Page 159 - CFPA-SCR-Award in General Insurance W01_2018-19_Neat
Chapter 10 Ethics, corporate governance and internal controls
It is usual to identify risk at three levels:
• Inherent: the impact of the risk in the absence of any controls.
• Appetite/tolerance: the impact of the risk the insurer is prepared to accept.
• Residual: the impact of the risk after applying mitigation controls.
The level of impact is a combination of frequency and severity. Residual risk should always be at, or
lower than, the appetite/tolerance level; if it is not, the controls are not effective.
The following diagram illustrates a ‘best practice’ risk management framework showing the key features
of the framework as described in the following sections:
Figure 10.1: ‘Best practice’ risk management framework
[Diagram: the framework's components, each with a feedback loop into the others: Governance and a risk management framework; Risk management policy statement; Risk tolerance statement; Own risk and solvency assessment; Economic and regulatory capital; Continuity analysis; Role of supervision.]
C1A Governance and a risk management framework
As part of its overall governance structure, an insurer should establish a sound risk management
framework appropriate to the nature, scale and complexity of its business. The framework should be
integrated with the insurer’s business operations, reflecting desired business culture and behavioural
expectations and addressing all reasonably foreseeable material risks in accordance with a properly
constructed risk management policy.
The establishment and operation of the risk management framework should be led by the insurer’s
board and senior management.
For it to be adequate for capital management and solvency purposes, the framework should have been
stress tested for a sufficiently wide range of outcomes.
C1B Risk management policy
An insurer should have a risk management policy which outlines the way it manages each material
category of risk, both strategically and operationally, and describes the link with the insurer’s tolerance
limits, regulatory capital requirements, economic capital and the processes and methods for
monitoring risk.
C1C Risk tolerance statement
An insurer should establish and maintain a risk tolerance statement which sets out its quantitative and
qualitative tolerance levels and defines tolerance limits for each relevant and material category of risk,
taking into account the relationships between these risk categories.