• PINS Schedule 1 Guidance about what should be included in insurer's risk management policy

    (see r 2.3.1 (5))

    Note for sch 1

    This Schedule sets out in detail what the Regulatory Authority expects to see in an insurer's risk management policy. Each Part deals with a risk that the insurer is required to address under r 2.3.1 by first describing the risk and then stating what, in the authority's view, should be included in the policy in relation to the risk.

    Inserted by QFCRA RM/2013-1 and amended by Editorial changes (as from 1st January 2015).

    • PINS S1 Credit risk

      • PINS S1.1 What is credit risk?

        (1) Credit risk is:
        (a) the risk of default by debtors, borrowers and other counterparties; and
        (b) the risk of the loss of value of assets due to deterioration in their credit quality.
        (2) Credit risk results from financial transactions with debtors, borrowers, securities issuers, brokers, policyholders, reinsurers and guarantors.
        (3) Credit risk includes on-balance-sheet and off-balance-sheet exposures from guarantees, derivative contracts and performance-related obligations to counterparties. It can increase the risk profile of an insurer and can adversely affect the insurer's financial viability.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S1.2 Risk management policy — credit risk

        (1) An insurer's risk management policy for credit risk should include:
        (a) a mandate setting out the acceptable range, quality and diversification of credit exposures (including those to reinsurers, brokers and policyholders) and investments;
        (b) limits for credit exposures at individual and consolidated levels to:
        (i) single counterparties and groups of related counterparties;
        (ii) intra-group asset exposures to subsidiaries and related entities;
        (iii) single industries; and
        (iv) single regions;
        (c) a process for approving changes in the credit mandate and changes in limit structures;
        (d) a process for approving requests for temporary increases in limits and a process to ensure excesses are brought within the pre-approved limits within a set timeframe;
        (e) a process for reviewing and, if necessary, reducing or cancelling exposures to a particular counterparty if it is known to be experiencing problems;
        (f) a process to monitor and control credit exposures against pre-approved limits;
        (g) a process to review credit exposures (at least annually, but more frequently if there is evidence of a deterioration in credit quality);
        (h) a management information system that is capable of aggregating exposures to any 1 counterparty (or group of related counterparties), asset class, industry or region in a timely manner; and
        (i) a process of reporting to the governing body and senior management:
        (i) any breaches of limits; and
        (ii) large exposures and other credit risk concentrations.
        (2) Actual and potential credit exposures to reinsurers arising from current or possible future claims should be included in the insurer's risk management policy.
        Inserted by QFCRA RM/2013-1 and amended by Editorial changes (as from 1st January 2015).

    • PINS S2 Balance sheet and market risk

      • PINS S2.1 What is balance sheet and market risk?

        Balance sheet and market risk includes:

        (a) investment risk;
        (b) asset-liability management risk;
        (c) liquidity risk; and
        (d) derivatives risk.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S2.2 What is investment risk?

        (1) Investment risk is the risk of an adverse movement in the value of an insurer's assets, including off-balance-sheet exposures.
        (2) Investment risk includes:
        (a) equity risk;
        (b) interest rate risk;
        (c) foreign exchange risk;
        (d) credit risk; and
        (e) investment concentration risk.
        (3) Because of the nature of insurance business, there is a close relationship between investment risk and asset-liability management risk.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S2.3 Risk management policy — investment risk

        (1) An insurer's risk management policy for investment risk should include:
        (a) the insurer's investment objective;
        (b) formulation of an investment strategy, including allowable asset classes, strategic asset allocation, asset allocation ranges, benchmarks, risk limits and target currency exposures and ranges;
        (c) a process for how individual asset classes will be managed, including which of those tasks will be done internally and which will be outsourced to investment managers;
        (d) the responsibilities of individuals and committees within the insurer (such as the investment committee and the asset-liability committee) for deciding and implementing the investment strategy, and for monitoring and controlling investment risk, including reporting lines, decision-making powers and delegations;
        (e) a process for the selection of qualified and competent investment managers;
        (f) limits and other restrictions on the actions of investment managers, whether internal or outsourced, and the means by which compliance with those limits is monitored;
        (g) modelling and stress-testing of the effect of the current and alternative investment strategies on financial outcomes and asset-liability management;
        (h) processes for:
        (i) ensuring the continuing appropriateness of the investment strategy, including the timing and nature of strategy reviews;
        (ii) ensuring the continuing appropriateness of the investment implementation process, including the timing and nature of reviews of investment managers and the manager configuration;
        (iii) monitoring compliance with the investment strategy; and
        (iv) making contingency plans to mitigate the effects of deteriorating investment conditions;
        (i) the segregation of duties; and
        (j) performance monitoring and its role in the oversight and control of the investment process.
        (2) For paragraph (1) (b), the investment strategy should be formulated taking account of the investment objective, the insurer's capital position, the term and currency profile of its expected liabilities, liquidity requirements and the expected returns, volatilities and correlations of asset classes.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S2.4 What is asset-liability management risk?

        (1) Asset-liability management risk is the risk of an adverse movement in the relative values of assets and liabilities of an insurer due to changes in general market factors, such as interest rates, inflation and, if relevant, foreign exchange rates.
        (2) The expected payment profile of an insurer's liability portfolios is a crucial part of asset-liability management, because it determines the exposure of the portfolios' value to interest rates. Property business, such as household insurance, is typically short-term. Liability business, such as public liability, is typically long-term. The interest rate sensitivity of assets and liabilities is broadly determined by the timing of cash flows, although that will not always be the case (for example, in the case of floating-rate notes or options).
        (3) Assets and liabilities are well managed if their changes in value in response to market movements are highly correlated. If assets and liabilities are not well managed, the possibility of a reduction in asset value that is not offset by a reduction in liability value, or an increase in liability value that is not offset by an increase in asset value, becomes significant.
        (4) Because of the nature of insurance business, there is a close relationship between investment risk and asset-liability management risk.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S2.5 Risk management policy — asset-liability management risk

        An insurer's risk management policy for investment risk should include details about how:

        (a) the insurer's investment and liability strategies allow interaction between assets and liabilities;
        (b) the correlations between assets and liabilities are taken into account;
        (c) cash outflows to policyholders and other creditors will be met by cash inflows; and
        (d) the valuations of assets and liabilities will change under an appropriate range of scenarios.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S2.6 What is liquidity risk?

        (1) Liquidity risk is the risk of the insurer not having sufficient cash or liquid assets to meet its cash outflows to policyholders and other creditors as they fall due.
        (2) The nature of insurance activities means that the timing and amount of cash outflows are uncertain. This uncertainty may affect the ability of an insurer to meet its obligations to policyholders or require an insurer to incur additional costs through, for example, raising additional funds at a premium on the market or through the sale of assets.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S2.7 Risk management policy — liquidity risk

        An insurer's risk management policy for liquidity risk should include:

        (a) consideration of the level of mismatch between expected asset and liability cash flows under normal and stressed operating conditions;
        (b) the liquidity and realisability of assets;
        (c) commitments to meet insurance and other liabilities;
        (d) the uncertainty of the incidence, timing and magnitude of insurance liabilities;
        (e) the level of liquid assets required to be held by the insurer; and
        (f) other sources of funding, including reinsurance, borrowing capacity, lines of credit and intra-group funding.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S2.8 What is derivatives risk?

        Derivatives risk is the risk from transactions in derivative instruments such as forwards, futures, swaps, options, contracts for differences and other similar instruments.

        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S2.9 Risk management policy — derivatives risk

        An insurer's risk management policy for derivatives risk should include:

        (a) the insurer's objectives and policies in using derivatives;
        (b) a framework with limits on the use of derivatives consistent with the insurer's risk tolerance;
        (c) appropriate lines of authority and responsibility for transacting derivatives, including trading limits;
        (d) consideration of worst-case scenarios and sensitivity analysis; and
        (e) a process for reporting of scenarios and analysis.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S3 Reserving risk

      • PINS S3.1 What is reserving risk?

        (1) Reserving risk is the risk that the reserves set aside by the insurer for its insurance liabilities (net of reinsurance and other recoveries for those liabilities) will be inadequate to meet the net amount payable when the insurance liabilities crystallise.
        (2) In this Part, insurance liabilities includes:
        (a) the liability for claims incurred up to the reporting date;
        (b) the premium liability; and
        (c) for long-term insurance business — the net value of future policy benefits and reinsurance recoveries anticipated for those liabilities.
        Inserted by QFCRA RM/2013-1 and amended by Editorial changes (as from 1st January 2015).

      • PINS S3.2 Risk management policy — reserving risk

        (1) An insurer's risk management policy for reserving risk should include:
        (a) a process for the ongoing review and appraisal of the insurance liability valuation framework (including the assumptions made and reinsurance recoveries estimated);
        (b) procedures and controls to ensure that the provision for insurance liabilities is, at all times, sufficient to cover any liabilities that have been incurred, or are yet to be incurred, on contracts of insurance accepted by the insurer, as far as can reasonably be estimated;
        (c) the methods to be applied in estimating the provision for insurance liabilities, including provisions for individual notified incurred claims;
        (d) the methods to be applied in estimating the amount of the asset for reinsurance recoveries that are expected to arise on crystallisation of the gross insurance liabilities (the manner of estimating those assets must be consistent with the manner of estimating the gross liabilities, unless there is a sound justification for doing otherwise);
        (e) procedures and controls to ensure that the selected approaches are applied accurately and consistently;
        (f) procedures to review and monitor, on a regular basis, the out-turn of provisions made in previous years for insurance liabilities (gross and net of reinsurance recoveries);
        (g) procedures to ensure that in-house or external specialists selected have the appropriate level of skill and experience and have available the necessary information to carry out the estimation required;
        (h) suitable controls to ensure that the data used in determining the insurance liabilities are extracted from the underlying records accurately and to the necessary level of detail; and
        (i) scenario testing for several years into the future, particularly for an insurer conducting long-term insurance business.
        (2) For paragraph (1) (a), in conducting a review and appraisal of the insurance liability valuation framework, consideration should be given to emerging pricing and claim payment trends.
        (3) For paragraph (1) (c), in determining a provision estimation method, an insurer may consider alternative approaches before selecting those regarded as most appropriate to the nature of the business.
        (4) For paragraph (1) (h), the level of detail of the data used in determining the insurance liabilities should be sufficient to ensure that the data available covers the whole of the insurer's liabilities and exposures under insurance contracts.
        (5) In addition to the actuarial advice an insurer is required to obtain under Chapter 9, an insurer should consider the use of actuaries or other appropriately qualified and experienced loss reserving specialists to estimate insurance liabilities periodically through the year.
        (6) The insurer should undertake periodic testing of its reserving processes and the level of its reserves, including continual reassessment of assumptions used, and testing the sensitivity of the valuation of insurance liabilities to stress arising from realistic scenarios relevant to the circumstances of the insurer.
        Inserted by QFCRA RM/2013-1 and amended by Editorial changes (as from 1st January 2015).

    • PINS S4 Insurance risk

      • PINS S4.1 What is insurance risk?

        Insurance risk is the risk that inadequate or inappropriate underwriting, product design, pricing and claims settlement will expose an insurer to financial loss and consequent inability to meet its liabilities.

        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S4.2 What is underwriting risk?

        (1) Underwriting risk is the risk arising from the process by which an insurer determines:
        (a) whether or not to accept a risk; and
        (b) the terms and conditions to be applied, and the premium to be charged, if the risk is accepted.
        (2) Weaknesses in underwriting and in its procedures and controls can expose an insurer to the risk of operational losses that may threaten its solvency position.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S4.3 Risk management policy — underwriting risk

        An insurer's risk management policy for underwriting risk should include:

        (a) a statement of the insurer's willingness and capacity to accept risk;
        (b) the nature of insurance business that the insurer is to underwrite including:
        (i) classes of insurance;
        (ii) the areas where it conducts business;
        (iii) the types of risks included and excluded; and
        (iv) the criteria for the use of reinsurance in the different classes of insurance;
        (c) details of the formal risk assessment process in the underwriting of insurance, including:
        (i) the criteria used for risk assessment;
        (ii) the methods for monitoring emerging experience; and
        (iii) the methods by which the emerging experience is taken into consideration in the underwriting process;
        (d) the process for setting approval authorities and the limits to those authorities (including controls surrounding delegations given to intermediaries of the insurer);
        (e) risk and aggregate concentration limits; and
        (f) methods for monitoring compliance with policies and procedures regarding underwriting, such as:
        (i) internal audit (but only if it is established that the internal audit function has the appropriate skills and experience to perform such activities);
        (ii) reviews by area heads or portfolio managers;
        (iii) peer review of policies (including details of the staff responsible for undertaking the peer review, the frequency of such reviews and the reporting arrangements for the results); and
        (iv) in the case of reinsurers — audits of ceding companies to ensure that reinsurance assumed is in accordance with contracts in place.
        Inserted by QFCRA RM/2013-1 and amended by Editorial changes (as from 1st January 2015).

      • PINS S4.4 What is product design risk?

        Product design risk, in relation to an insurance product, means the risk arising from:

        (a) the introduction of a new insurance product; or
        (b) the enhancement or variation of an existing insurance product.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S4.5 Risk management policy — product design risk

        An insurer's risk management policy for product design risk should include:

        (a) the product classes and types of risks in which the insurer chooses to engage;
        (b) setting a business case for new or enhanced products;
        (c) market testing and analysis;
        (d) cost-benefit analysis;
        (e) requirements for limiting risk through measures such as diversification, exclusions and reinsurance (including confirmation that the existing reinsurance will provide protection or new reinsurance protection is being provided);
        (f) processes to ensure that policy documentation is adequately drafted to give legal effect to the proposed level of cover under the product;
        (g) an implementation plan for the product, including milestones;
        (h) clearly defined and appropriate levels of delegation for approval of all material aspects of product design;
        (i) post-implementation review; and
        (j) methods for monitoring compliance with product design policies and procedures.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S4.6 What is pricing risk?

        Pricing risk, in relation to an insurance product, means the risk arising from inaccurately estimating:

        (a) the claims and other business costs arising from the product; and
        (b) the income from the investment of the premium received for the product.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S4.7 Risk management policy — pricing risk

        (1) An insurer's risk management policy for pricing risk should include:
        (a) clearly defined and appropriate levels of delegation for approval of all material aspects of pricing;
        (b) a process for the reflection of emerging experience in price adjustments;
        (c) profit-loss analysis, including monitoring the effect of price movements;
        (d) price discounting authorities;
        (e) a process for the insurer's product pricing to respond to competitive and other external environmental pressures;
        (f) a process for monitoring, and the ability to monitor, deviations of actual price from the technical underwriting pricing;
        (g) methods for monitoring compliance with pricing policies and procedures for proposed pricing variations; and
        (h) the relationship between pricing, product development and investment management so that they are appropriately aligned.
        (2) The Regulatory Authority expects insurers to consider doing the following in relation to pricing insurance products:
        (a) incorporating ongoing actuarial review of, and actuarial involvement in, the pricing process;
        (b) undertaking independent reviews of:
        (i) pricing for schemes; and
        (ii) pricing for larger or more complex risks.
        Inserted by QFCRA RM/2013-1 and amended by Editorial changes (as from 1st January 2015).

      • PINS S4.8 What is claims settlement risk?

        (1) Claims settlement risk is the risk arising from the process by which insurers fulfil their contractual obligations to policyholders.
        (2) The claims settlement process is triggered when a loss occurs and a claims notification is made to the insurer. The process begins with verifying the contractual obligation to pay the claim under the policy, and is followed by:
        (a) an assessment of the amount of the liability (including loss adjustment expenses); and
        (b) the prompt and efficient handling of the claim within the terms of the policy.
        (3) Weaknesses in claims settlement and in its procedures and controls can expose an insurer to additional or increased losses that may threaten its solvency position.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S4.9 Risk management policy — claims settlement risk

        An insurer's risk management policy for claims settlement risk should include:

        (a) clearly defined and appropriate levels of delegation of authority;
        (b) claims settlement procedures and controls, including loss estimation and investigation procedures;
        (c) criteria for accepting or rejecting claims;
        (d) dispute resolution procedures; and
        (e) methods for monitoring compliance with claims settlement procedures, such as:
        (i) internal audit (but only if it is established that the internal audit unit has the appropriate skills and experience to perform such activities);
        (ii) reviews by area heads or portfolio managers;
        (iii) peer review (including details of the staff responsible for undertaking the peer review, the frequency of such reviews and the reporting arrangements for the results);
        (iv) assessments of brokers' procedures and systems to ensure that the quality of information provided to the insurer is of a suitable standard; and
        (v) in the case of reinsurers — audits of ceding companies to ensure that the value of claims paid is in accordance with contracts.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S5 Reinsurance risk

      • PINS S5.1 What is reinsurance risk?

        Reinsurance risk is the risk that the reinsurance cover obtained by the insurer is inadequate.

        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S5.2 Risk management policy — reinsurance risk

        An insurer's risk management policy for reinsurance risk should include:

        (a) the insurer's objectives (within its risk tolerance) for reinsurance management;
        (b) the process for selection of reinsurance brokers and advisers;
        (c) the processes for prudent and sound selection, management and monitoring of its reinsurance programme;
        (d) managerial responsibilities and controls;
        (e) the methods for determining all aspects of a reinsurance programme, including:
        (i) identification and management of aggregations of risk exposures;
        (ii) selection of probable maximum loss factors;
        (iii) selection of realistic adverse scenarios, return periods and geographical aggregation areas; and
        (iv) identification and management of vertical and horizontal coverage of the programme;
        (f) the process for ensuring that there is accurate and complete reinsurance documentation;
        (g) the selection of participants in reinsurance contracts, including the criteria and procedures to ensure, and monitor, their diversity and creditworthiness;
        (h) the procedures for identifying actual and potential credit exposures to individual reinsurers or groups of connected reinsurers on programmes that are already in place; and
        (i) the processes for entering into a limited risk transfer arrangement.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6 Operational risk

      • PINS S6.1 What is operational risk?

        (1) Operational risk is the risk of financial loss resulting from:
        (a) inadequate or failed internal processes, people and systems; or
        (b) external events.
        (2) Operational risk includes:
        (a) business continuity risk;
        (b) technology risk;
        (c) outsourcing risk;
        (d) fraud risk;
        (e) legal risk;
        (f) project management risk; and
        (g) any other risks that the insurer, having regard to its strategic plan and business plan, and the nature, scale and complexity of the insurer's business and operating environment, determines should be included.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.2 What is business continuity risk?

        (1) Business continuity risk is the risk of unexpected financial and non-financial losses (such as loss of data, premises and reputation) due to disruptions in an insurer's critical business operations.
        (2) Disruptions may occur as a result of power failure, denial of access to work areas, fire, fraud, loss of key staff, failure of computer or data system, destruction of major equipment and security breaches arising from technology risk.

        Note CTRL, rule 7.1.7 (3), requires an insurer to include, in its risk management strategy, contingency planning, business continuity, crisis management and fraud management. Under CTRL, rule 3.1.17, an insurer must review its business continuity procedures at least once every 18 months.
        (3) Critical business operations are the business functions, resources and infrastructure that may, if disrupted, have a material impact on the insurer's business functions, reputation, profitability and policyholders.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).
        Amended by QFCRA RM/2021-1 (as from 1st July 2021).

      • PINS S6.3 Risk management policy — business continuity risk

        An insurer's risk management policy for business continuity risk should:

        (a) describe the process for identifying and analysing:
        (i) events that may lead to a disruption in business continuity;
        (ii) the likelihood of those events occurring;
        (iii) the processes most at risk; and
        (iv) the consequences of those events;
        (b) include a plan (business continuity plan or BCP) describing:
        (i) objectives and procedures for crisis management and recovery in order to minimise financial, legal, regulatory, reputational and other material consequences arising from the disruption of its business;
        (ii) procedures to be followed if business continuity problems arise;
        (iii) detailed procedures for carrying out the BCP, including manual processes, the activation of an off-site recovery site (if needed) and the persons responsible for activating the BCP;
        (iv) a communications strategy and contact information for relevant staff, suppliers, regulators, market authorities, major clients, the media and other key staff;
        (v) a schedule of critical systems covered by the BCP and the timeframe for restoring those systems;
        (vi) the pre-assigned responsibilities of staff;
        (vii) procedures for staff awareness and training on all aspects of the BCP; and
        (viii) procedures for regular testing and review of the BCP; and
        (c) procedures for backing up important data on a regular basis and storing the data off site.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.4 What is technology risk?

        (1) Technology risk is risk:
        (a) that arises from the use of communication and information technology infrastructure; and
        (b) that generates events that may lead to the disruption or damage of an insurer's information systems or data.
        (2) Technology risk is determined by the type and nature of threats targeting and affecting the insurer's environment. Insurers rely heavily on technologies such as the internet and applications. In a highly interconnected and market-driven world, an insurer should have a reliable, flexible, complete and integrated set of operating processes to deal with technology risks.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.5 Risk management policy — technology risk

        An insurer's risk management policy for technology risk should include:

        (a) information technology policies and procedures to identify, assess, monitor and manage technology risks;
        (b) arrangements for adequate information technology infrastructure that:
        (i) meet its current and projected business requirements (both under normal circumstances and in periods of stress);
        (ii) ensure data and system integrity, security and availability; and

        Example

        The IT infrastructure is able to keep secure, and protect, personal information and data (including financial and medical data) in accordance with the requirements under the Data Protection Regulations 2005 and any other relevant laws.
        (iii) support integrated and comprehensive risk management;
        (c) the use of appropriate technology to manage adequately the financial, medical and personal information held by an insurer;
        (d) procedures and controls on data security to enable it:
        (i) to report, in a timely manner, security breaches to affected customers and to the Regulatory Authority; and
        (ii) to meet other reporting requirements;
        (e) processes to assess the risks associated with major breaches in data security and to mitigate the effects of such breaches on its resources, operations and environment;
        (f) as part of business continuity planning, measures to be taken in case of breaches of data security; and
        (g) measures that ensure that group structures are not used to circumvent prohibitions on the sharing of personal information.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.6 What is outsourcing risk?

        (1) Outsourcing risk is the risk posed to an insurer's business by non-performance, or poor performance, by a service provider of a function transferred to the service provider under a material outsourcing arrangement (within the meaning of CTRL).
        (2) An insurer should not outsource a function if the outsourcing would result in unduly increasing the operational risk of the insurer.

        Note An insurer must assess the risks that a material outsourcing poses to its business (see CTRL, rule 8.2.2 (2) (a)), and the governing body of the insurer must review, at least once every 2 years, the insurer's outsourcing procedures for assessing the feasibility of a proposed outsourcing and the risks that the outsourcing poses to the insurer's business (see CTRL, rule 8.1.3 (4) (a) (i)).
        (3) Financial firms frequently decide to outsource aspects of their operations to other parties, related or not. Outsourcing can bring significant benefits to an insurer in terms of efficiency, cost reduction and risk management. However, the process of implementing outsourcing arrangements and the outsourcing relationship itself may expose an insurer to additional risk. It is therefore important that insurers take care to supervise the conduct of activities that are outsourced.

        Note CTRL, rule 8.2.4 (1) requires an authorised firm to inform the Regulatory Authority before entering into a material outsourcing arrangement.
        (4) The activities of service providers have the ability to undermine the risk management activities of insurers. Insurers should take particular care in the outsourcing of activities such as underwriting and claims settlement, where inappropriate performance of the functions can expose the insurer to serious financial loss, for example through acceptance of inappropriate insurance risks, mis-pricing, failure to obtain appropriate reinsurance cover, or failure to detect invalid claims. These considerations apply to such arrangements as binding authorities and other agencies appointed by insurers.
        (5) Insurers should take care to manage the risk that the sound and prudent management of the insurer's business may be compromised by conflicting incentives in an outsourcing agreement. In particular, insurers should consider whether the remuneration structure creates any perverse incentives. For example, a service provider with underwriting authority may have an incentive to accept poorer quality business if remuneration is based on commission (especially if bonuses are given for volume) but is not affected by the performance of the insurance contracts accepted.
        (6) Intra-group outsourcing may be perceived as subject to lower risks than using service providers from outside a group. However it is not risk-free and an insurer must still assess the associated risks and make appropriate arrangements for their management.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).
        Amended by QFCRA RM/2021-1 (as from 1st July 2021).

      • PINS S6.7 Risk management policy — outsourcing risk

        An insurer's risk management policy for outsourcing risk should include:

        (a) a process for negotiating or assessing outsourcing agreements with service providers;
        (b) the setting and monitoring of authority limits and referral requirements;
        (c) the identification and assessment of performance targets;
        (d) the procedures for evaluation of performance against targets;
        (e) the provisions for remedial action;
        (f) the reporting requirements imposed on the service providers (including content and frequency of reports);
        (g) the ability of the insurer and its external auditors to obtain access to the service providers and their records;
        (h) the protection of intellectual property rights;
        (i) the protection of customers' and the insurer's confidentiality;
        (j) the adequacy of any guarantees, indemnities or insurance cover that a service provider agrees to provide;
        (k) the ability of a service provider to provide continuity of business; and
        (l) the arrangements to change, or terminate, outsourcing agreements.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.8 What is fraud risk?

        (1) Fraud risk means:
        (a) risk from unauthorised activities such as those that breach the controls, procedures, limits or other restrictions in an insurer's policies and procedures and in legal and regulatory requirements; or
        (b) risk associated with:
        (i) a deceptive act or omission intended to gain advantage for the party committing the fraud or other parties; or
        (ii) an intentional act undertaken for personal gain or to tamper with or manipulate the financial or operational aspects of the business.
        (2) Fraud risk exposes an insurer to financial losses if not managed properly.
        (3) Fraud risk can result from:
        (a) internal sources (such as redirection of premiums); and
        (b) external sources (such as fictitious claims).
        (4) Countering fraud is the concern of individual insurers and intermediaries, who need to understand, and minimise their vulnerability to, fraud.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.9 Risk management policy — fraud risk

        An insurer's risk management policy for fraud risk should include:

        (a) internal controls and mitigation strategies;
        (b) segregation of duties at an operational level and in relation to functional reporting lines;
        (c) financial accounting controls;
        (d) staff training and awareness; and
        (e) appropriate processes for monitoring compliance with the insurer's procedures, controls, limits or other restrictions (such as those placed on investment managers or those making decisions on underwriting).
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.10 What is legal risk?

        (1) Legal risk is the risk of an insurer being exposed to losses, penalties or reputational damage due to breaches of laws or regulatory obligations, inadequate reinsurance or other contracts, or changes in the laws affecting the insurer.

        Example of inadequate contracts

        Reinsurance contracts that expose the insurer to significant legal risk because:
        (a) the contract is not valid, binding or enforceable;
        (b) the contract does not clearly set out the respective rights and obligations of the parties; or
        (c) a policy document inadequately sets out what exclusions apply.
        (2) Legal risk includes risks arising from:
        (a) fines, penalties or punitive damages from supervisory actions or civil litigation;
        (b) legal costs from litigation; and
        (c) expenses arising from private settlements.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.11 Risk management policy — legal risk

        An insurer's risk management policy for legal risk should include:

        (a) processes for ensuring that documentation is accurate and complete;
        (b) processes to ensure that policies are adequately drafted so that the insurer does not have to pay out for risks not priced into the original premium; and
        (c) procedures and controls for ensuring that the insurer complies with all legal, prudential and other regulatory requirements.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.12 What is project management risk?

        Project management risk is the risk that projects involving an insurer will not achieve the desired objectives or will have a negative effect on the adequacy of resources.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S6.13 Risk management policy — project management risk

        An insurer's risk management policy for project management risk should include:

        (a) a method for the promulgation of project initiatives including:
        (i) setting a business case for the project;
        (ii) cost-benefit analysis of the project; and
        (iii) stakeholder sign-offs;
        (b) clearly defined and appropriate levels of delegation of authority;
        (c) ongoing monitoring of project objectives and timeframes; and
        (d) post-implementation review.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S7 PINS S7 Concentration risk

      • PINS S7.1 What is concentration risk?

        (1) Concentration risk is the risk of over-reliance on, or excessive exposure to, a type of risk, counterparty, asset class, industry or region as a result of credit, balance sheet and market, reserving, insurance, reinsurance, operational and group risks.
        (2) Concentration risk results from risk exposures with a loss potential that is large enough to threaten the solvency position of an insurer.
        (3) An insurer's exposure to risks should not result in a concentration of risks that could result in losses so large as to threaten its solvency position.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S7.2 Risk management policy — concentration risk

        An insurer's risk management policy for concentration risk should include:

        (a) identification of large risk exposures;
        (b) a description of the way in which large risk exposures are being managed, controlled and mitigated by the insurer;
        (c) a description of any limits put in place by the insurer to control concentration risk;
        (d) identification of on-balance sheet and off-balance sheet exposures to concentration risk;
        (e) risk management procedures in relation to concentration risk; and
        (f) processes to ensure that the insurer's exposures to large potential losses due to concentration risk are in line with its risk tolerance.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S8 PINS S8 Group risk

      • PINS S8.1 What is group risk?

        (1) Group risk is the risk of loss to an insurer as a result of its membership of a group or linkages within a group.
        (2) Group membership can be a source of both strength and weakness for an insurer.
        (3) The purpose of requiring an insurer that is a member of a group to include group risk in its risk management policy is to ensure that the insurer takes proper account of the risks arising from its membership.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

      • PINS S8.2 Risk management policy — group risk

        (1) If an insurer is a branch, or part of a group, the insurer's risk management policy for group risk should:
        (a) include a summary of the group policy objectives and strategies;
        (b) state whether the local risk management strategy is derived wholly or partly from the group-wide risk management strategy;

        Note The governing body of an insurer must know the implications for the insurer of any group-wide risk management strategy (see CTRL, rule 7.1.7 (5)).
        (c) summarise the linkages and significant differences between the local risk management strategy and the group-wide risk management strategy, including differences arising from local business and other conditions;
        (d) outline the procedures and timing for monitoring by, or reporting to, the parent entity or head office;
        (e) describe the approach to reviews of the procedures in paragraph (d);
        (f) include, if applicable, a summary of the group policy objectives and strategies relating to reinsurance;
        (g) summarise the linkages between local and group reinsurance; and
        (h) detail any arrangements relating to the existence of, and accessibility to, intra-group reinsurance.
        (2) If a part of an insurer's risk management policy is controlled by another entity in the group, or by the head office, the risk management policy must describe the arrangement and how it works.
        (3) If the insurer is a branch or is part of an insurance group and the head office or ultimate holding company is outside the QFC, the risk management policy should include a summary of the supervisory arrangements regarding risk management in the jurisdiction where the head office or holding company is located.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).
        Amended by QFCRA RM/2021-1 (as from 1st July 2021).

      • PINS S8.3 Specific obligations of group members

        (1) If an insurer is a member of a group, the insurer's senior management should monitor any functions performed for the insurer at the group level.

        Examples

        •    group risk management
        •    capital planning
        •    liquidity
        •    compliance.
        (2) The insurer's senior management should establish and maintain procedures and controls to identify and monitor the effect on the insurer of its relationship with the other members of the group and the activities of those other members.
        (3) The procedures and controls should include procedures to monitor:
        (a) changes in relationships between group members;
        (b) changes in the activities of group members;
        (c) conflicts of interest arising within the group;
        (d) events in the group, particularly those that might affect the insurer's own regulatory compliance (for example, any failure of control or compliance in another group member);
        (e) the effect on it of:
        (i) its relationship with the other members of the group;
        (ii) its membership in the group; and
        (iii) the activities of the other members of the group; and
        (f) the group's compliance with:
        (i) the supervision requirements applicable to it, including systems for the production of relevant data; and
        (ii) group reporting requirements.
        (4) The insurer should have procedures to insulate it, so far as practicable, from the adverse effects of other group activities (for example, transfer pricing or fronting) or group events that might expose the insurer to risk.

        Examples

        Such procedures could include:
        •    a requirement for transactions within the group to be at arm's length
        •    maintenance of “Chinese walls”
        •    development of contingency plans.
        (5) The insurer's senior management should take reasonable steps to ensure that:
        (a) other group members are aware of the insurer's management and reporting obligations in relation to group risk;
        (b) group capital and group risk reporting requirements are complied with; and
        (c) information about the group provided to the Regulatory Authority is accurate, and is provided in a timely manner.
        Inserted by QFCRA RM/2013-1 (as from 1st January 2015).