Risk management

Strategic risk

The possibility of adverse outcomes resulting from ineffective business plans and strategies, decision-making, resource allocation or adaptation to changes in the business environment. The Group’s continuing success depends on how well we understand our clients, markets and the various internal and external factors affecting our business, and having a strategy in place to address risks and opportunities arising out of this. Not having the right strategy could have a detrimental impact on profitability, capital position, market share and reputation.

We consider strategic risks in a holistic way, to better prepare our business for emerging threats, shifting trends, and opportunities in the environment in which we operate. During 2023, we have remained vigilant to potential adverse impacts of economic, geopolitical, social, technological and regulatory developments on our Group strategy. Our Group strategy was refreshed during 2021, with clarity of focus on consistent delivery from our big-ticket businesses, accelerated growth in retail digital and balanced growth in retail traded. The Group strategy remains unchanged with a strong focus on execution throughout 2023. 

The external environment remains complex and uncertainties persist, but our robust strategy means that despite the external headwinds there is still tremendous opportunity for Hiscox in each of our chosen segments.

Underwriting risk

The risk that insurance premiums prove insufficient to cover future insurance claims and associated expenses. Likely causes include failing to price policies adequately for the risk exposed, making poor risk selection decisions, allowing insurance exposures to accumulate to an unacceptable level, or accepting underwriting risks outside of agreed underwriting parameters. This includes people, process and system risks directly related to underwriting, and considers emerging external risks such as climate, geopolitical and changing customer trends.
 

We continue to focus on maintaining and improving, where needed, the quality and balance of our portfolios, strengthening our pricing and risk selections, and growing where the opportunities are commensurate with the risk. 

During the year, we continued to navigate a set of complex external conditions impacting underwriting risk. These ranged from the more volatile geopolitical environment (notably, the Russia/Ukraine conflict and more recently the conflict in Israel and the Gaza Strip), macroeconomic shifts (particularly inflationary pressures in most Western economies), emerging societal trends (such as increased propensity to litigation), and the continued potential impact of climate change. 

Our active monitoring and enhanced view of economic and social inflation, impact from supply chain disruptions, the heightened threat of cyber attacks, and emerging litigation trends, has continued to allow Hiscox to respond promptly, ensuring our pricing keeps pace with costs. We continue to monitor and evolve our view of property exposure risks from natural catastrophes influenced by climate change through our set of realistic disaster scenarios (see annual report pages 38 to 39). Our underwriting exposure remains well within our Board-approved risk appetite levels. 

We also continue to invest in the underwriters of the future through our award-winning faculty of underwriting training academy, which was first rolled out in 2022 to help manage and mitigate underwriting talent risks.

Reserving risk 

The Group makes financial provisions for unpaid claims, defence costs and related expenses to cover liabilities both from reported claims and from ‘incurred but not reported’ (IBNR) claims. Reserving risk relates to the possibility of unsuitable case reserves and/or insufficient outstanding reserves being in place to meet incurred losses and associated expenses, which could affect the Group’s future earnings and capital.

Credit risk 

There remains an increased threat of global recession, particularly given central bank interest rate response to inflation, which could, in turn, increase default risk. There is also the risk of a reinsurance counterparty being subject to a default or downgrade, or that for any other reason they may renege on a reinsurance contract or alter the terms of an agreement. The Group buys reinsurance as a protection, but if our reinsurers do not meet their obligations to us, this could put a strain on our earnings and capital and harm our financial condition and cash flows. Similarly, if a broker were to default, causing them to fail to pass premiums to us or pass the claims payment to a policyholder, this could result in Hiscox losing money.

Market risk

There is the threat of unfavourable or unexpected movements in the value of the Group’s assets or the income expected from them. This includes risks related to investments – for example, losses within a given investment strategy, exposure to inappropriate assets or asset classes, or investments that fall outside of authorised strategic or tactical asset allocation limits.

Whilst the economic environment has remained volatile, the rises in inflation and accelerated interest rate increases, which drove mark-to-market investment losses on our bond investment portfolio during 2022, have now led to higher returns during 2023. 

The Group also maintains modest exposure to selected non-fixed income investments which provide diversification benefits to the overall portfolio. We continue to look at incrementally improving long-term risk and capital-adjusted outcomes through further diversification across the wider investment universe.

Liquidity risk 

The risk of being unable to meet customer or other third-party payments as they fall due. This could result in high costs in selling assets or raising money quickly to meet our obligations.

The Group’s liquidity risk appetite is designed to ensure that appropriate cash resources are maintained to meet obligations as they fall due, both in business-as-usual and stressed circumstances. This is measured using a liquidity coverage ratio, which compares liquidity sources to stress-tested liquidity requirements. 

The Group’s liquidity position remains robust, with around $1 billion of fungible liquidity at 31 December 2023 (including $600 million of undrawn committed facilities). The Group has access to further liquidity through the debt capital markets.

Regulatory, legal and tax governance

This relates to the risk that the business fails to act, or is perceived to have failed to act, in accordance with applicable legal, regulatory, and tax requirements in all of the jurisdictions where the Group operates. The regulatory, legal and tax environment continues to be complex, with frequent changes in rules and expectations which increase complexity in this area.

We monitor the regulatory, legal and tax compliance landscape for emerging changes to local and international laws and regulations in the jurisdictions in which we operate. 

Regulatory developments during the year have included several ongoing developments in relation to Solvency II (for example, Bermuda Solvency II equivalence status and proposed changes to the application of Solvency II in the UK), as well as the FCA Consumer Duty impacting our UK entities. Our embedded sanctions management processes, supported by the compliance team, have continued to ensure our business can respond quickly and adhere to changes in the sanctions landscape, as was seen during 2022 following the Russian invasion of Ukraine. 

In relation to tax developments, 2023 saw the continued movement towards implementation of the OECD’s Global Anti-Base Erosion Model Rules (Pillar Two) at a local level; and in December 2023, Bermuda enacted a new corporate income tax, effective 2025. Our preparations for the incoming rules have included working with expert advisors and industry bodies such as the ABI and the ABIR to ensure industry-specific issues are identified and addressed, as well as working transparently and collaboratively with our key tax authority stakeholders. 

We invest in proactive engagement with all of our regulators, including through our participation in the annual college of supervisors, hosted by the BMA, which is an opportunity to update all of our regulators together on strategic developments across the Group.

Operational risk

The risk of direct or indirect loss resulting from internal processes, people or systems, or from external events. This includes cyber security risk, which is the threat posed by the higher maturity of attack tools and methods and the increased motivation of cyber attackers, in conjunction with a failure to implement or maintain the systems and processes necessary to protect the confidentiality, integrity or availability of information and data. Operational risk also covers the potential for financial losses, and implications from a legal, regulatory, reputational or customer perspective, for example, major IT, systems or service failures.

Risks from people, process, systems and external events are closely monitored by senior executives across the business. Ongoing competition and retention of talent, heightened threat of cyber attacks and continued growth in hybrid working practices are all examples of risks affecting the operational risk landscape. 

We continue to evolve our operational risk management processes including our defences against, and response to, information security and cyber threats. Our information security policy is updated annually and approved by the Board. The policy sets out the Group’s approach and commitment to information security, including the Group’s requirements for a robust approach to protect, preserve and manage the confidentiality, integrity and availability of the Group’s information assets and information systems (including technology infrastructure). It is supported by a suite of other policies including our acceptable use policy, encryption policy, access control policy, data classification policy, and third-party security policy. We also buy insurance against liabilities including but not limited to those related to cyber and information security risks. 

We regularly reassess our information security standards and methodologies to ensure appropriate governance and consistency has been applied to our approach. For example, a maturity assessment facilitated by an independent external third party was conducted in 2022, and another maturity assessment involving both our internal audit team and an independent external third party will take place in 2024. Our approach to information security risk management extends to third-party providers, so through our procurement and claims teams we ensure third parties receive notification of the security requirements expected of them upon contract signing and at contract renewal. 

2023 also saw a continued focus on Group-wide crisis management response planning, which included performing a series of cyber crisis simulations to test and enhance the response plans that are embedded across business areas and functions including business continuity plans, surge plans, people plans and communication plans. 

The organisation has also established an enterprise portfolio management (EPM) capability during 2023, aimed at strengthening operational maturity and controls in relation to the Group’s change agenda over the next two to three years. 

Talent and capabilities risk is also being actively managed. We continue to monitor and adapt our hybrid working policies and practices and ensure that our workforce is equipped with the necessary technology to enable this. In the second half of 2023, we also completed a ‘ways of working’ review. These measures have continued to be successful in addressing the associated operational risks and we are pleased to have maintained a high level of employee engagement in 2023 (see annual report pages 7 and 47). 

Climate change-related risk

This relates to the range of complex physical, transition and liability risks arising from climate change. It includes the risk of higher claims as a result of more frequent and more intense natural catastrophes; the financial risks which could arise from the transition to a low-carbon economy; and the risk that those who have suffered loss from climate change might then seek to recover those losses from others who they believe may have been responsible. Climate change-related risk is not considered a stand-alone risk, but a cross-cutting risk with the potential to amplify each existing risk type.