Ceylinco Life Insurance Limited
INTEGRATED ANNUAL REPORT 2016

STEWARDSHIP

Risk Management

Overview

For Ceylinco Life, risk management is a pivotal process. Ceylinco Life’s business strategy involves decisions aimed at maximising returns, while minimising risks associated with such decisions. Ignorance or mismanagement of risk will result in loss of funds of both policyholders and shareholders and loss of reputation, apart from other undesirable consequences. Risk management, therefore, is an integral part of corporate management at Ceylinco Life and the Company recognises the importance of proactive risk management.

Objectives of Risk Management

The key objectives of risk management for Ceylinco Life are:

  • Inculcation of a risk culture where everyone, at all levels of the organisation, is actively involved in the risk management process
  • Alignment of corporate strategy with associated risks to supplement decision-making from a risk perspective
  • Establishing a comprehensive Risk Management Framework which defines ownership and accountability for risk management at all levels of the Company
  • Ensuring the continued capability of the Company to add to the triple bottom line – profits, people and planet
  • Management of risks within the risk appetite of the Company to provide reasonable assurance on achievement of the Company’s objectives

Risk Management Governance Structure

The Risk Management Governance Structure at Ceylinco Life spans across all levels of the Company.

The line management and staff are responsible for day-to-day risk management and are represented at the Sub-Committee level. The six Sub-Committees, namely the Operations Risk Committee, Financial Risk Committee, Insurance and Demographic Risk Committee, ICT Risk Committee, Business Risk Committee and Regulatory Risk Committee, each meet monthly and ensure timely identification of risks, initiation of controls and reporting to higher level management and the Chief Risk Officer.

The Executive Risk Management Committee, headed by the Chief Risk Officer, meets every two months and is responsible for developing, facilitating and monitoring the control framework and execution of proper risk management strategies.

The Board, with the assistance of the Board Risk Committee, bears the overall oversight responsibility for risk management of the Company. The Board, through the Board Risk Committee, reviews the Company’s portfolio of risk and considers it against the risk appetite.

This Risk Management Governance Structure is based on ISO 31000:2009(E) Risk Management – Principles and Guidelines.


Three Lines of Defense Model for Risk Management

The Risk Management Governance Structure of Ceylinco Life incorporates the Three Lines of Defense Model, which identifies, defines and segregates duties and responsibilities in relation to risk management at Ceylinco Life. This model brings all the key functions into the Risk Management Governance Structure and provides simple but comprehensive clarity on roles and responsibilities in managing risks.

First Line of Defense

The first line of defense includes the departments and island-wide branches, represented in the Sub-Committees. They have the ownership, responsibility and accountability for directly assessing, controlling and mitigating risks. Operational management identifies, assesses, controls and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Middle level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their subordinates. They are also responsible for implementing corrective actions to address process and control deficiencies. The aim is to ensure that risks are managed effectively as close as possible to their sources. Key responsibilities of the first line of defense include:

  • Proactive risk identification, assessment, control and monitoring
  • Collaborative communication to promote a strong risk culture and risk awareness
  • Whistle-blowing to alert others about potential risks
  • Compliance with operational policies and procedures

Second Line of Defense

The second line of defense represents the centralised oversight of the risk management function by the Executive Risk Committee, which builds on and monitors the first line of defense. This line also implements standards, frameworks and policies for each type of risk that the Company is exposed to. The second line of defense is entrusted with responsibility for centralised oversight of risk management including:

  • Implementation of the Risk Management Governance Structure
  • Review and reporting of risks of the departments, branches, products, processes, systems to the Board Risk Committee, as required
  • Identification and assessment of risks and monitoring risks against the Board approved risk appetite
  • Recommending appropriate action to mitigate risks, if any, that have exceeded the tolerance levels

Third Line of Defense

The third line of defense represents the internal audit function. The internal audit function provides the Board of Directors with objective assurance on the effectiveness of risk management at the Company. Assurance is provided through:

  • Monitoring compliance with the Risk Management Governance Structure of the Company
  • Assessment of the effectiveness of the risk management tools and techniques adopted by the Company

The Board, via the Board Risk Committee, will review the Management’s assessment of compliance with the Company’s risk management policies and practices and continually monitor risks and risk management capabilities within the organisation, obtaining reasonable assurance from the Executive Risk Committee that all known and emerging risks have been identified and appropriately mitigated or managed.

Risk Management Committees


Operations Risk Committee
  Priorities: Oversees operational risks related to internal processes and people
  Composition: Senior DGM – Operations, Senior DGM – Marketing, Senior AGM – ICT, Senior Manager – Administration, Senior Manager – Finance, Senior Manager – HR
  Update for 2016:
    • Set up a health and safety audit
    • Reviewed the action plan of the health and safety programme
    • Reduced risks associated with payments through automation of processes
    • Reduced and maintained data entry errors below 6%

Business Risk Committee
  Priorities: Oversees strategic business risks and reputational risks
  Composition: Senior DGM – Marketing, AGM – Customer Relations, AGM – Agency Administration, Senior Manager – Customer Services, Senior Manager – Group Insurance
  Update for 2016:
    • Launched Family Takaful Education plan to improve market share
    • Independent verification about consumer perception through Brand Health Study
    • Ensured positive publicity about the new corporate brand
    • Conducted consumer engagement programmes such as Family Savari, Pranama Scholarships
    • Mass media awareness campaigns to educate the public about the need for life insurance protection and retirement planning

Financial Risk Committee
  Priorities: Oversees risks connected with Ceylinco Life’s financial position, in particular liquidity, capital and investments
  Composition: Senior Manager – Portfolio, DGM – Actuarial, Senior Manager – Finance
  Update for 2016:
    • Shifted to systematic monthly/quarterly risk reviews documented in CAMMS
    • Addressed compliance risk by segregating investments into par and non-par funds

Insurance and Demographic Risk Committee
  Priorities: Oversees risks emerging from technical, underwriting, claims and actuarial aspects of the life insurance business
  Composition: DGM – Technical, DGM – Actuarial
  Update for 2016:
    • Identified accumulation of risk exposure for individual life and treated it with adequate reinsurance arrangements
    • Reviewed the risk and emerging patterns of chronic kidney disease

Regulatory Risk Committee
  Priorities: Oversees risks emerging from regulatory requirements and compliance
  Composition: Senior Manager – Legal, Senior DGM – Operations, AGM – Agency Administration, Senior Manager – Finance, Senior Manager – HR, Company Secretary
  Update for 2016:
    • Monitored the status of compliance with all compliance requirements
    • Reviewed amendments to Value Added Tax and Income Tax

ICT Risk Committee
  Priorities: Oversees broader risks emerging in systems and ICT infrastructure
  Composition: Senior AGM – ICT, AGM – ICT, Senior Manager – IT Operations, Senior Manager – Systems
  Update for 2016:
    • Mitigated the vulnerability of the web server
    • Identified and controlled infrastructure vulnerability
    • Controlled and mitigated vulnerabilities in cyber security

Executive Risk Committee
  Priorities: Implements the risk management framework through six Sub-Committees
  Composition: Chief Risk Officer, Heads of six Sub-Committees, Senior Manager – Internal Audit, Senior Manager – IS Audit
  Update for 2016:
    • Reviewed risks identified by the Sub-Committees
    • Presented key risks to the Board Risk Committee
    • Reviewed and updated the Business Continuity Plan of the Company

Board Risk Committee
  Priorities: Oversees and approves the Company-wide risk management practices to assist the Board in discharging risk management-related responsibilities
  Composition: Three Independent Directors, Chief Risk Officer
  Update for 2016:
    • Met four times during 2016 to discuss key risks identified by the Executive Risk Committee and Sub-Committees
    • Forwarded to the Board a Report on risk management during 2016
    • Obtained reasonable assurance from management that all known and emerging risks have been identified and managed

Risk Management Process


The risk management process of Ceylinco Life is continuous and sequential, as depicted in the diagram.

We strongly believe that an ongoing commitment to risk management is necessary in the modern business context and also recognise the importance of improving the risk management process, while ensuring smooth flow of the activities within the process.

Risk Identification


Ceylinco Life continuously scans its internal and external environment to ensure that risks are identified in time. Responsibility for operational risk identification primarily rests with the line management and staff, whereas wider strategic risks are identified at the Sub-Committee and Executive Committee levels.

Identification of risks takes place in the wider risk landscape of Ceylinco Life. The risk landscape includes business risk, financial risk, regulatory risk, insurance and demographic risk, ICT risk and operations risk.

Risk Recording, Assessment and Rating

In 2016, Ceylinco Life implemented CAMMS Integrated Risk Manager, an integrated software solution for identifying, profiling, recording, assessing and monitoring risks.

Once a risk has been sufficiently identified, it is recorded in a risk register in CAMMS Risk Manager.

CAMMS risk registers facilitate recording risks in appropriate risk categories assigned to the Sub-Committees. Recording an identified risk in the appropriate risk category is important for assigning specific responsibility for the management of that risk. CAMMS assigns each identified risk to a primary risk owner, who bears the overall responsibility for effective management of the risk.

Each identified risk is assessed in terms of the potential impact it has on the Company. Risk assessment usually involves three steps:

  • Assessment of the likelihood/frequency of the risk occurring
  • Assessment of the consequence of the risk, in the event the risk materialises
  • Assigning an overall rating to the risk, ranging from ‘insignificant’ to ‘catastrophic’, that reflects both the likelihood and the consequence

The overall rating is reflected in a ‘risk impact table’, as shown below:


Risk Response

Considering the overall rating of the risk, the most appropriate response is taken by the risk owner. The response could be ‘avoidance’, ‘acceptance’, ‘mitigation’ or ‘transfer’ of the risk.

Risk mitigation involves design, implementation, maintenance, strengthening and monitoring of controls to reduce the inherent rating of the risk to an acceptable lower residual rating.

CAMMS allows easy identification and recording of risk mitigating controls and assignment of responsibility for the controls.

  Risk Level   Risk Treatment
  Extreme      Requires immediate action as the potential risk exposure could be devastating to the Company
  Very High    Requires action very soon (within 3 months), as the risk has the potential to be damaging to the Company
  High         Requires treatment with routine or specific procedures
  Medium       Continue to monitor and re-evaluate the risk, ideally with routine procedures
  Low          Continue to monitor and re-evaluate the risk

Risk Mitigating Strategies in place, by Risk Category

Business Risk
  Threat to market share
    • Innovative marketing campaigns
    • New products offering higher value to customers than competing products
  Consumer Behaviour Risk
    • Independent verification about consumer perception through Brand Health Study
    • Market behaviour analysis through market research, desk research, call centre and sales force

ICT Risk
  Virus attack, Infrastructure vulnerability, Cyber security
    • Continuous scanning of the IT control environment and strengthening of security activities and measures as required
    • Advanced firewall filters on data being transmitted
    • Regular virus definition updates
    • Access controls on external devices
    • Regular health checks on the servers
    • Penetration testing and vulnerability assessment
    • Maintenance of a disaster recovery site
    • Regular information system audit reviews

Regulatory Risk
  Compliance Risk
    • Regular monitoring of compliance activities and risks arising from rules and regulations, and reporting to the Compliance Officer
    • Regular consultation with in-house legal officers
    • Compliance audits by the Internal Audit

Financial Risk
  Liquidity Risk
    • Ensure interim cash flows and maturity proceeds are notified and collected on time without delay
    • Ensure investments are assessed and made only in sufficiently liquid assets, unless such an increased level of liquidity risk is properly compensated by its expected return
    • Monitor and review the current and future cash flows to assess the exposure to liquidity risk
    • Monitor the current and expected money market liquidity position to ensure that sufficient liquidity or credit lines are available to meet expected funding/lending requirements
    • Verify all the transactions entered/agreed against confirmations to ensure that all the settlements are accounted and funded and to avoid any unexpected cash flows
  Credit Risk
    • Ensure that all maturity and interim cash flow proceeds are collected duly, on time and without any delay
    • Ensure that outright, repurchase and reverse repurchase transactions are entered only with Investment Committee approved counterparties
    • Ensure that proper Investment Committee approval is obtained for all investment transactions
    • Monitor the current exposure to credit risk and compliance with relevant IBSL limits, determinations and guidelines
  Interest Rate Risk
    • Monitor and evaluate the impact of the interest rate risk charge on the Capital Adequacy Ratio (CAR)
    • Monitor maturities and interim cash flows falling due during the next month and make suitable arrangements for reinvestments or recalling
    • Monitor the exposure and the impact of the proprietary trading portfolio to short term interest rate movements and trends
    • Oversee the overall strategy to manage the interest rate risk and revisit, change or fine-tune the strategy as required
    • Continuous monitoring of the asset and liability position, including the duration, convexity and sensitivity of the same to market interest rate changes
    • Periodic monitoring of the Central Bank’s monetary policy, Government fiscal policy and key economic variables
  Equity Price Risk
    • Monitor the daily movements in the equity portfolio
    • Monitor the SEC/CSE circulars and directives, listed company announcements, corporate actions and other news, which could have an impact on the equity portfolio
    • Periodic monitoring of the Central Bank’s monetary policy, Government fiscal policy, movements in the ASPI and S&P SL 20 and key economic variables that affect current and expected equity prices
  Investment Concentration Risk
    • Anticipate, identify, quantify and analyse the impact on current and expected levels of investment concentration
    • Ensure that proper limit verifications are documented and available on all investment transactions
    • Monitor the current exposure to approved counterparties individually as well as on a related group basis and ensure compliance with determinations, directions and guidelines issued by the IBSL
    • Monitor the relevant additions/updates and amendments to determinations, directions and guidelines issued by the IBSL
  Reinvestment Risk
    • Monitor maturities and interim cash flows which fall due during the next month and make suitable arrangements for reinvestments or recalling
    • Monitor the maturity structure and identify opportunities to optimise the income and manage risk by rebalancing
    • Invest in zero coupon or lower coupon instruments, which would eliminate or reduce the reinvestment risk
    • Table the upcoming reinvestments and the effected reinvestments at the Weekly Investment Committee meeting for decisions/approval
  Inflation Risk
    • Analyse and make recommendations to manage the duration of the investment portfolio to ensure that the inflation-adjusted real return is earned and optimised
    • Ensure that the interim cash flows received on inflation linked investments are in line with the agreed inflation benchmarks
    • Monitor the movement of the Central Bank’s monetary policy, Government fiscal policy, international commodity price movements and future inflation expectations to identify the future trends in inflation

Insurance and Demographic Risk
  Changes in mortality and morbidity, Changes in policyholder behaviour, Reinsurance basis risk, Deviation in experience
    • Determination and application of best estimates and assumptions and monitoring of deviations
    • Independent sign off on statutory valuation of the Life Fund by Messrs Towers Watson and of defined employee benefit plans by Messrs K A Pandit
    • Use of Algo Financial Modeler for actuarial analysis
    • Review of underwriting limits periodically
    • Continually monitor non-disclosures, anti-selections, fraudulent claims, high lapse ratios, free look cancellations, changes in types of claims etc.
    • Obtain professional advice and service on pricing, reinsurance, etc. (Towers Watson/Munich Re, Milliman Actuarial Consultants)

Operations Risk
  People Risk, Policyholder Services Risk
    • Proper internal, external and foreign training for staff, leadership development programmes, above industry employee benefits (refer to Employee Capital section)
    • Employee health and safety committees
    • Conducting surprise branch audits
    • Performing internal audits and technical audits
    • High service quality standards and customer relations management

Risk Reporting

Ceylinco Life acknowledges the importance of engaging all employees in the risk management process. The Company uses a bottom-up structure for risk reporting, where individuals can report a risk to their immediate supervisor. The branch staff are also engaged in this reporting structure with the ability to report to the Operations Sub-Committee Head through Branch Accountants. The Sub-Committee Heads report to the Executive Committee and to the Chief Risk Officer, who heads the Executive Risk Committee.

CAMMS can be used to generate periodic risk reports for management, including the Chief Risk Officer.

The Board Risk Committee is presented with the key activities and developments in the Risk Management Framework of the Company at the quarterly meetings. The Board Risk Committee considers the Company’s major risk exposures and reviews the steps taken by the management to monitor and respond to such exposures.

Monitoring and Control

Ceylinco Life monitors each risk regularly to ensure that the mitigating actions are carried out adequately and reviewed for improvements. The controls and mitigation plans are periodically verified through internal audits and systems audits. CAMMS facilitates periodic reviews of risks and their corresponding mitigating controls. It alerts the respective risk owners automatically when a risk review or a risk control review becomes due. Risks are continually reviewed in the context of developments in internal and external environments.