Prioritizing Risk Management
Thailand's insurance regulatory body, the Office of Insurance Commission (the OIC), is tightening regulations in a bid to further strengthen and stabilize the industry. The new enterprise risk management notifications (Notifications on Rules, Procedures, and Conditions for Prescribing the Minimum Requirements of Risk Management for Insurance Companies, B.E. 2560 (2017), or the ERM Notifications) prioritize risk management by providing clear guidelines for insurance companies to comply with, and call for insurance operators to foster a culture of awareness among employees of the significance of the practice.
The new ERM Notifications will soon replace the existing notifications of the same name. The ERM Notifications were approved by the OIC, announced in the Royal Gazette on 1 September 2017, and will come into force on 28 February 2018.
These new ERM Notifications introduce many requirements to reflect the new concept of enterprise risk management, which requires all functions of an insurance company to take risk management schemes into account and regard them as a priority. The key requirements of the ERM Notifications are summarized below.
1. Risk management framework
Insurance companies are required to prepare a written risk management framework as approved by the board of directors. The framework must be submitted to the OIC within 30 days from the ERM Notifications’ effective date.
2. Risk management culture
Insurance companies must focus on building a risk management culture within the organization and carry out their business in a way that makes risk management part of every employee's actions. At a bare minimum:
a. the direction, policy and guidelines for carrying out risk management should be determined, and their objectives and benefits should be conveyed to employees;
b. training should be provided to employees to inform them of any potential risk and its impact; and
c. risk management should be applied to the business decision-making process, business oversight, and internal control.
3. Duties of the directors
The directors of insurance companies are required to ensure that all requirements under the ERM Notifications are complied with. It is their duty to:
a. consider and approve the risk management framework and policy and the three-year business operation plan;
b. determine the business strategy in accordance with the risk management framework and policy; and
c. oversee the company's business operation by: (i) managing the company's risk management level; (ii) preparing a risk management summary report, as considered by the risk management committee and approved by the board of directors, at least once per quarter; (iii) revisiting the risk management framework and policy at least once a year, or each time a significant event occurs that may substantially affect the company's financial stability; and (iv) supporting the operation of the risk management committee.
4. Risk management committee
4.1 A risk management committee is required to be established, consisting of at least five members, with the primary goal of supervising risk management operations, including proposing a risk management policy for the board of directors’ approval and assessing the efficiency of the company’s risk management enforcement schemes. The committee must hold a meeting each quarter to review risk management performance, and submit a report to the board of directors.
4.2 Branches of foreign insurance companies may provide evidence to the satisfaction of the OIC that the foreign insurance companies already have a risk management committee in place, which may oversee the branch's compliance with the ERM Notifications.
4.3 The following items shall also be fulfilled:
a. submit the minutes of the shareholders meeting or the board of directors meeting resolving to appoint the risk management committee to the OIC within 30 days; and
b. submit the risk management committee charter within 30 days from the appointment date of the risk management committee or from any substantial amendment to this charter.
For companies which already have a risk management committee, the foregoing documents shall be submitted to the OIC within 30 days from the effective date of the ERM Notifications.
4.4 If a risk management committee member resigns or is replaced, it must be reported to the OIC within 30 days from the effective date of the resignation or replacement.
5. Risk management unit
5.1 A risk management unit is required to be established. Its main missions are to support the board of directors and the committee in any activities with respect to risk management, and facilitate the determination and management of potential risks. The risk management unit must submit reports on risk status and risk management measures to the risk management committee at least once a quarter.
5.2 The head of the risk management unit is required to be appointed, and the appointment must be reported to the OIC within 30 days from the appointment date. The head of the risk management unit is required to report the risk status and risk management conduct to the executives and the risk management committee at least once per quarter. This report must include any failure to comply with the risk management framework or policy, any breach of risk limits, and incident reports on events that substantially affect the company's business operation.
6. Risk management process
6.1 Insurance companies are required to prepare a risk registration in table format, listing the risks encountered by the company together with their causes, effects, and handling measures. This shall be revisited on an annual basis, or whenever there are substantial changes to the cause of a risk. The risk registration shall include, at a bare minimum, the details, cause, type, risk owner, risk index, risk management measures, and risk management surveillance for each risk. The risks shall be listed as the top 10 risks according to the company's three-year business operational plan.
6.2 Insurance companies are also required to have a risk management reporting system in place as follows:
a. a summary report for the risk status and risk management conduct, as considered by the risk management committee and approved by the board of directors at least once per quarter;
b. a summary report of the annual audit results, as proposed to the risk management committee and the board of directors for consideration at least once per year;
c. a risk management report as presented to the board of directors once per year; and
d. a report on significant events that may substantially affect the company's financial stability.
The foregoing reports shall be made available for OIC inspection at all times.
7. Stress test
If the OIC identifies potential events that could affect the existence of an insurance company, the insurance industry, or the stability of a financial entity in a way that may significantly affect an insurance company, the OIC may order all or some insurance companies to conduct a stress test to assess the impact of those potential events.
8. Other obligations
In addition to the above, the ERM Notifications also obligate insurance companies to set up a reliable information technology system to support their risk management schemes. The system must provide secure storage for data and be able to perform data recovery when needed.
Insurance companies are urged to familiarize themselves with the new regulatory changes to ensure compliance in order to help safeguard their business from various unforeseen disruptive threats. When the new ERM Notifications come into effect on 28 February 2018, we will continue to closely monitor the impact the regulations have on the insurance industry as a whole.