Risk Management


Having received approval from the IBSL, the new company, 'Ceylinco Life Insurance Limited', launched its new journey on 1 June 2015 with its new Board.

With the opening of a new chapter under the new company, Ceylinco Life Insurance Limited, a new Board Risk Committee has been appointed in order to strengthen the management process. It has started to engage with the risk management process in an advisory and monitoring capacity.

Importance of Risk Management

Risk management is a key component of Ceylinco Life’s management process. Since life insurance companies are sensitive to fluctuations in macro- and micro-environmental factors, it is important to identify and manage the risks caused by these factors. Effective risk taking and risk management are critical to the overall profitability, competitive market positioning and long-term financial viability of the Company. Risks may not necessarily be eliminated, but need to be appropriately managed to achieve the Company’s overall corporate objectives.

Risk Management Framework (RMF)

Risk Management Framework (RMF) of Ceylinco Life helps to ensure that risk is managed across the organisation in an effective manner. The Board of Directors is ultimately responsible for the Company’s governance principles and policies and oversight of the RMF. Following the segregation, a Board Risk Committee was established to assist the Board to oversee the company-wide risk management practices. A comprehensive RMF has been developed which has been reviewed and approved by the Board Risk Committee and the Board of Directors respectively.

The current Risk Management Governance Structure is shown below:

Risk Management Governance Structure (figure)

Line management and staff are responsible for day-to-day risk management and decision-making and have primary responsibility for establishing and maintaining an effective control environment with the support and the co-ordination of their respective Sub-committees (first line of defence).

The Executive Risk Management Committee, with the CRO and Sub-committee heads, is responsible for developing, facilitating and monitoring the risk control framework and strategy effectively (second line of defence).

The Board of Directors, with the assistance of the Board Risk Committee, is responsible for review, approval and oversight of the Company-wide RMF and the risk management policies adopted by the Company. The Board and its Risk Committee will develop and approve the Company’s statement of risk appetite and tolerance and set the tone and culture of the Company vis-à-vis risk. The Board through the CRO and the Executive Risk Committee will oversee and monitor the effective functioning of RMF of the Company. The Board will regularly monitor risk management capabilities within the Company, including communication about escalating risk and crisis preparedness and recovery plans. The Board will also oversee the division of risk-related responsibilities to each Board Committee as clearly as possible and perform a gap analysis to determine that the oversight of any risks is not missed.

The comprehensive RMF developed for Ceylinco Life is based on the International Standard – ISO 31000:2009(E) Risk management – Principles and Guidelines. It addresses, in detail, the risk appetite and tolerance, identification and assessment of material risks, the risk response strategy including internal process and controls, risk reporting and risk maps, maintaining a risk register, monitoring and audit and an ongoing and regular review and update.

Once material risks are identified, each risk event is assessed in terms of its potential impact on the organisation. Assessing the impact of a risk event is split into three steps:

  • Assess the likelihood (or frequency) of the risk event occurring
  • Assess the consequence (or severity) of the risk event, assuming the risk event occurs
  • Assess the overall resulting impact of the risk event on the organisation, reflecting both the consequence and the likelihood of the risk event

The consequences and impact of a risk event may have a number of dimensions, such as a financial impact, a reputational impact, and so on. That is, a risk event may have a ‘footprint’ across more than one risk category. Where this is the case, the overall impact is taken as the worst of the impacts over the risk categories.

Since the impact depends on the assessed likelihood and consequence, these two are discussed first, and the overall assessment of impact is then recorded in a table known as the ‘Risk Impact Table’, as depicted below:

Risk Impact Table (figure)

The levels of risk event impact are as follows:

Risk Level | Risk Treatment Guidelines
Extreme    | Requires immediate action as the potential risk exposure could be devastating to the organisation
Very High  | Requires action very soon (within 3 months), as it has the potential to be damaging to the organisation
High       | Requires treatment with routine or specific procedures
Medium     | Continue to monitor and re-evaluate the risk, ideally treat with routine procedures
Low        | Continue to monitor and re-evaluate the risk
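The three assessment steps above, the ‘footprint’ rule (an event touching several risk categories takes the worst of its per-category impacts) and the treatment table can be carried through as a small risk-register calculation. The following Python is an added illustration, not Ceylinco Life’s own tool or data: the page does not reproduce the Risk Impact Table, so the five-point likelihood and consequence scales and the score bands in impact_level are assumptions, the treatment guidelines are those stated above, and the three risk events are constructed samples.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Five-point scales for the first two assessment steps. The page does not
# reproduce the organisation's Risk Impact Table, so these scales and the
# score bands in impact_level() are assumptions for illustration only.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Impact levels in ascending order of severity (same five levels as the
# treatment table on the page, which lists them most severe first).
IMPACT_LEVELS = ["Low", "Medium", "High", "Very High", "Extreme"]

# Risk treatment guidelines, condensed from the table on the page.
TREATMENT = {
    "Extreme": "Requires immediate action; potential exposure could be devastating",
    "Very High": "Requires action very soon (within 3 months)",
    "High": "Requires treatment with routine or specific procedures",
    "Medium": "Continue to monitor and re-evaluate; ideally treat with routine procedures",
    "Low": "Continue to monitor and re-evaluate",
}


def impact_level(likelihood: str, consequence: str) -> str:
    """Step 3: combine likelihood and consequence into one impact level.

    Assumed banding of the product score (1..25); a real Risk Impact Table
    would replace this with the organisation's own matrix.
    """
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 20:
        return "Extreme"
    if score >= 12:
        return "Very High"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class RiskEvent:
    name: str
    source: str  # risk category the event originates from, e.g. "ICT"
    # Footprint: impact dimension -> (likelihood, consequence), one entry per
    # risk category the event touches (financial, reputational, regulatory ...).
    footprint: Dict[str, Tuple[str, str]]


def overall_impact(event: RiskEvent) -> Tuple[str, str]:
    """Worst impact across the event's footprint, with its treatment guideline."""
    per_category = {
        dim: impact_level(lik, cons) for dim, (lik, cons) in event.footprint.items()
    }
    worst = max(per_category.values(), key=IMPACT_LEVELS.index)
    return worst, TREATMENT[worst]


def risk_register(events: List[RiskEvent]) -> List[Tuple[str, str, str]]:
    """Register rows (name, impact level, treatment), most severe first."""
    rows = [(e.name, *overall_impact(e)) for e in events]
    return sorted(rows, key=lambda r: IMPACT_LEVELS.index(r[1]), reverse=True)


# Constructed sample risk events (not from the page), each with a footprint
# across more than one risk category.
SAMPLE_EVENTS = [
    RiskEvent("Policyholder data leakage", "ICT", {
        "financial": ("possible", "major"),         # 3*4 = 12 -> Very High
        "reputational": ("likely", "major"),        # 4*4 = 16 -> Very High
        "regulatory": ("possible", "moderate"),     # 3*3 = 9  -> High
    }),
    RiskEvent("Fictitious policies by sales staff", "Operational", {
        "financial": ("likely", "minor"),           # 4*2 = 8  -> High
        "reputational": ("unlikely", "moderate"),   # 2*3 = 6  -> Medium
    }),
    RiskEvent("Disaster recovery site fails to take over", "ICT", {
        "financial": ("unlikely", "catastrophic"),  # 2*5 = 10 -> High
        "reputational": ("unlikely", "major"),      # 2*4 = 8  -> High
    }),
]

if __name__ == "__main__":
    for name, level, treatment in risk_register(SAMPLE_EVENTS):
        print(f"{level:10s} {name}: {treatment}")
```

Because the register is sorted by the worst-of-footprint level, the data leakage event (Very High on its financial and reputational dimensions) is listed ahead of the two High events even though its regulatory dimension alone would only rate High; that is exactly the effect of taking the worst impact across categories rather than an average.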

Summary of Risk Categories

Risk Category | Strategy and Control
Strategic (E.g. Strategic Plan execution, External opportunity, External threat)  
  • Tracking the effective and efficient development, execution and management of the strategies
  • Carrying out performance evaluation process twice a year
  • Environmental scanning, market research results, other strategic models are considered for decision-making
Insurance and Demographic (E.g. Changes in Mortality and Morbidity, Changes in Policyholder Behaviour, Reinsurance basis risk, Deviation in Experience)  
  • Determination and application of best estimation and assumptions and monitoring of changes of them
  • Life fund valuation assigned to Towers Watson and defined benefit plan valuation to Messrs K A Pandit
  • Use Algo Financial Modeler for actuarial analysis
  • Review underwriting limits periodically
  • Monitor non-disclosures, anti-selections, fraudulent claims, high lapse ratios, free look cancellation, changes in types of claims etc.
  • Staff rotation and training
  • Obtain professional advice and service on pricing, reinsurance, etc. (Towers Watson/Munich-re, Milliman actuarial consultants)
  • Achieved 100% level of Tele-Underwriting Process
Regulatory (E.g. Regulatory compliance)  
  • Regular monitoring of compliance activities and risks arising from rules and regulations and report to the Compliance Officer
  • Incorporated comprehensive checklist into the monthly reporting mechanism
  • Regular consultation with in-house legal officers and updating process is established
Operational (E.g. Policyholder services, Internal fraud by sales force and operations staff, Fictitious policies, Circumventing Company policies and authorised limits, Business Continuity Planning)  
  • Monitor and compare with the set benchmarks
  • Take every reasonable effort to minimise the number and impact of poor policy service incidents
  • Conducting regular branch visits and branch audits
  • Job rotation and authorisation limits within the approval cycles
  • Close supervision and appoint custodians for processes and assets
  • Perform business intelligence practices
  • Use of Tele-Underwriting Process
  • Perform internal audits and technical audits
  • Maintaining a fidelity guarantee insurance coverage
Financial (E.g. Liquidity Risk, Credit Risk, Market Risk, Investment Concentration Risk)  
  • Investments are reviewed on a weekly basis for decision-making by the CEO and four other Directors
  • Ongoing counterparties evaluation (default rating and limits)
  • Maintain comprehensive checklist in order to make sure that all investments are made according to the guidelines issued by the regulators
  • Continuous interest and inflation monitoring process against the yield/real rate
  • Adopt systematic reinvestment system providing higher yield.
  • Maintain overdraft facilities and Repo investments to strengthen the liquidity ratio (for emergency liquidity issues)
  • Perform independent audits by Internal Audit Division on a monthly basis
  • Maintain a custodian agreement with Deutsche Bank for custodian services
ICT (E.g. Data Leakage/Altering, Virus Attack, Infrastructure Vulnerability)  
  • Continuous scanning of the IT control environment and strengthening of security activities and measures as required
  • Performing IT infrastructure assessments periodically and taking the necessary actions
  • Conduct training and awareness programmes for risk related issues
  • Periodical reviews of agreements, policies and practices
  • Vendor reviews and assessments
  • Disaster recovery site has been established to ensure the Business Continuity in case of an emergency
  • Conduct regular audit reviews (IT audits and internal audits)