Risk Management Regulation
Part 1: Introduction
Purpose
- This Code presents the general principles and minimum standards that should be met by insurance and reinsurance companies, including branches of foreign insurance and reinsurance companies, and insurance related service providers to manage their risks.
- The objective of This Code is to promote high standards of risk management.
- This Code must be read in conjunction with the Law on Supervision of Cooperative Insurance Companies and its Implementing Regulations, especially articles 12, 20, 21, 24, 37, 42, 46, 47, 49, 60, 61, 62, 68, 72, and 76.
Definitions
- The term “Companies” in This Code is intended to include: insurance and reinsurance companies, and insurance related service providers including insurance brokerages, insurance agencies, reinsurance brokerages, and reinsurance agencies. The rest of the terms used in This Code shall have the same meaning as per article one (1) of the Implementing Regulations.
- Risk management is defined [1] as the process whereby the insurer's management takes action to assess and control the impact of past, present and potential future events that could be detrimental to the insurer. These events can impact both the asset and liability sides of the insurer's balance sheet, and the insurer's cash flow.
[1] Source: IAIS guidance paper on investment risk management, October 2004
Scope and Exemptions
This Code applies to insurance and reinsurance companies, and insurance related service providers including insurance brokerages, insurance agencies, reinsurance brokerages, and reinsurance agencies.
Compliance Measures
- Companies must establish appropriate internal controls and procedures to ensure and monitor compliance with This Code, including the compliance of all contracted parties, in particular when there is clear evidence of a breach in the regulation.
- Companies must maintain adequate records to demonstrate compliance with This Code, including but not limited to the risk strategy and the organizational structure implemented.
Non-Compliance
- Non-compliance with the requirements set forth in This Code will be deemed a breach of the Law on Supervision of Cooperative Insurance Companies and its Implementing Regulations and licensing conditions and may subject companies to enforcement action.
Structure of This Code
The risk management requirements are outlined in Parts 2 and 3 of This Code:
a) Part 2 - General Requirements, which are principle-based.
b) Part 3 - Risk Management Standards, which stipulate the risk management requirements companies must adhere to in order to combat all categories of risk.
Part 2: General Requirements
Risk Management Strategy
Companies should have a comprehensive risk management strategy to understand and manage the types of risk arising from their core business operations.
The strategy should consider the impact of market conditions and available expertise on inherent risks to which the company is exposed. Consideration should not be limited to the risks associated with one class of business but should extend to risks from all other classes.
- Companies should periodically review and update the risk management strategy by taking into account developments that are internal and external to the company.
Responsibilities of Management
- The company's Board of directors and the senior management are responsible for assessing the risks to which the company is exposed and mitigating and monitoring those risks on a continuous basis. Therefore, the Board should:
- Understand the risks associated with the company's activities.
- Design a risk management strategy which is consistent with the company's commitments to shareholders and with regulatory requirements.
- Approve the risk management policies in writing.
- Ensure the implementation and effective operation of risk management control systems.
- Question senior management on risk management processes and give priority to discussions and actions dealing with risk management issues.
- Re-evaluate the company's tolerance for, and exposure to, risk on a regular basis (e.g., through stress testing exercises).
Organizational Structure
Companies should clearly define responsibilities of senior managers and establish levels of authority and powers of delegation.
In addition, companies should design a reporting structure that ensures management is provided with all information necessary to manage risk.
Management should be further supported by appropriately experienced personnel, appropriate control systems and up-to-date information technology.
The role of the company's senior management with regard to risk management should include:
- Clearly understanding the risk management policies and procedures of the company.
- Ensuring activities of the company are conducted within the framework of approved policies and systems.
- Keeping the Board advised of any breach of the risk management practices.
- The company should assign at least 2 (two) risk management officers, one for general and health insurance and one for protection and savings insurance. The company should make sure that its risk management officers are independent from its underwriting officers.
Policies and Control Systems
- Companies should establish (in writing) adequate policies and control systems to measure risk tolerances, aggregate exposure limits, and mitigate and monitor risks. These policies and control systems must include but not be limited to:
- Clear identification of the staff positions with delegated responsibility for managing specific risks.
- Adequate systems for measuring risk.
- Effective internal controls, including separation of operations and internal audit.
- Comprehensive management information systems that ensure timely monitoring and reporting of risk exposure.
Contingency Plan
- Companies should design a contingency plan to counter events with severe negative impact on their businesses. This plan should:
- Identify early risk warning signals.
- Outline detailed course of action in the event of a negative outcome.
- Establish roles and responsibilities for every prescribed action.
- Assess the likely impact of every outlined course of action.
- Establish the reporting procedure as well as the internal and external notification.
Documentation and Review
- Companies should design processes for the documentation and review of systems and for the maintenance of control procedures. The effectiveness of the implementation of risk management systems should be thoroughly documented and provided to SAMA upon request.
Reporting
The company should provide SAMA with an annual report detailing its risk management plan and its implementation steps as part of the annual financial reports submitted to SAMA at the end of the year.
The report should address the following risk management systems:
- Written policies and procedures, and internal control mechanisms in place.
- Annual review of the implementation effectiveness of the risk management policies and procedures by the Board.
The report must be signed by both the chief executive officer (CEO) and the chairman of the Board.
Part 3: Risk Management Standards
Section A: Risk Identification
The list that follows summarizes the most common categories of risk.
Product Development Risk
- Product development risk is the risk associated with the changes made on an existing product in order to meet customer needs and make the product more marketable in a competitive environment. These changes might affect the product coverage and liabilities which would cause risk. When dealing with product development risks, the company should:
- Perform an actuarial review and get an actuarial approval for selling the new product, especially for Protection and Savings products.
- Ensure that the new product is compliant with regulatory requirements.
- Report any change in the risk profile and/or insured behavior from the date of launching of the new product.
Underwriting Risk
- Underwriting risk is the risk associated with evaluating and accepting insurance risk. When dealing with underwriting risk, companies must:
- Ensure policies are worded clearly and that no room for interpretation is given.
- Ensure that the application is filled out by the insured in its entirety.
- Ensure that the premium charged reflects the policy cost including hidden costs such as advertising and regulatory fees.
- Have underwriting guidelines defining the responsibility of departments dealing with underwriting activity (e.g., sales department, claim handling department, reinsurance department, etc.).
- Reinsure a part of its risk as per Article 40 of the Implementing Regulations before selling any product in order to minimize and control overall risk and enhance risk tolerance.
- Review periodically the adequacy of insurance policies, underwriting guidelines, as well as the underwriting process to make sure that each department is operating efficiently.
Claim Handling Risk
- Claim handling risk is the risk associated with paying claims to policyholders based on the policy coverage. When dealing with claim handling risks the company should:
- Review closely decisions dealing with claims to make sure they are taken in accordance with policy coverage. This will minimize additional cost in the future associated with inappropriate decisions.
- Periodically assess claim handling processes and guidelines to enhance their efficiency and quality.
- Define and implement a process for claim settlements with reinsurance companies to facilitate transactions dealing with claims.
- Define and implement appropriate reserving mechanisms.
IT Risk
- IT risk is the risk of error or failure in business operations caused by a fault, error or failure in the information technology (IT) systems the company relies on. When dealing with IT risk, the company should:
- Have an adequate IT system to safeguard the integrity and security of data.
- Audit periodically and update the IT system, and maintain disaster recovery plans.
- Use reliable and original software.
- Have effective up-to-date anti-virus software installed on all computer terminals and servers.
- Maintain all financial and other sensitive information in a physically secured environment.
- Store backup copies of all their data.
Pricing Risk
- Product pricing risk is the risk resulting from the process by which the company attempts to identify the adequate premium rate. When dealing with pricing risk, the company should:
- Take into consideration all potential risks using the proper methodologies when setting the price of a product.
- Evaluate the business's profits and losses to identify the effects associated with modifying the premium rate, if any, on the reported earning. In case of emergence of new trends, the company should initiate a process for price assessment (i.e., repricing).
- Involve actuaries when setting product prices.
Liquidity Risk
- Liquidity risk is the risk associated with the inability to liquidate an asset quickly enough without sacrificing a portion of its value. Liquidity risk is likely to occur when excessive long-term assets are held against the insurance company's liabilities. When dealing with liquidity risk, the company should:
- Use stress-testing to recognize potential liquidity shortages and confront them.
- Use scenario analysis techniques, which simulate base, worst and best case scenarios, to identify techniques for dealing with liquidity shortages if they ever arise.
- Monitor any rise in policy cancellations, which is an important indicator of a liquidity problem.
- Use sound asset-liability management practices in order to limit the company's exposure to shortages in liquidity.
- Use a variety of techniques, such as lines of credit, to obtain quick access to cash should the need arise.
Credit Risk
- Credit risk is the risk associated with uncertainty in the counterparty's ability to meet its obligations. A history of payment delay of a particular client as well as the overall status of the economy are indicators of credit risk. When dealing with credit risk, the company should:
- Ask the counterparty to provide adequate collateral.
- Enforce a strict timeline for collecting payments.
- Put limits on the quality and quantity of credit provided or investments made.
- Review periodically the company's policy for granting credit, in an effort to identify any weakness in the policy itself and intervene if necessary.
Interest Rate Risk
- Interest rate risk is the risk that the value of the investment would change due to a change in the interest rate.
- The main categories of interest rate risk would be:
- Basis risk: occurs when the yields on the insurance company's investments differ from yields on its liabilities.
- Curve risk: occurs when the yields on the short term investments differ from the yields on long term investments.
- Reinvesting risk: occurs when the company is forced to reinvest its assets at a lower rate and/or to repay its liabilities at a higher rate.
- A company should analyze the effects of a change in the interest rate on its income statement. A decline in profits or a rise in losses threatens the stability of the company's position, weakens its capital adequacy and reduces market confidence in the company.
Corporate Governance Risk
- Corporate Governance Risk is the risk associated with the rules dictating how rights and responsibilities are shared between the various stakeholders in the company, primarily managers, directors, shareholders, and other financial stakeholders. (For more information please refer to the Code of Corporate Governance Regulation)
Currency Exchange Risk
- Currency exchange risk is the risk associated with an investment's value changing due to changes in currency exchange rates, thus affecting export/import businesses as well as international investments. When dealing with currency exchange risk, the company should take the following measures:
- Position limit: setting a maximum amount to a particular currency allowed to be carried during regular trading hours in order to limit a position.
- Loss limit: setting stop-loss levels under the conditions of a loss limit in order to avoid non-sustainable losses.
Reinsurance Risk
- Reinsurance risk is the risk associated with transferring part of the risk to another company. Reinsurance risk appears when the reinsurer fails to meet its obligations. (For more information please refer to the Reinsurance Regulation)
Reputation Risk
- Reputation risk is the risk associated with negative public opinion about the company. This affects the institution's ability to establish new relationships or services, or to continue servicing existing relationships, thus exposing the company to financial loss or to a decline in its customer base, which impacts earnings and capital. When dealing with reputation risk, the company should exercise caution in dealing with its customers and the community.
Country risk
- Country risk is the risk associated with the occurrence of changes in the business environment of a country thus affecting profitability of businesses conducted in it. Country risk stems from:
- Macroeconomic mismanagement where authorities may pursue unsound monetary and fiscal policies which may lead to inflation, higher interest rates, recession, etc.
- War or political instability.
- Labor unrest which may lead to higher costs or work stoppages.
Non-Compliance Risk
- Non-compliance risk is the risk arising from violation of laws, rules, and regulations. When dealing with non-compliance risk, the company should:
- Ensure it is in compliance with all applicable laws and regulations governing its activities.
- Provide adequate attention to the operating circulars as well as procedures and rules of the payment systems.
- Ensure sound and appropriate contractual relationships with customers and counterparties.
Section B: Risk Measurement
Impact and Probability
- Companies should measure risk by assessing:
- Its impact, thus measuring its severity and the potential harm that could occur to the business activity as a result.
- Its probability, i.e., the likelihood of its occurrence. The higher the probability, the more risk the company incurs.
- The company should measure the impact of its risks by assessing and scaling the quality of the different factors specific to each type of risk using different severity levels. In the case of non-quantifiable risks, the company should undertake a qualitative assessment appropriate to the type of risk in question.
Risk Evaluation
- The estimated risks should be compared against the insurer's risk criteria to decide on the priority to be assigned to address each of the risks and the appropriate responses.
Measurement Process
- The company should aggregate risk impact and probability across its business activities to obtain a complete risk assessment map. The risk measurement process consists of the following steps:
- Group similar and related risks into homogeneous categories.
- Determine risk drivers or variables that affect the probability and impact of identified risks.
- Determine the root cause or source of risk.
- Assess trade-offs, interdependencies, and timing of identified risks.
- Estimate risk factor or risk exposure.
- Multiply probability of occurrence or likelihood with the consequence or impact (in financial terms) if the risk occurred.
- Determine risk impact by assessing the risk factor with the relative risk timeframe for action.
- Rank and prioritize risks.
Section C: Risk Mitigation
The company should implement necessary measures to mitigate the identified risks, including setting appropriate standards and assigning limits to staff that are commensurate with their experience and competence level.
Mitigation strategies can be fivefold:
- Avoid: the company refrains from performing tasks that might carry potential risk.
- Retain: the company accepts the loss when it occurs.
- Reduce: the company reduces the severity of its losses.
- Transfer: the company causes another party to accept the risk, typically by contract or by hedging (e.g., reinsurance).
- Exploit: the company makes good use of the risk it is retaining to gain indirect financial benefits (e.g., through advertisement).
Section D: Risk Monitoring
Effective Monitoring
- The company should have an effective monitoring structure to ensure that risk standards and limits are complied with as intended and that any deviation is duly documented and approved. The company should establish clear procedures to investigate non-compliances with the intent of preventing such incidents from recurring. The consequences for non-compliance with established limits should be clarified and pre-determined by control committees and internal oversight functions. Such committees should include, but not be limited to, the Risk committee, Investment committee, Claims settlement committee, Reinsurance committee, Remuneration committee, and Internal audit function. The role and scope of work of each committee is defined in the Code of Corporate Governance.
Review
- The company should annually review whether it has correctly assessed the impact and probability of material risks and effectively mitigated or treated the risks, including identification of lessons learned.