• PINS S6 Operational risk

    • PINS S6.1 What is operational risk?

      (1) Operational risk is the risk of financial loss resulting from:
      (a) inadequate or failed internal processes, people and systems; or
      (b) external events.
      (2) Operational risk includes:
      (a) business continuity risk;
      (b) technology risk;
      (c) outsourcing risk;
      (d) fraud risk;
      (e) legal risk;
      (f) project management risk; and
      (g) any other risks that the insurer, having regard to its strategic plan and business plan, and the nature, scale and complexity of the insurer's business and operating environment, determines should be included.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.2 What is business continuity risk?

      (1) Business continuity risk is the risk of unexpected financial and non-financial losses (such as loss of data, premises and reputation) due to disruptions in an insurer's critical business operations.
      (2) Disruptions may occur as a result of power failure, denial of access to work areas, fire, fraud, loss of key staff, failure of computer or data system, destruction of major equipment and security breaches arising from technology risk.

      Note CTRL, rule 7.1.7 (3), requires an insurer to include, in its risk management strategy, contingency planning, business continuity, crisis management and fraud management. Under CTRL, rule 3.1.17, an insurer must review its business continuity procedures at least once every 18 months.
      (3) Critical business operations are the business functions, resources and infrastructure that may, if disrupted, have a material impact on the insurer's business functions, reputation, profitability and policyholders.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).
      Amended by QFCRA RM/2021-1 (as from 1st July 2021).

    • PINS S6.3 Risk management policy — business continuity risk

      An insurer's risk management policy for business continuity risk should:

      (a) describe the process for identifying and analysing:
      (i) events that may lead to a disruption in business continuity;
      (ii) the likelihood of those events occurring;
      (iii) the processes most at risk; and
      (iv) the consequences of those events;
      (b) include a plan (business continuity plan or BCP) describing:
      (i) objectives and procedures for crisis management and recovery in order to minimise financial, legal, regulatory, reputational and other material consequences arising from the disruption of its business;
      (ii) procedures to be followed if business continuity problems arise;
      (iii) detailed procedures for carrying out the BCP, including manual processes, the activation of an off-site recovery site (if needed) and the persons responsible for activating the BCP;
      (iv) a communications strategy and contact information for relevant staff, suppliers, regulators, market authorities, major clients, the media and other key staff;
      (v) a schedule of critical systems covered by the BCP and the timeframe for restoring those systems;
      (vi) the pre-assigned responsibilities of staff;
      (vii) procedures for staff awareness and training on all aspects of the BCP; and
      (viii) procedures for regular testing and review of the BCP; and
      (c) procedures for backing up important data on a regular basis and storing the data off site.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.4 What is technology risk?

      (1) Technology risk is risk:
      (a) that arises from the use of information and communication technology infrastructure; and
      (b) that generates events that may lead to the disruption or damage of an insurer's information systems or data.
      (2) Technology risk is determined by the type and nature of threats targeting and affecting the insurer's environment. Insurers rely heavily on technologies such as the internet and applications. In a highly interconnected and market-driven world, an insurer should have a reliable, flexible, complete and integrated set of operating processes to deal with technology risks.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.5 Risk management policy — technology risk

      An insurer's risk management policy for technology risk should include:

      (a) information technology policies and procedures to identify, assess, monitor and manage technology risks;
      (b) arrangements for adequate information technology infrastructure that:
      (i) meet its current and projected business requirements (both under normal circumstances and in periods of stress);
      (ii) ensure data and system integrity, security and availability; and

      Example

      The IT infrastructure is able to keep secure, and protect, personal information and data (including financial and medical data) in accordance with the requirements under the Data Protection Regulations 2005 and any other relevant laws.
      (iii) support integrated and comprehensive risk management;
      (c) the use of appropriate technology to manage adequately the financial, medical and personal information held by an insurer;
      (d) procedures and controls on data security to enable it:
      (i) to report, in a timely manner, security breaches to affected customers and to the Regulatory Authority; and
      (ii) to meet other reporting requirements;
      (e) processes to assess the risks associated with major breaches in data security and to mitigate the effects of such breaches on its resources, operations and environment;
      (f) as part of business continuity planning, measures to be taken in case of breaches of data security; and
      (g) measures that ensure that group structures are not used to circumvent prohibitions on the sharing of personal information.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.6 What is outsourcing risk?

      (1) Outsourcing risk is the risk posed to an insurer's business by non-performance, or poor performance, by a service provider of a function transferred to the service provider under a material outsourcing arrangement (within the meaning of CTRL).
      (2) An insurer should not outsource a function if the outsourcing would result in unduly increasing the operational risk of the insurer.

      Note An insurer must assess the risks that a material outsourcing poses to its business (see CTRL, rule 8.2.2 (2) (a)), and the governing body of the insurer must review, at least once every 2 years, the insurer's outsourcing procedures for assessing the feasibility of a proposed outsourcing and the risks that the outsourcing poses to the insurer's business (see CTRL, rule 8.1.3 (4) (a) (i)).
      (3) Financial firms frequently decide to outsource aspects of their operations to other parties, related or not. Outsourcing can bring significant benefits to an insurer in terms of efficiency, cost reduction and risk management. However, the process of implementing outsourcing arrangements and the outsourcing relationship itself may expose an insurer to additional risk. It is therefore important that insurers take care to supervise the conduct of activities that are outsourced.

      Note CTRL, rule 8.2.4 (1) requires an authorised firm to inform the Regulatory Authority before entering into a material outsourcing arrangement.
      (4) The activities of service providers have the ability to undermine the risk management activities of insurers. Insurers should take particular care in the outsourcing of activities such as underwriting and claims settlement, where inappropriate performance of the functions can expose the insurer to serious financial loss, for example through acceptance of inappropriate insurance risks, mis-pricing, failure to obtain appropriate reinsurance cover, or failure to detect invalid claims. These considerations apply to such arrangements as binding authorities and other agencies appointed by insurers.
      (5) Insurers should take care to manage the risk that the sound and prudent management of the insurer's business may be compromised by conflicting incentives in an outsourcing agreement. In particular, insurers should consider whether the remuneration structure creates any perverse incentives. For example, a service provider with underwriting authority may have an incentive to accept poorer quality business if remuneration is based on commission (especially if bonuses are given for volume) but is not affected by the performance of the insurance contracts accepted.
      (6) Intra-group outsourcing may be perceived as subject to lower risks than using service providers from outside a group. However it is not risk-free and an insurer must still assess the associated risks and make appropriate arrangements for their management.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).
      Amended by QFCRA RM/2021-1 (as from 1st July 2021).

    • PINS S6.7 Risk management policy — outsourcing risk

      An insurer's risk management policy for outsourcing risk should include:

      (a) a process for negotiating or assessing outsourcing agreements with service providers;
      (b) the setting and monitoring of authority limits and referral requirements;
      (c) the identification and assessment of performance targets;
      (d) the procedures for evaluation of performance against targets;
      (e) the provisions for remedial action;
      (f) the reporting requirements imposed on the service providers (including content and frequency of reports);
      (g) the ability of the insurer and its external auditors to obtain access to the service providers and their records;
      (h) the protection of intellectual property rights;
      (i) the protection of customers' and the insurer's confidentiality;
      (j) the adequacy of any guarantees, indemnities or insurance cover that a service provider agrees to provide;
      (k) the ability of a service provider to provide continuity of business; and
      (l) the arrangements to change, or terminate, outsourcing agreements.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.8 What is fraud risk?

      (1) Fraud risk means:
      (a) risk from unauthorised activities such as those that breach the controls, procedures, limits or other restrictions in an insurer's policies and procedures and in legal and regulatory requirements; or
      (b) risk associated with:
      (i) a deceptive act or omission intended to gain advantage for the party committing the fraud or other parties; or
      (ii) an intentional act undertaken for personal gain or to tamper with or manipulate the financial or operational aspects of the business.
      (2) Fraud risk exposes an insurer to financial losses if not managed properly.
      (3) Fraud risk can result from:
      (a) internal sources (such as redirection of premiums); and
      (b) external sources (such as fictitious claims).
      (4) Countering fraud is the concern of individual insurers and intermediaries, who need to understand, and minimise their vulnerability to, fraud.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.9 Risk management policy — fraud risk

      An insurer's risk management policy for fraud risk should include:

      (a) internal controls and mitigation strategies;
      (b) segregation of duties at an operational level and in relation to functional reporting lines;
      (c) financial accounting controls;
      (d) staff training and awareness; and
      (e) appropriate processes for monitoring compliance with the insurer's procedures, controls, limits or other restrictions (such as those placed on investment managers or those making decisions on underwriting).
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.10 What is legal risk?

      (1) Legal risk is the risk of an insurer being exposed to losses, penalties or reputational damage due to breaches of laws or regulatory obligations, inadequate reinsurance or other contracts, or changes in the laws affecting the insurer.

      Example of inadequate contracts

      Reinsurance contracts that expose the insurer to significant legal risk because:
      (a) the contract is not valid, binding or enforceable;
      (b) the contract does not clearly set out the respective rights and obligations of the parties; or
      (c) a policy document inadequately sets out what exclusions apply.
      (2) Legal risk includes risks arising from:
      (a) fines, penalties or punitive damages from supervisory actions or civil litigation;
      (b) legal costs from litigation; and
      (c) expenses arising from private settlements.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.11 Risk management policy — legal risk

      An insurer's risk management policy for legal risk should include:

      (a) processes for ensuring that documentation is accurate and complete;
      (b) processes to ensure that policies are adequately drafted so that the insurer does not have to pay out for risks not priced into the original premium; and
      (c) procedures and controls for ensuring that the insurer complies with all legal, prudential and other regulatory requirements.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.12 What is project management risk?

      Project management risk is the risk that projects involving an insurer will not achieve the desired objectives or will have a negative effect on the adequacy of resources.

      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).

    • PINS S6.13 Risk management policy — project management risk

      An insurer's risk management policy for project management risk should include:

      (a) a method for the promulgation of project initiatives including:
      (i) setting a business case for the project;
      (ii) cost-benefit analysis of the project; and
      (iii) stakeholder sign-offs;
      (b) clearly defined and appropriate levels of delegation of authority;
      (c) ongoing monitoring of project objectives and timeframes; and
      (d) post-implementation review.
      Inserted by QFCRA RM/2013-1 (as from 1st January 2015).