Article (3): Effective Risk Management System

C 25/2022 Effective from 30/12/2022
1. A Company's Risk Management system must be designed to operate at all levels to allow for the identification, assessment, monitoring, measuring, controlling, reporting and mitigating of all risks of the Company in a timely manner. It must take into account the probability, potential impact and time horizons of risk. An effective Risk Management system must include the following elements:

a. A documented Risk Management strategy, including a clearly defined Risk Appetite statement that is Board-approved, which must be in line with the Company's business activities.

b. Allocation of responsibilities for managing risks.

c. A documented process for the Board's approval for any deviation from the Risk Appetite.

d. Policies containing all material risks that the Company is exposed to and the levels of acceptable Risk Limits. The policies describe the obligations of Staff members in dealing with risk, including risk escalation and risk mitigation tools.

e. Processes and tools including Stress Testing, scenario analysis and Models for identifying, assessing, measuring, monitoring, controlling, reporting and mitigating risks, along with contingency plans.

f. Regular reviews of the Risk Management system.

g. An effective Risk Management function.
 
2. The Risk Management system must cover, at a minimum, underwriting, reserving, asset-liability management, investments, liquidity, reinsurance, concentration of risk, operational risk, risk-mitigation techniques and conduct of business. It must also cover the risks to be included in the calculation of the Solvency Capital Requirement as set out in the Financial Regulations as well as the risks which are not, or not fully, included in the calculation thereof.
 
3. In developing the Risk Management system, the following matters must be taken into consideration:

a. The Risk Profile of the Company must be modified according to circumstances, which requires incorporating new risks and updating the information related to risks that are already identified. The changing expectations of policyholders and other stakeholders must be taken into consideration.

b. Material changes, specifically that affect the Risk Profile, to the Risk Management system must be approved by the Board, documented and made available to internal audit, external audit and the Central Bank.

c. The Risk Management system must incorporate a feedback loop that provides for a process of assessing the effect of changes in risk leading to changes in Risk Management policy, Risk Limits and risk mitigating actions. Within a Group, sufficient coordination between the Parent and its Subsidiaries and Affiliates must be available, as part of their feedback loop.
 
4. Where the Central Bank is not the primary regulator of a Company that is part of a Group and any element of its comprehensive approach to Risk Management is controlled or influenced by another entity in the Group, the Company's Risk Management system must specifically take into account risks arising from the Group relationship and clearly identify:

a. Linkages and any significant differences between the Company's and the Group's Risk Governance System.

b. Whether the Company's Risk Management function is derived wholly or partially from Group Risk Management functions.

c. The process for monitoring by, or reporting to, the Group on Risk Management.
 
5. As part of its Risk Management system the Company shall conduct its Own Risk and Solvency Assessment (ORSA) which must be conducted by the Risk Management function. That assessment must include at least the following:

a. The overall solvency needs, taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the Company. The Company shall demonstrate the methods used in that assessment.

b. The compliance, on an ongoing basis, with the capital requirements, as set out in the Financial Regulations;

c. The compliance, on an ongoing basis, with the requirements regarding technical provisions, as laid out in the Financial Regulations;

d. The significance with which the risk profile of the Company deviates from the assumptions underlying the Solvency Capital Requirement as laid down in the Financial Regulations. Companies must take an active assessment of whether changes in the standard Model are consistent with their actual exposures;

e. The completion of the ORSA which must be an integral part of the business strategy and business planning process and must be taken into account on an ongoing basis in the strategic decisions of the Company and without any delay following any significant change in the Company's Risk Profile;

f. The reporting to the Central Bank of the results of each ORSA at the same time as it submits the Company's annual business plan in accordance with the timetable published by the Central Bank.

g. The reporting to the Central Bank of any additional requirements concerning (ORSA) which may be imposed pursuant to Regulations/decisions to be issued by the Central Bank in this regard.