Both BaFin and the insurers under its supervision are largely in agreement when it comes to the most significant risks for the insurance industry. The development of interest rates, of inflation, the war in Ukraine, cyber risks and the significant amount of uncertainty in general surrounding the assessment of the risk situation: these are the main unpredictable factors that the insurance sector has to deal with at the moment.

BaFin’s expectations for insurers are clear when it comes to these risks: they must make use of the processes provided for by law – e.g. regular review of the system of governance – in this difficult environment in order to determine on a regular basis whether the business organisation in general and the risk management system in particular are appropriate for their business strategy. This includes performing a fundamental analysis in this respect. If necessary, insurers must make adjustments that can have an impact on the risk management system, business strategy and risk appetite.

It is clear that the management board is responsible for ensuring proper business organisation – which also includes effective risk management – and this responsibility cannot be delegated elsewhere. This also applies to insurance groups, where responsibility lies with the management of the ultimate parent undertaking. Management must proactively and critically examine how business is organised. It is not enough to simply react when issues arise. Of course, insurers can apply the principle of organisational freedom as far as business organisation is concerned, but they must still comply with the minimum legal requirements in this regard. In addition, the business organisation must be suitable for the selected business model.

Insurance groups must implement their risk management system consistently across the whole group. This system must include all business activities, regardless of whether these are carried out within or outside the EU and whether or how these are regulated. In order to make risk management effective, it is also particularly important, from a supervisory perspective, to set up a system that ensures proper and prompt risk reporting from subsidiaries to the ultimate parent undertaking, including its management board. In this context, the ORSA process, i.e. the process for own risk and solvency assessments, is a key tool for good risk management because, in this process, every group of undertakings must supplement the regulatory risk assessments with their own holistic assessment of risks.

In future, BaFin will particularly focus on the suitability of the risk management systems of insurance groups in addition to the key aspects outlined above. The group’s business activities will be the benchmark for assessing the adequacy and effectiveness of the business organisation, including the risk management system. BaFin will of course apply the principle of proportionality. However, this also means that the more extensive and complex the risk profile of a group is, the more requirements apply to the group’s business organisation.

If BaFin identifies serious shortcomings, it will work to ensure that these are resolved and will use the entire range of tools available under the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG). Such tools include the issuance of administrative acts and their publication as soon as they have become final and binding. BaFin may also consider the option of imposing capital add-ons if there are business organisation shortcomings. If the identified shortcomings have been resolved, BaFin will of course withdraw the capital add-ons it has imposed.