2022-03-09
The Maldives Monetary Authority issued these guidelines to establish minimum risk management standards for banks, finance companies, and insurance companies to enhance financial soundness and sector stability. The document mandates a comprehensive risk management framework encompassing governance, risk culture, and the three-lines-of-defence model to identify, assess, and treat credit, liquidity, market, operational, and insurance risks. It requires active board oversight, defined risk appetite and tolerance levels, and robust internal controls to ensure institutions can effectively monitor and mitigate exposures across all business activities.
RISK MANAGEMENT GUIDELINES FOR BANKS, FINANCE COMPANIES, AND INSURANCE COMPANIES
10 MARCH 2022
Contents

1- RISK MANAGEMENT GUIDELINES ... 5
1.1 Overview ... 5
1.2 Objectives ... 5
2- THE DIMENSIONS OF RISK MANAGEMENT ... 6
2.1 Importance of risk management ... 6
2.1 Risk Culture ... 6
2.2 Risk Strategy, Risk Appetite and Risk Tolerance ... 7
2.3 Risk Governance and organization ... 7
2.4 The three-lines-of-defence model ... 8
3- RISK ASSESSMENT ... 9
4- RISK TREATMENT ... 10
5- RISK CONTROL AND MONITORING ... 11
6- RISK MANAGEMENT FRAMEWORK ... 12
6.1 Active Board and Senior Management Oversight ... 12
6.2 Adequate Policies, Procedures and Limits ... 13
6.3 Adequate Risk Measurement, Monitoring and Management Information Systems (MIS) ... 13
6.4 Adequate Internal Controls ... 13
7- CREDIT RISK MANAGEMENT GUIDELINES ... 15
7.1 Overview ... 15
7.2 Credit Risk Management Structure ... 15
7.3 Credit strategies ... 15
7.4 Credit Policies and Procedures ... 16
7.5 Limits and Indicators ... 17
7.6 Credit Granting Process ... 18
7.7 Credit administration, measurement, and monitoring processes ... 19
7.8 Credit Risk Mitigation ... 20
7.9 Credit Risk Monitoring ... 20
7.10 Credit Risk Review ... 21
7.11 Classification and Provisioning ... 22
7.12 Managing Problem Credits ... 22
8- LIQUIDITY RISK MANAGEMENT GUIDELINES ... 24
8.1 Overview ... 24
8.2 Risk Management Structure ... 24
8.3 Liquidity Risk Management Strategy ... 25
8.4 Liquidity Risk Management Policies and Procedures ... 25
8.5 Limits and Early Warning Indicators ... 26
8.6 Liquidity Risk Measurements and Management ... 26
8.7 Contingency Funding Plans ... 27
8.8 Foreign Currency Liquidity Management ... 27
9- MARKET RISK MANAGEMENT GUIDELINES ... 28
9.1 Overview ... 28
9.2 Risk Management Structure ... 28
9.3 Risk Management Strategy ... 28
9.4 Policies and Procedures ... 28
9.5 Limits and Indicators ... 29
9.6 Measurement and Monitoring ... 29
9.7 Control of market risk ... 30
10- OPERATIONAL RISK MANAGEMENT GUIDELINES ... 31
10.1 Overview ... 31
10.2 Risk Management Structure ... 32
10.3 Risk Management Strategies ... 32
10.4 Risk Management Policies and Procedures ... 32
10.5 Risk Assessment and Measurement ... 33
10.6 Monitoring and Reporting ... 34
10.7 Contingency Planning, Business Continuity and Disaster Recovery Plan ... 34
10.8 Cyber Risk and Cyber resilience ... 35
11- THE MANAGEMENT OF INSURANCE RISK ... 36
11.1 Overview ... 36
11.2 Risk Management Structure ... 36
11.3 Strategies, Policies and Procedures ... 37
11.4 Pricing ... 38
11.4.1 Risk Identification and Measurement ... 38
11.4.2 Risk Control and Mitigation ... 38
11.4.3 Risk Monitoring and Review ... 38
11.5 Underwriting ... 39
11.5.1 Risk Identification and Measurement ... 39
11.5.2 Risk Control and Mitigation ... 39
11.5.3 Risk Monitoring and Review ... 40
11.6 Claims Handling ... 40
11.6.1 Risk Identification and Measurement ... 40
11.6.2 Risk Control and Mitigation ... 41
11.6.3 Risk Monitoring and Review ... 41
11.7 Reinsurance Management ... 42
11.7.1 Risk Identification and Measurement ... 42
11.7.2 Risk Control and Mitigation ... 42
11.7.3 Risk Monitoring and Review ... 43
1- RISK MANAGEMENT GUIDELINES

1.1 Overview

These Risk Management Guidelines are issued to provide guidance to banks, insurance companies and finance companies on minimum standards of risk management. These guidelines are not intended to be exhaustive. Relevant regulatory requirements and other applicable industry standards should also be taken into account where appropriate in implementing a risk management framework proportionate to the institution’s size, activity and complexity.

1.2 Objectives

The main objectives of the Maldives Monetary Authority (MMA) in issuing these guidelines are to:
(i) enhance risk management among financial institutions;
(ii) provide minimum standards for risk management organization and practices;
(iii) improve the financial soundness of individual financial institutions and the stability of the overall financial sector;
(iv) encourage financial institutions to adopt and implement a sound risk management framework.

In addition to guidance on the general principles for sound risk management, these guidelines provide guidance on the management of the main risks that financial institutions may face: Credit Risk, Liquidity Risk, Operational Risk, Market Risk, and Insurance Risk. However, financial institutions should apply these guidelines to all the risks they are exposed to, including new risks such as climate-related financial risks.
2- THE DIMENSIONS OF RISK MANAGEMENT

2.1 Importance of risk management

(i) Taking risk is an integral part of financial intermediation. However, failure to adequately assess and manage risks may lead to losses that endanger the soundness of individual financial institutions and affect the stability of the overall financial system. Weak risk management, together with weak internal governance, is often identified as an underlying reason for the failure of financial institutions.

(ii) There is a strong link between good corporate governance and sound risk management. Risk management is part of internal governance and involves all areas of the financial institution. Without proper risk management, the various functions in a financial institution cannot work together to achieve the institution’s objectives. It is an essential part of helping the financial institution grow and of promoting sustainability and resilience within the financial system.

(iii) Setting an appropriate risk strategy and risk appetite/tolerance levels, a holistic risk management approach and effective reporting lines to the management and supervisory functions enable financial institutions to take risks knowingly and to treat risks where appropriate.

2.1 Risk Culture

(i) A sound and consistent risk culture is a key element of effective risk management.

(ii) Every financial institution should develop an integrated and institution-wide risk culture, based on a full understanding of the risks it faces and how they are managed, considering risk appetite and tolerance.

(iii) The risk culture of a regulated entity should be developed through policies, examples, communication, and training of staff regarding their responsibilities for risk. Every member of the financial institution should be fully aware of his/her responsibility regarding risk management. Risk management should not be confined to risk specialists or to control functions. Business and operational units, under the oversight of senior management, should be primarily responsible for managing risk on a day-to-day basis, considering risk appetite and risk tolerance, in line with the financial institution’s risk policies and procedures.

(iv) Risk culture and its impact on effective risk management should be a major concern for the board of directors and senior management.
(v) The board and senior management of the institution set the tone for the desired risk culture. The risk culture can be strengthened through:
• Enabling an open and respectful atmosphere in which employees feel encouraged to speak up when observing new or excessive risks;
• Clarifying the range of acceptable risks using a risk appetite statement and various forms of communication and training; and
• Aligning incentives with objectives and clarifying how breaches of policies/procedures will be addressed.

2.2 Risk Strategy, Risk Appetite and Risk Tolerance

(i) A financial institution’s risk strategy should detail the long-term, medium-term and short-term goals and objectives, as well as how progress toward their achievement is measured. In addition to its business goals, a financial institution should have risk goals and risk strategies which enable it to achieve the desired risk profile.

(ii) Risk capacity is the maximum amount of risk a financial institution is able to support considering its available financial resources.

(iii) Risk appetite describes the absolute risks a financial institution is a priori ready to take, considering its exposures and business activities, its business objectives and its obligations to stakeholders. A financial institution should express in a Risk Appetite Statement, both in quantitative and qualitative terms, the potential impact of its risk on its earnings, capital, and funding/liquidity. Ideally, the risk appetite should incorporate both quantitative measures (e.g., ROA, earnings volatility, credit concentrations, etc.) and qualitative measures (reputational impact, regulatory compliance, etc.). It should also be regularly reviewed in a formal process.

(iv) Risk tolerance relates to the maximum amount of risk a financial institution is ready to tolerate above its risk appetite. Risk tolerance is based on the use of a series of risk limits that serve as early warning mechanisms to alert management to threats to strategy and objectives.

(v) The board of directors of a financial institution has the responsibility to set the strategies, and senior management is responsible for implementing those strategies and communicating them throughout the organization.

2.3 Risk Governance and organization

Risk governance refers to the structure, rules, processes, and mechanisms by which decisions about how and by whom risks are taken are made and implemented. Each financial institution should decide:
• at which level the risk management responsibilities lie;
• the role, structure, and staffing of the risk management organization;
• the ways the board influences risk-related decisions;
• the involvement of the board on key risk issues.

2.4 The three-lines-of-defence model

(i) The first line of defence relates to the business and operational units of the financial institution. Financial institutions should have in place effective processes to identify, assess, measure, monitor, mitigate, and report on their risks, and should operate in accordance with the risk policies and delegated mandates. The business units are responsible for having the skills, operating procedures, systems, and controls in place to ensure their compliance with risk policies.

(ii) The second line of defence relates to the internal control framework put in place to ensure effective and efficient operations. The risk management function and the compliance function form the second line of defence; both should be fully independent from the first line of defence and should cover the whole organization, including the activities of all business, support, and control units.

(iii) The third line of defence consists of the financial institution’s internal audit, which performs independent periodic reviews of the first two lines of defence, provides assurance, and informs the board and senior management of strengths and potential weaknesses in the first two lines.
3- RISK ASSESSMENT

Risk assessment is the overall process of risk identification, analysis and evaluation:
4- RISK TREATMENT

Financial institutions should choose the best option to eliminate or mitigate unacceptable risks. Options could be to:
• avoid the risk by deciding not to start or continue with the activity that gives rise to the risk;
• accept the risk by making an informed decision and having plans for managing and funding the consequences of the risk if it occurs;
• reduce the likelihood of the risk through staff training or changing procedures, or reduce its impact through diversifying the credit portfolio, setting up off-site data backup, etc.;
• share the risk with another party or parties through insurance, reinsurance, consortium financing, etc.
5- RISK CONTROL AND MONITORING
6- RISK MANAGEMENT FRAMEWORK

A risk management framework encompasses policies, procedures, processes/systems, limits and controls, and the definition of the roles and responsibilities of individuals involved in risk management. Financial institutions should have an independent risk management function, and the size of this function should be commensurate with the size, complexity and risk profile of the institution. The risk management framework should provide adequate, timely, and continuous identification, assessment, measurement, monitoring, mitigation, and reporting of the risks posed by its activities at the business line and institution-wide levels. The framework should be comprehensive enough to capture all risks an institution is exposed to and have the flexibility to accommodate any change in business activities. Key elements of an effective risk management framework are:
(a) active board and senior management oversight;
(b) adequate policies, procedures and limits;
(c) adequate risk measurement, monitoring and management information systems;
(d) comprehensive internal controls.

6.1 Active Board and Senior Management Oversight

The introduction of risk management, and ensuring its ongoing effectiveness, should come from the board and senior management. Boards of directors have ultimate responsibility for the level of risk taken by their institutions. Accordingly, they should define the risk appetite and risk tolerance, set the risk strategies, approve the significant policies of their institutions, including those related to managing and taking risks, and ensure that senior management is fully capable of managing the activities that their institutions conduct. While the overall responsibility for risk management is recognized to rest with the board of directors, it is the duty of senior management to transform the strategies into operational policies, procedures, and processes for effective risk management.

Senior management should be fully aware of the activities undertaken by the institution that could expose it to various risks. It should possess the necessary knowledge and skills to be able to align the risk levels with the board’s strategies through risk assessment and treatment. Top management should be aware of the financial institution’s risk profile on an ongoing basis and should regularly report it to the board or a board-level committee for review.
6.2 Adequate Policies, Procedures and Limits

The board of directors and senior management should formulate and implement risk management policies and procedures to deal with the various risks that arise from the financial institution’s business and operational activities. The financial institution’s policies and more detailed procedures should provide guidance for the day-to-day implementation of broad risk strategies, and generally should include limits designed to shield the institution from imprudent and unwarranted risks. These policies and procedures include not only those relevant to specific risk areas, such as the Credit Policy, the Liquidity and Funding Management Policy, and the Operational Risk Management Policy, but also those related to overall risk management.

6.3 Adequate Risk Measurement, Monitoring and Management Information Systems (MIS)

An effective MIS is necessary for adequate risk monitoring and reporting. When the MIS can generate key risk indicators in the form of accessible reports in a timely manner, risk managers can monitor risk levels continuously and inform senior management and the board as necessary or as required. These reports may include daily or weekly liquidity gap reports, lists of loans of significance (troubled, large, maturing, etc.), and so on. The MIS should be able to produce reports in accordance with regulatory requirements. In addition to regular reporting, there should be a system to address any exceptions observed. Further, there should be an explicit procedure regarding the measures to be taken to address such deviations.

6.4 Adequate Internal Controls

Internal control plays a critical role in managing the risks of a financial institution. With a comprehensive internal control structure in place, management will be better able to contain risks within the level commensurate with the institution’s risk appetite, risk tolerance, and strategy. An effective internal control system enforces the official lines of authority and provides for appropriate separation of duties. A major part of the internal control structure is the establishment of limits, such as limits on liquidity, officer limits, and limits on non-performing assets. These limits ensure that the financial institution’s management does not take excessive risks while pursuing business targets. The internal control system should be established to provide reasonable assurance that the institution has adequate and effective operations; safeguards its assets; produces reliable reports; and complies with applicable laws and regulations. Control processes and procedures should include a system for ensuring compliance with policies. Examples of principal elements of a policy compliance assessment include:
(a) Top-level reviews of the institution's progress towards the stated objectives;
(b) Checking for compliance with management controls;
(c) Policies, processes and procedures concerning the review, treatment and resolution of non-compliance issues; and
(d) A system of documented approvals and authorizations to ensure accountability to the appropriate level of management.

Financial institutions should have in place adequate internal audit coverage to verify that operating policies and procedures have been implemented effectively. The board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit programme are appropriate to the risk exposures. Audit should periodically validate that the institution’s operational risk management framework is being implemented effectively across the institution. The audit function may provide valuable input to those responsible for operational risk management, but should not itself have direct risk management responsibilities.

An effective internal control system also requires the existence of appropriate segregation of duties, and that personnel are not assigned responsibilities which may create a conflict of interest. Assigning such conflicting duties to individuals, or to a team, may enable them to conceal losses, errors or inappropriate actions. Therefore, areas of potential conflict of interest should be identified, minimized, and subjected to careful independent monitoring and review. In addition to segregation of duties, institutions should ensure that other internal practices are in place as appropriate to control the various risks. Examples of these include:
(a) Close monitoring of adherence to assigned risk limits or thresholds;
(b) Maintaining safeguards for access to, and use of, the institution’s assets and records;
(c) Ensuring that staff have appropriate expertise and training;
(d) Identifying business lines or products where returns appear to be out of line with reasonable expectations, e.g. where a supposedly low-risk, low-margin trading activity generates high returns that could call into question whether such returns have been achieved as a result of an internal control breach; and
(e) Regular verification and reconciliation of transactions and accounts.
7- CREDIT RISK MANAGEMENT GUIDELINES

7.1 Overview

Credit risk is the risk that a borrower or counterparty will fail to meet its obligations according to the agreed terms, resulting in economic loss to the financial institution. Credit risk arises from on-balance sheet claims such as loans and overdrafts, as well as off-balance sheet commitments such as guarantees, letters of credit, and derivative instruments. In the risk profile of banks and other finance companies, a significant weight is given to credit risk. Therefore, financial institutions should put in place robust arrangements to manage and control this risk.

The effective management of credit risk is a vital component of a comprehensive approach to risk management. Adequate and appropriate governance, processes, and internal controls should be in place for accepting, managing and monitoring credit risk, on a group and solo basis. This should be done in a way that is commensurate with the nature, scale and complexity of the financial institution’s activities. Financial institutions should have sound procedures for valuing their credit exposures, which requires the existence of consistent provisioning policies. Financial institutions should take a forward-looking perspective to evaluate whether the arrangements in place are adequate to cope with the credit risk the institution might be exposed to in the foreseeable future.

7.2 Credit Risk Management Structure

Financial institutions should adopt a risk management structure that is commensurate with the size, complexity and diversification of the activities of the institution. It is critical that institutions facilitate effective management and oversight and the proper execution of the credit risk management and control processes. There should be proper segregation of duties with regard to the various functions related to credit, which include credit assessment, analysis, approval, disbursement, administration and monitoring. The Credit Risk Management Function of a financial institution should be independent of the risk-taking units. This function should also be separated from other credit-related functions and should be overseen by a Chief Risk Officer or a similar authority or person (second line of defence).

7.3 Credit strategies

The primary purpose of a financial institution’s credit strategy is to determine the risk appetite of the institution. Once it is determined, the institution can develop a plan to optimize return while keeping credit risk within predetermined limits. The institution’s credit risk strategy should include:
16 (a) the institution’s plan to grant credit based on various client segments and products, economic sectors, geographical location, currency and maturity; (b) target market within each lending segment and level of diversification/concentration; and pricing strategy. In developing the credit strategy, the institutions should give due consideration to their target market and also overall characteristics that the financial institution aims to achieve in its credit portfolio, which should include the levels of diversification and concentration tolerances. The credit procedures should aim to obtain an in-depth understanding of the institution’s clients, their credentials & their businesses in order to fully know their customers. The strategy should provide continuity in approach and take into account the cyclical aspect of the country’s economy and the resulting shifts in composition and quality of overall credit portfolio. While the strategy should be reviewed periodically and amended as deemed necessary, it should be viable in long term and through various economic cycles. 7.4 Credit Policies and Procedures The Board should approve credit policies which should include limits on single borrower and lending to related parties. These policies should also include the conditions and guidelines for the identification, measurement, evaluation, monitoring, reporting, control or mitigation of credit risk. Such policies should be documented, well-defined, consistent with prudent practices and regulatory requirements, and adequate for the nature and complexity of the institution’s activities. 
At a minimum, credit policies should include:
(a) roles and responsibilities of units/staff involved in the origination and management of credit;
(b) the credit approval authority at various hierarchy levels, including the authority for approving exceptions such as credit extensions beyond prescribed limits;
(c) general areas of credit in which the institution is prepared to engage or is restricted from engaging, such as types of credit facilities, types of borrowers, and geographical areas or economic sectors on which the institution may focus;
(d) the general terms and conditions of facility structure, such as pricing, tenure and quantum of financing;
(e) the acceptable types of collateral and security documents;
(f) a detailed and formalized credit evaluation/appraisal process, administration and documentation. The credit evaluation should include the analysis of borrowers’ current and future repayment capacity based on historical financial trends and future cash flow projections, and should include analysis of the financial condition of a borrowing group on a consolidated basis. The analysis should also include the adequacy and enforceability of collateral;
(g) concentration limits on single borrowers and groups of related borrowers, particular industries or economic sectors, geographical areas and specific products. Institutions should ensure that their own internal exposure limits comply with any prudential limits or restrictions set by the MMA;
(h) authority for approval of provisions for losses and write-offs;
(i) guidelines on the management of problem loans; and
(j) explicit guidance for internal rating systems, including the definition of each risk grade, the criteria to be fulfilled when assigning a particular grade, and the circumstances under which deviations from the criteria can take place.

The credit policies should be communicated throughout the organization and should be periodically reviewed and appropriately adjusted to take into account changing internal and external circumstances.

In order to implement its credit policy, the institution should establish appropriate procedures and processes. These should be documented and have sufficient detail to provide staff with operational guidance. Procedures should be established for the implementation of various controls and checks within the credit process, such as completion of credit and legal documents, verification of loan disbursement, implementation of facility limits and follow-up on credit exceptions. The operational procedures should be periodically reviewed and appropriately updated to take into account new activities and products, as well as new lending approaches and changes in systems.

7.5 Limits and Indicators

Institutions are expected to develop their own limit structure while remaining within the exposure limits set by the MMA.
The size of the limits should be based on the institution’s risk appetite and risk tolerance, the economic conditions, the credit strength of the borrower and the genuine requirement for credit. Limits should also be set for respective products, activities, specific industries, economic sectors and/or geographic regions where possible, to avoid concentration risk. To ensure diversification of risks and limit concentration risk, limits on credit exposures should be set for all relevant activities. They may include:
• Limits on exposure to specific activities or types of products, including off-balance sheet products;
• Limits on single counterparties and groups of connected counterparties, including other financial institutions, domestic and foreign;
• Limits on specific industries and/or economic sectors/sub-sectors;
• Limits on exposure to types of collateral;
• Limits on exposures to related parties;
• Limits on branches and/or exposures to geographic regions, including other countries;
• Limits on the credit that may be granted by approving managers.

Establishing exposure limits for single borrowers and groups of connected borrowers is an important element of credit risk management. Limits should be reviewed and updated periodically, and at least once a year. In addition, financial institutions should consider the results of stress testing in the overall limit setting and monitoring process.

In addition to setting limits, financial institutions should use early warning indicators to signal at an early stage where there is increased exposure to specific components of credit risk, and should respond to these indicators by assessing whether they point to potential problems in credit quality.

7.6 Credit Granting Process

Granting of credit should follow predetermined processes:
• Assessment: credit proposal assessment should be performed at the relevant levels and follow procedures, methodology and operating guidelines that describe the necessary nature and extent of due diligence and the collection of relevant supporting documents and information based on the risk profiles.
• Review: before submission to the approving person, unit and/or committee, loan proposals should be reviewed and analyzed by a person independent from the initial assessor.
• Approval: a designated level of approving authority should make the approval decision, including the approval of specific terms and conditions.
• Disbursement: following notification of the approval decision, disbursement should be made by the designated unit/person, following procedures to ensure that all terms and conditions are verified.
• Administration: the credit administration function is responsible for maintaining credit files and ensuring they are kept up to date and organized in a manner that is easy to review, and is also responsible for following up on necessary actions (renewal notices, updating information, etc.).

Financial institutions should conduct comprehensive assessments of the creditworthiness of their borrowers, including, where relevant, analysis of the borrower’s financial position as reflected in various financial and cash flow statements, past repayment record, management quality and integrity, as well as relevant industry and macroeconomic data. For corporate borrowers, adequate checks on the shareholders and company directors should be conducted. The institution should group related borrowers where appropriate, and conduct credit assessment on a group basis. When participating in loan syndications, the financial institution should perform its own analysis and review of the syndicated terms.

The financial institution’s credit assessment should take into account all relevant factors that could influence the prospect of the loan being repaid according to its terms and conditions. Appropriate consideration should be given to the potential borrower’s other debt obligations and repayment history, and to an assessment of whether the loan can be expected to be repaid from the potential borrower’s own resources. Adequate checks, including with the credit information bureau, should be done to verify the potential borrower’s credit applications and repayment records. The evaluation and approval of credit should be done according to the guidelines of the institution and granted by the appropriate authority. The credit granting process should aggregate exposures to each borrower or group of related borrowers.
Financial institutions should have staff with the experience, knowledge and background to assess credit risks, and should also allocate adequate resources to ensure that the credit decision process is rigorous, timely and efficient.

Financial institutions should develop and utilise an internal risk rating system in managing credit risk. The rating system should be consistent with the nature, size and complexity of the institution’s activities. The internal rating system should be devised in a manner that allows accurate determination of the overall characteristics of the credit portfolio, concentrations, problem credits and the adequacy of loan loss reserves. In determining loan loss reserves, institutions should ensure that the MMA classification criteria are the minimum.

7.7 Credit Administration, Measurement and Monitoring Processes

The credit administration function is essentially a back-office function that supports and controls the extension and maintenance of credit. On-going administration of the credit portfolio is a critical part of the credit process. Financial institutions should ensure that there are effective procedures for performing the following credit administration functions:
(a) Documentation: Ensure the completeness of documentation (loan and mortgage agreements, guarantees, transfer of title deeds of collateral, etc.) in accordance with approved terms and conditions.
(b) Credit Disbursement: Ensure that proper approvals are obtained for the loan application before entering it into the systems. Disbursements should be done only after the completion of covenants and documentation. In case of any exceptions, necessary approvals should be obtained.
(c) Loan Repayment: Communicate with borrowers when principal or interest payments become due. Any exceptions such as non-payment or late payment should be marked and flagged to management. On receipt of payments, proper records and updates should be made.
(d) Maintenance of Credit Files: Proper guidelines and standards for the maintenance of credit files should be in place. The credit files should include all correspondence with the borrower and should also have sufficient information to assess the financial health of the borrower and the capacity to repay. The information should be filed in an organized manner that makes reviews easy and efficient.
(e) Collateral and Security Documents: Ensure that all security documents are kept in a safe and secure manner with proper controls. Registers for documents should be maintained to keep track of their movement. Adequate procedures should also be maintained to track and review relevant insurance coverage for collateral. Physical checks on collateral documents should be conducted on a regular basis.

7.8 Credit Risk Mitigation

Financial institutions may utilise collateral, guarantees and other relevant instruments to assist in mitigating credit risks. However, collateral and guarantees should not be used as a substitute, either for a comprehensive assessment of the borrower or for complete borrower information.
The potential correlation between collateral values and the borrower’s financial condition should be considered, especially in asset-based lending. For different types of collateral, specific proportions of financing should be established, with a cushion against deterioration in collateral values. Guarantees for credit facilities should be accepted after evaluating the level of coverage provided, the credit quality, legal capacity and strength of the guarantor, and ensuring the enforceability of the guarantee agreements.

7.9 Credit Risk Monitoring

Monitoring of credit risk should be performed by the Credit Risk Management function without any influence from the risk-taking units. Financial institutions should have in place a proper system for on-going monitoring of their credit risk, with a methodology to adequately classify it at the financial institution, portfolio and borrower level. The classification of credit risk should use quantitative and qualitative criteria, follow a graduation of the different levels of inherent risk, and be accompanied by appropriate actions consistent with the level of risk identified.

Financial institutions should also monitor the quality of credit relationships on an ongoing basis, keep updated information on their credit portfolios and implement measures to monitor credit condition, which should include measures to:
(a) ensure that the institution understands the current financial condition of the borrower or counterparty;
(b) monitor the borrowers’ repayments and account activities;
(c) ensure that all credits are in compliance with existing covenants;
(d) ensure that, where applicable, collateral provides adequate coverage relative to the borrower’s current condition;
(e) follow up on customers’ utilization of the approved credit lines;
(f) ensure that projected cash flows on major credits meet debt servicing requirements;
(g) identify and classify potential problem credits on a timely basis.

Financial institutions should have an effective MIS that captures all on- and off-balance sheet credit exposures. The MIS should be able to aggregate all such credit exposures to a single borrower and also aggregate exposures to groups of accounts under common ownership or control. Such data should be aggregated in an accurate and timely manner, and monitored as part of the institution’s credit risk management process.

7.10 Credit Risk Review

Financial institutions should establish a mechanism to perform regular reviews of credit. The purpose of such reviews is to assess the credit administration process, the accuracy of credit ratings including the adequacy of provisions for losses, and the overall quality of the credit portfolio. The credit reviews should be conducted with updated information on the borrower’s financial and business conditions, and also on the conduct of the account. Exceptions noted in the credit monitoring process should be evaluated for their impact on the borrower’s creditworthiness.
Credit review should also be conducted on a consolidated group basis to factor in the business connections among entities in a borrowing group, and the assessment of financial condition should also include a consolidated analysis of the group. All facilities should be subjected to risk review at least quarterly, while more frequent reviews should be conducted for new accounts, where institutions may not be familiar with the borrower, and for classified or adversely rated accounts that have a higher probability of default.
7.11 Classification and Provisioning

The financial institution should have in place adequate policies and processes for grading and classifying its assets and for establishing adequate provisioning that meets regulatory requirements and internal policies. The financial institution should maintain adequate documentation to support its classification and provisioning levels.

The financial institution should ensure that loans are properly and promptly graded to reflect its assessment of the borrower’s credit quality. The institution should put in place policies to manage the upgrading of loans. A restructured loan should only be upgraded after the borrower has fulfilled its revised loan obligations for a reasonable period of time, and the upgrade should be in line with regulatory requirements. Where regulatory loan grading is tied to the institution’s internal risk rating, there should be a proper process to map the internal rating to the regulatory rating.

The financial institution should also have a reliable and timely collateral valuation system. The valuation system should include factors such as the legal enforceability of claims on collateral, ease of realisation of collateral and current market conditions. Where appropriate, the institution should apply a haircut to the estimated net realisable value of collateral or use the forced sale value of the collateral to provide more realistic estimates.

7.12 Managing Problem Credits

Financial institutions should have effective processes and procedures in place to identify problem loans at an early stage, when more options may be available for remedial measures. Classified accounts should be managed under a dedicated remedial process. This process should include the following elements:
(a) Review of Collateral and Security Documents: Establish the recoverable amount of the loan by updating the values of available collateral with a formal valuation. The valuation of collateral should reflect the net realizable value, taking into account prevailing market conditions. Security documents should also be reviewed to ensure the completeness and enforceability of contracts, collateral and guarantees.
(b) Formulation of Remedial Strategies: Depending on the size and age of a problem credit, establish appropriate remedial strategies to revive and recover the credit. Such strategies may include rescheduling and restructuring of payments. Where used as a remedial action, this should follow a specific approval process and take into consideration the repayment capacity of the borrower and the interest of the institution.
(c) Negotiation and Follow-up: After implementing remedial plans, monitor their effectiveness by maintaining regular contact with borrowers and tracking follow-up actions.
(d) Review: Problem credits should be subject to more frequent review and monitoring. Such reviews should update the status of the loan accounts and the progress of the remedial plan, and these reports should be submitted to senior management on a timely basis.

When all efforts fail, financial institutions should write off loans and liquidate collateral to minimize cost.
8- LIQUIDITY RISK MANAGEMENT GUIDELINES

8.1 Overview

Liquidity risk is the potential for loss to an institution arising from either its inability to meet its obligations as they fall due, or its inability to fund its assets without incurring unacceptable cost or losses. Liquidity risk is often triggered by the consequences of other financial risks such as credit risk, interest rate risk, foreign exchange risk, etc. For instance, an institution whose credit risk is increasing due to credit losses from loan defaults may be increasing its liquidity risk as well. For general insurers, even though their policies do not have cash values, a series of large claims within a short period may still result in liquidity shortfalls. Therefore, when considering liquidity risk, an institution should capture all the risk factors to which it is exposed, and should manage these risks soundly.

Financial institutions should have adequate strategies to manage their liquidity and funding risks prudently and adequately. Such strategies should take into account the institution’s risk profile and risk appetite as well as market and macroeconomic conditions. The risk management processes that are established to manage liquidity and funding risks should reflect the nature, size and complexity of an institution’s activities. Sound liquidity risk management, implemented in measuring, monitoring and controlling liquidity risk, is critical to the viability of any institution. Institutions should have a thorough understanding of the factors that could give rise to liquidity risk and put in place mitigating controls.
The major causes of liquidity risk are:
• Unstable deposits or unexpected withdrawal of deposits
• Unplanned expansion of credit
• Off-balance sheet liabilities, including undrawn loan commitments

8.2 Risk Management Structure

For effective liquidity risk management, a financial institution needs an appropriate organizational structure; strategies, policies and procedures; limits and indicators; and monitoring and reporting mechanisms. In addition, it will need an adequate information system to ensure effective monitoring of its liquidity, including a cushion of unencumbered, high quality liquid assets, to withstand a range of stress events, including those involving the loss or impairment of both secured and unsecured funding sources.

The liquidity risk management framework should clearly define tasks and responsibilities. The policies and processes for managing liquidity risk should be approved by the Board, provide a comprehensive view of liquidity risk and be consistent with the risk profile of the institution. Based on its size, risk exposure and activities, a financial institution may establish an Asset Liability Committee (ALCO) at management level to oversee liquidity risks.

8.3 Liquidity Risk Management Strategy

A financial institution should have liquidity strategies, policies and processes that are customized to its institutional structure, organization, activities, products and customers. The strategy should:
• outline the targeted composition of assets and liabilities with clear implications for liquidity risk, and include sound day-to-day and intraday liquidity risk management practices;
• have in place arrangements to assess the liquidity risk profile, risk strategy and risk appetite in both qualitative and quantitative terms, giving consideration to forward-looking components with regard to potential risks and to changes in business strategies;
• include the actual and targeted liquidity position, such as the loan to deposit ratio, and maximum liquidity and funding market dependence;
• have in place a funding strategy that provides diversification in the sources and tenure of funding. Financial institutions should maintain strong relationships with fund providers in order to promote diversification of funding sources;
• study the financial institution’s deposit base in relation to diversification, maturity and structure. It should also identify alternative sources of funding to strengthen its capacity to withstand a variety of severe institution-specific and market-wide liquidity shocks;
• outline how to deal with the potential for both temporary and long-term liquidity disruptions. The strategy should take into account the fact that in crisis situations, access to the interbank market could be difficult as well as costly.
8.4 Liquidity Risk Management Policies and Procedures

The policies and procedures should define and describe the risk management tools that the institution intends to use for the assessment, monitoring and control of liquidity risk. Procedures should describe the necessary operational steps and processes to execute the relevant liquidity risk controls. They should be periodically reviewed and updated to take into account new activities and changes in risk management approaches and systems.
8.5 Limits and Early Warning Indicators

To control its liquidity risk exposure and vulnerabilities, a financial institution should set limits on the concentration of funding by counterparty, product type, currency, market, etc. Limits should be used for managing day-to-day liquidity within and across the business lines under both normal and stressed conditions. While assessing how limits would perform under stressed conditions, a financial institution should include measures aimed at ensuring that it can continue to operate in a period of market stress, institution-specific stress and/or a combination of the two.

A financial institution should also design a set of indicators to aid this process in identifying the emergence of increased risk or vulnerabilities in its liquidity risk position or potential funding needs. Such early warning indicators should identify any negative trend and prompt an assessment and potential response by management in order to mitigate the institution’s exposure to the emerging risk. Early warnings can be qualitative or quantitative in nature and may include (but are not limited to):
• Rapid asset growth funded by unstable large deposits,
• Growing concentrations in either assets or liabilities,
• Deterioration in the quality of the credit portfolio,
• Significant deterioration in earnings performance or projections,
• Increasing retail deposit outflows,
• A large off-balance sheet exposure,
• Deteriorating third party evaluation (negative rating) of the financial institution and negative publicity,
• Unwarranted competitive pricing that potentially stresses the financial institution.

8.6 Liquidity Risk Measurement and Management

Financial institutions should establish and periodically review funding strategies and the effective management of funding risk. The policies and processes should take into account how other risks, such as credit, market and operational risk, may impact the overall liquidity strategy of the institution.
The following should be included:
• an analysis of funding requirements under alternative scenarios;
• the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress;
• diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits;
• regular efforts to establish and maintain relationships with liability holders; and
• regular assessment of the capacity to sell assets.

8.7 Contingency Funding Plans

A Contingency Funding Plan is a set of predefined processes, actions and measures to be taken in case liquidity risks materialize. Financial institutions should have in place robust contingency funding plans to handle liquidity problems, and these should be adequately documented. The plan should set out the institution’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The institution’s contingency funding plan should establish clear lines of responsibility, include clear communication plans including communication with the supervisor, and be regularly tested and updated to ensure it is operationally robust. Necessary communications with other entities should also be considered.

8.8 Foreign Currency Liquidity Management

Each institution should have in place a measurement, monitoring and control system for its liquidity positions in the major currencies in which the financial institution is active. In addition to assessing its aggregate foreign currency liquidity needs and the acceptable mismatch in combination with its domestic currency commitments, an institution should also undertake a separate analysis of its strategy for each currency individually.
9- MARKET RISK MANAGEMENT GUIDELINES

9.1 Overview

Market risk refers to the risk of losses an institution faces in its on-balance and off-balance sheet positions resulting from movements in market prices, in particular changes in interest rates, foreign exchange rates, credit spreads and commodity and equity prices. Financial institutions should establish market risk management practices appropriate to the nature, complexity and diversity of their market activities. Financial institutions should also have robust governance arrangements, including a clear organizational structure with well-defined, transparent and consistent lines of responsibility and effective processes to identify, measure, manage, monitor and report the risks the financial institution is or might be exposed to.

9.2 Risk Management Structure

The organization of market risk management varies depending on the nature, size and scope of the business activities of the financial institution. The structure should be aligned with the risk profile of the institution and the overall risk strategy set by the Board, define clear lines of authority and be approved by the institution's board of directors. It is essential that individuals responsible for market risk management are aware of their responsibilities and are capable of performing their roles in overseeing and managing market risk. Depending on the size, complexity and diversity of their activities, financial institutions should select appropriate methods and methodologies, ranging from simple gap analysis to computerized modeling techniques.

9.3 Risk Management Strategy

Financial institutions should develop a sound and well-informed strategy to manage market risk based on their risk profile and level of market risk. It should be approved by the Board and clearly communicated throughout the organization.
The following factors should be taken into account when setting the market risk strategy:
(a) economic and market liquidity conditions and their impact on market risk;
(b) whether the institution has the knowledge required to take positions in specific markets and the ability to identify, measure, evaluate, monitor, report and mitigate the market risk in a timely manner in such markets;
(c) the institution’s portfolio mix and how it would be affected if more market risk were assumed.

9.4 Policies and Procedures

An institution should formulate market risk policies, which should be approved by the Board, and these policies should reflect the strategy of the institution, including its approach to controlling and managing market risk. The Board should approve any changes and exceptions to these policies. Policies should include clear definitions of the roles and responsibilities of individuals and teams performing market risk management functions, including structural balance sheet management, pricing, marketing, management reporting, lines of authority and responsibility for market-related decisions. Specific policies and procedures should be put in place for new products and activities.

9.5 Limits and Indicators

Financial institutions should set limits based on portfolio, type of activity, product and strategy to control their market risk exposure and vulnerabilities. Risk-taking units should have procedures for their activities which assist risk-takers to understand their limits and ensure they operate within the approved limits. In case such limits are breached, this should be immediately reported to senior management. Different sets of limits should be put in place to cover intraday and overnight exposures. When assessing how limits would perform under stressed conditions, a financial institution should include measures aimed at ensuring that it can continue to operate in a period of market stress, institution-specific stress and/or a combination of the two.

9.6 Measurement and Monitoring

Measuring market risk is crucial for estimating the potential losses to the financial institution in the event of a loss and helps the institution ensure that potential losses resulting from market risk fall within the risk appetite and will not substantially impact capital and earnings. Financial institutions should:
• establish suitable measures for all market risks that are assumed. This includes:
(a) Interest Rate Risk: Institutions should incorporate risks related to mismatches in the timing of repricing of assets, liabilities and off-balance sheet positions (repricing risk); risks arising from changes in interest rates, in particular risks arising from changes in the slope and the shape of the yield curve (yield curve risk); and risks arising from hedging exposure to one interest rate with exposure to a rate which reprices under slightly different conditions (basis risk).
(b) Foreign Exchange Rate Risk: Institutions should capture the risk arising from changes in the values, or asset-liability mismatch, of foreign currencies relative to the domestic currency.
• have in place an appropriate MIS for accurate and timely identification, aggregation, monitoring, controlling and reporting of market risk, and to assist in developing market risk reports to the Board and senior management;
• use different techniques and models to monitor their market risk, and ensure that at any time their exposures fall within their market risk tolerance. To assess the vulnerability of their strategies and positions, stress tests may be conducted. The selection of stress test scenarios should suit the size, complexity and diversity of activities;
• review and validate the market risk measurement process regularly; this also contributes to ensuring the accuracy of data entered in risk models, the validity of risk models and risk measurement calculations, and the reasonableness of scenarios and assumptions.

9.7 Control of Market Risk

Financial institutions should have in place a sound and comprehensive risk management framework and processes to control or mitigate market risk. In order to mitigate market risk exposure, institutions should:
• ensure adequate training and segregation of duties among front, middle and back office;
• have in place an adequate management information system that generates periodic reports depicting the actual size, return, risk, potential profit or loss, etc. of the exposure, and such reports should be forwarded to the Board and senior management for review;
• have adequate internal controls to ensure a proper risk management process and promote effective and efficient operations, reliable financial and regulatory reporting, and compliance with regulatory requirements;
• have in place appropriate contingency plans.
10- OPERATIONAL RISK MANAGEMENT GUIDELINES

10.1 Overview

Operational risk is the risk of direct or indirect loss, or damaged reputation, resulting from inadequate or failed internal processes, people and systems or from external events. Operational risk has always been inherent to financial institutions and exists in all their activities. The major sources of operational risk are:
• Inadequate procedures and controls,
• External and internal frauds,
• IT related activities and system failures,
• Damage to physical assets,
• Execution, delivery and process management; and
• Cyber risk.

In order to effectively manage operational risk, financial institutions should:
• identify and assess the operational risks inherent in all material products, activities, processes and systems to make sure the inherent risks are clearly understood,
• ensure that they have in place an approval process for all new products, activities, processes and systems that fully assesses the operational risk,
• have in place effective governance in practice and a decision-making process for operational risk issues,
• define an operational risk appetite which is consistent with the risk strategy,
• have a well-documented and effective organizational framework for operational risk management with an adequate segregation of functions between risk-taking units and operational risk control units and clear assignment of tasks and responsibilities,
• have an independent Operational Risk Management function,
• establish an effective reporting system,
• establish contingency planning for addressing failures due to operational risks.
10.2 Risk Management Structure

Financial institutions should have in place a clear operational risk governance structure with well-defined, transparent and consistent lines of responsibility. The governance structure should be commensurate with the nature, size and complexity of the activities undertaken by the financial institution. The board of directors should approve the implementation of an institution-wide framework to explicitly manage operational risk as a distinct risk to the institution's safety and soundness.

A sound operational risk management structure should rely on three lines of defence: business line management, an independent Operational Risk Management function, and internal audit. The business line should be responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable. The Operational Risk Management function is mainly responsible for the independent review of the processes put in place to control operational risk, and for the measurement and reporting of operational risk. This function should report directly to the Chief Risk Officer of the financial institution.

10.3 Risk Management Strategies

Financial institutions' operational risk strategy should clearly articulate the nature, types and levels of risk that the institution is willing to take (risk appetite), based on the risk profile of the institution. In formulating the strategy, the board should consider not only the level and complexity of the risks inherent in the financial institution's activities, products, services and systems, but also the expected outcome of not undertaking certain activities or systems. The operational risk strategy should include forward-looking components in relation to potential risks and to changes in business strategies.
10.4 Risk Management Policies and Procedures

Operational risk management policies and procedures should, at a minimum, cover all the relevant operational risk areas and establish a minimum set of operating instructions for effective risk management. Policies and procedures should be aligned with the overall strategy and should support the continuous improvement of risk management. Operational risk policies shall include clearly assigned authority, responsibility and reporting relationships to encourage and maintain accountability.

Policies and procedures should be adequately documented and available to all relevant staff. They should be periodically reviewed by senior management and updated to ensure they continue to reflect the environment within which the institution operates. Policies should clearly define operational risk and related losses, and support the adequate description and classification of operational risk and loss exposure. Policies and procedures should describe the risk assessment tools and how they are used, and should provide a common taxonomy of operational risk terms to ensure consistency of risk assessment, measurement and reporting across the institution.
Policies and procedures should differ for existing and new activities. There should be a process to ensure that any new or changed activity, such as launching a new product, opening a new branch or converting systems, is evaluated for operational risk prior to its implementation.

Financial institutions should establish policies for managing the risks associated with outsourced activities. Outsourcing can reduce the institution's risk profile by transferring activities to others with greater expertise and scale to manage the risks associated with specialized business activities. However, an institution's use of third parties does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Outsourcing arrangements should be based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between the external service providers and the outsourcing institution. Furthermore, institutions need to manage the residual risks associated with outsourcing arrangements, including disruption of services.

10.5 Risk Assessment and Measurement

In assessing and measuring operational risk, financial institutions should consider the following:
• identifying and assessing the operational risk inherent in all products, activities, processes and systems. The business line should assess the relevant operational risks in its operations, considering both internal and external factors, and the second line of defence should challenge the business line's inputs and outputs;
• ensuring that an adequate risk management framework is in place, based on historical observations and internal assumptions;
• systematically tracking and recording all relevant operational risk data, such as frequency, severity, operational risk losses, and other information on individual loss events or near misses;
• using business process mapping tools for operational risk assessment: identifying the key steps in business processes, activities and organizational functions can reveal individual risks, risk interdependencies, and areas of control or risk management weakness;
• conducting scenario analysis to assess operational risk, by obtaining the expert opinion of business lines and risk managers to identify potential operational risk events and assess their potential outcome;
• giving special attention to low-frequency, high-severity operational risk events (e.g. major fraud, bribery, etc.).
10.6 Monitoring and Reporting

Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms should be in place at the board, senior management and business line levels to facilitate the proactive management of operational risk. The reports should be comprehensive, accurate, consistent and actionable across business lines and products. Reporting on operational risk should be adequately structured to meet the needs of the appropriate management levels and of the business and control units. Operational risk reports should include:
• monitoring indicators;
• breaches of the financial institution's risk tolerance level, as well as of thresholds and limits;
• details of recent significant internal operational risk events and losses; and
• relevant external events and their potential impact on the financial institution and its capital.

10.7 Contingency Planning, Business Continuity and Disaster Recovery Plan

Financial institutions may face the partial or complete failure of one or several critical business processes or products, with the potential to disrupt daily business or threaten the institution's existence. Financial institutions should plan the actions to be taken in response to such failures.

Contingency Planning refers to the set of predefined processes, actions and measures to be taken when significant operational risks materialize, to enable the financial institution to face emergency situations. It should be implemented especially for all high-severity operational risks. Business Continuity Management relates to the measures that ensure critical business processes can be continued in the event of an emergency, and to the activities necessary to return to business-as-usual levels. IT continuity management is an integral part of Business Continuity Management.
Financial institutions should establish business continuity and disaster recovery plans that take into account the different types of plausible scenarios to which the institution may be vulnerable, commensurate with the size and complexity of its operations. Business Continuity Plans (BCP) should describe how a financial institution will restore time-critical activities and business processes to operational status in the event of an emergency. The BCP should identify all time-critical activities, business processes or resources of the financial institution, determine their maximum tolerable downtimes, and define strategies and options for the various scenarios relating to each specific area and its processes. The BCP should be reviewed and tested periodically to ensure that it is likely to be effective when needed.

The BCP should also identify the critical business processes that depend on external vendors or third parties, for which rapid resumption of service would be most essential. For these processes, financial institutions should identify alternative mechanisms for resuming service in the event of an outage. Particular attention should be paid to the ability to restore the electronic or physical records that are necessary for business resumption. Such records should be backed up at an off-site facility at an adequate distance from the primary operation site, to minimize the risk that both the primary and back-up records and facilities will be unavailable simultaneously.

10.8 Cyber Risk and Cyber Resilience

Cyber risk is the combination of the probability of cyber incidents occurring and their impact. Cyber resilience is the ability of a financial institution to continue to carry out its missions and activities by anticipating and adapting to cyber threats and by withstanding, containing and rapidly recovering from cyber incidents.

Financial institutions should have in place a proper cyber-security framework for identification (of risk exposure and expected losses), protection (third-party security capabilities), detection (assessment of vulnerabilities), response (pre-determined incident response capabilities) and recovery (preparedness and effectiveness of business continuity plans).

To strengthen the institution's resilience to cyber risk, institutions should:
(i) incorporate cyber risk into their governance and risk management framework;
(ii) identify their critical information assets;
(iii) develop an effective control and response framework for cyber risk;
(iv) promote cyber-security awareness among their staff; and
(v) collaborate with other institutions in strengthening the financial sector's cybersecurity.
11- THE MANAGEMENT OF INSURANCE RISK

11.1 Overview

Insurance risk relates to the likelihood that an insured event will occur, requiring the insurance company to pay a claim beyond either its original expectation during the pricing of the insurance product or its risk appetite, such as in the case of natural catastrophes.

Some insured events carry a much lower insurance risk than others. For example, the expected claim experience from a large portfolio of household contents insurance is more predictable, and thus less risky, than the expected claim payment on single insured risks such as commercial buildings. Similarly, claims with more measurable losses are less risky. For example, the damage to a motor vehicle under an auto insurance policy is more measurable (and thus less risky) than the medical cost or other liability amount incurred during the same auto accident. Claims that are likely to be paid over a long period of time (such as those resulting from professional indemnity insurance) are riskier than, for example, personal accident insurance.

The relative risks are reflected in the varying levels of capital which the financial institution needs to hold: the higher the risk, the greater the amount of capital required to support it. Insurance risks may arise from any of the core activities of an insurance operation: pricing, underwriting, claims handling and reinsurance.

11.2 Risk Management Structure

The financial institution should adopt a risk management structure that is commensurate with its size and the nature of its activities. The organizational structure should facilitate effective management oversight and the execution of risk management and control processes.

The Board of Directors is ultimately responsible for the sound and prudent management of an insurer. The Board should approve the risk management strategy and the risk policies pertaining to the core activities that give rise to insurance risk.
It should ensure that adequate resources, expertise and support are provided for the effective implementation of the institution's insurance risk management strategy, policies and procedures. It should also be the approving authority for changes to such policies, and should ensure that any exceptions are escalated to it and approved by it, where necessary. The reasons for these changes and exceptions should be documented. Such documentation should be available to the internal auditor, the external auditor and the MMA if requested.

Senior management, or a committee comprising members of senior management from both the business operations and the control functions, should establish the insurance risk management framework. The framework should cover areas such as approval of the business and risk strategy, review of the risk profile, implementation of the risk policies approved by the Board, delegation of authority and evaluation of the business processes. Adequate measures to address potential conflicts of interest should be in place.

The financial institution should establish an insurance risk management function, ideally independent from the operational processes, if warranted by the size and complexity of its operations. This function would be primarily responsible for developing, and ensuring compliance with, the institution's insurance risk management policies and procedures. To be effective, the function should have the requisite authority and sufficient resources, and should be able to raise issues directly with the Board or the relevant Board committees.

11.3 Strategies, Policies and Procedures

Financial institutions should have a sound strategy to manage the risks arising from their insurance activities. Based on its risk profile, the institution should establish an appropriate insurance risk management strategy, considering the Board-established risk appetite and the internal and regulatory solvency requirements. It should determine its risk tolerance, considering its business objectives and available resources. The entity should periodically review its insurance risk management strategy, taking into account its own financial performance, changes to its operations or business objectives, and market developments. The strategy should be properly documented and effectively communicated to all relevant staff.

Risk policies should set out the conditions and guidelines for the identification, acceptance, monitoring and management of insurance risks. These policies should explain the relationship of the risk management system to the entity's overall governance framework and to its corporate culture.
The policies should, at a minimum, cover the following:
(i) the identification, measurement and communication of key risks to the Board;
(ii) the process by which the Board decides on the maximum amount of risk that the insurer is able to take, and the frequency of review of risk limits;
(iii) the roles and responsibilities of the respective units and staff involved in the acceptance, monitoring and management of insurance risks;
(iv) the principles and criteria relating to pricing, underwriting, claims handling and reinsurance management, as well as the approval structure relating to these activities, including the authority to approve deviations and exceptions; and
(v) the management of concentration risk and exposures to catastrophic events, including limits, reinsurance, portfolio monitoring and stress testing.

The financial institution should establish appropriate procedures and processes to implement its insurance risk policies in the form of controls, checks and monitoring mechanisms. These should be documented and set out in sufficient detail to provide operational guidance to staff. These procedures should be periodically reviewed and updated to take into account new activities, changes in systems and structural changes in the market.

Financial institutions should have in place proper and effective reporting systems to satisfy the requirements of the Board with respect to reporting frequency, level of detail, usefulness of information, and recommendations to address issues of concern. The head of the risk management function should have the authority and the obligation to inform the Board promptly of any circumstance that may have a material effect on the risk management system of the entity.

11.4 Pricing

11.4.1 Risk Identification and Measurement
• Financial institutions should identify the probable scenarios which may lead to their revenue from premiums and investment income being insufficient to meet the payment of anticipated benefits and expenses. This includes the cost of capital and taxes.

11.4.2 Risk Control and Mitigation
• Financial institutions should collect adequate data to validate the reasonableness of the underlying assumptions used for pricing. The base rate, also known as the technical rate, should represent the amount required to meet the value of anticipated benefits, expenses, and margins for risk and profit. Data should primarily relate to the insurer's own historical experience and to that of the industry where relevant. These may be supplemented by other relevant internal and external data, and could include trends observed in claims costs and expenses.
• Pricing should be done by modelling all identified risks, using appropriate methodologies depending on the complexity of the risks and the available data. There should be adequate buffers in the premiums to cushion against the risk that actual experience turns out to be worse than expected.
• Financial institutions should have clear documentation that the base rate has been approved at the requisite level of authority.
The premium rate that the entity eventually charges may differ from the approved base rate after taking into account market and competitive considerations, in which case appropriate authorization should be obtained and documented.

11.4.3 Risk Monitoring and Review
• Financial institutions should analyze the profit and loss of their business. There should be procedures for monitoring emerging trends, changes in the external environment and risk indicators, to trigger a pricing review. For example, a trigger may be based on an experience analysis which shows that the key risk driver for a product has deviated significantly from its pricing assumptions.
• Financial institutions should also monitor deviations of the final rate from the base rate, and review the actual results against the expected benefits and expenses that were factored into the computation of the base rate, in order to improve future pricing. Institutions should involve actuaries in the evaluation of, and provision of advice on, product pricing and development matters.

11.5 Underwriting

Underwriting is the process by which the financial institution assesses the risks to be accepted and determines the terms on which those risks would be acceptable; for example, the medical and financial condition of a prospective life insurance applicant, or the accident history of a prospective motor insurance applicant. The underwriting process generally involves obtaining and managing essential underwriting information on the risks, assessing and accepting risks according to underwriting guidelines and authority levels, and monitoring and reviewing the risks accepted. The entity should involve actuaries in the evaluation of, and provision of advice on, underwriting matters.

11.5.1 Risk Identification and Measurement
• Financial institutions should consider the implications of selecting, accepting and retaining risks which may deviate from what was envisaged during the pricing stage. Such risks may include: accepting risks without imposing adequate loading or conditions; accepting risks which should have been declined given the risk tolerance; accepting non-homogeneous risks under the same risk category; and inadequate reinsurance protection or inconsistencies between the terms offered under the direct policies and those under the outward reinsurance contracts.
11.5.2 Risk Control and Mitigation
• Financial institutions should regularly review the proposal or application form to ensure that the questions (which are the main source of underwriting information) remain clear and pertinent. It is important to remind policyholders and intermediaries of the need to keep the financial institution informed of material changes in underwriting information for yearly renewable policies, where variable premiums are determined during the annual underwriting process.
• Financial institutions should have an efficient insurance information system in place that links all key information on underwriting, claims and reinsurance. They should ensure that the information captured, including the rationale for the underwriting decision, is up-to-date and accurate, to facilitate monitoring of the progress of the underwriting process and validating the quality of the underwriting decision.
• There should be clearly documented underwriting guidelines for each of the key types of benefits or products the institution underwrites, so as to provide sufficient guidance to the underwriters. Any significant deviation of an underwriting decision from the guidelines should be duly approved and the rationale for the approval properly documented. No risks should be accepted before the necessary reinsurance protection is finalized and in effect.

11.5.3 Risk Monitoring and Review
• Financial institutions should conduct regular reviews to ensure that the underwriters remain competent in the area of their delegated authority and that the quality of the underwriting decisions made remains satisfactory.
• There should be a systematic method to monitor the accumulation of risks across product types and geographical areas, so that the overall risks underwritten stay within the institution's reinsurance protection limits and risk appetite.
• Financial institutions should regularly conduct audits or checks of underwriting files, and monitor risk indicators such as claims experience, the number of complaints relating to underwriting decisions, or the timeliness of those decisions.

11.6 Claims Handling

Claims handling is the process by which a financial institution processes and pays claims in accordance with the terms and conditions specified in the insurance contracts. The process generally comprises registering new claims, setting and revising reserves, obtaining the essential information to assess, manage and settle the claim, making reinsurance and other recoveries, and reviewing and closing claim files.
11.6.1 Risk Identification and Measurement
• Financial institutions should put in place measures to identify the risks associated with poor claims handling and case reserving, which may include:
  (a) making claim settlement decisions which are not in accordance with the policy terms and conditions, thereby either incurring liability that was not considered in the pricing or failing to fulfil contractual obligations to policyholders;
  (b) inefficient handling of claims leading to slow responses or higher cost overheads, thereby impeding market competitiveness; and
  (c) setting inadequate reserves or delaying the revision of case reserves for reported claims, resulting in under-provision of claims liabilities and a time lag in adjusting premiums for new policies.
11.6.2 Risk Control and Mitigation
• Financial institutions should have a clear process in place for the notification of claims, which ensures that all claims are reported at the earliest opportunity and that the relevant information is captured in the information system in a timely manner.
• Financial institutions should have an efficient information system in place, and the information captured in respect of claims should be up-to-date and accurate, so that the institution can monitor the progress of the claims handling process and validate the quality of the claim settlement decision.
• Financial institutions should review the claims form regularly to ensure that the questions remain clear, unambiguous and pertinent, enabling the claims staff to form an accurate assessment of the validity of the claim.
• Financial institutions should have clearly documented claims handling guidelines for each of the key types of claims, to provide sufficient guidance to the claims staff, covering the documents required for verifying the claim, references to warranties or restrictions imposed at acceptance, the method for calculating the settlement amount, settlement options, and policies on large or ex-gratia claims. There should also be clear guidelines on when claims should be referred to the reinsurer or to other parties, such as lawyers, for claims support or decision. The claims handling guidelines should be regularly reviewed.
• Financial institutions should set case reserves accurately for each claim in a timely manner. The components of case reserves should be captured in sufficient detail to provide useful statistics for in-depth analysis.
• Financial institutions should have a clear control process for the payment of large claims, for example obtaining official sign-off from a member of the management team and, where applicable, from the reinsurer.
• Financial institutions should establish case reserves accurately for each claim in a timely manner, especially in respect of general insurance business.
• Financial institutions should have a clear policy, approved by senior management, with regard to ex-gratia claim payments. The authority to approve such payments should also be clearly specified, and the rationale for the approval should be properly documented.

11.6.3 Risk Monitoring and Review
• Financial institutions should conduct regular reviews to ensure that the claims assessors remain competent in their area of delegated authority and that the quality of the claims decisions remains satisfactory. They should monitor whether the authority for granting ex-gratia payments is exercised sparingly and appropriately, and review the appropriateness of the limits regularly.
• Financial institutions should conduct reviews of claim files regularly. There should be a systematic way to identify files for review, and clear guidelines for follow-up actions and the closure of files.
• Financial institutions should have in place regular claims reporting to senior management to raise awareness of key claim exposures and losses, especially where a single claim, loss event or series of losses could in aggregate have an impact on the balance sheet.

11.7 Reinsurance Management

Reinsurance is an arrangement where a portion of the risks assumed by a direct insurance entity is ceded to other insurance entities. The mechanisms to transfer risks include traditional reinsurance and alternative risk transfer approaches, such as catastrophe bonds and securitization.

11.7.1 Risk Identification and Measurement
• Financial institutions should analyze their risk profile to decide what risks, and how much risk, are to be retained, taking into consideration their risk appetite and the availability and cost of reinsurance. Financial institutions should also be mindful of possible gaps in the reinsurance programme, which would result in more risk being retained than intended.
• Another potentially material risk is the risk that the reinsurance contract wording does not accurately reflect the intent of the reinsurance cover, or that the contract is not legally enforceable.
• Financial institutions may also face credit risk arising from potential defaults by their reinsurers. Institutions are also exposed to liquidity risk in the event of large losses, whereby they may have to pay the claims before receiving all the reinsurance recoverables.
11.7.2 Risk Control and Mitigation
• In designing the reinsurance programme, financial institutions should take into account relevant factors including business plans and strategies; underwriting philosophy and capabilities; the size and profile of each line of business; the frequency and size of losses by line of business; the geographical distribution of the business; and financial strength.
• Financial institutions should ensure that their reinsurance contracts cover all applicable lines of business and that the limits of cover are adequate. Financial institutions should assess the impact of likely adverse events through stress testing and realistic disaster scenario analysis, to ensure that their catastrophe reinsurance cover can be relied upon to reduce the impact of most conceivable calamities to a magnitude that will not threaten their viability.
• Financial institutions should put in place appropriate systems and processes to facilitate achieving contract certainty.
• The reinsurance management policy and procedures should spell out clear criteria for the selection of reinsurers and outline the information required to assess the financial soundness of a reinsurer.

11.7.3 Risk Monitoring and Review
• Financial institutions should ensure that only approved reinsurers are used, and track aggregate exposures to individual reinsurers or groups of related reinsurers against established exposure limits. Financial institutions should monitor the outstanding balances from their reinsurance counterparties and the credit standing of the reinsurers on their panel on an ongoing basis.
• Financial institutions should review whether their reinsurance programme has, over a period of time, supported their business objectives and strategies, and helped to mitigate their losses to within their risk tolerance level.