Numerous internal policies, guidelines and operating procedures exist in VIG to ensure compliance with applicable regulatory requirements and voluntary commitments, to promote a culture of integrity and to ensure ethically correct conduct, as well as to actively manage material risks and opportunities. Examples include the Code of Business Ethics, the VIG sustainability programme and Group-wide policies and guidelines on the compliance management system, data protection, the prevention of money laundering and terrorist financing, risk management, Fit & Proper, information security and procurement.
Details on individual key governance documents are described in chapter ESRS 2 MDR‑P “Policies adopted to manage material sustainability matters”.
Disclosure Requirement G1-1 – Corporate culture and business conduct policies
VIG has a number of policies relating to business conduct. The Code of Business Ethics reflects the values and guardrails of VIG and provides guidance to all employees for their actions and decisions (see also the introductory table under ESRS G1 “Business conduct”). Building on these principles, VIG fosters an appropriate corporate culture through a variety of initiatives. In addition to defining fundamental principles for cooperation, this includes promoting employee engagement, offering training and development opportunities, introducing incentive schemes, fostering open communication and promoting diversity and inclusion. In addition, onboarding is used as an important time to familiarise new employees with the corporate culture. Other actions include VIG’s social engagement in the communities of the respective countries, the conduct of employee surveys and the continuous improvement of working conditions and related initiatives. Some actions are explained in more detail below.
Communication channels
Complete, reliable information is needed to make sound strategic decisions. VIG therefore has experts who provide the Managing Board and local company management with in-depth analyses to support them in their decision-making. Various channels of communication ensure the necessary exchange between individual Group companies and VIG Holding.
CO3
CO3 stands for “Collaboration”, “Cooperation” and “Communication” and is a department that strengthens cooperation and communication within the Group. CO3 thus fosters the corporate culture in VIG and provides strategic input for the positioning of VIG. Cooperation is based, among other things, on the VIG Group Policy Media Strategy and Press Relations.
Values and cohesion
VIG respects the cultures and traditions of the various countries and markets in which it offers its insurance services, and it is committed to equal opportunities in the recruitment and development of its employees. This commitment is underlined by VIG’s diversity strategy and the appointment of a Diversity Advisor at VIG Holding. VIG regularly organises workshops, conferences and cross-departmental and cross-company projects that encourage employees to network and communicate effectively. These initiatives promote a positive working environment, strengthen trust and improve overall team dynamics. VIG is aware that investing in team building not only increases morale, but also productivity and innovation. Further information can be found under ESRS S1-1 “Policies related to own workforce of the company”.
Compliance management system
The main component of the provisions made for managing the material risk of non-compliance with regulatory requirements is the Group-wide compliance management system, which includes at least all (re-)insurance companies, asset management companies and pension funds, provided VIG Holding (directly or indirectly) holds more than 50% of the shares. Non-insurance companies are integrated into the compliance management system of the controlling insurance company based on their individual risk situation. The Group-wide compliance management system, together with the Code of Business Ethics, forms the core of the overall concept for ensuring ethical and legally compliant conduct in internal operations and in relationships with customers, business partners, shareholders and the general public. The compliance management system also provides for mechanisms for reporting perceived conduct that is potentially in conflict with regulatory and ethical requirements as well as voluntary commitments. The Group-wide compliance management system is continuously being evaluated and developed further. Further information on the Code of Business Ethics, the Group Policy Compliance Management System and other individual compliance-related governance documents can be found in chapter ESRS 2 MDR‑P “Policies adopted to manage material sustainability matters”.
Like the Group itself, the Compliance organisation also has a decentralised structure. It is represented by the Group Compliance Committee, which consists of the local compliance officers and the head of Compliance (incl. AML) of VIG Holding. Compliance representatives are appointed in all (re-)insurance companies, asset management companies and pension funds. These individuals are responsible for establishing, supporting and developing the local compliance management system. The tasks of the compliance representatives include monitoring the legal environment and recommending necessary actions, identifying and assessing compliance risks, taking actions to prevent breaches, advising employees and the members of the local managing boards and/or local supervisory boards, performing compliance audits, monitoring existing procedures and handling compliance incidents. Beyond these duties, the local compliance representatives also have comprehensive regular and ad hoc reporting obligations to the local managing board and/or supervisory board and Compliance (incl. AML) of VIG Holding. This includes the annual compliance report as well as ad hoc reports on regulatory audits and the results thereof, precisely defined compliance incidents, and conflicts of interest involving certain groups of persons. The local compliance representatives are assisted, supported, steered and monitored by Compliance (incl. AML) of VIG Holding.
Reporting breaches
Internal and external persons can report any observations of misconduct to predefined functions, in particular the compliance representatives both at the level of the individual VIG companies and at the level of VIG Holding.
In VIG, process specifications for handling whistleblowers are implemented in local governance documents and in accordance with the local legal framework. VIG companies based in the EU are subject to the requirements of the EU Whistleblower Directive and the corresponding national implementation, which prescribes the establishment of internal reporting channels and the protection of whistleblowers. Accordingly, all insurance companies of the Group with their registered office in the EU have corresponding internal reporting channels. Outside the EU as well, all but four insurance companies have established relevant processes (see ESRS 2 MDR‑P “Policies adopted to manage material sustainability matters”). In addition, a large proportion of non-insurance companies with more than ten employees have implemented measures regarding whistleblowing in accordance with local laws. In most of the companies concerned, reports are received by the compliance representatives. In the majority of cases, those employees who are responsible for receiving reports have been informed about or completed training on the legal requirements, specifically with regard to whistleblowing, including in all insurance companies located in the EU. The most frequently offered reporting channels are dedicated email mailboxes and face-to-face meetings; some companies have set up their own whistleblowing portals. To this end, all insurance companies within the EU have implemented measures to protect whistleblowers from retaliation, in accordance with legal requirements set out in the EU Whistleblower Directive. 
In line with the Austrian Whistleblower Protection Act (Hinweisgeber:innenschutzgesetz), which implemented the EU Whistleblower Directive in Austria, VIG Holding has set up the VIG Whistleblower Portal as an internal reporting channel to allow for secure and confidential reporting – at any time and anonymously – of perceived violations of the statutory provisions named in the Whistleblower Protection Act. Perceived violations in other legal areas can be reported to a dedicated email mailbox (whistleblowing@vig.com) and by post to Compliance (incl. AML) of VIG Holding, for the attention of the VIG Compliance Officer.
Information on this can be found both on the Intranet and on the VIG website. Regardless of the chosen reporting channel, all reports will reach Compliance (incl. AML) of VIG Holding. Their validity is then reviewed in compliance with the provisions of confidentiality, employee protection, and data protection. Every incoming report is evaluated by a VIG Holding committee, consisting of members from Compliance (incl. AML), General Secretariat & Legal, Human Resources and Internal Audit, regardless of whether it concerns a subsidiary or VIG Holding, and follow-up actions are recommended if necessary. The follow-up actions are taken in accordance with the process specifications of the Internal Audit department.
In addition to setting up specific internal reporting channels in accordance with the respective national requirements for whistleblowing, all (re-)insurance companies, asset management companies and pension funds within the EU have set up reporting channels within the framework of the compliance management system that employees can use to report concerns about conduct that may be illegal or that contravenes the Code of Business Ethics. Corresponding reports or incidents are investigated by an independent body.
Business conduct training
In VIG, the planning and implementation of training on business conduct topics is the responsibility of the respective VIG company. The scope, target group, frequency and format of such trainings are therefore structured differently in the VIG companies. All (re-)insurance companies, asset management companies and pension funds within the EU, as well as the majority of these companies outside the EU, have corresponding policies. Most of these companies conduct these trainings as part of the onboarding process for new employees. VIG Holding continued its extensive range of training programmes on compliance topics during the reporting year. New employees were required to complete a general compliance training as well as trainings on the prevention of market abuse and on international sanctions. Additionally, there was a mandatory compliance e-learning programme. This included modules on data protection, information security, code of conduct, anti-corruption and money laundering prevention. For more details on training and the prevention of corruption and bribery, as well as on the functions most at risk within an organisation in this regard, see chapter ESRS G1-3 “Prevention and detection of corruption or bribery”.
Disclosure Requirement G1-3 – Prevention and detection of corruption or bribery
The aim of an effective compliance management system (see ESRS G1-1 “Corporate culture and business conduct policies”) is to ensure compliance with all regulatory requirements applicable to an undertaking or group, as well as internal standards and voluntary commitments. This includes, in particular, the provisions on the prevention of corruption and bribery, on the handling of potential conflicts of interest, on procurement principles, on money laundering prevention and on compliance with international sanctions. The mechanisms for reporting breaches also extend to these legal areas. The relevant measures for the prevention and detection of corruption and bribery are embedded in the compliance management system and are therefore also included in Group policies and guidelines (see also ESRS G1-1 “Corporate culture and business conduct policies”).
Incidents of corruption and bribery are compliance incidents that must be reported directly by VIG (re-)insurance companies, asset management companies and pension funds to Compliance (incl. AML) of VIG Holding accordingly. Reports of perceived incidents of corruption and bribery are handled in accordance with the locally defined responsibilities and in accordance with local statutory regulations (see also ESRS G1-1 “Corporate culture and business conduct policies”). All (re-)insurance companies, asset management companies and pension funds within the EU have issued internal instructions for handling perceived or confirmed incidents of corruption and bribery. These include conducting investigations in cases of suspicion, whereby the functions tasked with carrying out the investigation are separate from the chain of management involved in the allegation. Both Compliance and Internal Audit – departments that are usually involved in receiving reports and processing perceived incidents of corruption and bribery – have a direct reporting line within the relevant VIG companies to the local managing board and are responsible only to the local managing board.
In addition, the Group Guideline Prevention of Money Laundering and Terrorist Financing is important in this context. This guideline is based on the requirements of the 4th and 5th EU Anti-Money Laundering Directives and applies to those VIG companies that are required to comply with anti-money laundering and anti-terrorist financing regulations on account of European or national requirements. VIG supports international efforts to prevent the abuse of the financial system for the purposes of money laundering and terrorist financing. Accordingly, the (re-)insurance companies, asset management companies and pension funds that are subject to EU or national regulations on the prevention of money laundering and terrorist financing must identify their customers in accordance with the know-your-customer principle (KYC) and verify their identity, check the origin of funds, monitor the business relationships and, if necessary, submit reports of suspicions to the competent authorities. Anti-money laundering officers play a key role in this. The function of the anti-money laundering officers must be set up in such a way that they are responsible to the Managing Board and report directly to the Managing Board – without any intermediate levels. The VIG Guideline International Sanctions provides for the mandatory screening of customers, business partners, payment recipients and employees against relevant sanction lists before concluding contracts and making payments. A sanction screening tool procured for the Group is used for this purpose. This tool is also used to screen for the status of a politically exposed person in relation to anti-money laundering procedures. The tool also contains information on negative media reports and criminal prosecution.
In the context of actions to prevent corruption and bribery, a Group-wide guideline for managing conflicts of interest was implemented in the reporting year. Further details are provided in ESRS 2 MDR‑P “Policies adopted to manage material sustainability matters”. Additionally, in the Group Policy Compliance Management System, there is also an ad hoc reporting obligation to Compliance (incl. AML) of VIG Holding for (potential) conflicts of interest identified by VIG companies with regard to members of the Supervisory Board, members of the Managing Board and holders of governance or key functions. A guideline on conflicts of interest has also been implemented for VIG Holding in accordance with Group requirements, which requires employees to identify conflicts of interest and avoid them in coordination with the respective managers. If this is not possible, they must define and implement appropriate actions for handling the relevant conflicts of interest together with the managers. If a conflict of interest cannot be avoided or adequately handled, a report must be made to Compliance (incl. AML) of VIG Holding.
Non-insurance companies are integrated into the compliance management system of the controlling insurance company based on their individual risk situation, as described in G1-1 “Corporate culture and business conduct policies”. Against this background, the processes described above for preventing corruption and bribery have been implemented in some non-insurance companies on a risk basis or – based on the identified risk exposure – not implemented. However, all non-insurance companies conduct their business in accordance with the 15 guardrails of the Code of Business Ethics, including “Prevention of corruption and bribery”. One non-insurance company plans to implement additional actions in this area in the coming year.
The measures to prevent, detect and investigate reports of corruption and bribery are communicated in various ways, with most (re-)insurance companies, asset management companies and pension funds using their internal communication channels, documents or training courses for this purpose. The 15 guardrails of the Group-wide Code of Business Ethics (see ESRS 2 MDR‑P “Policies adopted to manage material sustainability matters”) are available on the website (https://group.vig/en/cobe).
As described under ESRS G1-1 “Corporate culture and business conduct policies”, the planning and implementation of training programmes is the responsibility of the VIG companies. In their annual compliance plans and compliance reports, which are sent to the local managing board and Compliance (incl. AML) of VIG Holding, the local compliance representatives provide information on respective actions and their implementation. Almost all (re-)insurance companies, asset management companies and pension funds in the EU offer training on corruption and bribery, usually as part of a more comprehensive training concept. Such trainings are usually offered as part of onboarding or annually; computer-based solutions are used for the most part.
At VIG Holding the subject of corruption and bribery is addressed in the mandatory general compliance training during onboarding and as part of an e-learning programme. At VIG, Managing Board members and managers one level below the Board are considered to be at-risk functions in any case, i.e. functions that are most at risk within the company in relation to corruption and bribery. Other roles and functions may be included in this definition locally. The percentage of these functions, based on all consolidated VIG companies with more than ten employees, who completed training on corruption and bribery in the reporting year is 64.8%.
In VIG companies, the majority of managing board members and some supervisory board members of the consolidated Group companies were included in the training programmes in the reporting year. In addition, within the (re-)insurance companies, asset management companies and pension funds, reporting on the prevention of corruption and bribery is carried out as required via annual compliance reports to the local managing board and, in some cases, to the local supervisory board. Each year, during a Supervisory Board meeting, the VIG Holding Managing Board provides information to the Supervisory Board of VIG Holding on the precautions taken to combat corruption in VIG Holding.
MDR-A – Actions and resources in relation to material sustainability matters
As an insurance group, VIG operates in a highly regulated environment and contributes to the further development of this legal framework as a member of insurance associations or sector-independent industry associations. The aim is to contribute to practical, market-oriented and effective regulation through industry expertise and practical knowledge. VIG implemented comprehensive actions to manage material impacts and risks. These are described in particular under Disclosure Requirement ESRS G1-1 “Corporate culture and business conduct policies” and ESRS G1-3 “Prevention and detection of corruption and bribery”. Material topics relating to IT security have also been identified in ESRS S4 “Consumers and end-users”. The actions taken are described in ESRS S4-4 “Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions”. The characteristics and scope of the actions taken with regard to the risk of non-compliance with regulatory requirements in terms of whistleblowing systems and training on business conduct and anti-corruption are described in ESRS G1-1 “Corporate culture and business conduct policies” and ESRS G1-3 “Prevention and detection of corruption and bribery”. Actions taken with regard to the risk of reputational damage resulting from business relationships with companies that employ inadequate or irresponsible business practices include the integration of environmental, social, governance and human rights aspects into investment processes and minimum safeguard checks in underwriting.
As described in ESRS G1-1 “Corporate culture and business conduct policies”, VIG pursues a continuous improvement process for the actions taken, which takes into account the respective local requirements in accordance with the decentralised management approach. The time horizon for the continuous implementation of these actions ranges from short term to long term. The whistleblower systems are available on an ongoing basis, i.e. without any time restrictions. Training programmes are offered on an ongoing basis in accordance with the relevant policies, and the policies are reviewed annually and adapted if necessary.