abacus outsourcing policy - insurance€¦ · abacus – outsourcing policy * confidential *...

1

ABACUS LIFE LIMITED

and

ABACUS INSURANCE LIMITED

(hereinafter collectively referred to as

“Abacus”).

OUTSOURCING POLICY

Abacus – Outsourcing Policy *** CONFIDENTIAL ***

of 17

Contents 1. Document History and Information ...................................................................................... 3 2. Policy Governance .............................................................................................................. 4 3. Introduction ......................................................................................................................... 7 4. Policy Application ................................................................................................................ 7 5. Policy Statement ................................................................................................................. 8 6. Selection and Assessment .................................................................................................. 9 7. Critical Functions ............................................................................................................... 13 8. Outsourcing Limitations ..................................................................................................... 13 9. Monitoring of Outsourcing Relationships ........................................................................... 14 10. Reporting to Registrar ....................................................................................................... 14 11. Remunerations .................................................................................................................. 15 12. References ........................................................................................................................ 16 13 Signatories ........................................................................................................................ 16 A1. Appendix 1: Outsourcing Register ..................................................................................... 17 A2. Appendix 2: Minimum Business Case Content .................................................................. 17


of 17

1. Document History and Information

1.1 Document Information

Document owner Chief Risk Officer

Author/Reviewer Abacus

Creation date September 2016

Latest approval date 15 June 2017

Version 1.0

1.2 Document draft history

Date Version Status Reviewers Action/Comment

September 2016 v0.1 Draft To be confirmed To be confirmed

15 June 2017 v0.1 Approved Risk Committee

1.3 Document review history

Date Version Status Reviewers Action/Comment

1.4 Change mechanism

1.4.1 Any requirement for change or clarification should be addressed to the Document

Owner, as defined in this policy, who will log the issue in the Issue Log.

1.4.2 The Risk and Compliance Function shall maintain the Issues Log discussed in

paragraph 1.4.1.

1.4.3 Issues must be collected via the Issues Log until the regular policy review date, at

which point all identified issues with respect to this policy must be considered and

addressed as part of the policy review and update process.

1.4.4 Urgent issues must be addressed as soon as possible and where necessary

through the normal governance process for acceptance before being


of 17

communicated. This shall be at the discretion of the Risk and Compliance

Function.

2. Policy Governance

2.1 The purpose of this document is to:

2.1.1 Provide a policy and framework within which the Board and management can

outsource control functions, management functions and material functions which

would otherwise have been performed by Abacus in-house;

2.1.2 Enable Abacus to comply with the outsourcing requirements of the Financial

Services Board as set out in Directive 159.

2.1.3 Ensure that Abacus has appropriate governance and control over any outsourced

activity;

2.1.4 Enable Abacus to carry out any outsourcing arrangement in such a manner that

will:

2.1.4.1 not impact negatively on their ability to ensure a sustainable and growing

business;

2.1.4.2 will ensure that Abacus will still be in a position to carry out their

obligations as underwriters;

2.1.4.3 protect the interest of policyholders, and as such satisfy and meet all

regulatory requirements, and

2.1.5. Ensure that Abacus will still be able to satisfy customer needs and the fair

treatment of customers, by selecting service providers that have adequate,

acceptable business practices, financial soundness, governance, risk

management, compliance structures; processes and operational efficiencies to

perform outsourced activities based on criteria defined and assessed by Abacus.

2.2 Related Documents

2.2.1 This policy will be applied in conjunction with the following:

Policy Name Relationship

Corporate Governance Framework Governed by

Risk Management Framework Governed by

Risk Management Strategy Referenced

Business Glossary Referenced

2.3 Legislative framework


of 17

2.3.1 Abacus must adhere to certain regulatory requirements of the Financial Services

Board (“FSB”) namely:

2.3.2.1 Long-term Insurance Act No. 52 of 1998 and Short-term Insurance Act

No. 53 of 1998

2.3.2.2 BN 158 of 2015

2.3.2.3 Companies Act No.71 of 2008; and

2.3.2.4 Any other applicable legislation

2.4 Policy governance

2.4.1 The table below outlines the roles and responsibilities of the stakeholders

responsible for governance of this Policy.

Responsibility Structure Interest, Duties and

Responsibilities

Ownership Head of Risk Management and

Compliance Function

The Head of the Risk and

Compliance Management

Function is responsible for

policy ownership. This includes

ensuring that the policy

remains up to date, is effective

within the organisation and that

changes are communicated to

those that are required to

implement the policy

operationally.

Approval Board of Directors The Board must approve this

Policy and the respective

minimum standards. This will

be done through a sub-

committee of the Board,

namely the Risk Committee

(RC)


of 17

Review Risk and Compliance Function;

RC; Senior Management

It is the responsibility of Risk

and Compliance Function,

together with the RC and

Senior Management, to review

this policy on at least an

annual basis. Where

appropriate, the policy must be

adapted in view of any

significant changes in the risk

management system.

Supervision Board of Directors The Board is ultimately

responsible for the application

and requirements of this Policy

but delegates some functions

to Board committees,

management committees,

other forums, managers and

any other persons. This

responsibility will be delegated

to the RC

Operational Implementation The Executive Committees

(“EXCO”) of the respective

insurance entities

The EXCO of the respective

insurance entities are

responsible for operational

implementation of the policy.

Members of the respective

committees are responsible for

understanding the principles of

this policy and ensuring

adequate information is made

available to them to ensure

they are confident that Abacus’

activities is being managed in-

line with the requirements as

set out by this policy.

2.4.2 In the event of a breach of this Policy, the Head of the Risk and Compliance

Function should be notified immediately. The Head of the Risk and Compliance


of 17

Function must then escalate the notified breach appropriately. Issues will be

escalated to EXCO (Executive Committee). After consultation with the EXCO,

significant issues will further be brought to the attention of the RC.

2.5 Terminology and Definitions

2.5.1 Please refer to Abacus’ Business Glossary.

3. Introduction 3.1. Abacus aims to become the best provider of easy and affordable Insurance solutions in

South Africa.

3.2. In order to achieve the abovementioned, it is necessary to apply conscientious, rigorous,

effective and efficient governance and control mechanisms, procedures and structures in

particular when outsourcing function business functions.

3.3. The Abacus Life Limited, Abacus Insurance Limited is referred to in this policy as

“Abacus”.

3.4. Abacus will consider the outsourcing of a function mentioned in paragraph 4 below when

the Board and management is of the opinion that Abacus does not have the required in-

house expertise to fulfil the function and, taking into consideration the size and

complexity of the business, if it is financially more prudent to outsource such function.

4. Policy Application

4.1 This Policy is only applicable to the outsourcing of the following functions:

4.1.1 Control Functions;

4.1.2 Management Functions; and

4.1.3 Material Business Functions.

4.2 Control Function

4.2.1 A control function relates to the following business functions:

4.2.1.1 Risk Management;

4.2.1.2 Compliance;

4.2.1.3 Actuarial; and

4.2.1.4 Internal Audit.


of 17

4.3 Management Function

4.3.1 A management function is a business function usually performed by a Managing

Executive, and includes the day-to-day responsibilities of managing Abacus.

4.4 Material Function

4.4.1 A material function includes any function that has the potential if disrupted, to have

a significant impact on the insurance business operations to manage risk

effectively, including risk to the fair treatment of customers.

4.4.2 For the purpose of this policy, the following business functions will be regarded as

material functions:

4.4.2.1 Information Technology;

4.4.2.2 Human Resources;

4.4.2.3 Treasury;

4.4.2.4 Finance (includes investments);

4.4.2.5 Complaints;

4.4.2.6 Claims.

4.4.2.7 Sales and marketing

4.4.3 Intermediary Services and Binder Functions that are provided by authorised

financial services providers which are deemed to be material will also be subject to

the provisions of this policy.

5. Policy Statement

5.1 The Board of Directors of Abacus have committed to processes of governance, risk

management and controls that are aligned with:

5.1.1 Generally Accepted Good Practice,

5.1.2 the requirements of Solvency Assessment and Management (SAM) supervisory

practices,

5.1.3 the Companies Act,

5.1.4 the King Code of Governance Principles and the King Report on Governance 2009

(King IV),

5.1.5 Directive 159.A.i of Long-term and Short-term Insurance Act,

5.1.6 as well as all applicable insurance and other laws.

5.2 In terms of this policy, outsourcing is defined as an arrangement of any form between

Abacus and a service provider (related or unrelated) by which such a service provider

will perform a process, service or an activity, whether directly or by sub-outsourcing,


of 17

which would otherwise have been performed by Abacus themselves now or in the future.

Regulatory requirements further describe outsourced activities as control, management

or material functions. The realisation of Abacus’ strategic business goals depends on

their management having appropriate governance, risk and control structures and

procedures in place that will support and enable management to create value for all

stakeholders. The governance and control of all outsourcing arrangements is not there

to impede the management of the business, but to assist with the achievement of

organisational objectives.

5.3 Abacus is committed to ensuring that, where outsourcing is undertaken, it is performed

in such a manner that contributes positively to the sustainability and growth of the

business. Abacus views outsourcing as an opportunity to contain costs, improve

customer experience or access specialist expertise that would otherwise not be available

internally. Abacus is fully aware and mindful of the regulatory requirements in respect of

outsourcing, and will therefore ensure such outsourcing is in compliance with relevant

legislation, regulatory and supervisory requirements. Outsourced activities and

arrangements will be conducted in such a manner that the expectations of our

employees, our customers, our shareholders and other stakeholders in terms of due

care, corporate governance and controls are realised.

5.4 The responsibility and accountability for implementation of this Outsourcing Policy rests

with management. The Board of Directors retains accountability and responsibility for the

overall process of governance, risk management and internal controls of risk

management.

5.5 Abacus further commits to transparent reporting in respect of outsourcing to all its

stakeholders via the relevant and applicable governance structures.

6. Selection and Assessment

6.1 Those involved in Abacus selection process must not have any conflicts of interest with

the potential applicants. Should a conflict of interest arise, this must be dealt with in line

with Abacus Risk Management and Conflict of Interest policy.

6.2 Prior to outsourcing any critical function or activity the following must occur:

6.2.1 Risk assessment

6.2.2 Due diligence

6.2.3 Legal agreement in place that ensures sufficient control over outsourcing

arrangements.

6.3 Risk Assessment


of 17

6.3.1 The risks associated with outsourcing arrangements will be treated and dealt with

as prescribed by Abacus’ overall Corporate Governance Framework and Risk

Management Framework insofar as the identification, assessment,

categorisation, mitigation and control of risks associated with outsourcing

arrangements are concerned.

6.3.2 The following categories of risks will be assessed before entering into

outsourcing arrangements, and the vendor will be periodically monitored to

establish if they comply with their contractual obligations

6.3.2.1 Contractual Risk;

6.3.2.2 Strategic Risk;

6.3.2.3 Reputation Risk;

6.3.2.4 Compliance Risk;

6.3.2.5 Operational Risk;

6.3.2.6 Exit Strategy Risk;

6.3.2.7 Access Risk;

6.3.2.8 Concentration and Systemic Risk;

6.3.2.9 Credit Risk; and

6.3.2.10 Any other emerging risk relevant to the particular engagement

6.4 Due Diligence

6.4.1 Due diligence should involve an evaluation of all available information about the

service provider, including but not limited to:

6.4.1.1 The required competence to render the outsourced services;

6.4.1.2 Past experience and competence to implement and support the

proposed activity over the contracted period;

6.4.1.3 Financial soundness and ability to service commitments even under

adverse conditions;

6.4.1.4 Business reputation and culture, compliance, complaints and

outstanding or potential litigation;

6.4.1.5 Security and internal control, audit coverage, reporting and monitoring

environment, business continuity management;

6.4.1.6 External factors like political, economic, social and legal environment of

the jurisdiction in which the service provider operates and other events


of 17

that may impact service performance;

6.4.1.7 Ensuring due diligence by service provider of its employees; and

6.4.1.8 Appropriate Governance, Risk Management, Compliance and Internal

Control structures that support the outsourced functions.

6.4.1.9 The due diligence carried out shall result in a detailed business case

being presented to the Board of Directors for consideration. (The

minimum content included in the business case is outlined in Appendix

2: Minimum Business Case Content)

6.5 Legal Agreement

6.5.1 The terms and conditions governing the contract between Abacus and the

service provider/s must be fully defined in written agreements and vetted by

Abacus’ legal staff and/or advisors on their legal effect and enforceability.

The agreement should be sufficiently flexible to allow Abacus to retain an

appropriate level of control over the outsourced function and provide Abacus

with the right to intervene with appropriate measures to ensure that they are

able to meet their legal and regulatory obligations.

6.5.2 Outsourcing agreements should make provision for the following:

6.5.2.1 Clear definitions and frequency of the activities that are going to be

outsourced including appropriate service and performance standards;

6.5.2.2 Provisions enabling Abacus to access all books, records and information

relevant to the outsourced activity in the service provider;

6.5.2.3 Provisions for monitoring and assessment by Abacus of the activities of

the service provider relating to the outsourced activity, so that any

necessary corrective measure can be taken when required;

6.5.2.4 A termination clause and minimum periods to execute a termination

provision, if deemed necessary, should be included;

6.5.2.5 Controls to ensure customer data confidentiality and service providers'

liability in case of breach of security and leakage of confidential

customer related information;

6.5.2.6 Contingency plans to ensure business continuity;

6.5.2.7 Use of subcontractors:

6.5.2.7.1 Requirements for the approval by Abacus for the use of

subcontractors by the service provider for all or part of an


of 17

outsourced activity;

6.5.2.7.2 The terms and conditions, where applicable, on which the

service provider may sub-contract any of the outsourced

functions and activities.

6.5.2.7.3 That the service provider's duties and responsibilities under

its agreement with Abacus shall remain unaffected by any

sub-contracting.

6.5.2.7.4 The obligations on the service provider to have appropriate

governance, risk management and internal controls in place

to perform the outsourced activity.

6.5.2.8 Provisions for the right of Abacus to conduct audits, on the service

provider, relating to the outsourced services performed for Abacus,

whether by its internal or external auditors, or by agents appointed to act

on its behalf and to obtain copies of any audit or review reports and

findings made on the service provider;

6.5.2.9 Specific duration of the outsourcing contract;

6.5.2.10 Specific the level and standard of service that must be rendered to a

policyholder, where relevant to the insurer;

6.5.2.11 Require the outsourced partner to comply with applicable laws;

6.5.2.12 Specify the rand amount of the remuneration or consideration payable

by the insurer to the person;

6.5.2.13 Provide for the type and frequency of reporting by the other person;

6.5.2.14 Provide for periodic performance reviews of the other person;

6.5.2.15 Specify the other person will take necessary steps to all the Registrar

access to its business and information in respect of the outsourcing;

6.5.2.16 Require that the other person have appropriate governance, risk

management, and internal controls in place to perform outsourced

functions or activity;


of 17

7. Critical Functions

7.1 Functions that are fundamental to carrying out Abacus’ core business are considered to

be critical functions. A Critical Function is defined as a function that is fundamental to

carrying out Abacus’ core business; the failure of which would result in one or more of

the following:

7.1.1 A financial loss of sufficient magnitude to require a draw-down of the capital

adequacy requirement

7.1.2 Failure to meet the contractual obligations to policyholders

7.1.3 A potential loss of license or penalty being imposed by the Regulator; financial or

otherwise

7.2 The Control Functions in the business shall automatically be deemed to be critical

functions.

7.3 The RC shall determine whether or not a function, activity or service is Critical.

7.4 The following must not be considered Critical Functions:

7.4.1 The provision to the Company of advisory services and other services, which do

not form part of the core insurance activities, such as legal advice, the training of

personnel, billing services and the security of premises and personnel;

7.4.2 The purchase of standardised services, including market information services and

the provision of price feeds;

7.4.3 The provision of logistical support, for example, cleaning or catering;

7.4.4 The provision of elements of human resources support, for example, sourcing

temporary employees and processing payroll.

8. Outsourcing Limitations

8.1 Abacus shall not enter into any outsourcing arrangement that may lead to any of the

following:

8.1.1 Breach of any law or regulation, in particular with regard to rules on data

protection;

8.1.2 Material impairment of the quality of the system of governance, and the business’

ability to manage risk;

8.1.3 An undue increase in financial or operational risk to the business;


of 17

8.1.4 Impairment of the ability of the Registrar to monitor Abacus’ compliance with its

obligations;

8.1.5 The service provider not being subject to the same provisions on the safety and

confidentiality of information relating to Abacus or to its policyholders or

beneficiaries;

8.1.6 An undermining of Abacus’ internal best practice standards; potentially

undermining the fair treatment of and the continuous and satisfactory service to

policyholders;

8.1.7 A conflict of interest between the business, the interests of policyholders or the

interests of third party service providers that can’t be avoided or mitigated against;

8.1.8 A potential breach of the Risk Appetite Limits set by the Board. Refer to the Risk

Management Strategy for further details.

9. Monitoring of Outsourcing Relationships

9.1 Abacus shall maintain a competence and ability within the organisation to assess, on an

on-going basis, whether or not the outsourced service providers are delivering according

to their contracts as well as the fair treatment to policyholders.

9.2 The Company Secretary shall maintain an Outsourcing Register to track and monitor the

Critical Outsourcing Arrangements in the business. Refer to Appendix 1: Outsourcing

Register for further details.

9.3 The Outsourcing Register must be reviewed and reported on by the Head of the Risk

and Compliance function to the Board via the RC at least annually or in the instance of

any significant changes.

9.4 The Head of Risk and Compliance Function shall report to the RC at least annually on

the results of the above monitoring process.

10. Reporting to Registrar

10.1 The Risk and Compliance Function shall facilitate communication to the Regulator where

applicable.

10.2 The Risk and Compliance Function must be notified of proposed outsourcing

arrangements and must be provided with the necessary information in a timely manner.

10.3 Abacus shall, by no later than one month prior to the effective date of a contract

governing a Critical Outsourcing Agreement, notify the Registrar of:

10.3.1 The proposed outsourcing;


of 17

10.3.2 Details of the proposed outsourcing service provider; and

10.3.3 The key risks associated with the outsourcing and the risk mitigation strategies

that will be in place to address those risks.

10.4 Abacus shall notify the Registrar after entering into a Critical Outsourcing Agreement,

and must immediately notify the Registrar of any material developments such as

pending termination and material non-performance with respect to the outsourcing

referred to above, for the duration of the outsourcing contract.

10.5 Abacus shall specifically consult with the Regulator prior to entering into a Critical

Outsourcing Agreement with a service provider that conducts its activities outside of the

Regulator’s jurisdiction.

10.6 The written notification of any Critical Outsourcing Agreement must describe the function

or activities outsourced and include who the service provider is. The name of the person

who at the service provider will be responsible for the outsourced function or activities

must also be stated in the written notification.

11. Remunerations

11.1 Any remuneration paid in respect of outsourcing shall:

11.1.1 Be reasonable and commensurate with the actual process, service or activity

outsourced.

11.1.2 Not result in any process, service or activity in respect of which commission or a

binder fee is payable being remunerated again.

11.1.3 Not be structured in a manner that may encourage the unreasonable or unfair

treatment of policyholders.

11.1.4 Not to be linked to the monetary value of insurance claims repudiated, paid, not

paid or partially paid.

12 Ownership of Intellectual Property

12.1. In terms of any outsourcing agreement, ownership of all intellectual property

belonging to Abacus, which includes but is not limited to related documentation,

concepts, policies and procedures, software and data (which includes

policyholder information) remains with Abacus.

12.2. All outsourced agreements must:

Include a clause or clauses safeguarding Abacus in terms of intellectual

property rights and indemnification of Abacus against any abuse thereof as

far as legislation allows.


of 17

Allow for legal action to be taken against the transgressing service provider to

whom the function has been outsourced as applicable.

13 Indemnity and Liability

13.1. Abacus must include liability limitation and general indemnification clauses within

outsourcing agreements.

13.2. These may include protection against litigation, loss of profits fraud and any other

potential risk resulting from the outsourcing agreement.

14 Warrantees, Guarantees and Insurance

14.1. Where applicable, outsourcing agreements must include provisions that the

outsourced partner must carry warrantees, guarantees and/or insurance.

15 Dispute Resolution

15.1. Contracts must make mention of a dispute resolution process which may include

arbitration or any other non-partisan mediation as applicable.

16. References

16.1 The following documents were used in the drafting of this Policy:

Directive 159, Directive on Outsourcing issued by the Financial Services Board;

17 Signatories

Chairperson of the Board Chief Executive Officer Abacus

* *

_______________________ _______________________

FA Patrizi

April 2017

R Griessel

April 2017

* This revised policy was approved at the Risk committee meeting held on 15 June 2017, point 14 Governance matters.


of 17

A1. Appendix 1: Outsourcing Register

A1.1. The Outsourcing Register will at minimum include:

A1.1.1. A description of the function or activity being outsourced;

A1.1.2. The reason for classifying the outsourced function or activity as being critical or

important;

A1.1.3. The service provider;

A1.1.4. The name of the individual responsible for the outsourcing relationship at

Abacus;

A1.1.5. The name of the individual responsible for the Outsourced Critical Function at

the service provider;

A1.1.6. The duration of the agreement;

A1.1.7. Details of risk mitigating measures in the agreement i.e. exit clause;

A1.1.8. The annual budgeted cost of the agreement;

A1.1.9. The location where the original signed outsourced agreement is kept.

A2. Appendix 2: Minimum Business Case Content

A2.1. At a minimum, the business case must also include the following:

A2.1.1. An assessment of the potential impact of multiple outsourcing by the service

provider to a number of other insurers

A2.1.2. A cost-benefit analysis

A2.1.3. An inherent risk assessment

A2.1.4. Suitable strategies for managing the changes in the risk profile of the business

to ultimately ensure that the risk management framework and governance

framework extend to the service provider; including ensuring that appropriate

capital is held relative to these risks.

A2.1.5. A suitable process for managing and monitoring service levels

abacus outsourcing policy - insurance€¦ · abacus – outsourcing policy *** confidential ***...

Documents

abacus outsourcing policy - insurance€¦ · abacus – outsourcing policy * confidential *...