1. Legislative Compliance Management: Insurance Industry Workshop, 1 – 2 November 2005, Bangkok, Thailand
2. Legislative Compliance Management Discussion Points
Legislative Compliance Management
Overview
Supervisory Framework
Key Compliance Management Controls
Role of the Board
Role of Senior Management
Role of Compliance Oversight Functions
Role of Internal Audit/Independent Review Functions
3. Legislative Compliance Management Regulatory Guideline
conveys expectations regarding controls through which insurance companies manage regulatory risk inherent in their activities worldwide
4. Legislative Compliance Management Regulatory Risk
consolidated
risk of non-compliance with applicable regulatory requirements
governing legislation
regulations/regulatory directives
other legislation, regs/regulatory directives worldwide
5. Legislative Compliance Management Definition
“the set of key controls through which an insurance company manages regulatory risk”
Essential to an insurance company’s well being
provides a means by which the company satisfies itself that it is in compliance with all governing legislation
6. Legislative Compliance Management Regulators’ expectations
insurance companies will establish/maintain an enterprise-wide framework of regulatory risk management controls
controls must include oversight by functions (groups/individuals) independent of the activities they oversee
Not “one size fits all” – regulatory risk management approaches should consider size, complexity, geographical location(s), structure and ownership
7. Legislative Compliance Management Key Component of Risk-Based Supervision
focus on significant activities
assessment of the level of risk, including regulatory risk
considers impact of risk mitigation by evaluating quality of risk management
well managed companies relative to their risks will require less supervision
8. Legislative Compliance Management Key Component of Risk-Based Supervision (cont’d)
two levels of risk management:
day-to-day controls
operational management
includes policies, procedures, processes, appropriate staffing
independent oversight
risk management control functions
Board
Senior management
Internal audit
Risk management
Compliance
Financial analysis
9. Legislative Compliance Management Control framework to mitigate regulatory risk should:
include enterprise-wide definition of regulatory risk
outline the process through which regulatory risk is to be identified/assessed
outline key controls through which regulatory risk is managed/mitigated
include operational/independent oversight
10. Legislative Compliance Management Control framework to mitigate regulatory risk should (cont’d):
define and clearly communicate respective oversight roles/responsibilities
have clear lines of responsibility and control; methodology should include a mechanism for holding individuals accountable
11. Legislative Compliance Management Key Legislative Compliance Management Controls
Identification, Assessment, Communication and Maintenance of Applicable Regulatory Requirements
methodology required to identify, assess, communicate and maintain knowledge of applicable regulatory requirements
ensure appropriate individuals have the information they need to manage regulatory risk effectively
current/accurate
reflect new/changing requirements and those applicable to new/changing products, activities, corporate structure
12. Legislative Compliance Management Key Legislative Compliance Management Controls
Compliance Procedures
on a day-to-day basis should be incorporated into and maintained in relevant business operations
should include monitoring and reporting procedures
13. Legislative Compliance Management Key Legislative Compliance Management Controls
Monitoring Procedures
should regularly monitor adherence to controls established in business operations
should evaluate effectiveness of controls and compliance management framework
should monitor material exposures to regulatory risk
14. Legislative Compliance Management Key Legislative Compliance Management Controls
Monitoring Methodology
should include verification of key elements of info reported up through those with day-to-day compliance responsibilities to senior management and board
should extend to significant remediation activities
15. Legislative Compliance Management Key Legislative Compliance Management Controls
Reporting Procedures
to ensure that sufficient pertinent/timely info about regulatory risk management effectiveness is communicated to senior management/board
reports to include significant results of monitoring and findings of compliance oversight, internal audit, other independent review functions
16. Legislative Compliance Management Key Legislative Compliance Management Controls
Reporting Procedures (cont’d)
content/frequency of reports should be approved by CCO – must be sufficient to enable CCO, senior management and board to discharge compliance responsibilities
often include regular formal/informal meetings between functions/management groups
17. Legislative Compliance Management Key Legislative Compliance Management Controls
Compliance Oversight Function Reports to Board
CCO must report material compliance issues to board on timely basis
normal course reports – regular basis as approved by board – no less than annual
material results of enterprise wide compliance oversight
material weaknesses, non-compliance, related remedial action plans, material exposures to regulatory risk
significant legislative/regulatory developments, industry compliance issues, emerging trends and regulatory risks – to assist board in decisions or strategic direction and controls
18. Legislative Compliance Management Key Legislative Compliance Management Controls
Internal Audit or Other Independent Review Functions Reports to the Board
should include:
scope/results of compliance related reviews
significant recommendations for correcting deficiencies
management’s undertakings with respect to remedial action
19. Legislative Compliance Management Key Legislative Compliance Management Controls
Internal Audit or Other Independent Review Functions Reports to the Board (cont’d)
should contain sufficient pertinent info for board to assess compliance framework
provided on a rotational or other regular basis as board considers appropriate
20. Legislative Compliance Management Key Legislative Compliance Management Controls
Documentation
expectation by regulator of adequate documentation (from operational management/independent risk management) to demonstrate how regulatory risk is managed to support flow of reports to senior management/board and to support board’s periodic reassessment of the compliance framework
21. Legislative Compliance Management Key Legislative Compliance Management Controls
Regular Review and Improvement
regulator’s expectation that key controls and methodology will be reviewed and updated regularly in order to address new/changing regulatory risks, products, activities and corporate structure
22. Legislative Compliance Management Role of Board of Directors
Approval of legislative compliance management framework/see that it is established and maintained
Obtain sufficient info to address material issues
Establish thresholds for the type, content and frequency of reports
To monitor remediation progress in respect of material problems
23. Legislative Compliance Management Role of Board of Directors
To periodically reassess effectiveness of legislative compliance management framework
Ensure framework is subject to internal audit/other independent review and validated as appropriate
Ensure material findings/recommendations are brought to its attention and that they are acted upon
24. Legislative Compliance Management Role of Senior Management
To implement the legislative compliance management framework approved by board
To ensure appropriate policies/procedures are developed/applied effectively by qualified individuals
To ensure all staff understand their responsibilities for complying with such policies/procedures
25. Legislative Compliance Management Role of Senior Management
To ensure that significant recommendations concerning issues of non-compliance or control improvements from oversight/internal audit/other independent review are acted upon in a timely fashion
26. Legislative Compliance Management Role of Compliance Oversight Function
To ensure that key day-to-day legislative management controls are sufficiently robust to control compliance and, where significant issues arise, escalate them to senior management/board
Function should be independent
27. Legislative Compliance Management Role of Compliance Oversight Function
Responsibility for compliance oversight should be assigned to senior management – designated (at least functionally) as CCO
CCO should have sufficient stature/authority and mandate, resources and access to CEO/board
Appropriate skills/knowledge of business/regulatory environments essential to CCO effectiveness
28. Legislative Compliance Management Role of Internal Audit & Other Independent Review Function
To validate effectiveness of and adherence to legislative compliance management framework by risk-based testing as board deems appropriate
Scope of work to include consideration of material regulatory risks and corresponding controls
29. Legislative Compliance Management Role of Internal Audit & Other Independent Review Function
Review function should be independent, have appropriate skills and a good knowledge of business/regulatory environments
Significant review findings/recommendations should be reported to business operations management, senior management, board
Actions taken in response to significant recommendations should be monitored
30. Thank-you