Nimbus Direct Insurance — Risk Management Framework

The enterprise risk-management approach, the risk-appetite statement, and the principal risks and mitigation across underwriting, market, operational, regulatory and strategic risks.

Section 12 · Business Plan

12.1 Enterprise Risk Management Approach

Nimbus’s Enterprise Risk Management (ERM) framework is designed to
identify, measure, monitor and respond to risks across all material
categories, in alignment with Prudential Authority Prudential Standards
GOI 3 (Risk Management and Internal Controls), GOI 3.1 (Risk Management
— Risk Categories), and IAIS Insurance Core Principle 8. The ERM
Framework operates through five reinforcing components: (1) Risk
Strategy, (2) Risk Appetite, (3) Risk Identification & Assessment,
(4) Risk Monitoring & Reporting, and (5) Risk Response.

12.2 Risk Appetite Statement (Summary)

The Board will adopt and annually review a formal Risk Appetite
Statement. Indicative limits include:

Risk Category                          | Appetite / Tolerance                    | Trigger Action
---------------------------------------|----------------------------------------|------------------------------------------------
Solvency Capital Coverage (SCR)        | Target ≥ 150%; Minimum ≥ 130%          | Capital actions plan; restricted dividend
Combined Ratio (12-month rolling)      | Target ≤ 95%; Tolerance ≤ 102%         | Pricing review within 30 days
Loss Ratio (motor)                     | Target ≤ 60%; Tolerance ≤ 68%          | Underwriting tightening
Catastrophe single-event net loss      | ≤ ZAR 30M after reinsurance            | Reinsurance review and risk-grid recalibration
Investment portfolio drawdown (12m)    | ≤ 8% across insurance funds            | ALCO review; tactical re-allocation
Operational loss events (annual)       | < ZAR 25M aggregate                    | Root-cause analysis; control remediation
Cyber security incidents (Tier 1+)     | Zero tolerance                         | Immediate CIRT activation; regulator notification

12.3 Principal Risks & Mitigation

Underwriting Risk

Underwriting risk is the largest single risk category. Mitigants:
(i) the four-layer pricing architecture (Section 9.2); (ii) the
reinsurance programme (Section 5.4); (iii) the catastrophe risk
management approach (Section 9.5); (iv) monthly underwriting committee
review of segment-level loss ratios; (v) automatic price-adjustment
triggers when loss ratios deviate materially from plan.

Reserving Risk

The risk that technical provisions prove inadequate for the ultimate
cost of claims. Mitigants: chain-ladder and Bornhuetter-Ferguson
methodologies, IFRS 17 risk adjustment at the 75th percentile, quarterly
Actuarial Function review, annual external peer review, and prudent
assumption setting with explicit margins for adverse deviation in newer
lines.

Market & Investment Risk

The risk of drawdown in the investment portfolio. The Nimbus investment
policy emphasises capital preservation: at Year 1, 75% of insurance
funds will be invested in money-market and short-duration government
bonds, 15% in investment-grade corporate bonds, and 10% in a JSE Top 40
equity ETF. The Asset-Liability Committee (ALCO) meets monthly to review
duration, liquidity, and asset-liability mismatch.

Credit & Counterparty Risk

Concentration on reinsurer counterparties is monitored under the SAM
counterparty default risk module. Reinsurance treaties are diversified
across multiple Tier 1 counterparties (Munich Re S&P AA-, Swiss Re
AA-, Hannover Re AA-, Africa Re A) with explicit limits on
per-counterparty exposure.

Liquidity Risk

Mitigated through a Liquidity Risk Management Policy requiring (i)
cash and money-market instruments ≥ 30% of total assets at all times,
(ii) a Contingency Funding Plan, and (iii) quarterly liquidity stress
tests covering scenarios including catastrophe event, mass-lapse event,
and reputational shock.

Operational Risk

Includes fraud, systems failure, third-party failure, and people
risk. Mitigated through: (i) a formal Operational Risk Management
Framework with risk-control self-assessments, loss event database, key
risk indicators; (ii) business continuity planning with annual
exercises; (iii) vendor risk management framework (Section 8.4); (iv)
workforce planning and succession framework.

Cyber & Information Security Risk

A material and growing risk given the digital-first business model.
Mitigated through: ISO 27001 certification, NIST CSF v2.0 alignment,
multi-factor authentication, zero-trust network architecture, weekly
threat-intelligence reviews, quarterly penetration testing, annual
red-team exercises, and cyber insurance covering up to ZAR 200 million
of first- and third-party loss.

Regulatory & Compliance Risk

Mitigated through the three-lines-of-defence model (Section 10.4),
proactive regulator engagement, dedicated regulatory-change monitoring,
and a Compliance Programme aligned to PA, FSCA, NBFIRA, FIC, and POPIA
requirements.

Strategic Risk

Risk of strategic missteps, competitor response, or macro-environment
change. Mitigated through quarterly strategy review by the Executive
Committee, annual scenario planning, and a defined
competitive-intelligence function within the Marketing team.

12.4 Stress Testing

The Company will conduct formal stress tests at least annually as
part of the ORSA process, covering at minimum:

  • Severe combined ratio scenario (1-in-20-year loss experience
    across motor and property).
  • Catastrophe scenario (1-in-200-year event).
  • Market shock scenario (equity market down 30%, bond yields up
    200bps).
  • Combined adverse scenario (concurrent insurance and market
    stress).
  • Reverse stress test (identification of the scenario that would
    render the business model unviable).

Confidential — this business plan is provided to prospective investors and lenders for evaluation purposes only and may not be reproduced or distributed without the written consent of Nimbus Direct Insurance Group (Pty) Ltd.