3.1.1. Core obligations

(1) A Takaful Operator must establish, document and implement a Risk Management Strategy that is appropriate to the nature, scale and complexity of its business.

(2) The Risk Management Strategy of the Takaful Operator must be appropriate to the specific features of the Takaful model adopted by it for conducting its Takaful Business and all associated Shari’ah compliance obligations.

(3) A Takaful Operator must not intentionally deviate in a material way from its Risk Management Strategy unless such deviation has been

(a) approved by its Governing Body in accordance with TRR 3.1.5 (Approval of Risk Management Strategy) below; and

(b) notified to the AFSA in accordance with TRR 3.1.6 (Notification of the AFSA) below.

3.1.2. Contents of Risk Management Strategy

A Takaful Operator’s Risk Management Strategy must:

(a) provide for the identification and quantification of material risks under a sufficiently wide range of outcomes using techniques which are appropriate to the nature, scale and complexity of the risks it bears;

(b) include a Risk Management Policy that complies with TRR 3.1.3 (Contents of Risk Management Policy);

(c) include a Risk Tolerance Statement that complies with the requirements of TRR 3.1.4 (Contents of Risk Tolerance Statement);

(d) be supported by accurate documentation;

(e) describe how the Takaful Operator will:

1. (i) ensure that relevant staff have an awareness of risk issues and the accessibility of the Risk Management Strategy; and
2. (ii) instil an appropriate risk culture; and

(f) include a business continuity plan for ensuring that critical business operations can be maintained or recovered in a timely fashion in the event of disruption.

(g) be responsive to changes in its risk profile; and

(h) incorporate a feedback loop, based on appropriate and good quality information, management processes and objective assessment, which enables it to take the necessary action in a timely manner in response to changes in its risk profile.

3.1.3. Contents of Risk Management Policy

A Takaful Operator’s Risk Management Policy must:

(a) describe how all relevant and material categories of financial and non-financial risk are monitored, measured and managed, both in the Takaful Operator’s business strategy and its day-to-day operations, including at least the following risks:

1. (i) Shari’ah non-compliance risk
2. (ii) risks arising from segregation of Takaful funds
3. (iii) credit risk;
4. (iv) balance sheet and market risk (including investment, asset-liability management, liquidity and derivatives risks);
5. (v) reserving risk;
6. (vi) Takaful risk (including underwriting, product design, pricing and claims settlement risks);
7. (vii) reinsurance risk;
8. (viii) operational risk (including business continuity, outsourcing, fraud, technology, legal and project management risks);
9. (ix) concentration risk;
10. (x) risks relating to use of Retakaful
11. (xi) group risk.

(b) describe the relationship between the Takaful Operator’s tolerance limits, regulatory capital requirements, economic capital and the processes and methods for monitoring risk;

(c) include the following specific policies:

1. (i) a policy regarding investment that specifies the nature, role and extent of the Takaful Operator’s investment activities and how the Takaful Operator complies with the investment requirements under these Rules;
2. (ii) a policy regarding asset-liability management that specifies the nature, role and extent of asset-liability management activities and their relationship with product development, pricing and investment management;
3. (iii) a policy regarding underwriting that specifies the risks to be accepted by the Takaful Operator as part of its Takaful business, the processes for underwriting, pricing and claims settlement;
4. (iv) a policy ensuring that any Contract of Retakaful / reinsurance to which it is a party is finalised (and the material documents supporting the contract are completed) before the start of reinsurance cover (the start date), or as soon as possible after the start date (but in no case later than 60 calendar days after the start date);
5. (v) a policy towards risk retention, risk management strategies including Retakaful and the use of Shari’ah-compliant hedging techniques;
6. (vi) a policy regarding procedures for business continuity that enable the Takaful Operator to manage any initial disruption of business and to recover critical business operations following such a disruption.

3.1.4. Contents of Risk Tolerance Statement

A Takaful Operator’s Risk Tolerance Statement must:

(a) set out its overall quantitative and qualitative risk tolerance levels;

(b) define risk tolerance limits which take into account all relevant and material categories of risk and the relationships between them.

3.1.5 Approval of Risk Management Strategy

(1) A Takaful Operator’s Risk Management Strategy must be approved by its Governing Body.

(2) Any change to or deviation from a Takaful Operator’s Risk Management Strategy must be approved by its Governing Body.

(3) In giving its approval to a Risk Management Strategy, or to any amendment to or deviation from a Risk Management Strategy, the Governing Body of a Takaful Operator must be satisfied that:

• (a) the strategy and any changes to it mitigate and control the risks included in the Takaful Operator’s Risk Management Policy; and
• (b) the Risk Management Policy is appropriate and gives reasonable assurance that all material risks facing the Takaful Operator are prudently and soundly managed having regard to the nature, scale and complexity of the Takaful Operator’s business.

3.1.6. Notification of the AFSA

(1) A Takaful Operator must give to the AFSA a copy of its Risk Management Strategy, and any subsequently amended version of that strategy, within 10 business days after its approval.

(2) A Takaful Operator must notify the AFSA of any material deviation from its Risk Management Strategy at least 10 business days before the deviation.