18.1 Risk management and controls Flashcards
Requirements of sound RM as per chapter 5:
Good corporate governance (roles and responsibilities, independent board composition, fit and proper requirements, appropriate risk organisational structure and strategies)
Sound risk management procedures and models (well tested, clearly defined, embedded into business strategy and operation, and fully documented)
Adequate control functions (incl. actuarial function and internal audit function)
Independent audit and monitoring functions
Adequate disclosure and reporting to various stakeholders
GOM for microinsurers
Organisations
1- Framework for GOI
2- Governance of insurers
3- Risk management and internal controls for insurers
3.1- ORSA
3.2- Business continuity management
4- Fitness and propriety of significant owners and key persons
5- Outsourcing by insurers
6- Transfers of business and other significant transactions by insurers
7- Miscellaneous regulatory requirements for insurers
Governance and risk management system requirements
Risk management function
Actuarial function
Risk management strategy and policies
Credit and counterparty risk management
Market risk management
Liquidity risk management
Operational risk management
Insurance risk management
Group risk management
Climate risk management
Other risks
- Risk governance framework as per IA
Must adopt, implement and document effective governance framework (GF)
Framework must provide for prudent management and oversight of business, adequately protecting interests of ph
Must be proportionate to nature, scale and complexity of business and risks
Must incl. effective systems of corporate governance, RM, and internal controls and address prescribed matters
Must have procedures to monitor compliance with requirements
Questionable framework:
Regulator can direct independent review of framework at insurer’s cost
Regulator can instruct board or managing execs to strengthen and improve GF
- Risk committee
GOI 2 sect 7.4 requires establishment
Functions set out in detailed section B:
Assist board in developing RM strategy
Assist board to evaluate adequacy and effectiveness of RM system
Assist board to identify build-up and concentration of risks
Assist board to identify and monitor material risks to ensure decision-making capability and reporting accuracy maintained
Facilitate communication between board and senior management on risk-related issues
Facilitate and ensure appropriate segregation of duties between risk management function and operational business lines
Introduce measures to enhance adequacy and effectiveness of RM system
Oversee monitoring of RM on an enterprise-wide and individual business unit basis
- Risk management system
GOI 3 sect 4 has requirements:
Emphasises that effective risk management critical for insurers to honour promises to ph
Must have board-approved, enterprise-wide RM system
System must include:
Risk management strategy
RM policies and related procedures
Tools for assessing, monitoring and mitigating material risks which could affect ability to meet ph obligations
RM strategy must include risk appetite, aligned with RM strategy and business plans
Must establish, maintain and operate within system of effective internal controls designed to ensure RM system operates effectively and with appropriate checks and balances.
To provide appropriate governance over RM system and controls, must establish and adequately resource at least the following functions:
Risk management function
Compliance function
Internal audit function
Actuarial function
GOI 3 sect 2 has roles and responsibilities:
BoD- ultimately responsible for ensuring compliance with principles and requirements of the standard, incl. establishing overall risk appetite and ensuring effective risk management and internal control systems are in place to address key risks
Heads of RM, compliance and actuarial functions- responsible for providing input and expressing opinions to BoD about operations, efficiency and effectiveness of relevant components of risk management and internal control systems
Internal audit or objective external reviewer- regularly review RM and internal control systems and provide assurance to BoD on effectiveness
Auditor- provide assurance to insurer and PA (upon request) that insurer complies with requirements of this standard. Auditor must report any non-compliant issues to board and PA
GOI 3 4.5 mandates formal RMF and sect 11 has roles and responsibilities
Must have effective risk management function capable of assisting board and senior management in developing and maintaining RM system to identify, assess, monitor and mitigate material risks and promote sound risk culture
RMF responsible for providing reasonable assurance that adequate mechanisms and procedures established, implemented and maintained to:
Identify individual and aggregated risks (current and emerging)
Assess, monitor and help manage identified risks effectively
Gain and maintain aggregated view of risk profile
Establish forward-looking asmt of risk profile and financial position, incl. regular stress testing and scenario analyses, against insurer’s risk appetite and limits
RM function must assess appropriateness of RM policies, processes, and controls and effective monitoring
RMF must also:
Regularly provide written reports to snr management, other key control function personnel, and board on insurer’s risk profile, risk exposures and related mitigation actions
Document and report material changes affecting RM system to board to ensure its maintenance and improvement
Have access to and report to board (or designated committee) on strategy of RM function and info on its resources, incl. analysis of appropriateness
GOI 3 4.5d mandates actuarial function
Must have effective actuarial function capable of assisting BoD re matters below
Responsible for expressing opinion to BoD on reliability and adequacy of calcs of insurer’s TPs and M/SCR including on:
Appropriateness of methodologies, underlying models and assumptions used
Sufficiency and quality of data used in actuarial calcs
Best estimates and associated assumptions against experience when evaluating TPs
Accuracy of calculations
Appropriateness and impact of assumed future management actions and effect of risk mitigation instruments
Appropriateness of approx. or judgements used due to insufficient data quality
Also responsible for expressing opinion to BoD on:
Appropriateness of insurer’s A-L, underwriting and reinsurance and other forms of risk transfer policies
Adequacy of reinsurance and other forms of risk transfer arrangements
Furthermore, actuarial function responsible for evaluating and providing advice to BoD, senior management and other control functions (where relevant) on:
Appropriateness of using standardised formula to assess risks, where applicable, explaining why it accurately reflects insurer’s own risk profile, considering board-approved risk appetite (and limits) and business strategy
Development and use of internal models for internal actuarial/financial projections, or for own solvency projections as in ORSA
Insurer’s investment policy
Insurer’s financial soundness position, incl. impact of proposed dividend declarations / payments
Actuarial-related matters in ORSA, such as economic capital requirements, forward-looking projections of financial soundness, stress/sensitivity/scenario testing, and assumed management actions
Internal controls relevant to actuarial matters
Awarding of bonuses / similar benefits to participating ph in accordance with financial management principles
Actuarial soundness of insurance contract t&cs
GOI 3 sect 5
Must be reviewed regularly and updated in light of emerging risks and changing circumstances. Material changes to strat must be approved by BoD, properly justified and documented, with documentation available for review by internal and external audit and PA
In addition to overall risk management strategies, insurers must have following BoD approved policies:
A-L management
Capital management
Concentration
Credit
Fitness and propriety
IT
Insurance fraud
Investment
Liquidity management
Operational
Outsourcing
Reinsurance and other forms of risk transfer
Remuneration
Underwriting
Sect 6.2 allows combination of policies if specified risks don’t warrant separate policies given nature, scale and complexity of business and risks
Extracts from Attachment 1 of GOI 3
Capital management policy
Provide for internal capital planning process
Set out strat for ensuring adequate capital over time with quantifiable targets (considering ORS, risk profile, risk appetite and regulatory requirements)
Incl. plans for meeting targets and sourcing additional capital
Identify and measure risks causing capital shortfalls
Establish processes and procedures to monitor compliance with capital requirements (incl. triggers)
Set out actions for capital shortfalls
Provide for management and regular review (incl. independent review)
Concentration risk policy
Identify relevant concentration risk sources
Identify strategies to ensure concentration stays within limits
Analyse potential correlations between concentrated exposures
Credit risk policy
Set out approach to identify, assess, monitor, manage and report on credit risk
Identify full range of direct and indirect risk exposures
Identify acceptable range of exposures
Identify methods for quantifying and mitigating risk (incl. credit risk of transferees)
Insurance fraud risk policy
Outline strategies, procedures and controls to deter, prevent, detect, report and remedy fraud
Outline strategies, procedures and controls to manage fraud risk’s impact on financial soundness
Consider industry-wide initiatives
Provide for prompt reporting to regulators
Investment policy
Specify nature, role, and extent of investment activities and ensure compliance with financial soundness standards.
Set out investment strategy (including asset allocation and its relation to ALM)
Establish risk management procedures for complex assets
Consider environmental, social, and governance factors
Adhere to the Prudent Person Principle, i.e.
(a) the insurer invests only in assets and instruments whose risks the insurer can properly identify, assess, monitor, manage, control, and report on. This means insurers should have a thorough understanding of the investments they make and possess the capabilities to handle the associated risks.
(b) assets are invested in a manner appropriate to the nature and duration of the insurer’s liabilities and the best interests of policyholders and beneficiaries. This emphasises that investment decisions should consider the insurer’s financial obligations to its policyholders and should prioritize their interests.
Ensure security, quality, liquidity, and profitability
Limit non-regulated market investments
Ensure diversification
Manage conflicts of interest
Address specific requirements for long-term and guaranteed policies.
Liquidity management policy
Set out approach to identifying, assessing, monitoring, managing, and reporting short-term and long-term liquidity risk, including triggers, action plans, and responsibilities for liquidity stresses
Incl. modelling impact of adverse scenarios (e.g., catastrophes, downgrades, counterparty defaults) and specifically consider liquidity consequences of reinsurance counterparty difficulties and the nature of investments
Operational risk policy
Set out approach to identifying, assessing, monitoring, managing, and reporting risk exposures (including risks from inadequate processes, people, systems, or external events)
Should leverage quantitative data on incidents and impacts, and share such data with the industry where possible
Underwriting policy
Identify nature of insurance business (risk classes + types and exclusions)
Describe formal underwriting risk asmt process, incl.
Risk asmt criteria
Methods for monitoring emerging experience and how experience is incorporated into uw
Credit risk:
Exposed to loss if counterparty fails to perform contractual obligations, incl. failure to perform on time, or borrower/reinsurer fails to generate adequate cash for payment of interest and/or principal amt
Counterparty risk:
Exposed to loss if counterparty fails to honour obligations
Will bear replacement/cancellation costs of having been defaulted on
Not outlined in GOI 3- aspects in liquidity and reinsurance policy
If material exposure, include in other risk management policies or create separate one
Must have internal systems for monitoring
Enables insurer to restrict exposures to diff counterparties and assets to prudent levels
Ensure exposures sufficiently diversified
Exposure limit must be consistent with:
Regulation
Risk appetite
Capital resources
Monitoring controls must account for:
Counterparty exposure- amt to be lost if counterparty fails to meet obligations
Asset exposure- amt to be lost if A/A class yields less than expected return or significantly reduces in value
Adequacy of diversification in spreading risk
Likelihood of default
Expected loss in event of default
Exposure period
Asset spreading req in regulatory returns:
Exposures to one asset, counterparty or group of closely related counterparties in excess of prescribed limits must be subtracted from value of assets
Market risk:
Arises from market movements causing fluctuations in income from / value of assets, or amt of L, to be worse than expected
Incl in ALM policy and investment policy in GOI 3
Sources: Market values of:
Equities
Commodities
FX rates
Real estate prices
Sources not independent so must consider correlations
Must monitor market risk and impact on solvency more frequently than required by annual investigations
Parts of controls:
Define investment and management decision governance arrangements and authorisation levels
Understand sensitivity of liability calcs to market value movements
Outline likely management actions in event of certain movements in key market indicators
Liquidity risk:
Arises from short-term CFs
Must ensure sufficient controls to identify when volatility of claim payments and ph options (incl. circumstances in which they’re likely to be exercised) could cause mismatch between short-term CFs
May have to realise loss when mismatch occurs
Operational risk:
FSI 1- Risk of loss from inadequate or failed internal processes, people and systems or from external events
Internal systems and controls vary based on firm’s scale, complexity and nature of operations
Testing controls challenging w/o actual catastrophic failure, and boundaries between operational risk management and other systems can be blurred
For monitoring, firms assess operational risk profile, identifying acceptable risks and setting risk tolerances
Management information packs provide operational risk statistics, tailored to the firm’s needs and capabilities
Operational risk exposure examples:
Internal and external fraud
Failure to comply with employment law / meet workplace safety stds
Physical asset damage
Business disruptions and system failures
Transactional processing failures
Cyber risk growing concern due to:
Digitalisation
Cloud computing
Remote work
Rising sophistication of cyber threats
Joint Standard 2 of 2024 (Cybersecurity and cyber resilience requirements for financial institutions), by the FSCA and the PA- sets out the minimum requirements and principles for insurers for management of cyber-security and cyber resilience risk
Insurance risk:
Fluctuations in the timing, frequency, and severity of insured events relative to underwriting expectations
Variations in claim settlements, mortality rates, persistency rates, and potential expense overruns
BoD sets business plan and monitoring framework to manage new and existing insurance risk
Documentation on risk policy, defining risk appetite, measurement, monitoring and control strategies
Key policy elements:
Classes and types of risks accepted
Risk acceptance limits in terms of business taken on
Expense level management
Reinsurance strategies
Approach to dealing with discretion
Persistency risk management
Control will provide info on insurance risk and impact on solvency and profitability
Metrics / info to be monitored:
Stmts of firm’s profits/losses for each business class, incl. analysis of how these have arisen and variance analysis against plan/budget
Amount and detail of new business
Amount and detail of lapses / cancellations
Emerging expense and persistency trends
Escalation procedures must be in place for breaches of defined risk limits
Group risk:
Arises when activities of one firm within group impact reputation and financial soundness of other firms within group
Examples:
GI and LI entities in same group, with financial instability in one affecting the other
More than one insurer carrying out diff activities and operating in diff market segments
Internal loans from one group company to another
Internal reinsurance treaties
Mgmt of firm can’t influence mgmt of other group companies, but can monitor exposure to them
Must determine if:
Sufficient diversification of risk?
Exposures acceptable?
Group as whole must satisfy GOG, which requires:
Controlling company of an insurance group must establish an effective governance framework that provides for sound and prudent management of the insurance group’s business, including adequate protection of the interests of policyholders of insurers that are part of the insurance group
Climate risk:
GN 1 of 2024 has guidance on how to apply GOI 3 and GOI 3.1 to climate risk (best practice)
Must be proportionate to business
Set out in section 2 of GN1
Other risks:
Political/legislative risk
Tech risk
Environmental
Social
Competition and industry
Catastrophe