
  • PIN App2 Management and Control of Risk

    • PIN A2.1 Introduction

      • PIN A2.1 Guidance

        1. This Guidance relates to the Rules on management and control of risk contained in PIN chapter 2. It has been prepared to assist directors of Insurers, their Auditors, and others concerned in applying those Rules.
        2. The Rules in PIN chapter 2 require an Insurer to address specific areas of risk, as well as maintain a generally sound risk management system. Insurers have some flexibility in their approach to these requirements.
        3. This appendix provides some general comment on the objectives of the Rules, risk management and control mechanisms. It also provides specific comment on the following selected aspects of the five broad areas of risk identified in PIN section 2.3, that are considered to be of particular relevance to Insurers:
        a. Balance sheet and market risk components:
        i. reserving risk;
        ii. investment risk (including risks associated with the use of derivatives);
        iii. underwriting risk;
        iv. claims management risk;
        v. product design and pricing risk; and
        vi. liquidity management risk;
        b. Credit quality risk;
        c. Non-financial or operational risk components:
        i. business continuity planning risk; and
        ii. outsourcing risk;
        d. Reinsurance risk; and
        e. Group risk.
        4. It is not the purpose of this appendix to provide guidance in areas that are common to all or many Authorised Firms other than Insurers. The principal objective is to address areas that are of specific relevance to Insurers.
        5. The procedures set out in this appendix do not constitute a checklist of necessary procedures. An Insurer cannot assume that implementing all of the procedures set out in this appendix will guarantee that the Insurer complies with the requirements to which it is subject.
        6. Since this appendix is not intended to be prescriptive or exhaustive, it cannot be regarded as a substitute for reading the Rules themselves and taking professional advice. An Insurer should contact the DFSA if there are any areas which it would like to discuss further.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.2 Objectives of the rules

      • PIN A2.2 Guidance

        1. The objective of the Rules contained in PIN chapter 2 is that Insurers should control their own risks through sound and prudent risk management systems, such as to minimise the likelihood that events, internal or external to the Insurer, cause the Insurer to fail financially or operationally.
        2. The risk management systems required by the Rules should be integrated with the operational processes of a business. Insurers are expected to instil a strong risk control culture throughout their operations, so that material risks and potential problems that emerge can be identified, managed and promptly resolved in the normal course of business operations. The absence of such a control culture is likely to be taken as evidence that more specific control objectives are unlikely to be attained.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.3 Risk management systems

      • PIN A2.3 Guidance

        1. The Rules require an Insurer to develop, implement and maintain sound and prudent risk management systems, appropriate to the size, business mix and complexity of the Insurer's operations. The responsibility for ensuring compliance lies with the Governing Body and senior management of the Insurer.
        2. The nature and extent of the systems and controls which an Insurer will need to maintain will depend upon a variety of factors including:
        a. the nature, size and complexity of its business;
        b. the diversity of its operations, including geographical diversity;
        c. the volume and size of its transactions; and
        d. the degree of risk associated with each area of its operations.
        3. To enable it to comply with its obligation to maintain appropriate systems and controls, an Insurer should regularly review its management of risk in the context of relevant environmental and operational factors and changes in those factors.
        4. The Rules lay down certain minimum processes and procedures that must be maintained by Insurers. These include a written risk management strategy, risk management policies and procedures, and allocated responsibilities and controls.
        5. The risk management strategy should cover not only the identification, assessment, control and monitoring of risks but also contingency plans to deal with the crystallisation of risks or adverse developments in important areas of risk. This will be assisted by stress and scenario testing tailored to the risk characteristics of the Insurer.
        6. While the risk management systems of an Insurer must address all material risks, PIN section 2.3 lays down specific requirements for an Insurer to maintain risk management systems in respect of the following areas:
        a. balance sheet and market risk;
        b. credit quality risk;
        c. non-financial or operational risk;
        d. reinsurance risk; and
        e. Group risk.
        7. An Insurer should have regard to the need for adequate risk management systems at the level of any Group the Insurer is a member of (subject to exemptions for Groups that are intermediate Groups or Groups that are headed by Insurers, in which case the holding company is already subject to the risk management requirements in its own right). The Insurer bears a responsibility to take reasonable actions to ensure that the Group as a whole complies with the risk management requirements of the Rules. Although an Insurer may not be in a position to control the risk management systems of the Group, Group risk management systems are likely to have a material impact on the exposure of the Insurer to risks arising from its membership of the Group.
        8. Further considerations in respect of Group risk generally are contained in PIN section A2.5.
        9. The Rules do not prohibit an Insurer from outsourcing its risk management systems. Where the Insurer is a member of a Group, it may be practicable for some processes to be performed on a Group-wide basis. An Insurer would not normally outsource risk management systems outside the Group. However the Insurer remains responsible under the Rules for the adequacy of its risk management systems, whether or not those processes are outsourced. Senior management cannot delegate their regulatory responsibility for ensuring that the Insurer's risk management systems are adequate. The fact that a system is partially or wholly outsourced would be a factor in the Insurer's assessment of whether the system was adequate. To decide whether any system is adequate, senior management would be expected to have assessed the design and operation of the system, including the design and the operations of controls over outsourcing decisions and monitoring. Because an Insurer must be in a position to demonstrate that it has complied with its regulatory requirements, adequate documentary evidence of these assessments should be maintained.
        10. Further considerations in respect of outsourcing generally are contained in PIN A2.13.
        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]
        [Amended] DFSA RM43/2007 (Made 1st June 2007). [VER14/06-07]

    • PIN A2.4 Control mechanisms

      • PIN A2.4 Guidance

        1. An Insurer should have appropriate control mechanisms in place to ensure that the policies and procedures established for risk management are adhered to at all times.
        2. Control mechanisms would normally include:
        a. clearly defined management responsibilities;
        b. adequate segregation of duties;
        c. a risk committee or audit function to establish and maintain the control processes;
        d. a system of approvals, limits, authorisations and reporting lines;
        e. policies to document the Insurer's procedural controls;
        f. activity controls for each division or department;
        g. verifications of activities such as underwriting, pricing and claims management, and reconciliations of relevant data;
        h. reviews by Governing Body, senior management and internal audit; and
        i. physical controls.
        3. The directors should monitor the overall effectiveness of the Insurer's risk management systems. Depending on the size and complexity of operations of an Insurer, risk management systems may be monitored on an ongoing or periodic basis. At a minimum there should be periodic internal audits with results being reported directly to the Governing Body and senior management.
        4. Where deficiencies are identified as part of the monitoring process or internal audit, these should be reported in a timely manner to the appropriate management and addressed. Material deficiencies should be reported to the Governing Body and senior management. A material deficiency can result not only from a single deficiency, but also from a number of small deficiencies that, when considered together, amount to a material deficiency.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.5 Reserving risk

      • PIN A2.5 Guidance

        1. Reserving risk is the risk that Insurance Liabilities recorded by the Insurer, net of reinsurance and other recoveries in respect of those liabilities, will be inadequate to meet the net amount payable when the Insurance Liabilities crystallise. Insurance Liabilities include the liability for claims incurred up to the reporting date, as well as the Premium Liability. In the case of General Insurance, reinsurance recoveries anticipated in respect of those liabilities are generally recognised as a separate asset. In the case of Long-Term Insurance, Insurance Liabilities include also the net value of future Policy Benefits and the effects of reinsurance arrangements are taken into account when these are estimated.
        2. An Insurer's risk management system should therefore include a process for ongoing review and appraisal of the Insurance Liability valuation framework (i.e. assumptions made, reinsurance recoveries estimated etc). In conducting this review, consideration should be given to emerging pricing and claim payment trends.
        3. An Insurer should maintain appropriate systems, controls and procedures to ensure that the provision for Insurance Liabilities is, at all times, sufficient to cover any liabilities that have been incurred, or are yet to be incurred on Contracts of Insurance accepted by the Insurer, as far as can be reasonably estimated.
        4. Appropriate methods should be applied in estimating the provision for Insurance Liabilities, including provisions in respect of individual notified incurred claims. In determining a provision estimation method, managers may consider using alternative approaches before selecting those which may be regarded as most appropriate to the nature of the business.
        5. Appropriate methods should be applied in estimating the amount of the asset in respect of reinsurance recoveries that are expected to arise on crystallisation of the gross Insurance Liabilities. The manner of estimating those assets should be consistent with the manner of estimating the gross liabilities, except where there is a sound justification for doing otherwise.
        6. Suitable systems and controls should be put in place to ensure that the selected approaches are applied accurately and on a consistent basis.
        7. Procedures should be in place to review and monitor, on a regular basis, the out-turn of provisions made in previous years for Insurance Liabilities, both gross and net of reinsurance recoveries.
        8. An Insurer is required by PIN chapter 7 to obtain an annual report by an Actuary on the valuation of its Insurance Liabilities and associated assets. The Rules do not require the performance of an actuarial valuation at other times; however, an Insurer should consider the use of actuaries or other appropriately qualified and experienced loss reserving specialists to estimate Insurance Liabilities periodically through the year. The Insurer should in any case undertake periodic testing of its reserving processes and the level of its reserves, including continual reassessment of assumptions used, and testing the sensitivity of the valuation of Insurance Liabilities to stress arising from realistic scenarios relevant to the circumstances of the Insurer. Whether in-house or outside experts are used, appropriate procedures should be in place to ensure that the specialist selected possesses the appropriate level of skill and experience and has available the necessary information to carry out the estimation required.
        9. Suitable controls should be in place to ensure that the data used in determining the Insurance Liabilities are extracted from the underlying records accurately and to the necessary level of detail. The level of detail should be sufficient to ensure that the data available to managers in their assessment of Insurance Liabilities covers the whole of its liabilities and exposures under insurance contracts.
        10. Scenario testing should cover a period of several years into the future, particularly in the case of an Insurer carrying on Long-Term Insurance Business.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.6 Investment risk

      • PIN A2.6 Guidance

        1. Investment risk refers to the possibility of an adverse movement in the value of an Insurer's on-balance sheet assets or certain off-balance sheet obligations. Investment risk derives from a number of sources including market risk (e.g. equity, interest rate and foreign exchange risk), credit quality risk (dealt with separately in this appendix), investment concentration risk and asset and liability mismatch risk (e.g. in terms of currency, maturity, and location). Associated risks include political risk, e.g. the risk of inability to realise assets in a particular location, and the risk of correlation such that a single event has adverse impacts on both assets and liabilities. Investment risk includes risk associated with the use of derivatives and other complex investment instruments, including asset backed securities, credit linked notes and insurance linked notes.
        2. Suitable controls and management information systems should be in place to enable an Insurer to implement an appropriate investment strategy.
        3. Appropriate procedures should be in place to enable an Insurer to monitor the interaction of its assets and liabilities so as to ensure that exposure to equity, interest rate and foreign exchange risk is contained within limits approved by the Insurer. Procedures should include testing of sensitivity to realistic scenarios that are relevant to the circumstances of the Insurer.
        4. Appropriate procedures should be in place to enable an Insurer to monitor the location of its assets and liabilities, so as to ensure that risk of localisation mismatch is contained within limits approved by the Insurer. Procedures should include testing of sensitivity to realistic scenarios, including political risk scenarios that are relevant to the circumstances of the Insurer.
        5. Insurers should remain alert to the need to consider asset and liability risks on an integrated basis. Systems should not consider only risks taken in isolation, but should consider how, even when individual risks are addressed, combinations of circumstances may still expose an Insurer to loss. This is of particular relevance where a single outcome is exposed to more than one risk, for example where assets need to be available not only in a particular location but also in a specific currency.
        6. Appropriate procedures should be in place for assessing the credit-worthiness of counterparties to whom the Insurer is significantly exposed. Further guidance in this area is provided in PIN A2.11.
        7. Appropriate procedures should be in place for setting prudent limits for the Insurer's aggregate exposure to certain categories of asset. Such limits should take account of the suitability of assets covering Insurance Liabilities. They may take account of the Insurer's other assets bearing in mind the possibility that such assets might in future be needed to meet Insurance Liabilities.
        8. The investment strategy should be reflected in clear terms of reference from the Insurer to its investment managers, who should be qualified and competent to carry out their assigned task. The work of the investment managers should be monitored sufficiently closely by management to ensure that the Insurer's strategy is being followed and that the systems are effective.
        9. Insurers should ensure that controls over derivatives and other complex investment instruments have been implemented and are adequate to ensure that risks are properly assessed, regularly reviewed in the light of changing market conditions and experience, and consistent with the overall investment strategy decided upon and approved by the Insurer. In particular senior management and directors of Insurers should:
        a. fully understand the nature of derivatives trading and trading in any other complex investment instruments being undertaken by the organisation and the related risks, and, where relevant, be suitably qualified and competent to transact the range and type of transactions being undertaken and understand the nature of the exposures (including both counterparty and market risk) which their use will create;
        b. have documented clearly the objectives and policies for the use of derivatives contracts and other complex investment instruments, and monitor their use (including by way of compliance audits of investment managers) to ensure their use is in line with those objectives and policies. Insurers should ensure that policies are sufficiently clear and precise to ensure that new types of instrument are not dealt in without due prior consideration. They should also define any associated limits on exposures or volumes that are considered appropriate;
        c. have due regard to uncovered transactions in the context of the above controls so that in no circumstances is the Insurer's capital adequacy endangered. Systems should be adequate to prevent exposure to unacceptable, exceptionally volatile risks and to monitor transactions with a frequency commensurate with volatility and risk. The systems should trigger a hedge or close out a transaction whenever adverse movements or events threaten a significant worsening of the Insurer's capital adequacy position;
        d. have ensured that those who have responsibility for the control of investments in derivatives and other complex instruments are sufficiently independent of the day-to-day operators to ensure effective control;
        e. be capable of analysing and monitoring the risk of all transactions undertaken by the Insurer individually and in aggregate (including interest rate risk, foreign exchange risk, fraud, error, unauthorised access to information and other operational risks);
        f. be provided regularly with appropriate statistics and information on the trading volumes of derivatives contracts by type of product including regular reports of all off-balance sheet transactions, contingencies and commitments;
        g. be satisfied that sufficient systems and controls relevant to derivative products and other complex investment instruments have been put in place, including independent agreement and reconciliation of positions, independent checking of prices, appropriate authorisation where dealing limits have been exceeded, etc; and
        h. have tested adequately and approved valuation models which are used to value open positions and derivative contracts and other complex investment instruments, including controls preventing unauthorised programme amendments. Such models should include appropriate testing of the robustness of the portfolio in changing investment conditions, using realistic scenarios relevant to the circumstances of the Insurer.
        10. Stress and scenario testing should consider the impact of possible deteriorations in investment conditions, including where relevant the impact of simultaneous deteriorations in more than one market. It should also consider effects on liquidity, including where relevant those from an inability to repatriate assets from elsewhere. Where the insurance industry's holdings are large in relation to the turnover of the domestic market, scenario modelling should take account of the possible effect on the market of simultaneous liquidation of assets.
        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]
        [Amended] DFSA RM43/2007 (Made 1st June 2007). [VER5/06-07]
        [Amended] DFSA RM99/2012 (Made 24th July 2012) [VER12/07-12]

    • PIN A2.7 Underwriting risk

      • PIN A2.7 Guidance

        1. Underwriting is the process by which an Insurer determines whether and under what conditions to accept a risk. Weaknesses in the systems and controls surrounding the underwriting process can expose an Insurer to the risk of unexpected losses which may threaten the capital adequacy of the Insurer.
        2. The risk management system for underwriting risk should normally include at least the following policies and procedures:
        a. clear identification and quantification of the Insurer's willingness and capacity to accept risk;
        b. clear identification of the classes and characteristics of insurance business that the Insurer is prepared to underwrite including:
        i. geographical areas;
        ii. the types of risk that may be underwritten; and
        iii. criteria for the use of policy exclusions and reinsurance;
        c. formal evaluation processes for the effective assessment of risks underwritten including:
        i. criteria for assessing risk;
        ii. methods for monitoring emerging experience; and
        iii. methods by which emerging experience is taken into account in updating the underwriting process;
        d. appropriate approval authorities and limits to those authorities that are definitive and specific (including controls surrounding any delegations that are given to intermediaries of the Insurer);
        e. concentration limits; and
        f. methods for monitoring compliance with underwriting policies and procedures such as:
        i. minimum standards of documentation;
        ii. internal audit;
        iii. peer review of policies underwritten;
        iv. assessments of brokers' procedures and systems to ensure the quality of information provided to the Insurer is of a suitable standard; and
        v. in the case of reinsurers, audits of ceding companies to ensure that reinsurance assumed is in accordance with treaties in place.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.8 Claims management risk

      • PIN A2.8 Guidance

        1. Claims management is the process by which Insurers fulfil their contractual obligation to policyholders. An Insurer's duties when a claim is made under a Contract of Insurance may be summarised as:
        a. verify the contractual obligation to pay the claim;
        b. make an assessment of the amount and incidence of the claim liability, including loss adjustment expenses; and
        c. manage the claim settlement process.
        2. The risk management system for claims management risk should normally include at least the following policies and procedures:
        a. clear definition and appropriate levels of delegations of authority;
        b. clear claim settlement procedures, including claim determination and investigation procedures and the criteria for accepting or rejecting claims;
        c. clear and objective loss estimation procedures (including estimation of reinsurance recoveries); and
        d. methods for monitoring compliance with claims management processes and procedures such as:
        i. minimum documentation standards;
        ii. internal audit;
        iii. peer review of claims paid;
        vi. assessment of brokers' procedures and systems to ensure the quality of information provided to the Insurer is of a suitable standard; and
        vii. audits of ceding companies to ensure that the value of claims paid is in accordance with treaties in place.
        3. In establishing and maintaining effective claims handling systems and procedures, senior management of Insurers should consider factors including the following:
        a. appropriate systems and controls should be in place to ensure that all liabilities or potential liabilities notified to the Insurer are recorded promptly and accurately. Accordingly, the systems and controls in place should ensure that a proper record is established for each notified claim;
        b. suitable systems should be in place to identify and quantify, for the key claims handling procedures, timeliness of processing, the effects of processing backlogs and the need for any corrective action;
        c. suitable controls should be maintained to ensure that estimates for reported claims and additional estimates based on statistical evidence are appropriately made on a consistent basis and are properly categorised;
        d. regular reviews of the actual outcome of the estimates made should be carried out to check for inconsistencies and to ensure that procedures remain appropriate. The reviews should include the use of statistical techniques to compare the estimates with the eventual cost of settling the claims, after deducting the amounts already paid at the time the estimates were made;
        e. appropriate systems and procedures should be in place to ensure that claim files without activity are reviewed on a regular basis;
        f. appropriate systems and procedures should be in place to assess the validity of notified claims by reference to the underlying Contracts of Insurance and reinsurance treaties;
        g. suitable systems and procedures should be in place to accommodate the use of suitable experts such as loss adjusters, lawyers, actuaries, accountants etc. as and when appropriate, and to monitor their use; and
        h. there should be suitable systems and procedures in place to identify and handle large or unusual claims, including systems to ensure that senior management are involved from the outset in the processing of claims that are significant because of their size or nature.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.9 Product design and pricing risk

      • PIN A2.9 Guidance

        1. The pricing of an insurance product involves the estimation of claims and costs arising from that product and the estimation of investment income arising from the investment of premium income attaching to the product. An Insurer may be exposed to significant loss where the claims, costs or investment returns arising from the sale of a product are inaccurately calculated. This risk is particularly acute in the case of Long-Term Insurance, where the Insurer does not have the option to cancel an unprofitable policy, but is also relevant to General Insurance.
        2. The risk management system for product design and pricing should normally include at least the following policies and procedures:
        a. minimum requirements for documentation of pricing and design decisions;
        b. clear identification of product lines that the Insurer is prepared to engage in or has chosen not to engage in;
        c. clearly defined and appropriate levels of delegation for approval of all material aspects of product design and pricing;
        d. processes for assessing specific risks, including risks arising from:
        i. inflation;
        ii. anti-selection (the tendency of poorer risks in a population to seek insurance while better risks self-insure);
        iii. moral hazard (the tendency of insured persons to manage their own risk less effectively, in the knowledge that they are insured);
        iv. changes in mortality and morbidity patterns;
        v. technology changes;
        vi. catastrophes, natural or man-made;
        vii. legal decisions;
        viii. changes in government policy; and
        ix. investment returns;
        e. procedures for limiting risk through, for example, diversification, exclusions and reinsurance;
        f. processes to ensure that policy documentation is adequately drafted to give effect to the proposed level of coverage under the product;
        g. how emerging experience is to be reflected in price adjustments;
        h. how the Insurer's product pricing responds to competitive pressures; and
        i. methods for monitoring compliance with product design and pricing policies and procedures.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.10 Liquidity management risk

      • PIN A2.10 Guidance

        1. An Insurer should have access to sufficient liquidity to meet all cash outflow commitments to policyholders (and other creditors) as and when they fall due. The nature of insurance activities means that the timing and amount of cash outflows are uncertain. This uncertainty may affect the ability of an Insurer to meet its obligations to policyholders or may require Insurers to incur additional costs through, for example, raising additional funds at a premium on the market or through the sale of assets.
        2. The risk management system for liquidity should normally include at least the following policies and procedures:
        a. procedures to identify and control the level of mismatch between expected asset and liability cash flows under normal and stressed operating conditions (using realistic scenarios relevant to the circumstances of the Insurer);
        b. procedures to monitor the liquidity and realisability of assets;
        c. procedures to identify and monitor commitments to meet liabilities including Insurance Liabilities;
        d. procedures to monitor the uncertainty of incidence, timing and magnitude of Insurance Liabilities;
        e. procedures to identify and monitor the level of liquid assets held by the Insurer; and
        f. procedures to identify and monitor other sources of funding including reinsurance, borrowing capacity, lines of credit and the availability of intra-group funding, and to identify the need for such sources to be made available.
        3. When assessing its liquidity requirements an Insurer should also consider the currency in which the assets and liabilities are denominated, and the locations in which those assets and liabilities are situated or payable.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.11 Credit quality risk

      • PIN A2.11 Guidance

        1. Credit exposures can increase the risk profile of an Insurer and adversely affect financial viability. Credit exposure includes both on-balance sheet and off-balance sheet exposures (including guarantees, derivative financial instruments and performance related obligations) to single and Related counterparties.
        2. An Insurer's risk management system in respect of credit quality risk will normally be expected to include at least the following policies and procedures:
        a. limits (where relevant, at both an individual and consolidated level) for credit exposures to:
        i. single counterparties and groupings of counterparties that are related to each other;
        ii. entities to which the Insurer is Related;
        iii. single industries; and
        iv. single geographical locations;
        b. processes to monitor and control credit exposures against pre-approved limits;
        c. processes for identifying breaches of limits and for ensuring that breaches of limits are brought within the pre-approved limits within a set timeframe;
        d. processes for reducing or cancelling limits to a particular counterparty where the counterparty is known to be experiencing problems;
        e. processes for approving requests for temporary increases in limits;
        f. processes to review credit exposures (at least annually but more frequently in cases where there is evidence of a deterioration in credit quality);
        g. a management information system that is capable of aggregating exposures to any one counterparty (or group of Related counterparties), asset class, industry or region in a timely manner; and
        h. a process for reporting to the Governing Body and senior management:
        i. significant breaches of limits; and
        ii. large exposures and other credit risk concentrations.
        3. Further guidance in respect of credit quality risk in respect of reinsurance counterparties is contained at PIN A2.14.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.12 PIN A2.12 Business continuity planning risk

      • PIN A2.12 Guidance

        1. Disruptions in an Insurer's business can lead to unexpected losses of both a financial and non-financial nature (e.g. data, premises, reputation etc). Disruptions may occur as a result of events such as power failure, denial of access to premises or work areas, systems failure (computers, data, building equipment), fire, fraud and loss of key staff.
        2. An Insurer's risk management system in respect of business continuity planning risk will normally be expected to include at least the following policies and procedures:
        a. processes for identifying:
        i. events that may lead to a disruption in business continuity;
        ii. the likelihood of those events occurring;
        iii. the processes most at risk; and
        iv. the consequences of those events;
        b. a business continuity plan (BCP) describing:
        i. procedures to be followed if business continuity problems arise;
        ii. detailed procedures for enacting the BCP, including manual processes, the activation of an off-site recovery site (if needed) and the person(s) responsible for activating the BCP;
        iii. a communications strategy and contact information for relevant staff, suppliers, regulators, market authorities (including exchanges), major clients, the media and other key people;
        iv. a schedule of critical systems covered by the BCP and the timeframe for restoring these systems;
        v. the pre-assigned responsibilities of staff and procedures for training staff on all aspects of the BCP; and
        vi. procedures for regular testing and review of the BCP; and
        c. procedures for backing up important data on a regular basis and storing the information off site.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.13 PIN A2.13 Outsourcing risk

      • PIN A2.13 Guidance

        1. Financial firms frequently decide to outsource aspects of their operations to other parties, Related or not. Outsourcing can bring significant benefits to a firm in terms of efficiency, cost reduction and risk management. However, both the process of implementing outsourcing arrangements and the outsourcing relationship itself may expose a firm to additional risk. It is therefore important that firms take care to supervise the conduct of activities that are outsourced. GEN Rule 5.3. requires an Authorised Firm to inform the DFSA about any material outsourcing arrangement.
        2. The activities of outsource contractors have the ability to undermine the risk management activities of Insurers. Insurers should take particular care if outsourcing activities such as underwriting and claims management, where inappropriate performance of the functions can expose the Insurer to serious financial loss, for example through acceptance of inappropriate insurance risks, mis-pricing, failure to obtain appropriate reinsurance cover, or failure to detect invalid claims. These considerations apply to such arrangements as binding authorities and other agencies appointed by Insurers.
        3. In negotiating a contract with an outsource contractor or in assessing an existing agreement, an Insurer should give consideration to matters relevant to risk management, including the following:
        a. setting and monitoring of authority limits and referral requirements;
        b. the identification and assessment of performance targets;
        c. procedures for evaluation of performance against targets;
        d. provisions for remedial action;
        e. reporting requirements imposed on the outsource contractors (including both content and frequency of reports);
        f. the ability of the Insurer and its risk management functions (for example, internal auditors), and its external auditors, to obtain access to the outsource contractors and their records;
        g. protection of intellectual property rights;
        h. protection of customer and firm confidentiality;
        i. the adequacy of any guarantees, indemnities or insurance cover that the outsource contractor agrees to put in place;
        j. the ability of the outsource contractor to provide continuity of business; and
        k. arrangements for change to the outsource contract or termination of the contract.
        4. Insurers should take care to manage the risk that the sound and prudent management of the Insurer's business may be compromised by conflicting incentives in the outsource agreement. In particular, Insurers should consider whether the remuneration structure creates any perverse incentives. For example, an outsource contractor with underwriting authority may have an incentive to accept poorer quality business if remuneration is based on commission (especially if bonuses are given for volume) and remuneration is not affected by the performance of the insurance contracts accepted.
        5. Intra-group outsourcing may be perceived as subject to lower risks than using outsource contractors from outside a Group. However, it is not risk-free and an Insurer must still assess the associated risks and make appropriate arrangements for their management.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.14 PIN A2.14 Reinsurance risk

      • PIN A2.14 Guidance

        1. Management of reinsurance risk relates to the selection, monitoring, review and control of reinsurance arrangements — that is, where some part of an Insurer's individual or aggregate insurance risks is ceded to other Insurers, whether by a direct Insurer to a reinsurer or by a reinsurer to other reinsurers.
        2. An Insurer should inform the DFSA immediately if there is a likelihood of a problem arising with its reinsurance arrangements that is likely to materially detract from its current or future capacity to meet its obligations, and discuss with the DFSA its plans to redress this situation. Problems that might trigger such a situation could include the insolvency of a reinsurer with a significant share in the Insurer's programme, discovery of exposures without current reinsurance coverage, or exhaustion of reinsurance covers through multiple losses.
        3. Each Insurer is required (by PIN Rule 2.3.5) to maintain a written reinsurance management strategy which must be appropriate to the size and complexity of operations of the Insurer and must define and document the Insurer's objectives and strategy for reinsurance management.
        4. An Insurer's reinsurance management strategy should, at a minimum, include the following elements:
        a. systems for the selection of reinsurance brokers and other reinsurance advisers;
        b. systems for selecting and monitoring reinsurance programmes;
        c. clearly defined managerial responsibilities and controls;
        d. clear methodologies for determining all aspects of a reinsurance programme, including:
        i. identification and management of aggregations of risk exposure;
        ii. selection of maximum probable loss factors;
        iii. selection of realistic disaster scenarios, return periods and geographical aggregation areas; and
        iv. identification and management of vertical and horizontal coverage of the reinsurance programme;
        e. selection of participants on reinsurance contracts, including consideration of diversification and credit worthiness; and
        f. systems for identifying credit exposures (actual and potential) to individual reinsurers or Groups of connected reinsurers on programmes that are already in place.
        5. Senior management should review an Insurer's reinsurance management systems on a regular basis. The review should cover:
        a. the identification and recording of policies underwritten to which reinsurance is attached;
        b. the identification of the dates when an obligation to pay reinsurance premiums arises;
        c. the identification of losses triggering recoveries under reinsurance contracts;
        d. management of the timing of payments to, and collections from, reinsurance counterparties;
        e. the credit standing and capacity of reinsurance counterparties to meet obligations to which they are subject as a result of claims incurred or to which they would become subject in the event of occurrence of losses;
        f. any concentration of reinsurance arrangements with reinsurance counterparties which would create large exposures or detract from diversification benefits in the event of occurrence of losses;
        g. the extent of reliance on reinsurance with related parties, and the accessibility of intra-group funding under a range of realistic conditions; and
        h. the impact of any adverse trends in estimated Insurance Liabilities on the adequacy of the Insurer's reinsurance arrangements, and any implications for the capacity of the Insurer to meet its future policyholder obligations.
        6. Procedures for assessing the credit standing of reinsurance counterparties may include the following:
        a. establishment of a security committee with a specific brief to undertake the procedures;
        b. obtaining appropriate advice from reinsurance brokers;
        c. review of ratings published by ratings agencies;
        d. monitoring of key performance indicators in reinsurers' published reports; and
        e. consideration of general conditions in the relevant reinsurance market.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]

    • PIN A2.15 PIN A2.15 Group risk

      • PIN A2.15 Guidance

        1. The senior management of an Insurer remain responsible for its regulatory compliance, including in any areas that are delegated or outsourced to other Group members.
        2. The overall governance, high-level controls and reporting lines within the Group should be clear so far as they affect the Insurer. An Insurer should not, for example, be subject to material control or influence from other Group members that is exercised through informal or undocumented channels.
        3. Reliance upon functions performed at a Group level (for example, Group risk management, capital planning, liquidity and compliance) should be subject to approval and monitoring by senior management of the Insurer.
        4. Where an Insurer relies upon functions that are performed at a Group level the protocols for the performance of those functions should be clear.
        5. Senior management should establish and maintain systems and controls to identify and monitor the effect on the Insurer of its relationship with other members of the Group and the activities of other members of its Group. These systems and controls should include procedures to monitor the following matters:
        a. changes in relationships between Group members;
        b. changes in the activities of Group members;
        c. conflicts of interest arising within the Group; and
        d. events in the Group, particularly those that may affect the Insurer's own regulatory compliance (for example, failures of control or compliance in other Group members).
        6. The Insurer should have in place procedures to insulate the Insurer, so far as practicable, from potentially adverse effects of Group activities (for example, transfer pricing or fronting) or Group events that may expose the Insurer to risk. Such procedures could include requirements for transactions with Group members to be at arm's length, and for maintenance of 'Chinese walls', and development of contingency plans.
        7. Senior management should take reasonable steps to ensure that:
        a. relevant Group members are aware of the Insurer's Group risk management and reporting obligations;
        b. Group capital and Group risk reporting requirements are complied with; and
        c. information in respect of the Group provided to the DFSA is of appropriate quality.

        Derived from DFSA RM06/2004 (Made 16th September 2004). [VER1/09-04]