2022-05-17
The Reserve Bank of New Zealand issues these guidelines to clarify risk management programme requirements for licensed insurers under the Insurance (Prudential Supervision) Act 2010. The document mandates comprehensive programmes covering insurance, credit, liquidity, market, and operational risks, while outlining specific responsibilities for governing bodies and senior management. It further details requirements for contingency planning, regular programme reviews, and the use of group-level risk frameworks where applicable.
Risk management programme Guidelines
Licensed insurers
Prudential Supervision Department
December 2012
Purpose of this guideline
1 This document sets out the Reserve Bank of New Zealand’s (Reserve Bank) guidelines in relation to the risk management programme licensed insurers are required to have. This programme is required under sections 18 and 73 – 75 of the Insurance (Prudential Supervision) Act 2010 (the Act).
2 The objective of this guide is to clarify how the risk management requirements of the Act should be interpreted and to provide indicative examples of the issues to consider in the risk management programme. This guide should not be regarded as a prescriptive list of issues to address as each insurer will need to identify and address risks specific to their situation and reflect the outcome of such an exercise in documentation.
2 When assessing risk management documentation the Reserve Bank will focus on the substance of the programme and the extent to which there is evidence that the risk management programme is real and is reflected in operational activity.
3 This guideline relates solely to the requirements under the Act and does not cover requirements of other legislation that may also be of relevance to licensed insurers.
4 Nothing in this guide overrides the provisions of the Act.

Risk management programme
5 Sections 18 and 73 – 75 of the Act administered by the Reserve Bank require an insurer to have a risk management programme.
6 Section 73(3) of the Act states that the Reserve Bank may issue, in the manner that the Governor thinks fit, guidelines relating to the risk categories referred to in subsection 2(b) that must be referred to in the risk management programme (being guidelines that do not have the force of law).
7 This document provides the guidelines referred to in section 73(3).

Requirement for risk management programmes
8 Section 18(1)(c) of the Act states that an applicant for a licence must provide to the Reserve Bank with its application a copy of a risk management programme that complies with section 73.
Some general considerations for risk management programmes
9 An insurer’s risk management programme should cover all the activities which expose the insurer to threats to its financial security. The following list is indicative of the overall risk management approach an insurer may want to consider:
(a) A documented risk management programme exists describing the insurer’s risk assessment process, documentation, record keeping and procedures for managing the risks;
(b) The risk management programme is comprehensive enough to capture all material risks to which the licensed insurer is exposed and must include all risks listed in section 73(2)(b) of the Act (see paragraph 28 for further discussion);
(c) The roles and responsibilities for positions in the licensed insurer’s organisation that accept risk and manage risk for the insurer are described;
(d) Information flows between operational staff and senior management are prescribed;
(e) A system exists to address any exceptions, or observed instances of non-compliance;
(f) Contingency plans are included;
(g) A process for reviewing risk management systems, policies and procedures on an ongoing basis exists; and
(h) The risk management programme is linked to the licensed insurer’s solvency policy which includes its policy on the amount of capital required to provide a buffer against losses arising from unanticipated events.

Use of group risk management programme
10 Section 74(1) of the Act allows for a group risk management programme to be adopted where a licensed insurer is a member of a group of insurers.
11 The Bank will also accept a policy that applies wider than the insurer to other group members, provided that the policy is appropriate in its own right for the insurer.
12 A supplementary document may be required under section 74(2) of the Act where, for any reason, the group policy does not meet the requirements of section 73 of the Act.

Use of published risk management models
13 The Act requires an insurer to have procedures for identifying and managing risks and does not endorse a particular methodology or process for risk management.

Scope of risk planning - some issues to consider
14 Where possible, an insurer should quantify its exposure to risk.
15 If a risk is not quantifiable and cannot be avoided (for example, some types of operational risk), the insurer should use qualitative measures to identify its exposure to such risks.
16 An insurer should make use of both quantitative measures of risk and qualitative assessments of risk to support its decision making processes.

Contingency planning
17 An insurer’s risk management programme should include contingency plans for managing stress events.
18 An insurer’s contingency plans should:
(a) address stress events that could materially disrupt an insurer’s business and have a reasonable probability of occurring;
(b) include a process to identify possible future stress situations;
(c) include plans to manage stress events in a timely and effective manner;
(d) include plans for disaster recovery and business continuation; and
(e) be workable.
Review process for risk management programmes
19 An insurer should review its risk management programme (a) regularly and (b) whenever there is a significant change in its business.
20 A review of a risk management programme should include:
(a) a review of the assumptions underlying the risk management programme to ensure that they remain appropriate;
(b) an assessment of the rigour and robustness of:
(i) the risk management programme’s methodologies for measuring risk; and
(ii) the effectiveness of the risk management programme’s internal controls.
21 The results of a review should be reported, as appropriate, to the operational areas of the licensed insurer’s business, its senior management, and its governing body.
22 Where problems are identified, necessary changes to the risk management programme should be implemented in a timely way in agreement with the Reserve Bank.

Operational considerations

Responsibilities of governing bodies and senior management
23 The responsibilities of an insurer’s governing body should include:
(a) the solvency, capital adequacy and liquidity of the insurer;
(b) establishing risk tolerances for the insurer and defining and communicating risk tolerances in a meaningful way;
(c) approving the reporting requirements, policies, procedures and controls for the insurer;
(d) monitoring the risk exposures of the insurer to check that they are consistent with established risk tolerances;
(e) monitoring the insurer’s compliance with legal requirements and the insurer’s policies and procedures;
(f) the insurer’s policy on managing conflicts of interest; and
(g) ensuring that any exposures to, and transactions with, related parties are on arm’s length terms and conditions.
24 The responsibilities of an insurer’s senior management should include:
(a) ensuring that risks taken are within limits set by the governing body;
(b) implementing the policies, procedures, controls and reporting mechanisms set out in the insurer’s risk management programme; and
(c) ensuring that the risk management programme includes a requirement that an action that is contrary to an insurer’s policies is reported to senior management and, depending on materiality, to the governing body and a requirement that in such cases corrective measures are triggered.

Staff responsibilities and accountability
25 Each area of an insurer’s business should be accountable and responsible for the risks to which it exposes the insurer through its operations.
26 An insurer should ensure that its staff are well trained and have experience appropriate to their roles.
27 An insurer’s operational staff should understand the risks they encounter in conducting their part of the insurer’s business.
Risks specified in section 73(2)(b) of the Act
28 The following paragraphs provide explanations of how the risks listed in section 73(2)(b) of the Act should be interpreted. These paragraphs do not prescribe all the issues that an insurer should cover in their risk management report.

Insurance risk
29 Each of an insurer’s core activities of product design, pricing, underwriting and claims management exposes the insurer to the risk that the cost of insurance claims is higher than the planned cost. The risk is that an insurer cannot meet its claims liabilities and, given the cyclical nature of insurance business, this needs to be considered over an appropriate timeframe and against appropriate measures of anticipated claims liabilities.
30 Insurance business is based on experience and relies on a detailed knowledge of the probability and cost of claims for the risks being underwritten, an understanding of insurance market cycles and market pressures and claims-handling expertise. In general terms, insurance risk is higher in relation to new activities such as the introduction of new insurance products or the introduction of new administration processes because the insurer has less experience in these new areas.
31 The main reasons for insurance risk to arise include:
(a) inadequate formulation of controls and guidelines covering insurance processes;
(b) inadequate implementation of controls and guidelines covering insurance processes; and
(c) unexpected claims outcomes relative to pricing models (including impacts in relation to reinsurance and retention levels).
32 Elements of insurance risk that an insurer could consider for inclusion in its risk management programme are described below. Considerations common to all elements include ongoing risk assessment on each activity, appropriate training for internal staff and relevant external parties, management of legal compliance, ongoing monitoring of the activity/area in relation to the insurer’s profitability and solvency margin and appropriate reporting through to senior management and the governing body.
(a) Product design – business case preparation and approval process including market research, cost/benefit analysis, risk identification and assessment, and reinsurance arrangements.
(b) Pricing – ongoing actuarial review of pricing and the impact of pricing on insurer profitability and the relevant solvency standard (including the impact of price changes), a process of pricing review to monitor market pressures such as price competition from other insurers, comparisons of actual prices compared with technical prices (e.g. is pricing being used as a discretionary competitive tool), established procedures for price reviews.
(c) Underwriting – a documented underwriting guide detailing the insurer’s underwriting processes for each class of insurance and including authority levels, reinsurance arrangements, ongoing monitoring and ongoing training of underwriting staff and other relevant parties such as intermediaries.
(d) Claims management – a documented claims management process including claims handling authority levels, claims settlement procedures, ongoing monitoring of compliance with procedures, management of intermediary involvement (i.e. training, communication of claims progress etc) and dispute resolution processes.

Credit risk
33 Credit risk is the risk of loss to an insurer arising from a party to a contract or transaction with the insurer not being able to meet its obligations. Credit exposure can include financial transactions with securities issuers, debtors, borrowers, intermediaries, policyholders, reinsurers and guarantors.
34 Elements of credit risk that an insurer could consider for inclusion in its risk management programme include:
(a) credit policy - setting out the acceptable range, quality and diversification of credit exposures;
(b) concentration risk – the risk arising from an overexposure to a single counterparty, country, industry etc;
(c) review process – appropriate systems to monitor credit risks; and
(d) timely action - to manage risks when a counterparty is identified as having problems.

Liquidity risk
35 Liquidity risk is the risk that an insurer doesn’t have access to cash at the time the need for cash arises. Liquidity risk can arise in relation to liabilities (e.g. claims) and assets (e.g. investments) and examples include:
(a) Large claims resulting from a single event or series of contagion events;
(b) A loss of confidence in the insurer leading to a run on policies with a surrender value;
(c) Liquidity needs arising from an exceptional operational cost or event; and
(d) Capital market developments which impact on liquidity during the term of an investment (e.g. the introduction of restrictions on access to managed funds).
36 As part of its risk management programme for liquidity risk, an insurer could:
(a) Establish a written liquidity policy;
(b) Perform ongoing and robust monitoring of the liquidity position and anticipated liquidity needs; and
(c) Perform stress testing using a variety of risk scenarios.

Market risk
37 Market risk is the risk of loss arising from adverse movements in market prices or rates (including interest rate, exchange rate, equity and property).
38 Market risk can arise in relation to an insurer’s:
(a) on-balance sheet positions; and
(b) off-balance sheet positions.
39 Elements of market risk that an insurer might consider include:
(a) Selection and management of appropriate measurement tools/methodologies;
(b) Documented and monitored investment strategy covering risk tolerance, investment needs and agreed investment strategy; and
(c) Ongoing monitoring and reporting on market risk exposures.

Operational risk
40 Operational risk includes risks arising from human error, system failures, inadequate procedures and controls and external events.
For example, operational risk can arise from:
(a) deficiencies in information systems;
(b) breaches in internal controls;
(c) fraud or other criminal activities; and
(d) fires, floods or other external events impacting on the insurer.
41 Operational risk includes, among other things, legal risk (including, for example, an insurer’s exposure to fines, penalties or damages), risks arising from money laundering and regulatory risk.
42 An insurer should consider including processes in its risk management programme to:
(a) identify its operational vulnerabilities; and
(b) mitigate its operational risk exposure.
Concluding comments
43 The Reserve Bank offers this guide in the context of helping an insurer consider their risk management programme in relation to the requirements of the Act. The guide is not intended to be an instruction manual for preparing a risk management programme and an insurer wanting help in relation to establishing a risk management programme should seek professional advice.
Website http://www.rbnz.govt.nz/regulation-and-supervision/insurers
Email insurance@rbnz.govt.nz
Telephone +64 471 3591
Mail Reserve Bank of New Zealand, Prudential Supervision – Operational Policy, PO Box 2498, WELLINGTON 6140