ABACUS LIFE LIMITED
and
ABACUS INSURANCE LIMITED
(hereinafter collectively referred to as
“Abacus”).
OUTSOURCING POLICY
Abacus – Outsourcing Policy *** CONFIDENTIAL ***
Contents
1. Document History and Information
2. Policy Governance
3. Introduction
4. Policy Application
5. Policy Statement
6. Selection and Assessment
7. Critical Functions
8. Outsourcing Limitations
9. Monitoring of Outsourcing Relationships
10. Reporting to Registrar
11. Remunerations
12. References
13. Signatories
A1. Appendix 1: Outsourcing Register
A2. Appendix 2: Minimum Business Case Content
1. Document History and Information
1.1 Document Information
Document owner: Chief Risk Officer
Author/Reviewer: Abacus
Creation date: September 2016
Latest approval date: 15 June 2017
Version: 1.0
1.2 Document draft history
Date | Version | Status | Reviewers | Action/Comment
September 2016 | v0.1 | Draft | To be confirmed | To be confirmed
15 June 2017 | v0.1 | Approved | Risk Committee |
1.3 Document review history
Date | Version | Status | Reviewers | Action/Comment
1.4 Change mechanism
1.4.1 Any requirement for change or clarification should be addressed to the Document
Owner, as defined in this policy, who will log the issue in the Issues Log.
1.4.2 The Risk and Compliance Function shall maintain the Issues Log discussed in
paragraph 1.4.1.
1.4.3 Issues must be collected via the Issues Log until the regular policy review date, at
which point all identified issues with respect to this policy must be considered and
addressed as part of the policy review and update process.
1.4.4 Urgent issues must be addressed as soon as possible and where necessary
through the normal governance process for acceptance before being
communicated. This shall be at the discretion of the Risk and Compliance
Function.
2. Policy Governance
2.1 The purpose of this document is to:
2.1.1 Provide a policy and framework within which the Board and management can
outsource control functions, management functions and material functions which
would otherwise have been performed by Abacus in-house;
2.1.2 Enable Abacus to comply with the outsourcing requirements of the Financial
Services Board as set out in Directive 159.
2.1.3 Ensure that Abacus has appropriate governance and control over any outsourced
activity;
2.1.4 Enable Abacus to carry out any outsourcing arrangement in such a manner that
will:
2.1.4.1 not impact negatively on their ability to ensure a sustainable and growing
business;
2.1.4.2 ensure that Abacus will still be in a position to carry out their
obligations as underwriters;
2.1.4.3 protect the interest of policyholders, and as such satisfy and meet all
regulatory requirements, and
2.1.5. Ensure that Abacus will still be able to satisfy customer needs and the fair
treatment of customers, by selecting service providers that have adequate,
acceptable business practices, financial soundness, governance, risk
management, compliance structures, processes and operational efficiencies to
perform outsourced activities based on criteria defined and assessed by Abacus.
2.2 Related Documents
2.2.1 This policy will be applied in conjunction with the following:
Policy Name | Relationship
Corporate Governance Framework | Governed by
Risk Management Framework | Governed by
Risk Management Strategy | Referenced
Business Glossary | Referenced
2.3 Legislative framework
2.3.1 Abacus must adhere to certain regulatory requirements of the Financial Services
Board (“FSB”) namely:
2.3.2.1 Long-term Insurance Act No. 52 of 1998 and Short-term Insurance Act
No. 53 of 1998
2.3.2.2 BN 158 of 2015
2.3.2.3 Companies Act No. 71 of 2008; and
2.3.2.4 Any other applicable legislation
2.4 Policy governance
2.4.1 The table below outlines the roles and responsibilities of the stakeholders
responsible for governance of this Policy.
Responsibility | Structure | Interest, Duties and Responsibilities
Ownership | Head of Risk Management and Compliance Function | The Head of the Risk and Compliance Management Function is responsible for policy ownership. This includes ensuring that the policy remains up to date, is effective within the organisation and that changes are communicated to those that are required to implement the policy operationally.
Approval | Board of Directors | The Board must approve this Policy and the respective minimum standards. This will be done through a sub-committee of the Board, namely the Risk Committee (RC).
Review | Risk and Compliance Function; RC; Senior Management | It is the responsibility of the Risk and Compliance Function, together with the RC and Senior Management, to review this policy on at least an annual basis. Where appropriate, the policy must be adapted in view of any significant changes in the risk management system.
Supervision | Board of Directors | The Board is ultimately responsible for the application and requirements of this Policy but delegates some functions to Board committees, management committees, other forums, managers and any other persons. This responsibility will be delegated to the RC.
Operational Implementation | The Executive Committees (“EXCO”) of the respective insurance entities | The EXCO of the respective insurance entities are responsible for operational implementation of the policy. Members of the respective committees are responsible for understanding the principles of this policy and ensuring adequate information is made available to them to ensure they are confident that Abacus’ activities are being managed in line with the requirements as set out by this policy.
2.4.2 In the event of a breach of this Policy, the Head of the Risk and Compliance
Function should be notified immediately. The Head of the Risk and Compliance
Function must then escalate the notified breach appropriately. Issues will be
escalated to EXCO (Executive Committee). After consultation with the EXCO,
significant issues will further be brought to the attention of the RC.
2.5 Terminology and Definitions
2.5.1 Please refer to Abacus’ Business Glossary.
3. Introduction
3.1. Abacus aims to become the best provider of easy and affordable Insurance solutions in
South Africa.
3.2. In order to achieve the abovementioned, it is necessary to apply conscientious, rigorous,
effective and efficient governance and control mechanisms, procedures and structures, in
particular when outsourcing business functions.
3.3. Abacus Life Limited and Abacus Insurance Limited are referred to in this policy as
“Abacus”.
3.4. Abacus will consider the outsourcing of a function mentioned in paragraph 4 below when
the Board and management are of the opinion that Abacus does not have the required
in-house expertise to fulfil the function and, taking into consideration the size and
complexity of the business, if it is financially more prudent to outsource such function.
4. Policy Application
4.1 This Policy is only applicable to the outsourcing of the following functions:
4.1.1 Control Functions;
4.1.2 Management Functions; and
4.1.3 Material Business Functions.
4.2 Control Function
4.2.1 A control function relates to the following business functions:
4.2.1.1 Risk Management;
4.2.1.2 Compliance;
4.2.1.3 Actuarial; and
4.2.1.4 Internal Audit.
4.3 Management Function
4.3.1 A management function is a business function usually performed by a Managing
Executive, and includes the day-to-day responsibilities of managing Abacus.
4.4 Material Function
4.4.1 A material function includes any function that has the potential, if disrupted, to have
a significant impact on the insurance business operations to manage risk
effectively, including risk to the fair treatment of customers.
4.4.2 For the purpose of this policy, the following business functions will be regarded as
material functions:
4.4.2.1 Information Technology;
4.4.2.2 Human Resources;
4.4.2.3 Treasury;
4.4.2.4 Finance (includes investments);
4.4.2.5 Complaints;
4.4.2.6 Claims;
4.4.2.7 Sales and marketing.
4.4.3 Intermediary Services and Binder Functions that are provided by authorised
financial services providers which are deemed to be material will also be subject to
the provisions of this policy.
5. Policy Statement
5.1 The Board of Directors of Abacus have committed to processes of governance, risk
management and controls that are aligned with:
5.1.1 Generally Accepted Good Practice,
5.1.2 the requirements of Solvency Assessment and Management (SAM) supervisory
practices,
5.1.3 the Companies Act,
5.1.4 the King Code of Governance Principles and the King Report on Governance 2009
(King IV),
5.1.5 Directive 159.A.i of Long-term and Short-term Insurance Act,
5.1.6 as well as all applicable insurance and other laws.
5.2 In terms of this policy, outsourcing is defined as an arrangement of any form between
Abacus and a service provider (related or unrelated) by which such a service provider
will perform a process, service or an activity, whether directly or by sub-outsourcing,
which would otherwise have been performed by Abacus themselves now or in the future.
Regulatory requirements further describe outsourced activities as control, management
or material functions. The realisation of Abacus’ strategic business goals depends on
their management having appropriate governance, risk and control structures and
procedures in place that will support and enable management to create value for all
stakeholders. The governance and control of all outsourcing arrangements is not there
to impede the management of the business, but to assist with the achievement of
organisational objectives.
5.3 Abacus is committed to ensuring that, where outsourcing is undertaken, it is performed
in such a manner that contributes positively to the sustainability and growth of the
business. Abacus views outsourcing as an opportunity to contain costs, improve
customer experience or access specialist expertise that would otherwise not be available
internally. Abacus is fully aware and mindful of the regulatory requirements in respect of
outsourcing, and will therefore ensure such outsourcing is in compliance with relevant
legislation, regulatory and supervisory requirements. Outsourced activities and
arrangements will be conducted in such a manner that the expectations of our
employees, our customers, our shareholders and other stakeholders in terms of due
care, corporate governance and controls are realised.
5.4 The responsibility and accountability for implementation of this Outsourcing Policy rests
with management. The Board of Directors retains accountability and responsibility for the
overall process of governance, risk management and internal controls of risk
management.
5.5 Abacus further commits to transparent reporting in respect of outsourcing to all its
stakeholders via the relevant and applicable governance structures.
6. Selection and Assessment
6.1 Those involved in Abacus’ selection process must not have any conflicts of interest with
the potential applicants. Should a conflict of interest arise, this must be dealt with in line
with Abacus’ Risk Management and Conflict of Interest policy.
6.2 Prior to outsourcing any critical function or activity the following must occur:
6.2.1 Risk assessment
6.2.2 Due diligence
6.2.3 Legal agreement in place that ensures sufficient control over outsourcing
arrangements.
6.3 Risk Assessment
6.3.1 The risks associated with outsourcing arrangements will be treated and dealt with
as prescribed by Abacus’ overall Corporate Governance Framework and Risk
Management Framework insofar as the identification, assessment,
categorisation, mitigation and control of risks associated with outsourcing
arrangements are concerned.
6.3.2 The following categories of risks will be assessed before entering into
outsourcing arrangements, and the vendor will be periodically monitored to
establish if they comply with their contractual obligations:
6.3.2.1 Contractual Risk;
6.3.2.2 Strategic Risk;
6.3.2.3 Reputation Risk;
6.3.2.4 Compliance Risk;
6.3.2.5 Operational Risk;
6.3.2.6 Exit Strategy Risk;
6.3.2.7 Access Risk;
6.3.2.8 Concentration and Systemic Risk;
6.3.2.9 Credit Risk; and
6.3.2.10 Any other emerging risk relevant to the particular engagement
6.4 Due Diligence
6.4.1 Due diligence should involve an evaluation of all available information about the
service provider, including but not limited to:
6.4.1.1 The required competence to render the outsourced services;
6.4.1.2 Past experience and competence to implement and support the
proposed activity over the contracted period;
6.4.1.3 Financial soundness and ability to service commitments even under
adverse conditions;
6.4.1.4 Business reputation and culture, compliance, complaints and
outstanding or potential litigation;
6.4.1.5 Security and internal control, audit coverage, reporting and monitoring
environment, business continuity management;
6.4.1.6 External factors like political, economic, social and legal environment of
the jurisdiction in which the service provider operates and other events
that may impact service performance;
6.4.1.7 Ensuring due diligence by the service provider of its employees; and
6.4.1.8 Appropriate Governance, Risk Management, Compliance and Internal
Control structures that support the outsourced functions.
6.4.1.9 The due diligence carried out shall result in a detailed business case
being presented to the Board of Directors for consideration. (The
minimum content included in the business case is outlined in Appendix
2: Minimum Business Case Content.)
6.5 Legal Agreement
6.5.1 The terms and conditions governing the contract between Abacus and the
service provider/s must be fully defined in written agreements and vetted by
Abacus’ legal staff and/or advisors on their legal effect and enforceability.
The agreement should be sufficiently flexible to allow Abacus to retain an
appropriate level of control over the outsourced function and provide Abacus
with the right to intervene with appropriate measures to ensure that they are
able to meet their legal and regulatory obligations.
6.5.2 Outsourcing agreements should make provision for the following:
6.5.2.1 Clear definitions and frequency of the activities that are going to be
outsourced including appropriate service and performance standards;
6.5.2.2 Provisions enabling Abacus to access all books, records and information
relevant to the outsourced activity in the service provider;
6.5.2.3 Provisions for monitoring and assessment by Abacus of the activities of
the service provider relating to the outsourced activity, so that any
necessary corrective measure can be taken when required;
6.5.2.4 A termination clause and minimum periods to execute a termination
provision, if deemed necessary, should be included;
6.5.2.5 Controls to ensure customer data confidentiality and service providers'
liability in case of breach of security and leakage of confidential
customer related information;
6.5.2.6 Contingency plans to ensure business continuity;
6.5.2.7 Use of subcontractors:
6.5.2.7.1 Requirements for the approval by Abacus for the use of
subcontractors by the service provider for all or part of an
outsourced activity;
6.5.2.7.2 The terms and conditions, where applicable, on which the
service provider may sub-contract any of the outsourced
functions and activities.
6.5.2.7.3 That the service provider's duties and responsibilities under
its agreement with Abacus shall remain unaffected by any
sub-contracting.
6.5.2.7.4 The obligations on the service provider to have appropriate
governance, risk management and internal controls in place
to perform the outsourced activity.
6.5.2.8 Provisions for the right of Abacus to conduct audits, on the service
provider, relating to the outsourced services performed for Abacus,
whether by its internal or external auditors, or by agents appointed to act
on its behalf and to obtain copies of any audit or review reports and
findings made on the service provider;
6.5.2.9 Specific duration of the outsourcing contract;
6.5.2.10 Specify the level and standard of service that must be rendered to a
policyholder, where relevant to the insurer;
6.5.2.11 Require the outsourced partner to comply with applicable laws;
6.5.2.12 Specify the rand amount of the remuneration or consideration payable
by the insurer to the person;
6.5.2.13 Provide for the type and frequency of reporting by the other person;
6.5.2.14 Provide for periodic performance reviews of the other person;
6.5.2.15 Specify the other person will take necessary steps to allow the Registrar
access to its business and information in respect of the outsourcing;
6.5.2.16 Require that the other person have appropriate governance, risk
management, and internal controls in place to perform outsourced
functions or activity;
7. Critical Functions
7.1 Functions that are fundamental to carrying out Abacus’ core business are considered to
be critical functions. A Critical Function is defined as a function that is fundamental to
carrying out Abacus’ core business; the failure of which would result in one or more of
the following:
7.1.1 A financial loss of sufficient magnitude to require a draw-down of the capital
adequacy requirement
7.1.2 Failure to meet the contractual obligations to policyholders
7.1.3 A potential loss of licence or penalty being imposed by the Regulator, financial or
otherwise
7.2 The Control Functions in the business shall automatically be deemed to be critical
functions.
7.3 The RC shall determine whether or not a function, activity or service is Critical.
7.4 The following must not be considered Critical Functions:
7.4.1 The provision to the Company of advisory services and other services, which do
not form part of the core insurance activities, such as legal advice, the training of
personnel, billing services and the security of premises and personnel;
7.4.2 The purchase of standardised services, including market information services and
the provision of price feeds;
7.4.3 The provision of logistical support, for example, cleaning or catering;
7.4.4 The provision of elements of human resources support, for example, sourcing
temporary employees and processing payroll.
8. Outsourcing Limitations
8.1 Abacus shall not enter into any outsourcing arrangement that may lead to any of the
following:
8.1.1 Breach of any law or regulation, in particular with regard to rules on data
protection;
8.1.2 Material impairment of the quality of the system of governance, and the business’
ability to manage risk;
8.1.3 An undue increase in financial or operational risk to the business;
8.1.4 Impairment of the ability of the Registrar to monitor Abacus’ compliance with its
obligations;
8.1.5 The service provider not being subject to the same provisions on the safety and
confidentiality of information relating to Abacus or to its policyholders or
beneficiaries;
8.1.6 An undermining of Abacus’ internal best practice standards, potentially
undermining the fair treatment of and the continuous and satisfactory service to
policyholders;
8.1.7 A conflict of interest between the business, the interests of policyholders or the
interests of third party service providers that can’t be avoided or mitigated against;
8.1.8 A potential breach of the Risk Appetite Limits set by the Board. Refer to the Risk
Management Strategy for further details.
9. Monitoring of Outsourcing Relationships
9.1 Abacus shall maintain a competence and ability within the organisation to assess, on an
on-going basis, whether or not the outsourced service providers are delivering according
to their contracts as well as the fair treatment of policyholders.
9.2 The Company Secretary shall maintain an Outsourcing Register to track and monitor the
Critical Outsourcing Arrangements in the business. Refer to Appendix 1: Outsourcing
Register for further details.
9.3 The Outsourcing Register must be reviewed and reported on by the Head of the Risk
and Compliance function to the Board via the RC at least annually or in the instance of
any significant changes.
9.4 The Head of Risk and Compliance Function shall report to the RC at least annually on
the results of the above monitoring process.
10. Reporting to Registrar
10.1 The Risk and Compliance Function shall facilitate communication to the Regulator where
applicable.
10.2 The Risk and Compliance Function must be notified of proposed outsourcing
arrangements and must be provided with the necessary information in a timely manner.
10.3 Abacus shall, by no later than one month prior to the effective date of a contract
governing a Critical Outsourcing Agreement, notify the Registrar of:
10.3.1 The proposed outsourcing;
10.3.2 Details of the proposed outsourcing service provider; and
10.3.3 The key risks associated with the outsourcing and the risk mitigation strategies
that will be in place to address those risks.
10.4 Abacus shall notify the Registrar after entering into a Critical Outsourcing Agreement,
and must immediately notify the Registrar of any material developments such as
pending termination and material non-performance with respect to the outsourcing
referred to above, for the duration of the outsourcing contract.
10.5 Abacus shall specifically consult with the Regulator prior to entering into a Critical
Outsourcing Agreement with a service provider that conducts its activities outside of the
Regulator’s jurisdiction.
10.6 The written notification of any Critical Outsourcing Agreement must describe the function
or activities outsourced and include who the service provider is. The name of the person
who at the service provider will be responsible for the outsourced function or activities
must also be stated in the written notification.
11. Remunerations
11.1 Any remuneration paid in respect of outsourcing shall:
11.1.1 Be reasonable and commensurate with the actual process, service or activity
outsourced.
11.1.2 Not result in any process, service or activity in respect of which commission or a
binder fee is payable being remunerated again.
11.1.3 Not be structured in a manner that may encourage the unreasonable or unfair
treatment of policyholders.
11.1.4 Not be linked to the monetary value of insurance claims repudiated, paid, not
paid or partially paid.
12 Ownership of Intellectual Property
12.1. In terms of any outsourcing agreement, ownership of all intellectual property
belonging to Abacus, which includes but is not limited to related documentation,
concepts, policies and procedures, software and data (which includes
policyholder information) remains with Abacus.
12.2. All outsourced agreements must:
Include a clause or clauses safeguarding Abacus in terms of intellectual
property rights and indemnification of Abacus against any abuse thereof as
far as legislation allows.
Allow for legal action to be taken against the transgressing service provider to
whom the function has been outsourced as applicable.
13 Indemnity and Liability
13.1. Abacus must include liability limitation and general indemnification clauses within
outsourcing agreements.
13.2. These may include protection against litigation, loss of profits, fraud and any other
potential risk resulting from the outsourcing agreement.
14 Warranties, Guarantees and Insurance
14.1. Where applicable, outsourcing agreements must include provisions that the
outsourced partner must carry warranties, guarantees and/or insurance.
15 Dispute Resolution
15.1. Contracts must make mention of a dispute resolution process which may include
arbitration or any other non-partisan mediation as applicable.
16. References
16.1 The following documents were used in the drafting of this Policy:
Directive 159, Directive on Outsourcing issued by the Financial Services Board;
17 Signatories
Chairperson of the Board Chief Executive Officer Abacus
* *
_______________________ _______________________
FA Patrizi
April 2017
R Griessel
April 2017
* This revised policy was approved at the Risk committee meeting held on 15 June 2017, point 14 Governance matters.
A1. Appendix 1: Outsourcing Register
A1.1. The Outsourcing Register will at minimum include:
A1.1.1. A description of the function or activity being outsourced;
A1.1.2. The reason for classifying the outsourced function or activity as being critical or
important;
A1.1.3. The service provider;
A1.1.4. The name of the individual responsible for the outsourcing relationship at
Abacus;
A1.1.5. The name of the individual responsible for the Outsourced Critical Function at
the service provider;
A1.1.6. The duration of the agreement;
A1.1.7. Details of risk mitigating measures in the agreement i.e. exit clause;
A1.1.8. The annual budgeted cost of the agreement;
A1.1.9. The location where the original signed outsourced agreement is kept.
A2. Appendix 2: Minimum Business Case Content
A2.1. At a minimum, the business case must also include the following:
A2.1.1. An assessment of the potential impact of multiple outsourcing by the service
provider to a number of other insurers
A2.1.2. A cost-benefit analysis
A2.1.3. An inherent risk assessment
A2.1.4. Suitable strategies for managing the changes in the risk profile of the business
to ultimately ensure that the risk management framework and governance
framework extend to the service provider; including ensuring that appropriate
capital is held relative to these risks.
A2.1.5. A suitable process for managing and monitoring service levels