Governance

Good governance is about more than just box-ticking.

For us as a global insurer, good governance practices are essential to our day-to-day business of serving customers and paying claims. This not only means having the appropriate internal controls, policies and procedures, and structures and oversight; it also requires our 3,000+ employees to be accountable for their actions and empowered to raise their hand if something goes wrong. Naturally it also means complying with the laws and regulations that are relevant to our operations.

In 2025 we launched a new global Code of Conduct for our employees, which reflects our commitment to ethical, responsible, and sustainable business practices, as well as our respect for human rights, diversity, and inclusion. It is also a reflection of our culture and identity.

Sustainability oversight in the business

Responsibility for governance ultimately sits with our Board and its committees and we have a framework in place to ensure appropriate oversight. We have a sustainability working group that meets monthly to drive progress, and a sustainability steering committee which meets quarterly to provide strategic oversight and is chaired by our Group CEO.

 

How we manage risk

Our success depends on how well we understand and manage our exposures across key risk areas including strategic risk, insurance (underwriting and reserve) risk, market risk, credit risk, operational risk and regulatory, legal and tax risks. Our collective risk knowledge informs every important decision we make.

 

Find out more about the principal risks facing our organisation.

We take an enterprise-wide approach to managing risk. Our risk management framework provides a controlled system for how risk is identified, measured, managed, monitored and reported across the Group. It supports innovative and disciplined underwriting across many different classes of insurance by guiding our appetite and tolerance for risk.

Risk governance

 

The Group coordinates risk management roles and responsibilities across three lines of defence.

Three lines of defence model

 

The Group’s ORSA process involves a self-assessment of the risk mitigation and capital resources needed to achieve the strategic objectives of the Group and relevant insurance carriers on a current and forward-looking basis, while remaining solvent, given their risk profiles. The annual process includes multi-disciplinary teams from across the business, such as capital, finance and business planning.

Hiscox Own Risk and Solvency Assessment (ORSA) governance

 

We are all our first line of defence

Working in a regulated industry means we take staff training seriously. Our Three Lines of Defence model for managing risk means that everyone, at every level of our organisation, has responsibility for risk management on a day-to-day basis. We deliver a year-round programme of internal training, testing, awareness and education on issues such as information security, data privacy and data protection, and how to report an incident. This includes a cyber security awareness month, where we provide hints and tips on what to look out for when it comes to phishing, smishing and other cyber security issues. We perform regular company-wide phishing tests to monitor internal vigilance when it comes to suspicious emails, and we share timely news items on issues such as mobile security during the summer holidays or online shopping security in the run-up to Christmas.

Identifying and addressing emerging risks

Keeping on top of emerging risks and regulations allows us to explore how our business can adapt and respond to change, if necessary, to be able to operate in the medium term. One way we do this is through our emerging risk forum, which assesses risks and opportunities that could potentially affect the business; topics have included demographic change, quantum computing and the impact of geopolitical upheaval. In addition, our Group compliance function and our exposure management groups regularly perform horizon scanning for regulatory change, for example monitoring developments in AI regulation, and recovery and resolution regimes.

Testing our resilience

A regular cycle of stress testing and scenario analysis helps us identify and measure the likelihood and impact of potentially plausible, but extreme, events. Testing our resilience in this way is important to ensure we manage risk well and evolve at the same pace as the risks we cover. We have embedded an internal programme of stress testing, which is performed annually to assess the resilience of the business plan in extreme, adverse scenarios. We participate in regulator-led exercises, most notably the Prudential Regulation Authority's (PRA) General Insurance Stress Test (GIST).


Our stress and scenario testing programme continues to confirm that the Group is able to withstand the considered short-term shocks and has strong controls and mitigation strategies in place across risk types.

Bringing our teams together for cyber crisis simulations and large loss dry runs

We carry out a combination of events with leadership and underwriting teams to ensure our preparedness for reputational issues and large losses. We conduct a series of desktop simulations with country leadership teams to work through operational challenges arising from a range of events.

Policies and disclosures

The small print that helps us get the big things right.

Environmental, social and governance issues (including issues such as tax, anti-bribery and anti-corruption, investor stewardship and climate change) and diversity and inclusion are integrated into both risk assessment and strategy, with responsibility ultimately sitting with the Board and its committees.

Our annual financial condition report (FCR), which is a requirement of the Bermuda Monetary Authority (BMA) for Bermudian insurers and of the UK’s Prudential Regulation Authority (PRA), provides stakeholders with additional information on the financial condition of the company over and above that contained in the annual financial statements.

View our key policies and disclosures