyzed and reported to the ORC.