Having received approval from IBSL, the new company, 'Ceylinco Life Insurance Limited', unanchored and launched its new journey from 1 June 2015 with its new Board.
With the opening of a new chapter under the new company, Ceylinco Life Insurance Limited, a new Board Risk Committee has been appointed in order to strengthen the management process. It has started to engage with the risk management process in an advisory and monitoring capacity.
Risk management is a key component of Ceylinco Life’s management process. Since life insurance companies are sensitive to fluctuations in macro- and micro-environmental factors, it is important to identify and manage the risks caused by these various factors. Effective risk taking and risk management are critical to the overall profitability, competitive market positioning and long-term financial viability of the Company. Risks may not necessarily be eliminated, but need to be appropriately managed to achieve the Company’s overall corporate objectives.
The Risk Management Framework (RMF) of Ceylinco Life helps to ensure that risk is managed across the organisation in an effective manner. The Board of Directors is ultimately responsible for the Company’s governance principles and policies and oversight of the RMF. Following the segregation, a Board Risk Committee was established to assist the Board in overseeing the company-wide risk management practices. A comprehensive RMF has been developed, which has been reviewed and approved by the Board Risk Committee and the Board of Directors respectively.
The current Risk Management Governing Structure is shown below:
Line management and staff are responsible for day-to-day risk management and decision-making and have primary responsibility for establishing and maintaining an effective control environment with the support and the co-ordination of their respective Sub-committees (first line of defence).
The Executive Risk Management Committee, with the CRO and Sub-committee heads, is responsible for developing, facilitating and monitoring the risk control framework and strategy effectively (second line of defence).
The Board of Directors, with the assistance of the Board Risk Committee, is responsible for review, approval and oversight of the Company-wide RMF and the risk management policies adopted by the Company. The Board and its Risk Committee will develop and approve the Company’s statement of risk appetite and tolerance and set the tone and culture of the Company vis-à-vis risk. The Board, through the CRO and the Executive Risk Committee, will oversee and monitor the effective functioning of the RMF of the Company. The Board will regularly monitor risk management capabilities within the Company, including communication about escalating risk and crisis preparedness and recovery plans. The Board will also oversee the division of risk-related responsibilities to each Board Committee as clearly as possible and perform a gap analysis to determine that the oversight of any risks is not missed.
The comprehensive RMF developed for Ceylinco Life is based on the International Standard – ISO 31000:2009(E) Risk management – Principles and Guidelines. It addresses, in detail, the risk appetite and tolerance, identification and assessment of material risks, the risk response strategy including internal process and controls, risk reporting and risk maps, maintaining a risk register, monitoring and audit and an ongoing and regular review and update.
Once material risks are identified, each risk event is assessed in terms of its potential impact on the organisation. Assessing the impact of a risk event is split into three steps.
The consequences and impact of a risk event may have a number of dimensions, such as a financial impact, a reputational impact, and so on. That is, a risk event may have a ‘footprint’ across more than one risk category. Where this is the case, the overall impact is taken as the worst of the impacts over the risk categories.
Since the impact depends on the assessed likelihood and consequences, these are discussed first, and the overall assessment of impact is then recorded in a table known as the ‘Risk Impact Table’, as depicted below:
The levels of risk event impact are as follows:
| Risk Level | Risk Treatment Guidelines |
|---|---|
| Extreme | Requires immediate action as the potential risk exposure could be devastating to the organisation |
| Very High | Requires action very soon (within 3 months), as it has the potential to be damaging to the organisation |
| High | Requires treatment with routine or specific procedures |
| Medium | Continue to monitor and re-evaluate the risk, ideally treat with routine procedures |
| Low | Continue to monitor and re-evaluate the risk |

| Risk Category | Strategy and Control |
|---|---|
| Strategic (E.g. Strategic Plan execution, External opportunity, External threat) | |
| Insurance and Demographic (E.g. Changes in Mortality and Morbidity, Changes in Policyholder Behaviour, Reinsurance basis risk, Deviation in Experience) | |
| Regulatory (E.g. Regulatory compliance) | |
| Operational (E.g. Policyholder services, Internal fraud by sales force and Operations staff, of which fictitious policies and circumventing Company policies and authorised limits are a few, Business Continuity Planning) | |
| Financial (E.g. Liquidity Risk, Credit Risk, Market Risk, Investment Concentration Risk) | |
| ICT (E.g. Data Leakage/Altering, Virus Attack, Infrastructure Vulnerability) | |