Life Insurance (prudential standard) determination No. 9 of 2012
Prudential Standard LPS 220 Risk Management
Life Insurance Act 1995
I, Ian Laughlin, delegate of APRA:
(a) under subsection 230A(5) of the Life Insurance Act 1995 (the Act) REVOKE Life Insurance (prudential standard) determination No. 2 of 2007, including Prudential Standard LPS 220 Risk Management made under that Determination; and
(b) under subsection 230A(1) of the Act DETERMINE Prudential Standard LPS 220 Risk Management, in the form set out in the Schedule, which applies to all life companies, including friendly societies.
This instrument takes effect on 1 January 2013.
Dated: 30 November 2012
In this Determination:
APRA means the Australian Prudential Regulation Authority.
friendly society has the meaning given in section 16C of the Act.
life company has the meaning given in the Dictionary to the Act.
Prudential Standard LPS 220 Risk Management comprises the 8 pages commencing on the following page.
Prudential Standard LPS 220
Objective and key requirements of this Prudential Standard
This Prudential Standard sets out the requirements for a life company to maintain a risk management framework and strategy that is appropriate to the nature and scale of its operations.
The ultimate responsibility to maintain the risk management framework and strategy rests with the Board of directors of the life company or, in the case of an eligible foreign life insurance company, with the Compliance Committee.
A life company’s systems, processes, structures, policies and people involved in identifying, assessing, mitigating and monitoring risks are referred to in this Prudential Standard as the risk management framework.
The key requirements of this Prudential Standard include that a life company must:
· maintain a risk management framework which is aligned with the life company’s internal capital adequacy assessment process and includes:
(a) a documented Risk Management Strategy;
(b) sound risk management policies and procedures;
(c) clearly defined managerial responsibilities and controls; and
(d) a documented business plan;
· ensure that its risk management framework is subject to effective and comprehensive review; and
· submit a Risk Management Declaration to APRA on an annual basis.
1. This Prudential Standard is made under paragraph 230A(1)(a) of the Life Insurance Act 1995 (the Act).
2. This Prudential Standard applies to all life companies including friendly societies (together referred to as life companies) registered under the Act.
3. This Prudential Standard applies to life companies from 1 January 2013.
4. Nothing in this Prudential Standard prevents a life company from applying a risk management framework, Risk Management Strategy (RMS) or business plan that is also used in a related company, provided that the risk management framework, RMS or business plan has been approved by the life company for its purposes and meets the requirements of this Prudential Standard.
5. Terms that are defined in Prudential Standard LPS 001 Definitions appear in bold the first time they are used in this Prudential Standard.
The role of the Board
6. The Board of directors (the Board) is ultimately responsible for the risk management framework of the life company. The Board must ensure that a life company has, at all times, a risk management framework to prudently manage the risks arising in the life company and the risks to the policy owners of the statutory funds.
7. The Board is responsible for the risk management framework whether or not risk management and business operations are outsourced or are part of a corporate group.
8. The Board must approve a written RMS for the life company and must be satisfied that the RMS complies with this Prudential Standard.
9. The Board must be notified of any material deviation from the life company’s RMS.
Risk management framework
10. For the purposes of this Prudential Standard, the risk management framework is the totality of systems, structures, policies, processes and people within the life company that identify, assess, mitigate and monitor all internal and external sources of risk that could have a material impact on the life company’s operations.
11. A life company’s risk management framework must, at a minimum, include:
(a) an RMS;
(b) risk management policies, controls and procedures which identify, assess, monitor, report on and mitigate all material risks, financial and non-financial, likely to be faced by the life company having regard to such factors as the size, business mix and complexity of the life company’s operations;
(c) a written business plan, that is approved by the Board prior to its adoption and at any time that it is materially revised. The business plan must be reviewed by the life company at least annually;
(d) clearly defined managerial responsibilities and controls for the risk management framework; and
(e) a review process to ensure that the risk management framework remains effective.
12. The material risks referred to in subparagraph 11(b) must, at a minimum, include:
(a) asset risk, including asset and liability mismatch risk;
(b) asset concentration risk;
(c) operational risk;
(d) insurance risk, including insurance concentration risks; and
(e) strategic and tactical risks that arise out of the life company’s business plan.
13. The risk management framework must consider all risks that are relevant to a life company’s individual statutory funds. The assessment of whether a risk is material must be considered at the level of the individual statutory funds as well as for the life company as a whole. A life company may also conduct business other than life insurance business external to the life company’s statutory funds. The risk management framework must reflect the range of business conducted by the life company and the effects that business conducted by the life company outside of the statutory funds may have on the life insurance business.
Risk Management Strategy
14. The RMS is a high level document which documents:
(a) the life company’s strategy for managing risk;
(b) the extent and circumstances under which the life company is prepared to accept risk; and
(c) the key elements of the risk management framework which give effect to the strategy for managing risk.
15. A life company’s RMS must, at a minimum:
(a) detail the life company’s approach to the matters listed in paragraph 14;
(b) identify the policies and procedures dealing with the following risk management matters, including the date when each policy or procedure was last revised, the date that it is next due for revision and the position responsible for its maintenance:
(i) the processes for identifying and assessing material risks;
(ii) the process for establishing and implementing mitigation and control mechanisms for material risks;
(iii) the process for the monitoring and reporting of risk issues (including communication and escalation mechanisms);
(iv) the mechanisms in place for monitoring and ensuring continual compliance with all prudential requirements;
(v) the life company’s approach to management of capital; and
(vi) the life company’s approach to business continuity management (refer to Prudential Standard CPS 222 Business Continuity Management) and outsourcing (refer to Prudential Standard CPS 231 Outsourcing);
(c) describe the relationships within the risk management framework between the Board, Board committees and senior management;
(d) identify those positions with managerial responsibility for the risk management framework, and set out their roles and responsibilities;
(e) describe the approach to ensuring relevant staff have an awareness of the risk management framework and instilling an appropriate risk culture across the life company; and
(f) describe the process by which the risk management framework (including the RMS) is reviewed and the intended coverage and timing for these reviews.
16. The RMS must describe the life company’s entire approach to risk management. To this end, if the life company is a subsidiary within a corporate group, or an Eligible Foreign Life Insurance Company (EFLIC), where any element of the life company’s risk management framework is controlled by, influenced by, or subject to approval by another entity in the group, or by its head office, the RMS must also summarise:
(a) the group (or head office) policy objectives and strategies;
(b) whether the life company’s RMS is derived wholly or partially from the group (or head office) risk management arrangements;
(c) the linkages and significant differences between the life company RMS and group (or head office) risk management arrangements including relevant life company business and other conditions; and
(d) the process for monitoring by, or reporting to, the group or head office. A summary of the key procedures, the frequency of reporting and the approach to reviews must be provided.
Integration of risk management framework and Internal Capital Adequacy Assessment Process
17. Under Prudential Standard LPS 110 Capital Adequacy (LPS 110), a life company is required to have an Internal Capital Adequacy Assessment Process (ICAAP). An ICAAP involves an integrated approach to capital and risk management for a life company, aimed at ensuring that the capital held is adequate in the context of the risk profile and risk appetite of that life company. A life company’s ICAAP must be developed having regard to its risk management framework.
18. A life company is not required to duplicate content between its ICAAP summary statement or ICAAP report required under LPS 110 and its RMS. Cross-references are appropriate to facilitate integration between the two documents.
Review of risk management framework
19. The life company must ensure that its risk management framework is subject to effective and comprehensive review by operationally independent, appropriately trained and competent persons. The frequency and the scope of the review should be appropriate to the life company, having regard to such factors as the size, business mix and complexity of the life company’s operations and the extent of any change to its business profile or its risk appetite.
20. The review of the risk management framework must include:
(a) a review of the RMS, to ensure that:
(i) the strategy for the management of risk remains appropriate to the company’s business, its policyholder profile and its financial circumstances; and
(ii) the RMS accurately documents the life company’s risk management framework;
(b) a review of the policies and processes described in subparagraph 11(b); and
(c) a review of the people and functions involved in risk management.
21. The Appointed Actuary must include an assessment of the suitability and adequacy of the risk management framework as part of the Financial Condition Report required under Prudential Standard LPS 320 Actuarial and Related Matters.
22. Life companies must implement satisfactory internal audit procedures and/or external audit arrangements to ensure compliance with, and the effectiveness of, the risk management framework.
23. Where there are institutional, operational or other developments that materially affect the life company’s risk profile, the life company must assess whether any amendments to, or a review of, its risk management framework (including the RMS) are necessary to take account of the change.
24. In the event that a life company:
(a) is aware of a material breach of, or material deviation from, the risk management framework; or
(b) discovers that the risk management framework did not adequately address a material risk
the life company should notify APRA as soon as practicable.
Risk Management Declaration
25. The Board must provide APRA with a declaration on risk management (Risk Management Declaration), relating to each financial year of the life company, signed by two directors or, in the case of an EFLIC, two members of the compliance committee. This declaration must satisfy the requirements set out in Attachment A to this Prudential Standard.
26. The Risk Management Declaration must be submitted to APRA on, or before, the day that the life company’s annual regulatory financial statements are required to be submitted to APRA.
27. If the Board qualifies the Risk Management Declaration, the qualified Risk Management Declaration must include a description of any material deviation from the life company’s risk management obligations, and the steps taken, or proposed to be taken, to remedy those breaches.
Adjustments and exclusions
28. APRA may, by notice in writing to a life company, adjust or exclude a specific requirement in this Prudential Standard in relation to that life company.
Determinations made under previous prudential standards
29. An exercise of APRA’s discretion (such as an approval, waiver or direction) under a previous version of this Prudential Standard continues to have effect as though exercised pursuant to a corresponding power (if any) exercisable by APRA under this Prudential Standard.
Risk Management Declaration
The Board must (by the time provided for in paragraph 26 of this Prudential Standard) provide APRA with a Risk Management Declaration stating that, to the best of its knowledge and belief, having made appropriate enquiries:
(a) the life company has systems in place for the purpose of ensuring compliance with the Act, the Life Insurance Regulations 1995, prudential standards, reporting standards, the Financial Sector (Collection of Data) Act 2001, authorisation conditions, directions issued by APRA pursuant to the Act and any other requirements imposed by APRA under law;
(b) the Board is satisfied with the efficacy of the processes and systems surrounding the production of financial information at the life company;
(c) the life company has in place an RMS, developed in accordance with the requirements of this Prudential Standard, setting out its approach to risk management; and
(d) the systems that are in place for managing and monitoring risks, and the risk management framework, are appropriate to the life company, having regard to such factors as the size, business mix and complexity of the life company’s operations.
 Refer to Subsection 3(3) of the Act.
 For the purposes of this Prudential Standard, a reference to the Board, in the case of an Eligible Foreign Life Insurance Company (EFLIC), is a reference to the Compliance Committee. Section 16ZF of the Act requires an EFLIC to establish and operate a Compliance Committee. Refer to Attachment B of Prudential Standard CPS 510 Governance (CPS 510) for further information.
 A ‘corporate group’ comprises more than one company, where the companies are related bodies corporate within the meaning of section 50 of the Corporations Act 2001.
 Conflicts of interest may also create material risks for life companies. These are dealt with in CPS 510.
 Requirements for outsourcing and business continuity management are contained in Prudential Standard CPS 231 Outsourcing and Prudential Standard CPS 232 Business Continuity Management respectively.
 Refer to Prudential Standard LPS 110 Capital Adequacy for requirements on the Internal Capital Adequacy Assessment Process (ICAAP) for a life company. Refer also to paragraphs 17 and 18 which include additional detail regarding the interaction between the risk management framework and a life company’s ICAAP.