Vitalis Group SA — Risk Management Framework

The enterprise risk-management framework, the risk register and the mitigation measures covering underwriting, market, operational, regulatory and strategic risks.

Section 13 · Business Plan

13.1 Risk Governance

Risk governance follows the three lines of defence model. The first
line — business and operational management — owns risk in the course of
running the business; the second line — independent Risk, Compliance and
Actuarial functions — sets policy, monitors, and challenges; the third
line — Internal Audit — provides independent assurance to the Audit
& Risk Committee of the Board. The Chief Risk Officer reports
administratively to the CEO and functionally to the Audit & Risk
Committee Chair.

13.2 Principal Risks

The principal risks of the Company are categorised into seven groups,
each managed under a formal risk appetite statement approved by the
Board.

Risk Category                    Likelihood   Impact   Net Rating   Owner
Insurance underwriting risk      High         High     Critical     CUO
Operational and IT risk          Medium       High     High         COO/CTO
Regulatory and conduct risk      Medium       High     High         CRO
Cyber and data privacy risk      Medium       High     High         CISO
Strategic and competitive risk   Medium       Medium   Moderate     CEO
Financial and market risk        Medium       Medium   Moderate     CFO
Talent and people risk           Medium       Medium   Moderate     CPO

13.3 Risk Appetite Statement (Summary)

  • Solvency. Solvency capital coverage ratio
    maintained above 150% under standard formula; intervention below
    130%.
  • Earnings volatility. No single insurance event
    to cause more than 20% reduction in annual planned EBITDA at 1-in-25
    confidence.
  • Cyber. No tolerance for unmitigated critical
    cyber findings; mean-time-to-resolve below 24 hours.
  • Conduct. Customer complaints upheld ratio below
    1.5% of policies in force; zero tolerance for systemic conduct
    failure.
  • Reputation. Zero tolerance for material breach
    of POPIA, FAIS, FICA or sanctions controls.

13.4 Stress and Scenario Testing

The Company performs at least quarterly stress testing against a
defined library of scenarios, including: (i) pandemic claims
acceleration (1-in-50 mortality event); (ii) catastrophic weather event
(1-in-100 KZN-floods equivalent); (iii) cyber data-loss event with
regulatory penalty; (iv) sudden lapse spike (15% above plan); (v)
reinsurer counterparty failure; and (vi) sovereign credit-rating
downgrade affecting investment portfolio.

13.5 Business Continuity and Disaster Recovery

A formal Business Continuity Management System (BCMS) aligned with
ISO 22301 governs operational resilience. Recovery time objectives (RTO)
and recovery point objectives (RPO) are defined for each critical
business service and tested at least annually under realistic simulation.
Primary and secondary data centres are geographically diverse, and data
is replicated synchronously for critical services.

Confidential — this business plan is provided to prospective investors and lenders for evaluation purposes only and may not be reproduced or distributed without the written consent of Vitalis Group South Africa (Pty) Ltd.