GOVERNANCE AND RISK MANAGEMENT DIRECTIVE PRESENTED BY TOGAREPI PUPURAI HEAD – INSURANCE AND MICRO INSURANCE IPEC
PRESENTATION OUTLINE
§ Preamble
§ Objectives of the Directive
§ Three Lines of Defense
§ Inadequate Risk Management
§ Systems of Governance
§ Outsourcing
§ Treating Customers Fairly
§ The Role of the Regulator
§ Question & Answer Session
EFFECTIVE DATE - 01 MAY 2017 COMPLIANCE DATE - 01 JAN 2018
PREAMBLE
• IPEC has the mandate to protect the rights, benefits and other interests of policyholders in terms of Section 5(a) of the Insurance Act (Chapter 24:07).
• The Directive is issued in terms of Section 6(c) of the Insurance Act, which empowers the Commissioner to formulate standards for the conduct of insurance business.
• This Directive is meant to provide minimum guidelines to ensure that insurers have effective systems of risk management, including governance structures, internal controls and oversight.
OBJECTIVES OF THE DIRECTIVE
1. To outline the minimum IPEC expectations and requirements for shareholders, Board and management control functions of insurers.
2. To ensure underwriters are managed in a sound and prudent manner:
§ With systems to identify, assess, monitor and mitigate risks
§ Ensure the insurer has sound and appropriate governance practices and internal procedures
THREE LINES OF DEFENSE MODEL Adopted: Positioning the Internal Audit Function within the solvency II framework; Ludovic Bardon et al…
THREE LINES OF DEFENCE MODEL…CONT’D
• First Line: Operational management in its various functions is responsible and accountable for managing and mitigating risk faced by an insurer. This will include internal risk control measures.
• Second Line: This deals with the risk management function, which in the main facilitates and monitors the implementation of risk management practices. Risk control, Compliance and Actuarial functions are key.
• Third Line: The Internal Audit Function, through a risk-based approach, gives comfort to the insurer’s Board and management on the effectiveness of risk management efforts. The audit function also looks at the manner in which the 1st and 2nd lines of defense operate. The audit function should cover all functional areas and communicate its findings to senior management and the board.
INADEQUATE RISK MANAGEMENT
SYSTEM OF GOVERNANCE
The system of corporate governance of an insurer should:
• promote the development, implementation and effective oversight of policies that clearly define and support the objectives of the insurer;
• define the roles and responsibilities of persons accountable for the management and oversight of an insurer by clarifying who possesses legal duties and powers to act on behalf of the insurer and under which circumstances;
• set requirements relating to how decisions and actions are taken, including documentation of significant or material decisions, along with their rationale;
• provide sound remuneration practices which promote the alignment of remuneration policies with the long-term interests of insurers to avoid excessive risk taking;
• provide for communicating with the Commission, as appropriate, matters relating to the management and oversight of the insurer; and
• provide for corrective actions to be taken for non-compliance or weak oversight, controls or management.
(Adopted from Insurance Core Principles).
SYSTEM OF GOVERNANCE
Main focus should be on the following:
• Shareholding structure - deals with significant ownership and control >10%
  – IPEC shall approve any significant ownership in an insurance company
• Composition and Governance of the Board of Directors - for our purpose it means:
  – Non-executive - one who is not involved in the daily running of the insurer and has not done so during the past 2 years.
  – Independent director - a non-executive who has no vested interest or conflict of interest deemed material by IPEC
• Board Charter
• Fiduciary duties of Directors
CORPORATE GOVERNANCE AND RISK MANAGEMENT ISSUES IN INSURANCE ENTITIES
• Suitability of persons - Shareholders, board members, senior management, accountants, auditors and actuaries must be fit and proper. We expect to work with various professional boards like ICAZ to rid the industry of unethical practitioners.
• Fitness and Propriety - The assessment of fitness and propriety is an ongoing process and is not limited to the point of appointment.
• Board Composition - The main issues include the composition of the boards and the powers allocated to committees such as Audit, Risk, Finance and Human Resources.
CORPORATE GOVERNANCE AND RISK MANAGEMENT ISSUES IN INSURANCE ENTITIES…CONT’D
• Shareholder Changes - Changes in control (shareholding), including mergers, need approval by the Commissioner.
• Internal controls must be adequate for the nature and scale of business.
• Information and Disclosure - Reporting on corporate governance activities and compliance is expected timeously whenever necessary.
• Conflict of Interest - arising mainly from failure to separate ownership and control of the firms.
SHAREHOLDING STRUCTURE
§ Maximum shareholding thresholds for individuals and their close relatives
§ Directors and executives of insurers should not have significant ownership and control
§ Limit of control of various players along the distribution channel – to retain independence in the placement of business
§ Nominee companies and family trusts no longer allowed to hold shareholding in insurers
BOARD AND SENIOR MANAGEMENT
§ Directors and senior management should be fit and proper
§ Composition of the Board – At least five directors; the majority should be non-executive and the majority of non-executive directors should be independent.
§ There should be a documented Board Charter to guide operation of the board.
BOARD AND SENIOR MANAGEMENT
Duties of Directors:
– act in good faith, honestly and reasonably;
– exercise due care and diligence;
– act in the interests of the insurer and policyholders, putting those interests ahead of his/her own interests;
– exercise independent judgment and objectivity in his/her decision making, taking due account of the interests of the insurer and policyholders;
– not use his/her position to gain undue personal advantage or cause any detriment to the insurer
BOARD AND SENIOR MANAGEMENT
§ The Governance and Risk Management Board Committees to include, at a minimum, the following:
– Audit Committee;
– Risk Management Committee; and
– Nomination and Remuneration Committee.
RISK MANAGEMENT SYSTEM
§ The risk management framework should, at least, include the following:
a) a fit and proper policy;
b) a remuneration policy; and
c) a policy on management of all risks such as market risk, credit risk, legal and compliance risk and Money Laundering and Terrorism Financing risk.
CONTROL FUNCTIONS
§ Insurers are required to have the following Governance and Risk control functions:
a) Risk Management
b) Actuarial
c) Compliance
d) Internal Audit
e) Accounting - IFRS 17
All control functions should have authority, independence, resources, expertise and access to the board of directors and all information required to perform their duties.
RISK MANAGEMENT FUNCTION
§ The Function should perform the following duties:
a) Identify, assess, report, and monitor risks facing the insurer, taking into account the relationships between the risks.
b) Have a consolidated view of risks, taking into account relationships between business units.
c) Where an insurer is part of a group, address risks due to an insurer being part of the group.
RISK MANAGEMENT FUNCTION…CONT’D
d) Perform appropriately designed and calibrated stress tests and scenario analyses at least once every 12 months.
e) Recommend ways of improving the risk management system to senior management and the board.
f) Implement, or oversee the implementation of, changes to the risk management system.
g) Assist senior management and the board in setting up risk appetites, tolerances, and limits.
h) At least once every 12 months, perform regular asset-liability management checks.
i) Regularly report to senior management and board.
COMPLIANCE FUNCTION
§ The duties of the function are to:
a) Develop, implement, and maintain an effective risk-based compliance program.
b) Actively promote a compliance culture.
c) Ensure compliance with legal, regulatory, and contractual obligations.
d) Identify, assess, and report key legal and regulatory obligations and associated risks.
e) In case of non-compliance, ensure that appropriate remedial action is taken in a timely manner.
COMPLIANCE FUNCTION…CONT’D
f) In case of material non-compliance with regulatory requirements, report the non-compliance to the Commission.
g) Ensure timely and appropriate training on key legal and regulatory obligations for all employees who need such training.
h) Ensure that an effective Whistleblower Program is in place.
i) At least once a year, prepare a report to the board.
ACTUARIAL FUNCTION
§ The function should perform the following duties:
a) Approve the design and pricing of new insurance products.
b) Regularly review the design and pricing of the insurance portfolio.
c) Regularly compare and analyse actual insurance claims against expected levels.
d) Attest the reliability and adequacy of reported reserves and required capital. This includes approving critical assumptions, methodologies applied, and the accuracy of calculations.
ACTUARIAL FUNCTION…CONT’D
a) Develop, implement, and maintain an Asset-Liability Management (ALM) program and assess ALM risks.
b) Approving bonuses awarded to participating insurance policies.
c) Approving dividends paid to shareholders.
d) Assess the level and management of insurance, market, and credit risks.
e) Review the appropriateness and adequacy of the insurer’s reinsurance arrangements.
f) Proper calculation of reserves
INTERNAL AUDIT
§ The audit function shall perform the following functions:
a) Develop, execute, and maintain an effective risk-focused audit plan.
b) Assess both the adequacy and effectiveness of the insurer's internal controls and related documentation.
c) Review the nature and extent of compliance with Board-approved and management-approved policies and controls.
d) Evaluate the reliability and integrity of information used for internal and external reporting.
OUTSOURCING
§ The board and senior management of an insurer retain ultimate responsibility for the effective management of risks arising from outsourcing.
§ Due care to be given to the capacity of service providers
§ The relationship with a service provider should be governed by a service level agreement
TREATING CUSTOMERS FAIRLY (TCF)
§ An insurer must render services honestly, fairly, with due skill, care, and diligence, and in the interest of the policyholder and the integrity of the insurance industry.
§ An insurer must establish and maintain effective and adequate processes to:
– Help customers fully understand the features, benefits, risks, and costs of the financial products they buy
– Minimise the sale of unsuitable products by encouraging best practice before, during and after a sale.
TCF - OUTCOMES
§ An insurer should consistently deliver the following Consumer Outcomes to its customers throughout the product life cycle and throughout the product value chain:
a) Customers’ Confidence - Customers can be confident they are dealing with firms where the fair treatment of customers is central to the corporate culture.
b) Suitable Design and Delivery - Products and services marketed and sold in the insurance market are designed to meet the needs of identified consumer groups and are targeted accordingly.
TCF – OUTCOMES…CONT’D
c) Clear and Adequate Disclosure - Customers are provided with clear information and are kept appropriately informed before, during and after the point of sale.
d) Suitable Advice - Where customers receive advice, the advice is suitable and takes account of their circumstances.
e) Product performance against expectations - Products perform as the insurer has led customers to expect, and service is of an acceptable standard and as they have been led to expect.
TCF – OUTCOMES…CONT’D
f) Claims, complaints, and changes - Customers do not face unreasonable post-sale barriers or delays imposed by companies to change product, switch providers, submit a claim or make a complaint. Claims should be processed fairly, professionally, and without unnecessary delays.
CURRENT MALPRACTICES IN THE MARKET - TCF ISSUES
§ Delay in settlement of third party claims because “the beneficiary is not my policyholder”;
§ Cash in lieu of service for funeral policies should be in line with policy wording;
§ Inadequate disclosures in the policy wording, e.g. no disclosures on how surrender value is determined, no disclosure of sum insured in funeral policies
CURRENT MALPRACTICES IN THE MARKET - TCF ISSUES
§ Lapsing of life policies after 3 years without any paid up status;
§ Delay in settlement of claims without any interest accruing, at times claims settled in instalments;
§ Compulsory insurance policies on loans without the borrower’s consent or the borrower is not furnished with terms and conditions on the policy;
CURRENT MALPRACTICES IN THE MARKET - TCF ISSUES
§ No complaints handling procedures in place at some players;
§ Short claim notification periods;
§ Repudiation of claims based on non-material misrepresentation; and
§ Short term life policies with premiums almost similar to long term products yet the risk is different.
THE ROLE OF THE REGULATOR
§ IPEC’s responsibilities in governance and risk management are as follows:
• Establish rules for governance and risk management practices of insurance companies
• Authorizing/licensing participants - these must be reliable, properly managed, adequately capitalized and have the skills to transact business without destabilizing the market.
THE ROLE OF THE REGULATOR…CONT’D
• Regular financial and statistical monitoring of players
• On-site and offsite surveillance of authorized market participants to assess accuracy of information and compliance with regulations.
• IPEC’s views on corporate governance are as follows:
  – The Commission implores insurers to appreciate the multiplicity of risks they face and how these can be worsened by laxity in Corporate Governance.
  – It is also important for regulated entities to realize that what they hold are mainly public funds, hence the need for prudent governance and risk management structures in their operations to ensure financial soundness.
THE ROLE OF THE REGULATOR…CONT’D
• Ensuring that regulated firms have Board-approved policies and/or manuals, not limited to the following:
  – Compliance Policies and Procedures Manual
  – Underwriting and Claims Policies and Procedures
  – Investment Policies and Procedures
  – AML and CFT Policies and Procedures
  – Complaints Handling Manual
  – ICT Policies
  – Treating Customers Fairly Policies (TCF)
  – Disaster Recovery Policies and Procedures
  – Human Resources Policies and Procedures
  – Risk Management Policies and Procedures
  – Reinsurance Manual
  – Business Continuity Policies
QUESTIONS