Discovery Limited: Enterprise Risk Management Policy


Discovery Limited

Enterprise Risk Management Policy


Contents
1 Introduction ... 3
1.1 Purpose ... 3
1.2 Scope ... 4
1.3 Discovery Limited Board Statement ... 4
2 Policy Principles ... 4
2.1 Approach to Risk Management ... 4
2.2 General Risk Management Principles ... 5
2.3 Risk Taxonomy ... 5
3 Governance Structures ... 7
3.1 Discovery Limited Board ... 8
4 Roles & Responsibilities ... 9
4.1 First Line of Defence ... 9
4.2 Second Line of Defence ... 10
4.3 Third Line of Defence ... 13
5 Compliance with the Policy ... 14

Discovery Limited is the licensed controlling company of the designated Discovery Insurance Group. Registration number: 1999/007789/06. Companies in the Group are licensed insurers and
authorised financial services providers.

Discovery Enterprise Risk Management Policy Page 2 of 14


1 Introduction
The Enterprise Risk Management (ERM) Policy (the Policy) sets out the high-level philosophy and guiding principles for
effective risk management to ensure that risks which could significantly impact the ability of Discovery Limited
(comprising its local and international operations, collectively referred to as the Group) to meet its objectives are
identified, measured, monitored, managed, priced, mitigated, communicated and reported. One of the key objectives
of this Policy is to ensure high quality management of risk exposures appropriate to the nature and scale of the universe
of risks faced by the Group. The Policy defines the principles and the approach to risk management as well as the roles
and responsibilities of the day-to-day risk and control environment.

1.1 PURPOSE

The Group defines risk as the probability of an event materialising which could have a negative or positive impact on
achievement of the Group’s objectives. Risks include ‘emerging risks’, which are defined as a condition, situation or trend
that develops in a way that could significantly impact the Group’s strategy, financial strength, competitive position or
reputation within the next five years. By identifying and proactively addressing these risks and opportunities, the Group
is able to protect and create value for its stakeholders, through greater risk transparency, increased organisational
effectiveness and improved business decision making.

ERM provides a framework for managing these risks, which typically involves:

 Identifying particular events or circumstances relevant to the Group’s objectives (risks and opportunities);
 Measuring them in terms of impact and likelihood;
 Monitoring the risks against the limits set and capital available;
 Managing risks by developing risk mitigation strategies and action plans where necessary;
 Providing the Discovery Limited Board and senior management with oversight of the risks faced by the Group
through a regular risk reporting process;
 Applying risk management techniques consistently across the Group; and
 Integrating risk management and measurement into business processes.

The objective of ERM is to align business strategy, risk strategy, capital management, business processes, people and
technology in order to evaluate and manage business opportunities, uncertainties and threats in a structured and
disciplined manner. By linking risk capital values to the actual risk-taking activities, the Group is able to assess the
projected and historical performance of these activities in proportion to the capital required to support them.

This process assists in ensuring that the Group considers risk and capital implications when making strategic and
operational decisions. The development of a pro-active approach to risk management (i.e. using risk data to prevent
losses rather than continually responding to the negative implications of unforeseen risks that have materialised)
provides:

 Increased consistency in the measurement, treatment and communication of risks within the Group;
 Enhanced reporting and analysis of risks faced by the Group;
 Improved focus, attention and perspective to risk data which will be used in the calculation of regulatory and
economic capital across the Group;
 Increased alignment to the Group strategy;
 Enhanced quantitative and metrics-based assessment methodology;
 Efficiency and effectiveness of activities related to all assurance matters; and
 Cost-effective management and monitoring of risks.



1.2 SCOPE

This Policy is the Group’s overarching enterprise risk management policy and operational risk policy. It enables the
Group to establish a comprehensive set of risk management methodologies which align with best practice standards
and regulatory requirements in terms of governance and risk management.

This Policy is applicable to all of the Group’s local and international subsidiary operations where the Group has
management control and includes:

a) All staff, first line business and senior management;
b) The Group Risk Management (GRM) function; and
c) All assurance and governance structures across the Group.

If a business entity wishes to deviate from this Policy, a separate document stating the exceptions and deviations and
the reasons therefor will need to be reviewed for approval. Thereafter, the recommendations of the relevant business
entity specific Risk Committee or Risk Executive Committee and of the Group Chief Risk Officer (CRO) will be considered.
Finally, the Group CRO and the Discovery Limited Risk and Compliance Committee (RCC) will consider these exceptions
for approval.

1.3 DISCOVERY LIMITED BOARD STATEMENT

The Group is committed to being an organisation with a high-quality ERM capability which covers all its activities and
contributes to growth in economic value of shareholder assets and the protection of policyholder and member benefits.
This is achieved by:

 Fostering an environment where consideration of risk is embedded in the Group’s culture, business planning,
decision making and day to day business activities;
 Being risk-conscious, risk-confident and risk-selective. Risks are considered appropriate if they are well understood,
generate the required risk adjusted return (either financially or otherwise) and support the Group’s objectives. The
Group actively seeks to assume appropriate risks, against the background of a clearly articulated risk appetite and
business strategy;
 Seeking to treat, tolerate, terminate and/ or transfer those risks for which the Group has little or no appetite or
where the expected risk adjusted return is inadequate;
 Seeking to exploit those risks for which the Group has more appetite or where the expected risk adjusted return is
adequate;
 Actively communicating the effectiveness and business benefits of risk management to all stakeholders;
 Continually developing and enhancing the Group’s ERM capability in a manner that yields business benefit;
 Being able to provide reasonable and independent assurance to the Group’s senior management and the Discovery
Limited Board; and
 Ensuring that the various assurance providers are effectively coordinated and integrated to aid effective decision
making.

2 Policy Principles
The minimum ERM principles to be followed by the Group are set out below.

2.1 APPROACH TO RISK MANAGEMENT

Within the Group, ERM encompasses the following components:



 Setting and aligning risk appetite and strategy – The Discovery Limited Board and senior management consider
the Group’s risk appetite when evaluating strategic alternatives, setting related objectives, and developing
mechanisms to manage related risks.
 Enhancing risk response decisions – ERM provides the rigour to identify and select among alternative risk
responses, such as risk avoidance, reduction, sharing, and acceptance.
 Reducing operational surprises and losses – By gaining enhanced capability to identify risks and establish
responses, the Group is able to reduce surprises and associated unexpected costs or losses.
 Identifying and managing multiple and cross-enterprise risks – The Group faces a myriad of risks affecting different
parts of the organisation. ERM facilitates an effective response to the interrelated impacts as well as the integrated
responses to enterprise-wide risks.
 Seizing opportunities – By considering a full range of risks, the Discovery Limited Board and senior management
are able to identify and proactively seize opportunities.
 Optimising capital allocation – By obtaining robust risk information, management is able to effectively assess
overall capital needs and enhance capital allocation.

2.2 GENERAL RISK MANAGEMENT PRINCIPLES

The ten risk management principles on which ERM is based consist of:

1 Risk Strategy – A strategy must be in place for managing risk across the Group which includes the consideration of
the inter-relationships and correlations between risks.
2 Risk Governance Structures – Risk governance structures must be in place to ensure that all applicable statutory
and regulatory requirements and risk management standards are met.
3 Responsibility and Accountability – Responsibility and accountability for risk management must be clearly
assigned, documented and communicated throughout the Group with the aim of fostering an open and transparent
risk culture that encourages best practice risk management behaviour.
4 Risk Appetite – Risk appetite statements must reflect the nature and level of risk the Group is willing to take in
order to achieve specific business objectives.
5 Risk Management Processes – Risk management processes and procedures must be in place to ensure risks and
controls are identified, managed, monitored and reported on a consistent and coordinated basis across all lines of
assurance.
6 Risk Response and Mitigation – Risk-specific response and mitigation plans, including business continuity and crisis
management plans, must be in place at all times with clear criteria set for when such plans are invoked.
7 Risk Monitoring – The level of risk exposure must be actively monitored against the limits set and/ or the capital
available with clear accountability assigned for the identification, monitoring and management of risk and, where
necessary, the escalation of risk-related issues.
8 Stress and Scenario Analysis – The resilience to risk events must be tested under both normal and stressed
conditions, including developing an understanding of the severity of an event that would cause a breach in risk
appetite and tolerance limits, capital requirements and/ or result in insolvency.
9 Risk Reporting – Risk reporting must be accurate, relevant and timely to support the management of risks, meet
the needs of all relevant internal and external stakeholders and, where required, meet the specific reporting needs
of the separate legal entities and the Group.
10 Non–Compliance – Processes must be in place to ensure that non-compliance with this Policy is identified,
escalated and remedied promptly.

2.3 RISK TAXONOMY

In order to apply the ten principles described in section 2.2, the Group has defined a universe of risks (the Discovery
Limited Risk Taxonomy) which classifies risks into categories. In this structure the broader risk categories are grouped
as level one risks. Under these level one risks are more detailed level two risks. The following eight level one risk types
have been defined as part of the Discovery Limited ERM Framework:



Risk Type – Definition

Business Risk – The risk that the Group will have lower than anticipated profits or experience a loss rather than
making a profit. The risk is influenced by numerous factors, including sales volume, unit pricing/ margin, competition
and the overall economic climate.

Credit Risk – The risk of loss arising from the failure of counterparties to meet their debt obligations owed to the
Group for any reason when due.

Insurance Risk – The risk that an insured event will occur, resulting in the payment of a claim. This risk is influenced
by a number of factors including the occurrence of claims, catastrophe events and reinsurance cover.

Liquidity Risk – The risk that the Group, though solvent and profitable on a balance sheet basis, either does not have
the cash (or near cash) resources or the ability to liquidate its assets to meet its obligations to policyholders,
debtors and/ or capital providers (as they fall due).

Market Risk – The risk that, as a result of market movements, the Group may be exposed to fluctuations in the value of
or income from its assets and financial instruments, and the amount of its liabilities relative to expected.

Operational Risk – The risk of loss resulting from inadequate or failed internal processes, people, systems and/ or
external events.

Regulatory Risk – The risk of an adverse financial impact, reputational damage, a breakdown of the regulatory
relationship or regulatory sanction being imposed as a result of non-compliance to emerging and/ or existing
regulatory requirements.

Strategic Risk – The risk of the current and prospective impact on earnings or capital resulting from an inappropriate
or defective strategy. The risk arises from the Group's inability to implement appropriate business plans, strategies
or decisions. It also relates to the Group's lack of responsiveness to industry changes.



3 Governance Structures
The following depiction provides an overview of the Group governance structure including the governance structures of the business entities where the Group has management control. The
Discovery Limited Board Charter sets out the scope and responsibilities of the Discovery Limited Board in respect of the business entities within the Group:

[Diagram: Group governance structure]

Discovery Limited Board, with its committees: Discovery Limited Remuneration Committee, Discovery Limited Social &
Ethics Committee, Discovery Limited Risk & Compliance Committee, Discovery Limited Actuarial Committee, Discovery
Limited Audit Committee and Discovery Limited TCF Subcommittee.

Subsidiary boards: Discovery Bank Board, Discovery Insure Board, Discovery Life / Invest Board, Discovery Holdings
Europe Limited Board, and other boards and committees (Discovery Health, Discovery Vitality, Vitality Group etc.).

Subsidiary-level committees and boards named in the diagram: Discovery Bank Information Technology Committee,
Discovery Bank Risk & Capital Management Committee, Discovery Bank Directors' Affairs Committee, Discovery Bank Audit
& Compliance Committee, Discovery Insure Finance & Risk Committee, Discovery Insure Actuarial Committee, Vitality Life
Limited Board, Vitality Health Limited Board, Group External Remuneration Committee, Group Internal Remuneration
Committee, Group Technology Committee, Group Risk Committee, Group Audit Committee, Nomination Committee,
VitalityHealth Actuarial Committee and VitalityLife Actuarial Committee.
These committees only reflect the statutory/ legislatively required structures. In instances where a business entity has established separate governance structures in addition to the Group
governance structures, the business entity should ensure that the responsibilities defined below are included in the terms of reference of the relevant committee structures.



3.1 DISCOVERY LIMITED BOARD

The Discovery Limited Board is ultimately responsible for risk management across the Group. The Discovery Limited
Board may delegate some of the activities or tasks associated with its own roles and responsibilities to a delegated
committee or senior management within the Group which includes inter alia the following:

 The governance of risk;
 Approval of the levels of the risk appetite and tolerance limits;
 Ensuring an appropriate risk management plan is designed, implemented and monitored;
 Providing oversight in respect of the design and implementation of sound risk management and internal controls
systems and functions;
 Ensuring that risk assessments are performed on a continual basis;
 Ensuring risk frameworks and methodologies are implemented to increase the probability of anticipating
unpredictable risks;
 Ensuring that management considers and implements appropriate risk responses;
 Ensuring continual risk monitoring by management;
 Ensuring that the risk management process is effective by receiving assurance from the 1st, 2nd and 3rd lines of
defence in a coordinated manner; and
 Ensuring there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure
to relevant stakeholders.

In order to establish adequate governance across the Group, the Discovery Limited Board has established the following
sub-committees:

1 Discovery Limited RCC, the terms of reference for this committee are defined in the Discovery Limited RCC Terms
of Reference (ToR). This committee reviews all enterprise-wide risk assessments (including business resilience),
control evaluations and mitigation plans on a regular basis. Risk assessments and action plans will form part of this
broader ERM review;
2 Discovery Limited Actuarial Committee, the terms of reference for this Committee are defined in the Discovery
Limited Actuarial Committee ToR;
3 Discovery Limited Audit Committee, the terms of reference for this Committee are defined in the Discovery Limited
Audit Committee ToR. Its responsibility in terms of risk management includes, but is not limited to:
o Reviewing the effectiveness of internal controls surrounding the risk management process and the reliability
and accuracy of the financial information provided to management and other users of financial information;
o Reporting on significant findings from Group Internal Audit (GIA) reviews and the extent of management
implementation of recommendations;
o Reporting on any significant deficiencies and material weaknesses in the design or operation of internal
controls in the risk reporting process;
o Reviewing the scope of work (risk analysis and audit plan) of the external and internal auditors, confirming the
reliance placed on Risk Management Reports and how this has been validated; and
o Ensuring an effective Combined Assurance programme is implemented.
4 Discovery Limited Remuneration Committee, the terms of reference for this Committee are defined in the Discovery
Limited Remuneration Committee Charter;
5 Discovery Limited Social and Ethics Committee, the terms of reference for this Committee are defined in the
Discovery Limited Social and Ethics Committee Charter; and
6 Discovery Limited TCF Subcommittee, the terms of reference for this Committee are defined in the Discovery
Limited TCF Subcommittee ToR.



4 Roles & Responsibilities
The Group has adopted the ‘Three Lines of Defence‘ governance model. The model clearly separates business
management from governance and control structures. A depiction of the ‘Three Lines of Defence’ is shown below:

While the model above depicts the structure for the Group, all regulated entities within the Group (including Discovery
Bank, Discovery Life, Discovery Insure and the UK entities) must establish equivalent structures to satisfy the three lines
of defence model.

4.1 FIRST LINE OF DEFENCE

The first line of defence comprises the line functions that own and manage risk and the associated risk taking. It
involves management oversight, including strategy implementation, performance measurement, and risk and control
management (including assessing the security risk impact to the organisation as a whole, within the various Discovery
companies in the Group). Because this line is directly involved as the executing leg, it offers only limited assurance
coverage.

4.1.1 MANAGEMENT OF OPERATIONS

Operational managers own and manage risks. They are also responsible for implementing corrective actions to address
process and control deficiencies.



4.1.2 FIRST LINE RISK MANAGEMENT

Risk management functions established within each business entity and who report to business entity management are
referred to as First Line Risk Management. First Line Risk Management responsibilities are detailed in the Discovery
Limited Enterprise Risk Management Framework.

4.1.3 MANAGEMENT EXECUTIVE COMMITTEES

The Executive Committees and their sub-committees (inclusive of management committees) are regarded as first line.

4.1.4 QUALITY ASSURANCE

The Group places a lot of focus on quality processes and as such the Quality Assurance structure is positioned within
the first line of defence (for certain Group business entities, such as Discovery Health).

4.1.5 GROUP FORENSICS

Group Forensics is mandated to investigate all aspects pertaining to fraud, abuse of benefits, misconduct or unethical
behaviour.

4.1.6 INFORMATION SECURITY OFFICE

The Information Security Office (ISO) is mandated with identifying, developing, implementing, and maintaining processes
and standards across the Group to reduce information risks, including cyber security, privacy and information
governance risks. Risk identification is a key element of the ISO function, and, through collaboration with the various
Group risk officers, these information risks need to be managed to an acceptable level. They need to be adequately
identified, documented and reported to the various levels in the Group.

4.2 SECOND LINE OF DEFENCE

The second line of defence functions comprise GRM, Group Compliance and the Group Actuarial Function. These are
functions independent of day-to-day management that provide a level of assurance to the Discovery Limited Board with
regards to the adequacy and effectiveness of the overall risk management system. These functions have the authority
to communicate with any employee and obtain unrestricted and timeous access to any records required to carry out
their responsibilities.

4.2.1 GRM

GRM is a function independent of day-to-day management. Its primary responsibilities include:

 Assisting the Group to identify, assess, monitor, and mitigate its material risks, and promote a sound risk culture;
and
 Assisting the Discovery Limited Board and senior management to develop and maintain the Group’s risk
management system, including promptly informing the Discovery Limited Board of any circumstance that may have
an adverse material effect on the risk management system of the Group.

It is a centralised risk management function and is headed up by the Group CRO, who reports, functionally, directly to
the Group Chief Executive. The Group CRO is responsible for reporting to the Discovery Limited Executive Committee,
the Discovery Limited RCC, the Discovery Limited Audit Committee, the Discovery Limited Actuarial Committee and the
Discovery Limited Board on all risk related matters across the Group.



In certain instances, where a business entity has not established a First Line Risk Management function, GRM will assist
the business entity in carrying out its first line roles and responsibilities with regard to risk identification, assessment
and reporting.

Key responsibilities of GRM are:

 Coordinate and challenge risk information and ensure the establishment of appropriate risk reporting procedures
and feedback is provided to the Discovery Limited Board;
 Coordinate risk management activities across the Group;
 Set the standards and policies relating to risk management activities across the Group;
 Assist the business entities by facilitating the identification of risks across the Group. This is performed through
evaluating the internal and external risk environment on an on-going basis in order to identify risks as well as
emerging risks as early as possible. This may include analysis of risks from a different perspective, such as by
territory or by line of business;
 Assess, challenge, aggregate, monitor and assist the Group in mitigating identified risks effectively. This includes
assessing the Group’s capacity to absorb risk with regards to the nature, probability, duration, correlation, and
potential severity of risks;
 Perform independent risk reviews to enable the provision of risk assurance to the Discovery Limited Board;
 Regularly report to senior management, key persons in control functions and the Discovery Limited Board on the
Group’s risk profile. This includes details of the risk exposures faced, risk incidents that have occurred as well as the
related mitigating actions required;
 Recommend the Group’s risk appetite to the Discovery Limited Board for approval. This includes the cascading of
risk limits to an appropriate level of detail, and monitoring the actual risk exposure against the Discovery Limited
Board approved appetite;
 Gain and maintain an aggregated view of the risk profile of the Group;
 Conduct the Own Risk and Solvency Assessment (ORSA) process on at least an annual basis which includes oversight
of the integration between risk and capital management across the Group;
 Conduct regular stress testing and scenario analyses, including that of extreme events with low probability but high
potential impact;
 Develop and maintain an information feedback mechanism amongst the three lines of defence. This enables GRM
to take necessary actions in a timely manner in response to changes in the Group’s risk profile;
 Conduct regular assessments of the risk management system and ensure all necessary improvements are
implemented;
 Document and report material changes affecting the risk management system to the Discovery Limited Board to
ensure that it is maintained and improved;
 Coordinate and facilitate business continuity management which involves planning and preparing the Group so that
it maintains business operations in the event of disruption. The planning involves the identification of risks and
threats, the creation of response structures and plans to address incidents and crises. Tests are done annually to
ensure plans and procedures in place are effective. The goal of testing is the continuous improvement of the
business continuity management capabilities and readiness by ensuring that lessons learnt are integrated into
prevention, mitigation, planning, training, and future tests; and
 Coordinate Combined Assurance activities across the Group.

GRM’s responsibilities are described in more detail in the Discovery Limited ERM Framework.

In certain instances, where a business entity has established a separate Second Line Risk Management function, GRM
will:

 Establish a feedback mechanism between the two functions in order to ensure consistency in terms of the risk
methodology used and reporting thereof;
 Monitor the performance of the Second Line Risk Management function in relation to the implementation of risk
policies, including this Policy;
 Review, challenge and validate (where necessary) the risk information produced; and
 Ensure that the information reported meets the requirements specified in this Policy and the Discovery Limited
ERM Framework.



Key responsibilities of the business entity Second Line Risk Management functions are:

• Coordinate and challenge risk information and ensure the establishment of appropriate risk reporting procedures
and feedback is provided to the relevant business entity governance structures and GRM;
• Coordinate risk management activities across the business entity;
• Set business-specific standards and policies (in alignment with Group standards and policies) relating to risk
management activities across the business entity;
• Assist the business entity by facilitating the identification of risks. This is performed through evaluating the internal
and external risk environment on an ongoing basis in order to identify risks as well as emerging risks as early as
possible. This may include analysis of risks from a different perspective, such as by territory or by line of business;
• Assess, challenge, aggregate, monitor and assist the business entity in mitigating identified risks effectively. This
includes assessing the business entity’s capacity to absorb risk with regard to the nature, probability, duration,
correlation, and potential severity of risks;
• Perform independent risk reviews to enable the provision of risk assurance to the relevant business entity
governance structures;
• Regularly report to senior management, key persons in control functions and the relevant governance structures
on the business entity’s risk profile. This includes details of the risk exposures faced, risk incidents that have
occurred as well as the related mitigating actions required;
• Recommend the business entity’s risk appetite to the relevant governance structures for approval. This includes
the cascading of risk limits to an appropriate level of detail, and monitoring the actual risk exposure against the
approved appetite;
• Conduct the ORSA process on at least an annual basis, which includes oversight of the integration between risk and
capital management;
• Conduct regular stress testing and scenario analyses, including that of extreme events with low probability but high
potential impact;
• Develop and maintain an information feedback loop amongst the three lines of defence. This enables the risk
function to take necessary actions in a timely manner in response to changes in the business entity’s risk profile;
• Conduct regular assessments of the risk management system and ensure all necessary improvements are
implemented;
• Document and report material changes affecting the risk management system to GRM to ensure that it is
maintained and improved; and
• Coordinate Combined Assurance activities across the business entity.

4.2.2 GROUP COMPLIANCE

Group Compliance ensures that the Group is able to meet its regulatory obligations and promotes a corporate culture
of compliance and integrity. Further details surrounding the principles, roles and responsibilities of Group Compliance
are defined in the Discovery Limited Group Compliance Policy. The compliance risk view is an integral part of the
integrated Group risk profile. The Group Compliance Function has access to and reports to the Discovery Limited Board
(via the Discovery Limited RCC) on matters such as:

• Implementing a risk-based monitoring plan to monitor compliance with internal controls, legal obligations and
regulatory obligations in respect of South African domiciled entities;
• The key regulatory risks the Group faces and the actions being taken to address them;
• Performance of the various local business entities and the shared services of the Group against compliance
standards and regulatory requirements;
• Compliance issues involving management or persons in positions of major responsibility within the Group;
• Material compliance violations or concerns involving any other person or applicable operational business area of
the Group;
• Material fines or other disciplinary actions taken by a regulator or supervisor in respect of the Group or any
employee;
• Assessing the appropriateness of policies, processes, and controls in key areas of legal, regulatory and ethical
obligations, as well as the effective monitoring thereof;
• Reporting or facilitating the reporting of compliance shortcomings or non-compliance to the relevant regulators;
• Reporting to the Board through the Discovery Limited RCC; and
• Any regulatory changes that will impact the Group.

4.2.3 GROUP ACTUARIAL FUNCTION

The Group Actuarial Function is required to provide assurance to the Discovery Limited Board regarding the accuracy of
the calculations and the appropriateness of the methodology and assumptions underlying the insurance technical
provisions and the capital requirements across the Group. In addition, the Group Actuarial Function has responsibilities
regarding certain elements of the risk management policies, reinsurance arrangements and pricing and product
development across the Group. The Group Actuarial Function performs this role with the support from the business
entity actuarial functions and Actuarial Committees.

The Group Actuarial Function performs the regulated roles of actuarial function for the Group and actuarial function for
Discovery Life. The Group Actuarial Function does not perform the regulated actuarial function role, and has no direct
oversight responsibilities, for the activities of Discovery Insure or the United Kingdom operations, as these roles are
performed by the entity actuarial functions. However, the Group Actuarial Function keeps abreast of actuarial matters
relevant to the actuarial function of the Group and performs an advisory role through attendance of the Discovery Insure,
VitalityHealth and VitalityLife Actuarial Committees.

The Group Actuarial Function is responsible for:
• Expressing an opinion to the Discovery Limited Board on the reliability and adequacy of the calculations of the
insurer’s technical provisions, and minimum and solvency capital requirements, including on:
o The appropriateness of the methodologies and underlying models used and assumptions made;
o The sufficiency and quality of the data used in actuarial calculations;
o Best estimates and associated assumptions against experience when evaluating technical provisions;
o The accuracy of the calculations;
o The appropriateness of and impact of assumed future management actions and the effect of risk mitigation
instruments; and
o The appropriateness of approximations or judgments used in the calculations due to insufficient data of
appropriate quality.
• Expressing an opinion to the Discovery Limited Board on:
o The appropriateness of the Discovery Limited Asset Liability Matching (ALM) and Investment Management
Policy, the Discovery Limited Reinsurance and Other Forms of Risk Transfer Policy and underwriting policies.
o The adequacy of reinsurance and other forms of risk transfer arrangements.
• Evaluating and providing advice to the Discovery Limited Board, senior management and other second line of
defence functions (where relevant) on:
o The appropriateness of the standard formula to assess its risks and why it is an accurate reflection of the risk
profile.
o The financial soundness, including the impact of any proposed dividend declaration or payment.
o The development and use of models for the ORSA calculations and the actuarial-related matters in the ORSA
(including financial soundness, assumed management actions, stress testing and scenario analysis).
o The internal controls relevant to actuarial matters.
o The actuarial soundness of the terms and conditions of insurance contracts.

4.3 THIRD LINE OF DEFENCE

The Group’s Internal Audit Functions (South Africa, United Kingdom and Discovery Bank) and External Audit make up
the third line of defence and are independent assurance functions. The third line of defence needs to ensure:

• Regular review of the systems for risk management and internal controls and provide assurance to the Board that
the systems are effective;
• Provision of independent assurance on the effectiveness of certain Group policies and frameworks;
• Provision of independent assurance to the Discovery Limited Board regarding the adequacy and effectiveness of
internal controls within the Group;
• Independent monitoring of compliance with certain Group policies and frameworks;
• Testing of implementation of certain Group policies and methodologies; and
• Independent review of compliance with relevant laws, regulations and accounting standards.

The third line of defence provides feedback on its activities and recommendations for improvement to senior
management and Executive Committees, but reports directly to the Discovery Limited Board through the Discovery
Limited Audit Committee. This is in order to ensure complete independence from management and unbiased reporting
to the Discovery Limited Board on the effectiveness of governance, risk management and internal control within the
Group. The third line may place some reliance on the activities of the first and second lines if it is satisfied that robust
processes are being followed (for example, a valid source for key indicator measurements) and such reliance will not
impact the third line audit mandate.

5 Compliance with the Policy
The Group views any non-compliance with this Policy, as well as any non-compliance with its obligations in terms of
legislation, in a serious light. Any deliberate action by an employee to contravene the above will be subject to disciplinary
action or termination of employment.

Compliance with this Policy will be monitored by the Discovery Limited RCC. Any breach of, or non-compliance with, this
Policy must be communicated to the Policy owner and/or GRM as soon as reasonably practical. The Policy owner, with
input from key stakeholders, will consider the appropriate action(s) required. If agreement on the appropriate action(s)
cannot be reached, the matter will be escalated to the chair of the Discovery Limited RCC. The chair of the Discovery
Limited RCC will decide whether the breach or non-compliance is sufficiently material to be escalated further and, if so,
to which person, committee or the Discovery Limited Board.

All instances of non-compliance with this Policy will be included within the regular risk reporting process. GIA performs
a review of the effectiveness of GRM as part of its audit plans; this incorporates the Group’s compliance with the Policy.
Findings of non-compliance by GIA should, over and above the normal reporting process, be raised at the Discovery
Limited Audit Committee.