ICP 8 Risk Management and Internal Controls

The supervisor requires an insurer to have, as part of its overall corporate governance framework, effective systems of risk management and internal controls, including effective functions for risk management, compliance, actuarial matters and internal audit.


Systems for risk management and internal controls


8.1

The supervisor requires the insurer to establish, and operate within, an effective and documented risk management system, which includes, at least:
  • a risk management strategy that defines the insurer’s risk appetite;
  • a risk management policy outlining how all material risks are managed within the risk appetite; and
  • the ability to respond to changes in the insurer’s risk profile in a timely manner.


Basic components of a risk management system


8.1.1    

The risk management system is designed and operated at all levels of the insurer to allow for the identification, assessment, monitoring, mitigation and reporting of all risks of the insurer in a timely manner. It takes into account the probability, potential impact and time horizon of risks.


8.1.2    

An effective risk management system should:
  • take into account the insurer’s overall business strategy and business activities (including any business activities which have been outsourced);
  • provide that the insurer’s risk appetite, expressed in a risk appetite statement, be aligned with the insurer’s business strategy and embedded in its day-to-day activities;
  • provide relevant objectives, key principles and proper allocation of responsibilities for dealing with risk across the business areas and business units of the insurer;
  • provide explanations of the methodologies, key assumptions and limitations of risk management; for groups this would include the rationale as to the risk appetite for different individual insurance legal entities within the group;
  • provide a documented process defining the Board approval required for any deviations from the risk management strategy or the risk appetite and for settling any major interpretation issues that may arise;
  • define and categorise material risks (by type) to which the insurer is exposed, at both insurance legal entity and group level where applicable, and the levels of acceptable risk limits for each of these risk types;
  • include documented policies that describe how categories of risks are managed and the specific obligations of employees and the insurer in dealing with risk, including risk escalation and risk mitigation tools;
  • provide suitable processes and tools (including stress testing and, where appropriate, models) for identifying, assessing, monitoring and reporting on risks. Such processes should also cover contingency planning;
  • provide for regular reviews of the risk management system (and its components) to help ensure that necessary modifications and improvements are identified and made in a timely manner; and
  • appropriately address other matters related to risk management for solvency purposes set out in ICP


Scope and embedding of the risk management system


8.1.3    

The risk management system should cover at least the following risks: underwriting and reserving, asset-liability management, investments, liquidity, concentration, operational and conduct, as well as reinsurance and other risk mitigation techniques.


8.1.4    

The risk management system should be aligned with the insurer’s risk culture and embedded into the various business areas and units with the aim of having the appropriate risk management practices and procedures embedded in the key operations and structures.

CF 8.1.a    

The group-wide supervisor requires the Head of the IAIG to ensure that the group-wide risk management system encompasses the levels of the Head of the IAIG and legal entities within the IAIG and covers, at least, the:
  • diversity and geographical reach of the activities of the IAIG;
  • nature and degree of risks of individual legal entities and business lines;
  • aggregation of risks from the legal entities within the IAIG that arises at the level of the Head of the IAIG, including cross-border risks;
  • interconnectedness of the legal entities within the IAIG;
  • level of sophistication and functionality of information and reporting systems in addressing key group-wide risks; and
  • applicable laws and regulations of the jurisdictions where the IAIG operates.

CF 8.1.a.1    

The group-wide risk management system should:
  • be integrated with its organisational structure, decision-making processes, business operations, and risk culture;
  • be integrated within its legal entities; and
  • measure the risk exposure of the IAIG against the risk limits on an ongoing basis in order to identify potential concerns as early as possible.

CF 8.1.b    

The group-wide supervisor requires the Head of the IAIG to reflect, in the documentation of its group-wide risk management system, material differences in risk management that may apply to different legal entities within the IAIG and their associated risks.

CF 8.1.c     

The group-wide supervisor requires the Head of the IAIG to ensure that the IAIG has in place policies and processes for promoting a sound risk culture.

CF 8.1.c.1     

Policies and processes for promoting a sound risk culture should include risk management training, address independence, and create appropriate incentives for staff.

CF 8.1.c.2     

The IAIG’s risk culture should support timely evaluation and open communication of emerging risks that may be significant to the IAIG and its legal entities.


Identification and Assessment


8.1.5    

The risk management system should take into account all reasonably foreseeable and relevant material risks to which the insurer is exposed, both at the insurer and the individual business unit levels. This includes current and emerging risks.


8.1.6    

Insurers should assess material risks both qualitatively and, where appropriate, quantitatively. Appropriate consideration should be given to a sufficiently wide range of outcomes, as well as to the appropriate tools and techniques to be used. The interdependencies of risks should also be analysed and taken into account in the assessments.


8.1.7    

The insurer’s risk assessment should be documented including detailed descriptions and explanations of the risks covered, the approaches used, and the key judgements and assumptions made.


8.1.8    

Insurers should have in place adequate processes, controls and systems to assess the risks of new products and carry out a risk assessment before entering into new business lines and products. Significant new or changed activities and products that may increase an existing risk or create a new type of exposure should be approved by Senior Management and/or by the Board.


Monitoring


8.1.9    

The risk management system should include processes and tools for monitoring risk, such as early warnings or triggers that allow timely consideration of, and adequate response to, material risks.


Mitigation


8.1.10    

The risk management system should include strategies and tools to mitigate material risks. In most cases an insurer will control or reduce the risk to an acceptable level. Another response to risk is to transfer the risk to a third party. If risks are not acceptable within the risk appetite and it is not possible to control, limit or transfer the risk, the insurer should cease or change the activity which creates the risk.


Reporting


8.1.11    

Risks, the overall assessment of risks and the related action plans should be reported to the Board and/or to Senior Management, as appropriate, using qualitative and quantitative indicators and effective action plans. The insurer’s documented risk escalation process should allow for reporting on risk issues within established reporting cycles and outside of them for matters of particular urgency.


8.1.12    

The Board should have appropriate ways to carry out its responsibilities for risk oversight. The risk management policy should therefore cover the content, form and frequency of reporting that it expects on risk from Senior Management and each of the control functions. Any proposed activity that would go beyond the Board-approved risk appetite should be subject to appropriate review and require Board approval.


Risk Management Policy


8.1.13    

The insurer’s risk management policy should be written in a way to help employees understand their responsibilities regarding risk management. It should also reflect how the risk management system relates to the insurer’s overall corporate governance framework and its corporate culture. Regular internal communications and training within the insurer on the risk management policy and risk appetite may help in this regard.


8.1.14    

For insurance groups, a risk management policy addresses the way in which the group manages risks that are material at the insurance group level, including risks that arise from the insurance group being part of a wider group. For an insurance legal entity that is part of a group, the risk management policy of that entity should address management of risks material at the entity level as well as additional risks it faces as a result of its membership in a group, which can encompass the widest group of which the insurance legal entity is a member and not only the entity’s insurance group. Within an insurance group, the head of the group and the legal entities should ensure appropriate coordination and consistency between the head of the group and the legal entities when setting the risk management policy.


Changes to the risk management system


8.1.15    

Both the Board and Senior Management should be attentive to the need to modify the risk management system in light of changes in the insurer’s risk profile as well as other new internal or external events and/or circumstances. The risk management system should include mechanisms to incorporate new risks and new information related to risks already identified on a regular basis. The risk management system should also be responsive to the changing interests and reasonable expectations of policyholders and other stakeholders.


8.1.16    

Material changes to an insurer’s risk management system should be documented and subject to approval by the Board. The reasons for the changes should be documented. Appropriate documentation should be available to internal audit, external audit and the supervisor for their respective assessments of the risk management system.

8.1.17    

As part of its responsiveness to changes in the insurer’s risk profile, the risk management system should incorporate a feedback loop based on appropriate information, management processes and objective assessment. A feedback loop provides a process of assessing the effect of changes in risk leading to changes in risk management policy, risk limits and risk mitigating actions. This may help ensure that decisions made by the Board and Senior Management are implemented and their effects monitored and reported in a timely and sufficiently frequent manner.

8.1.18    

Within an insurance group, there should be sufficient coordination and exchange of information between the head of the insurance group and its insurance legal entities as part of their respective feedback loops to ensure relevant changes in risk profiles can be taken into account.

CF 8.1.d    

The group-wide supervisor requires the Head of the IAIG to:
  • review, at least annually, the group-wide risk management system to ensure that existing and emerging risks as well as changes in the IAIG’s structure and/or business strategy, are taken into account; and
  • identify and make the necessary modifications and improvements in a timely manner.

CF 8.1.d.1    

The Head of the IAIG should assess whether a change occurring in one or more legal entities may affect the IAIG’s risk profile overall, because the impact on a group-wide basis may not be immediately apparent.

8.2

The supervisor requires the insurer to establish, and operate within, an effective and documented system of internal controls.



Control functions (general)


8.3

The supervisor requires the insurer to have effective control functions with the necessary authority, independence and resources.


Risk management function


8.4

The supervisor requires the insurer to have an effective risk management function capable of assisting the insurer to:
  • identify, assess, monitor, mitigate and report on its key risks in a timely way; and
  • promote and sustain a sound risk culture.


Compliance function


8.5

The supervisor requires the insurer to have an effective compliance function capable of assisting the insurer to i) meet its legal, regulatory and supervisory obligations and ii) promote and sustain a compliance culture, including through the monitoring of related internal policies.


Actuarial function


8.6

The supervisor requires the insurer to have an effective actuarial function capable of evaluating and providing advice regarding, at least, technical provisions, premium and pricing activities, capital adequacy, reinsurance and compliance with related statutory and regulatory requirements.


Internal audit function


8.7

The supervisor requires the insurer to have an effective internal audit function capable of providing the Board with independent assurance in respect of the quality and effectiveness of the insurer’s corporate governance framework.


Outsourcing of material activities or functions


8.8

The supervisor requires the insurer to retain at least the same degree of oversight of, and accountability for, any outsourced material activity or function (such as a control function) as applies to non-outsourced activities or functions.