ICP 8 Risk Management and Internal Controls

The supervisor requires an insurer to have, as part of its overall corporate governance framework, effective systems of risk management and internal controls, including effective functions for risk management, compliance, actuarial matters and internal audit.

[ + ] 8.0

Introductory Guidance

8.0.1

As part of the overall corporate governance framework and in furtherance of the safe and sound operation of the insurer and the protection of policyholders, the Board is ultimately responsible for ensuring that the insurer has in place effective systems of risk management and internal controls and functions to address the key risks it faces and for the key legal and regulatory obligations that apply to it. Senior Management effectively implements these systems and provides the necessary resources and support for these functions.

8.0.2

In some jurisdictions, risk management is considered a subset of internal controls, while other jurisdictions would see it the other way around. The two systems are in fact closely related. Where the boundary lies between risk management and internal controls is less important than achieving, in practice, the objectives of each.

8.0.3

The systems and functions should be adequate for the insurer’s objectives, strategy, risk profile, and the applicable legal and regulatory requirements. They should be adapted as the insurer’s business and internal and external circumstances change.

8.0.4
The nature of the systems that the insurer has is dependent on many factors. The systems typically include:
  • strategies setting out the approach of the insurer for dealing with specific areas of risk and legal and regulatory obligation;
  • policies defining the procedures and other requirements that members of the Board and employees need to follow;
  • processes for the implementation of the insurer’s strategies and policies; and
  • controls to ensure that such strategies, policies and processes are in fact in place, are being observed and are attaining their intended objectives.
8.0.5

An insurer’s functions (whether in the form of a person, unit or department) should be properly authorised to carry out specific activities relating to matters such as risk management, compliance, actuarial matters and internal audit. These are generally referred to as control functions.

8.0.6

Group-wide risks may affect insurance legal entities within a group, while risks at the insurance legal entity level could also affect the group as a whole. To help address this, groups should have strong risk management and compliance culture across the group and at the insurance legal entity level. Thus, in addition to meeting group governance requirements, the group should take into account the obligations of its insurance legal entities to comply with local laws and regulations.

8.0.7

How a group's systems of risk management and internal controls are organised and operate will depend on the governance approach the group takes, ie, a more centralised or a more decentralised approach (see Issues Paper on Approaches to Group Corporate Governance; impact on control functions). Regardless of the governance approach, it is important that effective systems of risk management and internal controls exist and that risks are properly monitored and managed at the insurance legal entity level and on a group-wide basis.

8.0.8

Additionally, a group’s governance approach will also affect the way in which its control functions are organised and operated. Coordination between the insurance legal entity and group control functions is important to help ensure overall effective systems of risk management and internal controls. Regardless of how the group control functions are organised and operated, the result should provide an overall view of the group-wide risks and how they should be managed.

8.0.9

Supervisors should require the establishment of comprehensive and consistent group governance and assess its effectiveness. While the group-wide supervisor is responsible for assessing the effectiveness of the group’s systems of risk management and internal controls, the other involved supervisors undertake such assessments on a legal entity basis. Appropriate supervisory cooperation and coordination is necessary to have a group-wide view and to enhance the assessment of the legal entities.

[ + ] 8.1
The supervisor requires the insurer to establish, and operate within, an effective and documented risk management system, which includes, at least:
  • a risk management strategy that defines the insurer’s risk appetite;
  • a risk management policy outlining how all material risks are managed within the risk appetite; and
  • the ability to respond to changes in the insurer’s risk profile in a timely manner.
8.1.1

The risk management system is designed and operated at all levels of the insurer to allow for the identification, assessment, monitoring, mitigation and reporting of all risks of the insurer in a timely manner. It takes into account the probability, potential impact and time horizon of risks.

8.1.2
An effective risk management system should:
  • take into account the insurer’s overall business strategy and business activities (including any business activities which have been outsourced);
  • provide that the insurer’s risk appetite, expressed in a risk appetite statement, be aligned with the insurer’s business strategy and embedded in its day-to-day activities;
  • provide relevant objectives, key principles and proper allocation of responsibilities for dealing with risk across the business areas and business units of the insurer;
  • provide explanations of the methodologies, key assumptions and limitations of risk management; for groups this would include the rationale as to the risk appetite for different individual insurance legal entities within the group;
  • provide a documented process defining the Board approval required for any deviations from the risk management strategy or the risk appetite and for settling any major interpretation issues that may arise;
  • define and categorise material risks (by type) to which the insurer is exposed, at both insurance legal entity and group level where applicable, and the levels of acceptable risk limits for each type of these risk;
  • include documented policies that describe how categories of risks are managed and the specific obligations of employees and the insurer in dealing with risk, including risk escalation and risk mitigation tools;
  • provide suitable processes and tools (including stress testing and, where appropriate, models) for identifying, assessing, monitoring and reporting on risks. Such processes should also cover contingency planning;
  • provide for regular reviews of the risk management system (and its components) to help ensure that necessary modifications and improvements are identified and made in a timely manner; and
  • appropriately address other matters related to risk management for solvency purposes set out in ICP
8.1.3

The risk management system should cover at least the following risks: underwriting and reserving, asset-liability management, investments, liquidity, concentration, operational and conduct, as well as reinsurance and other risk mitigation techniques.

8.1.4

The risk management system should be aligned with the insurer’s risk culture and embedded into the various business areas and units with the aim of having the appropriate risk management practices and procedures embedded in the key operations and structures.

CF8.1.a

The group-wide supervisor requires the Head of the IAIG to ensure that the group-wide risk management system encompasses the levels of the Head of the IAIG and legal entities within the IAIG and covers, at least, the:

  • diversity and geographical reach of the activities of the IAIG;
  • nature and degree of risks of individual legal entities and business lines;
  • aggregation of risks from the legal entities within the IAIG that arises at the level of the Head of the IAIG, including cross-border risks;
  • interconnectedness of the legal entities within the IAIG;
  • level of sophistication and functionality of information and reporting systems in addressing key group-wide risks; and
  • applicable laws and regulations of the jurisdictions where the IAIG operates.
CF 8.1.a.1

The group-wide risk management system should:

  • be integrated with its organisational structure, decision-making processes, business operations, and risk culture;
  • be integrated within its legal entities; and
  • measure the risk exposure of the IAIG against the risk limits on an ongoing basis in order to identify potential concerns as early as possible.
CF 8.1.b

The group-wide supervisor requires the Head of the IAIG to reflect, in the documentation of its group-wide risk management system, material differences in risk management that may apply to different legal entities within the IAIG and their associated risks.

CF 8.1.c

The group-wide supervisor requires the Head of the IAIG to ensure that the IAIG has in place policies and processes for promoting a sound risk culture.

CF 8.1.c.1

Policies and processes for promoting a sound risk culture should include risk management training, address independence, and create appropriate incentives for staff.

CF 8.1.c.2

The IAIG’s risk culture should support timely evaluation and open communication of emerging risks that may be significant to the IAIG and its legal entities.

8.1.5

The risk management system should take into account all reasonably foreseeable and relevant material risks to which the insurer is exposed, both at the insurer and the individual business unit levels. This includes current and emerging risks.

8.1.6

Insurers should assess material risks both qualitatively and, where appropriate, quantitatively. Appropriate consideration should be given to a sufficiently wide range of outcomes, as well as to the appropriate tools and techniques to be used. The interdependencies of risks should also be analysed and taken into account in the assessments.

8.1.7

The insurer’s risk assessment should be documented including detailed descriptions and explanations of the risks covered, the approaches used, and the key judgements and assumptions made.

8.1.8

Insurers should have in place adequate processes, controls and systems to assess the risks of new products and carry out a risk assessment before entering into new business lines and products. Significant new or changed activities and products that may increase an existing risk or create a new type of exposure should be approved by Senior Management and/or by the Board.

8.1.9

The risk management system should include processes and tools for monitoring risk, such as early warnings or triggers that allow timely consideration of, and adequate response to, material risks.

8.1.10

The risk management system should include strategies and tools to mitigate against material risks. In most cases an insurer will control or reduce the risk to an acceptable level. Another response to risk is to transfer the risk to a third party. If risks are not acceptable within the risk appetite and it is not possible to control, limit or transfer the risk, the insurer should cease or change the activity which creates the risk.

8.1.11

Risks, the overall assessment of risks and the related action plans should be reported to the Board and/or to Senior Management, as appropriate, using qualitative and quantitative indicators and effective action plans. The insurer’s documented risk escalation process should allow for reporting on risk issues within established reporting cycles and outside of them for matters of particular urgency.

8.1.12

The Board should have appropriate ways to carry out its responsibilities for risk oversight. The risk management policy should therefore cover the content, form and frequency of reporting that it expects on risk from Senior Management and each of the control functions. Any proposed activity that would go beyond the Board-approved risk appetite should be subject to appropriate review and require Board approval.

8.1.13

The insurer’s risk management policy should be written in a way to help employees understand their responsibilities regarding risk management. It should also reflect how the risk management system relates to the insurer’s overall corporate governance framework and its corporate culture. Regular internal communications and training within the insurer on the risk management policy and risk appetite may help in this regard.

8.1.14

For insurance groups, a risk management policy addresses the way in which the group manages risks that are material at the insurance group level, including risks that arise from the insurance group being part of a wider group. For an insurance legal entity that is part of a group, the risk management policy of that entity should address management of risks material at the entity level as well as additional risk it faces as a result of its membership in a group, which can encompass the widest group of which the insurance legal entity is a member and not only the entity’s insurance group. Within an insurance group, the head of the group and the legal entities should ensure appropriate coordination and consistency between the head of the group and the legal entities when setting the risk management policy.

8.1.15

Both the Board and Senior Management should be attentive to the need to modify the risk management system in light of changes in the insurer’s risk profile as well as other new internal or external events and/or circumstances. The risk management system should include mechanisms to incorporate new risks and new information related to risk already identified on a regular basis. The risk management system should also be responsive to the changing interests and reasonable expectations of policyholders and other stakeholders.

8.1.16

Material changes to an insurer’s risk management system should be documented and subject to approval by the Board. The reasons for the changes should be documented. Appropriate documentation should be available to internal audit, external audit and the supervisor for their respective assessments of the risk management system.

8.1.17

As part of its responsiveness to changes in the insurer’s risk profile, the risk management system should incorporate a feedback loop based on appropriate information, management processes and objective assessment. A feedback loop provides a process of assessing the effect of changes in risk leading to changes in risk management policy, risk limits and risk mitigating actions. This may help ensure that decisions made by the Board and Senior Management are implemented and their effects monitored and reported in a timely and sufficiently frequent manner.

8.1.18

Within an insurance group, there should be sufficient coordination and exchange of information between the head of the insurance group and its insurance legal entities as part of their respective feedback loops to ensure relevant changes in risk profiles can be taken into account.

CF 8.1.d
The group-wide supervisor requires the Head of the IAIG to:
  • review, at least annually, the group-wide risk management system to ensure that existing and emerging risks as well as changes in the IAIG’s structure and/or business strategy, are taken into account; and
  • identify and make the necessary modifications and improvements in a timely manner.
CF 8.1.d.1

The Head of the IAIG should assess whether a change occurring in one or more legal entities may affect the IAIG’s risk profile overall, because the impact on a group-wide basis may not be immediately apparent.

[ + ] 8.2

The supervisor requires the insurer to establish, and operate within, an effective and documented system of internal controls.

 

8.2.1

The internal controls system should ensure effective and efficient operations, adequate control of risks, prudent conduct of business, reliability of financial and non-financial information reported (both internally and externally), and compliance with laws, regulations, supervisory requirements and the insurer's internal rules and decisions. It should be designed and operated to assist the Board and Senior Management in the fulfilment of their respective responsibilities for oversight and management of the insurer. Some insurers have a designated person or function to support the advancement, coordination and/or management of the overall internal controls system on a more regular basis.

8.2.2

The internal controls system should cover all units and activities of the insurer and should be an integral part of the daily activities of an insurer. The controls should form a coherent system, which should be regularly assessed and improved as necessary. Each individual control[1] of an insurer, as well as all its controls cumulatively, should be designed for effectiveness and operate effectively.

 

[1] Individual controls may be preventive (applied to prevent undesirable outcomes) or detective (to uncover undesirable activity). Individual controls may be manual (human), automated, or a combination and may be either general or process or application specific.

8.2.3

An effective internal control system requires an appropriate control structure with control activities defined at every business unit level. Depending on the organisational structure of the insurer, business or other units should own, manage and report on risks and should be primarily accountable for establishing and maintaining effective internal control policies and procedures. Control functions should determine and assess the appropriateness of the controls used by the business or other units.  The internal audit function should provide independent assurance on the quality and effectiveness of the internal controls system.[2]

 

[2] This division of responsibilities between business, risk management and compliance and internal audit is typically referred to as the three lines of defense. The business is considered as the first line of defence, the control functions (other than internal audit) as the second line of defence, and internal audit as the third line of defence. The business is deemed to “own” the controls, and the other lines of defence are there to help ensure their application and viability. Whatever approach is used, it is important that responsibilities be clearly allocated to promote checks and balances and avoid conflicts of interest.

8.2.4
An effective internal controls system typically includes :
 
Segregation of duties and prevention of conflicts of interest
  • appropriate segregation of duties and controls to ensure such segregation is observed. This includes, amongst others, having sufficient distance between those accountable for a process or policy and those who check if for such a process or policy an appropriate control exists and is being applied. It also includes appropriate distance between those who design a control or operate a control and those who check if such a control is effective in design and operation;
  • up-to-date policies regarding who can sign for or commit the insurer, and for what amounts, with corresponding controls, such as practice that key decisions should be taken at least by two persons and the practice of double or multiple signatures. Such policies and controls should be designed, among other things, to prevent any major transaction being entered into without appropriate governance review or by anyone lacking the necessary authority and to ensure that borrowing, trading, risk and other such limits are strictly observed. Such policies should foresee a role for control functions, for example by requiring for major matters the review and sign-off by Risk Management or Compliance, and/or approval by a Board level committee;
Policies and processes
  • appropriate controls for all key business processes and policies, including for major business decisions and transactions (including intra-group transactions), critical IT functionalities, access to critical IT infrastructure by employees and related third parties, and important legal and regulatory obligations;
  • policies on training in respect of controls, particularly for employees in positions of high trust or responsibility or involved in high risk activities;
  • a centralised documented inventory of insurer-wide key processes and policies and of the controls in place in respect of such processes and policies, that also may introduce a hierarchy among the policies;
Information and communication
  • appropriate controls to provide reasonable assurance over the accuracy and completeness of the insurer’s books, records, and accounts and over financial consolidation and reporting, including the reporting made to the insurer’s supervisors;
  • adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format;
  • information processes that cover all significant activities of the insurer, including contingency arrangements;
  • effective channels of communication to ensure that all staff fully understand and adhere to the internal controls and their duties and responsibilities and that other relevant information is reaching the appropriate personnel;
  • policies regarding escalation procedures;
Monitoring and review
  • processes for regularly checking that the totality of all controls forms a coherent system and that this system works as intended; fits properly within the overall corporate governance framework of the insurer; and provides an element of risk control to complement the risk identification, risk assessment, and risk management activities of the insurer. As part of such review, individual controls are monitored and analysed periodically to determine gaps and improvement opportunities with Senior Management taking such measures as are necessary to address these; and
  • periodic testing and assessments (carried out by objective parties such as an internal or external auditor) to determine the adequacy, completeness and effectiveness of the internal controls system and its utility to the Board and Senior Management for controlling the operations of the insurer.
CF 8.2.a

The group-wide supervisor requires the Head of the IAIG to ensure that the group-wide internal controls system at the group-wide level covers, at least, the:

  • diversity and geographical reach of the activities of the IAIG;
  • intra-group transactions;
  • interconnectedness of the legal entities within the IAIG; and
  • applicable laws and regulations of the jurisdictions where the IAIG operates.
CF 8.2.b

The group-wide supervisor requires the Head of the IAIG to ensure annual testing and assessments carried out by an independent external or internal party to assess the coherence, completeness and effectiveness of the internal controls system within the IAIG and its utility to the IAIG Board and Senior Management.

8.2.5

The Board should have an overall understanding of the control environment across the various entities and businesses, and require Senior Management to ensure that for each key business process and policy, and related risks and obligations, there is an appropriate control.

8.2.6

In addition, the Board should ensure there is clear allocation of responsibilities within the insurer, with appropriate segregation, including in respect of the design, documentation, operation, monitoring and testing of internal controls. Responsibilities should be properly documented, such as in charters, authority tables, governance manuals or other similar governance documents.

8.2.7

The Board should determine which function or functions report to it or to any Board Committees in respect of the internal controls system.

8.2.8
Reporting on the internal controls system should cover matters such as:
  • the strategy in respect of internal controls (such as responsibilities, target levels of compliance to achieve, validations and implementation of remediation plans);
  • the stage of development of the internal controls system, including its scope, testing activity, and the performance against annual or periodic internal controls system goals being pursued;
  • an assessment of how the various business units are performing against internal control standards and goals;
  • control deficiencies, weaknesses and failures that have arisen or that have been identified (including any identified by the internal or external auditors or the supervisor) and the responses thereto (in each case to the extent not already covered in other reporting made to the Board); and
  • controls at the appropriate levels so as to be effective, including at the process or transactional level.
[ + ] 8.3

The supervisor requires the insurer to have effective control functions with the necessary authority, independence and resources.

8.3.1

As part of the effective systems of risk management and internal controls, insurers have control functions, including for risk management, compliance, actuarial matters and internal audit. Control functions add to the governance checks and balances of the insurer and provide the necessary assurance to the Board in the fulfilment of its oversight duties.

CF 8.3.a

The group-wide supervisor requires the Head of the IAIG to ensure that:

  • the tasks and responsibilities of the group-wide control functions, whether located at the level of the Head of the IAIG or within another legal entity of the IAIG, are clearly defined; and
  •  these group-wide control functions do not duplicate, limit or restrict the tasks and responsibilities of control functions at the insurance legal entity level.
CF 8.3.b

The group-wide supervisor requires the Head of the IAIG to ensure that the group-wide control functions:

  • coordinate with the control functions at the insurance legal entity level; and
  • ensure effective group-wide management reporting.
8.3.2

The existence of control functions does not relieve the Board or Senior Management of their respective governance and related responsibilities.

8.3.3

The control functions should be subject to periodic review either by the internal audit function (for control functions other than internal audit) or an objective external reviewer.

8.3.4

The appointment, performance assessment, remuneration, discipline and dismissal of the head of control functions should be done with the approval of, or after consultation with, the Board or the relevant Board committee. For the head of the internal audit function, the appointment, performance assessment, remuneration, discipline and dismissal should be done by the Board, its Chair or the Audit Committee.

8.3.5

The insurer should notify the supervisor of the reasons for dismissals of heads of control functions.

8.3.6

The Board should approve the authority and responsibilities of each control function to allow each control function to have the authority and independence necessary to be effective.

8.3.7

The authority and responsibilities of each control function should be set out in writing and made part of, or referred to in, the governance documentation of the insurer. The head of each control function should periodically review such document and submit suggestions for any changes to Senior Management and the Board for approval, where appropriate.

8.3.8

A control function should be led by a person of appropriate level of authority. The head of the control function should not have operational business line responsibilities.

8.3.9

Insurers should organise each control function and its associated reporting lines into the insurer’s organisational structure in a manner that enables such function to operate and carry out their roles effectively. This includes direct access to the Board or the relevant Board committee.

8.3.10
Notwithstanding the possibility for insurers to combine certain control functions, a control function should be sufficiently independent from Senior Management and from other functions to allow its staff to:
  • serve as a component of the insurer’s checks and balances;
  • provide an objective perspective on strategies, issues, and potential violations related to their areas of responsibility; and
  • implement or oversee the implementation of corrective measures where necessary.
8.3.11

Each control function should avoid conflicts of interest. Where any conflicts remain and cannot be resolved with Senior Management, these should be brought to the attention of the Board for resolution.

8.3.12

Each control function should have the authority to communicate on its own initiative with any employee and to have unrestricted access to information in any business unit that it needs to carry out its responsibilities. The control functions should have the right to conduct investigations of possible breaches and to request assistance from specialists within the insurer, eg legal and internal audit, or engage external specialists to perform the task. The control functions should be free to report to Senior Management or the Board on any irregularities or possible breaches disclosed by its investigations, without fear of retaliation or disfavour from management.

8.3.13

Each control function should have the resources necessary to fulfil its responsibilities and achieve the specific goals in its areas of responsibility. This includes qualified staff and appropriate IT/management information processes. The function should be organised in an appropriate manner to achieve its goals.

8.3.14

The head of each control function should review regularly the adequacy of the function's resources and request adjustments from Senior Management as necessary. Where the head of a control function has a major difference of opinion with Senior Management on the resources needed, the head of the control function should bring the issue to the Board or relevant Board Committee for resolution.

8.3.15

Persons who perform control functions should be suitable for their role and meet any applicable professional qualifications and standards. Higher expectations apply to the head of each control function. Persons who perform control functions should receive regular training relevant to their role to remain up to date on the developments and techniques related to their areas of responsibility.

8.3.16
The Board should grant the head of each control function the authority and responsibility to report periodically to it or one of its committees. The Board should determine the frequency and depth of such reporting so as to permit timely and meaningful communication and discussion of material matters. The reporting should include, among other things:
  • information as to the function’s strategy and longer term goals and the progress in achieving these;
  • annual or other periodic operational plans describing shorter term goals and the progress in achieving these; and
  • resources (such as personnel, budget, etc.), including an analysis on the adequacy of these resources.
8.3.17

In addition to periodic reporting, the head of each control function should have the opportunity to communicate directly and to meet periodically (without the presence of management) with the Chair of any relevant Board committee (eg Audit or Risk Committee) and/or with the Chair of the full Board. The Board should periodically assess the performance of each control function. This may be done by the full Board, by the Chair of the Board, by the relevant Board committee or by the Chair of the relevant Board committee.

CF 8.3.c

The group-wide supervisor requires the IAIG Board to ensure that the group-wide control functions:

  • are not combined, unless exceptional circumstances apply;
  • are subject to periodic review either by the group-wide internal audit function (for control functions other than internal audit) or an independent external party;
  • have unrestricted access and periodically report to the IAIG Board or one of its committees; and ​have access to people and information, on a group-wide or legal entity level, to carry out their responsibilities.
CF 8.3.c.1

The group-wide supervisor should assess on a case-by-case basis whether the exceptional circumstances justify a combination of group-wide control functions on a time-limited basis.

CF 8.3.c.2
When assessing whether to allow for a combination of group-wide control functions, the group-wide supervisor should consider at least whether:
  • the combination would give rise to potential conflicts of interest and how they could be resolved – either for affected individuals and/or the combined group-wide control functions (for example, where one group-wide control function has responsibilities for reviewing another);
  • the individuals in charge of combined group-wide control functions would have the necessary availability or resources to perform efficiently the tasks related to both functions; and
  • the combined group-wide control functions would undermine the ability of either function to fulfil its responsibilities in assisting the IAIG Board and Senior Management in maintaining adequate oversight across the IAIG. This risk is likely to be greater where control functions across different lines of defence are combined.
[ + ] 8.4
The supervisor requires the insurer to have an effective risk management function capable of assisting the insurer to:
  • identify, assess, monitor, mitigate and report on its key risks in a timely way; and
  • promote and sustain a sound risk culture.
8.4.1

A robust risk management function that is well positioned, resourced and properly authorised and staffed is an essential element of an effective risk management system. Within some insurers, and particularly at larger or more complex ones, the risk management function is typically led by a Chief Risk Officer.

8.4.2
The risk management function should have access and provide written reports to the Board as required by the Board, typically on matters such as:
  • an assessment of risk positions and risk exposures and steps being taken to manage them;
  • an assessment of changes in the insurer’s risk profile relative to risk appetite;
  • where appropriate, an assessment of pre-defined risk limits;
  •  where appropriate, risk management issues resulting from strategic affairs such as corporate strategy, mergers and acquisitions and major projects and investments;
  • an assessment of risk events and the identification of appropriate remedial actions.
 
8.4.3

The head of the risk management function should have the authority and obligation to inform the Board promptly of any circumstance that may have a material effect on the risk management system of the insurer.

8.4.4
The risk management function should establish, implement and maintain appropriate mechanisms and activities including to:
  • assist the Board and Senior Management in carrying out their respective responsibilities, including by providing specialist analyses and performing risk reviews;
  • identify the individual and aggregated risks (actual, emerging and potential) the insurer faces;
  • assess, aggregate, monitor and help manage and otherwise address identified risks effectively; this includes assessing the insurer’s capacity to absorb risk with due regard to the nature, probability, duration, correlation and potential severity of risks;
  • gain and maintain an aggregated view of the risk profile of the insurer both at a legal entity and/or group-wide level;
  • establish a forward-looking assessment of the risk profile;
  • evaluate the internal and external risk environment on an ongoing basis in order to identify and assess potential risks as early as possible. This may include looking at risks from different perspectives, such as by territory or by line of business;
  • consider risks arising from remuneration arrangements and incentive structures;
  • conduct regular stress testing and scenario analyses as defined in ICP 16 (Enterprise Risk Management for Solvency Purposes);
  • regularly provide written reports to Senior Management, Key Persons in Control Functions and the Board on the insurer's risk profile and details on the risk exposures facing the insurer and related mitigation actions as appropriate;
  • document and report material changes affecting the insurer’s risk management system to the Board to help ensure that the system is maintained and improved; and
  • conduct regular self-assessments and implement or monitor the implementation of any needed improvements.
CF 8.4.a
The group-wide supervisor requires the Head of the IAIG to ensure that the group-wide risk management function, at least:
  • coordinates and monitors consistent and effective implementation of risk management mechanisms and activities at the group-wide level and at the legal entity level;
  • sets out expectations relating to the group-wide responsibilities and reporting of the risk management function of each legal entity within the IAIG, as applicable;
  • sets policies and processes for effective interaction between the risk management functions of the Head of the IAIG and of the legal entities within the IAIG;
  • assesses the group-wide risk management strategy, which is approved by the IAIG Board, and ensures that this risk management strategy, including supporting processes, is implemented at the group-wide level;
  • annually plans and conducts an assessment of risks at the group-wide level, including those that arise from the legal entity and material business line level; and
  • provides at least quarterly risk management reports to the IAIG Board or one of its committees.
CF 8.4.b

The group-wide supervisor requires the group-wide risk management function to be independent from risk taking activities.

[ + ] 8.5

The supervisor requires the insurer to have an effective compliance function capable of assisting the insurer to i) meet its legal, regulatory and supervisory obligations and ii) promote and sustain a compliance culture, including through the monitoring of related internal policies.

8.5.1

The compliance function has a broader role than merely monitoring compliance with laws, regulations and supervisory requirements; monitoring compliance with internal policies and promoting and sustaining a compliance culture within the insurer are equally important aspects of this control function.

8.5.2

Compliance starts at the top. The Board is ultimately responsible for establishing standards for honesty and integrity throughout the insurer and for creating an effective corporate culture that emphasises them. This should include a code of conduct or other appropriate mechanism as evidence of the insurer’s commitment to comply with all applicable laws, regulations, supervisory requirements and internal policies, and conduct its business ethically and responsibly.

8.5.3

As part of this commitment, the insurer has in place a robust and well positioned, resourced and properly authorised and staffed compliance function. Within some insurers, particularly larger or more complex ones, such a function is typically led by a Chief Compliance Officer.

8.5.4
The compliance function should have access and provide written reports to Senior Management, Key Persons in Control Functions and the Board on matters such as:
  • an assessment of the key compliance risks the insurer faces and the steps being taken to address them;
  • an assessment of how the various parts of the insurer (eg divisions, major business units, product areas) are performing against compliance standards and goals;
  • any compliance issues involving management or persons in positions of major responsibility within the insurer, and the status of any associated investigations or other actions being taken;
  • material compliance violations or concerns involving any other person or unit of the insurer and the status of any associated investigations or other actions being taken; and
  • material fines or other disciplinary actions taken by any regulator or supervisor in respect of the insurer or any employee.
8.5.5

The head of the compliance function should have the authority and obligation to inform promptly the Chair of the Board directly in the event of any major non-compliance by a member of management or a material non-compliance by the insurer with an external obligation if in either case he or she believes that Senior Management or other persons in authority at the insurer are not taking the necessary corrective actions and a delay would be detrimental to the insurer or its policyholders.

8.5.6
The compliance function should establish, implement and maintain appropriate mechanisms and activities including to:
  • promote and sustain an ethical corporate culture that values responsible conduct and compliance with internal and external obligations; this includes communicating and holding training on an appropriate code of conduct or similar that incorporates the corporate values of the insurer, aims to promote a high level of professional conduct and sets out the key conduct expectations of employees;
  • identify, assess, report on and address key legal and regulatory obligations, including obligations to the insurer’s supervisor, and the risks associated therewith; such analyses should use risk and other appropriate methodologies;
  • ensure the insurer monitors and has appropriate policies, processes and controls in respect of key areas of legal, regulatory and ethical obligation;
  • hold regular training on key legal and regulatory obligations particularly for employees in positions of high responsibility or who are involved in high risk activities;
  • facilitate the confidential reporting by employees of concerns, shortcomings or potential or actual violations in respect of insurer internal policies, legal or regulatory obligations, or ethical considerations; this includes ensuring there are appropriate means for such reporting;
  • address compliance shortcomings and violations, including ensuring that adequate disciplinary actions are taken and any necessary reporting to the supervisor or other authorities is made; and
  • conduct regular self-assessments of the compliance function and the compliance processes and implement or monitor needed improvements. 
CF 8.5.a

The group-wide supervisor requires the Head of the IAIG to ensure that the group-wide compliance function at least:

  • coordinates and monitors consistent and effective implementation of compliance mechanisms and activities at the group-wide level and at the legal entity level;
  • sets appropriate policies and processes regarding the legal and regulatory obligations of the IAIG and its legal entities;
  • assesses the material legal and regulatory obligations and compliance risks of the IAIG, and the steps being taken to fulfil or address them, at least annually and as required by the Board;
  • supports the IAIG Board in fostering an effective corporate culture throughout the IAIG;
  • assesses how the IAIG itself is, and the legal entities within the IAIG are, performing against group-wide compliance standards and goals; and
  • provides at least quarterly written reports on its activities to the IAIG’s Board or one of its committees.
[ + ] 8.6

The supervisor requires the insurer to have an effective actuarial function capable of evaluating and providing advice regarding, at least, technical provisions, premium and pricing activities, capital adequacy, reinsurance and compliance with related statutory and regulatory requirements.

8.6.1

A robust actuarial function that is well positioned, resourced and properly authorised and staffed is essential for the proper operation of the insurer. It plays a key role as part of the insurer’s overall systems of risk management and internal controls.

8.6.2
The actuarial function should have access to and periodically report to the Board on matters such as:
  • any circumstance that may have a material effect on the insurer from an actuarial perspective;
  • the adequacy of the technical provisions and other liabilities;
  • distribution of profits to participating policyholders;
  • stress testing and capital adequacy assessment with regard to the prospective solvency position of the insurer; and
  • any other matters as determined by the Board.
8.6.3

Written reports on actuarial evaluations should be made to the Board, Senior Management, or other Key Persons in Control Functions or the supervisor as necessary or appropriate or as required by legislation.

8.6.4
The actuarial function evaluates and provides advice to the insurer on matters including:
  • the insurer’s insurance liabilities, including policy provisions and aggregate claim liabilities, as well as determination of reserves for financial risks;
  • asset liability management with regard to the adequacy and the sufficiency of assets and future revenues to cover the insurer’s obligations to policyholders and capital requirements, as well as other obligations or activities;
  • the insurer’s investment policies and the valuation of assets;
  • an insurer’s solvency position, including a calculation of minimum capital required for regulatory purposes and liability and loss provisions;
  • an insurer’s prospective solvency position by conducting capital adequacy assessments and stress tests under various scenarios, and measuring their relative impact on assets, liabilities, and actual and future capital levels;
  • risk assessment and management policies and controls relevant to actuarial matters or the financial condition of the insurer;
  • the fair treatment of policyholders with regard to distribution of profits awarded to participating policyholders;
  • the adequacy and soundness of underwriting policies;
  • the development, pricing and assessment of the adequacy of reinsurance arrangements;
  • product development and design, including the terms and conditions of insurance contracts and pricing, along with estimation of the capital required to underwrite the product;
  • the sufficiency, accuracy and quality of data, the methods and the assumptions used in the calculation of technical provisions;
  • the research, development, validation and use of internal models for internal actuarial or financial projections, or for solvency purposes as in the ORSA; and
  • any other actuarial or financial matters determined by the Board.
8.6.5

Where required, the actuarial function may also provide to the supervisor certifications on the adequacy, reasonableness and/or fairness of premiums (or the methodology to determine the same) and certifications or statements of actuarial opinion.

8.6.6

The supervisor should clearly define when such certifications or statements of actuarial opinion need to be submitted to the supervisor. When these are required to be submitted, the supervisor should also clearly define both the qualifications of those permitted to certify or sign such statements and the minimum contents of such an opinion or certification.

CF 8.6.a
The group-wide supervisor requires the Head of the IAIG to ensure that the group-wide actuarial function performs an overview of the group-wide actuarial activities, functions and risks emanating from insurance legal entities within the IAIG. This overview includes, at least:
  • risk assessment and management policies and controls relevant to govern the activities of the group-wide actuarial function or financial condition;
  • actuarial concerns related to any insurance legal entity within the IAIG, or the IAIG as a whole, as applicable;
  • the IAIG’s solvency position, based on calculations of group-wide regulatory capital requirements and technical provisions;
  • the IAIG’s prospective solvency position, based on capital adequacy assessments and stress tests, under various scenarios, and their relative impact on assets, liabilities, and actual and future capital levels;
  • the adequacy of the IAIG’s reinsurance arrangements; and
  • actuarial-related risk modelling in the IAIG’s Own Risk and Solvency Assessment (ORSA) and use of internal models.
CF 8.6.b
The group-wide supervisor requires the Head of the IAIG to ensure that the group-wide actuarial function:
  • works with the actuarial functions at the insurance legal entity level to review actuarial information; and
  • provides independent advice and at least annually reports to the IAIG Board or one of its committees on the insurance activities and risks posed to the IAIG.
8.6.7

Some jurisdictions may require an “appointed actuary”, “statutory actuary”, or “responsible actuary” (referred to here as an “Appointed Actuary”) to perform certain functions, such as determining or providing advice on an insurer’s compliance with regulatory requirements for certifications or statements of actuarial opinion. The tasks and responsibilities of the Appointed Actuary should be clearly defined and should not limit or restrict the tasks and responsibilities of other individuals performing actuarial functions.

8.6.8

The insurer should be required to report the Appointed Actuary’s appointment to the supervisor.

8.6.9

The Appointed Actuary should not hold positions within or outside of the insurer that may create conflicts of interest or compromise his or her independence. If the Appointed Actuary is not an employee of the insurer, the Board should determine whether the external actuary has any potential conflicts of interest, such as if his or her firm also provides auditing or other services to the insurer. If any such conflicts exist, the Board should subject them to appropriate controls or choose another Appointed Actuary.

8.6.10

If an Appointed Actuary is replaced, the insurer should notify the supervisor and give the reasons for the replacement. In some jurisdictions, such a notification includes statements from both the insurer and the former Appointed Actuary as to whether there were any disagreements with the former Appointed Actuary over the content of the actuary’s opinion on matters of risk management, required disclosures, scopes, procedures, or data quality, and whether or not any such disagreements were resolved to the former Appointed Actuary’s satisfaction.

8.6.11

In some jurisdictions, the Appointed Actuary also has the obligation to notify the supervisor if he or she resigns for reasons connected with his or her duties as an Appointed Actuary or with the conduct of the insurer’s business and give the reasons for resigning. The Appointed Actuary should also notify the supervisor and provide an explanation if his or her appointment is revoked by the insurer.

8.6.12

The supervisor should have the authority to require an insurer to replace an Appointed Actuary when such person fails to adequately perform required functions or duties, is subject to conflicts of interest or no longer meets the jurisdiction’s eligibility requirements.

[ + ] 8.7

The supervisor requires the insurer to have an effective internal audit function capable of providing the Board with independent assurance in respect of the quality and effectiveness of the insurer’s corporate governance framework.

8.7.1

One of the oversight roles of the Board is to ensure that the information provided by the internal audit function allows the Board to effectively validate the effectiveness of the internal control system.

8.7.2
The internal audit function should provide independent assurance to the Board through general and specific audits, reviews, testing and other techniques in respect of matters such as:
  • the overall means by which the insurer preserves its assets and those of policyholders, and seeks to prevent fraud, misappropriation or misapplication of such assets;
  • the reliability, integrity and completeness of the accounting, financial and risk reporting information, as well as the capacity and adaptability of IT architecture to provide that information in a timely manner to the Board and Senior Management;
  • the design and operational effectiveness of the insurer’s individual controls in respect of the above matters, as well as of the totality of such controls (the internal controls system);
  • other matters as may be requested by the Board, Senior Management, the supervisor or the external auditor; and
  • other matters which the internal audit function determines should be reviewed to fulfil its mission, in accordance with its charter, terms of reference or other documents setting out its authority and responsibilities.
8.7.3

To help ensure objectivity, the internal audit function is independent from management and other control functions and is not involved operationally in the business. The internal audit function’s ultimate responsibility is to the Board, not management. To help ensure independence and objectivity, the internal audit function should be free from conditions that threaten its ability to carry out its responsibilities in an unbiased manner. In carrying out its tasks, the internal audit function forms its judgments independently. If necessary, the internal audit function should consider the need to supplement its own assessment with third party expertise in order to make objective and independent decisions.

8.7.4
The Board should grant suitable authority to the internal audit function, including the authority to:
  • access and review any records or information of the insurer which the internal audit function deems necessary to carry out an audit or other review;
  • undertake on the internal audit function’s initiative a review of any area or any function consistent with its mission;
  • require an appropriate management response to an internal audit report, including the development of a suitable remediation, mitigation or other follow-up plan as needed; and
  • decline doing an audit or review, or taking on any other responsibilities requested by management, if the internal audit function believes this is inconsistent with its mission or with the strategy and audit plan approved by the Board. In any such case, the internal audit function should inform the Board or the Audit Committee and seek their guidance.
8.7.5
The head of the internal audit function reports to the Board (or to any member who is not part of the management) or to the Audit Committee if one exists (or its Chair). In its reporting, the internal audit function should cover matters such as:
  • the function’s annual or other periodic audit plan, detailing the proposed areas of audit focus, and any significant modifications to the audit plan;
  • any factors that may be adversely affecting the internal audit function’s independence, objectivity or effectiveness;
  • material findings from audits or reviews conducted; and
  • the extent of management's compliance with agreed upon corrective or risk mitigating measures in response to identified control deficiencies, weaknesses or failures, compliance violations or other lapses.
8.7.6

In addition to periodic reporting, the head of internal audit should be authorised to communicate directly, and meet periodically, with the head of the Audit Committee or the Chair of the Board without management present.

8.7.7
The audit function should carry out such activities as are needed to fulfil its responsibilities. These activities include:
  • establishing, implementing and maintaining a risk-based audit plan to examine and evaluate alignment of the insurer's processes with their risk culture;
  • monitoring and evaluating the adequacy and effectiveness of the insurer’s policies and processes and the documentation and controls in respect of these, on a legal entity and group-wide basis and on an individual subsidiary, business unit, business area, department or other organisational unit basis;
  • reviewing levels of compliance by employees, organisational units and third parties with laws, regulations and supervisory requirements, established policies, processes and controls, including those involving reporting;
  • evaluating the reliability, integrity and effectiveness of management information processes and the means used to identify, measure, classify and report such information;
  • monitoring that identified risks are effectively addressed by the internal control system;
  • evaluating the means of safeguarding insurer and policyholder assets and, as appropriate, verifying the existence of such assets and the required level of segregation in respect of insurer and policyholder assets;
  • monitoring and evaluating the effectiveness of the insurer's control functions, particularly the risk management and compliance function; and
  • coordinating with the external auditors and, to the extent requested by the Board and consistent with applicable law, evaluating the quality of performance of the external auditors.
8.7.8
In carrying out the above tasks, the internal audit function should ensure all material areas of risk and obligation of the insurer are subject to appropriate audit or review over a reasonable period of time. Among these areas are those dealing with:
  • market, underwriting, credit, liquidity, operational, conduct of business, as well as reputational issues derived from exposure to those risks;
  • accounting and financial policies and whether the associated records are complete and accurate;
  • extent of compliance by the insurer with applicable laws, regulations and supervisory requirements from all relevant jurisdictions;
  • intra-group transactions, including intra-group risk transfer and internal pricing;
  • adherence by the insurer to the insurer’s remuneration policy;
  • the reliability and timeliness of escalation and reporting processes, including whether there are confidential means for employees to report concerns or violations and whether these are properly communicated, offer the reporting employee protection from retaliation, and result in appropriate follow up; and
  • the extent to which any non-compliance with internal policies or external legal or regulatory obligations is documented and appropriate corrective or disciplinary measures are taken including in respect of individual employees involved.
8.7.9

Subject to applicable laws on record retention, the internal audit function should keep records of all areas and issues reviewed so as to provide evidence of these activities over time.

CF 8.7.a
The group-wide supervisor requires the IAIG Board to ensure that the group-wide internal audit function provides independent assessment and assurance to the IAIG Board regarding, at least, the:
  • group-wide policies, processes, and controls;
  • overall means by which the IAIG preserves its assets, and those of policyholders, and seeks to prevent fraud, misappropriation or misapplication of such assets;
  • reliability, integrity and completeness of the accounting, financial, management, information technology systems and risk reporting information;
  • capacity and adaptability of information technology systems to provide information in an accurate and timely manner to the IAIG Board and Senior Management; and
  • design and operational effectiveness of the group-wide risk management and internal controls systems, both individually and overall.
CF 8.7.a.1

The group-wide internal audit function coordinates with the internal audit functions and external auditors of the legal entities within the IAIG when providing assessment and assurance to the IAIG Board.

[ + ] 8.8

The supervisor requires the insurer to retain at least the same degree of oversight of, and accountability for, any outsourced material activity or function (such as a control function) as applies to non-outsourced activities or functions.

8.8.1

Outsourcing should not materially increase risk to the insurer or materially adversely affect the insurer’s ability to manage its risks and meet its legal and regulatory obligations.

8.8.2

The Board and Senior Management remain responsible in respect of functions or activities that are outsourced.

8.8.3

The supervisor should require the Board to have review and approval processes for outsourcing of any material activity or function and to verify, before approving, that there was an appropriate assessment of the risks, as well as an assessment of the ability of the insurer’s risk management and internal controls to manage them effectively in respect of business continuity. The assessment should take into account to what extent the insurer’s risk profile and business continuity could be affected by the outsourcing arrangement.

8.8.4

The supervisor should require insurers which outsource any material activity or function to have in place an appropriate policy for this purpose, setting out the internal review and approvals required and providing guidance on the contractual and other risk issues to consider. This includes considering limits on the overall level of outsourced activities at the insurer and on the number of activities that can be outsourced to the same service provider. Because of the particularly important role that control activities and control functions play in an insurer’s corporate governance framework, the supervisor should consider issuing additional requirements for their outsourcing or dedicating more supervisory attention to any such outsourcing.

8.8.5
Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties. When entering into or varying an outsourcing arrangement, the Board and Senior Management should consider, among other things:
  • how the insurer’s risk profile and business continuity will be affected by the outsourcing;
  • the service provider’s governance, risk management and internal controls and its ability to comply with applicable laws and regulations;
  • the service providers’ service capability and financial viability; and
  • succession issues to ensure a smooth transition when ending or varying an outsourcing arrangement.
8.8.6

In choosing an outsourcing provider, the Board or Senior Management should be required to satisfy themselves as to the expertise, knowledge and skills of such provider.

8.8.7

Outsourcing arrangements should be subject to periodic reviews. Periodic reports should be made to management and the Board.

CF 8.8.a

The group-wide supervisor requires the Head of the IAIG to have:

  • a policy which takes into account the potential impact on the IAIG of outsourcing of any material group-wide activity or function, sets out the internal review and approvals required, and provides guidance on the contractual and other risk issues to consider; and
  • written contracts that describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.
CF 8.8.b

When choosing a service provider (either internal or external) for a material group-wide activity or function that is to be outsourced, the group-wide supervisor requires the Head of the IAIG to:

  • assess the potential service provider’s ability and capacity to deliver the outsourced activities or functions;
  • perform due diligence on the service provider with respect to explicit or potential conflicts of interest that would jeopardise the fulfilment of the needs of the IAIG; and
  • ensure that the service provider has the necessary resources to perform the outsourced activities or functions in a proper and reliable way, as well as adequate contingency plans in place to deal with emergency situations or business disruptions.
CF 8.8.b.1

Activities or functions may be outsourced to an internal service provider (ie a legal entity which is part of the IAIG) or an external service provider. In the case of an internal service provider, the assessment and due diligence process may be different from the case of an external service provider. For example, if the internal service provider has already been assessed recently, some aspects of the assessment may not need to be repeated. Even though the assessment process used may vary between an internal or external service provider, it should be equally robust.

CF 8.8.c

The group-wide supervisor requires the Head of the IAIG to ensure that outsourcing (either internal or external) of a group-wide activity or function does not impede effective supervision of the Head of the IAIG.

CF 8.8.d

The group-wide supervisor requires the Head of the IAIG to carry out a periodic review of the cumulative risks of outsourced activities and functions and address identified risks.