1. An Insurer should have appropriate control mechanisms in place to ensure that the policies and procedures established for risk management are adhered to at all times.
2. Control mechanisms would normally include:
a. clearly defined management responsibilities;
b. adequate segregation of duties;
c. a risk committee or audit function to establish and maintain the control processes;
d. a system of approvals, limits, authorisations and reporting lines;
e. policies to document the Insurer's procedural controls;
f. activity controls for each division or department;
g. verifications of activities such as underwriting, pricing and claims management, and reconciliations of relevant data;
h. reviews by the Governing Body, senior management and internal audit; and
i. physical controls.
3. The directors should monitor the overall effectiveness of the Insurer's risk management systems. Depending on the size and complexity of operations of an Insurer, risk management systems may be monitored on an ongoing or periodic basis. At a minimum there should be periodic internal audits with results being reported directly to the Governing Body and senior management.
4. Where deficiencies are identified as part of the monitoring process or internal audit, these should be reported in a timely manner to the responsible member of management or the appropriate management body and addressed. Material deficiencies should be reported to the Governing Body and senior management. A material deficiency can result not only from a single deficiency, but also from a number of small deficiencies that, when considered together, amount to a material deficiency.