| 1. | The Risk Management system must address the following:
| a. | Identification:
| 1. | All reasonably foreseeable and relevant material risks are taken into consideration.
| | 2. | New activities and products must be subject to risk review and must be approved by the Board, including strategic affairs, such as corporate strategy, mergers, acquisitions, major projects and investments.
|
| | b. | Assessment:
| 1. | Qualitative and quantitative assessments of all reasonably foreseeable and relevant material risks and risk interdependencies for risk and capital management.
| | 2. | Quantification of risk and risk interdependencies using appropriate tools under a sufficiently wide range of techniques for risk and capital management.
| | 3. | As necessary, include the results of Stress Testing to assess the resilience of the Company's total balance sheet against severe but plausible stresses including considerations of macroeconomic stresses.
|
| | c. | Monitoring:
| | | Early warning indicators that enable the appropriate response to all identified material risks. This shall reflect the relationship between the Company's Risk Appetite, Risk Limits, regulatory capital requirements, economic capital and the processes and methods for monitoring risk. A Company must have its own view on how much capital it needs over and above the regulatory capital to fulfill its wider economic needs and manage risks.
| | d. | Mitigation:
| 1. | Strategies and tools are in place to mitigate material risks.
| | 2. | The Company must reduce or control material risks to within Risk Appetite and Risk Limits, or transfer to/share with a third party.
| | 3. | If a Company cannot mitigate or control the risk, then it must cease or change the activity.
|
| | e. | Reporting:
| 1. | Risks and assessments must be reported to the Board using qualitative and quantitative indicators, including ORSA along with effective action plans, at least annually.
| | 2. | The Board is ultimately responsible for risk oversight. The Risk Management policy covers the frequency of reporting. Any deviation from Risk Appetite is subject to Board review and approval.
|
| | f. | Risk Management policies:
| 1. | Must enable Staff to understand their risk responsibilities.
| | 2. | Must explain the relationship between the Risk Management system and how it addresses risks according to the insurer's Risk Appetite and Risk Limits, and the overall corporate governance framework.
| | 3. | Must outline how relevant material risks are managed.
| | 4. | On-going communication and training on risk policies must be conducted.
|
|
|
| 2. | Groups must adopt a strong and consistent Risk Management and compliance culture across the Group and at the entity levels. Coordination between the Group and the Company is required to ensure the overall effectiveness of Risk Management and Internal Controls.
|
| 3. | The Risk Appetite statement is a written articulation of the aggregate level and types of risk that a Company is willing to accept or avoid in order to achieve its business objectives. At a minimum, it must include the following:
| | | a. | For each material risk, the maximum level of risk that the Company is willing to operate within, expressed as a limit in terms of:
| 1. | Quantitative measures expressed relative to earnings, capital, liquidity and other relevant measures as appropriate.
| | 2. | Qualitative statements or limits, as appropriate, particularly for reputation, compliance and legal risks.
|
| | b. | Delineation of any categories of risk that the Company is not prepared to assume.
| | c. | The process for ensuring that the Risk Limits are set at an appropriate level for each risk, considering both the probability of loss and the magnitude of loss in the event that each material risk is realised.
| | d. | The process for monitoring compliance with each Risk Limit and for taking appropriate action in the event that they are breached.
| | e. | The timing and process for review of the Risk Appetite and Risk Limits.
| | f. | Quantitative Risk Limits and metrics must include, but not be limited to:
| 1. | Capital targets beyond regulatory requirements, such as economic capital or capital-at-risk;
| | 2. | Various liquidity ratios and survival horizons;
| | 3. | Earnings volatility;
| | 4. | Value at risk;
| | 5. | Risk concentrations by internal or external rating;
| | 6. | Expected loss, expense, commission and/or combined ratios;
| | 7. | Economic value added; and
| | 8. | Stressed targets of capital, liquidity and earnings.
| | 9. | Underwriting risk, including growth and renewal rates of business, risk retention, balance between lines of business, premium rate adequacy versus technical rates, and claim settlement.
| | 10. | Credit risk, including credit quality of reinsurers, credit quality of investment assets and receivable delay management.
| | 11. | Investment risk, including asset allocations to achieve adequate diversification and target investment returns. This must be linked to the asset-liability management (ALM) policy and investment policy which specifies the nature, role and extent of ALM activities and their relationship with product development, pricing and investment management.
| | 12. | Operational risk, including consideration of risks arising from people, systems, processes as well as cyber security.
|
|
|
|
| 4. | The Risk Management system must include risk policies that cover at least the following areas:
| | | a. | Credit risk;
| | b. | Balance sheet and market risk (including investment, asset-liability management, liquidity and derivatives risks);
| | c. | Reserving risk;
| | d. | Insurance risk (including underwriting, product design, pricing and claims settlement risks);
| | e. | Reinsurance risk;
| | f. | Operational risk (including business continuity, outsourcing, fraud, technology, legal and project management risks);
| | g. | Concentration risk; and
| | h. | Group risk.
|
|
|