Risk Mitigation Strategy: Overcoming crises before they begin

Syed Danish Ali

Table of Contents

1. INTRODUCTION ........................................................ 2
2. PLANNING AND MONITORING RISK ........................................ 3
3. CREDIT RISK ......................................................... 7
4. ASSET LIABILITY MANAGEMENT AND MARKET RISK ......................... 10
5. LIFE INSURANCE RISK ................................................ 14
6. NON-LIFE & HEALTH INSURANCE RISK ................................... 19
7. PRODUCT DESIGN AND PRICING RISK .................................... 25
8. INFORMATION TECHNOLOGY ............................................. 32
9. RISKS RELATED TO OTHER AREAS ....................................... 43


1. INTRODUCTION

1.1.1. This report seeks to develop a suitable and comprehensive response to a number of diverse risks for a sample composite takaful company, i.e., the company's Risk Mitigation Strategy.

1.1.2. The methodology followed in compiling this report has been as follows:

a. During the risk identification exercise, hypothetical existing controls should be evaluated and an assessment made of the level of residual risk. Where this was not at an acceptable level, the department's plans to mitigate the risk should be recorded. Where such plans did not exist, recommendations should be made and agreed as to what needs to be done to reduce the risk to an acceptable level.

b. The above planned steps or recommendations should be taken as a starting point to develop the risk mitigation strategy for each area. These have been expanded on in this report.

c. Certain generic risks not specific to an individual area also exist. These have also been separately incorporated.

1.1.3. This document is structured into the following sections, each dealing with one of the following areas:

i. Planning and Monitoring Risk

ii. Credit Risk

iii. Asset Liability Management and Market Risk

iv. Life Insurance Risk

v. Non-Life and Health Insurance Risk

vi. Product Design and Pricing Risk Control

vii. Information Technology Risk

viii. Risk Related to Other Areas


2. PLANNING AND MONITORING RISK

2.1. Introduction

2.1.1. A number of business areas typically identify issues relating to planning and monitoring as key risks for which existing processes and controls are not adequate and which require further mitigation.

2.1.2. The table below lists risk mitigation measures that can be identified. These have then been grouped into risk mitigation initiatives which are then discussed later in this section (a separate sub-section dealing with each initiative).

Identified Initiative: Implement a formal Planning and Monitoring Framework

Risk mitigation steps identified:

a. A Strategic Planning Department should be set up to assist the CEO in assessing ground realities and drawing up plans accordingly. It should also be responsible for ensuring that the resources being invested in are aligned to realistic business projections as well as to the company's overall attitude towards risk.

b. Communication of the business plan to all stakeholders and obtaining their commitment to its achievement.

c. Implementation of a capital budgeting framework to align strategic plans to individual business unit plans (also listed under the second initiative, as it is valid for both).

d. Regular review and adjustment of the annual plan in response to actual experience, such that the adjusted plans are realistic and achievable.

e. Coordination among the pricing, product development, marketing and sales departments should be in place.

f. Detailed financial projections for 10 years need to be in place, including realistic business volumes with a given product mix, expenses reflecting those volumes (fixed and variable) and product charges based on competitor analysis. These should produce the Shareholders' and Takaful fund revenue accounts and show the emergence of profits as well as the return on equity for shareholders (including Embedded Value).

Identified Initiative: Implement a formal Risk Monitoring System

Risk mitigation steps identified:

a. The company should, over a period of time, implement a system in which its solvency position is updated as frequently as possible (albeit not with the same level of accuracy as can be achieved less frequently) and is available on a risk assessment dashboard for top management to view.

b. The company should regularly prepare a medium term financial position to assess whether its capital is adequate for the next few (usually five) years, and inform the Board of Directors whenever it believes that this may not be the case.

c. Implementation of a capital budgeting framework to align strategic plans to individual business unit plans (also listed under the first initiative, as it is valid for both).

2.2. Implement a Formal Planning and Monitoring Framework


2.2.1. Given that business managers are likely to be more than tied up in trying to achieve their direct business goals, there is a need for a dedicated function to ensure that all strategic plans (those of direct business departments as well as support functions) are coordinated.

2.2.2. Preparing the plan is also only half the battle. The other half is ensuring that the plan is implemented in practice. This can only be done through very close (and independent) monitoring of the extent to which the plans for each functional unit (whether direct business departments or supporting functions) are being achieved in practice, and taking corrective measures where they are not.

2.2.3. An important issue is the need to adjust plans when it is clear that the original plans are not going to be achieved. For example, if it is clear that business levels are going to be half those planned, it may be prudent to delay the acquisition of planned resources (HR or otherwise) so that idle capacity does not build up.

2.2.4. In order to address the above issues, the company also needs to set up a Strategic Planning and Monitoring Department which will be responsible for the following:

a. In coordination with the Board of Directors and the Chief Executive, define high level strategic planning objectives (such as “achieve x% market share in y years”) both in qualitative and quantitative terms.

b. With assistance from the Company’s actuary and Finance Department, prepare a strategic plan which should include projections (business as well as financial statements) for ten years. This plan should be updated every year and totally revamped every three years.

c. Set high level targets and assumptions for annual business plans (budgets). Prepare and disseminate the annual budgetary planning document based on which individual departments will prepare budgets. Coordinate the compilation of the annual budget into a single coherent short term plan broken down into monthly quantitative targets.

d. Coordinate with the Risk Management function to ensure that the plans being drawn up are within the risk tolerance levels defined by the company.

e. Obtain approval of the CEO and then the Board of the annual budget and disseminate targets to individual departments.

f. Review actual performance against annual budgets. Discuss the causes of variances with the respective departmental heads and identify corrective measures where possible. Form a view on whether a change in the original budget estimates is necessary. If so, after discussion with the CEO, coordinate the effort to make that change along with any consequential changes, and present the changed numbers to the Board.

g. Present a quarterly analysis of performance for presentation to the Board. Record Board decisions and ensure that these are implemented.

h. In all the above apply best practices in benchmarking business performance (SWOT analysis, competitive position models, simulation and other methods).

2.3. Implement a Formal Risk Monitoring System

2.3.1. Once risks have been identified and measures to mitigate these risks to an acceptable level have been implemented, the main task of the Risk Management Department should be to monitor risks regularly in order to ensure that these remain within the company’s risk tolerance.

Preparation of Annual Plans

a. Business plans should be prepared independent of any risk tolerance limits.

b. The maximum capital requirement of each line of business should be calculated as the sum of:

i. Any capital required to support any losses which may be incurred during the year (losses being determined after absorbing support department costs)

ii. Any capital required to support technical reserves and the required solvency margin at the end of the reference period.

c. The above calculations need to determine a worst-case scenario keeping in mind a confidence level of 99.5%.

d. The capital requirements of the different lines of business should then be aggregated to give a company-wide capital requirement. This will be compared with the company's existing available capital, excluding any inadmissible assets.

e. If available capital exceeds the requirement, then the business plan will be accepted for adoption from a risk management perspective.

Periodic Monitoring


f. The annual planning process each year will not only prepare a financial plan for the year for which the plan is being primarily made, but will also prepare a tentative plan for the following year.

g. After the actual results of each quarter are available, the company will prepare revised plans taking into account the actual position and projecting for the next 12 months. If the result at the end of that 12-month period indicates that available capital may not be enough to cover required capital, then immediate action will be needed to modify plans in order to ensure that the company remains within its risk tolerance limits.


3. CREDIT RISK

3.1. Introduction

3.1.1. Credit risk relates to the risk of not being able to realize assets (whether receivables, investments or other assets) at the value at which they are recognized in the company's accounting records, usually due to default by the counterparty. It excludes, however, loss of value due to market fluctuation, which is covered under asset liability and market risk.

3.1.2. The table below lists risk mitigation measures identified for credit risk. These have then been grouped into risk mitigation initiatives which are then discussed later in this section (a separate sub-section dealing with each initiative).

Identified Initiative: Implementing a Credit Control Framework

Risk mitigation steps identified:

a. The company should review the credit status of entities before issuing policies on credit, check for receipt of due premiums before settling claims, check payment performance before issuing further policies to existing clients, and regularly review receivables.

Identified Initiative: Invested Asset Credit Risk

Risk mitigation steps identified:

a. Models can be built that attempt to estimate the transition of credit ratings over time.

b. The company's concentration of risk should be broken down by sector, location, policy size, policy type and riders. The company should have catastrophe cover where the risk is concentrated.

3.2. Implementing a Credit Control Framework

3.2.1. The company's major credit risks other than investments can emanate from:

a. Reinsurers/retakaful operators with whom the company has dealings, the risk being both with respect to amounts receivable (where reinsurance recoveries on claims exceed reinsurance premiums payable) and the risk of default in paying future reinsurance recoveries when they fall due.

b. Customers and brokers, with respect to contributions which may not be recovered despite the participant being on cover.

Reinsurance Credit Risk

3.2.2. Insurers hedge large losses through the use of reinsurance (especially non-proportional reinsurance for general takaful); the company can therefore face large losses if a reinsurer refuses to pay current or future claims. The risk is that the receivable from the reinsurer may not be realized for claims already paid, claims reported to the reinsurer but not yet paid by the insurer, and claims that have occurred but have yet to be reported to the insurer (IBNR). The takaful company may also face problems where a reinsurer is unwilling to pay some types of claims, or where only a few reinsurers are available to underwrite that risk.

3.2.3. The company should have a mechanism for ceding reinsurance only to companies with a credit rating of 'A' or above, and should monitor the concentration of reinsurance credit risk. Companies should also have (but usually do not have) models to determine retention; without them, excessive risk is reinsured, which (apart from reducing profits) also increases exposure to credit risk from reinsurers. The following can therefore be recommended:

a. Model, for each class of business, its exposure, so as to determine the optimum reinsurance retention level.

b. Develop formal acceptance criteria based on credit analysis, including rating (for which the current standard of dealing with 'A' rated reinsurers is acceptable).

c. Implement procedures for managing reinsurance recoveries to ensure that these are received promptly after payment by the company, and also for requesting and following up on cash calls for large claims.

d. Maintain close relationships with reinsurers, for which a contact plan should be developed and implemented.

e. Limit exposure to any single reinsurer.

f. Monitor systemic risk by ascertaining the relationships between reinsurers, to judge the impact of the failure of a single reinsurer on the others.

Other Counterparty Risk

3.2.4. The company may face exposure to other counterparty credit risk through its relationships with customers, brokers and other suppliers of goods or services. The company should aggregate these exposures based on different criteria. It should review the credit status of entities before issuing policies on credit, and check receipt of premiums due before settling claims.

3.2.5. Other practices which should be implemented include the following:

a. Monitoring and limiting concentration by sector, location, rating and name.

b. For all corporate clients to whom contracts are issued on credit, developing a mechanism for assessing the credit risk of non-rated clients (i.e., preparing an internal rating mechanism based on a review of financial statements).

c. Arrangement of collateralization with brokers.

d. Regular review of receivables.


3.3. Invested Asset Credit Risk

3.3.1. Companies currently tend to use a "Traditional Credit Risk Underwriting" approach and invest only in securities that carry a minimum 'A' rating from S&P, Moody's or another rating agency. The regulator can also impose credit concentration limits; internal audit is responsible for checking that these limits are properly adhered to. The company should define in advance the action to be taken when a limit is breached.

3.3.2. Companies should plan to move to modern, portfolio based credit risk management, as in the long run the above approach will not be feasible once the company chooses to hold some credit risk for better returns. Portfolio models capture the concentration of credit risk and the exposure to each risk, as well as the correlation between each risk category in the portfolio. The company should start collecting the data needed for portfolio based credit risk management, replacing the current method in the long run. The following methods are recommended:

a. Action plan prepared in advance for credit rating migration.

b. Monitor and control the average credit rating of the portfolio.

c. Monitor actual against expected defaults.

d. Monitor loss recovery in the event of default.
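As an added illustration of the portfolio based approach above (it is not part of the original report), the following Python applies a one-year rating transition matrix of the kind section 3.1 says "can be built", treated as a Markov chain, to a small invested-asset portfolio. The transition probabilities, the holdings, the 60% loss given default and the 5% migration threshold are constructed assumptions for the example, not published data or the report's figures. It shows how the exposure-weighted average rating (3.3.2 b), expected defaults and expected loss (3.3.2 c and d) and a migration watchlist that triggers the action plan (3.3.2 a) can be computed from one matrix.

```python
"""Portfolio-based credit risk monitoring for an invested-asset book.

Added example, not part of the original report. It assumes a one-year rating
transition matrix applied as a Markov chain and a small sukuk/deposit portfolio.
Both the matrix and the portfolio below are constructed for illustration.
"""
from typing import List, Tuple

RATINGS = ["AAA", "AA", "A", "BBB", "BB", "B", "D"]  # D = default, absorbing
SCORE = {r: i for i, r in enumerate(RATINGS)}        # lower score = better rating

# Constructed one-year transition matrix: row = rating today, column = rating
# one year on. Each row sums to 1.
TRANSITION: List[List[float]] = [
    [0.91, 0.08, 0.01, 0.00, 0.00, 0.00, 0.00],  # AAA
    [0.01, 0.90, 0.08, 0.01, 0.00, 0.00, 0.00],  # AA
    [0.00, 0.02, 0.90, 0.06, 0.01, 0.00, 0.01],  # A
    [0.00, 0.00, 0.04, 0.88, 0.05, 0.01, 0.02],  # BBB
    [0.00, 0.00, 0.00, 0.06, 0.82, 0.07, 0.05],  # BB
    [0.00, 0.00, 0.00, 0.00, 0.07, 0.80, 0.13],  # B
    [0.00, 0.00, 0.00, 0.00, 0.00, 0.00, 1.00],  # D
]

Holding = Tuple[str, str, float]  # (issuer, current rating, exposure)
PORTFOLIO: List[Holding] = [     # constructed holdings, exposure in millions
    ("Sovereign sukuk", "AA", 40.0),
    ("Bank A sukuk", "A", 25.0),
    ("Bank B deposit", "A", 20.0),
    ("Corporate C sukuk", "BBB", 10.0),
    ("Corporate D sukuk", "BB", 5.0),
]


def matrix_is_stochastic(m: List[List[float]], tol: float = 1e-9) -> bool:
    """Sanity check before use: every row must be a probability distribution."""
    return all(abs(sum(row) - 1.0) < tol and min(row) >= 0.0 for row in m)


def transition_over(years: int) -> List[List[float]]:
    """Multi-year transition probabilities: the one-year matrix raised to a power."""
    n = len(RATINGS)
    result = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(years):
        result = [[sum(result[i][k] * TRANSITION[k][j] for k in range(n))
                   for j in range(n)] for i in range(n)]
    return result


def average_rating(portfolio: List[Holding]) -> Tuple[float, str]:
    """Exposure-weighted average rating score and the nearest rating label (3.3.2 b)."""
    total = sum(e for _, _, e in portfolio)
    score = sum(SCORE[r] * e for _, r, e in portfolio) / total
    return score, RATINGS[round(score)]


def expected_default_exposure(portfolio: List[Holding], years: int) -> float:
    """Exposure expected to be in default after `years` (the 'expected' side of 3.3.2 c)."""
    m = transition_over(years)
    return sum(e * m[SCORE[r]][SCORE["D"]] for _, r, e in portfolio)


def expected_loss(portfolio: List[Holding], years: int, lgd: float) -> float:
    """Expected loss = expected defaulted exposure x loss given default (1 - recovery, 3.3.2 d)."""
    return expected_default_exposure(portfolio, years) * lgd


def migration_watchlist(portfolio: List[Holding], floor: str = "A", years: int = 1,
                        threshold: float = 0.05) -> List[Tuple[str, str, float, float]]:
    """Holdings currently at or above `floor` whose probability of falling below it
    within `years` exceeds `threshold`: the trigger for the action plan in 3.3.2 (a)."""
    m = transition_over(years)
    f = SCORE[floor]
    flagged = []
    for issuer, r, e in portfolio:
        if SCORE[r] > f:
            continue  # already below the floor; a limit-framework matter, not migration
        p_below = sum(m[SCORE[r]][j] for j in range(f + 1, len(RATINGS)))
        if p_below > threshold:
            flagged.append((issuer, r, e, round(p_below, 4)))
    return flagged


if __name__ == "__main__":
    assert matrix_is_stochastic(TRANSITION)
    print("average rating:", average_rating(PORTFOLIO))
    for y in (1, 3, 5):
        print(f"{y}y expected default exposure:", round(expected_default_exposure(PORTFOLIO, y), 3))
    print("migration watchlist:", migration_watchlist(PORTFOLIO))
```

The matrix-power step is where the Markov assumption bites: it treats next year's migration as independent of how the issuer got to its current rating, which real rating histories violate (downgrade momentum), so the multi-year figures should be read as a monitoring baseline rather than a forecast. The actual-versus-expected comparison of 3.3.2 (c) is then the test of whether that baseline still holds.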


4. ASSET LIABILITY MANAGEMENT AND MARKET RISK

4.1. Introduction

4.1.1. Risks arising from a mismatch of assets and liability (Asset Liability Management [ALM] Risks) are one of the main risks faced by the insurance companies, this relating to the possibility that the value of liabilities and assets backing those liabilities move in different directions. An associated risk is Market risk which is the possibility of assets depreciating in value (without a similar reduction in value of liabilities).

4.1.2. Companies usually have the majority of their available funds invested in bank deposits (there is a lack of bond/sukuk issuance in the GCC, unlike in Malaysia). These provide a relatively low return. Given that bank deposits carry a capital guarantee, such companies are not currently exposed to ALM risk. They are, however, losing the opportunity to earn the higher returns they could earn by accepting the risk and managing it successfully.

4.1.3. ALM and Market risk should be covered in the Investment risk register where the following mitigating steps have been identified, the suggested initiatives being indicated in the right-hand column and discussed in sub-sections below.

Identified Initiative: Cash Flow Matching and Immunization

Risk mitigation steps identified:

a. The company should invest in sukuks with a tenor equivalent to the average duration of its liabilities.

b. The company should prepare cash flow projections periodically in order to determine liquidity needs and plan accordingly, regularly monitoring the liquidity position.

Identified Initiative: Foreign Exchange Risk Management

Risk mitigation steps identified:

a. The company should invest in the currencies in which its liabilities are denominated.

Identified Initiative: Managing Concentration Risk

Risk mitigation steps identified:

a. The company should limit its exposure to individual institutions by prescribing a maximum proportion of its investment portfolio that can be held in securities linked to a single entity (other than securities with a sovereign guarantee against default).


4.2. Matching Assets with Liabilities

4.2.1. Companies do not usually have any formal mechanism for ensuring that assets and liabilities are matched. Some basic mechanisms need to be adopted which are described below.

Cash Flow Matching and Immunization

4.2.2. Cash flow matching of assets with liabilities and immunization strategies are the traditional ways to manage interest rate and market risk. Duration measures interest rate sensitivity: modified duration is (approximately) the percentage change in the price of a bond for a 1% change in interest rates. Duration does not work well for large changes in interest rates, but it is a good starting point for managing ALM risk.

4.2.3. It is recommended that, in order to monitor its ALM risk exposure, the company prepares basic cash flow projections for both its assets and liabilities so as to monitor any gap. This should be done monthly for the first year, quarterly for the next two years and annually thereafter. As the company commences writing longer term business, it needs to manage interest rate risk with more sophisticated modified duration matching or immunization strategies, and go on to include approaches that deal with second-order risks such as convexity and embedded options. The company should also invest in sukuks with a tenor equivalent to the average duration of its liabilities.
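The gap report described in 4.2.2 and 4.2.3 (and the net cash flow projection of 4.2.9) can be built from two dated cash-flow schedules. The Python below is an added example, not code from the report: the asset schedule (maturing deposits plus a five-year sukuk) and the liability schedule (expected claim and maturity outgo) are constructed figures in one currency, with times in years from the valuation date. It buckets the flows exactly as 4.2.3 prescribes (monthly in year 1, quarterly in years 2 and 3, annually after), reports the first bucket where the cumulative net flow turns negative, computes the duration gap, and shows why the duration approximation degrades for large rate moves.

```python
"""Asset/liability cash-flow gap and duration monitoring (section 4.2).

Added example, not from the report. Both schedules are constructed: a deposit-plus-
sukuk asset book against projected takaful liability outflows, one currency, times in
years from the valuation date.
"""
from bisect import bisect_left
from typing import List, Optional, Tuple

CashFlow = Tuple[float, float]  # (time in years, amount)

ASSETS: List[CashFlow] = [       # constructed: deposits maturing, then a 5-year sukuk
    (0.25, 30.0), (0.5, 30.0), (1.0, 20.0),
    (1.0, 2.0), (2.0, 2.0), (3.0, 2.0), (4.0, 2.0), (5.0, 42.0),
]
LIABILITIES: List[CashFlow] = [  # constructed: expected claim and maturity outgo
    (0.5, 10.0), (1.0, 10.0), (1.5, 10.0), (2.0, 15.0),
    (3.0, 20.0), (4.0, 25.0), (5.0, 20.0), (7.0, 20.0),
]


def present_value(flows: List[CashFlow], rate: float) -> float:
    return sum(a / (1.0 + rate) ** t for t, a in flows)


def macaulay_duration(flows: List[CashFlow], rate: float) -> float:
    """PV-weighted average time to cash flow."""
    pv = present_value(flows, rate)
    return sum(t * a / (1.0 + rate) ** t for t, a in flows) / pv


def modified_duration(flows: List[CashFlow], rate: float) -> float:
    """Approximate % price change for a 1 percentage-point parallel rate move."""
    return macaulay_duration(flows, rate) / (1.0 + rate)


def duration_gap(assets: List[CashFlow], liabilities: List[CashFlow], rate: float) -> float:
    """Leverage-adjusted gap D_A - (PV_L / PV_A) * D_L in modified-duration terms.
    Negative: liabilities are longer than assets, so surplus falls when rates fall."""
    pv_a, pv_l = present_value(assets, rate), present_value(liabilities, rate)
    return modified_duration(assets, rate) - (pv_l / pv_a) * modified_duration(liabilities, rate)


def shock_error(flows: List[CashFlow], rate: float, shock: float) -> Tuple[float, float]:
    """Exact % PV change for a rate shock versus the first-order duration estimate.
    The gap between them is why duration alone misleads for big moves (4.2.2)."""
    pv0 = present_value(flows, rate)
    exact = present_value(flows, rate + shock) / pv0 - 1.0
    approx = -modified_duration(flows, rate) * shock
    return exact, approx


def gap_buckets(horizon_years: int) -> List[float]:
    """Bucket end-points: monthly for year 1, quarterly for years 2-3, annual after."""
    edges = [m / 12 for m in range(1, 13)]
    edges += [1.0 + q / 4 for q in range(1, 9)]
    edges += [float(y) for y in range(4, horizon_years + 1)]
    return edges


def cash_flow_gap(assets: List[CashFlow], liabilities: List[CashFlow],
                  horizon_years: int) -> List[Tuple[float, float, float]]:
    """Per bucket: (bucket end, net inflow, cumulative net inflow). A flow falls into the
    first bucket whose end-point is >= its time. Negative cumulative = liquidity shortfall."""
    edges = gap_buckets(horizon_years)
    net = [0.0] * len(edges)
    for sign, flows in ((+1.0, assets), (-1.0, liabilities)):
        for t, a in flows:
            idx = bisect_left(edges, t)
            if idx == len(edges):
                raise ValueError(f"cash flow at t={t} lies beyond the {horizon_years}-year horizon")
            net[idx] += sign * a
    out, cum = [], 0.0
    for edge, n in zip(edges, net):
        cum += n
        out.append((edge, n, cum))
    return out


def first_shortfall(assets: List[CashFlow], liabilities: List[CashFlow],
                    horizon_years: int) -> Optional[Tuple[float, float]]:
    """Earliest bucket where cumulative net cash flow turns negative, or None."""
    for edge, _, cum in cash_flow_gap(assets, liabilities, horizon_years):
        if cum < 0.0:
            return edge, cum
    return None


if __name__ == "__main__":
    for edge, net, cum in cash_flow_gap(ASSETS, LIABILITIES, 7):
        if net:
            print(f"to {edge:5.2f}y  net {net:+7.1f}  cumulative {cum:+7.1f}")
    print("duration gap at 4%:", round(duration_gap(ASSETS, LIABILITIES, 0.04), 3))
    print("first shortfall:", first_shortfall(ASSETS, LIABILITIES, 7))
```

On the constructed schedules the totals match (130 in, 130 out) and the duration gap is negative, yet the cumulative position still dips below zero in the year-4 bucket: the duration figure says nothing about timing inside the horizon, which is exactly why 4.2.3 asks for the bucketed gap as well. The shortfall is the amount to pre-fund or cover with the backup facilities of 4.2.11.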

Equity market risk

4.2.4. The company will be exposed to equity market risk when it invests in equities for higher returns. The equity market component can be measured by the volatility as well as the return of the asset. The usual procedure for measuring equity market risk is to fit past observations to a log-normal (or normal) distribution and then derive a confidence-based measure of loss (such as Value at Risk) from the fitted volatility. This can be adopted by the company once it has a significant equity portfolio.

4.2.5. Practices which the company may wish to adopt if it does invest in equities include the following:

a. Stress testing and validating the assumptions.

b. Use of fat-tailed distributions such as the Pareto-Levy distribution.

c. Use of regime switching or stochastic volatility modeling techniques.

d. Managing exposure to any one entity and broad allocation across industries.

4.2.6. These practices should also be implemented for unit linked funds, although, if the underlying contracts are properly designed, the company itself should bear no market risk on such funds.
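To make the point of 4.2.4 and 4.2.5 (a) and (b) concrete, the added Python below (not from the report) fits log(1 + r) to a normal distribution and reads off a 99.5% VaR, then compares it with the empirical loss at the same confidence level. The return series is constructed: it is the set of Laplace (double-exponential) quantiles on an even grid, scaled to roughly 1.4% daily volatility, standing in for a fat-tailed equity-fund history; it is not market data. The ratio of the two estimates is the check that tells you whether the fitted distribution is understating the tail, and the volatility multiplier is the simplest stress test of 4.2.5 (a).

```python
"""Equity market risk: log-normal VaR against an empirical, fat-tailed estimate.

Added example, not from the report. The return series is constructed (Laplace
quantiles on an even grid) to stand in for a fat-tailed daily return history.
"""
import math
from statistics import NormalDist, mean, stdev
from typing import List


def constructed_returns(n: int = 2000, scale: float = 0.01) -> List[float]:
    """Laplace quantiles at u = (i + 0.5) / n: heavier tails than a normal of equal variance."""
    out = []
    for i in range(n):
        u = (i + 0.5) / n
        x = math.log(2.0 * u) if u < 0.5 else -math.log(2.0 * (1.0 - u))
        out.append(scale * x)
    return out


def lognormal_var(returns: List[float], conf: float = 0.995, vol_multiplier: float = 1.0) -> float:
    """Fit log(1 + r) to a normal distribution and read off the loss at `conf`.
    `vol_multiplier` > 1 is the simple stress test of 4.2.5 (a): scale the fitted volatility."""
    logs = [math.log(1.0 + r) for r in returns]
    m, s = mean(logs), stdev(logs) * vol_multiplier
    z = NormalDist().inv_cdf(1.0 - conf)  # about -2.5758 at 99.5%
    return 1.0 - math.exp(m + z * s)


def empirical_var(returns: List[float], conf: float = 0.995) -> float:
    """Historical-simulation VaR: the ceil((1 - conf) * n)-th worst return, as a positive loss."""
    n = len(returns)
    k = max(0, math.ceil(round((1.0 - conf) * n, 9)) - 1)  # round() guards float noise in (1-conf)*n
    return -sorted(returns)[k]


def tail_ratio(returns: List[float], conf: float = 0.995) -> float:
    """Empirical / log-normal VaR. Well above 1 means the fitted distribution understates the
    tail and a fat-tailed model (4.2.5 b) or regime/stochastic volatility (4.2.5 c) is warranted."""
    return empirical_var(returns, conf) / lognormal_var(returns, conf)


if __name__ == "__main__":
    r = constructed_returns()
    print("log-normal VaR 99.5%:", round(lognormal_var(r), 4))
    print("empirical VaR 99.5%: ", round(empirical_var(r), 4))
    print("tail ratio:          ", round(tail_ratio(r), 2))
    print("stressed (2x vol) VaR:", round(lognormal_var(r, vol_multiplier=2.0), 4))
```

On the constructed series the empirical 99.5% loss is about 4.66% against a fitted log-normal figure of roughly 3.6%, a tail ratio near 1.3: the normal fit would leave the company holding about a quarter too little capital against the equity book. A ratio this size on a real history is the signal to move to the fat-tailed or regime-switching approaches listed in 4.2.5.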


Dynamic Financial Analysis

4.2.7. Dynamic Financial Analysis (DFA) is another interest rate and equity risk management technique. It targets a portfolio of securities that fulfils the ALM constraints; ALM checkpoints are then set in terms of deviations from this target portfolio. The risk is measured using tools such as VaR, EaR and CVaR, credit risk constraints, and/or deviations in duration, convexity or other risk metrics.

4.2.8. Sound practices involve the following:

a. Consider the entire financial position of the company over time.

b. Consider inter-dependencies, given the sophisticated nature of the analysis.

c. Calculate the expectations and the probabilities of a range of scenarios.

d. Consider product design as part of the analysis.

e. Develop an efficient frontier to analyze risk against return.

f. Use the analysis on an ongoing basis rather than as a one-off exercise.

g. Produce results on different accounting bases.

h. Produce multiple-path (stochastic) outcomes rather than a single projection.

Liquidity Risk Management

4.2.9. The ALM function should manage the insurer's liquidity regularly, in addition to measuring and managing the company's interest rate risk exposure. The company should understand how its longer term targets and asset mix may affect liquidity, and how different product features create liquidity requirements. It should project its net cash flows, i.e. cash inflows less cash outflows, and may want to ensure that net cash flows remain positive through techniques such as cash flow coverage projections.

4.2.10. Sound practice in liquidity risk management includes:

a. Setting a corporate target for liquidity risk.

b. Imposing constraints on short term buying and selling.

c. Understanding the impact of rating agencies and economic capital on liquidity risk.

d. Addressing how liquidity is managed at the internal organizational level.

e. Developing an overall contingency plan.

4.2.11. Sound practices include stress tests on liquidity, which would include looking at extreme risk scenarios (such as natural catastrophes, market crashes, etc.) to assess the liquidity needs; identifying additional sources of liquidity to cover crisis situations; identifying the order of sale for asset; and setting up backup banking facilities.


Implementation

4.2.12. As already suggested, the company should start measuring the interest rate duration of its assets and liabilities as soon as it moves its assets from deposits into the bond and equity markets. Doing so lets the company earn a higher return on its assets, and hence higher profitability, while keeping the resulting ALM risk measured and controlled.

4.3. Foreign Exchange Risk Management

4.3.1. The main consideration here is whether the currency used is floating or pegged. If it is pegged, foreign exchange risk is minimal for as long as the peg holds. For floating currencies, the same measures as those used in analyzing equity returns have to be followed to gauge the exposure to foreign exchange movements.

4.4. Managing Concentration Risk

4.4.1. Concentration risk relates to the possibility of a high loss resulting from the impairment of a single asset or group of related assets. Examples include insuring mainly in one particular region, holding too many investments in one entity, reinsurance recoverables mainly from one reinsurer, investing in unlisted companies, and revenue generation focused on a few large groups. In order to control this, the company needs to develop a strategy whereby exposure to a single entity or group of related entities is limited.


5. LIFE INSURANCE RISK

5.1. Introduction

5.1.1. Life Insurance Risks are risks faced by the life insurance department for the execution of business and claims. Risks related to product design and pricing are covered separately as the risks related to all three lines of business (general, life and medical) are common.

5.1.2. The table below lists risk mitigation measures identified for life risk. These have then been grouped into risk mitigation initiatives which are then discussed later in this section (a separate sub-section dealing with each initiative).

Identified Initiative: Optimizing Risk Retention and Selection of Reinsurers

Risk mitigation steps identified:

a. Pricing assumptions need to be revisited in the light of decisions taken, to ensure that the financials conform to reality within a reasonable tolerance.

b. The regulator should approve outside placement until retakaful is available, failing which the matter can be raised in future. All treaties need to retain this provision so that there is also no issue of recapture of existing business.

c. The company should have a retention analysis carried out by its Appointed Actuary.

Identified Initiative: Implementation of System

Risk mitigation steps identified:

a. The company should have systems adequate to service its clients. The company should create a call centre for client complaints, all of which should be forwarded to a Customer Relationship Committee that takes appropriate action on them.

b. Products should be Shariah approved before they are set up in the system.

Identified Initiative: Authority Limits for Underwriting and Claims

Risk mitigation steps identified:

a. The company should have a policy ensuring that there are no unnecessary delays in the approval of claims, with a follow-up process for requesting any pending information.

Identified Initiative: Controlling Policyholder Behavior

Risk mitigation steps identified:

a. The company's system should be capable of sending renewal notices to policyholders, and the company should track information on renewal cases.

b. The company should carry out surveys about the types of funds offered and whether or not clients understand the associated risks.

c. An independent validation should be obtained of the research results in key areas such as sales compensation, product values, minimum and average contributions and business persistency.

Identified Initiative: Create Focus on Service

Risk mitigation steps identified:

a. The company needs to monitor actual service levels against the standards set in its Service Level Agreements and ensure compliance.

b. The company needs to create a service culture distinct from that of other companies.


5.2. Optimizing Risk Retention and Selection of Reinsurers

5.2.1. The primary tool for managing mortality risk is the use of reinsurance. This involves two key decisions: the determination of the basis on which to cede risks (including, most importantly, the determination of retention levels) and the selection of reinsurers. Quota share and surplus treaties are mostly used for life insurance/family takaful, rather than non-proportional reinsurance.

5.2.2. Purchasing reinsurance usually involves a trade-off between expected cost and reduced risk. As reinsurers seek to make profits, reinsurance recoveries over the long run would usually be less than reinsurance premiums. The company should, therefore, seek to maximize retention but keeping in mind its overall risk tolerance level and the amount of capital available to support retained risks.

5.2.3. The company’s risk retention levels should therefore be determined using suitable actuarial models and should ideally be done by its appointed actuary. The assumptions used and the scenarios assessed should be appropriate. The company should also identify gains and losses from reinsurance and their sources as well as analyze claims volatility both with and without the reinsurance program.

5.2.4. The use of reinsurance reduces pure underwriting risk and moves the risk to credit risk or contract risk. Selection of reinsurers who are financially strong as well as credible is a significant step in mitigating the latter.

5.2.5. The selection of a reinsurer should be based on its credit rating, response time and authorization limits, along with the cost of reinsurance coverage. Due diligence of the reinsurer's financial strength and risk concentration is also important. The company should maintain awareness of the degree to which its risk retention strategy relies on third parties to take a portion of the risk written.

5.2.6. As the financial position of even very large organizations can be severely impacted even over a relatively short period of time, the company should carry out an objective evaluation of both existing and potential reinsurers on an annual basis using the criteria set out above.

5.3. Implementation of System

5.3.1. System issues often lead to client complaints and eventually loss of business. It is important, therefore, that a formal process is followed while implementing the software. In particular, the company needs to ensure the following:

a. A gap analysis needs to be carried out by walking through the system and ensuring that all the functionality required to administer products is present. To the extent that the system does not cater to a particular requirement, this should be documented and a clear strategy needs to be formulated as to how this gap will be overcome.

b. The system should be thoroughly tested, with the results documented, before a decision is made to go live. All issues arising need to be logged and resolved. An independent assessment of the system's stability should be made prior to launch.

5.3.2. Apart from the initial implementation a formal documented process should be followed when launching any new product.

5.4. Authority Limits to Underwriting and Claims

5.4.1. The authority to accept risks on the Company’s behalf should be specifically delegated in the policy manual aligning with Retakaful Guidelines. Limits should be delegated to the Underwriters according to the types of risks and maximum exposure.

5.4.2. The Life insurance department should have clear underwriting standards with training and enforcement processes. The underwriting standards should be monitored with enforcement of compliance. Sound practice for underwriting standards may include:

a. data needed to reach underwriting decisions (such as blood tests or attending physician statement ‘APS’)

b. appropriate use of data in reaching decisions
c. authority limits for underwriters and approval of claims
d. reviewing risk classification decisions, which may be self-review, peer review, supervisory review, independent internal or external review, and/or reinsurer review.

5.4.3. The company should have standard services levels which should specify, amongst other things, time limits within which various transactions should be completed. Such limits should specify maximum times for (amongst others):

a. Issuing policies which do not require medical examination
b. Issuing policies after receiving all requirements
c. Processing and payment of claims after all requirements are fulfilled
d. Responding to incoming correspondence/documents, including asking for further requirements where the documents received are not complete
e. Corporate cases with good relationship

5.4.4. The company needs to institute a policy ensuring that there are no unnecessary delays in the approval of claims, with a follow-up process for requesting any pending information. The department plans to introduce a quality control function to review processed claims on a sample basis in order to ensure that all claims paid are valid.


5.5. Controlling Policyholder Behavior

5.5.1. One of the major risks for a life insurer is policyholder behavior which could lead to policies being lapsed or surrendered. The financial structure of family takaful contracts involves incurring substantial upfront costs which are recovered over time. Pricing such products involves making assumptions about premium persistency which need to be met in order to actually recover those costs; if the company fails to meet its persistency targets, cost recovery is impacted. Whereas conventional insurers implement measures (such as back end charges) in order to mitigate this risk, back end charges are not acceptable under takaful principles. It is therefore necessary to implement measures to ensure that premium persistency is maintained at an acceptable level.

5.5.2. The marketing department should ensure that product training is adequate to ensure full disclosure of policy terms to the clients. This can be done by carrying out post sales surveys. The Company shall create a call center for client complaints. All complaints should be forwarded to Customer Relationship Committee which shall take appropriate action on it.

5.5.3. Renewal notices should be sent out and be followed up to ensure receipt as well as to get client feedback by phone, SMS or email. Feedback received should be acted upon, all these activities being monitored in the system.

5.5.4. Sound practices include the following:
a. Frequent monitoring of lapse experience
b. Communications with policyholders to discourage lapses
c. Controls in the system to avoid business churning
d. Disciplined updating of product pricing and costing to reflect actual lapse experience, to prevent creation of future problems
e. Declaration that all the material facts are disclosed

5.6. Create Focus on Service

5.6.1. The ability of a financial services company to achieve sustainable high growth depends a great deal on its ability to provide quality service. This also impacts the company’s financial performance, as efficiency leads to reduction in cost which leads both to higher profitability and enhances the company’s ability to provide better value to its customers.

5.6.2. In order to implement an excellence in service culture the company needs to establish service level standards and then continuously measure them. This will almost certainly require implementation of workflow computing so that the time taken to perform various activities can be measured and improved. Standards will include, for example, the response time to client queries. Client correspondence would be opened and logged at a central point and passed on to the appropriate department where the type of query would be entered. The response would also be system based and would be logged when actually sent out. The lapse time would be compared against the standard to see if it was achieved or not. Some tolerance (say 3% to 5%) would be allowed. Aggregate metrics would be determined by the system and reported against standards.


6. NON-LIFE & HEALTH INSURANCE RISK

6.1. Introduction

6.1.1. Non-Life and health insurance risk essentially relates to the possibility of insured losses net of reinsurance being higher than expected. This section deals with the strategy recommended for mitigating those risks in the non-life and health area which have not already been mitigated to a level acceptable under the company’s risk tolerance levels. The section does not, however, deal with risks related to product design and pricing which are dealt with commonly for all business divisions.

6.1.2. This section covers both non-life and health insurance risks as the mitigation techniques of both of them are common due to both being short term contracts.

6.1.3. The table below lists risk mitigation measures identified. These have then been grouped into risk mitigation initiatives which are then discussed later in this section (a separate sub-section dealing with each initiative).

Identified Initiative: Strengthen Reserve Determination
Risk Mitigation Steps:
a. The company should continue to follow the current practice but build up data so as to enable using more scientific methods (e.g., the Chain-Ladder method) in the future, always maintaining the percentages specified by the regulator as a minimum.
b. Premium deficiency should be periodically assessed and a separate reserve set aside for major classes of business where the results indicate that premiums are not sufficient.

Identified Initiative: Acquisition and Implementation of a Non-Life IT System
Risk Mitigation Steps:
a. The company should upgrade the non-life system to the latest versions of software in order to ensure that critical business needs are met.
b. Motor claims should be set up based on a standard by type of claim reported even prior to the survey/workshop estimates being received, and updated once these are received.
c. The IT system needs to have the capability of processing claims within the system (as opposed to simply recording the eventual decision after the processing has been completed), which should include approval within the system.
d. The department plans to introduce a quality control function to review processed claims on a sample basis in order to ensure that all claims paid are valid.
e. The IT system needs to have the capability of producing statistics relating to the actual time taken to process claims to enable service levels to be monitored.
f. The IT system needs to be developed in coordination with operational heads to meet the requirements of departments.
g. A performance evaluation process and system need to be developed to facilitate client servicing.
h. The IT system should have the capability of automatically accumulating risks from different policies based on a common parameter (vessel/voyage or location).

Identified Initiative: Acquire and Implement System
Risk Mitigation Steps:
a. All quotes which are given should be generated by the system so that there is an automatic control that these are captured at inception.

Identified Initiative: Underwriting and Claim Approval Limits
Risk Mitigation Steps:
a. The authority to accept risks on the Company's behalf should be specifically delegated in the policy manual, aligning with Retakaful Guidelines, to the Underwriters according to the types of risks and maximum exposure.

Identified Initiative: Strengthening the Renewal Process
Risk Mitigation Steps:
a. Renewal notices should be sent out and be followed up to ensure receipt as well as to get client feedback by phone, SMS or email. Feedback received should be acted upon, all these activities being monitored.
b. Renewal notices should not be automatically sent to cases with adverse loss experience. A facility should also be there to tag and prevent notices being sent out where the client behavior has been undesirable (e.g., late payment of contributions).
c. All renewals should be system based, in that all notices should be generated by the system and new policies/endorsements renewing an existing policy should be generated from the system.

Identified Initiative: Reinsurance
Risk Mitigation Steps:
a. As volumes grow, the company may consider separating reinsurance from underwriting so that assessment of the capacity to accept risk is made independent of the underwriter.

Identified Initiative: Create Focus on Service
Risk Mitigation Steps:
a. The company needs to monitor actual service levels against standards set up in the Service Level Agreements and ensure compliance.
b. The company needs to create a service culture separate from that of the other companies.

6.1.4. The table below lists the risk mitigation measures identified for Health Insurance only.

Identified Initiative: Third Party Administrator (Health Insurance)
Risk Mitigation Steps:
a. A very detailed cost benefit analysis (for at least 3 to 5 years) should be carried out to develop a mandate for a system, clearly setting out the terms on which outsourcing would or would not be justified (to have a TPA, in-house claims handling or a combination of both). The decision then needs to be reflected in the overall business plan.

6.2. Strengthening Reserve Determination

6.2.1. Reserves set aside for non-life and health business include:
a. Reserves for claims which have been incurred but have not been paid, this being further sub-divided into provisions for reported claims and provisions for incurred but not reported claims. The portion for IBNER is generally significant for motor third party and health insurance.
b. Reserves relating to unexpired risk (i.e., the period covered by the policy after the balance sheet date).


6.2.2. For reported claims the company should adopt the following practice:
a. Provisions for reported claims should be recorded as and when the claim is intimated, and updated once the survey is complete.
b. All such provisions should be reviewed at least once a quarter and adjusted where required.
c. Any claims which are expected to be paid within one year of the balance sheet date should be recorded in full without any discounting. Any claims expected to be paid over more than one year shall be recognized after discounting the expected payments to the present using a discount rate based on advice from the company's actuary.

6.2.3. Provisions for incurred but not reported claims (IBNR) should currently be made on the basis of expected losses less reported losses, expected losses being computed based on industry average loss ratios plus 5%. The company's computer systems should have the capacity to track the development of reported claims with reference to the date on which each claim is incurred, so as to produce the data required for adopting the Chain-Ladder method and other scientific methods.

6.2.4. Reported claim estimates should be made by the concerned business department as part of ongoing processes. These should, however, be independently reviewed by internal audit on a periodic basis.

6.2.5. The minimum reserve for unexpired risk should be the net unearned premium reserve. On top of this the company should estimate, independent of the business department, the eventual losses with respect to each major class of business and, if expected losses plus costs of claim settlement are greater than unearned premiums less any deferred commissions, the balance should be provided as a premium deficiency reserve.

6.2.6. Claim handling and related expenses also need to be recorded separately, so that better estimates of expenses can be reflected in the reserves (the allocated loss expense reserve and the unallocated loss expense reserve) and the pricing basis can be improved.

6.2.7. Recoveries and estimates of reinsurance, salvage and subrogation should be made separately, where required.
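As an added worked illustration of the reserving rules in 6.2.2 to 6.2.5 (it is not part of the original document and not the company's own model), the following Python script computes a case reserve with the one-year discounting rule, the loss-ratio IBNR with the 5% margin, a Chain-Ladder IBNR from a cumulative reported-claims triangle, and a premium deficiency reserve per class of business. All figures (the triangle, premiums, loss ratios, discount rate and the two classes) are constructed, and the function names are ours.

```python
"""Reserve calculations for a short-term (non-life / health) book.

Added illustration with constructed figures; not the company's data or models.
Implements the rules in 6.2.2 to 6.2.5 of the document.
"""
from dataclasses import dataclass


@dataclass
class Claim:
    claim_id: str
    expected_payment: float  # best estimate of the amount still to be paid
    years_to_payment: float  # expected time from the balance sheet date to payment


def case_reserve(claim: Claim, discount_rate: float) -> float:
    """6.2.2 c: claims payable within one year are held in full; later payments
    are discounted to the balance sheet date at the actuary's rate."""
    if claim.years_to_payment <= 1.0:
        return claim.expected_payment
    return claim.expected_payment / (1.0 + discount_rate) ** claim.years_to_payment


def ibnr_loss_ratio(earned_premium: float, industry_loss_ratio: float,
                    reported_losses: float, margin: float = 0.05) -> float:
    """6.2.3: IBNR = expected losses - reported losses, where expected losses
    are earned premium x (industry average loss ratio + 5%).
    Floored at zero so favourable reported experience never releases reserves below nil."""
    expected = earned_premium * (industry_loss_ratio + margin)
    return max(0.0, expected - reported_losses)


def chain_ladder(triangle):
    """Basic Chain-Ladder projection on a cumulative reported-claims triangle.

    triangle[i] holds cumulative reported claims for accident period i at
    development ages 0, 1, ...; later accident periods have fewer entries.
    Returns volume-weighted development factors, ultimates per period and
    IBNR (ultimate less latest reported)."""
    n = len(triangle)
    factors = []
    for dev in range(n - 1):
        # factor from age `dev` to `dev + 1`, using only rows observed at both ages
        num = sum(row[dev + 1] for row in triangle if len(row) > dev + 1)
        den = sum(row[dev] for row in triangle if len(row) > dev + 1)
        factors.append(num / den)
    ultimates, ibnr = [], []
    for row in triangle:
        projected = row[-1]
        for f in factors[len(row) - 1:]:  # apply the development still to come
            projected *= f
        ultimates.append(projected)
        ibnr.append(projected - row[-1])
    return {"factors": factors, "ultimates": ultimates, "ibnr": ibnr,
            "total_ibnr": sum(ibnr)}


def premium_deficiency_reserve(unearned_premium: float, deferred_commission: float,
                               expected_losses: float, settlement_costs: float) -> float:
    """6.2.5: per class of business, if expected losses plus claim settlement
    costs exceed unearned premium less deferred commission, provide the excess."""
    available = unearned_premium - deferred_commission
    return max(0.0, expected_losses + settlement_costs - available)


# Constructed sample data (not the company's figures) --------------------------
DISCOUNT_RATE = 0.05
CLAIMS = [Claim("C1", 100.0, 0.5), Claim("C2", 100.0, 2.0)]
# cumulative reported claims, accident periods 1..4, development ages 0..3
TRIANGLE = [
    [100.0, 150.0, 180.0, 189.0],
    [200.0, 300.0, 360.0],
    [120.0, 180.0],
    [160.0],
]


def worked_example():
    """Run every reserve calculation on the constructed data."""
    return {
        "case_reserves": {c.claim_id: case_reserve(c, DISCOUNT_RATE) for c in CLAIMS},
        "ibnr_loss_ratio": ibnr_loss_ratio(1000.0, 0.60, 500.0),
        "chain_ladder": chain_ladder(TRIANGLE),
        # class A: premiums still sufficient; class B: deficient by 30
        "pdr_class_a": premium_deficiency_reserve(400.0, 40.0, 300.0, 30.0),
        "pdr_class_b": premium_deficiency_reserve(500.0, 50.0, 420.0, 60.0),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The Chain-Ladder routine is the use of data that 6.2.3 asks the systems to support: it needs each claim's reported amount tracked by incurred date and development age, which is exactly what the triangle holds. The loss-ratio IBNR is floored at zero so that favourable reported experience in one period does not release reserves below nil.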

6.3. Acquire, Upgrade or Implement Non-Life IT System

6.3.1. Robust and sophisticated IT systems are necessary in order to implement various risk mitigation measures as well as to determine various parameters for mitigating risks.


6.3.2. Prior to acquiring a system, the company needs to ensure that the required functionality, including that required for implementing risk management policies and accumulating the data required for monitoring risk tolerance, is either present in the system or that there is provision for customization or some workaround exists.

6.3.3. The functional requirements need to be developed in coordination with operational heads to meet the requirements of departments.

6.3.4. Once the basic systems are in place the company also needs to consider implementation of business intelligence MIS tools which combine both external and internal data in order to give management an insight as to how the company is performing in comparison with the market, key analysis being possibly presented in the form of a Dashboard for operational heads.

Rating Structure & Risk Classification

6.3.5. The Company should set up and implement a risk classification methodology in the system. The risk classification and structure should be based on a) available data, b) geography, c) demography and d) economic environment. For many lines of business international standards (i.e., ISO) are already available and reinsurers also provide rating structures; the company should make use of them.

6.4. Underwriting and Claim Approval Limits

6.4.1. The authority to accept risks on the Company’s behalf should be specifically delegated in the policy manual aligning with Retakaful Guidelines to the Underwriters according to the types of risks and maximum exposure.

6.4.2. The company should have fully documented underwriting standards. The company should monitor and enforce compliance with these standards. The underwriting standards should include plan objective(s), strategy, and measurable targets. We would suggest that limits should not be restricted to exposure limits but should also be set by type of risk and by the terms and conditions allowed.

6.4.3. The company should have a policy ensuring that there are no unnecessary delays in the approval of claims, with a follow-up process for requesting any pending information. The department should have a quality control function to review processed claims on a sample basis in order to ensure that all claims paid are valid. Motor claims should be set up based on a standard by type of claim reported even prior to the survey/workshop estimates being received, and updated once these are received.


6.5. Strengthening the Renewal Process

6.5.1. Renewal notices should be sent out and be followed up to ensure receipt as well as to get client feedback by phone, SMS or email. Feedback received should be acted upon, all these activities being monitored in the system.

6.5.2. Renewal notices should not be automatically sent to cases with adverse loss experience. A facility should also be there to tag and prevent notices being sent out where the client behavior has been undesirable (e.g. late payment of contributions).

6.6. Reinsurance

6.6.1. The company should use a catastrophe model to find out the concentration limits of loss. The spreading of risk among various risk categories should also be looked into for diversification. The company should have adequate catastrophe cover for health operations; the usual quota share agreements are not adequate.

6.6.2. The company should determine optimal risk retention levels so as to maximize profitability while ensuring that the risk tolerance limits are not breached. For this purpose, loss patterns (i.e., the frequency and severity of claims) should be modeled, making assumptions about reinsurance cessions (type and extent of reinsurance), with the decision on how much to reinsure and on what basis being made based on the results from the model. The modeling needs to be done by an actuary.

6.6.3. The company should understand that purchasing reinsurance usually involves a trade-off between expected cost and reduced risk. The use of reinsurance reduces pure underwriting risk and moves the risk to credit risk or contract risk.
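The modeling step in 6.6.2, together with the cost-versus-volatility trade-off in 5.2.2 and the with-and-without-reinsurance volatility analysis in 5.2.3, can be illustrated with a small simulation. This Python script is an added example, not part of the original document or the company's actuarial model: it simulates annual claim frequency and severity on a constructed portfolio, applies a 50% quota share and a surplus treaty with a 200,000 retention, and compares the mean, standard deviation and 99th percentile of retained losses against an assumed capital figure. The portfolio, distribution parameters, treaty terms, capital and the 1.25 premium loading are all assumptions.

```python
"""Retention modelling for a reinsurance decision.

Added illustration of the approach in 5.2.2, 5.2.3 and 6.6.2. The portfolio,
distribution parameters, treaty terms, premium loading and capital figure are
assumed values, not the company's.
"""
import math
import random
import statistics

# Constructed portfolio: sum insured per policy, in currency units
PORTFOLIO = [50_000, 120_000, 250_000, 400_000, 900_000, 1_500_000]


def simulate_gross_claims(years, claims_per_year, sev_mu, sev_sigma, seed=1):
    """Return, for each simulated year, a list of (sum_insured, loss) claims.

    Frequency is Poisson (Knuth's multiplication method, standard library only);
    severity is lognormal and cannot exceed the policy's sum insured."""
    rng = random.Random(seed)
    years_out = []
    for _ in range(years):
        threshold, count, prod = math.exp(-claims_per_year), 0, 1.0
        while True:
            prod *= rng.random()
            if prod <= threshold:
                break
            count += 1
        claims = []
        for _ in range(count):
            sum_insured = rng.choice(PORTFOLIO)
            loss = min(sum_insured, rng.lognormvariate(sev_mu, sev_sigma))
            claims.append((sum_insured, loss))
        years_out.append(claims)
    return years_out


# Treaties: each returns the part of a loss the company keeps ------------------
def no_reinsurance():
    return lambda sum_insured, loss: loss


def quota_share(retained_share):
    """Proportional: the company keeps a fixed share of every risk."""
    return lambda sum_insured, loss: loss * retained_share


def surplus(retention):
    """Surplus: the company keeps up to `retention` of each sum insured and
    cedes the rest; losses are shared in the same proportion."""
    return lambda sum_insured, loss: loss * min(sum_insured, retention) / sum_insured


def retained_by_year(claims_by_year, treaty):
    """Aggregate retained loss per simulated year."""
    return [sum(treaty(si, loss) for si, loss in year) for year in claims_by_year]


def summarise(yearly, capital):
    """Volatility of annual retained losses and whether the 99th percentile
    stays within the capital the company is prepared to put at risk."""
    ordered = sorted(yearly)
    p99 = ordered[min(len(ordered) - 1, int(0.99 * len(ordered)))]
    return {"mean": statistics.fmean(yearly), "stdev": statistics.pstdev(yearly),
            "p99": p99, "within_tolerance": p99 <= capital}


def compare_programmes(years=2000, capital=2_000_000, premium_loading=1.25, seed=1):
    """Run the comparison for the constructed book.

    `premium_loading` expresses 5.2.2: reinsurers price above expected
    recoveries, so the reinsurance premium is assumed to be expected
    recoveries times this loading (an assumption, not a market quote)."""
    claims = simulate_gross_claims(years, claims_per_year=12,
                                   sev_mu=10.5, sev_sigma=1.2, seed=seed)
    gross = retained_by_year(claims, no_reinsurance())
    report = {}
    for name, treaty in [("gross", no_reinsurance()),
                         ("quota_share_50", quota_share(0.5)),
                         ("surplus_200k", surplus(200_000))]:
        retained = retained_by_year(claims, treaty)
        stats = summarise(retained, capital)
        expected_recoveries = statistics.fmean(gross) - stats["mean"]
        stats["expected_recoveries"] = expected_recoveries
        stats["assumed_reinsurance_premium"] = expected_recoveries * premium_loading
        report[name] = stats
    return report


if __name__ == "__main__":
    for name, stats in compare_programmes().items():
        print(name, {k: round(v, 1) if isinstance(v, float) else v for k, v in stats.items()})
```

Running it shows the trade-off the text describes: both treaties cut the standard deviation and the tail of retained losses, while the assumed reinsurance premium exceeds expected recoveries, so the decision is which structure keeps the 99th percentile inside the capital tolerance at the lowest cost. The Poisson sampler is Knuth's multiplication method so that only the standard library is needed.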

6.6.4. As volumes grow the company may consider separating reinsurance from underwriting so that assessment of the capacity to accept risk is made independent of the underwriters. The company should have the capability of automatically accumulating risks from different policies based on a common parameter (vessel/voyage or location).

6.7. Create Focus on Service

6.7.1. The ability of a financial services company to achieve sustainable high growth depends a great deal on its ability to provide quality service. This also impacts the company’s financial performance, as efficiency leads to reduction in cost which leads both to higher profitability and enhances the company’s ability to provide better value to its customers.


6.7.2. In order to implement an excellence in service culture the company needs to establish service level standards and then continuously measure them. This will almost certainly require implementation of workflow computing so that the time taken to perform various activities can be measured and improved. Standards will include, for example, response time to client queries. Client correspondence would be opened and logged at a central point and passed onto the appropriate department where the type of query would be entered. The response would also be system based and would be logged when actually sent out. The lapse time would be compared against the standard to see if it was achieved or not. Some tolerance (say 3 to 5%) would be allowed. Aggregate metrics would be determined by the system and reported against standards.
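The central logging and measurement described in 5.6.2 and again in 6.7.2 can be made concrete with a small script. This is an added Python example, not code from the original document or the company's systems: it parses a constructed correspondence log in which each query is logged once on receipt (with its type) and once when the response is actually sent, compares the lapse time with a standard for that query type, applies a 5% tolerance on the standard, and reports aggregate metrics per type. The query types, standards, tolerance reading and log records are all assumptions.

```python
"""Service-level monitoring over a central correspondence log.

Added illustration of the workflow measurement in 5.6.2 and 6.7.2; the
standards, tolerance and log records are constructed, not the company's.
Each piece of correspondence is logged once on receipt at the central point
(with its query type) and once more when the response is actually sent.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Maximum time allowed per query type (constructed, in the spirit of 5.4.3)
STANDARDS = {
    "policy_issue_no_medical": timedelta(days=2),
    "claim_payment": timedelta(days=5),
    "general_query": timedelta(days=1),
}
# Our reading of the "3% to 5%" tolerance: an allowance on top of the standard time
TOLERANCE = 0.05

# Constructed log: "<ISO timestamp> RECEIVED <ref> <type>" or "<ISO timestamp> SENT <ref>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 RECEIVED Q1001 general_query
2024-03-01T16:30:00 SENT Q1001
2024-03-02T10:00:00 RECEIVED Q1002 claim_payment
2024-03-07T11:00:00 SENT Q1002
2024-03-03T08:00:00 RECEIVED Q1003 policy_issue_no_medical
2024-03-05T12:00:00 SENT Q1003
2024-03-04T09:00:00 RECEIVED Q1004 general_query
2024-03-06T09:00:00 RECEIVED Q1005 claim_payment
"""


def parse_log(text):
    """Pair each receipt with its response: {ref: {type, received, sent}}."""
    queries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        stamp, event, ref = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if event == "RECEIVED":
            queries[ref] = {"type": parts[3], "received": stamp, "sent": None}
        elif event == "SENT":
            if ref not in queries:
                raise ValueError(f"response logged for unknown query {ref}")
            queries[ref]["sent"] = stamp
        else:
            raise ValueError(f"unknown event {event!r} in log line: {line}")
    return queries


def evaluate(queries, now, standards=STANDARDS, tolerance=TOLERANCE):
    """Lapse time versus standard for every query.

    Answered queries are 'met' or 'breached'. Unanswered queries are 'open'
    while still inside the allowed time and 'breached' once they exceed it,
    so a backlog does not hide behind the absence of a response record."""
    results = {}
    for ref, q in queries.items():
        allowed = standards[q["type"]] * (1 + tolerance)
        if q["sent"] is not None:
            lapse = q["sent"] - q["received"]
            status = "met" if lapse <= allowed else "breached"
        else:
            lapse = now - q["received"]
            status = "breached" if lapse > allowed else "open"
        results[ref] = {"type": q["type"], "lapse": lapse, "status": status}
    return results


def aggregate(results):
    """Per query type: counts by status and achievement rate over decided items."""
    metrics = defaultdict(lambda: {"met": 0, "breached": 0, "open": 0})
    for r in results.values():
        metrics[r["type"]][r["status"]] += 1
    for m in metrics.values():
        decided = m["met"] + m["breached"]
        m["achievement_rate"] = m["met"] / decided if decided else None
    return dict(metrics)


def run_report(now_iso="2024-03-07T12:00:00"):
    """Evaluate the constructed log as at the given reporting time."""
    results = evaluate(parse_log(SAMPLE_LOG), datetime.fromisoformat(now_iso))
    return results, aggregate(results)


if __name__ == "__main__":
    results, metrics = run_report()
    for ref, r in sorted(results.items()):
        print(f"{ref} {r['type']:<24} {str(r['lapse']):>17} {r['status']}")
    for qtype, m in metrics.items():
        print(f"{qtype}: {m}")
```

Applying the tolerance to the time standard is one reading of the "3 to 5%" in the text; a tolerance on the achievement rate would instead be applied in aggregate(). Unanswered items are evaluated against the reporting time, so a backlog that has already exceeded the standard shows up as a breach rather than disappearing for lack of a response record.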

6.8. Third Party Administrator (Health Insurance)

6.8.1. A very detailed cost benefit analysis (for at least 3 to 5 years) should be carried out to develop a mandate for a system, clearly setting out the terms on which outsourcing would or would not be justified (to have a TPA, in-house claims handling or a combination of both). The decision then needs to be reflected in the overall business plan.


7. PRODUCT DESIGN AND PRICING RISK

7.1. Introduction

7.1.1. Risks associated with insurance product design emanate from features within products (risks covered, guarantees given, exclusions etc.). Pricing risk basically consists of the risk of the premium not being adequate to meet expected benefits to be paid out under insurance contracts and related costs of acquiring and administering contracts.

7.1.2. The table below lists risk mitigation measures identified for Product Design and Pricing risk. These have then been grouped into risk mitigation initiatives which are then discussed later in this section (a separate sub-section dealing with each initiative).

Identified Initiative: Establish Shariah and Regulatory Principles for Product Development
Risk Mitigation Steps:
a. The takaful model to be adopted by the company should be documented and approved by the Shariah Board and Board of Directors. The documentation should clearly set out principles relating to the development of the wakala fee structure, frequency and mode of distribution of surplus and accounting policies required to implement the model.
b. Shariah principles (not as a part of any product design) such as providing a guarantee, sharing in surplus, charges structure, basis for variation in risk contribution etc. need to be explicitly approved to avoid the risk of product development not being Shariah compliant and causing delays.
c. Shariah approval should be taken at the start of product development to avoid the risk of product features not being Shariah compliant. For example, most Shariah scholars do not allow back-end loaded products; therefore it is important to discuss the charging mechanism with the Shariah scholars initially and get their written agreement on it.
d. The basis for determination and distribution of surplus and the Wakala fee structure, and any gaps, need to be discussed with the Shariah Scholars at the initial stages to avoid any issues later.
e. The company should discuss and finalize a surplus distribution policy with its Shariah Board and obtain approval from the relevant regulator.
f. Product development needs to consider earlier research as well as the experience of operations, marketing and other members before products are designed.
g. Have a written agreement on principles and then on permissible design features.
h. The Wakala fee structure needs to be presented for Shariah approval, covering whether it is acceptable to charge any wakala fee from any client or whether this has to be defined based on a certain framework.


Identified Initiative: Establish Market Based Compensation for Staff
Risk Mitigation Steps:
a. The company should make the incentives of the staff in line with the market to ensure there is adequate motivation. It is not possible at the start for the company to have relatively inexperienced staff and then train them; this can only be done when operations are stable. There are major concerns about finding the right people and getting visas in a timely manner.

Identified Initiative: Establish Mechanism to Ensure Market Acceptability of Products
Risk Mitigation Steps:
a. The company should not view new products as a threat but as an opportunity; the company should explore the market and offer products accordingly.
b. Since the product launch is costly, a market research update based on this new regulatory change should be done before going on with this product launch.
c. Need to have a Wakala fee structure in place which ensures competitive pricing and adequate margins in the long run.

Identified Initiative: Ensure Sales Compensation is Market Based
Risk Mitigation Steps:
a. Suggest to revisit sales compensation just to ensure that this is still aligned with competitors.

Identified Initiative: Establish a Scientific Pricing Methodology
Risk Mitigation Steps:
a. Suggest to do detailed financials before final pricing to ensure that planned expenses are covered and profit margins meet overall shareholder expectations. The company should also maintain an overhead expense allocation.

Identified Initiative: Establish Process to Regularly Review Pricing
Risk Mitigation Steps:
a. The Wakala fee structure needs to be evolved based on financial projections of realistic business volumes and expenses for each line, keeping in view Shariah approval of the permitted fee structure. This should ensure that the long term return objectives of shareholders are met through proper financial modeling.
b. The experience assumptions need to be revisited to ensure that the financials conform to reality within a reasonable tolerance. For example, in order to determine the expense assumptions, it is necessary to prepare a business plan and carry out financial projections.
c. The company should keep a record of prices quoted and the eventual price paid by the client for lost cases so that it can track price differentials when business is lost to competitors.
d. Suggest to maintain a separate Takaful Fund for each line of business and ensure adequate risk contribution in each fund.

Identified Initiative: Integration of Pricing and Business Administration
Risk Mitigation Steps:
a. The company should vary its wakala by the size of the product; for large corporate cases, the company can give volume or other discounts on wakala.
b. The company should not go into a price war but use its brand name and image to get more clients. The company should also look at the conventional market with similar products.
c. Clients should be educated that providing claim experience would decrease rates for them.
d. The company should offer a wakala discount on large groups.


7.2. Establish Shariah and Regulatory Principles for Product Development

7.2.1. One of the major risks with respect to product development is that the product which is designed may either be rejected by the Company’s Shariah Board or subsequently by the regulator. In the case of the Shariah Board, this could arise as a result of specific product features or specific contract wordings not being considered to be in line with the Shariah. In the case of the regulator, this may be due to regulator implementing some checks which are not set out in the Implementing Regulations.

7.2.2. The redevelopment of products could sometimes impact even product pricing. Apart from an increase in time to market there could also be significant duplication of effort. As a result, measures to reduce the likelihood of objections from the Shariah Board as well as the regulator need to be implemented.

7.2.3. It is therefore recommended that the company should carry out efforts to develop a comprehensive Shariah and Regulatory Principles Document which will then act as a checklist when products are designed. This should be reviewed and approved by the Shariah Board. In the case of regulator, it is unlikely that such approval would be forthcoming but an attempt should be made to talk through such a document informally with the regulator.

7.2.4. The document should include, among other things, a detailed description of the Takaful Model, including its impact on transactions at a later stage in the policy cycle (e.g., at the stage of a claim or the surrender of a life policy), the method of determining the wakala fee, the basis of sharing of surplus, permissible charges, etc.

Specific Initiative Re: Health Insurance

7.2.5. Product development needs to consider earlier research as well as the experience of operations, marketing and other members before products are designed. Since a product launch is costly, a market research update based on this new regulatory change should be done before going on with this product launch.

7.2.6. The company, along with other market players, should press the regulator for an automatic approval process or a defined turnaround time, such as 30 or 60 days, after which a product should be deemed to be automatically approved.


7.3. Establish Market Based Compensation for Staff

7.3.1. Compensation levels for staff at all levels (including lower levels) need to be such that the company is able to attract quality personnel. Appropriate compensation levels should be determined through market surveys (possibly conducted by engaging external consultants). Care must be taken to benchmark against those companies whose quality of service is of a level which the company would be comfortable in achieving, recognizing that the company may need to pay slightly higher given that it is not currently an established name in the insurance industry.

7.3.2. Over the longer period, the company should implement a suitable induction program for management trainees, whereby personnel with the right aptitude (determined through suitable testing) are inducted and put through a planned training program.

7.4. Establish Mechanism for Market Acceptability of Products

7.4.1. The success or otherwise of a product is dependent upon market acceptability of its features and pricing. As a considerable amount of time and effort goes into design and pricing of a product as well as obtaining Shariah and regulator’s approval, it makes sense to test the acceptability of products as early as possible.

7.4.2. The company’s standard product development framework should include a preliminary stage wherein the following is covered:

a. A brief outline of the target market.
b. An outline of the features proposed, with an analysis of how it is expected that this will be attractive to the target market.
c. The pricing methodology to be followed (aggressive, conservative, etc.).
d. An overview of competitive products, along with an idea of the volumes currently being sold.
e. A discussion of where the company wishes to be in pricing terms in comparison with competitors.

7.4.3. The preliminary feasibility should be reviewed by the Product Development Committee (PDC) before a go ahead is given for detailed product development.

7.4.4. Where the product being introduced does not exist in the market, a brief survey of the market should be carried out to determine market acceptability.

7.4.5. The pricing carried out should, where competitive products exist, contain a comparison of the product with such competitive products.


7.5. Ensure Sales Compensation is Market Based

7.5.1. Sales of retail products would depend heavily upon the company building a successful sales force which in turn would be dependent upon the attractiveness of the company’s compensation structure with respect to sales personnel. This is especially important in the initial stages when a company would be striving to build its brand with respect to insurance products (the brand already exists with respect to the other top companies).

7.5.2. The company needs to develop a comprehensive sales force compensation structure which:

a. Contains a description of the compensation structure of its sales force including targets, validation criteria, promotion guidelines, incentives, etc., including details of competitions, conventions, etc.

b. Compares the structure with major competitors, explaining how any anomalies are expected to be covered (e.g., lower costs resulting in higher policy values would make the products easier to sell)

c. Determines the overall cost of the structure for pricing purposes.

7.6. Establish a Scientific Pricing Methodology

7.6.1. The pricing of a product should be done by identifying and modeling all risks in the product. The company should use scenario analysis and stress testing, depending on the complexity of the risk. The pricing process should be carried out in line with the capital requirement of the product. The company should monitor the actual profitability of the business against the expected profitability.

7.6.2. Sound pricing practice would include:
a. Involvement of top management, the product committee, the investment department, the actuary and risk managers
b. Ensuring that the technical inputs are accurate and that the person responsible has enough market experience to provide them
c. Tracking price differentials when business is lost to competitors

7.6.3. A standard pricing methodology should be developed, which should include carrying out regular expense studies once the company's business volumes have stabilized. In the meantime, the expense factors used for pricing purposes should be developed from projections of business volumes and expenses, with assumptions being made about the point in time at which full expense absorption will be deemed to have been achieved.


7.6.4. The company should charge an adequate amount for its Takaful Fund. A planned deficit in the Takaful Fund is not allowed. If for competitive reasons (health insurance being used as loss-fronting business so that these customers eventually buy other, profitable policies as well) or for any other reason the company is writing the risk at a loss, the company should make sure that this loss is not borne by the Takaful Fund.

7.6.5. The Wakala fee structure needs to be developed from financial projections of realistic business volumes and expenses for each line, keeping in view Shariah approval of the permitted fee structure. Proper financial modeling should ensure that the long-term return objectives of shareholders are met.

7.7. Regular Review of Pricing

7.7.1. Pricing assumptions are, by nature, assumptions that may not work out in practice. The company needs to constantly monitor actual parameters against the assumptions and, from time to time, determine whether there is a case for revising the assumptions; where there is, the revision must then be carried out.

7.7.2. For the following parameters, the company’s systems need to have the ability to measure actual numbers:

a. Premium persistency (including renewal ratios for short term business)
b. Loss ratios, incidence rates and size of claim distribution for short term business
c. Expense levels (ideally analyzed and converted to expense factors)
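The following Python script is an added illustration of the monitoring described in 7.7.2; it is not part of the original document. It computes the renewal ratio, loss ratio, claim incidence and expense factor from a constructed book of short-term policies, summarises the claim size distribution, and flags each parameter whose actual value deviates from the pricing assumption by more than an assumed 10% tolerance. The policy records, the pricing assumptions and the tolerance are constructed for the example.

```python
"""Actual-versus-assumption monitoring for the pricing parameters listed in 7.7.2.

Added illustration, not from the original document. The policy records, the
pricing assumptions and the 10% review tolerance are all constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    premium: float            # annual premium written
    renewed: Optional[bool]   # None = not yet due for renewal
    claims: List[float]       # paid claim amounts in the policy year
    expenses: float           # expenses allocated to the policy


# Constructed short-term book of six policies (sample data, not real experience)
BOOK = [
    Policy(1000.0, True,  [],              120.0),
    Policy(1200.0, True,  [300.0],         140.0),
    Policy( 800.0, False, [],              110.0),
    Policy(1500.0, True,  [900.0, 250.0],  160.0),
    Policy( 950.0, None,  [],              100.0),
    Policy(1100.0, False, [2000.0],        130.0),
]

# Constructed pricing assumptions the book was priced on
ASSUMPTIONS = {
    "renewal_ratio": 0.80,
    "loss_ratio": 0.55,
    "claim_incidence": 0.30,
    "expense_factor": 0.10,
}
TOLERANCE = 0.10  # assumed relative deviation that triggers a pricing review


def actual_parameters(book):
    """Measure the parameters of 7.7.2 from the book as written."""
    due = [p for p in book if p.renewed is not None]
    premium = sum(p.premium for p in book)
    claims = sum(sum(p.claims) for p in book)
    return {
        "renewal_ratio": sum(p.renewed for p in due) / len(due),     # persistency
        "loss_ratio": claims / premium,
        "claim_incidence": sum(1 for p in book if p.claims) / len(book),
        "expense_factor": sum(p.expenses for p in book) / premium,    # expense level as a factor
    }


def claim_size_distribution(book):
    """Simple summary of the size-of-claim distribution."""
    sizes = sorted(c for p in book for c in p.claims)
    if not sizes:
        return {"count": 0, "mean": 0.0, "max": 0.0}
    return {"count": len(sizes), "mean": sum(sizes) / len(sizes), "max": sizes[-1]}


def review_flags(actual, assumed, tolerance=TOLERANCE):
    """True for every parameter whose actual value is outside the tolerance band."""
    flags = {}
    for name, expected in assumed.items():
        deviation = (actual[name] - expected) / expected
        flags[name] = abs(deviation) > tolerance
    return flags


if __name__ == "__main__":
    actual = actual_parameters(BOOK)
    for name, flagged in review_flags(actual, ASSUMPTIONS).items():
        print(f"{name:16s} assumed {ASSUMPTIONS[name]:.3f} actual {actual[name]:.3f} "
              f"{'REVIEW' if flagged else 'ok'}")
    print("claim sizes:", claim_size_distribution(BOOK))
```

Run against the constructed book, the loss ratio stays within tolerance while the renewal ratio, claim incidence and expense factor are flagged for review; in practice the same functions would be fed from the policy administration system rather than from inline records.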

7.8. Integrate Pricing and Business Administration

7.8.1. Pricing for short term business (life, non-life and health) cannot be fixed but needs to reflect the specific circumstances of the covered entity. It is therefore necessary that pricing be determined not in terms of fixed rates but in terms of a methodology for deriving suitable prices from various parameters (e.g., motor pricing could reflect the make/model of the vehicle and the age of the driver, property rates could reflect the overall quality of construction and safety standards, etc.).

7.8.2. In the case of Group Life and Group Health, the company should review the experience of large corporate groups and merge that experience with the age-based rates using suitable credibility factors. The framework for pricing large groups should be different from that for small groups. Group risk management should give final approval on the product's risk/return profile; on the valuation framework used to price the product (which should be consistent throughout the group); on the risk mitigation techniques to be used (particularly as far as reinsurance is concerned); and on local risk management activities. More importantly, group risk management should address group risk considerations such as overall risk tolerance, accumulation, concentration and diversification. Thus, group risk management could veto the launch of a new product if, when accumulated at group level, it represents an unacceptable level of risk.
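As an added illustration of the credibility blending mentioned in 7.8.2 (not part of the original document), the Python script below merges a group's own claims experience with the company's age-based manual rates. The square-root (limited fluctuation) credibility rule, the full-credibility standard of 1082 claims (the classical figure for a 5% margin at 90% confidence), the age-band rate table and the two sample groups are assumptions of this example; the document itself only says that suitable credibility factors should be used and that large and small groups should be priced differently.

```python
"""Credibility-weighted group rate: added illustration for 7.8.2.

The credibility rule Z = min(1, sqrt(n / n_full)), the full-credibility
standard, the age-band rates and the sample groups are all assumptions of
this example, not figures from the document.
"""
import math

# Assumed full-credibility standard: number of observed claims at which the
# group's own experience is trusted completely. 1082 is the classical
# limited-fluctuation figure for a 5% margin at 90% confidence; a company
# would substitute whatever standard its pricing framework adopts.
FULL_CREDIBILITY_CLAIMS = 1082

# Constructed age-band manual rates (e.g. per 1000 of sum assured per year)
AGE_RATES = {"18-30": 1.0, "31-45": 1.8, "46-60": 3.5, "61+": 6.0}


def credibility_factor(observed_claims, full_standard=FULL_CREDIBILITY_CLAIMS):
    """Z grows with the square root of the claim count and is capped at 1."""
    if observed_claims < 0:
        raise ValueError("claim count cannot be negative")
    return min(1.0, math.sqrt(observed_claims / full_standard))


def manual_rate(members_by_band, age_rates=AGE_RATES):
    """Age-based rate for the group: member-weighted average of the band rates."""
    total = sum(members_by_band.values())
    return sum(age_rates[band] * n for band, n in members_by_band.items()) / total


def experience_rate(claims_cost, exposure_units):
    """The group's own observed cost per unit of exposure."""
    return claims_cost / exposure_units


def blended_rate(members_by_band, claims_cost, exposure_units, observed_claims):
    """Credibility-weighted merge of experience and manual rates; returns (rate, Z)."""
    z = credibility_factor(observed_claims)
    rate = z * experience_rate(claims_cost, exposure_units) + (1 - z) * manual_rate(members_by_band)
    return rate, z


# Constructed sample groups: a large scheme with meaningful experience and a
# small scheme whose experience is too thin to rely on.
LARGE_GROUP = {"18-30": 400, "31-45": 500, "46-60": 300, "61+": 50}   # 1250 members
SMALL_GROUP = {"18-30": 5, "31-45": 7, "46-60": 3}                     # 15 members

if __name__ == "__main__":
    for name, group, cost, exposure, claims in [
        ("large", LARGE_GROUP, 3500.0, 1250.0, 270),
        ("small", SMALL_GROUP, 60.0, 15.0, 4),
    ]:
        rate, z = blended_rate(group, cost, exposure, claims)
        print(f"{name}: manual {manual_rate(group):.3f}, experience "
              f"{experience_rate(cost, exposure):.3f}, Z {z:.3f}, blended {rate:.3f}")
```

The small group's rate stays close to the manual rate because Z is only about 0.06, while the large group's experience carries roughly half the weight; this is the mechanism by which one methodology can still treat large and small groups differently.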

7.8.3. General insurance quotes should also be given after measuring actual experience, adjusting, if necessary, for any changes in cover or underlying circumstances.

7.8.4. The company’s systems should have the capacity of implementing the above in the normal course of business.


8. INFORMATION TECHNOLOGY

8.1. Introduction

8.1.1. Information technology risk refers to the risks arising from business practices related to information technology, in particular the security and governance of technology.

8.1.2. The table below lists the risk mitigation measures identified for information technology. A separate initiative has been identified for each risk; each initiative is then discussed in its own sub-section below.

Risk Mitigation Step Identified / Initiative

Initiative: Establish IT Governance, Strategy & Organization
Risk mitigation step: The company should (a) establish an IT steering committee; (b) ensure that the members of the IT steering committee appropriately represent IT and business unit leadership; (c) establish the steering committee charter, roles, responsibilities, decision matrix and ownership of the IT steering committee.

Initiative: Establish Segregation of Duties for critical business process
Risk mitigation step: The company should establish an IT security policy that includes a policy of segregation of duties. Further, establish roles and responsibilities that reduce the possibility for a single individual to compromise a critical process.

Initiative: Establish Information System Strategy Plan (ISSP)
Risk mitigation step: The company should (a) establish an Information System Strategy Plan (ISSP) to achieve business goals; (b) align the IT infrastructure with business objectives and ensure that IT is used to enhance the business.

Initiative: Establish Outsourcing Policy
Risk mitigation step: Establish an outsourcing policy to meet the service level requirement. The outsourcing policy should cover these areas at the minimum:
- Availability, reliability and capacity for growth of service
- Continuity planning
- Security requirement
- Roles and responsibilities

Initiative: Establish Formal BCP / DRP
Risk mitigation step: The company should (a) establish business continuity planning for the business to avoid any interruption in the critical services; (b) establish the IT function in the overall organizational structure with a business model contingent on the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT.

Initiative: Establish Security Policy & Procedures
Risk mitigation step: Review and identify the gaps in the current IT security policies, and ensure they are based on international best practices (i.e. ISO27001, ISACA, NIST etc.). IT security should cover these areas at the minimum:
- Physical Environmental Security
- Communications and Operations Management
- Access Control
- Information Security Incident Management
- Business Continuity Planning

Initiative: Establish dedicated Security Roles & Responsibilities and Implement formal security awareness program
Risk mitigation step: The company should (a) establish an information security function/role to manage information security within the organization; this role should not be under IT, but report to C-level management; (b) establish effective information security training programs for existing internal staff; (c) develop and implement a policy to ensure that any new staff hired shall have to take mandatory information security training covering the following at the minimum:
- Password Management
- Physical security requirement of the organization
- IT usage policy
- Information protection and privacy
- Role and responsibility towards information protection and privacy

Initiative: Implement Vendor Monitoring policy
Risk mitigation step: The company should implement the following points: (a) establish physical access control, logical access control and a monitoring mechanism for vendors; (b) a different VLAN can be established for vendors to segregate the vendors' activity from the primary network of the organization; (c) implement a policy to assign temporary accounts to suppliers with periodic monitoring.

Initiative: Establish policy to use security tools appropriately
Risk mitigation step: Establish a mechanism which assesses whether the tools are fulfilling the requirement of monitoring.

Initiative: Establish physical security measures within the company
Risk mitigation step: The company should implement the following points: (a) physical security measures must be capable of effectively preventing, detecting and mitigating risks relating to theft, temperature, fire, smoke, water, vibration, terror, vandalism, power outages, chemicals or explosives; a backup air conditioning system should be in place at the data center; (b) establish formal procedures for equipment maintenance at the company; the Admin department should develop the maintenance procedures together with IT; (c) an alternate power supply such as a backup generator should be in place to cater for long power outages due to natural disasters etc.; (d) according to best practices, a lock-and-key mechanism for data centers is not considered appropriate because keys can easily be misplaced and copied by unauthorized persons; it is recommended that users have a PIN in addition to the card to fulfil the requirement of two-factor authentication.

Initiative: Implement Backup and Recovery policies
Risk mitigation step: The company should implement the following points: (a) establish a backup policy and procedure to implement the organization's backup strategy in compliance with a standard; (b) there should be a policy in place for the management of removable media; further, all media should be stored in a safe, secure environment, in accordance with manufacturers' specifications; (c) establish a procedure to store offsite all critical backup media, documentation and other IT services necessary for IT recovery and business continuity plans; (d) establish a policy and procedure to take backups of critical business applications periodically as well as after any major change to the systems; further, backup media should be regularly tested to ensure that they can be relied upon for emergency use when necessary.

Initiative: Implement Password Management Guidelines
Risk mitigation step: The company should implement the following points: (a) establish a password policy and procedure; further, enforce a default password change by the system, and default passwords should not be allowed; (b) the password policy should be based on international standards such as ISO27001, NIST etc. and should be approved by the board and implemented.

Initiative: Stability and ACL of critical business applications should be established and monitored
Risk mitigation step: The company should implement the following points: (a) establish a procedure to ensure that all systems are checked in a timely manner for any required fixes / updates etc.; (b) improve the monitoring mechanism on the company's network to identify vulnerabilities which could lead to potential threats; (c) establish a business application access policy on business applications; the access control policy should also be consistent with the organizational access policy.

Initiative: Account Management Policies and Standards
Risk mitigation step: The company should implement the following points: (a) establish policies and procedures that cover all stages in the life cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services; (b) user profile / group configuration policy should be aligned with the overall business objective.

Initiative: Implement change management policy
Risk mitigation step: (a) A formal change control procedure should be documented and enforced in order to minimize the corruption of information systems.

Initiative: Establish preventive and detective controls on business applications / computer networks
Risk mitigation step: The company should implement the following points: (a) establish access control as per business needs on business applications; (b) establish state of the art authentication infrastructure (for example Kerberos etc.) on business applications; (c) all passwords should be saved in encrypted format on critical business applications (Insurance); (d) all business application logs should be periodically reviewed; (e) implement a DMZ if a business application is being published on the internet.

Initiative: Establish Network Access Controls
Risk mitigation step: Access to both internal and external networked services should be controlled. A policy should be formulated concerning the use of networks and network services. This policy should cover these areas at the minimum:
- ACL on network
- authorization procedure to access the network
- procedure to protect access to network connections
- network access methods
- deployment of hardware based firewalls to maintain segregation and ACL on networks

Initiative: Establish Project Methodology (SDLC)
Risk mitigation step: An SDLC methodology should be implemented and all documented procedures should be followed; policies and procedures should be developed in line with it.

Initiative: Establish Business controls on business applications (Insurance)
Risk mitigation step: All business requirements, QA results and UAT results should be properly documented and signed off by the respective HOD and business users.

8.2. Establish IT Governance, Strategy & Organization

8.2.1. Without an IT steering committee, decisions related to IT budgeting, project approval, monitoring, prioritization and the alignment of IT with the business cannot be made properly in any organization.

8.2.2. In order to address the above potential issues, the company should:
a. Establish an IT steering committee, appointed by senior management, to oversee the IS function.
b. Members of such a committee may include, amongst others, the chief executive officer (CEO) or designee, business unit executives, the chief financial officer (CFO), the chief information officer (CIO)/IT director, the chief security officer (CSO), the CISO, human resources, legal, risk management, audit, operations and public relations.
c. Establish the charter, roles, responsibilities, decision matrix and ownership of the IT steering committee.
d. The IT steering committee should play an important role in ensuring that the IS department is in harmony with the company's mission and objectives.
e. The IT steering committee should be involved in:
i. Reviewing the long and short range plans of the IS department to ensure that they are in accordance with the corporate objectives
ii. Reviewing and approving major acquisitions of hardware and software within the limits approved by the board of directors
iii. Approving and monitoring major projects and the status of the IS plans and budgets
iv. Establishing priorities, approving standards and procedures and monitoring overall IS activities
v. Reviewing the adequacy and allocation of resources in terms of time, personnel and equipment
vi. Making decisions regarding centralization vs. decentralization and the assignment of responsibility

8.3. Establish Segregation of Duties for critical business process

8.3.1. In the absence of segregation of duties, one person might have excessive control over one or more critical processes, which could expose the company to the risk of information misuse.

8.3.2. In order to address the above potential issues, the company should implement the following points. Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
a. Establish an IT security policy that includes a policy of segregation of duties.
b. Establish roles and responsibilities that reduce the possibility for a single individual to compromise a critical process.
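The Python script below is an added illustration of how the segregation-of-duties requirement in 8.3.2 can be enforced in a user-administration workflow; it is not code from the document. It keeps a list of role pairs that together would let one person complete a critical process alone, detects users who already hold such a combination, blocks a new grant that would create one, and applies a four-eyes rule so that the person requesting a critical action cannot also approve it. The roles, the conflict pairs and the sample assignments are constructed for the example.

```python
"""Segregation-of-duties checks on role assignments: added illustration for 8.3.

The role names, the conflict pairs and the sample assignments are constructed
for this example; a company would populate them from its own SoD matrix.
"""
from itertools import combinations

# Constructed "toxic combinations": holding both roles lets a single person
# initiate and complete a critical process without independent review.
CONFLICTS = {
    frozenset({"claim_registration", "claim_approval"}),
    frozenset({"payment_entry", "payment_release"}),
    frozenset({"user_administration", "security_audit"}),
    frozenset({"developer", "production_deployer"}),
}


def sod_violations(assignments):
    """Return {user: [conflicting role pairs]} for users holding a toxic combination."""
    violations = {}
    for user, roles in assignments.items():
        bad = [pair for pair in combinations(sorted(roles), 2) if frozenset(pair) in CONFLICTS]
        if bad:
            violations[user] = bad
    return violations


def can_assign(assignments, user, new_role):
    """Pre-check run before a role is granted: refuse if it would create a conflict."""
    current = assignments.get(user, set())
    return not any(frozenset({new_role, existing}) in CONFLICTS for existing in current)


def four_eyes_ok(requested_by, approved_by):
    """A critical action needs a second, different person to approve it."""
    return approved_by is not None and approved_by != requested_by


# Constructed sample assignments; "bob" already holds a conflicting pair.
ASSIGNMENTS = {
    "alice": {"claim_registration", "underwriting"},
    "bob": {"payment_entry", "payment_release"},
    "carol": {"developer", "qa"},
}

if __name__ == "__main__":
    print("existing violations:", sod_violations(ASSIGNMENTS))
    print("grant claim_approval to alice?", can_assign(ASSIGNMENTS, "alice", "claim_approval"))
    print("grant reporting to alice?", can_assign(ASSIGNMENTS, "alice", "reporting"))
    print("alice approves her own change?", four_eyes_ok("alice", "alice"))
```

The periodic report from sod_violations is the detective control; can_assign and four_eyes_ok are the preventive ones, and the same conflict table can be reused by the change management process described later in this chapter.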

8.4. Establish Information System Strategy Plan (ISSP)

8.4.1. Without an information system strategy plan in place, IT cannot play an additive role in enhancing the business.

8.4.2. In order to address the above issue, a company should establish an Information System Strategy Plan (ISSP) to align the IT infrastructure with business objectives and enhance the business in an effective manner.

8.5. Establish Outsourcing Policy

8.5.1. The absence of an outsourcing policy could expose the company to the risk of not complying with confidentiality, availability, integrity and regulatory requirements, with a financial and reputational impact on the company.

8.5.2. In order to address the above issues, a company should implement the following points.
a. Establish an outsourcing policy to meet the service level requirement. The outsourcing policy should cover the following areas at the minimum:
i. Availability, reliability and capacity for growth of service
ii. Continuity planning
iii. Security requirement
iv. Roles and responsibilities

8.6. Establish Formal BCP / DRP

8.6.1. Without a formal BCP / DRP, a company may not be able to continue its smooth operations in case of a disaster. Business recovery will also take more time and effort, which could cause financial and reputational impact.

8.6.2. In order to address the above issues, a company should implement the following points.
a. Establish business continuity planning for the business to avoid any interruption in the critical services. The BCP should cover these elements at the minimum, based on a standard (for example BS25999):
i. BCP strategy
ii. Identification of critical business processes based on RTO and RPO
iii. Business impact analysis
iv. Detailed risk assessment of critical business processes
b. Establish the IT function in the overall organizational structure of the company with a business model contingent on the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT.

8.7. Establish Security Policy & Procedures

8.7.1. Absence of formal policies and standards may result in inappropriate and inconsistent configuration of the security system.

8.7.2. In order to address the above issues, a company should implement the following points.
a. Review and identify the gaps in the current IT security policies, and ensure they are based on international best practices (i.e. ISO27001, ISACA, NIST etc.).
b. Formal policies and standards should be in place for the configuration of the third-party security system under review.
c. IT security should cover the following areas at the minimum:
i. Physical Environmental Security
ii. Communications and Operations Management
iii. Access Control
iv. Information Security Incident Management
v. Business Continuity Planning


8.8. Establish dedicated Security Roles & Responsibilities and Implement formal security awareness program

8.8.1. The absence of a security department may result in redundant, fragmented and weak security practices.

8.8.2. In order to address the above issues, a company should implement the following points.
a. Establish an information security function/role to manage information security within the company. This role should not be under IT, but report to C-level management.
b. Establish effective information security training programs for existing internal staff.
c. A policy should be developed and implemented to ensure that any new staff hired shall have to take mandatory information security training covering the following at the minimum:
i. Password Management
ii. Physical security requirements
iii. IT usage policy
iv. Information protection and privacy
v. Role and responsibility towards information protection and privacy

8.9. Implement vendor monitoring policy

8.9.1. The absence of monitoring of vendors with respect to their physical and logical access could lead to information disclosure, physical damage, theft and security breaches.

8.9.2. In order to address the above issues, a company should implement the following points:
a. Establish physical access control, logical access control and a monitoring mechanism for vendors.
b. A different VLAN can be established for vendors to segregate the vendors' activity from the primary network.
c. Implement a policy to assign temporary accounts to suppliers, with periodic monitoring.

8.10. Establish policy to use security tools appropriately

8.10.1. Third-party security tools are powerful system utilities and their inappropriate use may compromise the integrity of the systems.

8.10.2. Establish a mechanism which assesses whether the tools are fulfilling the requirement of monitoring.

8.11. Establish physical security measures


8.11.1. Absence of physical security measures may lead to the risk of physical destruction and security breaches of data center / IT department.

8.11.2. In order to address the above issues, a company should implement the following points:
a. Physical security measures must be capable of effectively preventing, detecting and mitigating risks relating to theft, temperature, fire, smoke, water, vibration, terror, vandalism, power outages, chemicals or explosives.
b. A backup air conditioning system should be in place at the data center.
c. Establish formal procedures for equipment maintenance. The Admin department should develop the maintenance procedures together with IT.
d. An alternate power supply such as a backup generator should be in place to cater for long power outages due to natural disasters etc.
e. According to best practices, a lock-and-key mechanism for data centers is not considered appropriate because keys can easily be misplaced and copied by unauthorized persons. It is recommended that users have a PIN in addition to the card to fulfil the requirement of two-factor authentication.

8.12. Implement Backup and Recovery policies

8.12.1. The absence of formal backup and recovery policies, undefined backup schedules, and a lack of training and appropriate qualification of the staff who execute backup and recovery may lead to the risk of loss of information, which could in turn cause unavailability of services.

8.12.2. In order to address the above issues, a company should implement the following points:
a. Establish a backup policy and procedure to implement the backup strategy in compliance with a standard.
b. Backup and restoration policies and procedures should be defined based on business requirements.
c. Each business unit should define its Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO), based on which the overall backup and recovery strategy, policy and procedures should be developed.
d. There should be a policy in place for the management of removable media. Further, all media should be stored in a safe, secure environment, in accordance with manufacturers' specifications.
e. Establish a procedure to store offsite all critical backup media, documentation and other IT services necessary for IT recovery and business continuity plans.
f. Establish a policy and procedure to take backups of critical business applications periodically as well as after any major change to the systems. Further, backup media should be regularly tested to ensure that they can be relied upon for emergency use when necessary.
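The following Python script is an added illustration of how the RPO targets and restore-testing requirement in 8.12.2 can be checked mechanically; it is not part of the original document. For each system it takes the business unit's RPO, measures the largest gap between successful backups (including the gap from the last backup to now) and reports a breach when that gap exceeds the RPO; it also flags systems whose most recent successful restore drill is older than an assumed 90-day limit or has never happened. The systems, their RPO/RTO values, the backup history, the restore-test dates and the reference time are all constructed.

```python
"""Backup schedule versus RPO and restore-test age: added illustration for 8.12.

The systems, their RPO/RTO targets, the backup history, the restore-drill
dates, the reference time and the 90-day drill limit are constructed.
"""
from datetime import datetime, timedelta

# Constructed per-system targets as a business unit would define them (8.12.2 c)
SYSTEMS = {
    "policy_admin": {"rpo": timedelta(hours=1),  "rto": timedelta(hours=4)},
    "claims":       {"rpo": timedelta(hours=4),  "rto": timedelta(hours=8)},
    "hr_portal":    {"rpo": timedelta(hours=24), "rto": timedelta(hours=48)},
}

# Constructed completion times of successful backups
BACKUPS = {
    "policy_admin": ["2024-03-01T00:00", "2024-03-01T01:00", "2024-03-01T02:00", "2024-03-01T05:00"],
    "claims":       ["2024-03-01T00:00", "2024-03-01T03:30"],
    "hr_portal":    ["2024-02-28T22:00"],
}

# Constructed date of the last successful restore drill per system (None = never tested)
LAST_RESTORE_TEST = {
    "policy_admin": "2024-02-20T10:00",
    "claims": "2023-10-01T10:00",
    "hr_portal": None,
}

NOW = datetime.fromisoformat("2024-03-01T06:00")   # constructed reference time
MAX_RESTORE_TEST_AGE = timedelta(days=90)          # assumed policy value


def _ts(text):
    return datetime.fromisoformat(text)


def rpo_breach(system, now=NOW):
    """Largest gap between consecutive backups (and from the last one to now);
    returned only if it exceeds the system's RPO, otherwise None."""
    times = sorted(_ts(t) for t in BACKUPS[system]) + [now]
    worst_gap = max(later - earlier for earlier, later in zip(times, times[1:]))
    return worst_gap if worst_gap > SYSTEMS[system]["rpo"] else None


def restore_test_overdue(system, now=NOW, max_age=MAX_RESTORE_TEST_AGE):
    """True when the media has never been restore-tested or the last drill is too old."""
    last = LAST_RESTORE_TEST.get(system)
    return last is None or now - _ts(last) > max_age


def backup_report(now=NOW):
    """One line of findings per system, suitable for the periodic backup review."""
    return {
        name: {"rpo_breach": rpo_breach(name, now), "restore_test_overdue": restore_test_overdue(name, now)}
        for name in SYSTEMS
    }


if __name__ == "__main__":
    for name, finding in backup_report().items():
        gap = finding["rpo_breach"]
        print(f"{name:13s} RPO breach: {gap if gap else 'none':>16}  "
              f"restore test overdue: {finding['restore_test_overdue']}")
```

Note that the gap from the last backup to the current time is included on purpose: a schedule that looked fine last night but has silently stopped running is the case the check most needs to catch.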

8.13. Implement password management guidelines

8.13.1. Absence of formal policies and procedures of password management could lead to risk of information disclosure and unauthorized access to critical IT systems.

8.13.2. In order to address the above issues, a company should implement the following points:
a. Establish a password policy and procedure.
b. Enforce a default password change by the system; default passwords should not be allowed.
c. End users should be made aware of the need to adopt strong passwords for their systems.
d. The password policy should be based on international standards such as ISO27001, NIST etc. and should be approved by the board and implemented.

8.14. Stability of critical business applications should be established and monitored

8.14.1. The absence of a mechanism to update systems with the latest fixes, and of periodic monitoring, could lead to instability of critical systems.

8.14.2. In order to address the above issues, a company should implement the following points:
a. Establish a procedure to ensure that all systems are checked in a timely manner for any required fixes / updates etc.
b. Improve the monitoring mechanism on the network to identify vulnerabilities which could lead to potential threats.
c. Establish a business application access policy on business applications. The access control policy should also be consistent with the organizational access control policy.

8.15. Account Management Policies and Standards

8.15.1. Absence of formal policies and procedures of user account management could lead to risk of non-standardization of account management operation.

8.15.2. In order to address the above issues, a company should implement the following points:
a. Establish policies and procedures that cover all stages in the life cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services.
b. User profile / group configuration policy should be aligned with the overall business objective.

8.16. Implement change management policy

8.16.1. Absence of formal change management policies and procedures could lead to the risk of unauthorized configuration on critical IT systems

8.16.2. A formal change control procedure should be documented and enforced in order to minimize the corruption of information systems.

8.17. Establish preventive and detective controls on business applications / computer networks

8.17.1. The absence of formal policies and procedures for access control and authentication mechanisms could lead to information disclosure.

8.17.2. In order to address the above issues, a company should implement the following points:
a. Establish access control as per business needs on business applications.
b. Establish state of the art authentication infrastructure (for example Kerberos etc.) on business applications.
c. All passwords should be saved in encrypted format on critical business applications (Insurance).
d. All business application logs should be periodically reviewed.
e. Implement a DMZ if a business application is being published on the internet.
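The Python script below is an added illustration serving both the password management guidelines in 8.13.2 and the stored-password requirement in 8.17.2(c); it is not code from the document. The document asks for passwords to be saved in "encrypted format"; the standard way an application satisfies that requirement is a salted, deliberately slow password hash, so that the stored value can verify a login but cannot be turned back into the password, and that is what the example stores (scrypt from the Python standard library). It also rejects default or well-known passwords, forces an account created with a temporary default password to change it at first login, and checks a minimum length and character mix. The minimum length, the denylist and the sample account are constructed, not values from the document.

```python
"""Password policy enforcement and protected credential storage: added
illustration for 8.13.2 and 8.17.2(c).

The 12-character minimum, the denylist of default passwords, the scrypt cost
parameters and the sample account are assumptions of this example.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12                                                        # assumed policy value
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome1", "password123"}  # constructed denylist
SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}                   # assumed cost parameters


def policy_violations(password, username):
    """Return the rules a candidate password breaks; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default or well-known password")
    if username.lower() in password.lower():
        problems.append("contains the user name")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def hash_password(password, salt=None):
    """Salted scrypt hash; only this value, never the password itself, is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt + digest


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    recomputed = hashlib.scrypt(candidate.encode("utf-8"), salt=salt, **SCRYPT)
    return hmac.compare_digest(recomputed, digest)


class CredentialStore:
    """Minimal account store: a default/temporary password must be changed at first login."""

    def __init__(self):
        self._records = {}

    def create(self, username, initial_password):
        must_change = (initial_password.lower() in DEFAULT_PASSWORDS
                       or bool(policy_violations(initial_password, username)))
        self._records[username] = {"hash": hash_password(initial_password), "must_change": must_change}

    def login(self, username, password):
        record = self._records.get(username)
        if record is None or not verify_password(record["hash"], password):
            return "denied"
        return "change_required" if record["must_change"] else "ok"

    def change_password(self, username, old, new):
        if self.login(username, old) == "denied" or policy_violations(new, username):
            return False
        self._records[username] = {"hash": hash_password(new), "must_change": False}
        return True


if __name__ == "__main__":
    store = CredentialStore()
    store.create("alice", "changeme")                     # constructed temporary password
    print(store.login("alice", "changeme"))               # change_required
    print(store.change_password("alice", "changeme", "short"))             # False
    print(store.change_password("alice", "changeme", "Tr0ub4dor&3x!Long"))  # True
    print(store.login("alice", "Tr0ub4dor&3x!Long"))     # ok
```

The stored record never contains the password, so a copy of the credential table does not by itself reveal any credential; that is the property the "encrypted format" requirement is meant to secure, and the same store can be pointed at whatever password policy the board approves by adjusting the constants at the top.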

8.18. Establish Network Access Controls

8.18.1. Absence of access control could lead to the risk of unauthorized access on networks

8.18.2. Access to both internal and external networked services should be controlled. A policy should be formulated concerning the use of networks and network services. This policy should cover these areas at the minimum:

i. ACLs on the network

ii. authorization procedure to access the network

iii. procedure to protect access to network connections

iv. network access methods

v. deployment of hardware-based firewalls to maintain segregation and ACLs between networks
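Points (i) and (v) above come down to an ordered rule list with a default deny, and the mistakes are almost always about rule order and about what the DMZ is allowed to reach inside. The following added example (not code from the original document, and not tied to any particular firewall product) evaluates such a list with first-match semantics over the three zones the section implies: internet, DMZ and internal network. The address ranges, the rules and the zone names are assumptions constructed for the example.

```python
"""Evaluate a network access-control list with first-match semantics and a
default-deny rule, illustrating segregation between internet, DMZ and the
internal network.

Added illustration, not code from the original document. Address ranges,
rules and zone names are assumptions constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")      # documentation range, assumed DMZ
ANY = ipaddress.ip_network("0.0.0.0/0")
DB_SERVER = ipaddress.ip_network("10.0.20.5/32")


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int]          # None matches any destination port
    comment: str = ""

    def matches(self, src_ip, dst_ip, proto, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Ordered rule set: first match wins, anything unmatched is denied.
ACL: List[Rule] = [
    Rule("allow", ANY, DMZ, "tcp", 443, "public web front end of the published application"),
    Rule("allow", DMZ, DB_SERVER, "tcp", 1433, "DMZ application tier to its database only"),
    Rule("deny", DMZ, INTERNAL, "any", None, "no other DMZ-to-internal traffic"),
    Rule("allow", INTERNAL, DMZ, "tcp", 22, "administration from the internal network"),
    Rule("allow", INTERNAL, INTERNAL, "any", None, "internal east-west traffic"),
]


def evaluate(acl: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int]) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, or the default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


def is_allowed(acl: List[Rule], src: str, dst: str, proto: str,
               dport: Optional[int]) -> bool:
    return evaluate(acl, src, dst, proto, dport)[0] == "allow"


if __name__ == "__main__":
    checks = [
        ("203.0.113.7", "192.0.2.10", "tcp", 443),   # internet -> DMZ web: allow
        ("203.0.113.7", "10.0.20.5", "tcp", 1433),   # internet -> internal DB: deny
        ("192.0.2.10", "10.0.20.5", "tcp", 1433),    # DMZ app -> its DB: allow
        ("192.0.2.10", "10.0.50.1", "tcp", 1433),    # DMZ app -> other host: deny
        ("10.0.5.5", "192.0.2.10", "tcp", 22),       # admin -> DMZ: allow
    ]
    for c in checks:
        print(c, "->", evaluate(ACL, *c))
```

Two properties are worth testing explicitly whenever such a list changes: nothing from the internet reaches the internal range directly (it must terminate in the DMZ), and the DMZ can reach only the specific internal services it needs. Order matters: if the blanket DMZ-to-internal deny were placed before the database allow, the published application would silently lose its database, which is why rule changes belong under the change management procedure of 8.16.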

8.19. Establish Project Methodology (SDLC)

8.19.1. Absence of project methodology for in house development such as system development life cycle (SDLC) could lead to risk of not meeting project objectives.


8.19.2. An SDLC methodology should be adopted, its documented procedures should be followed, and the related policies and procedures should be developed in line with it.

8.20. Establish Business controls on business applications (Insurance)

8.20.1. Absence of business controls in business applications could lead to the risk of not meeting business objectives.

8.20.2. All business requirements, QA results and UAT results should be properly documented and signed off by the respective head of department (HOD) and the business users.


9. RISKS RELATED TO OTHER AREAS

9.1. Introduction

9.1.1. Other areas or support functions mainly comprise the accounting and finance functions, which should be duly covered as part of the risk management framework. While developing the risk inventory relating to the various functions, focus should be kept on the underlying controls that are essential for mitigating the normal risks associated with initiating and processing transactions and with their recording and reporting.

9.1.2. The areas or support functions covered are dealt with separately in the following sections: for each area a brief description of its functional mechanism and existing controls is given first, followed by the risk matrix and the risk response or risk mitigation strategy.


9.2. Human Resource Management

9.2.1. Considering a Company’s resource requirements, this is an important area which can have significant impact on the successful conduct of operations.

9.2.2. All hiring should be based on well documented policies and procedures contained in the HR Manual, including policies relating to employee compensation and benefits, succession planning, promotions, etc. A formal "Code of Ethics" policy should exist and be implemented, monitored by a Code of Ethics Committee. All employees should be required to sign off on the Code of Ethics.

9.2.3. Head of HR should be a well experienced person who interacts closely with the Chief Executive and has developed a good team for handling all aspects of HR matters.

9.2.4. All hiring requirements should be identified in advance, especially for key positions, and the hiring processes triggered accordingly. Timely hiring should be ensured by establishing a single point of contact for each function and by availing the services of head-hunting firms.

9.2.5. Manpower planning and budgeting should be formally approved by the Board. Hiring should then be done according to the duly signed-off Hiring Plan by a dedicated Recruitment Manager, ensuring that only the required employees are recruited.

9.2.6. Persons fulfilling the qualification and experience criteria and possessing required competencies should be selected through a minimum two stage interview process after careful evaluation and short listing of applications. The procedures in place should ensure recruitment of competent resource objectively and without any bias.

9.2.7. Employment contracts, complying with regulatory and legal requirements, should be formally issued to the employees. The contractual terms and related Company policies should ensure that basic employment conditions, health and safety requirements and labor laws obligations are not violated.

9.2.8. Formal policies and procedures should be developed and implemented for staff appraisals and promotions ensuring transparency and objectivity and to cater to staff training and development requirements. Similarly, employee separation procedures should be in place to ensure amicable and smooth exit at the time of leaving.

9.2.9. Approved “Succession Planning” methodology should be in place. This will also take care of any over reliance on key positions.


9.2.10. Complete data and records of employees should be properly maintained and confidentiality should be ensured through restricted access.

9.2.11. The risk categories, where planned and recommended controls were specified, are summarized/listed below for reference, with the risk mitigation steps grouped under the identified initiative they serve.

Identified Initiative: Implementation of HR policies and procedures.

Risk Mitigation Steps:

a. As mandated by the Board, the HR Head should review the policies and procedures annually to assess their adequacy and appropriateness.

b. Periodic feedback from the functions should be obtained to identify improvement opportunities and course correct.

c. Instilling in-house headhunting capability.

d. Diploma graduate intake program and tie-ups for Corporate Sales.

e. An employee engagement and retention plan should be developed and implemented.

f. The benefits module of the HR system should capture the company assets given to an employee and the benefits availed. This will facilitate the clearance process.

Identified Initiative: Proper segregation of departmental functions and responsibilities to ensure successful implementation of the HR system and confidentiality.

Risk Mitigation Steps:

a. An integrated HR system should be implemented, similar to customer relationship management (CRM) software.

b. The segregation of duties within HR for capturing/data entry and for processing payroll and other employee-related transactions should follow an appropriately designed security matrix.

c. The Head of HR and the Internal Auditor should review the functions to ensure the required segregation.

Identified Initiative: Implementation of health and safety regulations in compliance with legal requirements.

Risk Mitigation Step:

a. A formal plan for evacuation in case of fire should be documented, including the induction of fire wardens. The Company plans to conduct periodic fire drills.

9.2.12. Well defined and communicated HR policies and procedures are important to increase the confidence of employees and help in maintaining discipline, as employees are aware of their rights and obligations as employees of the company. Since the policies affect all employees, there is a need for continuous review and improvement. To fulfil this requirement in a continuously changing environment, the HR departmental head should regularly review HR policies and procedures to assess their adequacy and appropriateness.

9.2.13. Proper feedback from different functions and employees should be taken and considered for identifying required improvement in policies and procedures.


9.2.14. Employee retention being a significant matter, the implementation of employee engagement and retention plan should be expedited so that the employee attrition is minimized.

Proper segregation of departmental functions and responsibilities to ensure successful implementation of HR system and confidentiality

9.2.15. Job descriptions of various functions should be very clear and duties/responsibilities should be properly segregated. Written Job descriptions and segregation of duties help in maintaining better control over activities and help in proper implementation of HR Systems.

9.2.16. Integrated HR system should ensure proper segregation of duties among departmental functions, maintenance of leaves records and in making correct deductions from salaries.

9.2.17. Further, the HR System should cater to the needs of record maintenance and essential employee records, advances given to them and Company assets in custody of employee.

9.2.18. Internal auditor needs to review the appropriateness of segregation of duties.

Implementation of health and safety regulations in compliance with legal requirements

9.2.19. Health and Safety of employees is always an important area of management’s attention and should be given due importance. In order to achieve the objectives, the Company’s HR Policies and Procedures should appropriately cater to all the requirements including procedures in case of fire and evacuation plan which is separately catered in Health and Safety regulations.

9.2.20. At a minimum, the Company needs to cater to all the legal requirements relating to the health and safety of employees.

Summary

9.2.21. In summary, following risk areas are identified where strategies and controls need to be further developed/improved:

a. Regular feedback of requirements and close monitoring of key positions to ensure timely identification and hiring of ongoing/additional resource requirements.

b. Employee retention plan and strategies for regular monitoring of employees’ grievances and addressing them timely and satisfactorily to control attrition.


c. Succession planning strategies should be quickly developed and immediately implemented, especially focusing on key/senior level positions.


9.3. Fixed Assets Management

9.3.1. The function should be adequately managed and controlled by the CFO with the support from Administration and Purchase Committee.

9.3.2. Assets capitalization and assets disposal policies should be in place, duly approved by the Board.

9.3.3. All acquisitions of fixed assets should be made centrally against pre-approved budgets following the Purchase Manual requirements, under the auspices of the Purchase Committee. Board’s prior approval is required for any non-budgeted asset’s acquisition.

9.3.4. All fixed assets should be fully insured and well maintained. Physical security controls should be appropriately applied to ensure that assets are not misappropriated or misused.

9.3.5. Accounts and Finance should exercise appropriate control over fixed assets' acquisitions, their proper classification, correct recording and the maintenance of their ownership/supporting documentation. The CFO should review all capitalizations on a periodic basis and also ensure that any disposals are done in accordance with the defined process.

9.3.6. Amortization/depreciation of assets should be recorded periodically based on a proper assessment of their useful lives and the adoption of appropriate methods. A Fixed Assets Register should be maintained and reviewed by the Finance Manager to ensure that it is regularly updated and accurately recorded.

9.3.7. The risk categories, where planned and recommended controls were specified, are summarized/ listed below for reference.

Identified Initiative: Monitoring compliance with the approved policies and IFRS requirements, review of capitalization limits, following industry best practices and physical control.

Risk Mitigation Steps:

a. The Chief Financial Officer should ensure asset capitalization as per the approved policy and should review capitalizations periodically.

b. It is recommended that the capitalization limit be enhanced appropriately. Further, category-wise capitalization amount limits may be considered.

c. The Chief Financial Officer should ensure that the assets to be disposed of are as per the policy and should review the disposal process.

d. The Finance Manager may review the transactions on a selective basis.

e. Physical verification is to be performed at least annually.

f. The Company should have a revaluation policy complying with the IFRS requirements.

g. The Purchase Committee should specifically check that all purchases are business oriented.

h. The Company should develop an asset coding scheme and properly tag all fixed assets for identification.

9.3.8. For developing a better control environment and for increased efficiency of processes/functions, employees should be made aware of the adopted policies and procedures. Senior management needs to create a culture of strict adherence to the adopted policies, going by example for creating a better control environment.

9.3.9. IFRS are international standards issued by the International Accounting Standards Board (IASB); these standards are adopted the world over and are easily understandable by general users. The Company needs to adhere to IFRS requirements, and the revaluation policy for assets needs to be in compliance with IFRS.

9.3.10. The capitalization limit for assets should be set after taking into consideration the insurance cost, the tagging and physical verification cost, record keeping requirements, physical security requirements and the cost of losing assets that are not booked as fixed assets. Hence the capitalization limit is to be set at the point where the benefit of booking an item as an asset exceeds the related costs. The limit can be set after taking into consideration industry best practices, the cost of items and the specific category of assets.

9.3.11. The physical count of fixed assets should be conducted at least annually. The assets need to be properly tagged at the time of addition and any change in the location or condition of asset should be recorded on timely basis.

9.3.12. Coding structure of tags should show the asset type, asset category and unique code for identification purpose.

Summary

9.3.13. In summary, the risk areas to be focused and strengthened are:

a. Review of the existing capitalization limit. Separate capitalization limits may be considered to be defined asset category-wise if found feasible/practical.


b. Well defined CAPEX/OPEX classification and orientation of staff about capitalization benchmarks will not only ensure better assets management but will also improve monitoring of specified budgets.

c. Improvement of physical control through proper coding and tagging of the assets and by conducting physical verification regularly and periodically, at-least on annual basis.

d. Fixed assets revaluation policy may be developed, in compliance with IFRS requirements.

9.4. Financial Accounting & Regulatory Reporting Risk

9.4.1. Formal financial accounting and reporting practices should be implemented and followed with adequate controls and monitoring mechanism.

9.4.2. The accounts and finance team, headed by the CFO, should be comprised of professionally qualified persons possessing relevant industry experience.

9.4.3. Formal Business Plan should be developed based on input from all relevant departments. Similarly, budgets should be prepared based on Business Plan. These needs to be approved by the Board and be closely monitored to measure actual achievements and variances and for considering required revisions.

9.4.4. Proper accounting policies and practices should be adopted in accordance with the applicable IFRS requirements. Financial statements and other regulatory reports should be diligently prepared in compliance with the applicable accounting and legal/regulatory requirements based on correct application of the accounting basis and policies adopted. All significant areas (including revenue recognition and its accurate recording, receivables management and related party transactions) should be subject to senior level review and internal audit.

9.4.5. All the financial and regulatory reporting should be subject to review by the CFO/audit committee and the external auditors, periodically.

9.4.6. Regulatory/legal compliance should be formally done and monitored by the Regulatory Compliance department and the Compliance Officer should be responsible to ensure strict adherence to the specified reporting requirements and their time schedule.

9.4.7. The risk categories, where planned and recommended controls were specified, are summarized/ listed below for reference.

Identified Initiative: Ongoing orientation about IFRS and relevant regulatory/legal compliance.

Risk Mitigation Steps:

a. The Company should provide regular training to its finance staff to ensure that they are up to date with IFRS and the relevant laws and regulations.

b. The Company should review the exposure drafts of new IFRS and prepare itself before the new IFRS become fully applicable.

Identified Initiative: To be included in the overall disaster recovery strategy.

Risk Mitigation Step:

a. The Company should develop a disaster recovery site for retaining backups of all data.

Identified Initiative: Strict compliance with financial disclosure and regulatory reporting.

Risk Mitigation Steps:

a. The Compliance Department should review all related party transactions to ensure that the "arm's length" criteria are respected.

b. The Compliance Department should keep track of the regulatory reporting time schedule to have an independent check of regulatory compliance.

Ongoing orientation about IFRS and relevant regulatory /legal compliance

9.4.8. With the changes in laws, regulations, technologies, standards and best industry practices, even an experienced employee may become less efficient over a period of time. To overcome this, the Company should have an ongoing program for training and development.

9.4.9. The first activity in developing a training program should be to establish the need for training. Accordingly, changes in laws, regulations and IFRS will be recognized and communicated to the relevant staff.

9.4.10. All new employees to be given orientation about the Laws, Regulations and IFRS applicable on the Company.

To be included in the overall disaster recovery strategy

9.4.11. Building up/developing a disaster recovery site is an essential feature of disaster recovery strategy. Running/up-dated backups of all the financial and related data and activities of the Company should be kept so that in case of any disaster the backup facility is available for data recovery and for meeting financial reporting and regulatory compliance.

Strict compliance with financial disclosure and regulatory reporting

9.4.12. Being a regulated industry institution, a takaful Company is subject to strict compliance requirements. The compliance department is, therefore, setup to have an independent check on adherence with the regulatory requirements.

9.4.13. The compliance department needs to validate the "arm's length" criteria by reviewing the related party transactions separately, checking that the prices charged are not much different from those in other normal transactions and that any difference is fully justifiable. Further, disclosure of related parties' transactions in the financial statements, as per the requirements of IFRS, should also be ensured.

9.4.14. Compliance department needs to prepare time schedule of regulatory reporting and to keep a regular check for meeting the reporting time schedule.

Summary

9.4.15. To summarize, in view of the functional significance and the risks associated with the strict regulatory regime, the following areas require further attention of the management:

a. Due to rapid changes in financial accounting and reporting requirements internationally, there is a need to keep abreast of the ongoing developments and IFRS requirements to ensure timely adoption of applicable policies and practices.

b. Regular training and orientation of all the concerned staff is essential for ensuring compliance with the applicable legal and regulatory reporting mandate.

c. Regulatory Compliance department should be strengthened to ensure full regulatory compliance and timely reporting.

9.5. Corporate Governance

9.5.1. The Company’s Board of Directors should be comprised of senior level business executives who possess vast experience and industry expertise of managing the functions and operations. All policy guidelines and business strategies should be developed and approved by the Board, commensurate with the industry benchmarks following good governance practices.

9.5.2. Corporate Governance Policy should be in place dealing with all governance matters ensuring legal and regulatory compliance with the Corporate Governance Regulations, including “conflict of interest” and “independence”, as well as adopting good business practices.

9.5.3. Board meetings should be held regularly for addressing business issues and reviewing operational progress. Guidance on the matters addressed (and on any issues resolved) is to be passed on to the executives through the Chief Executive for implementation and compliance.

9.5.4. Board members should exercise their powers and discharge their responsibilities in the best interest of the Company without any undue influence.


9.5.5. Shareholders' rights, as contained in the Regulations, should be respected, and information about the Company's affairs should be duly communicated in compliance with the Policy.

9.5.6. The risk categories, where planned and recommended controls were specified, are summarized/ listed below for reference.

Identified Initiative: An ongoing orientation program for keeping the Board members abreast of industry practices.

Risk Mitigation Step:

a. A continuous knowledge enhancement program on insurance and risk management may be considered for Board/Audit Committee members.

Identified Initiative: Involvement of senior level management and interaction with the Board for ensuring objectivity and better management.

Risk Mitigation Step:

a. The Board sub-committees and the Executive Committee should include members from the Company's senior executives so that key members of the management directly interact with the Board.

An ongoing orientation program for keeping the Board members abreast about the industry practices

9.5.7. To adapt to ever-changing world competition and to advances in technology and in financial and physical products, ongoing orientation and training is an important feature of improving the processes, controls and functions performed.

9.5.8. The Board members as well as senior executives need to update their knowledge of business on continuous basis through orientations and trainings on industry best practices and changed laws/standards.

Involvement of senior level management and interaction with the Board for ensuring objectivity and better management

9.5.9. The senior level management/executive should be involved in the decision-making process of Board for better understanding the wisdom of selected decisions and how the individual decisions work for the overall objectives of the Company.

9.5.10. Through close interaction with the senior executive, the Board will be able to better understand the practical difficulties in implementing their decisions. Senior level managers being experts of their functions can come up with efficient solutions within available resources.


9.5.11. Further, through active involvement with senior executives, the Board will have extended feedback for effective decision making.

Summary

9.5.12. Considering the rapid business developments and market challenges, it would be advisable that the Board interacts more closely with the senior executives, not only to enable efficient dissemination of policy guidelines but also to receive direct feedback on any implementation difficulties as well as operational issues, for better management.

9.5.13. In conclusion, this report sought to develop a suitable and comprehensive response to a number of diverse risks for a sample composite takaful company, i.e., the company's Risk Mitigation Strategy. It is hoped that the detailed orientation and aspects mentioned here will be of use to any takaful company specifically, and to insurance companies in general.
