Interim Measures - Governance, Risk Management and Internal Controls
Wayne Savage, Chairperson: SAM Governance Task Group
SAM Interim Measures Insurance Regulatory Seminar, 12 & 18 October 2011
Overview
The ongoing financial soundness and stability of an insurer is highly dependent on the quality of its leadership, governance and management teams, and on its risk management and internal control systems. It is therefore vital that these interim measures prepare insurance and reinsurance companies for the SAM regime. Ideally the interim measures should increase awareness of risk exposures, as well as improve the scrutiny and management of these matters.
Overview
The interim measures cover five areas:
1. Governance, including the Board of Directors
2. Risk Management, including Risk Policies
3. Internal Control
4. Control Functions, including Control Function Heads
5. Outsourcing
Governance - Objective
Adopt and implement a governance framework that provides for prudent management and oversight of the business and adequately protects the interests of policyholders. The framework must be proportionate to the nature, scale and complexity of the business.
Governance - Requirements
- Organisational structure: transparent, segregation, information flow
- Compliance
- Fit & Proper
- Risk Management System
- Internal Control System
- Control Functions
- Written Policies: General Governance, Risk Management, Investment, Reinsurance & Risk Mitigation, Outsourcing, Internal Controls, Remuneration
- The framework must adequately protect the interests of policyholders
Board of Directors - Requirements over and above the Companies Act, given the objective of adequate policyholder protection
Composition:
- No specified number of non-executive directors
- Composition must support objectivity in decision making
- Appropriate mix to ensure an adequate spread and level of knowledge, skills and expertise
- Chairman independent (and may not have been CEO in the last 3 years)
Structure:
- Assess and determine the need for subcommittees
- Audit Committee: statutory requirement
- Risk and remuneration committees recommended
- If the insurer elects not to form risk and remuneration committees, it must notify and explain
Duties:
- Fit and proper
- Act in the best interest of policyholders
- Exercise independent judgement & objectivity
- If the majority of directors are not independent, the insurer must explain
Board of Directors - Roles and responsibilities
- Determine & oversee implementation of strategies
- Clearly define segregation of duties
- Oversight over senior management
- Ongoing monitoring that fit & proper requirements are met
- Oversight of design and implementation of the risk management system
- Oversee effective implementation of the remuneration policy
- Effective systems and controls for information and communication
- Appropriate policy and procedures for senior management
- Regularly monitor and evaluate the effectiveness of the governance framework
- May delegate, but remains accountable
Risk Management System - Objective
The risk management system must be capable of supporting the Board of Directors in its responsibilities with respect to the furtherance of the safe and sound operation of the insurer and the protection of policyholders.
Risk Management System - Requirements
Elements (in respect of material risks):
- Resources
- Strategies
- Policies
- Procedures
- Tools
- Processes for contingency planning, business continuity & crisis management
- Regular review for modification & improvement
- Documented
- Management reports on material risks and on risk management effectiveness
Strategy:
- Objectives
- Principles
- Assumptions
- Risk Appetite
- Responsibility
- Adequate for the nature, scale and complexity of the business, and adapted accordingly
- Strategy should apply across all activities and be consistent with the business strategy
Risk Management Policies
Inclusions:
- Definition & categorisation of material risks
- Acceptable risk limits for each type of risk
- Assignment of specific risk obligations, including for risk escalation and risk mitigation
Explicit sub-policies:
- Investment policy
- Reinsurance & Risk Mitigation policy: strategies & procedures for selecting mitigation techniques, cognisant of the nature, scale and complexity of the risk and of the insurer's ability to manage the mitigation technique
- Remuneration policy addressing excessive or inappropriate risk taking
Internal Control System - Objective
The Internal Control System should provide the Board of Directors with reasonable assurance, from a control perspective, that the business is being operated consistently with (a) the strategy set by the Board of Directors, (b) agreed business objectives, (c) agreed policies and processes, and (d) laws and regulations.
Internal Control System - Requirements
Reasonable assurance of:
- Key business, IT and financial policies & procedures (including financial reporting processes)
- Related risk management & compliance measures in place
- Develop & implement a compliance plan
- Secure compliance with this Act
- Provide for effective & efficient operations
- Availability & reliability of information
Control Functions - General Requirements
- Each of the four control functions (numbered 1 to 4 on the slide) must have the necessary authority, independence, resources, expertise and access to all relevant employees and information
- Effectiveness reviews: functions 1, 2 and 3 are reviewed regularly by function 4 or by an objective external party; function 4 is reviewed regularly by an objective external party
- Regular review across all functions
- Board & Senior Management retain responsibility
- The Registrar may prescribe requirements for any control function
Control Function Heads
Conditions:
- Must have a head of each area
- One person can head up more than 1 area
- Registrar intervention where the person is not suitable for more than 1 position, or where this would detract from the adequacy of control
Requirements:
- Regularly report to the BoD or a committee
- Communicate directly to, and regularly meet with, the Chairperson of the BoD or of the Committee, in the absence of senior management
Compliance:
- Submit to the registrar own perceived reasons for termination of services
- Report in writing to the BoD any contravention of the Act
- Submit to the registrar where the BoD is not taking appropriate action
Outsourcing - Requirements
An insurer that outsources any function or activity must have an outsourcing policy that includes such matters as may be prescribed.
Outsourcing
Cannot outsource aspects which may:
- Materially impair the quality of governance
- Materially increase risk, or affect the ability to manage risks and meet legal & regulatory requirements
- Impair the registrar's ability to monitor compliance with regulatory obligations
- Undermine continuous, fair & satisfactory service to policyholders
- Create potential conflicts of interest
Outsourcing
Remuneration for outsourcing must:
- Be reasonable and commensurate with the activity outsourced
- Not result in double payments (commission or binder fees)
- Not be structured in a way which may encourage unreasonable or unfair treatment of policyholders
- Not be linked to the monetary value of claims repudiated, not paid, or partially paid
Outsourcing - Other requirements
Prior to entering an outsource arrangement, notify the registrar of:
- Proposed outsourcing of a control function, a function usually performed by executive management, or a function which may have a material impact on operations or on the ability to manage risk if disrupted
- Details of the third party provider
- Key risks associated with the outsourcing, and the risk mitigation strategies put in place
Must notify the registrar of material developments (e.g. termination, non-performance, etc.) with respect to outsourcing.
BoD & Senior Management retain responsibility.
Differences from DD for Final Measures
Governance:
- More granular (e.g. succession for CEO & critical positions, independence between key functions, etc.)
- Detailed requirements pertaining to the audit committee and senior management, and assessment of Fit & Proper
- Business Rescue, which focuses on provisions & capital
- IT governance aligned to King III & CoBIT
Risk Management Framework:
- More granular
- More detailed discussion on remuneration, including definition
Differences from DD for Final Measures
Control Functions:
- Detailed guidance for each control function
- Risk management function includes requirements pertaining to ORSA
Outsourcing:
- Proposal for a well-defined concept of materiality
- Must allow insurer and supervisor to access data
- Manage operational risks, and hold capital where necessary
- Monitor and manage SLAs
Comments received - Process
- Date for commentary closed 30 September 2011
- Comments were received from a number of industry participants
- Comments will be considered and, where required, changes made by end of October 2011
Questions