3. Risk Management Strategy
3.1. Risk Management Strategy
3.1.1. Core obligations
(1) An Insurer must establish, document and implement a Risk Management Strategy that is appropriate to the nature, scale and complexity of its business.
(2) An Insurer must not intentionally deviate in a material way from its Risk Management Strategy unless such deviation has been:
- (a) approved by its Governing Body in accordance with PINS 3.1.5 (Approval of Risk Management Strategy) below; and
- (b) notified to the AFSA in accordance with PINS 3.1.6 (Notification of the AFSA) below.
3.1.2. Contents of Risk Management Strategy
An Insurer’s Risk Management Strategy must:
- (a) provide for the identification and quantification of material risks under a sufficiently wide range of outcomes using techniques which are appropriate to the nature, scale and complexity of the risks it bears;
- (b) include a Risk Management Policy that complies with PINS 3.1.3 (Contents of Risk Management Policy);
- (c) include a Risk Tolerance Statement that complies with the requirements of PINS 3.1.4 (Contents of Risk Tolerance Statement);
- (d) be supported by accurate documentation;
- (e) describe how the Insurer will:
  - (i) ensure that relevant staff have an awareness of risk issues and the accessibility of the Risk Management Strategy; and
  - (ii) instil an appropriate risk culture; and
- (f) include a business continuity plan for ensuring that critical business operations can be maintained or recovered in a timely fashion in the event of disruption;
- (g) be responsive to changes in its risk profile; and
- (h) incorporate a feedback loop, based on appropriate and good quality information, management processes and objective assessment, which enables it to take the necessary action in a timely manner in response to changes in its risk profile.
3.1.3. Contents of Risk Management Policy
An Insurer’s Risk Management Policy must:
- (a) describe how all relevant and material categories of financial and non-financial risk are monitored, measured and managed, both in the Insurer’s business strategy and its day-to-day operations, including at least the following risks:
  - (i) credit risk;
  - (ii) balance sheet and market risk (including investment, asset-liability management, liquidity and derivatives risks);
  - (iii) reserving risk;
  - (iv) insurance risk (including underwriting, product design, pricing and claims settlement risks);
  - (v) reinsurance risk;
  - (vi) operational risk (including business continuity, outsourcing, fraud, technology, legal and project management risks);
  - (vii) concentration risk;
  - (viii) group risk;
- (b) describe the relationship between the Insurer’s tolerance limits, regulatory capital requirements, economic capital and the processes and methods for monitoring risk;
- (c) include the following specific policies:
  - (i) a policy regarding investment that specifies the nature, role and extent of the Insurer’s investment activities and how the Insurer complies with the investment requirements under these rules;
  - (ii) a policy regarding asset-liability management that specifies the nature, role and extent of asset-liability management activities and their relationship with product development, pricing and investment management;
  - (iii) a policy regarding underwriting that specifies the risks to be accepted by the Insurer as part of its insurance business, the processes for underwriting, pricing and claims settlement;
  - (iv) a policy ensuring that any Contract of Reinsurance to which it is a party is finalised (and the material documents supporting the contract are completed) before the start of reinsurance cover (the start date), or as soon as possible after the start date (but in no case later than 60 calendar days after the start date);
  - (v) a policy regarding procedures for business continuity that enable the Insurer to manage any initial disruption of business and to recover critical business operations following such a disruption.
3.1.4. Contents of Risk Tolerance Statement
An Insurer’s Risk Tolerance Statement must:
- (a) set out its overall quantitative and qualitative risk tolerance levels;
- (b) define risk tolerance limits which take into account all relevant and material categories of risk and the relationships between them.
3.1.5. Approval of Risk Management Strategy
(1) An Insurer’s Risk Management Strategy must be approved by its Governing Body.
(2) Any material change to or deviation from an Insurer’s Risk Management Strategy must be approved by its Governing Body.
(3) In giving its approval to a Risk Management Strategy, or to any amendment to or deviation from a Risk Management Strategy, the Governing Body of an Insurer must be satisfied that:
- (a) the strategy and any changes to it mitigate and control the risks included in the Insurer’s Risk Management Policy; and
- (b) the Risk Management Policy is appropriate and gives reasonable assurance that all material risks facing the Insurer are prudently and soundly managed having regard to the nature, scale and complexity of the Insurer’s business.
3.1.6. Notification of the AFSA
(1) An Insurer must give to the AFSA a copy of its Risk Management Strategy, and any subsequently amended version of that strategy, within 10 business days after its approval.
(2) An Insurer must notify the AFSA of any material deviation from its Risk Management Strategy at least 10 business days before the deviation.