Rule – Risk Management for Insurers
In force dated 30 March, 2015.
#1. Statement of Objectives
1.1. To set out the Cayman Islands Monetary Authority’s (“Authority’s”) rule on Risk Management for insurance companies (each of the sub-paragraphs of section 5 below referred to as a “Rule,” and collectively, the “Rules”), pursuant to the Monetary Authority Law (“MAL”), and in conformity with applicable international financial standards.
#2. Statutory Authority
2.1. Section 34 of the MAL provides that the Authority may issue rules:
(1) After private sector consultation and with the approval of the Governor, the Authority may –
(a) issue or amend rules or statements of principle or guidance concerning the conduct of licensees and their officers and employees; …
2.2. This document establishes the Rule on Risk Management for insurance companies and should be read in conjunction with the Rule and Statement of Guidance on Internal Controls, the Statement of Guidance on Asset Management and Investment Strategy, the Statement of Guidance on Corporate Governance, and the Statement of Guidance on Reinsurance Arrangements.
#3. Scope of Application
3.1. This rule applies to all insurers regulated by the Authority under the Insurance Law.
#4. Definition
4.1. A risk management framework consists of structures, processes and people within the insurer that identify, assess, mitigate and monitor all internal and external sources of risk that could have a material impact on an insurer’s operations.
4.2. In this Rule, the “Board” refers to the Board of Directors of an insurer.
#5. Rules

5.1. The Risk Management Framework
5.1.1 An insurer must establish, implement, and maintain a documented risk framework that is capable of promptly identifying, measuring, assessing, reporting, monitoring and controlling all sources of risks that could have a material impact on its operations in a timely manner. The risk framework should document the probability, potential impact and duration of each risk.
5.1.2 The risk management framework must be appropriate having regard to the size and complexity of the insurer, and the nature of its risk exposures.
5.1.3 The risk management framework by an insurer must include:
a) a written risk management strategy approved by the Board, which in the opinion of the Board addresses all material risks to which the Insurer is likely to be exposed based on its business activities (including outsourced business);
b) risk management policies and procedures that in the opinion of senior management are adequate to identify, assess, mitigate, control, monitor and report on the material risks to which the Insurer is exposed; and
c) clearly identified managerial responsibilities and controls, designed to ensure that the policies and procedures established for risk management are adhered to at all times.
5.1.4 The risk management framework must address the measurement, monitoring and control of all material risks. These risks may include, but are not limited to:
a) credit risk;
b) insurance underwriting and reinsurance risks;
c) investment risk (including use of derivatives);
d) market risk (including liquidity risk);
e) strategic and tactical risks arising from the business plan;
f) concentration risk;
g) compliance risk;
h) money laundering, terrorist financing and fraud risk; and
i) operational risk (including outsourcing and business continuity
5.1.5 The insurer must document the approach and key assumptions made when measuring risks. Such documentation must describe and explain the risks covered.
5.1.6 The risk management framework must include an appropriate tolerance level or risk limit for material sources of risk. This risk tolerance and risk appetite must be defined by the Board. The tolerance level should take into account the relationships between sources of risk.

5.2. Business Objectives and Risk Management
5.2.1 The Board must adopt a written process for setting, approving and overseeing the implementation of the insurer’s overall business objectives and risk strategies of the insurer, taking into account the long term financial safety and soundness of the insurer as a whole, and the legitimate interests of its stakeholders, including fair treatment of customers.
5.2.2 The business objectives and risk strategies developed by the insurer must coincide with the approved risk appetite and tolerance levels of the insurer.

5.3. Review of the Risk Management Framework
5.3.1 An insurer must regularly review the market environment in which it operates, draw appropriate conclusions as to the risks posed and take appropriate actions to manage adverse impacts of the environment on the insurer’s business.
5.3.2 As appropriate, an insurer must conduct quantitative and qualitative analyses namely stress tests and scenario analysis having regard to the size and complexity of the insurer, and the nature of its risk exposures.
5.3.3 The insurer must implement and communicate to relevant staff an escalation process for reporting on risk issues within established reporting cycles and outside of them for matters of particular urgency.
5.3.4 The risk management framework must include a "feedback loop" which allows the Board and Senior Management to take necessary action in response to changes in the risk profile of an insurer. The feedback loop will also ensure that decisions made by the Board and Senior Management are implemented and their effects monitored to determine whether they are in fact appropriate.

5.4. Role of the Board of Directors
5.4.1 An insurer’s Board of directors must:
a) approve the risk management framework;
b) provide oversight of the risk management framework to ensure that policies and processes are implemented effectively; and
c) periodically review the risk management framework.

5.5. Insurance Groups
5.5.1 Insurers that are a part of a group structure must ensure that appropriate governance, internal controls and risk management procedures are in place on a group wide basis as well as at the legal entity level.
5.5.2 The Board and senior management of legal entities within an insurance group must ensure material information is disseminated in a timely manner at the legal entity level and group-wide as appropriate.

5.6. Training
5.6.1 An insurer must ensure risk policies and procedures are communicated to senior management and key personnel. An insurer must ensure relevant staff is trained on the risk policies of the insurer on a regular basis.

5.7. Independent Functions
5.7.1 An insurer must ensure that its risk management framework is subject to effective and comprehensive review by an independent function that may include, as applicable, the internal audit, external audit, insurance manager, actuarial and compliance functions. Persons in such functions must have access to and report to the Board.

5.8. Outsourcing
5.8.1 An insurer that outsources functions either externally to third parties or internally to affiliate entities must have oversight and clear accountability for all externally outsourced functions as if these functions were performed internally and subject to the normal standards of internal controls and periodic reviews.
5.8.2 An insurer’s outsourcing provider(s) must be approved by the Board or Senior Management.

5.9. Capital
5.9.1 An insurer's risk management policy should describe how its risk management links with its management of capital (regulatory capital requirement and economic capital¹).

5.10. Captives
5.10.1 The Authority recognizes that some captive structures exist where the captive insurer is an integral part of their parent company’s risk management function. In these cases, the Authority does not expect them to duplicate functions that are already carried out by the parent. The Board should consider and document a risk management function that is appropriate to the nature, scale and complexity of the business.
#6. Enforcement
6.1. Whenever there has been a breach of the Rules, the Authority’s policies and procedures as contained in its Enforcement Manual will apply, in addition to any other powers provided in the Insurance Law and the MAL.

¹ “Economic capital” is defined as the capital which results from an economic assessment of the insurer's risks given the insurer’s risk tolerance and business plans.