Elevance Health's risk management processes and execution are managed by a strongly defined governance and risk framework. Varying levels of risk are handled at the appropriate level of management, coordinated among the different risk management functions, and escalated rapidly when appropriate based on well-communicated thresholds.
Formal risk identification and assessment, including emerging risks, are conducted in all areas of accountability (e.g., Information Technology (IT), Sustainability, Information Security, Corporate Security, Compliance, Internal Audit) on an ongoing basis and shared horizontally across the organization as well as vertically to the appropriate stakeholders.
The output of the Company's risk assessments serves as inputs to the Enterprise Risk Management (ERM) program. The ERM program has a formal level of oversight and execution from the Company's Board of Directors, Chief Risk Officer, the Senior Leadership Team, and the Enterprise Risk Council (ERC). Regular coordination is facilitated through a formal Risk Alliance working group (with ESG representation), which includes a standing agenda item of risk identification and prioritization. Identified enterprise risks are assigned formal owners, who have clear responsibilities and accountability, which include defining the appropriate response strategy, identifying relevant metrics and key risk indicators, and monitoring and reporting risks on an ongoing basis. The potential long-term effects of the top enterprise risks are quantified and analyzed against the company's strategies, growth plan, and objectives.
Elevance Health emphasizes a sound risk management culture through corporate governance and is committed to maintaining risk principles that proactively identify, assess, manage, and monitor risk effectively.
The Board of Directors and Senior Leadership Team set the tone for enterprise risk management and how risk is identified, measured, and managed. This includes establishing Elevance Health's risk appetite and tolerance levels. As part of its commitment to continuous improvement, the Company periodically solicits feedback from internal and external contributors on its risk management processes and implements enhancements as appropriate. The Internal Audit department periodically conducts audits of the Company's ERM program to ensure its effectiveness and to detect any areas needing improvement. Furthermore, Elevance Health provides annual risk management and compliance training to all associates, covering the Code of Conduct and other relevant risk and compliance topics. Focused risk management education sessions are also conducted with select departments and risk management functions, and as an integral part of the ERC and Risk Alliance working group meetings, to spread awareness of the programs and improve the quality and effectiveness of the Company's risk management practices and mitigation execution.