compliance risk & maturity roll-out european region · we consider it as success, if the whole...

© Copyright Allianz SE Compliance Risk & Maturity Roll-out European Region Group Legal & Compliance / CIAT Munich, February 2017 Internal CLASSIFICATION: INTERNAL ALZ.0001.0097.3494


Page 1: Compliance Risk & Maturity Roll-out European Region · We consider it as success, if the whole compliance community is implementing the concepts following the processes completely

© Copyright Allianz SE

Compliance Risk & Maturity Roll-out European Region

Group Legal & Compliance / CIAT
Munich, February 2017

Internal

CLASSIFICATION: INTERNAL

ALZ.0001.0097.3494

Page 2

The Vision…

We jointly bring the Compliance Risk Management to the next level in line with the Renewal Agenda

We focus on key risks to avoid losses and protect the reputation of Allianz in compliance with Solvency II

We build one integrated platform and approach (ORGS/IRCS)

This enables all of us to assess risk, evaluate programs (maturity), test control design and effectiveness and report the results transparently

We want to leverage the expertise, knowledge and resources of all levels of defense in order to contribute to an effective and best-in-class Compliance Management System as a part of an Integrated Risk and Control System

We consider it as success, if the whole compliance community is implementing the concepts following the processes completely and consistently using ORGS

A Compliance Assurance program is an integral component of a strong Compliance Management and Internal Control System

ALZ.0001.0097.3495

Page 3

© Copyright Allianz SE 08/2018 CLASSIFICATION: INTERNAL

The new Integrated Risk and Controls System process will be rolled out to the entire Group in a 3-year staggered approach

[Process diagram: AZ Risk Catalogue (Compliance; Operations; Insurance; Market/Credit/Liquidity; Legal/Tax/Other) feeding process steps I to V, with RCSA]

Risk Scoping
• Confirm significance of scoped risks
• Tailor risk description if necessary
• Add responsibilities and document

Control Environment Effectiveness
• Key control identification & documentation and responsibilities
• Key control assessment
• Identify control gaps
• Control environment assessment

Actual Risk Assessment
• 1-in-20 year assessment
• Reputational impact

Response/Monitoring
• Mitigate the risk (e.g. action plan) by improving control environment
• Accept the risk
• Rationale
• KRIs for material OpRisks

Reporting

ALZ.0001.0097.3496

Page 4

The Compliance Risk Assessment process is fully integrated into the IRCS

[Process diagram; the steps are numbered 1 to 9 on the slide]

Risk Scoping
• Risk scoping: Identify the applicable risks & add local risks
• Inherent Risk: Assess the inherent risk for the applicable risks and generate the Shortlist and Significant risks
• Program Maturity: Assess the Program Maturity and generate the Risk & Maturity Matrix
• AOM Mapping: Map Shortlisted risks to AOM functions (only for IRCS OEs)
• Expert Challenge: CSC member Expert challenge discussion on 1,2,3

RCSA Workshops
• Preparation: Do pre-assessment of 1-in-20 for Significant risks and gather information on controls
• Control Environment: Discuss the control environment and identify key controls
• Actual Risk: Assess the 1-in-20, reputational risk and control environment effectiveness
• Response/Action Plan: Mitigate* or Accept the risk; if the risk response is to mitigate, define an action plan

* Consider the Risk & Maturity Matrix outcome

ALZ.0001.0097.3497

Page 5

Compliance will roll-out only the Risk Scoping part of the IRCS process for all OEs in 2017

Risk Scoping – 2017 Compliance Roll-out
• Risk scoping: Identify the applicable risks & add local risks
• Inherent Risk: Assess the inherent risk for the applicable risks and generate the Shortlist and Significant risks
• Program Maturity: Assess the Program Maturity and generate the Risk & Maturity Matrix
• AOM Mapping: Map shortlisted risks to AOM functions (only for IRCS OEs)
• Expert Challenge: CSC member Expert challenge discussion on 1,2,3

Only for RCSA OEs: Follow the RCSA approach in accordance with the RCSA Guideline. In the RCSA workshops only focus on significant risks instead of the entire mandatory RCSA catalogue

ALZ.0001.0097.3498

Page 6

How to prepare for the 2017 Risk Scoping?

Entity coverage
• Review the entity coverage flowchart and excel tool
• Document the entity coverage together with your local Risk Function

Workbook
• Familiarize yourself with the Workbook, the Compliance risks in the Group Risk catalogue and any local loss data

Inherent risk
• Contact your local Risk Function in order to obtain the materiality basis for the inherent risk assessment
• Understand the inherent risk rating methodology

Maturity
• Understand the maturity rating methodology
• Familiarize yourself with the Level 3 Descriptions for Program Maturity

ALZ.0001.0097.3499

Page 7

Required activities

Participate in Trainings in March
• Join a training session and learn about the new process

Document Entity Coverage
• State which entities in your OE submit a combined or individual risk & maturity assessment

Complete Workbook
• Complete risk scoping, inherent risk assessment, program maturity assessment
• Check the auto-populated Risk & Maturity Matrix in the Dashboard

Complete Risk & Maturity Report
• Complete PowerPoint Template

Do Expert Challenge
• Participate in Expert challenge with your CSC member

Deliver results to CIAT (or Region/Global Line for combined submission to Group)
• Send Risk & Maturity report to CIAT or Region/Global Line first

ALZ.0001.0097.3500

Page 8

Next Steps

When | European Region
March 7th | In person training in Munich relating to risk scoping
End of April | Complete Entity Coverage Calls with Elena and Irene (determining which/how many assessments have to be conducted)
May 19th | Complete Entity Coverage Tool, Workbook, draft Risk and Maturity Report for the required entities
June 21st 22nd | Discuss draft Risk and Maturity Reports during the European conference in Munich
May 19th to end of July | Complete follow up calls (“Expert Challenge”) with CIAT team (Elena, Irene, Savoula) and finalize Risk and Maturity Reports (replacing Heat Maps)

ALZ.0001.0097.3501

Page 9

Backup

ALZ.0001.0097.3502

Page 10

Inherent Risk Rating Matrix

Rows: Impact (the higher of financial impact and rep. Risk); columns: Occurrence probability

Impact | 1 | 2 | 3 | 4 | 5
1 | very low | very low | very low | very low | low
2 | very low | very low | low | low | moderate
3 | low | low | moderate | moderate | high
4 | moderate | moderate | high | high | very high
5 | high | high | high | very high | very high

The Inherent Risk is the link between:
• the probability that a given risk will occur (on a 1 to 5 scale from rare to almost certain), and
• the higher of either the potential financial impact of the risk or the reputational impact (on a 1 to 5 scale from very low to very high),

prior to the consideration of any controls in place (i.e. controls are non-existent, improperly designed or improperly executed)

ALZ.0001.0097.3503

Page 11

The risk layers

• 35 Group risks: Mandatory Group Risk Catalogue
• Applicable risks: Risks applicable to the entity based on expert judgment
• Local risks: Additional local risks applicable to the entity
• Shortlist: Risks rated moderate or higher
• Significant risks: Risks rated high and very high, which get an actual risk assessment

ALZ.0001.0097.3504

Page 12

The Program Maturity Concept

Ten Group Compliance Programs
• GC Compliance Organisation
• Sales Compl.
• Data Privacy
• Econ. Sanctions
• Anti-Money Laundering
• FATCA
• Anti-Fraud
• Anti-Corruption
• Capital Market
• Anti-Trust

Five Elements of each Program
1. Risk Assessment and Gap Analysis
2. Policies and Procedures
3. Roles and Responsibilities
4. Awareness and Training
5. Monitoring, Incidents and Reporting

ALZ.0001.0097.3505

Page 13

Each Program Element must be rated on a 1-5 scale with an indication if the rating is based on a self-assessment

Maturity Level | Maturity Rating | Independent test of design?
Ad-hoc/Initial | 1 | Y/N
Reactive/Repeatable | 2 | Y/N
Defined | 3 | Y/N
Managed | 4 | Y/N
Optimized | 5 | Y/N

1. Risk Assessment and Gap Analysis
2. Policies and Procedures
3. Roles and Responsibilities
4. Awareness and Training
5. Monitoring, Incidents and Reporting

Each Program Element carries a different weight towards the final assessment.

Weights shown on the slide: 16,55%; 22,3%; 16,55%; 22,3%; 22,3%

ALZ.0001.0097.3506

Page 14

Independent Test of Design and implementation status

DEFINITION

A test of the design or implementation status of the local Compliance Program in an Entity against the Group Compliance requirements is considered independent if it is performed by someone that is not the Control Owner (i.e. he/she is not responsible for the local Entity program design) or not the Risk Owner or Control Performer (i.e. he/she is not responsible for local implementation). Group Compliance, Internal Audit, External Audit are typical independent testers.

PURPOSE

The existence of an independent test of design gives context to the maturity rating and only indicates whether the maturity rating is based on a self-assessment or not

ALZ.0001.0097.3507

Page 15

The Key differentiators between the Maturity Levels

Level 1 (Ad-hoc/Initial): Compliance happens on an ad-hoc and as needed basis.

Level 2 (Reactive/Repeatable): Some compliance processes/activities are in place but they are based on a reactive environment and may be incomplete.

Level 3 (Defined): Compliance processes/activities are in place, are complete and appropriately designed

Level 4 (Managed): Compliance processes/activities are in place, appropriately designed, complete and process controls tested for effectiveness

Level 5 (Optimised): Compliance processes/activities are in place, appropriately designed, complete, process controls tested for effectiveness and continuously improved.

Key Differentiators
• GC Design is fully in place (with approved deviations)
• Level 3 + Key Process control testing takes place
• Level 4 + Risk Mitigation action plans are closed and controls continuously improved

ALZ.0001.0097.3508

Page 16

Risk and Maturity Matrix Report

[OE/Region/Global Line] 2017 [Division]

Risk & Maturity Matrix Result

[Matrix: Inherent Risk rating (1 to 5) against Program Maturity rating (1 to 5), with the programs ES, AML, AF, AC, SC, DP, CM, AT and F plotted]

• Economic Sanctions (ES)
• Corruption (AC)
• Money Laundering (AML)
• Internal Fraud (AF)
• Sales Compliance (SC)
• Data Privacy (DP)
• Capital Markets (CM)
• Antitrust (AT)
• FATCA (F)

High Priority Programs:

Comment on Compliance Risk/Program Status

Compliance Organization (Rating and Status comment)
[Enter Maturity Rating + Comment on Status]

ALZ.0001.0097.3509

Page 17

© Allianz SE 2017

Any questions? Please contact us!

Irene Gürtler
European [email protected]
+49 89 3800 16192

Elena Dimolarova
Risk and [email protected]
+49 89 3800 13106

Savoula Demetriou
[email protected]
+49 89 3800 69516

ALZ.0001.0097.3510
