Risk Management Regulation for Pensionskassen 2019

All English translation of the authentic German text is unofficial and serves merely information purposes. The official wording in German can be found in the Austrian Federal Law Gazette (Bundesgesetzblatt; BGBl.). All translations have been prepared with great care, but linguistic compromises had to be made. The reader should also bear in mind that some provisions of these laws will remain unclear without certain background knowledge of the Austrian legal and political system. Please note that these laws may be amended in the future and check occasionally for updates. Risk Management Regulation for Pensionskassen 2019 (Pensionskassen-Risikomanagementverordnung 2019 – PK-RiMaV 2019) Full title Regulation of the Financial Market Authority (FMA) on minimum standards for the risk management of Pensionskassen 2019 (PK-RiMaV 2019; Risk Management Regulation for Pensionskassen 2019) Original Version: Federal Law Gazette II No. 331/2018 Preamble/Promulgation clause Based on Article 21a para. 5 of the Pensionskassengesetz (PKG; Pensionskasse Act), published in Federal Law Gazette no. 281/1990, last amended by Federal Act published in Federal Law Gazette I no. 81/2018, the following shall be determined by Regulation: Text General Provisions Article 1. (1) This Regulation shall determine requirements for risk management pursuant to Article 21a paras. 1 to 4 PKG, which cover the entirety of the risk management system, risk management processes and the risk management function and which must be implemented by the management board as a permanent process in the form of a continual process. (2) The management board of the Pensionskasse shall ensure that risk management is conducted by persons who are suitably professionally qualified to do so, and that adequate technical resources are made available for the purpose of risk management. (3) The provisions of this Regulation shall apply on a consolidated basis for syndicated investment and risk sharing groups. Risk Management Function Article 2. (1) The risk management function established pursuant to Article 21a para. 1 PKG shall in particular perform the following tasks:

1. Provision of assistance to the management board for the implementation of the risk management system;
2. Monitoring of the risk management system;
3. Monitoring the risk profile of the Pensionskasse and the investment and risk sharing groups and
4. Reporting about risk exposures, which in addition to key figures must also contain an assessment of the risk situation and the measures that have been conducted and are planned (Article 21a para. 3 PKG). (2) The risk management function must be involved in material strategic decisions. These shall in any case include decisions about the measures listed in Article 3 no. 1. (3) Potential conflicts of interest of the risk management function must be identified. Where conflicts of interest exist, they are to be described and mitigating measures documented accordingly. The risk management function is to be established in such a manner that conflicts

All English translation of the authentic German text is unofficial and serves merely information purposes. The official wording in German can be found in the Austrian Federal Law Gazette (Bundesgesetzblatt; BGBl.). All translations have been prepared with great care, but linguistic compromises had to be made. The reader should also bear in mind that some provisions of these laws will remain unclear without certain background knowledge of the Austrian legal and political system. Please note that these laws may be amended in the future and check occasionally for updates. of interest are avoided that are associated with the asset investment activities. The risk management function is to be organisationally separated from the performance of asset investment activities. (4) Pensionskassen shall prescribe regulations regarding deputisation for the function holders in the risk management function that ensure that the absence or leaving of the company of responsible persons does not lead to significant disruptions to the risk management process. Risk Management System Article 3. Pensionskassen shall ensure that the determination, implementation and maintaining of a risk management system established pursuant to Article 21a paras. 2 to 4 PKG shall in any case cover the following:

1. a clearly defined risk strategy, which is especially consistent with a) the Pensionskasse’s general business strategy, b) the principles of the investment policy pursuant to Article 25a PKG; c) the investment guidelines pursuant to Article 25 para. 4 PKG, d) the business plans pursuant to Article 20 para. 1 PKG, e) the risk bearing capacity and risk appetite pursuant to Article 4, and f) the results of the Own Risk Assessment pursuant to Article 22a PKG;
2. guidelines passed by the management board pursuant to Article 21a para. 5 PKG, which guarantee compliance with this Regulation;
3. tasks, responsibilities, decision-making processes and escalation processes that are clearly defined and coordinated with one another;
4. implementation with the help of IT systems. Such IT systems in any case include information systems in relation to financial market data. The IT systems and IT processes used for risk management must ensure the integrity, authenticity as well as confidentiality of the data and shall be regularly reviewed with regard to their effectiveness;
5. documentation, from which the observance of the requirements set forth in Article 21a PKG as well as this Regulation is comprehensible for third party experts;
6. the reporting procedure and processes, which guarantee that information about the material risks to which the bearers of the risk are exposed is available to the responsible persons in the Pensionskasse; and
7. the regular reviewing of the effectiveness of the risk management system and adapting them where required. Risk Analysis Article 4. (1) Within the scope of the risk assessment pursuant to Article 21a para. 3 no. 1 PKG the risks must be systematically and promptly identified by investment and risk-sharing group (IRG), by sub-IG and by security-oriented investment and risk sharing group (security￾oriented IRG) from the perspective of the bearers of the risk, in particular the beneficiaries (entitled and recipients), the employer and the Pensionskasse. In so doing risks arising from outsourcing and IT systems must also be taken into account. (2) The risks identified pursuant to para. 1 shall be classified with regard to their significance. The reciprocal effects between the various risks shall be taken into account. (3) Pensionskassen shall ensure that the risk management in particular takes into account the following risks with regard to the investment:
8. market risks;
9. interest rate risks;

All English translation of the authentic German text is unofficial and serves merely information purposes. The official wording in German can be found in the Austrian Federal Law Gazette (Bundesgesetzblatt; BGBl.). All translations have been prepared with great care, but linguistic compromises had to be made. The reader should also bear in mind that some provisions of these laws will remain unclear without certain background knowledge of the Austrian legal and political system. Please note that these laws may be amended in the future and check occasionally for updates. 3. credit risks including sovereign and issuer risks; 4. currency risks; 5. risks arising from the use of derivatives, securitisations and similar obligations; 6. liquidity risks; 7. environmental, social and governance (ESG) risks and 8. the associated risk concentrations and reciprocal effects. (4) Pensionskassen shall estimate the risk bearing capacity for material risks for all risk bearers pursuant to para. 1. In so doing the impacts of unfavourable events must be quantified across a suitable period of observation. The risk bearing capacity is to be estimated in qualitative form for other non-quantifiable risks. (5) The risk appetite is to be determined based on the risk bearing capacity. It must be decided in this context whether risks may be incurred or avoided, mitigated or transferred. (6) When identifying the risk bearing capacity and the risk appetite aspects of asset-liability management are to be taken into consideration. In particular, these include

1. in relation to the Pensionskasse: the provision for administrative expenses, the amount and potential developments of material cost items, the obligations arising from guarantees, operational and technical expenses, reinsurance and other risk-mitigation techniques, and
2. in relation to the investment and risk sharing groups, the sub-IGs and security-oriented IRGs: the amount of and potential developments in the volatility reserve, reinsurance, the amount of and potential developments of further provisions as well as shortfalls, the amount of and potential developments in the technical result, as well as the liquidity profile that is to be expected. Risk Assessment Article 5. (1) Within the scope of the risk assessment pursuant to Article 21a para. 3 no. 1 PKG Pensionskassen shall assess all risks that are categorised as material pursuant to Article 4 para. 2. The reciprocal effects between the various risks shall be taken into account. The frequency of risk assessments must take into account, the nature, scope and potential developments of risks. (2) The Pensionskasse shall use risk models for its risk assessments, with the help of which statements on the respective risk situation and risk development can be derived. The risk assessment shall occur in accordance with the risk bearing capacity and risk appetite pursuant to Article 4 paras. 4 and 5 and shall be incorporated into the risk management process. (3) Risk Models shall be checked at least once a calendar year with regard to their suitability. In the case of material changes to a risk model, then the calculations are to be performed in parallel at least once using the previous and adjusted model assumptions. (4) Scenario analyses and stress tests are to be conducted regularly, which not only consider more or less probable scenarios, but also exceptional scenarios and which are tailored to the respective bearers of the risk. Risk Controlling Article 6. (1) Pursuant to Article 21a para. 3 no. 2 PKG the results of the risk analysis and risk assessment shall be taken into consideration in the risk controlling. (2) Limits are to be determined for material risk in accordance with the risk appetite determined pursuant to Article 4 para. 5. Risk Monitoring Article 7. (1) The risk management measures taken shall be monitored. For the purpose of risk monitoring pursuant to Article 21a para. 3 no. 2 PKG, Pensionskassen shall regularly

All English translation of the authentic German text is unofficial and serves merely information purposes. The official wording in German can be found in the Austrian Federal Law Gazette (Bundesgesetzblatt; BGBl.). All translations have been prepared with great care, but linguistic compromises had to be made. The reader should also bear in mind that some provisions of these laws will remain unclear without certain background knowledge of the Austrian legal and political system. Please note that these laws may be amended in the future and check occasionally for updates. perform comparisons of target and actual figures between the actual situation and then risk situation defined on the basis of the risk strategy pursuant to Article 3 no. 1, and to make appropriate adjustments. (2) The limits determined pursuant to Article 6 para. 2 are to be monitored on an ongoing basis within the scope of the risk management system while avoiding conflicts of interest. (3) Processes and appropriate measures to be deployed in the event of limits being exceeding shall be defined in advance. In the event of a limit being exceeding, compliance with the measure deployed shall be documented. (4) Early-warning mechanisms shall help in guaranteeing that changed risk situations, reduced risk bearing capacity as well as imminent over-running of limits are recognised in a timely fashion and necessary measures derived from them. Entry Into Force and Expiry Article 8. This Regulation shall enter into force on 1 January 2019.