Through our risk management activities, we seek to identify and assess major risks that could affect our businesses. We include considerations of ESG risks, such as the impact of climate change, human capital management and cybersecurity threats.
Board Oversight of Risk
Our Board, directly and through its committees, plays an active role in the oversight of our company’s risk management. The subject of risk management is a recurring agenda item at Board and Committee meetings. The Board and/or its Committees regularly receive reports from management on capital, investments, and operations, including the risks associated with each and the steps management is taking to manage those risks. The Board also discusses with management our business strategy, risk appetite and appropriate levels of risk.
The Board’s committees are assigned oversight responsibility for particular areas of risk. For example, the Audit Committee receives, at least annually, a Companywide Risk Assessment, which covers all operations. This assessment considers operational, financial, legal, compliance, cyber, ethical and reputational risks, as well as climate risk and sustainability matters. The Compensation/Nominating & Governance Committee oversees risk related to corporate governance, succession planning, environmental stewardship, sustainability and corporate social responsibility. The Finance Committee oversees the risks related to managing our investment portfolio. Full Board meetings and individual Committee meetings are scheduled so as not to overlap, and all Directors are encouraged to attend all committee meetings, allowing for every Director to participate and provide guidance regarding any risk concerns.
Our Board comprises Directors with a broad range of skills, experience and perspectives to provide effective oversight. The majority of our Directors have direct risk assessment and risk management experience.
Frameworks and Methodologies
We utilize two primary frameworks to assess risk and establish risk-related goals and responsibilities.
Our Internal Audit team’s annual Companywide Risk Assessment for our Audit Committee culminates in a tiered, grid-based risk scorecard. This comprehensive assessment covers commercial risks relating to our operating businesses and M&A activity, regulation, investments, cybersecurity, natural catastrophes, human resources and various other categories.
In addition, we apply the Institute of Internal Auditors’ Three Lines Model to identify business unit goals and responsibilities with respect to risk management. The White Mountains Board establishes structures and processes for governance, delegates responsibilities to management for achieving company objectives, and sets the company’s risk appetite. Our “first line” consists of cross-functional managers who develop, implement and maintain internal control procedures on a day-to-day basis. Our “second line” consists of our senior executives and executive steering committees – such as our IT Steering Committee and our Investment Committee – which set risk management standards, provide expertise and monitor compliance. Our “third line” consists of our Internal Audit team, which provides comprehensive assurance and advice at a high level of independence and objectivity within the organization. All three lines are aligned on overall company objectives and communicate regularly with one another, our external assurance providers and the White Mountains Board, as deemed appropriate.
Cybersecurity and Business Continuity
The confidentiality, integrity and availability of our data are areas of increasing focus in our management of risk. In addition to its Companywide Risk Assessment, our Internal Audit team also conducts an annual Network Security Assessment, which covers our parent company and significant operating subsidiaries. We also engage external cybersecurity network penetration specialists to perform comprehensive testing on the resilience of our network defenses – across our holding company and significant operating companies – at least annually.
White Mountains maintains a robust set of parent company cybersecurity policies and procedures. Our User Information Security Policy, which is included in our Employee Handbook and acknowledged annually by employees, establishes user security requirements to protect our business records and information. This policy is reinforced through mandatory periodic information security training for employees. Our Administrator User Security Policy establishes standards for the administration of controls necessary to protect, detect and respond to security threats. Our Cybersecurity Incident Response Plan outlines steps to address potential cybersecurity incidents.
Maintaining the security of our networks and data is an important priority across our entire organization. We regularly assess our security measures using the Center for Internet Security Controls framework, and some of our subsidiaries also use the ISO 27001 framework to benchmark controls. In addition, our businesses comply with cybersecurity and privacy regulations where applicable to them, including those of the New York Department of Financial Services, the California Consumer Privacy Act, the UK Data Protection Act, and the UK General Data Protection Regulation, with their compliance evaluated through both internal and government audits.
Finally, the White Mountains parent company and its significant operating companies maintain business continuity and/or disaster recovery plans to ensure that business can resume promptly and efficiently in the event of any significant short-term or long-term business disruption.
Investment Portfolio Monitoring
Risk management plays a critical role in the management and monitoring of our investment portfolio. The White Mountains Investment Guidelines curb our risk exposure by dictating concentration limits, liquidity parameters, and other limitations and prohibitions on our investment activities. Our investment team monitors our compliance with these guidelines in real time and reports a set of standardized internal risk metrics to senior management and our Board on a regular basis. We also review quarterly shock scenario analyses of our investment portfolio.