ICP 8 Risk Management and Internal Controls

The supervisor requires an insurer to have, as part of its overall corporate governance framework, effective systems of risk management and internal controls, including effective functions for risk management, compliance, actuarial matters and internal audit.

Introductory Guidance


8.0.1

As part of the overall corporate governance framework and in furtherance of the safe and sound operation of the insurer and the protection of policyholders, the Board is ultimately responsible for ensuring that the insurer has in place effective systems of risk management and internal controls and functions to address the key risks it faces and for the key legal and regulatory obligations that apply to it. Senior Management effectively implements these systems and provides the necessary resources and support for these functions.


8.0.2

In some jurisdictions, risk management is considered a subset of internal controls, while other jurisdictions would see it the other way around. The two systems are in fact closely related. Where the boundary lies between risk management and internal controls is less important than achieving, in practice, the objectives of each.


8.0.3

The systems and functions should be adequate for the insurer’s objectives, strategy, risk profile, and the applicable legal and regulatory requirements. They should be adapted as the insurer’s business and internal and external circumstances change.


8.0.4

The nature of the systems that the insurer has is dependent on many factors. The systems typically include:
  • strategies setting out the approach of the insurer for dealing with specific areas of risk and legal and regulatory obligation;
  • policies defining the procedures and other requirements that members of the Board and employees need to follow;
  • processes for the implementation of the insurer’s strategies and policies; and
  • controls to ensure that such strategies, policies and processes are in fact in place, are being observed and are attaining their intended objectives.


8.0.5

An insurer’s functions (whether in the form of a person, unit or department) should be properly authorised to carry out specific activities relating to matters such as risk management, compliance, actuarial matters and internal audit. These are generally referred to as control functions.


Special considerations for groups


8.0.6

Group-wide risks may affect insurance legal entities within a group, while risks at the insurance legal entity level could also affect the group as a whole. To help address this, groups should have a strong risk management and compliance culture across the group and at the insurance legal entity level. Thus, in addition to meeting group governance requirements, the group should take into account the obligations of its insurance legal entities to comply with local laws and regulations.


8.0.7

How a group's systems of risk management and internal controls are organised and operate will depend on the governance approach the group takes, i.e. a more centralised or a more decentralised approach (see Issues Paper on Approaches to Group Corporate Governance; impact on control functions). Regardless of the governance approach, it is important that effective systems of risk management and internal controls exist and that risks are properly monitored and managed at the insurance legal entity level and on a group-wide basis.


8.0.8

Additionally, a group’s governance approach will affect the way in which its control functions are organised and operated. Coordination between the insurance legal entity and group control functions is important to help ensure overall effective systems of risk management and internal controls. Regardless of how the group control functions are organised and operated, the result should provide an overall view of the group-wide risks and how they should be managed.


8.0.9

Supervisors should require the establishment of comprehensive and consistent group governance and assess its effectiveness. While the group-wide supervisor is responsible for assessing the effectiveness of the group’s systems of risk management and internal controls, the other involved supervisors undertake such assessments on a legal entity basis. Appropriate supervisory cooperation and coordination is necessary to have a group-wide view and to enhance the assessment of the legal entities.