Vitalis Group SA — Risk Management Framework
The enterprise risk-management framework, the risk register and the mitigation measures covering underwriting, market, operational, regulatory and strategic risks.
Section 13 · Business Plan
Risk Management Framework
13.1 Risk Governance
Risk governance follows the three lines of defence model. The first
line — business and operational management — owns risk in the course of
running the business; the second line — independent Risk, Compliance and
Actuarial functions — sets policy, monitors, and challenges; the third
line — Internal Audit — provides independent assurance to the Audit
& Risk Committee of the Board. The Chief Risk Officer reports
administratively to the CEO and functionally to the Audit & Risk
Committee Chair.
13.2 Principal Risks
The principal risks of the Company are categorised into seven groups,
each managed under a formal risk appetite statement approved by the
Board.
| Risk Category | Likelihood | Impact | Net Rating | Owner |
|---|---|---|---|---|
| Insurance underwriting risk | High | High | Critical | CUO |
| Operational and IT risk | Medium | High | High | COO/CTO |
| Regulatory and conduct risk | Medium | High | High | CRO |
| Cyber and data privacy risk | Medium | High | High | CISO |
| Strategic and competitive risk | Medium | Medium | Moderate | CEO |
| Financial and market risk | Medium | Medium | Moderate | CFO |
| Talent and people risk | Medium | Medium | Moderate | CPO |
13.3 Risk Appetite Statement (Summary)
- Solvency. Solvency capital coverage ratio maintained above 150% under the standard formula; intervention below 130%.
- Earnings volatility. No single insurance event to cause more than a 20% reduction in annual planned EBITDA at 1-in-25 confidence.
- Cyber. No tolerance for unmitigated critical cyber findings; mean-time-to-resolve below 24 hours.
- Conduct. Customer complaints upheld ratio below 1.5% of policies in force; zero tolerance for systemic conduct failure.
- Reputation. Zero tolerance for material breach of POPIA, FAIS, FICA or sanctions controls.
13.4 Stress and Scenario Testing
The Company performs at least quarterly stress testing against a
defined library of scenarios, including: (i) pandemic claims
acceleration (1-in-50 mortality event); (ii) catastrophic weather event
(1-in-100 KZN-floods equivalent); (iii) cyber data-loss event with
regulatory penalty; (iv) sudden lapse spike (15% above plan); (v)
reinsurer counterparty failure; and (vi) sovereign credit-rating
downgrade affecting investment portfolio.
13.5 Business Continuity and Disaster Recovery
A formal Business Continuity Management System (BCMS) aligned with
ISO 22301 governs operational resilience. Recovery time objectives (RTO)
and recovery point objectives (RPO) are defined for each critical
business service and tested at least annually under realistic simulation.
Primary and secondary data centres are geographically diverse, and data is
replicated synchronously for critical services.
Confidential — this business plan is provided to prospective investors and lenders for evaluation purposes only and may not be reproduced or distributed without the written consent of Vitalis Group South Africa (Pty) Ltd.