The risk management system is designed and operated at all levels of the insurer to allow for the identification, assessment, monitoring, mitigation and reporting of all risks of the insurer in a timely manner. It takes into account the probability, potential impact and time horizon of risks.

• take into account the insurer’s overall business strategy and business activities (including any business activities which have been outsourced);
• provide that the insurer’s risk appetite, expressed in a risk appetite statement, be aligned with the insurer’s business strategy and embedded in its day-to-day activities;
• provide relevant objectives, key principles and proper allocation of responsibilities for dealing with risk across the business areas and business units of the insurer;
• provide explanations of the methodologies, key assumptions and limitations of risk management; for groups this would include the rationale as to the risk appetite for different individual insurance legal entities within the group;
• provide a documented process defining the Board approval required for any deviations from the risk management strategy or the risk appetite and for settling any major interpretation issues that may arise;
• define and categorise material risks (by type) to which the insurer is exposed, at both insurance legal entity and group level where applicable, and the levels of acceptable risk limits for each type of these risk;
• include documented policies that describe how categories of risks are managed and the specific obligations of employees and the insurer in dealing with risk, including risk escalation and risk mitigation tools;
• provide suitable processes and tools (including stress testing and, where appropriate, models) for identifying, assessing, monitoring and reporting on risks. Such processes should also cover contingency planning;
• provide for regular reviews of the risk management system (and its components) to help ensure that necessary modifications and improvements are identified and made in a timely manner; and
• appropriately address other matters related to risk management for solvency purposes set out in ICP

The risk management system should cover at least the following risks: underwriting and reserving, asset-liability management, investments, liquidity, concentration, operational and conduct, as well as reinsurance and other risk mitigation techniques.

The risk management system should be aligned with the insurer’s risk culture and embedded into the various business areas and units with the aim of having the appropriate risk management practices and procedures embedded in the key operations and structures.

The risk management system should take into account all reasonably foreseeable and relevant material risks to which the insurer is exposed, both at the insurer and the individual business unit levels. This includes current and emerging risks.

Insurers should assess material risks both qualitatively and, where appropriate, quantitatively. Appropriate consideration should be given to a sufficiently wide range of outcomes, as well as to the appropriate tools and techniques to be used. The interdependencies of risks should also be analysed and taken into account in the assessments.

The insurer’s risk assessment should be documented including detailed descriptions and explanations of the risks covered, the approaches used, and the key judgements and assumptions made.

Insurers should have in place adequate processes, controls and systems to assess the risks of new products and carry out a risk assessment before entering into new business lines and products. Significant new or changed activities and products that may increase an existing risk or create a new type of exposure should be approved by Senior Management and/or by the Board.

The risk management system should include processes and tools for monitoring risk, such as early warnings or triggers that allow timely consideration of, and adequate response to, material risks.

The risk management system should include strategies and tools to mitigate against material risks. In most cases an insurer will control or reduce the risk to an acceptable level. Another response to risk is to transfer the risk to a third party. If risks are not acceptable within the risk appetite and it is not possible to control, limit or transfer the risk, the insurer should cease or change the activity which creates the risk.

Risks, the overall assessment of risks and the related action plans should be reported to the Board and/or to Senior Management, as appropriate, using qualitative and quantitative indicators and effective action plans. The insurer’s documented risk escalation process should allow for reporting on risk issues within established reporting cycles and outside of them for matters of particular urgency.

The Board should have appropriate ways to carry out its responsibilities for risk oversight. The risk management policy should therefore cover the content, form and frequency of reporting that it expects on risk from Senior Management and each of the control functions. Any proposed activity that would go beyond the Board-approved risk appetite should be subject to appropriate review and require Board approval.

The insurer’s risk management policy should be written in a way to help employees understand their responsibilities regarding risk management. It should also reflect how the risk management system relates to the insurer’s overall corporate governance framework and its corporate culture. Regular internal communications and training within the insurer on the risk management policy and risk appetite may help in this regard.

For insurance groups, a risk management policy addresses the way in which the group manages risks that are material at the insurance group level, including risks that arise from the insurance group being part of a wider group. For an insurance legal entity that is part of a group, the risk management policy of that entity should address management of risks material at the entity level as well as additional risk it faces as a result of its membership in a group, which can encompass the widest group of which the insurance legal entity is a member and not only the entity’s insurance group. Within an insurance group, the head of the group and the legal entities should ensure appropriate coordination and consistency between the head of the group and the legal entities when setting the risk management policy.

Both the Board and Senior Management should be attentive to the need to modify the risk management system in light of changes in the insurer’s risk profile as well as other new internal or external events and/or circumstances. The risk management system should include mechanisms to incorporate new risks and new information related to risk already identified on a regular basis. The risk management system should also be responsive to the changing interests and reasonable expectations of policyholders and other stakeholders.

The internal controls system should ensure effective and efficient operations, adequate control of risks, prudent conduct of business, reliability of financial and non-financial information reported (both internally and externally), and compliance with laws, regulations, supervisory requirements and the insurer's internal rules and decisions. It should be designed and operated to assist the Board and Senior Management in the fulfilment of their respective responsibilities for oversight and management of the insurer. Some insurers have a designated person or function to support the advancement, coordination and/or management of the overall internal controls system on a more regular basis.

The internal controls system should cover all units and activities of the insurer and should be an integral part of the daily activities of an insurer. The controls should form a coherent system, which should be regularly assessed and improved as necessary. Each individual control[1] of an insurer, as well as all its controls cumulatively, should be designed for effectiveness and operate effectively.

[1] Individual controls may be preventive (applied to prevent undesirable outcomes) or detective (to uncover undesirable activity). Individual controls may be manual (human), automated, or a combination and may be either general or process or application specific.

An effective internal control system requires an appropriate control structure with control activities defined at every business unit level. Depending on the organisational structure of the insurer, business or other units should own, manage and report on risks and should be primarily accountable for establishing and maintaining effective internal control policies and procedures. Control functions should determine and assess the appropriateness of the controls used by the business or other units.  The internal audit function should provide independent assurance on the quality and effectiveness of the internal controls system.[2]

[2] This division of responsibilities between business, risk management and compliance and internal audit is typically referred to as the three lines of defense. The business is considered as the first line of defence, the control functions (other than internal audit) as the second line of defence, and internal audit as the third line of defence. The business is deemed to “own” the controls, and the other lines of defence are there to help ensure their application and viability. Whatever approach is used, it is important that responsibilities be clearly allocated to promote checks and balances and avoid conflicts of interest.

• appropriate segregation of duties and controls to ensure such segregation is observed. This includes, amongst others, having sufficient distance between those accountable for a process or policy and those who check if for such a process or policy an appropriate control exists and is being applied. It also includes appropriate distance between those who design a control or operate a control and those who check if such a control is effective in design and operation;
• up-to-date policies regarding who can sign for or commit the insurer, and for what amounts, with corresponding controls, such as practice that key decisions should be taken at least by two persons and the practice of double or multiple signatures. Such policies and controls should be designed, among other things, to prevent any major transaction being entered into without appropriate governance review or by anyone lacking the necessary authority and to ensure that borrowing, trading, risk and other such limits are strictly observed. Such policies should foresee a role for control functions, for example by requiring for major matters the review and sign-off by Risk Management or Compliance, and/or approval by a Board level committee;

• appropriate controls for all key business processes and policies, including for major business decisions and transactions (including intra-group transactions), critical IT functionalities, access to critical IT infrastructure by employees and related third parties, and important legal and regulatory obligations;
• policies on training in respect of controls, particularly for employees in positions of high trust or responsibility or involved in high risk activities;
• a centralised documented inventory of insurer-wide key processes and policies and of the controls in place in respect of such processes and policies, that also may introduce a hierarchy among the policies;

• appropriate controls to provide reasonable assurance over the accuracy and completeness of the insurer’s books, records, and accounts and over financial consolidation and reporting, including the reporting made to the insurer’s supervisors;
• adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format;
• information processes that cover all significant activities of the insurer, including contingency arrangements;
• effective channels of communication to ensure that all staff fully understand and adhere to the internal controls and their duties and responsibilities and that other relevant information is reaching the appropriate personnel;
• policies regarding escalation procedures;

• processes for regularly checking that the totality of all controls forms a coherent system and that this system works as intended; fits properly within the overall corporate governance framework of the insurer; and provides an element of risk control to complement the risk identification, risk assessment, and risk management activities of the insurer. As part of such review, individual controls are monitored and analysed periodically to determine gaps and improvement opportunities with Senior Management taking such measures as are necessary to address these; and
• periodic testing and assessments (carried out by objective parties such as an internal or external auditor) to determine the adequacy, completeness and effectiveness of the internal controls system and its utility to the Board and Senior Management for controlling the operations of the insurer.

The Board should have an overall understanding of the control environment across the various entities and businesses, and require Senior Management to ensure that for each key business process and policy, and related risks and obligations, there is an appropriate control.

In addition, the Board should ensure there is clear allocation of responsibilities within the insurer, with appropriate segregation, including in respect of the design, documentation, operation, monitoring and testing of internal controls. Responsibilities should be properly documented, such as in charters, authority tables, governance manuals or other similar governance documents.

The Board should determine which function or functions report to it or to any Board Committees in respect of the internal controls system.

• the strategy in respect of internal controls (such as responsibilities, target levels of compliance to achieve, validations and implementation of remediation plans);
• the stage of development of the internal controls system, including its scope, testing activity, and the performance against annual or periodic internal controls system goals being pursued;
• an assessment of how the various business units are performing against internal control standards and goals;
• control deficiencies, weaknesses and failures that have arisen or that have been identified (including any identified by the internal or external auditors or the supervisor) and the responses thereto (in each case to the extent not already covered in other reporting made to the Board); and
• controls at the appropriate levels so as to be effective, including at the process or transactional level.

The compliance function has a broader role than merely monitoring compliance with laws, regulations and supervisory requirements; monitoring compliance with internal policies and promoting and sustaining a compliance culture within the insurer are equally important aspects of this control function.

Compliance starts at the top. The Board is ultimately responsible for establishing standards for honesty and integrity throughout the insurer and for creating an effective corporate culture that emphasises them. This should include a code of conduct or other appropriate mechanism as evidence of the insurer’s commitment to comply with all applicable laws, regulations, supervisory requirements and internal policies, and conduct its business ethically and responsibly.

As part of this commitment, the insurer has in place a robust and well positioned, resourced and properly authorised and staffed compliance function. Within some insurers, particularly larger or more complex ones, such a function is typically led by a Chief Compliance Officer.

• an assessment of the key compliance risks the insurer faces and the steps being taken to address them;
• an assessment of how the various parts of the insurer (eg divisions, major business units, product areas) are performing against compliance standards and goals;
• any compliance issues involving management or persons in positions of major responsibility within the insurer, and the status of any associated investigations or other actions being taken;
• material compliance violations or concerns involving any other person or unit of the insurer and the status of any associated investigations or other actions being taken; and
• material fines or other disciplinary actions taken by any regulator or supervisor in respect of the insurer or any employee.

The head of the compliance function should have the authority and obligation to inform promptly the Chair of the Board directly in the event of any major non-compliance by a member of management or a material non-compliance by the insurer with an external obligation if in either case he or she believes that Senior Management or other persons in authority at the insurer are not taking the necessary corrective actions and a delay would be detrimental to the insurer or its policyholders.

• promote and sustain an ethical corporate culture that values responsible conduct and compliance with internal and external obligations; this includes communicating and holding training on an appropriate code of conduct or similar that incorporates the corporate values of the insurer, aims to promote a high level of professional conduct and sets out the key conduct expectations of employees;
• identify, assess, report on and address key legal and regulatory obligations, including obligations to the insurer’s supervisor, and the risks associated therewith; such analyses should use risk and other appropriate methodologies;
• ensure the insurer monitors and has appropriate policies, processes and controls in respect of key areas of legal, regulatory and ethical obligation;
• hold regular training on key legal and regulatory obligations particularly for employees in positions of high responsibility or who are involved in high risk activities;
• facilitate the confidential reporting by employees of concerns, shortcomings or potential or actual violations in respect of insurer internal policies, legal or regulatory obligations, or ethical considerations; this includes ensuring there are appropriate means for such reporting;
• address compliance shortcomings and violations, including ensuring that adequate disciplinary actions are taken and any necessary reporting to the supervisor or other authorities is made; and
• conduct regular self-assessments of the compliance function and the compliance processes and implement or monitor needed improvements. 

A robust actuarial function that is well positioned, resourced and properly authorised and staffed is essential for the proper operation of the insurer. It plays a key role as part of the insurer’s overall systems of risk management and internal controls.

• any circumstance that may have a material effect on the insurer from an actuarial perspective;
• the adequacy of the technical provisions and other liabilities;
• distribution of profits to participating policyholders;
• stress testing and capital adequacy assessment with regard to the prospective solvency position of the insurer; and
• any other matters as determined by the Board.

Written reports on actuarial evaluations should be made to the Board, Senior Management, or other Key Persons in Control Functions or the supervisor as necessary or appropriate or as required by legislation.

• the insurer’s insurance liabilities, including policy provisions and aggregate claim liabilities, as well as determination of reserves for financial risks;
• asset liability management with regard to the adequacy and the sufficiency of assets and future revenues to cover the insurer’s obligations to policyholders and capital requirements, as well as other obligations or activities;
• the insurer’s investment policies and the valuation of assets;
• an insurer’s solvency position, including a calculation of minimum capital required for regulatory purposes and liability and loss provisions;
• an insurer’s prospective solvency position by conducting capital adequacy assessments and stress tests under various scenarios, and measuring their relative impact on assets, liabilities, and actual and future capital levels;
• risk assessment and management policies and controls relevant to actuarial matters or the financial condition of the insurer;
• the fair treatment of policyholders with regard to distribution of profits awarded to participating policyholders;
• the adequacy and soundness of underwriting policies;
• the development, pricing and assessment of the adequacy of reinsurance arrangements;
• product development and design, including the terms and conditions of insurance contracts and pricing, along with estimation of the capital required to underwrite the product;
• the sufficiency, accuracy and quality of data, the methods and the assumptions used in the calculation of technical provisions;
• the research, development, validation and use of internal models for internal actuarial or financial projections, or for solvency purposes as in the ORSA; and
• any other actuarial or financial matters determined by the Board.

Where required, the actuarial function may also provide to the supervisor certifications on the adequacy, reasonableness and/or fairness of premiums (or the methodology to determine the same) and certifications or statements of actuarial opinion.

The supervisor should clearly define when such certifications or statements of actuarial opinion need to be submitted to the supervisor. When these are required to be submitted, the supervisor should also clearly define both the qualifications of those permitted to certify or sign such statements and the minimum contents of such an opinion or certification.

Some jurisdictions may require an “appointed actuary”, “statutory actuary”, or “responsible actuary” (referred to here as an “Appointed Actuary”) to perform certain functions, such as determining or providing advice on an insurer’s compliance with regulatory requirements for certifications or statements of actuarial opinion. The tasks and responsibilities of the Appointed Actuary should be clearly defined and should not limit or restrict the tasks and responsibilities of other individuals performing actuarial functions.

The insurer should be required to report the Appointed Actuary’s appointment to the supervisor.

The Appointed Actuary should not hold positions within or outside of the insurer that may create conflicts of interest or compromise his or her independence. If the Appointed Actuary is not an employee of the insurer, the Board should determine whether the external actuary has any potential conflicts of interest, such as if his or her firm also provides auditing or other services to the insurer. If any such conflicts exist, the Board should subject them to appropriate controls or choose another Appointed Actuary.

If an Appointed Actuary is replaced, the insurer should notify the supervisor and give the reasons for the replacement. In some jurisdictions, such a notification includes statements from both the insurer and the former Appointed Actuary as to whether there were any disagreements with the former Appointed Actuary over the content of the actuary’s opinion on matters of risk management, required disclosures, scopes, procedures, or data quality, and whether or not any such disagreements were resolved to the former Appointed Actuary’s satisfaction.

In some jurisdictions, the Appointed Actuary also has the obligation to notify the supervisor if he or she resigns for reasons connected with his or her duties as an Appointed Actuary or with the conduct of the insurer’s business and give the reasons for resigning. The Appointed Actuary should also notify the supervisor and provide an explanation if his or her appointment is revoked by the insurer.

The supervisor should have the authority to require an insurer to replace an Appointed Actuary when such person fails to adequately perform required functions or duties, is subject to conflicts of interest or no longer meets the jurisdiction’s eligibility requirements.