Minimum Requirements for Risk Management Frameworks of Licensed Insurers in Fiji

Reserve Bank of Fiji Insurance Supervision Policy Statement No. 8 NOTICE TO INSURANCE COMPANIES LICENSED UNDER THE INSURANCE ACT 1998 MINIMUM REQUIREMENTS FOR RISK MANAGEMENT FRAMEWORKS OF LICENSED INSURERS IN FIJI 1 1.0 Introduction 1.1 This Policy is issued under Section 3(2)(a) and Section 169 of the Insurance Act 1998 as part of the Reserve Bank of Fiji’s standards governing the conduct of insurance business in the Fiji Islands. 1.2 In preparing the requirements of this Policy, reference has been made to the recommendations of the International Association of Insurance Supervisors and other international sound practices. The Reserve Bank of Fiji (Reserve Bank) has also taken into account the nature of licensed insurance companies in Fiji and the level of development of the local insurance industry. 1.3 Risk Management is the process of identifying, assessing, controlling and monitoring inherent risk in the conduct of insurance business. A risk management framework is the totality of systems, structures, processes and people within which the insurer identifies, assesses, mitigates and monitors all internal and external sources of risk that could have a material impact on an insurer’s operations. 2.0 Objective of the Policy 2.1 The objective of the policy is to ensure that each insurer has in place a comprehensive risk management framework that is aligned to the insurer’s strategy and business plans, and commensurate with the size, complexity and nature of its operations. 2.2 This policy has been developed to outline the Reserve Bank’s minimum requirements for the Risk Management Frameworks of insurance companies licensed to conduct insurance business in Fiji. 3.0 Requirements of the Policy Statement 3.1 Risk Management Framework 3.1.1 Each insurer is required to establish an effective risk management framework. The risk management framework (RMF) is the totality of systems, structures, processes and people that address the risk management process. The RMF sets the scope for the entire risk management process and determines how the process can be established and maintained within the institution.

2 3.2 Risk Management Policy 3.2.1 Each insurer is required to develop as part of the RMF, a Risk Management Policy that outlines the institution’s approach to managing risk and the processes involved. 3.2.2 The Risk Management Policy must be documented, easily understood, auditable, accessible to all staff and reflective of the size, complexity and nature of the insurer’s risk profile and exposure. Furthermore, the Risk Management Policy must be approved by the Board or its proxy. 3.2.3 The Risk Management Policy must include: (a) a documented Risk Management Strategy that is approved by the Board; (b) clearly defined management responsibilities and controls; and (c) sound risk management policies and procedures that clearly identify, assess, mitigate and monitor identified risks. 3.3 Risk Management Strategy 3.3.1 At a minimum, the RMS must: (a) clearly identify the individuals responsible for approval and implementation of the risk management policies; (b) detail the policies and procedures for the identification, measurement and assessment of risks; (c) detail the policies and procedures to mitigate and control risks; (d) detail the policies and procedures for monitoring and reporting risks; (e) detail the systems that ensure the timeliness, accuracy and relevance of a management information system; and (f) detail the processes to regularly review the RMF. 3.4 Roles and Responsibilities of Board 3.4.1 The Board or its proxy1 of an insurer is required to: (a) ensure the safety and soundness of the institution; (b) ensure that an appropriate, adequate and effective system of risk management and internal control is established, implemented and maintained by Senior Management; (c) identify and understand the principal risks faced by the institution; (d) ensure that the identified risks are appropriately managed by Senior Management; (e) approve the policies and procedures for the evaluation and management of risks;

1 In the case of branches of foreign insurers, the responsibilities of the Board may be conferred on a Senior Official nominated and approved by the Board. The insurer must ensure that the Reserve Bank is notified of such nominations and any changes made therein. CEO’s are not to be delegated this responsibility.

3 (f) determine the risk profile and appetite of the institution and approve limits commensurate with its risk appetite; (g) review and approve the RMS annually or whenever there are changes in circumstances that could impact on risks; (h) monitor and review the functions of the Board Risk Committee and Audit Committee; (i) ensure that Senior Management instill and document procedures for a strong risk culture within the institution, where there is sufficient communication between levels of management; and (j) ensure that the institution has the necessary resources and management capabilities to work within its risk appetite. 3.4.2 In the case of a foreign insurer, the responsibilities of the Board may be conferred on a head office Board nominated senior official. The Risk Management Policy must outline the reporting arrangements between the senior official, the head office Board and the home supervisor of the insurer’s head office. 3.5 Roles and Responsibilities of Senior Management 3.5.1 The responsibilities of the Senior Management2 include: (a) developing policies and processes that identify, measure, manage and monitor risks faced by the insurer; (b) implementing risk management strategies and policies approved by the Board; (c) reporting to the Board Risk Committee and the Board on the above; (d) monitoring appropriateness, adequacy and effectiveness of the risk management system; and (e) high level decision making, keeping in mind the risk appetite put in place by the Board. 3.6 Roles and Responsibilities of the Board Risk Committee 3.6.1 The Board of a locally incorporated insurer must establish a Board Risk Committee (Risk Committee) that is responsible for monitoring the institution’s compliance with Board approved policies, prudential and legal requirements. Members of the Risk Committee must comprise of a majority of non-executive directors3 and be suitably qualified4 to discharge their responsibilities. The Board must ensure that the independence of the Risk Committee is maintained at all times.

2 Senior Management’ include those persons whose conduct has a significant impact on the sound and prudent management of the insurer’s operations, which include senior managers, senior executives, General Managers /Chief Executive Officer. 3 The Insurance Supervision Policy Statement No.4 defines Non Executive Directors as those not part of the management of the insurer. 4 Members must demonstrate through qualifications and experience, the capacity to successfully undertake the responsibilities of the position.

4 3.6.2 In the case of a foreign insurer, the Risk Management Policy must clearly detail the arrangements of the head office Risk Committee with the branch of the foreign insurer and with its home supervisor. 3.6.3 An insurer may use the services of the Board Audit Committee5 to carry out the functions of the Risk Committee. Each insurer is required to establish separate terms of reference that must be approved by the Board, with respect to the functions of each Committee. Where the Board Audit Committee also acts as the Risk Committee, the insurer must ensure the independence of both functions with respect to its terms of reference. Furthermore, the minutes of meetings or findings of each Committee must be duly documented. 3.6.4 In carrying out their role, the Risk Committee is required at a minimum to: (a) oversee the establishment and implementation of the risk management strategy and the establishment of appropriate control systems to assess its effectiveness; (b) monitor the effectiveness of the internal risk control system; (c) provide recommendations to Senior Management on proposed policies and procedures on risk management processes; (d) recommend for the adoption of risk management processes policies and procedures to the Board; (e) disclose those changes within the organisation that have a material effect on the risk profile; (f) ensure that the risk profile is reviewed and updated regularly; (g) assess the adequacy of the internal risk control system with management and internal and external auditors; (h) ensure the risk management system takes into account all material risks; and (i) assess if Senior Management has controls in place for unusual transactions and any potential transactions that may carry more than an acceptable degree of risk. 3.7 Roles and Responsibilities of the Risk Management Function 3.7.1 The insurer must consider developing a risk management function (function) that is commensurate to the size, nature and diversity of its operations. The function must be independent and have direct access to the Board. 3.7.2 Generally, the role of the function is to assist the Board, the Board Risk Committee and Senior Management in the development, implementation and maintenance of the risk management framework. 3.7.3 The risk management function must include at a minimum:

5 Insurance Policy Statement No.4 on the Corporate Governance of Insurers requires the establishment of the Audit Committee by the Board.

5 (a) co-ordination of the risk management process amongst other business units of the insurer’s operations; (b) providing recommendations on potential risks and their exposures to Board and Senior Management; (c) identifying and analyzing potential risks and the impact of losses to the insurer’s operations; (d) developing risk responses to identified losses that include contingency and business continuity programmes; (e) assist in instilling a risk culture within the insurer’s operations; (f) providing advice on changes in regulatory, legal or market conditions that may impact the insurer’s operations; and (g) providing risk management recommendations that assists strategic planning, decision making and budgeting process of the insurer. 3.7.4 The function may also include ensuring compliance with the insurer’s internal risk management policies and procedures, this policy statement and Fiji’s insurance regulatory and legal requirements. 3.7.5 For smaller scale operations, the function’s responsibilities may be incorporated into a single senior position6 . 3.8 Risk Identification, Assessment and Measurement 3.8.1 An insurer must have in place processes to identify, measure and assess the range of risks that could adversely affect the operations of the insurer. Whilst the risk management systems of an insurer should address all risks, the Reserve Bank of Fiji considers that at a minimum, an insurer must identify and have risk management systems to address the following types of risks: (a) Insurance Risk; (b) Operational Risk; (c) Credit Risk; (d) Investment Risk; (e) Strategic Risk; and (f) any other significant risk to the institution that may arise from time to time. 3.8.2 Each insurer must record in writing the reasons for their selection of measurement techniques7 that enable the assessment and quantification of risks, and the impact on the insurer’s operations. Furthermore, the insurer must detail the procedures that are associated with the measurement technique. 3.9 Risk Mitigation and Controls 3.9.1 An insurer must have appropriate control mechanisms in place to mitigate and control identified risks. The control mechanisms must be

6 The position may be referred to as a Risk Manager, Risk and Compliance Manager, Risk and Compliance Officer. 7 Examples of Risk Measurement Techniques: Self or Risk Assessment, Risk Mapping or Risk Matrix.

6 quantifiable, independent and can be audited. As a minimum, these must include: (a) clearly defined management responsibilities; (b) adequate segregation of duties; (c) establishment and maintenance of the control processes; (d) a system of approvals, limits, authorisations and reporting lines; (e) policies to document the insurer’s procedural controls; (f) activity controls for each division or department; (g) verification of activities such as underwriting, pricing and claims management, and reconciliations; (h) reviews by the Board, Board Risk Committee, Senior Management and Internal Audit; and (i) physical controls that are in place. 3.10 Monitoring and Reporting Risk 3.10.1 An insurer is required to closely assess the quality of the risk management and control systems in place. This could be achieved through ongoing monitoring activities8 , separate evaluation9 , or a combination of both quality assessments. 3.10.2 The insurer must ensure that the selected quality assessment clearly defines the impact of the control mechanisms on the identified risks and the residual risk. Furthermore, the assessment must clearly define the internal and external audits. The insurer is required to record in writing the reason for their choice of quality assessment. 3.10.3 The insurer must report any deficiencies identified as part of the monitoring process, or internal audit to the Board and/or the Risk Committee. 3.10.4 Insurers who are branches of foreign insurers are required to identify in their RMS where responsibility resides for monitoring the risk profile of their operations. Moreover, it must include reporting arrangements between the foreign insurer and their home office operations. 3.10.5 If the insurer is part of a global insurance group, or operates as a foreign insurer, the RMS must include information on the global risk management policy. This may comprise policy objectives and strategies in respect of risk management, but must particularly include the reporting arrangements between Fiji and overseas or home office operations, the monitoring of Fiji operations by the overseas parent or home office and the home regulator’s supervisory arrangements regarding risk management. Where elements of the RMS are controlled by an overseas office, these should be identified and detailed.

8 Ongoing monitoring is conducted on a case-by case basis with the advantage of detecting and correcting deficiencies within the system quickly. 9 Separate evaluation is conducted periodically and is a comprehensive assessment that allows the insurer to assess the system as a whole.

7 3.11 Management Information System 3.11.1 Each insurer is required to have an accurate, informative, and timely Management Information System (MIS) that complements an effective risk management process. The MIS refers to the design, operation of systems and procedures to facilitate the recording, analysis and reporting of information within the institution and to the Reserve Bank. 3.11.2 Reports generated from the insurer’s MIS must be sufficient and provided on a timely basis to the Board for assessment. At a minimum the report must include the financial condition, operating performance and risks of the insurer. 3.11.3 Regular and detailed reports should also be provided to managers who are engaged in the insurer’s daily operations. This would enable risk related decisions to be appropriately recorded and reported to Senior Management and the Board. 3.12 Review of Risk Management Systems 3.12.1 Each insurer must document the policies and procedures for the review of the risk management systems. The Reserve Bank must be consulted in cases where there are institutional or other developments10 relating to the insurer’s operations in Fiji that affect the risk profile of the insurer. 3.12.2 The review must cover the effectiveness of the current risk management policy and include the identification of new and emerging risks. It must be conducted on an annual basis by the Board Risk Committee and or in the case of a foreign insurer, conducted by the internal audit function of the foreign insurer. Subsequently, the findings of the review must be reported to the Board or its proxy. 4.0 Other Requirements of the Policy Statement 4.1 Board Declaration 4.1.1 The Board or its proxy is required to submit to the Reserve Bank of Fiji a declaration stating that: (a) the insurer has sound systems in place that ensures compliance with the Insurance Act 1998, the Insurance Regulations 1998 and Reserve Bank guidelines; (b) the Board is satisfied with the effectiveness of the processes and systems that are in place; (c) the RMF has been developed in accordance with the requirements of this policy and other directives of the Reserve Bank; and

10 Examples of such developments include: establishment of new subsidiaries, major modifications or renovations to the organisation/functions of the insurer or to the Group that the insurer is a part of, which now involves new risks.

8 (d) current copies of the insurer’s Risk Management Policy and the Reinsurance Management Strategy has been lodged. 4.1.2 The declaration must be duly endorsed by the Chairman and at least one other director of the Board and submitted with the Risk Management Policy. 4.2 Strategic Plan 4.2.1 The Reserve Bank of Fiji requires each insurer to develop a three year strategic plan that is approved and driven by the Board. At a minimum the strategic plan must detail the strategic direction of the insurer, the opportunities available in the market, forecasts and the insurer’s proposed results and appropriate benchmarks. The insurer must ensure that the plan is reflective of the size, complexity and nature of the insurer’s operations. 4.2.2 The strategic plan must be submitted to the Reserve Bank 30 calendar days prior to the commencement of the proposed three year plan. The plan must also be submitted upon the request of the Reserve Bank and/or during on-site examinations. Where amendments are made to the strategic plan, a revised copy must be submitted to the Reserve Bank immediately. 4.3 Business Plan 4.3.1 Each insurer is required to develop a 12 month business plan that stems from the institution’s Board approved strategic plan. 4.3.2 Where amendments are made to the business plan, a revised copy must be submitted to the Reserve Bank immediately. Furthermore, the business plan must be submitted upon the request of the Reserve Bank, or during its on-site examinations. 4.3.3 The insurer must ensure that the business plan is reviewed on an annual basis and or, in instances where the insurer alters the core business strategies identified by the current business plan. 4.4 Capital Management Plan 4.4.1 Furthermore, the insurer is required to maintain a three year capital management plan (CMP) that is aligned with the insurer’s Board approved strategic plan. The CMP must be developed by the Senior Management and approved by the Board. The CMP must be submitted to the Reserve Bank 30 calendar days prior to the commencement of the proposed three year plan. Thereinafter, the CMP must be submitted upon the request of the Reserve Bank, or during its on-site examinations.

9 4.4.2 The CMP must identify the strategies that the insurer intends to employ over the three year period, to ensure that capital reserves are above the required minimum capital. Furthermore, the insurer must ensure that the appropriate measures are taken to monitor capital resources. 5.0 Oversight by the Reserve Bank of Fiji 5.1 For the purpose of this Policy, all insurers are required to provide to the Reserve Bank of Fiji its initial Risk Management Policy within 30 days from the date of the implementation of this policy. Each insurer must also provide a copy of the same whenever material changes are made to the Risk Management Policy, and this must be submitted to the Reserve Bank of Fiji within 30 days of Board approval. 5.2 An insurer must adhere to its Risk Management Policy at all times and must advise the Reserve Bank of Fiji in instances where it intends to carry out activities in a manner that would represent a deviation11 from its Risk Management Strategy. Notice of any deviation must be accompanied by Board approval and declaration of the same. This would ensure that the insurer has complied with all the requirements of this policy which is satisfactory to the Board or its proxy. 5.3 The Reserve Bank of Fiji will assess the compliance of each insurer with the requirements of this Policy in the course of its supervision. 6.0 Implementation Arrangements 6.1 This Policy applies to all insurance companies licensed under the Insurance Act 1998. 6.2 The policy will be effective from 01 October 2010 and will be reviewed as deemed necessary. Reserve Bank of Fiji April 2010

11 A deviation is where an insurer engages in new activities or develops new products (that are not consistent with core business strategies identified by the business plan) and enters into unfamiliar markets.