7. Duties Related to Risk Management and Internal Controls

C 24/2022 STA
1. The Board approved Risk Governance Framework must incorporate a “three lines of defense” approach including Senior Management of the business lines, the functions of risk management, actuarial and compliance, and an independent and effective internal audit function. In the case of a Takaful Company, independent and effective internal Shari`ah Control and internal audit functions must be in place.
 
2. The Risk Governance Framework may vary with the specific circumstances of the Company, particularly its risk profile, size, business mix and complexity. Companies must incorporate the minimum requirements specified in the Central Bank Regulations and Standards on risk management and internal controls.
 
3. The internal controls framework must contain the following elements, at a minimum:

a. Empowering Senior Management according to the organisational structure, commensurate to the nature of the Company, which clearly defines lines of communication and responsibilities for each unit in the Company.

b. Segregation of duties, along with separation between managing risks and supervising the management of such risks.

c. Written procedures accredited by the Board for applying and reviewing information technology strategies, in a manner that guarantees the provision of information to decision makers in a timely manner, along with a crisis management strategy.
 
4. A Company shall set up a documented internal control system approved by its Board in line with the Company’s business and volume, and it shall be supported by information systems that ensure the accuracy of such information. This system shall be reviewed periodically by the internal audit, external audit and actuarial auditors to ensure its compliance with the legal framework in force and to assess its effectiveness and adequacy.
 
5. The internal auditor shall assess the effectiveness and adequacy of the internal controls system and the Company’s operations, to make sure that the Company operates in compliance with the legal framework and within the strategic objectives of the Company. A report in this regard along with the relevant recommendations must be submitted to the audit committee.
 
6. Governance requirements for risk management and internal controls are contained in separate Regulations issued by the Central Bank.