Good governance is about more than just box-ticking.

As a global insurer, we regard good governance practices as essential to our day-to-day business of serving customers and paying claims. This not only means having the appropriate internal controls, policies and procedures, and structures and oversight; it also requires our 3,000+ employees to be accountable for their actions and empowered to raise their hand if something goes wrong. Naturally it also means complying with the laws and regulations that are relevant to our operations.

Sustainability oversight in the business

Responsibility for governance ultimately sits with our Board and its committees and we have a framework in place to ensure appropriate oversight. We have a sustainability working group that meets monthly to drive progress, and a sustainability steering committee which meets quarterly to provide strategic oversight and is chaired by our Group CEO.


How we manage risk

Our success depends on how well we understand and manage our exposures across key risk areas including strategic risk, insurance (underwriting and reserve) risk, market risk, credit risk, operational risk and regulatory, legal and tax risks. Our collective risk knowledge informs every important decision we make.



We take an enterprise-wide approach to managing risk. Our risk management framework provides a controlled system for how risk is identified, measured, managed, monitored and reported across the Group. It supports innovative and disciplined underwriting across many different classes of insurance by guiding our appetite and tolerance for risk.

Risk governance


The Group coordinates risk management roles and responsibilities across three lines of defence.

Three lines of defence model


The Group’s ORSA process involves a self-assessment of the risk mitigation and capital resources needed to achieve the strategic objectives of the Group and relevant insurance carriers on a current and forward-looking basis, while remaining solvent, given their risk profiles. The annual process includes multi-disciplinary teams from across the business, such as capital, finance and business planning.

Hiscox Own Risk and Solvency Assessment (ORSA) governance


We are all our first line of defence

Working in a regulated industry means we take staff training seriously. Our Three Lines of Defence model for managing risk means that everyone, at every level of our organisation, has responsibility for risk management on a day-to-day basis. We deliver a year-round programme of internal training, testing, awareness and education on issues such as information security, data privacy and data protection, and how to report an incident. This includes a cyber security awareness month, where we provide hints and tips on what to look out for when it comes to phishing, smishing and other cyber security issues. We perform regular company-wide phishing tests to monitor internal vigilance against suspicious emails, and we publish timely news items on issues such as mobile security during the summer holidays or online shopping security in the run-up to Christmas.

Identifying and addressing emerging risks

Keeping on top of emerging risks and regulations allows us to explore how our business can adapt and respond to change, if necessary, to be able to operate in the medium term. One way we do this is through our emerging risk forum, which assesses risks and opportunities which could potentially affect the business - topics have included climate change, data regulation and the impact of changes in governments. In addition, our Group compliance function and our exposure management groups regularly perform horizon scanning for regulatory change, for example monitoring general insurance value measures, the 2021 transition from LIBOR and Solvency II enhancements.

Testing our resilience

A regular cycle of stress testing and scenario analysis helps us identify and measure the likelihood and impact of potentially plausible, but extreme, events. Testing our resilience in this way is important to ensure we manage risk well and evolve at the same pace as the risks we cover. We have embedded an internal programme of stress testing, which is performed annually to assess the resilience of the business plan in extreme, adverse scenarios. We participate in regulator-led exercises, most notably the Prudential Regulation Authority's (PRA) General Insurance Stress Test (GIST), part of which was carried out in conjunction with the Bermuda Monetary Authority (BMA).
The scenario in 2019 required us to examine climate and cyber events as new scenarios alongside the traditional scenarios which include a deterioration in the economic environment. This confirmed that the Group is able to withstand the considered short-term shocks and has strong controls and mitigation strategies in place across risk types.

Bringing our teams together for cyber crisis simulations and large loss dry runs

We carry out a combination of events with leadership and underwriting teams to ensure our preparedness for reputational issues and large losses. In 2019 this included a three-day cyber large loss training exercise (CLLTE), which brought together over 50 participants across 14 locations to test our response to a market-changing cyber loss event, put us under pressure and challenge our plans. We also conducted a series of desktop simulations with country leadership teams to work through operational challenges arising from a reputational event.

London Market Looks Ahead Report

Helping build resilience across our industry

Hiscox led a consortium of London insurance market organisations and associated entities in an exercise to simulate a serious disaster resulting in extraordinary global insurance losses of around US$200 billion. The aim was to test how the world’s pre-eminent insurance market would respond in a worst-case scenario catastrophe. The events chosen reflect the changing nature of risk: a highly destructive hurricane, an unprecedented cyber event, one of the largest stock market declines, and a major reinsurer default with consequent delays in reinsurance payments. We published the results and recommendations for improving industry resilience in our white paper.

Policies and disclosures

The small print that helps us get the big things right.

Environmental, social and governance issues (including issues such as tax, anti-bribery and anti-corruption, investor stewardship and climate change) and diversity and inclusion are integrated into both risk assessment and strategy, with responsibility ultimately sitting with the Board and its committees.

Our annual financial condition report (FCR), which is a requirement of the Bermuda Monetary Authority (BMA) for Bermudian insurers and of the UK’s Prudential Regulation Authority (PRA), provides stakeholders with additional information on the financial condition of the company over and above that contained in the annual financial statements.
