Risk management as an element of internal control
Internal control is a process that aims to ensure:
- the achievement of the goals and objectives set;
- economical and efficient use of resources;
- sufficient management of operations-related risks;
- reliability and correctness of financial and other management information;
- compliance with laws and regulations;
- compliance with the decisions of the Board and other bodies and with internal rules, regulations and practices.
Risk management is an element of internal control and involves the identification, assessment, limitation and control of risks arising from and closely connected with the company's business operations. Internal control is a management tool that helps the company to function efficiently, economically and reliably.
Varma is managed in a professional manner and in accordance with sound and cautious business principles. The company has established written procedures and quantitative and qualitative targets for its core functions. Varma's risk management plan takes into account what the Board of Directors decides on the content and organisation of internal control, on implementation of the internal control sectors and principles and on the joint guidelines for the internal control of the Group.
The Board of Directors follows a charter, which defines its core tasks and operating principles. As part of the company's internal control function, the Board deals with such matters as the company's risks, financial reporting, strategy, basic strategies connected with organisational development and management, budgets, investments, pension insurance business, operational plans, and development projects.
Risk management – organisation, responsibilities, supervision and reporting
The Board of Directors annually outlines a risk management plan and a contingency plan that cover all operations and assesses whether the company's internal control is appropriately arranged. The Board of Directors' Audit Committee supervises financial and other reporting and the status of internal control, e.g. by tracking the work in progress of internal and external auditing and by reviewing a variety of audit reports. The President and CEO monitors the company's risks in accordance with the principles laid down in the risk management, investment and contingency plans approved by the Board of Directors.
The Executive Group monitors the company's internal control and risk management processes and maintains and develops guidelines for risk management and emergency planning.
Risks are reported to the Board of Directors quarterly. The company's supervisory auditor and the person in charge of the internal audit take part in the meetings of the Audit Committee.
Managers are responsible for organising internal control, risk management, the legal compliance function and good governance in their areas. This ensures that internal control is fully integrated into company operations. The detailed plans and guidelines of each department supplement the plans and principles approved by the Board of Directors. Risk-taking limits and the indicators used are laid down and monitored separately by each function. Each function is responsible for implementing operational plans and budgets, and for operating efficiency, the supervision of outsourced operations and preparing for unsettled conditions. Information Management provides the expertise for the development, maintenance, project management, infrastructure and risk management of systems that are the responsibility of Business Operations. The targets, responsibilities and means of data security management are defined in the data security policy approved by the IT Executive Group. Information Management maintains a separate recovery plan relating to IT disruption.
The function responsible for preparing and implementing investment decisions (Investment Operations) and the supervisory and reporting function (Financial Administration and Actuaries) have been separated. The decision-making powers and the maximum limits for investments are presented as separate risk limits in the investment plan. The risk control function, which is independent of the Investment Operations, is responsible for monitoring investment risks in accordance with the limits set by the Board of Directors, including a financial-theory- and risk-theory-based assessment of investment risks and the reporting of results. Financial Administration is involved in reviewing the changes in the investment plan and in the implementation process of new investment products, and controls mainly through random inspections the solvency classification of investments and instrument pricing.
The Chief Financial Officer is responsible for the independent monitoring of investment positions and risks. The Financial Administration reports monthly to the Board of Directors on observations relating to investment risk management.
If necessary, any major problems observed are reported to the management, compliance officer and the Board of Directors.
Investment risks and the impacts their realisation would have on Varma's risk-bearing capacity are monitored in a monthly report by the officer responsible for investment risk management in the Actuaries function. The Actuaries function also reports to the Board of Directors on Varma's risk level in relation to the risk level of the earnings-related pension system.
Investment management is responsible for arranging the handling of the investment portfolio and operative investment risk management. The risk management function of Investment Operations monitors the trends in the portfolio position vis-à-vis the risk limits defined in the investment plan and the basic allocation, and reports on them on a daily basis. Adherence to authorisations and allocation and investment assignments are monitored by the Investment Operations on a daily basis.
The Financial Administration coordinates the identification and management of operational risks in different departments. It also prepares a summary of the risk assessments drawn up by the departments. The Chief Financial Officer is in charge of monitoring operational risks.
The compliance officer reports to the Board of Directors on compliance with the insider guidelines. In order to manage the risks relating to malpractice, Varma emphasises the continuous observing of ethical operating principles and applies different control methods for protection against malpractice risks. Each department bears responsibility for managing risks relating to malpractice. Varma has specific guidelines in place to prevent money laundering and the financing of terrorism.
Varma complies with the Finnish Corporate Governance Code for listed companies where applicable.
Goals and general risk management principles
Risk management aims to secure the rights of pensioners and policyholders. Risks relating to the company's operations are identified, assessed, limited and supervised, taking a long-term perspective. Risk management ensures that if risks are realised, they will not cause significant financial losses, or endanger Varma's customer service and other services, the continuity of operations, the attainment of the company's business targets, or affect trust in the company. Varma applies efficient and reliable processes both internally and when co-operating with its partners.
In order to ensure efficient risk management, the company relies on, among other things, the careful preparation of decisions, use of experts, risk insurance, detailed job descriptions, approval routines, decentralisation of functions and tasks, physical control, data protection and security, personnel training, planning process, maintenance of different backup arrangements, distribution of necessary information and limiting access to confidential information to those who need it. As tasks, power of decision and responsibility are divided, no one person is allowed to deal with a single matter throughout the handling chain, so that potentially dangerous combinations have been separated. Actions are subject to independent supervision and approval mechanisms. Personnel are not allowed to participate in the preparation of or decision-making on a matter concerning themselves, their family or friends.
When agreeing on the terms of outsourcing, Varma's responsibility for the outsourced functions, e.g. for conforming to regulations, continuous and disturbance-free business operations and contingency planning, is taken into account. The function in charge of outsourcing must take into consideration clear contracts and processes, supervision of the outsourced activities and risks relating to the outsourcing.
Varma observes good insurance principles and treats all policyholders in a fair manner. All business transactions with policyholders are on market terms. Particular attention is paid to transactions covering the financing of a policyholder's operations, real estate and other transactions, and leases.
Varma's business risks are related to:
- the earnings-related pension system,
- client base development, and
The company's main operating sectors are pension services, insurance services, client services, and investment operations, including their support functions. Essential risks are related to investments, information technology, the networked operation of the pension system, adjusting the control system and operating models to the rapidly changing economic situation and to the efficient implementation of legislative changes.
Other major risks include costs related to the structure of the earnings-related pension system, risks related to the choice of technology, and the project and implementation stage of new projects, contractual and counterparty risks, as well as risks related to the functioning and financial success of the partnership network.
Varma's most important operational requirement is to manage all pension and insurance transactions correctly and on time.
Financially the most important risks are those concerning investments and solvency.
Other risks are those connected with management information, corporate image, functional shortcomings and/or incorrect use of information systems, incorrect handling of information, incorrect interpretation of provisions and regulations, incorrect handling of investments, the company's physical operating environment, efficient use of resources, and disturbances in the European payment system.
The pension system may also be affected by risks connected with its structure and functioning, and the country's economy. These are discussed in more detail in the section Other risks.
Varma has one head office, one operational area (Finland), a simple group structure, statutory products, a small number of staff relative to its turnover, and a low number of transactions relative to its investment volume. Varma analyses its risks from bottom to top and from top to bottom so that it can ensure that all company risks are comprehensively covered from different perspectives.
Pension insurance risks include:
- the management of the complex information systems that maintain the production of services,
- risks related to the functioning of the centralised earnings registers and outsourced services, and
- possible errors in the processing and payment of pensions or in the calculation and collection of insurance contributions.
With online services expanding, malfunctions in the company's internal systems and the public infrastructure will affect the production of services.
The TyEL component of the earnings-related pension system functions on a partially funded basis. Around one fifth of the pensions paid each year is previously funded, while the remaining part is a pooled component, which is covered by annually collected insurance contributions. The funded parts of the pension are the responsibility of individual pension institutions, while the pooled components are the joint responsibility of all the pension institutions.
The provision for pooled claims contained in the technical provision acts as a buffer for jointly managed insurance business. The amount of the provision for pooled claims in the entire earnings-related pension system is estimated to correspond to nearly a year's PAYG pension expenditure. The clearing system eliminates the effects caused by the varying development of the pension insurance institutions' active insurance portfolios. Thus the cost of the pooled components presents no risk for the individual pension institution.
Basic pensions under the Self-employed Persons Pensions Act YEL are financed in full by the insurance contributions collected annually in accordance with the pay-as-you-go system and by the State's contribution and do not present a risk for the individual pension institution.
The level of earnings-related pension cover is based on a defined benefit pension scheme, and is therefore not based directly on the return on funded pension assets. Earnings-related pension benefits are secured for the insured and pensioners by a statutory joint and several liability for bankruptcy that applies to all earnings-related pension insurance institutions. The costs of pension provision are borne by employers and employees together. The Ministry of Social Affairs and Health annually confirms the common calculation bases concerning the technical provisions for earnings-related pension insurance companies. The calculation bases include issues such as actuarial assumptions used in the calculation of technical provisions, for example, mortality and disability incidence rate. Under the TyEL act, the technical bases must be secure and, should the base for technical provisions prove insufficient for all earnings-related pension insurance institutions, the technical provisions can be supplemented with a clearing system.
The risks of Varma's insurance business are linked to the sufficiency of the insurance contributions collected and the technical provisions accumulated from them in relation to the pensions that are the company's responsibility. Because common calculation bases can be changed annually, and the clearing system acts as a buffer for all insurance risks concerning earnings-related pension insurance institutions, the risk for an individual pension institution lies in its deviation from the average of the pension system.
The equalisation provision, which contains a risk-theory-based lower and upper limit, helps the companies to prepare for fluctuations in their annual insurance business results. Varma's equalisation provision under TyEL was approximately EUR 1,071 million at the end of 2011, which is about 6.1 per cent of the total payroll of the insured. The corresponding risk components included in TyEL contributions totalled approximately 4.0 per cent of the total payroll in 2012.
The greatest fluctuation in the insurance business relates to disability pensions. In terms of the disability and unemployment pension component, the amount of Varma's equalisation provision corresponds to the funded pension expenditure of more than three years.
Technical provisions are calculated per person and insurance during the spring following the financial year in an annual calculation, after employers have provided the required earnings data. The Finnish Centre for Pensions carries out the clearing in the autumn following the financial year, at which time the remaining components of the technical provisions can be calculated. The calculation of the technical provisions in the Financial Statements is based on estimates.
According to the annual calculation, the structure of Varma's technical provisions on 31 December 2011 was as follows:
Neither the age structure of the employees insured by Varma nor the employers’ size or lines of business deviate significantly from the average for all earnings-related pension institutions, and the company’s equalisation provision is somewhat higher than the average. Thus Varma carries no risk relating to an atypical insurance portfolio.
Risk management in insurance business applies insurance technique analyses. Insurance risks are analysed using, for example, risk assumption analysis (mortality, disability intensity), financial statements and business result analysis (insurance technique, distribution of responsibility) and, for example, when compiling statistics on contribution losses and disability pension expenditure. In drawing up the financial statements, in particular the estimate of the insured’s payroll may deviate from the final sum. This is reflected in the company’s premium income and the amount of technical provisions, but hardly affects the company’s result.
Until 31 December 2012, the risks involved in the assets covering technical provisions, i.e. primarily investment risks, were provided for by the solvency capital, whose amount was monitored in relation to the technical provisions and the limits calculated on the basis of investment allocation and other limits. Thus, solvency capital provided the company with a buffer for years in which the return on the assets covering the technical provisions was below the interest credited on technical provisions.
Some regulations related to investment operations and solvency were amended for a fixed period of time in the latter part of 2008. The legislation was extended to 31 December 2012. Until then, the EMU buffers, as they are called, included in the provision for pooled claims were used temporarily to support solvency capital, and the minimum solvency capital limit was lower.
As of the beginning of 2013, the earlier solvency capital and the equalisation provision were combined to form a new buffer, which will be used to carry the risks related to both investments and insurances. The calculation of the solvency limit was also adjusted, and in future it will take into account the insurance risk. At the turn of the year, Varma’s solvency capital remained at the same level as when calculated according to the temporary legislation. The changes raised the solvency limit by about 0.7 percentage points.
A part of the interest credited on technical provisions (10%) is determined retroactively and is based on the pension-insurance companies’ actual equity returns. An equity-linked provision for current and future bonuses, which is between -10 per cent and +5 per cent of the technical provisions, helps the insurance companies to carry the risks involved. If a pension institution’s equity returns differ from the average, it must employ its solvency capital to carry the risks that this involves. When the average equity return is calculated, the weight of the largest pension institutions is limited to 15 per cent.
The following table presents the allocation of investments and certain other items according to solvency group at year-end.
Market risk is the fluctuation of the value of investments. The greatest market risk is that involved in equities. Other market risks are the interest rate risk, foreign currency risk, and the value change risk of real estate objects. Interest rate risk can be realised as a price risk, and early repayment of capital as a reinvestment risk.
Inflation risk is the decrease of the real value or return of assets.
Credit risk is a danger of loss caused by the inability of the counterparty to honour its commitment.
Liquidity risk is the realisation of cash flow at a different amount than expected. A risk is also constituted by investments that cannot be converted into cash at all or can only be converted at a major loss. In the management of liquidity, any guarantee engagements must also be taken into account. Liquidity disturbances in the banking system are also mirrored in Varma's liquidity.
The model risk is constituted by the risks involved in risk measurement. In measurement it is necessary to make assumptions and simplifications concerning calculation methods and calculation materials, which may deviate from reality. There may also be risks related to the valuation of investments, and some of the investments' values are available with a delay.
Investment risk management makes use of calculation assumptions and the regulations governing technical provisions and solvency, among other things. Management of investment risks involves the determination of acceptable risk levels for different investment categories within the framework approved by the Board of Directors, continuous risk measurement using selected methods (different indicators used in risk management, market information and analyses, computer applications), comparison with acceptable levels, and reporting. Risk management also involves adaptation of the investment portfolio so that a correct risk/return ratio can be maintained. The nature of technical provisions and their return requirement are also taken into account when the time span and liquidity of investments are considered.
The investment plan approved by the Board of Directors defines, among other things, the following:
- the general security goals set for investments,
- the general principles for investment allocation,
- the return, diversification and liquidity goals of investments,
- the criteria for using derivative contracts, and
- the principles for arranging foreign currency business.
At least once a year, the Board of Directors assesses the status and outlook of Varma's operating environment, the investment risks in terms of changes in value, expected returns, security, and the foreign currency business, and the company's short-term and long-term risk-bearing capacity and the development of the company's solvency position.
The basic allocation of the investment portfolio laid down in the investment plan approved by the Board of Directors also lays down the basic level for the total portfolio risk. The investment portfolio may differ from the basic allocation within the allocation limits specifically defined in the investment plan.
Varma aims to maximise the yield expectation at the selected total risk level, which means that investments will have optimum profitability to the extent allowed by the company's risk-bearing capacity. Active risk targets have been laid down for different asset classes and items within which Varma is making active investment efforts to produce returns above the market index. The portfolio's realised market risks, active risks and returns generated by active investments are regularly monitored and reported in the Investment Operations.
Varma's investment portfolio's structure by asset class and returns by asset class for 2012 are presented in the Notes to the Financial Statements.
Geographical allocation of investments in listed equities:
Direct investments in real estate according to purpose of use:
The vacancy rate of business premises was 6.2 (5.4) per cent.
Bonds according to credit rating:
Loans by type of security are presented in the Notes to the Financial Statements under Loan receivables.
Furthermore, Varma takes into account the corporate responsibility principles of investment allocation, and the share ownership principles in which, among other factors, high-quality governance and the operational transparency of domestic and foreign companies are important selection criteria in making investment decisions.
The market risk of investments, mainly equities, constitutes the biggest risk relating to the result and solvency. The VaR (Value-at-Risk) figure, which measures the total risk of Varma's investments, stood at EUR 1,076 million (1,551) at year-end 2012. The figure indicates the greatest possible fall in the market value of the company's investment portfolio in ordinary market conditions over a period of one month at a probability of 97.5%.
The total risk relating to investments is adjusted to the company's risk-bearing capacity in such a way that the company's solvency position is not endangered. The maximum risk level is measured such that even after a 25% drop in the value of listed equity investments and certain hedge fund investments, the solvency capital still exceeds the minimum solvency capital (=2/3 of the solvency limit; however, 2 per cent of the technical provisions when the temporary act is effective) by at least the amount of the VaR and is in any case always at least at the solvency limit. The restrictions that apply to different investment categories are also taken into account when calculating the assets covering the technical provisions.
The different maximum limits of investments are presented as separate risk limits in the investment plan. The diversification of the investment portfolio is based on allocation that takes into account the return correlations of asset classes.
Investment risks can be abated and eliminated, for example,
- by diversifying investments by asset class and item,
- by analysing the investment portfolio and items,
- by avoiding risk concentrations,
- by limiting the amount of unlisted securities,
- through a securing guarantee policy,
- through careful valuation practices,
- by integrating assets and liabilities,
- by using derivatives,
- by applying adequate and on-time supervision and monitoring arrangements, and
- by minimising counterparty risks.
The risk limits and authorisations laid down in the investment plan are monitored by the Investment Operations both before and after assignments. In addition to analyses of investment markets, Varma monitors matters such as investment duration, classification and liquidity. In real estate investments, Varma pays special attention to technical and location risks, among others.
New investment instruments with return and risk profiles that are significantly different from the instruments contained in Varma's present portfolio are examined by the Investment Committee and are also presented to the Board of Directors before being applied. The realised risks of the investment instruments with return and risk profiles that differ from those normally used are examined regularly. Following the examination, the investment instruments are given a solvency classification that is in accordance with their actual risk.
The table below shows how falls in equity prices and real estate values and increases in interest rates would affect return and solvency figures in the financial statements.
The investment diversification requirement is a central part of the company's technical provisions and solvency regulations. When the solvency limit is calculated and the assets covering the technical provisions are listed, investments are categorised into solvency groups. Under the regulations, euro-denominated derivative authorisations and the permitted maximum loss must be determined, and derivative contracts must be classified into risk-lowering and other than risk-lowering contracts. Varma's largest individual corporate risk position is its equity ownership, which has a market value of EUR 1,194 million, in Sampo Plc.
The Board of Directors decides on the principles concerning the use of derivative contracts and the principles for the solvency classification of investments. Based on a proposal by the Chief Investment Officer, the CEO decides on the risk classification of investments and an independent investment risk management function will give an opinion on the proposals. Solvency classification is reviewed on a regular basis. The Board of Directors receives an independent monitoring report on the adherence to the classification criteria, and on the use of derivative contracts and the impact this has on the solvency limit.
Operational risks entail
- a danger of loss,
- a threat to the continuity of operations, or
- a diminishing of trust in the company,
caused either by the company's internal processes or by unanticipated external events.
Operational risks are related to processes and methods, information systems, possible malpractice, property damage and staff competence.
The company makes every effort to eliminate any defects in its supervision systems that would permit unintentional or intentional errors or misuse concerning such matters as insurance or claims handling, investments, reporting, payment transactions, register details, data processing, division of work, partners' operations, or documentation.
Operational risks are charted on a regular basis. The potential impacts and likelihood of identified risks are assessed on a risk-specific basis, and the risks are linked to strategic aims and processes. Identified risks are compiled into a risk chart in which risks are classified on the basis of an overall evaluation and in accordance with their potential to threaten Varma's success and the goals approved by the Board of Directors. Overall consideration of the impacts of the risks and deciding on measures take place in accordance with Varma's standard planning and decision-making system. A continuity plan is drawn up for functions that may involve substantial risks. The preparation of the plan is at the discretion of the line management.
The economic development of the coming years will be characterised by the current euro crisis, increasing government budget deficits and a slowdown in overall global economic demand. The structural challenges for the Finnish economy are the sharp growth in public spending caused by the ageing of the population, the dwindling workforce, and especially the declining industrial activity in our country.
The escalation of the Finnish structural challenges in the current economic situation increases the risk that the financing balance of the earnings-related pension system will weaken in the long term and medium term, especially if the pension reform of 2017 does not achieve the goals set for an economically and socially sustainable pension system. The current economic crisis also adds to the risk of cost-increasing regulation in the earnings-related pension sector.
In order to control the risks, Varma is co-operating closely with its stakeholders and other players in the field and is developing its processes so that it can react to any changes in the earnings-related pension system on time.
Varma's preparation for unsettled and exceptional circumstances
Principal threat types and their concomitant special circumstances related to pension payments and funding include serious perturbations in the infrastructure required by the networked operating model, citizens' health and income security, and society's economic capacity. Due to the distributed management of pension cover, there is a lot of co-operation within the earnings-related pension system. This increases mutual dependency and vulnerability. The internationalisation of information technology services and bank services creates challenges for contingency operations.
Contingency operations secure critical activities in exceptional circumstances and normal activities in seriously disturbed conditions. Also in exceptional circumstances or when threatened by them, Varma will fulfil its statutory and contractual obligations as comprehensively and for as long as possible. In co-operation with other players, banks, authorities, and the service security organisation, priority will be given to securing services connected with citizens' income security.
Varma has a recovery plan for situations where IT is disrupted and a contingency plan approved by the Board of Directors, which is supplemented by detailed plans prepared by different functions. A contingency unit, which the managers of core functions belong to, coordinates the activities in possible contingencies.
The contingency unit is responsible for preparing the contingency plan, for preparing for unsettled situations, for preparing and maintaining other plans (such as the recovery plan and the security and rescue plan) and instructions based on it, for managing unsettled situations, for contingency actions, for building, maintaining and testing contingency systems, and for taking into account the experiences gained from drills organised within the sector in the company's operations. The members of the contingency unit, in their own area of responsibility, take care of emergency planning, construction and testing of backup systems, providing timely information and securing data storage.
Significant risks in exceptional circumstances include
- the payment of pensions is jeopardised,
- the financing of pensions and liquidity management become more difficult,
- the implementation of processes during exceptional circumstances does not happen quickly enough,
- bank systems, investment trading systems or other societal infrastructures fail to work,
- the earnings-related pension systems, telecommunication lines or co-ordination within the sector fail to work,
- our own IT applications or networks fail to work, stoppage of services provision,
- counterparty risks and the invalidity of contracts under exceptional circumstances, and
- risks related to the availability of data at the onset of a crisis.
Varma participates in operational drills together with other pension insurance institutions, insurance companies, banks and financial players.
Internal auditing operates in accordance with the principles defined in the professional standards of internal auditing. It comprises independent and objective assessment, securing and consulting activities whose purpose is to support the organisation in achieving its goals by producing assessments and development proposals concerning the status of risk management and other internal controls. The organisational status, tasks, responsibilities and powers of the internal audit are laid down in the instructions approved by the Board of Directors. The areas to be audited are set out in an annual audit plan approved by the Board of Directors after it has been heard by the Executive Group and the Audit Committee. The audit observations are reported to the company management, the Audit Committee and the Board of Directors. The internal audit is organised under the supervision of the CEO.
Control by authorities
In addition to laws and decrees, Varma's operations are governed by the instructions and regulations of the Financial Supervisory Authority. Varma provides the Financial Supervisory Authority with information and reports on a regular basis or as required. The supervising authority carries out appropriate inspections related to administration, solvency, investment operations and operational risks, among other things.