
2. Systems of Risk Management and Internal Controls

1. A Company must establish, implement and maintain systems of Risk Management and Internal Controls that enable it to identify, assess, measure, monitor, control, mitigate and report on risk. Systems of Risk Management and Internal Controls will vary with the specific circumstances of the Company, particularly the Risk Profile, nature, scale and complexity of its business and structure.
 
2. The Board is responsible for the implementation of an effective Risk Culture and Internal Controls across the Company and its Subsidiaries, Affiliates and international branches, where applicable. The Board-approved systems of Risk Management and Internal Controls must incorporate a "three lines of defense" approach, with the business lines as the first line; the Control Functions of Risk Management, compliance and actuarial as the second line; and an independent and effective internal audit function as the third line.
 
a. Business line management - must take responsibility for the identification and control of risks. The business line management must:

1. Manage and identify risks arising from the activities of the business line;

2. Ensure that activities are within the Company's Risk Appetite, Risk Management policies and limits;

3. Design, implement and maintain an effective system of Internal Controls; and

4. Monitor and report on business line risks.
 
b. Risk Management, actuarial and compliance functions - must take responsibility for setting standards and challenging business lines. The following must be adhered to:

1. The Risk Management function must establish Company-wide, or if applicable, Group-wide risk and control strategies and policies, provide oversight and independent challenge of business lines' accountabilities, develop and communicate risk and control procedures, and monitor and report on compliance with Risk Appetite, policies and Risk Limits.

2. The Compliance function must assess Company-wide adherence to requirements, develop and communicate compliance policies and procedures, measure, monitor and report on compliance with Central Bank laws and other relevant laws, corporate governance and Internal Controls rules, Regulations and policies to which the Company is subject.

3. The actuarial function must provide advice on technical provisions, premium and pricing activities, capital adequacy, reinsurance and compliance with related statutory and regulatory requirements, at a minimum.
 
c. Internal audit function - has the duty of providing independent assurance. The function is responsible for the following matters, at a minimum:

1. Independently assess the effectiveness and efficiency of the Internal Controls, Risk Management and governance systems and processes.

2. Independently assess the effectiveness of business line management in fulfilling their mandates and managing risks.
 
3. The Risk Management and Internal Controls systems must be comprised of the following at a minimum:

a. Strategies setting out the approach of the Company to dealing with specific areas of risk and regulatory obligations in accordance with the Company's nature, Risk Profile, scale and complexity.

b. Policies defining the procedures and other requirements that members of the Board and Staff need to follow in order to ensure consistency in approach.

c. Process for the implementation of the Company's strategies and policies in order to ensure completeness in approach.

d. Controls to ensure that strategies, policies and processes are in fact in place, are being observed and are attaining their intended objectives in order to ensure adequacy and appropriateness in approach.