1 Review findings on the quality of the risk governance of insurers Prudential Supervision Department Reserve Bank of New Zealand February 2015
2 2 Contents Page 1. Summary 2. Introduction 3. Review methodology 4. Risk governance Theme descriptions 5. The findings 6. Conclusions Appendix 1 Summary of assessments across the sample
3 3 1. Summary This report covers the Reserve Bank of New Zealand s findings from a review of the quality of risk governance amongst 17 licensed insurers conducted during the second half of The selection of risk governance as a review topic reflects the reliance we place on insurers having strong risk governance as part of the self-discipline pillar of supervision and that shortcomings in risk governance are widely regarded as having been a significant contributing factor to the recent global financial crisis. The purpose of this report is to make the findings available to all licensed insurers and other interested parties. Overall we are pleased with the quality of risk governance identified during the review. The regulatory regime for insurers in New Zealand under the Insurance (Prudential Supervision) Act ( IPSA ), which includes governance and risk management requirements, is relatively new. It was apparent during the licensing process that a number of insurers have implemented new risk management frameworks in response to IPSA whilst some others appear to have had relatively mature risk frameworks in place at the time of licensing. This review considers the range in quality of risk governance focusing on characteristics which stand out amongst insurers with the stronger frameworks. We reviewed documentation describing risk frameworks and related to their implementation (such as meeting minutes and reports) and conducted interviews with board risk chairs (or equivalent) and CEOs with their risk managers. We were particularly interested in behaviours relating to the implementation of risk frameworks. Findings have been explained under seven headings and summarised in a chart shown in Appendix 1. The findings are: 1.1 Board responsibilities and practice: The responsibility and accountability of boards for risk governance is widely recognised and is generally implemented through a board risk committee. Even where board risk committees exist, boards sometimes struggle with the volume and complexity of material to be considered. Some effective approaches to addressing this issue include appropriate frequency of meetings, utilising technology for managing committee information and meetings and focusing on high quality, concise reports. Strong risk chairs are taking the lead in managing meeting agendas and, along with their risk committee colleagues, in seeking out information about their insurers from sources other than formal reporting lines. 1.2 Firm-wide risk management function: Characteristics of the stronger risk frameworks include that risk information is accessed throughout the business from sources embedded within business units. Some form of independent review of the business exists, commonly an internal audit function but sometimes external sources, particularly for smaller insurers. A general area of weakness is the implementation of robust risk appetite frameworks. Establishing the levels of risk that are acceptable across various business activities is a pre-requisite for being able to measure and manage risk. Subsidiaries using group risk management programmes are encouraged to adapt the programme to suit New Zealand conditions, as some are doing, and this is an example of where we look to local boards to assert their independence to obtain appropriate local outcomes. 1.3 Independent assessment of risk governance framework: Whilst we observed some examples of robust external reviews of board performance, we identified little in the way of robust reviews of risk frameworks. Since licensing, most changes to risk management programmes submitted to us for approval have consisted of relatively minor wording
4 4 changes rather than substantive changes to the framework. We encourage all insurers to regularly review their risk management frameworks. 1.4 Tone from the top: The most significant characteristic of strong risk governance is the tone set by the board and senior management which is then modelled in their behaviours through walking the talk and leading by example. These insurers are developing strong risk cultures based on behavioural outcomes. In contrast, insurers that treat risk as a compliance requirement appear to achieve much weaker outcomes with a focus on generating documentation to evidence that a risk framework exists rather than a focus on outcomes and effectiveness. 1.5 Accountability: The development of a culture in which all staff understand their risk responsibilities and in which behaviour reflects that understanding is a work in progress. Insurers at the stronger end of risk governance generally regard the achievement of risk accountability right through the organisation to front line staff as their main next step. 1.6 Effective communication and challenge: The extent to which communication and challenge exists within the risk committee and wider risk function generally reflects the strength of board independence. Whilst there has been a general strengthening of independence through the licensing process, we would like to see further strengthening, particularly amongst subsidiaries of overseas insurers. 1.7 Incentives: Approaches for incentivising staff in relation to risk management is generally under-developed. An at-risk component of remuneration in relation to risk objectives is becoming the norm for senior management and risk specialists but is in limited use for other staff. Some insurers are starting to use behavioural objectives in performance assessments with indications of attention turning more towards influencing business culture. These are positive developments. Aligning incentive structures to deliver risk governance outcomes is an important element in an effective risk governance framework. Whilst we are encouraged by the overall quality of risk governance and there are some examples of reasonably strong risk governance in place, we also came across examples of weak risk governance combined with a lack of awareness of weaknesses. Each insurer covered by the review has received individual feedback and we encourage all insurers to consider these findings in relation to their own risk governance framework.
5 5 2. Introduction This paper explains the findings from the Reserve Bank of New Zealand s review of risk governance conducted amongst 17 insurers in the second half of Our intention to conduct the review was announced in February 2014 and the following is an extract from the speech 1 in which the announcement was made. On risk control, we are likely to embark on an early thematic review of the quality of risk governance across the sector. Because this is on a single theme across the entire industry, we call it a thematic review. A lesson arising from the global financial crisis is that there were significant shortcomings in risk governance in many financial institutions. In separate analyses of the global financial crisis, both the Financial Stability Board and the Group of Thirty (G30) concluded that the main governance failure leading to the crisis was an inability of many boards to accurately identify and understand the risks inherent in their businesses, and to ensure there were robust structures in place for managing and reporting on these risks. Our upcoming thematic review of risk governance will likely involve a one-off gathering of new information by interviewing the Chair of the Risk Committee or equivalent, reviewing board and risk committee papers and minutes, and reviewing board self-assessments of performance. We expect to review this information alongside existing documentation and knowledge about the risk management framework, including information obtained from the licensing process. Such a review will assess whether a board is providing clear leadership on risk governance through a risk management strategy and risk appetite statement. It would also look at whether there is effective reporting to the board, showing performance against board policies, and whether the board s actions and behaviour promote a prudent approach to risk throughout the insurer. The overall aim of such an exercise is as much about establishing whether the right culture, behaviours and values are in place as it is about processes. Both culture and processes are critical for risk governance to be successful. The existence of strong risk governance is important because of the reliance we place on selfdiscipline as one of the three pillars to our supervisory approach, the other two pillars being market discipline and regulatory discipline. Self-discipline is closely linked with sound governance and our regulatory framework places the responsibility and accountability for an insurance business primarily with the insurer s board and senior management. This review is about establishing how well-placed our reliance on self-discipline is and identifying areas for improvement if aspects of risk governance are found to be lacking. The review was completed by 31 December 2014 with each of the 17 insurers being provided with a feedback letter explaining our assessment of their quality of risk governance and commenting on strengths, weaknesses and areas to consider for improvement where relevant. The purpose of this report is to promote strong quality risk governance across the sector by sharing the findings with all insurers and other interested parties, recognising that the maturity of risk governance frameworks varies between insurers and some have more to learn from this report than others. This report is a result of the constructive approach taken by participants and we would like to thank the 17 insurers for their time and commitment during the review process. 1 A speech delivered to Finity Consulting Directors Forum in Auckland on 19 February 2014, Reserve Bank website, Research and Publications/Speeches/2014
6 6 3. Review methodology Strong risk governance is a combination of good structures, processes and culture. Whilst structures and processes are relatively straightforward to identify and assess, culture is more challenging because it relates to behaviours which are more difficult to measure. We obtained material from insurers in two stages starting with documentation relating to risk governance followed by interviews which focused on the implementation of the risk governance structures and processes and related behaviours. Two interviews were held with each insurer, one with the CEO and relevant executives and the other with the chair of the board risk committee (or equivalent committee). The risk chair interviews included other independent directors at the option of the insurer. The following points describe the issues we wanted to consider in the review which were reflected in the documentation collected and the questions asked during the interviews: The thoroughness and relevance of the insurer s documented description of the risk governance framework. For example, does the description adequately explain the risk governance and risk management structures and accountabilities, reporting lines into the board risk committee (or equivalent committee), risk appetite framework and risk committee structures and does it relate to the business and characteristics of the insurer or is it a box-ticking exercise in compliance. Is the insurer doing what its risk management programme says it should? We looked for information to demonstrate that the risk management programme is genuinely operationalised and embedded in the organisation. We reviewed material such as meeting minutes, reports to the risk committee and board, risk registers, CEO reports and reports from internal and external auditors. Again, we wanted to distinguish between risk governance that appears to be genuinely embedded and risk governance which focuses on providing a paper-trail of compliance. The effectiveness of the risk governance framework and related structures in terms of identifying, reporting and managing risks including discussion of how significant risks have been identified, escalated and managed. We also considered the extent to which boards and management are aligned, for example in terms of a shared understanding of the key risks, how risks are being communicated and managed and views on the maturity of the risk governance framework. Any self-assessments or third-party assessments of governance were also considered. The tone set by the board and senior management in relation to risk is a key driver of how staff throughout the organisation behave. We considered the style of communication within the insurer in relation to risk issues, the level of understanding of risk responsibilities and accountabilities throughout the organisation, attitudes towards the disclosure of risks, including disclosure of mistakes and any links between risk management and remuneration. We also considered the dynamics between boards and management and particularly the level of challenge and pro-activity from the board in relation to driving the risk culture. Early into our assessment of the information collected, it became apparent that there were some general themes and that strong risk governance tended to exist within insurers that have particular characteristics. The findings are explained using a framework that draws on material published by the Financial Stability Board to group the findings into seven main theme descriptions. The headings and related descriptions are shown below.
7 7 4. Risk governance Theme descriptions The Financial Stability Board (FSB) considered the characteristics of effective risk governance frameworks in its 2013 report covering the findings from a thematic peer review on risk governance 2. In its report, the FSB described risk governance as falling into three broad functions; the board, the firm-wide risk management function and the independent assessment of risk governance. The 2013 report was followed by the publication of guidance on assessing risk culture in which included four indicators of sound risk governance; tone from the top, accountability, effective communications and challenge and incentives. We have used these three headings relating to function and four headings relating to behaviours as a framework for considering the findings from this review. The FSB refer to the role of Chief Risk Officer (CRO) and to Risk Appetite Statements in their literature, neither of which are explicit requirements of IPSA. Whilst IPSA does not require licensed insurers to have a CRO, we envisage that each insurer will have a risk management function, however described, which includes staff with specific risk responsibilities. Similarly, we envisage that some form of risk appetite statement exists, however, labelled. Without a risk appetite statement, it is difficult to understand how an insurer can undertake risks which it knows are compatible with its financial goals and other objectives. We regard a risk appetite framework as being a framework which scopes potential risks, quantifies them and establishes the insurer s tolerance for risk-taking in each area and then manages risk-taking within tolerance limits. Risk governance frameworks: Board responsibilities and practices: The board is responsible for ensuring that the firm has an appropriate risk governance framework given the firm s business model, complexity and size which is embedded into the firm s risk culture. How boards assume such responsibilities varies across jurisdictions. Firm-wide risk management function: The CRO and risk management function are responsible for the firm s risk management across the entire organisation, ensuring that the firm s risk profile remains within the risk appetite statement (RAS) as approved by the board. The risk management function is responsible for identifying, measuring, monitoring, and recommending strategies to control or mitigate risks, and reporting on risk exposures on an aggregated and disaggregated basis. Independent assessment of the risk governance framework: The independent assessment of the firm s risk governance framework plays a crucial role in the ongoing maintenance of a firm s internal controls, risk management and risk governance. It helps a firm accomplish its objectives by bringing a disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. This may involve internal parties, such as internal audit, or external resources such as third-party reviewers (e.g. audit firms, consultants). Risk governance behaviours: Tone from the top: The board and senior management are the starting point for setting the financial institution s core values and expectations for the risk culture of the institution, and their behaviour must reflect the values being espoused. A key value that should be espoused is the expectation that staff act with integrity (doing the right thing) and promptly escalate observed non-compliance within or outside the organisation (no surprises approach). The leadership of the institution promotes, monitors, and assesses the risk culture of the financial institution; considers the impact of culture on safety and soundness; and makes changes where necessary. 2 Thematic Review on Risk Governance, Peer Review Report, Financial Stability Board, 12 February Guidance on Supervisory Interaction with Financial Institutions on Risk Culture, A Framework for Assessing Risk Culture, FSB, 7 April 2014
8 8 Accountability: Relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware that they are held accountable for their actions in relation to the institution s risk-taking behaviour. Staff acceptance of risk-related goals and related values is essential. Effective communication and challenge: A sound risk culture promotes an environment of open communication and effective challenge in which decision-making processes encourage a range of views; allow for testing of current practices; stimulate a positive, critical attitude among employees; and promote an environment of open and constructive engagement. Incentives: Performance and talent management encourage and reinforce maintenance of the financial institution s desired risk management behaviour. Financial and non-financial incentives support the core values and risk culture at all levels of the institution. 5. The findings Overall, we are pleased with the quality of risk governance that is apparent amongst the sampled insurers. It was apparent from the licensing process that the maturity of risk governance frameworks varies between insurers with some examples of frameworks that have been in place for several years whilst others have only been implemented recently in response to the requirements of the IPSA. The review identified that our reliance on self-discipline as one of the three pillars of our regulatory approach is generally well-placed. This does not mean that we think the sector has generally reached a level of maturity in regard to risk governance that we would be satisfied to retain. Rather, the quality of risk governance appears to be on the right footing, a work in progress and generally more enlightened than we had anticipated so soon after licensing. Findings have been summarised in the chart in Appendix 1 showing the range of strong to weak assessments across the seven areas of assessment. The chart also includes a comparison of our assessment of progress being made towards full implementation of an effective risk governance framework, along with the self-assessment of board risk chairs and CEOs. It was evident during the review that most insurers regard themselves as on a journey towards stronger risk governance and that the process of review and improvement is ongoing. 5.1 Board responsibilities and practices It is generally recognised and accepted that boards are responsible and accountable for ensuring that an appropriate risk governance framework exists. In most cases, boards are implementing their responsibilities through a board risk committee, often combined to include audit. There are exceptions where no separate board risk committee (or equivalent) exists and where risk governance is retained within the main board, or the board relies on an executive risk committee or the board risk committee of a parent. Whilst the lack of a separate board risk committee was sometimes explained as being due to the small size of the insurance business relative to the size of the parent, we observed that other smaller insurers do have separate board risk committees. In our consideration of the existence, or not, of separate board risk committees we were more interested in the effectiveness and outcomes achieved than the structure. The use of board risk committees appears to be helping boards to retain an appropriate level of ownership of risk governance whilst providing for appropriate time and focus to be given to risk issues. Striking the right balance between retaining board responsibility and accountability and delegating responsibilities is a matter of judgement, particularly in drawing a line between the role of governance and the role of management and some insurers are struggling with this balance. The frequency of board risk committee meetings varies with some committees only meeting twice a year and most meeting quarterly. Directors often referred to the high quantity and complexity of information being presented to board risk committee meetings and the challenges of dealing with this high volume and complexity. Infrequent meetings clearly exacerbate this
9 9 issue as well as necessitating additional meetings or phone conferences to be arranged when urgent matters arise that cannot wait. Regardless of meeting frequency, dealing with the volume and complexity of material going to board risk committee meetings (and main board meetings) was frequently raised as being a challenge. Whilst directors accept that the level of workload goes with the territory, some insurers are more pro-active than others in managing this issue. Examples include that some insurers provide directors with computer technology as a platform for managing documentation and meetings, a requirement for board papers to include a one-page summary and the forward planning of meeting agendas to spread the consideration of particular topics over an annual agenda. This issue relates to the tone set by directors and senior management. We came across some instances where directors are setting very clear expectations in relation to the efficiency of meetings and the sequencing of topics across meetings whilst some other directors are more passive in terms of the quality of information made available to them and the general organisation of their governance role. Directors vary in the extent to which they seek out information independently to formal reporting channels. For example, some risk chairs and directors are in regular and direct contact with people in and around the business, including risk managers, whilst others appear to rely more heavily on formal channels for information. Whilst the way in which directors access information may be a question of personal style, it seemed to us that those directors that made a point of having regular contact with different aspects of the business seemed particularly well informed and engaged. In one instance, we observed a very strong risk governance framework at the parent level but it was relatively weak within the subsidiary. The reason for the weakness appears to be due to the subsidiary utilising the human resources of its parent rather than having separate resources and then not making a sufficient distinction between the governance of the parent and the governance of the licensed insurer. Whilst it may be appropriate to resource the operational activity of a licensed insurer from staff based within the parent, governance needs to be clearly separate from the parent, even if some directors are on the board of the parent and the board of the licensed insurer. The board of the licensed insurer needs to take ownership of the risk governance framework specifically in relation to the licensed insurer and be able to articulate the insurance-related risks of the licensed insurer and relate them to its the risk governance framework. 5.2 Firm-wide risk management function A variety of risk management frameworks are in place and we did not identify any one particular framework that stands out as the best. Stronger risk frameworks have structures which embed risk responsibilities throughout the organisation rather than those which primarily rely on a centralised risk function to cover the whole business. An example is the use of risk champions based in each department of the insurer. Some form of independent review function to the business line, such as internal audit also appears to be an effective way to channel information to the risk committee and board. The existence of and quality of internal audit functions varies across the sample. Some insurers recognise the value of internal audit and the potential for making more use of the information it can provide whereas some other insurers are not using internal audit functions at all. Small size was mentioned as a constraint by some insurers who do not have an internal audit function and who, in some cases, also appear to be light on accessing relevant information generally. In other cases, smaller insurers are using resources such as external auditors and appointed actuaries as well as very targeted commissioning of internal reports to access information relevant to risk management and overcome a lack of internal resources. The existence of more independent channels of risk information to the risk committee appears to be an area that could be strengthened across the sector.
10 10 The management of risk appetite in line with a defined risk tolerance varies and is generally an area of weakness. In many cases, the documented risk appetite framework is not reflected in implementation, particularly in relation to key risks. Some insurers are also vague about what their risk appetite is with contradictions arising between documented risk tolerance and the explanation provided by directors, particularly in relation to tolerances for solvency breaches. Ongoing review of actual risks against risk tolerance is also a general weakness. In a very few cases, the insurer did not have a clearly defined business plan which undermines their ability to establish robust risk governance. Most insurers maintain up-to-date risk registers on which risk monitoring and reporting is based. The quality of risk registers was variable and some were of poor quality because they are not being kept up-to-date. For some subsidiary insurers, the relative maturity of risk governance framework reflects a requirement they have been under for a while to follow group risk management programmes. Insurers vary in the extent to which they adapt group programmes to suit New Zealand conditions and, in general, insurers that have adapted group programmes to suit local conditions appear more satisfied with the outcomes being delivered than those adopting group programmes largely un-changed. 5.3 Independent assessment of the risk governance frameworks Most of the assessments provided to us were assessments of board performance and most of those were self-assessments covering a limited range of topics. Some externally-provided reviews offered comprehensive feedback to boards on a broad range of performance criteria which appeared to us to be a much more worthwhile exercise, providing the feedback is then utilised. Some of the more detailed assessments considered matters such as the strength of the board as a whole, individual director assessments, board organisation and functionality, board leadership and the relationship between the board and senior management. All insurers are required to regularly review their risk management programmes under section 73(2)(d) of IPSA. However, so far, changes submitted to us for approval have tended to be relatively minor wording amendments to risk management documentation rather than significant changes to the risk framework scope or approach. We encourage insurers to conduct a periodic and thorough review of their risk management programme which considers changes in terms of improving the effectiveness of the framework, particularly those that have recently implemented new programmes in response to IPSA requirements. 5.4 Tone from the top: Without exception, the insurers we rated most strongly set the tone from the top through their communication and actions in relation to risk. Strong tone appeared in several ways during the review such as a pro-active risk chair driving the risk agenda and in the language and behaviour of some directors and senior managers who lead by example and communicate expectations in the course of routine interactions. An example of this leadership is a catch-phrase used in one insurer that good news is bad news early which has given a clear signal regarding expectations in relation to communication of risk issues. Directors are taking ownership of information and strategic decisions in strong risk cultures whilst in weaker risk cultures directors tend to receive information and monitor it but are not in the driving seat. In addition to the tone set internally, we observed a variety of external influences on risk culture including regulation, customers, a previous crisis and shareholders. For example, insurers whose customers come from one particular profession or group may have a heightened risk focus on reputational risks to their relationship with the profession or group.
11 11 The influence of a crisis was apparent on the risk culture of some insurers which, in some cases, has left a legacy of we don t want to go there again. In general, risk governance driven by a compliance culture (i.e. to meet IPSA requirements) came across as weaker than risk governance driven by internal factors. Compliance-based risk cultures appear to be more about achieving outcomes which tick the compliance boxes rather than deal to the substance of risk governance. The tone set by some external advisers in their dealings with insurers can also be a significant influence on the quality of risk governance, particularly amongst smaller insurers. 5.5 Accountability The ownership of and accountability for risk issues at all staff levels is a work in progress and has been identified by most of the 17 insurers as an area for development. There is a distinction between formal and informal notification of risk issues and the informal approach tends to be prevalent in smaller insurers where all staff know each other. The challenge articulated by some of the larger insurers, who are more reliant on formal structures to identify risk issues, is to push risk responsibilities right through to frontline staff. Most insurers in the sample appear to have a culture in which mistakes will be owned up to and escalated appropriately. This is where tone from the top is important so that mistakes are, within reason, regarded as part of doing business and are treated as an opportunity to improve how things are done rather than as a reason to punish staff. Several insurers mentioned the learning opportunities that mistakes provide and that there has been a cultural shift away from a blame mentality to a learning response. It was evident that insurers are managing something of a trade-off between holding staff accountable and encouraging prompt and candid disclosures when risk issues are identified, including mistakes. Insurers seem to err on the side of counselling staff and addressing training needs rather than taking a punitive approach to mistakes. 5.6 Effective communication and challenge The effectiveness of communication and challenge in relation to risk issues reflects board composition, the level of independence and, to some extent, corporate structure. Whilst we did not meet full boards, several interviews with the board risk chair included other independent directors. The overall quality of the directors we met was very encouraging. The sense of independence was notably stronger amongst some newer appointments and notably weaker amongst some directors with a long tenure as a director or a long association with the insurer in some other way. In general, we think that boards lack diversity, particularly in terms of the mix of skills. Boards generally appear to be strongly represented in the areas of law, general finance and insurance (although some smaller insurers lack insurance expertise on the board) and generally weaker in the area of risk management. Insurers often comment on the relatively small pool of directors in New Zealand, particularly once independence criteria and the need for insurance knowledge on boards is taken into account. We came across several insurers who have recently appointed high calibre, independent directors whose qualities were evident in the knowledge they had of their insurer (some having gained a lot of knowledge in a short space of time) and their high level of engagement towards the role. Through the licensing process, there was a general strengthening in the independence and robustness of boards and particularly boards of subsidiaries of overseas insurers. Whilst our general experience has been that local subsidiaries are receiving strong support from overseas owners, as evidenced by capital support provided through the Canterbury earthquakes, we would
12 12 like to see the trend of building stronger local boards continue. Some subsidiary insurers clearly have a strong inclination towards achieving a suitable degree of autonomy from the parent and we encourage boards to follow this through when considering outcomes appropriate for local conditions. A general theme we identified from the review, which could apply to any subsidiary, is the potential for influence from the parent to weaken the independence of the New Zealand board. Whilst we recognise that subsidiary boards are, by definition, subordinate to the parent board and must consider the interests of owners, we also expect New Zealand boards to strongly pursue what is in the best interests of the New Zealand operation. From a Reserve Bank perspective, the ability of subsidiary boards to obtain satisfactory outcomes for the New Zealand business in situations where the parent is under stress is yet to be fully tested. 5.7 Incentives Insurers vary in their approaches to incentivising the risk behaviours they want staff to adopt. The larger insurers incorporate risk metrics into staff objectives with only senior management tending to have an at-risk component of remuneration. Some insurers do not have specific risk objectives, but performance assessments take a balanced scorecard approach where risk is not considered as a single item but as being inherent in all aspects of the employee s role. In other cases, behavioural objectives are being used to influence behaviours such as living the culture. Generally, the incentives were much more explicit for senior management and incentives become significantly less formal in lower staff grades. Insurers seem to be in the early stages of recognising the importance of culture and values in terms of their inclusion in performance assessments to better align incentives and this is a work in progress. 6. Conclusions We are encouraged by the quality of risk governance apparent amongst licensed insurers for two reasons. First, overall quality is reasonably good and second, most insurers regard their implementation of risk governance as a work in progress. Consequently, the sector is well-placed for the ongoing improvement that we want to see and which most insurers recognise as necessary. A small minority of insurers have risk governance weaknesses and an inadequate programme of improvement underway and we would like those insurers to review their risk governance frameworks in light of the feedback in this report. The chart in Appendix 1 summarises the findings and shows the relative areas of strength and weakness across the seven topics. The chart shows that a focus on the behavioural aspects of risk governance would appear to benefit most insurers, particularly in the areas of communication and challenge and incentives. Insurers that were involved in the review have been provided with individual feedback and we encourage all insurers to consider the findings from this review in relation to their risk governance frameworks. Thank you again to the insurers involved in this review. We welcome questions prompted by the review or this paper and ask that you direct questions through your supervisor.
13 13 Appendix 1 Summary of assessments across the sample Functional aspects of risk governance Behavioural aspects of risk governance Score 1-10 Board responsibilities and practices Risk management function Independent assessment of risk framework Tone from the top Accountability Communication and challenge Incentives CEO Risk chair RBNZ Strong Average Good Satisfactory Weak
Principles for An Effective Risk Appetite Framework 18 November 2013 Table of Contents Page I. Introduction... 1 II. Key definitions... 2 III. Principles... 3 1. Risk appetite framework... 3 1.1 An effective
Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance
Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors
Basel Committee on Banking Supervision - Guidelines on the corporate governance principles for banks Basel Committee on Banking Supervision Guidelines on the corporate governance principles for banks (
Guidance on Supervisory Interaction with Financial Institutions on Risk Culture A Framework for Assessing Risk Culture 7 April 2014 Table of Contents Page Background... i Introduction... 1 1. Foundational
CONSULTATION PAPER CP 41 CORPORATE GOVERNANCE REQUIREMENTS FOR CREDIT INSTITUTIONS AND INSURANCE UNDERTAKINGS 2 PROPOSAL 1.1 It is now widely recognised that one of the causes of the international financial
Basel Committee on Banking Supervision Review of the Principles for the Sound Management of Operational Risk 6 October 2014 This publication is available on the BIS website (www.bis.org). Bank for International
Basel Committee on Banking Supervision Consultative document Guidelines Corporate governance principles for banks Issued for comments by 9 January 2015 October 2014 This publication is available on the
Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS www.fic.gov.bc.ca INTRODUCTION The Financial Institutions Commission 1 (FICOM) holds the Board of Directors 2 (board) accountable for the stewardship
Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational risk is not new. In fact, it is the first risk that banks must manage, even before they make their first
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
CRO Forum Paper on the Own Risk and Solvency Assessment (ORSA): Leveraging regulatory requirements to generate value May 2012 May 2012 1 1. Introduction 1.1. Purpose of the paper In this discussion paper
A Guide to Corporate Governance for QFC Authorised Firms January 2012 Disclaimer The goal of the Qatar Financial Centre Regulatory Authority ( Regulatory Authority ) in producing this document is to provide
Consultation document Effective Internal Audit in the Financial A survey of heads of internal audit Services Sector Non Executive Directors (NEDs) and the Management of Risk Draft recommendations to the
Linking Risk Management to Business Strategy, Processes, Operations and Reporting Financial Management Institute of Canada February 17 th, 2010 KPMG LLP Agenda 1. Leading Practice Risk Management Principles
Introduction This module applies to Fannie Mae and Freddie Mac (collectively, the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance, (which for purposes of this module are
Introduction CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting www.corostrandberg.com June 2015 Companies which adopt CSR or sustainability 1
Understanding and articulating risk appetite advisory Understanding and articulating risk appetite Understanding and articulating risk appetite When risk appetite is properly understood and clearly defined,
Solvency Assessment and Management: Pillar II Sub Committee Governance Task Group Discussion Document 81 (v 3) Governance, Risk Management, and Internal Controls INTERIM REQUIREMENTS CONTENTS 1. INTRODUCTION
Response of the Institute of Business Ethics to the Banking Standards Review consultation Executive Summary Though there were many causes to the banking crisis, failure by banks to live up to ethical values
Guidance consultation 15/1 Risks to customers from performance management at firms Thematic review and guidance for firms March 2015 Contents 1 Approach and findings 2 2 Guidance to firms 8 3 Next steps
The APRA Supervision Blueprint May 2015 www.apra.gov.au Australian Prudential Regulation Authority Contents Introduction 3 Section 1: Principles and approach 4 APRA s mission and supervisory approach 4
Risk Governance PART A OVERVIEW... 1 I. Introduction... 1 II. cope of the Policy... 2 PART B PRINCIPLE OF RIK GOVERNANCE... 3 III. Board practices... 3 IV. enior management oversight... 7 V. Risk management
Corporate Governance Prudential Supervision Department Document Issued: 2 Part 1 Introduction 1. Corporate governance and the Reserve Bank s objectives (1) This document sets out the Reserve Bank of New
1 Internal Audit and supervisory expectations building on progress Speech given by Sasha Mills, Director, Cross Cutting Policy, Bank of England Ernst & Young, London 3 February 2016 2 Introductions Hello,
Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)
www.cudgc.sk.ca MISSION We instill public confidence in Saskatchewan credit unions by guaranteeing deposits. As the primary prudential and solvency regulator, we promote responsible governance by credit
Thematic Review Professional discipline Financial Reporting Council December 2014 Audit Quality Thematic Review The audit of loan loss provisions and related IT controls in banks and building societies
Risk Management Plan 2012-2015 This controlled document shall not be copied in part or whole without the express permission of the author or the author s representative. Revision Date Previous Revision
APPLICATION of KING III CORPORATE GOVERNANCE PRINCIPLES 2013 Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have
BOARD OF DIRECTORS MANDATE Board approved: May 7, 2014 This mandate provides the terms of reference for the Boards of Directors (each a Board ) of each of Economical Mutual Insurance Company ( Economical
Policy Statement Financial Services Authority Building a framework for operational risk management: the FSA s observations Feedback on industry practice as we prepare to implement CP142 July 2003 Contents
Bridgend County Borough Council Corporate Risk Management Policy December 2014 Index Section Page No Introduction 3 Definition of risk 3 Aims and objectives 4 Strategy 4 Accountabilities and roles 5 Risk
www.pwc.co.uk/riskassurance UK Corporate Governance Code: Raising the bar on risk management Why this is not business as usual and what you need to do to comply September 2014 The FRC s amendments to the
Aegon Global Compliance GLOBAL Charter COMPLIANCE CHARTER aegon.com The Hague, June 1, 2013 Information sheet Target audience: All employees and management of Aegon companies Issued by: Aegon N.V. Group
Enterprise Risk Management A View Clive Kelly CRO Zurich Insurance plc/zfs Europe (GI) Topics ERM some basics Responsibilities CRO evolution Challenges and priorities Conclusion Introduction 3 Zurich s
Request for feedback on the revised Code of Governance for NHS Foundation Trusts Introduction 8 November 2013 One of Monitor s key objectives is to make sure that public providers are well led. To this
Internal Audit Standards Department of Public Expenditure & Reform November 2012 Copyright in material supplied by third parties remains with the authors. This includes: - the Definition of Internal Auditing
20 th February, 2013 To Insurance Companies Reinsurance Companies GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES These guidelines on Risk Management and Internal
MARCH 2012 Version 1.10 Strategic Risk Policy Update March 2012 v1.10.doc Document History Current Version Document Name Risk Management Policy Statement and Strategic Framework Last Updated By Alan Till
CEIOPS-DOC-29/09 CEIOPS Advice for Level 2 Implementing Measures on Solvency II: System of Governance (former Consultation Paper 33) October 2009 CEIOPS e.v. Westhafenplatz 1-60327 Frankfurt Germany Tel.
This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue
The NHS Foundation Trust Code of Governance www.monitor-nhsft.gov.uk The NHS Foundation Trust Code of Governance 1 Contents 1 Introduction 4 1.1 Why is there a code of governance for NHS foundation trusts?
the role of the head of internal audit in public service organisations 2010 CIPFA Statement on the role of the Head of Internal Audit in public service organisations The Head of Internal Audit in a public
National Occupational Standards Compliance NOTES ABOUT NATIONAL OCCUPATIONAL STANDARDS What are National Occupational Standards, and why should you use them? National Occupational Standards (NOS) are statements
Revised May 2007 Corporate Governance Guideline Table of Contents 1. INTRODUCTION 1 2. PURPOSES OF GUIDELINE 1 3. APPLICATION AND SCOPE 2 4. DEFINITIONS OF KEY TERMS 2 5. FRAMEWORK USED BY CENTRAL BANK
Public Sector Internal Audit Standards Applying the IIA International Standards to the UK Public Sector Issued by the Relevant Internal Audit Standard Setters: In collaboration with: Public Sector Internal
Regulatory February 2014 brief A publication of PwC s financial services regulatory practice Risk governance: OCC codifies risk standards, paving the way for increased enforcement actions The Office of
Review of Financial Planning and Monitoring City of York Council Audit 2008/09 Date Contents Introduction and Background 3 Audit approach 4 Main conclusions 5 Financial Planning Findings 6 Financial Monitoring
From ICAAP/ORSA to ERM: Board and Senior Management Oversight Leon Bloom, Partner, Deloitte & Touche LLP firstname.lastname@example.org Agenda Basel II ICAAP Solvency II ORSA ERM From ICAAP/ORSA to ERM: Governance
Prudential Standard APS 115 Capital Adequacy: Advanced Measurement Approaches to Operational Risk Objective and key requirements of this Prudential Standard This Prudential Standard sets out the requirements
Appendix 1: Performance Management Guidance The approach to Performance Management as outlined in the Strategy is to be rolled out principally by Heads of Service as part of mainstream service management.
1. Introduction In achieving the objectives of transparency, accountability and effective performance for Notion VTec Berhad ( Notion or the Company ) and its subsidiaries ( the Group ), the enhancement
What Every Director Should Know How to get the most from your internal audit Endorsed by Foreword This is the second edition of our flagship governance guide What every director should know. Since we published
Sample risk committee charter 1 Next This sample risk committee charter is based on leading practices observed by Deloitte in the analysis of a variety of materials. It is important to note that the Risk
Message from the Chief Executive of the RCM The Midwifery Leadership Competency Framework has been derived from both the NHS Leadership Qualities Framework and the Clinical Leadership Competency Framework.
Charter of Expectations and Role Profiles Barclays Corporate Secretariat Approved by the Board on 14 November 2013 Table of Contents Page Introduction from Chairman... 3 Chairman Role Profile... 4 Charter
APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES Ethical Leadership and Corporate Citizenship The board should provide effective leadership based on ethical foundation. that the company
WOOLWORTHS HOLDINGS LIMITED CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 CORPORATE GOVERNANCE PRINCIPLES 2014 This table is a useful reference to each of the King III principles
Statement of Principles Bank Registration and Supervision Prudential Supervision Department Document Issued: 2 TABLE OF CONTENTS Subject Page A. INTRODUCTION... 3 B. PURPOSES OF BANK REGISTRATION AND SUPERVISION...
Basel Committee on Banking Supervision Peer review of supervisory authorities implementation of stress testing principles April 2012 Copies of publications are available from: Bank for International Settlements
Remarks by Carolyn G. DuChene Deputy Comptroller Operational Risk at the Bank Safety and Soundness Advisor Community Bank Enterprise Risk Management Seminar Washington, D.C. October 22, 2012 Good afternoon,
EBA Guidelines on Internal Governance (GL 44) London, 27 September 2011 1 Contents I. Executive Summary... 3 II. Background and rationale... 7 1. Importance of internal governance... 7 2. Purpose and scope
AGENDA ITEM 4 TRANSPORT FOR LONDON AUDIT COMMITTEE SUBJECT: STRATEGIC RISK MANAGEMENT PROGRESS REPORT DATE: 3 MARCH 2009 1 PURPOSE AND DECISION REQUIRED 1.1 The purpose of this paper is to update the Audit
INVESTORS IN PEOPLE REVIEW REPORT Lower Farm Primary School Page: 1 of 13 CONTENTS Key Information 3 Assessor Decision 3 Milestone Dates 3 Introduction 4 Assessment Objectives 4 Feedback Against the Assessment
GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS 1.0 Introduction 1.1 Good corporate governance practice improves safety and soundness through effective risk management and creates the ability to execute
Guidance note Good practice for Contents: 1 Introduction 2 How the best reports set themselves apart 3 Examples of the best May 2015 1 Introduction An annual report can generate more value if viewed as
THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT Let me begin by thanking Baruch College for giving me the opportunity to present this year s prestigious Emanuel Saxe Lecture in Accounting.
Confident in our Future, Risk Management Policy Statement and Strategy Risk Management Policy Statement Introduction Risk management aims to maximise opportunities and minimise exposure to ensure the residents
Culture and channelling corporate behaviour A joint research project by ACCA and the ESRC Culture and channelling corporate behaviour The 2008 global financial crisis demonstrated very clearly how regulation
29 August 2013 Credit Rating Agencies Reducing reliance and strengthening oversight Progress report to the St Petersburg G20 Summit Authorities need to accelerate work to end the mechanistic reliance of
Prudential Practice Guide SPG 220 Risk Management July 2013 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal advice and users
GETTING IT RIGHT FOR CONSUMERS SECTION 1: OPENING Getting it right for consumers is something we all probably subscribe to but what does it mean for a Central Bank, particularly one with a statutory responsibility
SUPERVISION GUIDELINE NO. 9 ISSUED UNDER THE AUTHORITY OF THE FINANCIAL INSTITUTIONS ACT 1995 (NO. 1 OF 1995) RISK MANAGEMENT Bank of Guyana July 1, 2009 TABLE OF CONTENTS 1.0 Introduction 2.0 Management
Introduction Names like Enron, Worldcom, Barings Bank and Menu Foods are household names but unfortunately as examples of what can go wrong. With these recent high profile business failures, people have
U & D COAL LIMITED A.C.N. 165 894 806 BOARD CHARTER As at 31 March 2014 BOARD CHARTER Contents 1. Role of the Board... 4 2. Responsibilities of the Board... 4 2.1 Board responsibilities... 4 2.2 Executive
Operational Risk Management in a Debt Management Office Based on Client Presentation January 2008 Outline The importance of operational risk management (ORM) International best practice A high-level perspective,