SYSC 14
Risk management and associated systems and controls for insurers
SYSC 14.1
Application
- 31/12/2006
SYSC 14.1.1
See Notes
This section applies to an insurer unless it is:
- (1) a non-directive friendly society; or
- (2) an incoming EEA firm; or
- (3) an incoming Treaty firm.
- 01/04/2013
SYSC 14.1.2
See Notes
This section applies to:
- (1) an EEA-deposit insurer; and
- (2) a Swiss general insurer;
only in respect of the activities of the firm carried on from a branch in the United Kingdom.
- 01/04/2013
SYSC 14.1.2A
See Notes
- 01/04/2013
Purpose
SYSC 14.1.3
See Notes
- 01/04/2013
SYSC 14.1.4
See Notes
- 01/04/2013
SYSC 14.1.5
See Notes
- 01/04/2013
How to interpret this section
SYSC 14.1.6
See Notes
- 19/06/2014
SYSC 14.1.7
See Notes
- 19/06/2014
SYSC 14.1.8
See Notes
Appropriate systems and controls for the management of prudential risk will vary from firm to firm. Therefore, most of the material in this section is guidance. In interpreting this guidance, a firm should have regard to its own particular circumstances. Following from SYSC 3.1.2 G, this should include considering the nature, scale and complexity of its business, which may be influenced by factors such as:
- (1) the diversity of its operations, including geographical diversity;
- (2) the volume and size of its transactions; and
- (3) the degree of risk associated with each area of its operation.
- 01/04/2013
SYSC 14.1.9
See Notes
- 01/04/2013
The role of systems and controls
SYSC 14.1.10
See Notes
- 01/04/2013
The prudential responsibilities of senior management and the apportionment of those responsibilities
SYSC 14.1.11
See Notes
Ultimate responsibility for the management of prudential risks rests with a firm's governing body and relevant senior managers, and in particular with those individuals that undertake the firm's governing functions and the apportionment and oversight function. In particular, these responsibilities should include:
- (1) overseeing the establishment of an appropriate business plan and risk management strategy;
- (2) overseeing the development of appropriate systems for the management of prudential risks;
- (3) establishing adequate internal controls; and
- (4) ensuring that the firm maintains adequate financial resources.
- 01/04/2013
The delegation of responsibilities within the firm
SYSC 14.1.12
See Notes
- 01/04/2013
SYSC 14.1.13
See Notes
- 01/04/2013
Firms subject to risk management on a group basis
SYSC 14.1.14
See Notes
- 01/04/2013
SYSC 14.1.15
See Notes
- 01/04/2013
SYSC 14.1.16
See Notes
- 01/04/2013
Business planning and risk management
SYSC 14.1.17
See Notes
- 01/04/2013
SYSC 14.1.18
See Notes
- 01/04/2013
SYSC 14.1.19
See Notes
When establishing and maintaining its business plan and prudential risk management systems, a firm must document:
- (1) an explanation of its overall business strategy, including its business objectives;
- (2) a description of, as applicable, its policies towards market, credit (including provisioning), liquidity, operational, insurance and group risk (that is, its risk policies), including its appetite or tolerance for these risks and how it identifies, measures or assesses, monitors and controls these risks;
- (3) the systems and controls that it intends to use in order to ensure that its business plan and risk policies are implemented correctly;
- (4) a description of how the firm accounts for assets and liabilities, including the circumstances under which items are netted, included or excluded from the firm's balance sheet and the methods and assumptions for valuation;
- (5) appropriate financial projections and the results of its stress testing and scenario analysis (see GENPRU 1.2 (Adequacy of financial resources)); and
- (6) details of, and the justification for, the methods and assumptions used in financial projections and stress testing and scenario analysis.
- 01/04/2013
SYSC 14.1.20
See Notes
The prudential risk management systems referred to in SYSC 14.1.18 R and SYSC 14.1.19 R are the means by which a firm is able to:
- (1) identify the prudential risks that are inherent in its business plan, operating environment and objectives, and determine its appetite or tolerance for these risks;
- (2) measure or assess its prudential risks;
- (3) monitor its prudential risks; and
- (4) control or mitigate its prudential risks.
INSPRU 4.1.63 E is an evidential provision relating to SYSC 14.1.18 R concerning risk management systems in respect of liquidity risk arising from substantial exposures in foreign currencies.
- 01/04/2013
SYSC 14.1.21
See Notes
- 01/04/2013
SYSC 14.1.22
See Notes
A firm's business plan and risk management systems should be:
- (1) effectively communicated so that all employees and contractors understand and adhere to the procedures related to their own responsibilities;
- (2) regularly updated and revised, in particular when there is significant new information or when actual practice or performance differs materially from the documented strategy, policy or systems.
- 01/04/2013
SYSC 14.1.23
See Notes
- 01/04/2013
SYSC 14.1.24
See Notes
- 01/04/2013
SYSC 14.1.25
See Notes
- 01/04/2013
Internal controls: introduction
SYSC 14.1.26
See Notes
- 01/04/2013
SYSC 14.1.27
See Notes
- 01/04/2013
SYSC 14.1.28
See Notes
The precise role and organisation of internal controls can vary from firm to firm. However, a firm's internal controls should normally be concerned with assisting its governing body and relevant senior managers to participate in ensuring that it meets the following objectives:
- (1) safeguarding both the assets of the firm and its customers, as well as identifying and managing liabilities;
- (2) maintaining the efficiency and effectiveness of its operations;
- (3) ensuring the reliability and completeness of all accounting, financial and management information; and
- (4) ensuring compliance with its internal policies and procedures as well as all applicable laws and regulations.
- 01/04/2013
SYSC 14.1.29
See Notes
When determining the adequacy of its internal controls, a firm should consider both the potential risks that might hinder the achievement of the objectives listed in SYSC 14.1.28 G, and the extent to which it needs to control these risks. More specifically, this should normally include consideration of:
- (1) the appropriateness of its reporting and communication lines (see SYSC 3.2.2 G);
- (2) how the delegation or contracting of functions or activities to employees, appointed representatives or, where applicable, its tied agents or other third parties (for example outsourcing) is to be monitored and controlled (see SYSC 3.2.3 G to SYSC 3.2.4 G, SYSC 14.1.12 G to SYSC 14.1.16 G and SYSC 14.1.33 G; additional guidance on the management of outsourcing arrangements is also provided in SYSC 13.9);
- (3) the risk that a firm's employees or contractors might accidentally or deliberately breach a firm's policies and procedures (see SYSC 13.6.3 G);
- (4) the need for adequate segregation of duties (see SYSC 3.2.5 G and SYSC 14.1.30 G to SYSC 14.1.33 G);
- (5) the establishment and control of risk management committees (see SYSC 14.1.34 G to SYSC 14.1.37 G);
- (6) the need for risk assessment and the establishment of a risk assessment function (see SYSC 3.2.10 G and SYSC 14.1.38 G to SYSC 14.1.41 G);
- (7) the need for internal audit and the establishment of an internal audit function and audit committee (see SYSC 3.2.15 G to SYSC 3.2.16 G and SYSC 14.1.42 G to SYSC 14.1.45 G).
- 01/04/2013
Internal controls: segregation of duties
SYSC 14.1.30
See Notes
The effective segregation of duties is an important internal control. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm's governing body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems. In this regard, a firm should ensure that there is adequate segregation of duties between employees involved in:
- (1) taking on or controlling risk (which could involve risk mitigation);
- (2) risk assessment (which includes the identification and analysis of risk); and
- (3) internal audit.
- 01/04/2013
SYSC 14.1.31
See Notes
- 01/04/2013
SYSC 14.1.32
See Notes
- 01/04/2013
SYSC 14.1.33
See Notes
Where a firm outsources a controlled function, such as internal audit, it should take reasonable steps to ensure that every individual involved in the performance of this service is independent from the individuals who perform its external audit. This should not prevent services from being undertaken by a firm's external auditors provided that:
- (1) the work is carried out under the supervision and management of the firm's own internal staff; and
- (2) potential conflicts of interest between the provision of external audit services and the provision of controlled functions are properly managed.
- 01/04/2013
Internal controls: risk management committees
SYSC 14.1.34
See Notes
- 01/04/2013
SYSC 14.1.35
See Notes
Where a firm decides to create one or more risk management committee(s), adequate internal controls should be put in place to ensure that these committees are effective and that their actions are consistent with the objectives outlined in SYSC 14.1.28 G. This should normally include consideration of the following:
- (1) setting clear terms of reference, including membership, reporting lines and responsibilities of each committee;
- (2) setting limits on their authority;
- (3) agreeing routine reporting and non-routine reporting escalation procedures;
- (4) agreeing the minimum frequency of committee meetings; and
- (5) reviewing the performance of these risk management committees.
- 01/04/2013
SYSC 14.1.36
See Notes
- 01/04/2013
SYSC 14.1.37
See Notes
The effective use of risk management committees can help to enhance a firm's internal controls. In establishing and maintaining its risk management committees, a firm should consider:
- (1) their membership, which should normally include relevant senior managers (such as the head of group risk, head of legal, and the heads of market, credit, liquidity and operational risk, etc.), business line managers, risk management personnel and other appropriately skilled people, for example, actuaries, lawyers, accountants, IT specialists, etc.;
- (2) using these committees to:
- (i) inform the decisions made by a firm's governing body regarding its appetite or tolerance for risk taking;
- (ii) highlight risk management issues that may require attention by the governing body;
- (iii) consider risk at the firm-wide level and, within delegated limits, to determine the allocation of risk limits and financial resources across business lines; and
- (iv) consider how exposures may be unwound, hedged, or otherwise mitigated, as appropriate.
- 01/04/2013
Internal controls: risk assessment
SYSC 14.1.38
See Notes
Risk assessment is the process through which a firm identifies and analyses (using both qualitative and quantitative methodologies) the risks that it faces. A firm's risk assessment activities should normally include consideration of:
- (1) its total exposure to risk at the firm-wide level (that is, its exposure across business lines and risk categories);
- (2) capital allocation and the need to calculate risk weighted returns for different business lines;
- (3) the potential correlations that can exist between the risks in different business lines; this should also include looking for risks to which a firm's business plan is particularly sensitive, such as interest rate risk, or multiple dealings with the same counterparty;
- (4) the use of stress tests and scenario analysis;
- (5) whether there are risks inherent in the firm's business that are not being addressed adequately;
- (6) the risk adjusted return that the firm is achieving; and
- (7) the adequacy and timeliness of management information on market, credit, insurance, liquidity, operational and group risks from the business lines, including risk limit utilisation.
- 01/04/2013
SYSC 14.1.39
See Notes
- (1) In accordance with SYSC 3.2.10 G a firm should consider whether it needs to set up a separate risk assessment function (or functions) that is responsible for assessing the risks that the firm faces and advising its governing body and senior managers on them.
- (2) The term 'risk assessment function' refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure. The risk assessment function is not a controlled function itself, but is part of the systems and controls function (CF28).
- 01/04/2013
SYSC 14.1.40
See Notes
- 01/04/2013
SYSC 14.1.41
See Notes
- 01/04/2013
Internal audit
SYSC 14.1.42
See Notes
A firm should ensure that it has appropriate mechanisms in place to assess and monitor the appropriateness and effectiveness of its systems and controls. This should normally include consideration of:
- (1) adherence to and effectiveness of, as appropriate, its market, credit, liquidity, operational, insurance, and group risk policies;
- (2) whether departures and variances from its documented systems and controls and risk policies have been adequately documented and appropriately reported, including whether appropriate pre-clearance authorisation has been sought for material departures and variances;
- (3) adherence to and effectiveness of its accounting policies, and whether accounting records are complete and accurate;
- (4) adherence to and effectiveness of its management reporting arrangements, including the timeliness of reporting, and whether information is comprehensive and accurate; and
- (5) adherence to PRA rules and regulatory prudential standards.
- 01/04/2013
SYSC 14.1.43
See Notes
- (1) In accordance with SYSC 3.2.15 G and SYSC 3.2.16 G, a firm should consider whether it needs to set up a dedicated internal audit function.
- (2) The term 'internal audit function' refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).
- 01/04/2013
SYSC 14.1.44
See Notes
- 01/04/2013
SYSC 14.1.45
See Notes
- 01/04/2013
Management information
SYSC 14.1.46
See Notes
- 01/04/2013
SYSC 14.1.47
See Notes
The role of management information should be to help a firm's governing body and senior managers to understand risk at a firm-wide level. In so doing, it should help them to:
- 01/04/2013
SYSC 14.1.48
See Notes
A firm should consider what information needs to be made available to its governing body and senior managers. Some possible examples include:
- (1) firm-wide information such as the overall profitability and value of a firm and its total exposure to risk;
- (2) reports from committees to which the governing body has delegated risk management tasks, if applicable;
- (3) reports from a firm's internal audit and risk assessment functions (see SYSC 14.1.43 G and SYSC 14.1.39 G), if applicable, including exception reports, where risk limits and policies have been breached or systems circumvented;
- (4) financial projections under expected and abnormal (that is, stressed) conditions;
- (5) reconciliation of actual profit and loss to previous financial projections and an analysis of any significant variances;
- (6) matters which require a decision from the governing body or senior managers, for example a significant variation to a business plan, amendments to risk limits, the creation of a new business line, etc;
- (7) compliance with PRA rules and regulatory prudential standards;
- (8) risk weighted returns; and
- (9) liquidity and funding requirements.
- 01/04/2013
SYSC 14.1.49
See Notes
The management information that is provided to a firm's governing body and senior managers should have the following characteristics:
- (1) it should be timely, its frequency being determined by factors such as:
- (a) the volatility of the business in which the firm is engaged (that is, the speed at which its risks can change);
- (b) any time constraints on when action needs to be taken; and
- (c) the level of risk that the firm is exposed to, compared to its available financial resources and tolerance for risk;
- (2) it should be reliable, having regard to the fact that it may be necessary to sacrifice a degree of accuracy for timeliness; and
- (3) it should be presented in a manner that highlights any relevant issues on which those undertaking governing functions should focus particular attention.
- 01/04/2013
SYSC 14.1.50
See Notes
- 01/04/2013
Record keeping
SYSC 14.1.51
See Notes
SYSC 3.2.20 R requires a firm to take reasonable care to make and retain adequate records. The following policy on record keeping supplements SYSC 3.2.20 R by providing some additional rules and guidance on record keeping. The purpose of this policy is to:
- (1) facilitate the prudential supervision of a firm by ensuring that adequate information is available regarding its past/current financial situation and business activities (which includes the design and implementation of systems and controls); and
- (2) help the PRA to satisfy itself that a firm is operating in a prudent manner and is not prejudicing its safety and soundness or the interests of policyholders.
- 01/04/2013
SYSC 14.1.52
See Notes
- 01/04/2013
SYSC 14.1.53
See Notes
- (1) A firm must make and regularly update accounting and other records that are sufficient to enable the firm to demonstrate to the PRA:
- (a) that the firm is financially sound and has appropriate systems and controls;
- (b) the firm's financial position and exposure to risk (to a reasonable degree of accuracy); and
- (c) the firm's compliance with the rules in GENPRU, INSPRU and SYSC.
- (2) The records in (1) must be retained for a minimum of three years, or longer as appropriate.
- 01/04/2013
SYSC 14.1.54
See Notes
- 01/04/2013
SYSC 14.1.55
See Notes
- 01/04/2013
SYSC 14.1.56
See Notes
- 01/04/2013
SYSC 14.1.57
See Notes
- 01/04/2013
SYSC 14.1.58
See Notes
- 01/04/2013
SYSC 14.1.59
See Notes
- 01/04/2013
SYSC 14.1.60
See Notes
A firm must keep the records required in SYSC 14.1.53 R in the United Kingdom, except where:
- (1) they relate to business carried on from an establishment in a country or territory that is outside the United Kingdom; and
- (2) they are kept in that country or territory.
- 01/04/2013
SYSC 14.1.61
See Notes
- 01/04/2013
SYSC 14.1.62
See Notes
- 01/04/2013
SYSC 14.1.63
See Notes
- 01/04/2013
SYSC 14.1.64
See Notes
- 01/04/2013
Operational risk
SYSC 14.1.65
See Notes
As well as covering other types of risk, the rules and guidance set out in this chapter deal with a firm's approach to operational risk. In particular:
- (1) SYSC 14.1.18 R requires a firm to take reasonable steps to ensure that the risk management systems put in place to identify, assess, monitor and control operational risk are adequate for that purpose;
- (2) SYSC 14.1.19R (2) requires a firm to document its policy for operational risk, including its risk appetite and how it identifies, assesses, monitors and controls that risk; and
- (3) SYSC 14.1.27 R requires a firm to take reasonable steps to establish and maintain adequate internal controls to enable it to assess and monitor the effectiveness and implementation of its business plan and prudential risk management systems.
- 01/04/2013