Through our risk management activities, we seek to identify and assess major risks that could affect our businesses. We include considerations of ESG risks, such as the impact of climate change, human capital management and cybersecurity threats.
Board Oversight of Risk
Our Board, directly and through its committees, plays an active role in the oversight of our company’s risk management. The subject of risk management is a recurring agenda item at Board and Committee meetings. The Board and/or its Committees regularly receive reports from management on capital, investments, and operations, including the risks associated with each and the steps management is taking to manage those risks. The Board also discusses with management our business strategy, risk appetite and appropriate levels of risk.
The Board’s committees are assigned oversight responsibility for particular areas of risk. For example, the Audit Committee receives, at least annually, a Companywide Risk Assessment which considers operational, financial, legal, compliance, cyber and reputational risks, as well as climate risk and sustainability matters. The Compensation/Nominating & Governance Committee oversees risk related to corporate governance, succession planning, environmental stewardship, sustainability and corporate social responsibility. The Finance Committee oversees the risks related to managing our investment portfolio. Full Board meetings and individual Committee meetings are scheduled so as not to overlap, and all Directors are encouraged to attend all committee meetings, allowing for every Director to participate and provide guidance regarding any risk concerns.
Our Board is composed of Directors with a broad range of skills, experience and perspectives to provide effective oversight. The majority of our Directors have direct risk assessment and risk management experience.
Frameworks and Methodologies
We use two primary frameworks to assess risk and establish risk-related goals and responsibilities.
Our Internal Audit team’s annual Companywide Risk Assessment for our Audit Committee culminates in a tiered, grid-based risk scorecard. This comprehensive assessment covers commercial risks relating to our operating businesses and M&A activity, regulation, investments, cybersecurity, natural catastrophes, human resources and various other categories.
In addition, we use the Institute of Internal Auditors’ Three Lines of Defense framework to identify business unit goals and responsibilities with respect to risk management. Our “first line of defense” consists of cross-functional managers who develop, implement and maintain internal control procedures on a day-to-day basis. Our “second line of defense” consists of our senior executives and executive steering committees – such as our IT Steering Committee and our Investment Committee – which set risk management standards and monitor compliance with them. Our “third line of defense” consists of our Internal Audit team, which provides comprehensive assurance with a high degree of independence and objectivity within the organization.
Cybersecurity and Business Continuity
The confidentiality, integrity and availability of our data are areas of increasing focus in our management of risk. In addition to its Companywide Risk Assessment, our Internal Audit team also conducts an annual Network Security Assessment, which covers our parent company and significant operating subsidiaries.
White Mountains maintains a robust set of parent company cybersecurity policies and procedures. Our User Information Security Policy, which is included in our Employee Handbook and acknowledged annually by employees, establishes user security requirements to protect our business records and information. This policy is reinforced through mandatory periodic information security training for employees. Our Administrator User Security Policy establishes standards for the administration of controls necessary to protect, detect and respond to security threats. Our Cybersecurity Incident Response Plan outlines steps to address potential cybersecurity incidents.
Maintaining the security of our networks and data is an important priority across our entire organization. We regularly assess our security measures against the Center for Internet Security (CIS) Controls framework, and some of our subsidiaries also use the ISO 27001 standard to benchmark their controls. In addition, our businesses comply with the cybersecurity and privacy regulations applicable to them, including the cybersecurity regulation of the New York Department of Financial Services, the California Consumer Privacy Act, the UK Data Protection Act and the UK General Data Protection Regulation, with their compliance evaluated through both internal and regulatory audits.
Finally, the White Mountains parent company and its significant operating companies maintain business continuity and/or disaster recovery plans to ensure that business can resume promptly and efficiently in the event of any significant short-term or long-term business disruption.
Investment Portfolio Monitoring
Risk management plays a critical role in the management and monitoring of our investment portfolio. The White Mountains Investment Guidelines limit our risk exposure by setting concentration limits, liquidity parameters, and other limitations and prohibitions on our investment activities. Our investment team monitors our compliance with these guidelines in real time and reports a set of standardized internal risk metrics to senior management and our Board on a regular basis. We also review quarterly shock scenario analyses of our investment portfolio.