Risk Management Policy

Risk management is a core part of RGA’s governance framework and is applied across all business activities. The purpose of this policy is to ensure that RGA identifies, assesses, monitors, and manages risks that could affect the achievement of its objectives, service delivery, employees, clients, or reputation.

Scope

This policy applies to:

  • All RGA employees, contractors, and consultants
  • All RGA business units, projects, and operational activities, including data platform and analytics services
  • All risks that could impact strategic, operational, financial, legal, compliance, or reputational outcomes

Policy Statement

RGA is committed to:

  • Proactively identifying and evaluating risks across the business
  • Implementing appropriate controls to mitigate risk exposure
  • Promoting a culture of risk awareness and accountability among all employees
  • Ensuring compliance with legal, regulatory, and contractual obligations

Responsibilities

  • Board / Senior Management: Provide oversight of the risk management framework, approve risk appetite, and review high-level risks regularly
  • Risk Management Lead / Manager: Maintain the risk register, facilitate risk assessments, and report emerging risks to senior management
  • Employees and Contractors: Identify, report, and manage risks within their areas of responsibility

The company Director has overall responsibility for ensuring compliance with this policy.

Risk Identification and Assessment

RGA maintains a structured approach to identifying and assessing risks:

  • Risks are classified by type (strategic, operational, financial, compliance, reputational) and rated by likelihood and impact
  • Risk registers are maintained at both corporate and project levels
  • Emerging risks, including those related to technology, cyber, supply chain, and client operations, are reviewed regularly

Risk Mitigation and Monitoring

RGA implements mitigation measures proportional to the risk, including:

  • Policies, procedures, and controls for operational and compliance risks
  • Staff training and awareness programmes
  • Regular review and monitoring of high-risk areas
  • Escalation and reporting mechanisms for critical risks

Review and Continuous Improvement

  • Risk registers and controls are reviewed at least annually or following significant changes in business operations, technology, or the external environment
  • Lessons from incidents or near-misses are incorporated into the risk management framework
  • Continuous improvement ensures that risk management practices remain effective and aligned with business objectives

Compliance

Compliance with this policy is mandatory. Failure to comply may result in disciplinary action. This policy supports RGA’s broader governance, ethical, and compliance commitments, including anti-bribery, modern slavery, and business continuity obligations.

Approved By:   R Gauldie, Director

5th February 2026