Operational risks are identified and assessed through the Operational and Compliance Risk Assessment (OCRA) process. Self-assessments to identify, measure, monitor and manage operational risks are performed and reported by the line organization periodically. Identified risks are assessed from a likelihood and impact perspective. The residual risk for each identified risk is assessed using a traffic light system. The process is supported by an operational risk coordinator network, and the results are challenged and aggregated by the Risk Management function. The most significant risks are reported to the Operational Risk Committee (ORC), the Own Risk and Solvency Assessment Committee (ORSA committee) and to the Board of Directors.
A system is implemented for incident reporting procedures and follow-up. Incident data is used to analyse risk, and severe incidents are tracked to ensure proper actions are taken.
If P&C has issued a number of steering documents which are relevant for the management of operational risk. These include but are not limited to the Operational Risk Policy, Business Continuity Policy and Security and Information Policy. If P&C also has processes and instructions in place to manage the risk of external and internal fraud. Internal training on ethical rules and guidelines is provided to employees on a regular basis. Policies and other internal steering documents are reviewed and updated on a regular basis.