
Principal risk: Credit Risk (Trend – stable)

Description: The risk of loss resulting from default in obligations due from, and/or changes in the credit standing of, issuers of securities, counterparties or any debtors to which the Group is exposed.

Risk commentary: The Group monitors its key counterparties, specifically the security of the issuers within its investment portfolio and that of its reinsurance counterparties.

To manage credit risk, we set credit limits for each material counterparty and actively monitor credit exposures, whilst also considering new future exposures. With respect to reinsurance counterparty credit risk, our exposures are mainly held with reinsurers with high credit ratings. Reinsurance is only purchased from reinsurers that hold a credit rating of at least A– for short tail reinsurance, and the majority of long tail reinsurance is to be purchased from reinsurers rated A+ or above.

Exceptions to the above or strategic reinsurance arrangements are assessed on a case-by-case basis and follow clearly defined internal credit risk processes.

Finally, we also have well-defined criteria to determine which customers and brokers are offered and granted credit.

Principal risk: Operational Risk (Trend – stable)

Description: Operational risk is the risk of loss due to inadequate or failed internal processes or systems, including from human error or from external events. Risks relating to this category include technology and infrastructure, change, cyber, operational disruption, financial reporting, and procurement and outsourcing.

Risk commentary: Our approach is to manage our operational risks proactively, to mitigate potential customer harm, regulatory or legal censure, and financial, reputational, or environmental, social and governance ("ESG") impacts. This is principally achieved through robust control, and the Group is continuing to strengthen its control environment through various improvement initiatives across the business. This includes implementation of a new Risk & Control Self-Assessment process, facilitated by a new Chief Controls Office function in the first line, ensuring greater consistency in control assessment and testing. Material progress has been made in 2024, with further embedding to continue into 2025.

Technology and infrastructure risk is defined as the risk of loss resulting from inadequate or failed information technology processes through strategy, design, build or run components, internally or externally provisioned. This includes IT resilience and cyber security. Changes to our technology environment follow an industry-standard service management framework that provides risk assessment, planning, testing and validation prior to production, with ongoing control and performance monitoring.

Change risk is defined as the risk of failing to manage the change portfolio and associated change initiatives within desired scope, time, cost, quality and Group risk appetite, leading to a failure to deliver strategic benefits and good customer outcomes, and possibly causing business disruption. The Group's Transformation Management Office ("TMO") is responsible for implementing and embedding changes to further mature our organisational change portfolio management, delivery capability, and associated control environment.

Cyber risk arises from inadequate internal and external cyber security, where failures impact the confidentiality, integrity and availability of our data. The Group's Chief Information Security Officer is responsible for ensuring the appropriate cyber security policies and controls are in place and operating effectively.

Operational disruption risk is the risk of failing to deliver products and services at an acceptable predefined level following disruptive events. The Group's Operational Resilience Framework sets out requirements for maintaining resilience, which include identifying Important Business Services ("IBS"), setting tolerances, and regularly assessing the Group's ability to remain within these tolerances during disruptions. The Group has planned mitigations in the event of a disruptive event and monitors a suite of IBSs. All IBSs undergo scenario testing, as per regulatory guidelines, to identify vulnerabilities and develop suitable mitigations.

Financial reporting risk is defined as the risk of material misstatement, misrepresentation or untimely delivery of external or internal financial information, including regulatory financial information, resulting in inappropriate movements in share price, reputational damage, poor decision making/planning in relation to finance, tax, investment, strategy and capital, or regulatory fines. During the Group's half year results preparation, a miscalculation was identified within the Group's audited Solvency II Own Funds for the year ended 2023, as announced on 23 August 2024. The Group has taken action to strengthen the control environment in relation to the specific area where the miscalculation occurred.

Procurement and outsourcing risk is the risk of an outsourcing arrangement that is deemed critical or material failing to deliver the service provision in question to the expected levels. The Group adheres to a defined framework for the appointment and management of suppliers, outsourcing arrangements and Intra-Group relationships. The Group manages its suppliers through ongoing oversight and assurance.
41 | Direct Line Group Annual Report and Accounts 2024 Strategic Report / Governance / Financial statements