Risk management

As a Group we have a robust and embedded risk management strategy which aims to maximise return on equity within a defined risk appetite. The Group’s success is dependent on how well we understand and manage our exposures to principal risks.

Principal risks

The principal risks facing the organisation are described below.

The possibility of adverse outcomes that may result from strategic initiatives taken or not taken by the Group. This may include business expansion or contraction, mergers and acquisitions, negative impact to reputation or brand, or failure of the Board to provide adequate oversight of the business or make appropriate business decisions.

What is the risk? Why do we have it? How is it managed?

Strategy evolution and execution
This is the risk of ineffective business plans and strategies, decision making, resource allocation or adaptation to changes in the business environment.

The Group’s continuing success depends on: i) how well we understand our clients, markets and the various internal and external factors affecting our business; and ii) having a strategy in place to address risks and opportunities arising out of this. Not having the right strategy could have a detrimental impact on profitability, capital position, market share and reputation.

Setting the right course and long-term strategic objectives at a high level is essential for the long-term success of the Group. This is especially important because some strategic initiatives require multi-year commitment and execution.

Hiscox is to balance the underwriting of high-margin, volatile, complex global risks with comparatively stable, local specialist retail products.

Each of the businesses pursues its strategic objectives as set out by the business unit leadership teams and approved by the relevant Board through the operating plan process. In addition, the Executive Committee sets out a common set of strategic objectives for the Group that cut across businesses and functions. These are based on the collective understanding of internal challenges and priorities, as well as external factors.

Furthermore, various Hiscox emerging risk forums collate and assess information, both external and internal, on potential emerging themes, risks and opportunities. Each has a different purpose and focus, but these processes link together to form an enterprise-wide view. This year, topics have included the unknown extent of economic downturn, the consequences of increased digitalisation and connectivity and other potential sources of systemic risks. Additional consideration has been placed on items that have already emerged but are constantly evolving, assessing the impact of these on our business and the markets in which we operate, such as the evolving nature of cyber risks, climate change and Covid-19. Stress testing and scenario analysis help identify possible dependencies and correlations between risks, which could impact on the Group’s strategy.

The risk that insurance premiums will not be sufficient to cover future insurance claims and associated expenses. It also encompasses people, process and system risks directly related to underwriting, such as human error in paying invalid claims or misquoting premium prices.

What is the risk? Why do we have it? How is it managed?

This is the risk of failing to price policies adequately, or making poor risk selection decisions. 

Hiscox competes against major international insurance and reinsurance groups. At times, competitors may choose to underwrite risk at prices below the break-even technical price. Prolonged periods in which premium levels are low or competition is intense are likely to have a negative impact on the Group’s financial performance.

Accepting risks below their technical price is detrimental to the industry. It can drive market rates down to a point where underwriting losses mount, insurers’ capital is reduced and some businesses fail. Customers could receive poor service and the industry could suffer negative publicity.

We operate in open, aggressively competitive markets in which barriers to entry for new players are relatively low. Competitors may choose to differentiate themselves by undercutting their rivals. As a result, capacity levels in these markets rise and fall, causing prices to go up and down, creating volatile market cycles.

We adapt our desire to write certain lines of business according to market conditions and the Group’s overall risk appetite. We reject business unlikely to generate underwriting profits and regularly monitor pricing levels, producing detailed monthly reports on how pricing and exposures are developing.

This allows us to quickly identify and control any problems created by deteriorating market conditions. Hiscox frequently acts as the lead insurer in the co-insurance programmes needed to cover high-value assets, so we have some ability to set market rates.

The Group rewards its staff for producing profit not revenue. This helps to maintain underwriting discipline in soft markets.

Pricing policies have been developed for each legal entity and class of business. In addition, some classes of business maintain more detailed technical underwriting guidelines.
Pricing adequacy is assessed via the peer review process. All underwriters and classes of business are subject to peer review.

All underwriters and classes of business are also subject to independent review. In addition, the Group Chief Underwriting Officer commissions a series of independent portfolio reviews, including file reviews, providing a formal critique of the underwriting approach and strategy for classes of business or products that are typically either new, unproven or have recently missed budget.

What is the risk? Why do we have it? How is it managed?

Underwriting exposure management

This is the risk that insurance exposures accumulate to an unacceptable level, are not fully understood or materialise unexpectedly.
Hiscox insures individual customers, businesses and other insurers for damage caused by a range of catastrophes, both natural (for example, hurricanes or earthquakes) and man-made (for example, terrorism), which can cause heavy underwriting losses that materially impact the Group’s earnings and financial condition if they occur. 

The Group buys reinsurance protection to manage catastrophe risk and reduce the volatility that major losses could have on our financial position. If the Group’s reinsurance protection were proven to be inadequate or inappropriate, it could significantly affect our financial condition.

Underwriting large, volatile and complex risks can be potentially costly, but can also create strong returns over the medium to long term. The scope and type of protection we buy may change from year to year depending on the extent and competitiveness of cover available in the market.

The Group underwrites catastrophe risk in a carefully controlled manner. Our strategy of creating and maintaining a diversified portfolio, both by product and geography, helps limit our overall catastrophe exposure.
The Group’s business plan is underpinned by a clearly-defined appetite for underwriting risk. We closely monitor our risk exposure to maximise the expected risk-return profile of our entire portfolio and offset any potential losses from more volatile accounts. Peer review assesses whether or not risks are in line with underwriting appetite.

Underwriters are incentivised to make sound decisions that are aligned with the Group’s strategic objectives and risk appetite, and clear limits are placed on their underwriting authority. In response to legal developments, policy wordings are regularly reviewed to ensure that, as far as possible, exposure to those risks identified in the policy at the time of issue is maintained.

Our modelling resources are tailored to support insurance and reinsurance plans and ensure that exposure matches expectations. Risk aggregation and modelling resources are shared across the Group. 

Comprehensive stress and scenario testing is performed to assess our potential exposure to certain catastrophes.
We buy reinsurance to reduce our risk exposure and mitigate the impact of catastrophes based on a clear outwards reinsurance strategy and centralised reinsurance programme that enables us to minimise gaps in coverage across the business and get the right deal by leveraging our size. Decisions about the type and amount of reinsurance we buy are supervised by a dedicated reinsurance purchasing team using modelling techniques. Oversight is provided by a number of key committees, including the reinsurance purchase group.

What is the risk? Why do we have it? How is it managed?

Authority breach

This is the risk of accepting underwriting risks outside of agreed underwriting parameters or where authority limits have been breached.

Hiscox assigns underwriting parameters based on a number of factors, including level of experience and skill of the individual.

These parameters are in place for all relevant Hiscox employees and those that fall under a third-party delegated authority.

Accepting risks outside of agreed underwriting appetite, regardless of source, can result in unplanned or misunderstood underwriting exposures.

Underwriter authority letters (UALs) are in place for all underwriters and reviewed at least annually. The underwriting control function maintains records of the UALs. Potential breaches of UALs are monitored periodically and escalated where necessary to senior management. Material underwriting breaches are reported to the nominated Director and relevant division management team, and there can be significant consequences for individuals who breach their underwriting authority.

Peer reviews and technical underwriting reviews assess whether or not UALs are adhered to.

With respect to parties with delegated underwriting authority, authorities granted by Hiscox are closely controlled through strict underwriting guidelines, contractual restrictions and obligations. A Group-wide delegated authority policy sets out clear standards and principles for managing the delegation of authority to external third parties. We vet all third parties prior to appointment and monitor and audit them regularly.

The risk of unsuitable case reserves (for example, over- or under-reserving) and/or insufficient technical reserves in place to meet incurred losses and associated expenses.

What is the risk? Why do we have it? How is it managed?

Claims Reserve risk

The risk of unsuitable case reserves (e.g. over- or under-reserving) and/or insufficient technical reserves in place to meet incurred losses and associated expenses.

The Group makes financial provisions for unpaid claims, defence costs and related expenses to cover liabilities both from reported claims and from ‘incurred but not reported’ (IBNR) claims. Insufficient reserves could affect the Group’s future earnings and capital.

When underwriting risks, we estimate both the likelihood of claims occurring and their cost. Our actual claims experience could exceed our expectations, requiring us to increase our levels of reserves held.

The provisions we make to pay claims reflect our own experience and the industry’s view of similar business. They are also influenced by loss payments, pending levels of unpaid claims, historic trends in reserving patterns and potential changes in rates arising from market or economic conditions. Provisions are set above the actuarial best estimate to reduce the risk that actual claims may exceed the amount we have set aside. 

Our provision estimates are subject to rigorous controls and review by all areas of the business, as well as by independent actuaries. The relevant boards approve the amount of the final provision, on the recommendation of dedicated reserving committees.

The risk of loss or adverse financial impact due to default by counterparties to which Hiscox is exposed.

What is the risk? Why do we have it? How is it managed?

Counterparty Default – Reinsurer 

The risk of default or downgrade of a reinsurance counterparty, causing them to renege on their reinsurance contract(s) or alter the terms of agreement.
The Group buys reinsurance to protect us, but if our reinsurers were unable to meet their obligations to us it could put a strain on our earnings and capital, and harm our financial condition and cash flows.

We cover clients against a range of catastrophes and protect ourselves through reinsurance. We face credit risk when we seek to recover sums from our reinsurers.

We buy reinsurance only from companies we believe to be strong. A dedicated Reinsurance Credit Committee, a subcommittee of the Group Credit Committee, must approve the use of every reinsurer, based on an assessment of their financial strength, trading record, payment history, outlook, organisational structure and external credit ratings.

Our credit exposures to these companies are closely monitored, as are the companies themselves, so we can quickly identify any potential problems. We consider public information, our experience of the companies, their behaviour in the marketplace and consultants’ and rating agencies’ analysis.

What is the risk? Why do we have it? How is it managed?

Counterparty Default – Broker

This is the risk of default of a broker counterparty, causing them to renege on or alter the terms of agreement.

If a broker defaults, causing them to fail to pass premiums to us or fail to pass the claims payment on to a policyholder, this can result in us losing money.

A significant portion of our business is written through brokers. We face credit risk when money is transferred to and from brokers for premiums or claims.

We monitor our exposure to brokers on an ongoing basis and have continued dialogue with our core brokers to quickly identify and resolve any credit issues that arise. Such monitoring takes into account a number of factors, which can include credit rating, financial position, financial performance, payment history and market factors.

In the case of some large losses, we pay policyholders directly to reduce broker credit risk on material transactions.

The threat of unfavourable or unexpected movements in the value of Hiscox’s assets and/or the income expected from them.

What is the risk? Why do we have it? How is it managed?

Investment Risk

This is the risk of a loss over a 12 month period for a given investment strategy, or the exposure to inappropriate assets/asset classes, or operating outside of authorised Strategic Asset Allocation/Tactical Asset Allocation limits.

Money received from our clients in premiums, and the capital on our balance sheet, is invested until it is needed to pay claims or other liabilities. These funds can be exposed to investment risk.

The investment of the Group’s assets generates an investment return. Our investment portfolio is exposed to a number of risks including, but not limited to, changes in interest rates, credit spreads and equity prices.

Our objective is to maximise risk-adjusted investment returns in the prevailing financial, economic and market conditions, without creating undue risk to the Group’s capacity to underwrite. Funds held for reserves are invested primarily in high-quality bonds and cash. To reduce foreign exchange risk, these are usually maintained in the currency of the original premiums for which they were set aside. As many of our insurance and reinsurance liabilities have short time spans, we do not aim to match exactly the duration of our assets and liabilities.

The Group’s fixed-income fund managers operate within clear guidelines as to the type and nature of bonds in which they can invest. These prioritise the need to pay claims while providing sufficient flexibility to enhance returns.

A proportion of funds is allocated to riskier assets, principally equities and hedge funds. By taking a long-term view on these assets, we seek to achieve the best possible risk-adjusted returns. Within our risk assets, we make an allocation to less volatile, absolute return strategies, which balance our desire to maximise returns with the need to ensure capital is available to support our underwriting throughout any downturn in financial markets.

What is the risk? Why do we have it? How is it managed?


The risk that the Group is unable to meet cash requirements from available resources within appropriate/required timescales.

A failure of our liquidity strategy could leave us unable to meet cash requirements to pay liabilities to customers or other creditors when they fall due. We might also incur high costs in selling assets or raising money quickly in order to meet our obligations. 

Such a failure could have a material adverse effect on the Group’s financial condition and cash flows.


If a catastrophe occurs, the Group may be faced with large, unplanned cash demands. This could be exacerbated by having to fund a large number of claims pending recovery from our reinsurers.

Although our investment policies stress the conservation of principal and liquidity, our investments are subject to market-wide risks and fluctuations.

The Group’s investment policy recognises the demands created by our underwriting strategy, so that some investments may need to be sold before maturity or at short notice. A high proportion of our investments are in liquid assets, which reduces the risk of losses being incurred if a quick sale is needed. Funds held for reserves are invested primarily in high-quality, short duration bonds and cash so the Group can meet its aim of paying valid claims quickly.

The Group’s cash requirements can normally be met through regular income streams: premiums, investment income, existing cash balances or by realising investments that have reached maturity. Our primary source of inflows is insurance premiums, while our outflows are largely expenses and payments to policyholders through claims. We forecast our cash flow for the week, month, quarter, or up to three years ahead, depending on the source.
To identify potential issues, we run stress tests to estimate the impact of a major catastrophe on our cash position. We also consider the impact on our liquidity of other adverse events occurring, such as an economic downturn and declining investment returns.

The Group maintains extensive borrowing facilities with a range of major international banks. This further reduces the risk of not having sufficient liquidity to meet our obligations as they fall due.

The risk of direct or indirect loss resulting from internal processes, people or systems, or external events.

What is the risk? Why do we have it? How is it managed?

Data Security

Failure to implement or maintain the systems and processes necessary to protect the confidentiality, integrity or availability of information and data.

Cyber security risk is a subset of information security risk and is the threat to the Group posed by the higher maturity of attack tools and methods, the increased exposure and the increased motivation of attackers.

As well as causing financial losses, information and cyber security risks can have legal, regulatory and reputational consequences.


Our business is based on trust from customers and partners, and that trust depends on our ability to keep their information secure.

We operate in a world in which the volume of sensitive data and the number of connected devices and applications have increased exponentially, while cyber attacks are increasingly frequent and sophisticated.
Our business depends on the confidentiality, integrity and timely availability of the information and data we maintain, own and use.

The information security group, which is chaired by the Chief Financial Officer and attended by the information security risk owners, manages the risk in line with the Group’s risk appetite, supported by experts from around the business. 

The Group employs dedicated information security resources to advise on information security design and standards, and conduct assurance activities. Our defensive capabilities include industry standard monitoring with additional protection for specific, highly confidential information. 

The Group invests in a rolling programme that deploys and evolves systems, policies and procedures to mitigate internal and external threats to our IT infrastructure. We conduct Group-wide mandatory training on information and cyber security, which is also mandatory for all third parties and contractors.

Our stress testing and scenario analysis considers the impact and likelihood of information security exposures and assesses management actions, including response plans.

What is the risk? Why do we have it? How is it managed?

Information technology and systems failure

This is the risk associated with a major IT, systems or service failure and the impact it could have on our business.


Our information technology and systems are critical to conducting business and providing continuity of service to our clients, including supporting underwriting and claims processes.

We have dedicated IT resources that support the Group’s technology needs and oversee critical systems and applications.

Our stress testing and scenario analysis considers the impact and likelihood of an IT or systems failure and assesses how management actions could be taken to mitigate the risk.

A formal disaster recovery plan is in place to deal with workspace recovery and the retrieval of communications, IT systems and data should a major incident occur. These procedures would enable us to quickly move the affected operations to alternative facilities. The plan is tested regularly and includes simulation tests.

What is the risk? Why do we have it? How is it managed?

Project risk and change management

This is the risk that projects and/or change initiatives are not delivered to plan, budget or specification, or that the risks inherent in projects, or the interdependencies across projects, are not appropriately managed.

Where this occurs, there may be not only direct financial losses, but also indirect losses through distraction risks and inefficiencies.

We operate in an ever-changing environment, with technological advancements, customer behaviour and external expectations evolving rapidly in recent years. To remain relevant, we must continue to evolve how we conduct our business.

All major programmes have dedicated project governance structures to oversee their delivery, including risk management aspects. Programme sponsors also provide updates to the Boards and Risk Committees as appropriate.

Heads of change in business units and for the Group provide portfolio-level oversight of risks, issues and resource needs across projects. This includes the evolution of project governance and the coordination of best practice guidance.

The programme assurance office is a second line function that provides oversight across all major programmes. It provides senior management with an independent view of the progress, risks and issues within the programmes, as well as the linkages between them.
Specialist resource is used to augment project resources, either in a contractor or advisory capacity, as needed.

The risk of financial loss, regulatory censure, additional taxation, reputational damage and/or other adverse impact as a result of non-compliance with all relevant regulatory, legislative and tax requirements in all relevant jurisdictions.

What is the risk? Why do we have it? How is it managed?

Regulatory, legal and tax governance

Regulatory risk is the risk of failing to act in accordance with relevant regulatory requirements in all relevant jurisdictions or deterioration in the quality of relationship with one or more regulators.

Legal risk is the risk of failing to act in accordance with relevant legal requirements in all relevant jurisdictions.

Tax governance risk is the risk of failing to act in accordance with relevant taxation laws or adapt to changes in taxation.

We operate in a global environment and insurance is a highly-regulated financial industry. There may be times when the regulatory, legal or tax landscapes undergo significant change that directly impacts our business. For example, local country tax authorities are evolving their approach and expectations with regard to the transparency and nature of the tax base.

The Group understands that sound, prudent regulation is key to the stability and sustainability of the insurance market and wider financial markets. We continuously monitor new regulation and review our internal processes to facilitate compliance. Our approach is to combine local expertise with a globally consistent framework to manage regulatory, legal and tax change and provide effective compliance with the various and evolving requirements.

For more on our approach to risk management, see our latest annual report.