Title: Legislative Compliance Management, Insurance Industry Workshop, 1-2 November 2005, Bangkok, Thailand
1 Legislative Compliance Management
Insurance Industry Workshop
1-2 November 2005, Bangkok, Thailand
Kim Norris, Managing Director, International Advisory Group
www.osfi-bsif.gc.ca
2 Legislative Compliance Management
- Discussion Points
- Legislative Compliance Management
- Overview
- Supervisory Framework
- Key Compliance Management Controls
- Role of the Board
- Role of Senior Management
- Role of Compliance Oversight Functions
- Role of Internal Audit/Independent Review Functions
3 Legislative Compliance Management
- Regulatory Guideline
- conveys expectations regarding controls through which insurance companies manage regulatory risk inherent in their activities worldwide
4 Legislative Compliance Management
- Regulatory Risk
- consolidated
- risk of non-compliance with applicable regulatory requirements
- governing legislation
- regulations/regulatory directives
- other legislation, regs/regulatory directives worldwide
5 Legislative Compliance Management
- Definition
- the set of key controls through which an insurance company manages regulatory risk
- Essential to an insurance company's well-being
- provides a means by which the company satisfies itself that it is in compliance with all governing legislation
6 Legislative Compliance Management
- Regulator's expectations
- insurance companies will establish/maintain an enterprise-wide framework of regulatory risk management controls
- controls must include oversight by functions (groups/individuals) independent of the activities they oversee
- Not "one size fits all": regulatory risk management approaches should consider size, complexity, geographical location(s), structure and ownership
7 Legislative Compliance Management
- Key Component of Risk-Based Supervision
- focus on significant activities
- assessment of the level of risk, including regulatory risk
- considers impact of risk mitigation by evaluating quality of risk management
- well-managed companies relative to their risks will require less supervision
8 Legislative Compliance Management
- Key Component of Risk-Based Supervision (cont'd)
- two levels of risk management
- day-to-day controls
- operational management
- includes policies, procedures, processes, appropriate staffing
- independent oversight
- risk management control functions
- Board
- Senior management
- Internal audit
- Risk management
- Compliance
- Financial analysis
9 Legislative Compliance Management
- Control framework to mitigate regulatory risk should
- include enterprise-wide definition of regulatory risk
- outline the process through which regulatory risk is to be identified/assessed
- outline key controls through which regulatory risk is managed/mitigated
- include operational/independent oversight
10 Legislative Compliance Management
- Control framework to mitigate regulatory risk should (cont'd)
- define and clearly communicate respective oversight roles/responsibilities
- have clear lines of responsibility and control; methodology should include a mechanism for holding individuals accountable
11 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Identification, Assessment, Communication and Maintenance of Applicable Regulatory Requirements
- methodology required to identify, assess, communicate and maintain knowledge of applicable regulatory requirements
- ensure appropriate individuals have the information they need to manage regulatory risk effectively
- current/accurate
- reflect new/changing requirements and those applicable to new/changing products, activities, corporate structure
12 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Compliance Procedures
- on a day-to-day basis should be incorporated into and maintained in relevant business operations
- should include monitoring and reporting procedures
13 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Monitoring Procedures
- should regularly monitor adherence to controls established in business operations
- should evaluate effectiveness of controls and compliance management framework
- should monitor material exposures to regulatory risk
14 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Monitoring Methodology
- should include verification of key elements of info reported up through those with day-to-day compliance responsibilities to senior management and board
- should extend to significant remediation activities
15 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Reporting Procedures
- to ensure that sufficient pertinent/timely info about regulatory risk management effectiveness is communicated to senior management/board
- reports to include significant results of monitoring and findings of compliance oversight, internal audit, other independent review functions
16 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Reporting Procedures (cont'd)
- content/frequency of reports should be approved by CCO; must be sufficient to enable CCO, senior management and board to discharge compliance responsibilities
- often include regular formal/informal meetings between functions/management groups
17 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Compliance Oversight Function Reports to Board
- CCO must report material compliance issues to board on timely basis
- normal course reports: regular basis as approved by board, no less than annual
- material results of enterprise-wide compliance oversight
- material weaknesses, non-compliance, related remedial action plans, material exposures to regulatory risk
- significant legislative/regulatory developments, industry compliance issues, emerging trends and regulatory risks to assist board in decisions or strategic direction and controls
18 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Internal Audit or Other Independent Review Functions Reports to the Board
- should include
- scope/results of compliance-related reviews
- significant recommendations for correcting deficiencies
- management's undertakings with respect to remedial action
19 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Internal Audit or Other Independent Review Functions Reports to the Board (cont'd)
- should contain sufficient pertinent info for board to assess compliance framework
- provided on a rotational or other regular basis as board considers appropriate
20 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Documentation
- expectation by regulator of adequate documentation (from operational management/independent risk management) to demonstrate how regulatory risk is managed, to support flow of reports to senior management/board and to support board's periodic reassessment of the compliance framework
21 Legislative Compliance Management
- Key Legislative Compliance Management Controls
- Regular Review and Improvement
- regulator's expectation that key controls and methodology will be reviewed and updated regularly in order to address new/changing regulatory risks, products, activities and corporate structure
22 Legislative Compliance Management
- Role of Board of Directors
- Approval of legislative compliance management framework/see that it is established and maintained
- Obtain sufficient info to address material issues
- Establish thresholds for the type, content and frequency of reports
- To monitor remediation progress in respect of material problems
23 Legislative Compliance Management
- Role of Board of Directors
- To periodically reassess effectiveness of legislative compliance management framework
- Ensure framework is subject to internal audit/other independent review and validated as appropriate
- Ensure material findings/recommendations are brought to its attention and that they are acted upon
24 Legislative Compliance Management
- Role of Senior Management
- To implement the legislative compliance management framework approved by board
- To ensure appropriate policies/procedures are developed/applied effectively by qualified individuals
- To ensure all staff understand their responsibilities for complying with such policies/procedures
25 Legislative Compliance Management
- Role of Senior Management
- To ensure that significant recommendations concerning issues of non-compliance or control improvements oversight/internal audit/other independent review are acted upon in a timely fashion
26 Legislative Compliance Management
- Role of Compliance Oversight Function
- To ensure that key day-to-day legislative management controls are sufficiently robust to control compliance and, where significant issues arise, escalate them to senior management/board
- Function should be independent
27 Legislative Compliance Management
- Role of Compliance Oversight Function
- Responsibility for compliance oversight should be assigned to senior management designated (at least functionally as CCO)
- CCO should have sufficient stature/authority and mandate, resources and access to CEO/board
- Appropriate skills/knowledge of business/regulatory environments essential to CCO effectiveness
28 Legislative Compliance Management
- Role of Internal Audit/Other Independent Review Function
- To validate effectiveness of and adherence to legislative compliance management framework by risk-based testing as board deems appropriate
- Scope of work to include consideration of material regulatory risks and corresponding controls
29 Legislative Compliance Management
- Role of Internal Audit/Other Independent Review Function
- Review function should be independent, have appropriate skills and a good knowledge of business/regulatory environments
- Significant review findings/recommendations should be reported to business operations management, senior management, board
- Actions taken in response to significant recommendations should be monitored