Risks and Assessment by the Management Body

Risk Management Framework

The Company’s Risk Management Framework includes the strategies, policy models, processes, and reporting procedures required to identify, measure, manage, monitor and report the risks to which the Company is or may be exposed.

It is the responsibility of the Board of Directors to identify the risk management principles and standards to be applied throughout the Company, to update the risk policies depending on the changes in the operating conditions, and to establish and operate an effective risk management system and relevant processes. The Board is also ultimately responsible for monitoring the risk level of the Company, establishing risk limits and controlling the situation against these limits, and putting the necessary measures into practice.

The tools required for determining, measuring, managing, monitoring, and reporting risks vary according to the type of risk. There are five risk classes: insurance risks, financial risks, compliance risks, operational risks, and strategic risks.

Aksigorta is aware of the importance of effective and controlled business processes in the risk management process. A robust internal control system was established and implementation procedures regarding the internal control function were determined in order to ensure the protection of the Company’s assets and to make sure that the activities are carried out effectively and efficiently in compliance with the laws, relevant legislation, internal policies and insurance customs.

Aksigorta is exposed to business risk in relation to its operations in the non-life insurance sector. Likewise, the Company also faces financial risks related to its operations, such as loan, market, and liquidity risks. Operational risks are related to the management of all risks, as they occur as a result of errors in humans, processes and technology used. Strategic risks are associated with changes in strategic planning, sector, competitive environment and technological changes. Sustainability risks, on the other hand, are assessed as strategic risks.

Emerging risks are the result of new trends that may pose a threat or risk to the company. These trends are ambiguous by nature, making it challenging to measure them and perform an impact analysis. The emerging risks inventory is regularly reviewed in light of global and local research in the insurance industry.

Information on Risk Management Policies by Risk Type

Risk Management Framework Policy

Aksigorta’s risk management strategy, implemented risk management system, and risk governance approach across the Company, as well as the roles and responsibilities for risk management are established in the Risk Management Framework Policy and approved by the Board of Directors.

The basic objectives of this policy are determining the basic principles and standards of the risk management systems and processes, implementing such systems and processes, and complying with the determined risk limits. The Company’s Risk Management Framework Policy defines the risk management roles and responsibilities of the Early Detection of Risk Committee under the Board of Directors, the Investment Committee under the Board of Directors, and the General Manager. The said policy also explains the role of each level in the triple line of defense model and the functioning of the delegation of authority in Aksigorta.

The activities covered by the Risk Management Framework Policy are carried out within the framework defined by the insurance legislation and the other relevant legislation to which the Company is subject.

Insurance Risk Policy

The Company is exposed to insurance risk because of the financial loss that might arise if the premiums collected for the risks undertaken or the provisions set aside for these risks are insufficient. Insurance risk is managed through underwriting risk appetite, pricing strategy, risk assessment models and reinsurance agreements.

The company has adopted a central risk assessment policy. This policy is carried out within the framework of predetermined activities and limits, with actuarial models and statistical analyses used in the assessment and pricing processes.
The policy underwriting strategy of the Company is based on the most effective risk assessment at the stage of policy issuance, as well as the most accurate distribution of assumed risks based on their types, sizes, industries, and geographical regions.

The Company enters into reinsurance contracts for excess of loss, quota share, surplus, and catastrophic guarantees to manage insurance risk. The Company has surplus agreements in fire, transportation, engineering and general accident branches, and annual quota share contracts with a certain proportional turnover rate in the motor, professional liability, electronic devices, machinery breakdown, mandatory bus passenger, cyber risks, credit, health, and individual accident branches. Also, there are Risk & CAT, Transportation and Optional Financial Liability Non-Proportional Reinsurance contracts that protect the net risks our company holds.

Credit Risk Policy

The credit risk means the negative financial impacts that may be caused by the fluctuations in credit quality, such as third party default, rating changes, and movements in the credit spreads.

Our Company’s total credit risk arises from insurance activities such as the investment activities in banks and finance corporations, purchasing made for its operations, reinsurance companies, and receivables from insured customers.

Credit risk is managed with the limit framework defined for the companies and organizations involved in the transactions made. The credit limit framework is supported with an Escalation Framework to report larger and/or riskier transactions to the Senior Management.

Market Risk Policy

The Company is exposed to interest rate risk on financial investments in general and credit risk on insurance receivables. Changes in market interest rates cause fluctuations in the prices of financial instruments, forcing the Company to manage interest rate risk effectively. The primary risk to which the available-for-sale financial assets in the Company’s portfolio are exposed is the damage that will result from a decrease in the actual values of financial assets due to changes in market interest rates.

Also, the Company is exposed to currency risks due to changes in foreign exchange rate resulting from the conversion of its foreign exchange denominated and foreign exchange indexed assets and liabilities into Turkish Lira.

Market risk components the Company faces, like the interest risk and currency risks, are regularly measured and reported via stress tests and scenario analyses.

Liquidity Risk

The liquidity risk means the risk arising from failure to meet the Company’s liabilities at maturity and cost-effectively.

The Company’s investment strategy approved by the Board of Directors has been established considering the liquidity conditions of the Company and the band widths (lower and upper limits) movable during the management of assets for investment and asset management and especially taking into account the potential liquidity profile of the liabilities.

Operational Risk Policy

Operational risk is the loss that may arise due to uncontrolled business processes, human or system errors, or external factors. It is essential to evaluate the probability of the operational risks and the level of impact they will create, and take the necessary measures accordingly. The first line of defense aims to manage operational risk by effective follow-up and process control.

In line with this purpose, the Operational Risk Control Management (ORCM) Framework is applied within the Company. Efficiency and adequacy of controls and implementation of action plans are the responsibility of the first line of defense, and these processes are monitored and reported by the Internal Control, Risk Management and Compliance units. Aksigorta aims to keep the operational risk at the lowest level that is commercially reasonable. Through operational risk management, Aksigorta aims to achieve the following:

  • Reducing fluctuations in financial performance by minimizing material losses arising from operational risks,

  • Improving customer experience and continuously protecting customer confidence,

  • Increasing employee satisfaction,

  • Protecting and enhancing Aksigorta’s reputation,

  • Establishing strong and positive relationships with regulatory bodies in the sector.

Information on Risk Management and Internal Control System

As per the Law on Insurance No 5684, Article 4 and the Regulation on Internal Systems in Insurance and Private Pension Industries, insurance companies must set up an effective internal control system to ensure that the Company’s assets are protected; that its activities are conducted in accordance with the requirements of the Law and related other legislation, with in-company policies and with established insurance industry practices; and in such a way as to be both effective and productive; and that the accounting and financial reporting system as well as all systems used in the provision of the main services are secure, coherent, and capable of providing timely access to information.

Risk management is the Company’s main means of avoiding undesirable outcomes in the pursuit of its targets and ensuring the continuity of its activities. The Risk Management Department’s functions are to identify, measure and monitor the risks to which the Company is exposed, to ensure that actions are taken to keep the risks within the limits determined as per the risk appetite and report such actions. Within this scope, it ensures that the business decisions are taken in a risk-based approach and the resources are used efficiently, so that the expectations of the entire Company and its business partners, including customers and shareholders, are met at the highest level.

The general risk level to be assumed for each type of risk, as well as the maximum risk limits allocated to management and their implementation procedures are specified in the policies which have been approved by the Board of Directors.

In order to monitor incurred risks and to provide control, the Company established and operates a structure of internal systems complying with the scope of its activities as specified by the legislation. In this approach, dubbed “the triple defense line,” the division of authority and responsibility is as follows:

Line of Defense Officials, Authorities and Duties

1. Line of Defense: Company Management

Identifying, assessing, managing and reporting risks in an effective and risk-oriented manner, and ensuring compliance with company policies. Establishing and maintaining an effective internal control system

2. Line of Defense: Risk Management, Internal Control and Compliance Directorate

Supporting the Company management in identifying, assessing, managing and reporting risks, overseeing compliance with Company policies and correcting any noncompliance; in short, assisting in the functioning of Aksigorta’s Risk Management Framework. Providing an acceptable assurance regarding the following subjects: Company assets are protected with internal control structure; its activities are carried out effectively, efficiently and in compliance with laws and other relevant legislation, in-house policies and rules of the Company, insurance business customs; the accounting and financial reporting systems are functioning reliably; the integrity of all systems used in the provision of services, and timely attainability of the information.

3. Line of Defense: Internal Audit Directorate

Assuring the Board of Directors about the effectiveness of the Company’s risk management and internal control mechanism from an impartial and independent viewpoint.

Risk Management, Internal Control and Compliance Directorate

The Directorate was structured in accordance with the Regulation on Internal Systems of Insurance and Private Pension Sectors issued in the Official Gazette dated November 25, 2021, and numbered 31670. Pursuant to Article 48/8 of the Regulation on the Internal Systems in Insurance and Private Pension Sectors, internal system functions can be structured jointly within the insurance group. Within this scope, the internal systems of Aksigorta A.Ş., AgeSA Hayat ve Emeklilik A.Ş., and Medisa A.Ş. are structured jointly to the extent permitted by the legislation.

It is aimed to provide assurance to the Board of Directors through risk management and internal control activities on:  

  • Ensuring compliance with legal obligations and the Company’s risk management policies and risk appetite limits,

  • Establishment and effective operation of a control framework in order to identify all structural risks exposed and to ensure that risks are managed within specified tolerance limits,

  • Designing and implementing actions to take risks within tolerance limits and reporting these risks transparently.

The reports which include the risk monitoring, assessment, management activities, and internal control activities are submitted to the Board of Directors and the Early Detection of Risk Committee regularly.

Internal Control Directorate

Internal control activities are primarily the responsibility of the business units that perform them. The Internal Control Directorate is responsible for providing support in the design of the processes carried out or controls made by these units, evaluating the adequacy and effectiveness of said processes and controls, and monitoring the effectiveness of the internal control function.

The Internal Control Directorate aims to contribute in the following categories through its operations:

  • Implementation of the Internal Control Regulation determined by the Board of Directors,

  • Implementation of a robust and reliable control framework by creating strong and effective internal control awareness,

  • Implementation and supervision of the control framework to ensure that operational risks are managed within the determined risk appetite.

The activities carried out by the Internal Control Directorate during the year are summarized below:

  • In line with the Annual Internal Control Plan, continuous review activities were carried out on the Company’s controls and the results of the review were published in the Aksigorta Internal Control Report every quarter.

  • Claims, Technical Evaluation, Actuarial Pricing, Agencies and Finance teams’ were reviewed with the relevant business units in order to activate the Company’s existing control environment.

  • The results of the internal control activities carried out by the business units are monitored through the IRM-GRC application, and all determinations and findings are tracked depending on the relevant risks.

  • In order to monitor Aksigorta’s compliance with legislation and regulations, work to update the control points defined in the IRM application continued during the year. Newly designed compliance controls were implemented in the IRM system.

  • Significant legislative changes concerning our Company’s field of activity were monitored, and compliance projects and actions were closely followed.

The following activities related to the execution of the Internal Control function were reported to the Insurance and Private Pension Regulation and Supervision Agency:

  • a) Report on business processes, in which the organization’s business processes and the changes made to them throughout the year are defined, as well as the existing work flow charts and the changes made to them during the year.

  • b) Information systems report on the structure of information systems, service procurements within information systems, measures taken to maintain business continuity, planned and executed studies on these issues and relevant tests performed.

  • c) Report on the controls performed during the year within the internal control function and their results.

The relevant reports were submitted to the Agency in April 2024.

Risk Management Directorate

The Directorate is responsible for ensuring the adequacy and effectiveness of the risk management function across the Company. The Company ensures that the design and effectiveness of the control framework is aligned with its risk appetite and that risks to business plans, projects, and other critical business decisions are assessed.

Risk management policies and implementation procedures need to adapt to changing conditions. Within this scope, the Risk Management Directorate regularly evaluates the adequacy of the relevant policies by utilizing the outputs of the internal control system and the internal audit system and submits the necessary revisions to the Board of Directors for approval.

Risk Management Framework documents are reviewed annually and approved by the Board of Directors. Operational Risks are managed under the supervision of the Early Detection of Risk Committee of the Board of Directors.

The findings obtained as a result of the second line of defense supervision activities are regularly presented to the Early Risk Detection Committee of the Board of Directors through management reports (CRO Report, Internal Control Report, etc.).

Operational risk management has become a part of the decision-making mechanism in the business processes with the introduction of the Operational Risk and Control Management Framework (ORCM) methodology applied for the management of operational risks and controls.

The activities carried out by the Risk Management Directorate during the year are summarized below:

  • The results of risk management and internal control activities carried out by business units are monitored through the GRC/IRM application, and all determinations, findings, and risk events are tracked depending on the relevant risk and/or legislation.

  • Trainings were organized to increase the level of knowledge and awareness of employees regarding the reporting of risk/loss events to the Risk Management Department by business units with the standard flow determined through the IRM-GRC application.

  • Internal and residual risk assessments were carried out for the Company risks included in the risk catalogue.

  • A workshop was organized in October 2024 with the participation of all our managers to evaluate emerging risks, and the emerging risk inventory was presented to the Management for their evaluation.

  • Efforts were made to create the Company’s model inventory according to the Model Risk methodology.

  • UW metrics and limits were reviewed to ensure effective monitoring and management of UW risk.

  • Support was given to project studies aiming to strengthen the control environment in the Company’s Corporate UW processes.

The following activities related to the execution of the Risk Management function were reported to the Insurance and Private Pension Regulation and Supervision Agency in accordance with the Regulation and within the relevant timeframe:

  • a) Information on risk management policies and changes made in these policies during the year, as well as information on risk limits and changes made in these limits during the year

  • b) Capital adequacy impact analysis report, which measures the long-term impacts of the risks assumed and exposed on capital adequacy and Company continuity

  • c) Results of monitoring and tracking activities carried out during the year as part of the execution of the risk management function

The relevant reports were submitted to the Agency in April 2024.

Actuarial Supervision Unit

The Actuarial Supervision Unit is responsible for monitoring the Company’s general pricing policy, portfolio profitability, the actuarial adequacy of reinsurance agreements, the adequacy and reliability of technical provisions, and the development and change of the risk level of the Company’s portfolio, as well as reporting the measures deemed necessary to senior management and the Early Detection of Risk Committee.

The unit consists of two people as of the end of 2024 and outsources the accountable actuarial service from a contracted external organization. The unit’s staff are provided with training programs to develop their professional knowledge, skills and abilities in the field of actuarial services, and they are supported and encouraged to take actuarial exams.

In 2024, within the scope of IFRS 4 obligations, quarterly control activities were carried out regularly, reinsurance performance and analyses were closely monitored, and actuarial adequacy analyses were performed.

The Actuarial Supervision Unit also submits the following periodic reports to the Insurance Regulation and Supervision Agency:

  • a) Actuarial Report, the scope of which is determined by the institution,

  • b) Tariff profitability determination report and summary report on the proposals made during the year to ensure tariff profitability,

  • c) Report on the actuarial methods applied and the models and assumptions used by the Company and the changes made in these models and assumptions during the year and their justifications,

  • d) Periodic reports on the operations carried out during the year as part of the execution of the actuarial function.

The relevant reports were submitted to the Agency in April 2024.

Information Technologies and Information Security Risks Management

Information Technology (IT) risk is the potential for losing automation systems, networks, or other critical IT resources, which can adversely affect business processes. With technology becoming a part of business processes, effective management of information technologies and information security risks are among the Company’s primary goals.

Information Technologies and Information Security risks are handled within business risks management and managed with reference to the internationally accepted Information Security Standards (Cobit, ISO27001).

The main risk areas that are addressed within the Information Technologies risks, and for which the levels of control targets adapted to the Company are tracked, are summarized below:

  • IT Management and Strategy Risk

  • IT Architecture Risk

  • Business Continuity Risk

  • Supplier Management Risk

  • Service Management and Resilience Risks

  • Change Management Risk

  • Development and Adaptation Risk

  • Malicious Service Interruptions

  • Hackers and Cyber Criminals

  • Malicious Internal Resources

Monitoring activities are carried out for information technologies and information security risks, and scheduled reporting is made to the management. During 2024:

  • The results of the surveillance activities carried out to effectively manage the above-mentioned risks were regularly evaluated,

  • They were shared with relevant administrations through the “Information Technologies Monitoring Report,”

  • In line with the KVKK technical legislation control targets, “KVKK Technical Measures” evaluation activity was carried out,

  • In order to improve the Company’s Security Framework, support was provided for the work carried out within the scope of ISO27001.

Legal Department, Compliance and Physical Damage

  • All processes regarding legal questions and issues that have arisen or may arise as a result of the Company’s services and practices during its daily operations were examined as per legal regulations, and opinions were given.

  • Correspondence sent by official institutions and addressed to the Company was reviewed and shared with the relevant departments of the Company. The departments were consulted regarding possible sanctions and risks, and preventive and regulatory actions were taken. Response letters were drawn up according to the Company’s official correspondence rules, and official institutions were contacted as and when necessary.

  • All changes in legislation that are significant and fall into our Company’s activity area have been closely monitored, and all required actions have been taken to comply with legislation. The legislation which the Company is required to comply with has been incorporated into the “Legislation Checklist” developed by our Company within the IRM (GRC) system. The relevant business units adopted this legislation and were requested to submit their statements of compliance. In addition, newly enacted legislation was monitored daily and relevant units were informed about the regulations and changes brought by the legislation. Regular additions were made to the Legislation Checklist, and business units were allowed to submit their statements of compliance through the system.

  • All contracts that need to be concluded regarding the processes to which our Company is a party were reviewed. In addition, contracts that were due renewal were legally reviewed and evaluated in the most appropriate manner for the Company’s current situation and conditions, and the renewal processes were completed. Support was provided to the consultancy requests submitted by different departments of the Company regarding ongoing contracts. In order to streamline the workflows of our departments working with the same/similar type of purchasing and service procurement processes, more than twenty draft contracts were drawn up based on the requirements of departments and the content of the relevant work.

  • Pursuant to the Law No. 6698 on the Protection of Personal Data, activities were carried out to increase the awareness of all departments of our Company by following the current developments regarding the issues that the Company is obliged to comply with, and the applications made by the relevant persons were responded to as per the legislation. Efforts to ensure compliance with the new regulations that came into force on 01.06.2024 upon the amendments to the Personal Data Protection Law were revised and completed in a way that would affect all channels, departments and products of the Company, and the signing processes of “standard contracts” for data transfer abroad began. Similarly, support was provided to all teams in awareness-raising activities and consultancy processes regarding the obligations to which our Company is subject due to the Competition Law. In addition, within the scope of the Personal Data Protection Law, a control was added to the IRM system through the work carried out with the Internal Control and Compliance teams, and regular reporting of control results by the relevant units was ensured.

  • Application, objection, and trademark processes on the intellectual and industrial rights owned by the Company were followed up, and mechanisms in accordance with legal processes were executed to prevent possible damages to our Company in this regard.

  • Legal support was provided for the projects initiated by different departments within the Company to ensure that new products, new services, business partnerships, and arrangements were created in accordance with the legislation.

  • Within the scope of MASAK compliance, the project designed has been completed, and related processes have been transferred to a digital environment with the purchased software application in order to effectively monitor sanction decisions, institutions, and persons subject to sanctions. In addition, a project initially launched to profile the policyholders in the active portfolio according to risk criteria is continuing.

  • In 2024, our Company’s Claims and Law Department pursued a high number of lawsuits in different departments for material, physical, liability, subrogation, and receivables lawsuits and concluded settlements in many files by conducting settlement studies.

  • Within the scope of the control framework creation work carried out by Internal Control together with the Compliance team, compliance controls were reviewed and added to the IRM (GRC) system.

  • The compliance monitoring activity carried out as per the Regulation on Information in Insurance Contracts enabled planning of actions in response to the issues and improvements identified.

Information on Outsourced Service Procurement

In order to improve service quality and maximize customer satisfaction, our Company may procure support services from external companies within the scope of the “Regulation on Insurance Support Services.” In this regard, support services continued to be procured from various companies in 2024 in the service areas needed and in accordance with the relevant legislation.

Notable Changes in Regulations – 2024

On 12.03.2024, the Law No. 7499 Amending the Code of Criminal Procedure and Certain Laws (Law) was published, which introduced significant amendments to the Law on the Protection of Personal Data No. 6698 (KVKK). With these amendments, important regulations regarding the processing of special personal data and the transfer of processed personal data abroad came into force and the scope of the misdemeanors regulated in the KVKK was expanded. With these amendments:

  • The distinction between data on health and sexual life under special personal data and other special personal data was removed and the legal grounds permitting the processing of special personal data were expanded.

  • The way was paved for the transfer of personal data abroad in accordance with the international standards to be set out by the Board, and the process of transferring data abroad was also facilitated with new mechanisms and permissions.

The Guide on Transfer of Personal Data Abroad (Guide) was published by the Personal Data Protection Authority (Authority). The Guide describes the processes regarding the transfer of personal data abroad by detailing the application principles and procedures to be followed in connection with the comprehensive changes made in Article 9 of the KVKK titled “Transfer of Personal Data Abroad.”

SEDDK has introduced regulations regarding the cancellation of traffic policies in the event of sale of an insured vehicle and also the policies that can be used as reference through the Circular on Amendments to the Circular No. 2019/9 regarding the Implementation of Compulsory Motor Vehicle Liability Insurance (2024/30) (“Circular”). With the amendments, the period of the policies that can be taken as a reference in the preparation/renewal of the traffic insurance policies was reduced from 30 days to 14 days. In addition, with the new amendments, validity of traffic policies will end with the transfer of the ownership of a vehicle and not pass over from the previous owner to the new owner of the vehicle. This means that the new owner is obliged to get a traffic policy at the time of sale, and if the sale does not take place for any reason, the policy is cancelled from the beginning upon the buyer’s request and full refund is made without any deduction.

Through the Regulation Amending the Regulation on Measurement and Assessment of Capital Adequacy of Insurance, Reinsurance and Pension Companies published in the Official Gazette dated 31.12.2024 (Regulation), changes were made to the coefficients regarding the calculation of capital adequacy (regarding receivables from public institutions and the Turkish Savings Deposit Insurance Fund companies) and the reporting periods regarding the measures were shortened. In addition, it is necessary to calculate capital adequacy every quarter and comply with the ratio in each calculation period, and the administrative measures included in the regulation will be applied to all results in March, June, September and December. Previously, calculations were made in December and measures were implemented based on the ratio determined in December. However, it has been changed to March, June, September and December.

The “Regulation Amending the Regulation Amending the Financial Reporting for Insurance, Reinsurance and Pension Companies,” “Communiqué on Amendments to the Communiqué on the Presentation of Financial Statements of Insurance, Reinsurance and Pension Companies,” and “Communiqué on Amendments to the Communiqué on the Insurance Uniform Chart of Accounts and Prospectus” were published in the Official Gazette dated 27.12.2024 and numbered 32765. It is understood that the fundamental change introduced within the scope of the relevant legislation is the change of the effective date determined for the financial reporting standard from 1/1/2025 to 1/1/2026.