Risk management

Strategic risk

The possibility of adverse outcomes resulting from ineffective business plans and strategies, decision‑making, resource allocation or adaptation to changes in the business environment. The Group’s continuing success depends on how well we understand our clients, markets and the various internal and external factors affecting our business, and having a strategy in place to address risks and opportunities arising out of this. Not having the right strategy, or not being responsive to changing market conditions, could have a detrimental impact on profitability, capital position, market share and reputation.

Underwriting risk

The risk that insurance premiums prove insufficient to cover future insurance claims and associated expenses. Likely causes include failing to price policies adequately for the risk exposed, making poor risk selection decisions, allowing insurance exposures to accumulate to an unacceptable level, or accepting underwriting risks outside of agreed underwriting parameters. This includes people, process and system risks directly related to underwriting, and considers emerging external risks such as climate, geopolitical and changing customer trends.

We continue to focus on maintaining and improving, where needed, the quality and balance of our portfolios, strengthening our pricing and risk selections, and growing where the opportunities are commensurate with the risk. During the year, we continued to navigate a set of complex external conditions impacting underwriting risk. These ranged from a continued volatile geopolitical environment (notably, US tariffs and the ongoing conflicts in Ukraine and the Middle East), macroeconomic shifts (with sluggish economic growth in the UK and Europe), emerging societal trends (such as increased propensity to litigation), and the impact of climate change. 

Our active monitoring of economic and social inflation, the impact from supply chain disruptions, the heightened threat of cyber attacks, and emerging litigation trends, has continued to allow Hiscox to respond promptly, ensuring our pricing keeps pace with costs. We continue to monitor and evolve our view of property exposure risks from natural catastrophes influenced by climate change through our set of realistic disaster scenarios (see page 42). Our underwriting exposure remains well within our Board-approved risk appetite levels and, in 2025, our business units have managed the cycle very well.

Reserving risk 

The Group makes financial provisions for unpaid claims, defence costs and related expenses to cover liabilities both from reported claims and from ‘incurred but not reported’ (IBNR) claims. Reserving risk relates to the possibility of unsuitable case reserves and/or insufficient outstanding reserves being in place to meet incurred losses and associated expenses, which could affect the Group’s future earnings and capital.

Credit risk 

There remains a threat of global recession, which could, in turn, increase default risk. There is also the risk of a reinsurance counterparty being subject to a default or downgrade, or that for any other reason they may renege on a reinsurance contract or alter the terms of an agreement. The Group buys reinsurance as a protection, but if our reinsurers do not meet their obligations to us, this could put a strain on our earnings and capital and harm our financial condition and cash flows. Similarly, if a broker were to default, causing them to fail to pass premiums to us or pass the claims payment to a policyholder, this could result in Hiscox losing money.

Market risk

There is the threat of unfavourable or unexpected movements in the value of the Group’s assets or the income expected from them. This includes risks related to investments, for example, losses within a given investment strategy, exposure to inappropriate assets or asset classes, or investments that fall outside of authorised strategic or tactical asset allocation limits.

While the economic environment has remained volatile, returns on our fixed income portfolio remained strong through 2025. The Group also maintains modest exposure to selected non-fixed income investments which provide diversification benefits to the overall portfolio. 

We continue to look at incrementally improving long-term risk and capital-adjusted outcomes through further diversification across the wider investment universe.

Liquidity risk 

The risk of being unable to meet customer or other third-party payment obligations from available resources as they fall due. This could result in higher than expected costs in selling assets or raising money quickly to meet our obligations.

The Group’s liquidity risk appetite is designed to ensure that appropriate cash resources are maintained to meet obligations as they fall due, both in business-as-usual and stressed circumstances. 

This is measured using a liquidity coverage ratio, which compares liquidity sources to stress-tested liquidity requirements. The Group’s liquidity position remains robust and we have access to further liquidity through our revolving credit facility and the debt capital markets if needed.

Regulatory, legal and tax governance

This relates to the risk that the business fails to act, or is perceived to have failed to act, in accordance with applicable legal, regulatory, and tax requirements in all of the jurisdictions where the Group operates. The regulatory, legal and tax environment continues to be complex, with frequent changes in rules and expectations which increase complexity in this area.

We monitor the regulatory, legal and tax compliance landscape for emerging changes to local and international laws and regulations in the jurisdictions in which we operate. Areas of regulatory development that we have continued to work on during the year have included proposed insurer resolution regimes (Bermuda, UK, and Europe), and the EU Digital Operational Resilience Act (DORA). 

In relation to tax developments, 2025 saw the introduction of Bermuda Corporate Income Tax as well as further development of the Global Anti‑Base Erosion Model Rules (Pillar Two). This remains a live issue as the OECD works through the implications of the ‘side-by-side’ approach to Pillar 2, proposed by the USA and the G7 in June 2025, which may lead to further changes. An internal project is progressing on track to ensure that we are able to comply with the incoming Global Minimum Tax rules. 

We invest in proactive engagement with all of our regulators, including through our participation in the annual college of supervisors, hosted by the Bermuda Monetary Authority (BMA), which is an opportunity to update all of our regulators together on strategic developments across the Group.

Operational risk

This is the risk of direct or indirect loss resulting from internal processes, people or systems, or from external events. It includes cyber security risk, which is a constant threat due to the evolution of attack tools and methods, fuelling the ongoing challenge of maintaining the systems and processes necessary to protect the confidentiality, integrity or availability of information and data. Operational risk covers the potential for financial losses, and implications from a legal, regulatory, reputational or customer perspective.

Risks from people, process, systems and external events are closely monitored by senior executives across the business. 

We continue to evolve our operational risk management processes including our defences against, and response to, information security and cyber threats. Our information security policy is updated annually and approved by the Board. The policy sets out the Group’s approach and commitment to information security, including the Group’s requirements for a robust approach to protect, preserve and manage the confidentiality, integrity and availability of the Group’s information assets and information systems (including technology infrastructure). It is supported by a suite of other policies. We also buy insurance against liabilities including but not limited to those related to cyber and information security risks. 

We regularly reassess our information security standards and methodologies to ensure appropriate governance and consistency has been applied to our approach. Our approach to information security risk management extends to third-party providers, so through our procurement and claims teams we ensure third parties receive notification of the security requirements expected of them upon contract signing and at contract renewal. 

Talent and capabilities risk is actively managed. We continue to monitor and adapt our hybrid working policies and practices to ensure that our workforce is equipped with the necessary skills and tools to succeed, and we are pleased to have maintained a high level of employee engagement in 2025 (see page 21). 

2025 saw the acceleration of our transformation journey, which is a key enabler to achieving our ambitious growth plans. Risk management is fundamental to this programme

Climate change-related risk

This relates to the range of complex physical, transition and liability risks arising from climate change. It includes the risk of higher claims as a result of more frequent and more intense natural catastrophes; the financial risks which could arise from the transition to a low-carbon economy; and the risk that those who have suffered loss from climate change might then seek to recover those losses from others who they believe may have been responsible. Climate change-related risk is not considered a stand-alone risk, but a cross-cutting risk with the potential to amplify each existing risk type.