The Office of Insurance Commission (OIC) has released draft Notifications—applicable to both life and non-life insurance companies—which introduce provisions on internal risk management in insurance companies.
Under these provisions, life and non-life insurance companies must:
- Establish a risk committee. At least one member must be a director, while the others may be company executives or qualified persons with an understanding of the risks involved in operating a business. The risk committee must meet and provide reports to the board of directors on a quarterly basis. Foreign insurers can fulfill the requirements without establishing a local risk committee by using a risk committee that was established at the company’s headquarters or regional office.
- Establish a risk management function. Outsourcing this function is permissible subject to requirements under the Notifications. The key responsibility is to manage and monitor enterprise risks and produce status reports on all risks to the company.
- Appoint a risk officer. The company must report the appointment or withdrawal of the risk officer to the OIC within 30 days of the appointment.
- Submit a risk management framework and policy. These must be submitted to the OIC annually.
- Submit a three-year business plan. This must be submitted to the OIC annually. The business plan includes areas such as potential risks arising from the three-year business plan and the top ten recorded risks to the company.
- Arrange training sessions for employees. The training sessions should integrate risk management culture into the company’s day-to-day business operations.
In addition, the audit committee has extra responsibilities that include monitoring and evaluating the company’s overall risk management function. The audit committee can make recommendations to the manager or officer to oversee activities effectively.
An internal audit unit must inspect other internal departments’ operations to ensure that they are following the risk management framework and policy. The internal audit unit must report the results to the audit committee or the board of directors.
The OIC may require companies to conduct “stress tests” on a case-by-case basis.
The draft Notifications are currently undergoing a public hearing. They are expected to be implemented at the end of 2016.