Risk management is an integral component of prudential management and good corporate governance. It represents a modern approach to business management under a competitive market environment in which businesses and technology are constantly evolving. This dynamism creates risks which may hinder the company in achieving its business objectives.
Muang Thai Life Assurance PCL. (MTL) recognizes the importance of an effective risk management system. The company has established a well-defined governance structure to manage the risk of the company in accordance with international practices to best protect the interest of all stakeholders. The risk management activities aim to promote risk awareness throughout the organization and to enhance our capabilities to manage risk effectively; allowing the company to achieve its objectives in line with its mission and vision.
MTL has set the guideline for managing risks as follows:
1) Risk Governance Structure: MTL has established the governance structure that support effective risk management. Risk management function is independent from other work functions. MTL has clearly specified roles and responsibilities includes reporting process that support risk culture in the organization.
2) Risk Identification: MTL has a process of identifying the risks that the company is exposed to. The Risk Appetite and Risk Tolerance is determined by its ability to manage these risks.
3) Risk Assessment: MTL has used and developed several tools to measure and evaluate the risks faced by the company.
4) Risk Response: MTL has established guidelines and procedures to respond to the risks. As part of risk response, MTL may consider avoiding certain risks that we feel we cannot manage effectively. On the other hand, MTL may consider using risk management tools or strategies to mitigate or transfer the risks.
The guidelines and procedures to respond to the risks must be consistent with the nature of the business and the availability of personnel and information systems of the company.
5) Monitoring and Report: MTL has structured the risk reporting system to facilitate consistent and accurate risk information flow from risk monitoring persons to senior management and the Board of Director.
6) Risk Management of Core Activities: MTL has established the risk management process for the core activities defined by Office of Insurance Commission that is consistent with the risks and complexity of the company. The process should be able to reflect the underlying risk, measure the risk appropriately, efficiently manage the risks, and monitor and control the risks from these core activities.
Risk appetite defined as the aggregate level and types of risk the company is willing to assume within its risk capacity to achieve its strategic objectives and business plan.
Risk appetite plays a key role in maximizing return on capital invested by the shareholders as it acts as a driver for allocation of capital to identified risks. Among other things, risk appetite plays an important part in supporting risk assessment, monitoring and control activities. It does this by helping staff to aware of risks they are associated with, understand the relative significance of the risks faced by the organization and thereby better prioritizes risk monitoring and control activities.
Specifically, risk appetite plays two roles in supporting the business objectives and risk management activities of an organization:
1) It is a decision making and resource allocation tool. Risk appetite helps determine the degree of control that needs to be applied to a particular risk.
2) It establishes a benchmark for an organization to monitor a particular risk.
MTL’s risk appetite statement has been approved and regularly reviewed by the Board of Director. There are both quantitative and qualitative statements for the key risks.
In addition, risk tolerance has been defined as acceptable level of variation which cascade down from risk appetite in order to be a boundary of risk for operational level which is defined within context of risk appetite, core activities, and company’s objective. As the capital management is highly associated with the risk management, the capital adequacy is therefore considered as a part of the company's risk appetite and risk tolerance.
The management of risk is the management of resources and various processes to ensure that the amount of risk taken during business operation is in line with the defined risk appetite set out by the company.
An effective risk management system must be able to identify, assess, respond and monitor the risks faced by the business. It is most important that this system be aligned with the objectives of the company. MTL manage the top 10 risks as specified in appendix 3.
Risk management has been established at MTL, including the risk management in the core activities defined by Office of Insurance Commission:
MTL applies the following process for risk management.
1) Risk Identification
Risk identification sets out to identify an organization’s exposure to uncertainty, both financial and non-financial exposure, as well as the sources of the exposure.
Risk identification should be approached in a methodical manner to ensure that all significant activities within the organization have been identified. Identified risks must be reviewed on a regular basis or when there are material changes of the risk factors.
MTL uses the risk taxonomy as follows;
1.1 Strategic Risk
Corporate planning risk is the risk that arises when a specific strategy is chosen. Even though comprehensive planning process (including research, analysis and evaluation process) have been effectively applied and managed, there are risks caused by the changes in the competitive landscape and operating environment which may render the chosen strategy ineffective.
Moreover, the basis of this risk can also arise from failure of conformity to a standardized policy and the invalidity of initial assumptions due to limitation and/or misinterpretation of data (either external or internal sources).
Strategic implementation risk is the risk resulting from failure to execute the defined strategy and deliver the business plans according to the original objectives without significant deviation from the agreed quality, timeline and/or budget.
1.2 Operational Risk
Operational Risk is the risk of loss resulting from failed, inadequate or inappropriate internal processes, people, systems and/or external events which impact to company operation or financial statement. This definition excludes strategic and reputational risk.
Operational risk includes information technology risk which refers to risks that may arise from use of IT in business which may have an impact on the Company’s systems or operations, which include risks arising from cyber threats. The loss incurred may materially affect the operations, the customers’ perception, and the reputation of the company. Therefore, MTL believes in the importance of developing a systematic risk management framework of the organization by taking into consideration the magnitude, the variety and the complexity of the operations to develop and foster a sound method to manage the enterprise risk management.
Though well-planned control system has been implemented in organization, there are still many unpreventable risks such as accidents, natural disasters, fire, flood, acts of terrorism and epidemics. Business Continuity Management (BCM) is the vital tool used to reduce the severity of such events. BCM will ensure that if any disruption to the Critical Business Functions occurs, MTL can continue to operate or can recover the operations within an appropriate timeframe which may help mitigate the negative impacts to the business, the legal standing or the good corporate image.
1.3 Insurance Risk
Insurance risk is the risk from fluctuation of claim frequency, claim severity or time of claim occurrence that deviate from the pricing and reserving assumptions. Key assumptions include mortality rate, lapse rate, expenses and interest rate. Insurance risk consists of Life and Health Insurance Risk and Catastrophic Risk related to extreme or exceptional events.
These roles and responsibilities will be taken by Actuarial Division and Integrated Risk Management Department. Actuarial Division will analyze and review the relevant events and cooperate with the Integrated Risk Management Department to report to ALCO and Risk Management Committee respectively for acknowledgement and setting up the appropriate resolution.
Reinsurance is another tool that the company uses to manage and reduce the severity of the loss.
1.4 Investment Risk
Investment risk comprises of market risk, credit risk, and liquidity risk.
Market risk means the risk of loss or of adverse change in the financial situation resulting, directly or indirectly, from fluctuations in the level and in the volatility of market prices of assets, liabilities and financial instruments.
The following risks are considered the major causes of market risk.
• Interest rate risk: risk of losses resulting from movements in interest rates. To the extent that future cash flows from assets and liabilities are not well matched, movements in interest rates can have an adverse impact on a company.
• Equity, commodity, and real estate risks: risk of losses resulting from movements of market values of equities, commodities, and real estate. To the extent a company makes capital investments, including stocks, commodity, and real estate, a company has probabilities to expose to sustained declines in market values
• Currency risk: risk of losses resulting from movements in exchange rates. To the extent that cash flows, assets and liabilities are denominated in different currencies, currency movements can have an adverse impact on a company.
• Related credit risk: Market risk and credit risk are correlated. In the case of change in issuer’s credit rating or change in market perception of issuer’s credit risk, credit spread might be adjusted and cause changes in present value of asset.
Credit risk is the risk of financial loss resulting from default or movement in the credit quality of issuers of securities, debtors, counterparties, or intermediaries, to whom the company has an exposure. Credit risk includes;
• Counterparty default risk: risk that a company will not receive, or receives delayed, or partially, the cash flows or assets to which it is entitled because a party with which the company has a bilateral contract defaults on one or more obligations.
• Concentration risk: risk of increased exposure to losses due to concentration in a geographical area, economic sector, counterparty, or connected parties.
Liquidity risk can be separated into trading liquidity risk and funding liquidity risk.
• Trading liquidity risk: Trading liquidity risk arises when the position of assets to be liquidated is large when compared to the depth of the market or there is a market disruption that reduces the ability to liquidate asset.
• Funding liquidity risk: Funding liquidity risk is concerned with current and future maintenance of appropriate levels of cash and liquid assets, particularly in the context of the demands for liquidity that are imposed by a company’s liability profile.
Moreover, there is reputation risk which is the risk that public recognize negative image or lost confidence of the company and may affect to company’s revenue and/or company’s capital in present and future. Reputation risk may arise as a result of occurrence of the risks mentioned above.
The company also considers significant changes from both internal and external environment that leads to emerging risk which is the risk that have not occurred before or company may not experience it. Thus, it is difficult to assess the possibility and impact of the emerging risks.
2) Risk Assessment
Risk assessment involves comparing the level of risk found during the analysis process with previously established risk criteria, and deciding whether these risks require treatment. The result of risk assessment is a prioritized list of risk that requires further action. Therefore, this step determines the level of response required for each risk. The tools using for risk assessment are depends on type of that risk.
3) Risk Response
Risk response is the process of dealing with risk. Company respond to risk based on cost and benefit consideration. The alternative of risk response can be risk avoidance, risk reduction, risk transfer and risk acceptance. It is often either not possible or cost-effective to implement all treatment strategies. MTL aims to choose and prioritize risks, and implement the most appropriate combination of the available options to treat the risks. Risk response shall be in alignment with risk appetite and risk tolerance.
4) Risk Monitoring and Review
The company consistently monitors and reviews the risks to ensure that they do not exceed the risk appetite set up by the Board and the risks are within the pre-defined limits. The monitoring and review phase provides management through reporting mechanisms and the assurance that the policies and the related controls are applied properly.
MTL has formed a risk governance structure, supported by identifying roles, responsibilities and authority hierarchy, which will foster the risk culture throughout the company. The followings describe the roles and responsibilities under MTL risk governance structure.
1) Board of Directors (BOD)
The Board of Directors as leaders of the company plays an important role in its founding the organization to success by placing the appropriate policies and strategies to enhance the competitiveness of the company. This means the growth of the organization, the added value in the long term to the shareholders, and the responsibility for policy holders. The BOD must have the vision, and is responsible for discussions of business strategies and oversees the company’s operations to be aligned within the laws and regulations governing the business.
The MTL Board of Directors determines the governance structure of the Company. In order to operate efficiently and to give appropriate attention and consideration to matters, the BOD may delegate authority to its Committees to carry out tasks. The BOD and Committees are supplied in a timely manner with information in a form and of a quality appropriate to enable them to discharge their duties.
The BOD appoints the Risk Management Committee to be its advisory body on risk governance and risk management issues. However, the BOD is ultimately responsible for ensuring that sound and comprehensive risk management, which adheres to applicable regulation, is developed within the company and for ensuring compliance with the policy. The BOD is responsible for approving and reviewing the Business Plan, Risk Management Framework, Risk Management Policy and other risk-related policies, such as the Policy of Investment in Other Businesses, and Risk appetite. The BOD is also responsible for monitoring the risk management process and ensuring that the process adheres to all applicable regulations. BOD shall operate the Company to have efficient internal control and audit system.
The BOD is also responsible for alignment between business strategies, risk management framework and the Company’s capital adequacy and financial stability.
Meetings of the BOD shall be held with the minimum frequency of once per three months.
2) Risk Management Committee (RMC)
The MTL Risk Management Committee is appointed by the Board of Director. The Risk Management Committee oversees the overall risks of the company and make sure that the company possesses efficient and effective risk management and that the risk management process is at appropriate level. The Risk Management Committee has the duty to advise the Board of Directors on risk management issues and is responsible to ensure identifying, assessing, response, monitoring and reporting risk levels for the attention of the Board of Directors. Moreover, The Risk Management Committee is responsible for all activities defined in Charter of Risk Management Committee.
The Risk Management Committee shall hold meeting at least every three months.
3) Audit Committee (AC)
The MTL Audit Committee is appointed by the Board of Director. The Audit Committee is authorized to review and evaluate the company’s internal control and to ensure that the company has set up internal control, internal audit, and risk management systems that are suitable, effective and in accordance with the international framework.
The Audit Committee shall hold meetings at least every three months
4) Investment Committee (IC)
The MTL Investment Committee is appointed by the Board of Director. IC is responsible for determining and presenting Investment Policy Statement (IPS), Policy for Real Estate Business, Investment Management Guideline (IMG) and Investment Procedure annually to be approved by the Risk Management Committee (RMC) and Board of Directors (BOD).
IC is responsible for approval of the Investment Plan, control and monitoring investment and real estate business of the Company that complies with relevant laws and is in-line with IPS and risk management policy, determine investment target and return on investment as a part of corporate budget to be approved by BOD, and report performance to the BOD regularly.
The IC is also in charge of good corporate governance, transparency, and precaution against conflict of interest regarding investment transaction and real estate business of the Company, while ensuring adequate work systems, human resources, and data.
5) Executive Committee (EXCOM)
The Executive Committee is appointed under the recommendation of the President and the approval of the BOD. The Executive Committee shall hold a position as if they are the BOD among the Management.
Besides the assignments from the BOD, Executive Committee shall be granted from the BOD the authorities to cooperate with the Management regarding all aspects of the Company’s business as usual, to cooperate with the Management to implement according to the business plan and budget, to consider the matters designated by the BOD, to consider matters which are business as usual of the Company that the Management refers to Executive Committee, and to consider other matters that are not business as usual of the Company and/or outside the business plan and budget that has been approved in advance, where such matter must have material impact on the financial status and profitability or reputation of the Company.
Meetings of the Executive Committee shall be held no less frequency than once every 2 weeks.
6) Asset-Liability Committee (ALCO)
ALCO has been formally established as a committee of the president and CEO. The members of the committee are to be appointed by the President and CEO.
The ALCO ensures that the assets and the liabilities are managed in a consistent and complementary manner. The committee has the duty to advise the president and CEO on the management of company’s asset and liability given the associated risks. The committee helps foster closer communication and coordination between the Investment Division and Actuarial Division and ensures a clear delineation of lines of authority and responsibilities for managing ALM risks.
The meeting of the ALCO shall be held at least every three months.
7) Operational Risk Management Committee (ORMC)
ORMC has the duty to monitor and review operational risk management policy to develop and to support risk management to mitigate loss from failure or inadequate of process, people, system or external events, to improve efficiency of operation. ORMC has the duty to review business continuity management policy and well prepare of business continuity. ORMC has the duty to provide consultant, recommendation, approve and follow up risk guideline and the improvement of operational risk management system throughout the organization. ORMC can establish sub-committee or working team upon consideration.
The meeting of the Operational Risk Management Committee will be held once every3 months.
8) Product Development Sub-Committee (PDC)
The members of the PDC are to be appointed by the President and CEO. The PDC is responsible for monitoring, analyzing and evaluating the market movement in terms of product development by considering both local and international’s competitors. PDC is responsible for developing and improving product design to match with the competition situation in the market, determining a master plan for the product development in short, medium and long terms, and also determining target and monitoring the selling results of insurance product.
The meeting of the PDC will be held once per a month.
9) Enterprise Risk Management Division
Enterprise Risk Management Division is responsible for identifying, analyzing, assessing, managing, and monitoring corporate risks, and submitting reports to the Risk Management Committee and other related committees including of related rules and regulations.
The Enterprise Risk Management Division is accountable for coordinating with the Risk Management Committee, the Operational Risk Management Committee, and the Asset-Liability Committee. The Enterprise Risk Management Division may participate in other meetings when it sees appropriate and provide consultations to other committees or departments on request or when it sees necessary to ensure the appropriate risk management of the company.
10) Managements and all employees
All employees have responsibilities to operate business in alignment with company’s strategy, risk management framework, and risk appetite. All employees shall comply risk management process and report risk management performance as specified in risk management policy and related regulations.
The managements shall ensure that employees understand risk management process and able to apply in their works.