PINS 2.3.1 Contents of insurer's risk management policy

(1) An insurer's risk management policy must at a minimum address the following risks:
(a) credit risk;
(b) balance sheet and market risk (including investment, asset-liability management, liquidity and derivatives risks);
(c) reserving risk;
(d) insurance risk (including underwriting, product design, pricing and claims settlement risks);
(e) reinsurance risk;
(f) operational risk (including business continuity, outsourcing, fraud, technology, legal and project management risks);
(g) concentration risk;
(h) group risk.
(2) The insurer's risk management policy must include the following specific policies:
(a) a policy regarding investment that specifies the nature, role and extent of the insurer's investment activities and how the insurer complies with the investment requirements under these rules;
(b) a policy regarding asset-liability management that specifies the nature, role and extent of asset-liability management activities and their relationship with product development, pricing and investment management;
(c) a policy regarding underwriting that specifies the risks to be accepted by the insurer as part of its insurance business, the processes for underwriting, pricing and claims settlement;
(d) a policy ensuring that any reinsurance contract to which it is a party is finalised (and the material documents supporting the contract are completed):
(i) before the start of reinsurance cover (the start date); or
(ii) as soon as possible after the start date (but in no case later than 60 days after the start date);
(e) a policy regarding procedures for business continuity that enable the insurer to manage any initial disruption of business and to recover critical business operations following such a disruption.
Note For the other matters that, in the Regulatory Authority's view, should be included in the insurer's risk management policy see sch 1, guidance S2.3 (investment risk), S2.5 (asset-liability management risk), S4.3 (underwriting risk), S5.2 (reinsurance risk) and S6.3 (business continuity risk).
(3) The policies of the insurer must be appropriate to the nature, scale and complexity of the insurer's business and the risks to which it is exposed.
(4) The definitions of the various risks must be clearly understood throughout the insurer so that its staff can effectively identify and manage the risks.
(5) Schedule 1 gives guidance about what, in the Regulatory Authority's view, should be included in the insurer's risk management policy.
Amended by QFCRA RM/2013-1 (as from 1st January 2015).
Amended by QFCRA RM/2021-1 (as from 1st July 2021).