Risk management is an integral component of prudential management and good corporate governance. It represents a modern approach to business management under a competitive market environment in which businesses and technology are constantly evolving. This dynamism creates risks which may hinder the company in achieving its business objectives.
Muang Thai Life Assurance PCL. (MTL) recognizes the importance of an effective risk management system. The company has established a well-defined governance structure to manage the risk of the company in accordance with international practices to best protect the interest of all stakeholders. The risk management activities aim to promote risk awareness throughout the organization and to enhance our capabilities to manage risk effectively; allowing the company to achieve its objectives in line with its mission and vision.
MTL has set the guideline for managing risks as follows:
1) Risk Governance Structure: MTL has established the governance structure that support effective risk management. Risk management function is independent from other work functions. MTL has clearly specified roles and responsibilities includes reporting process that support risk culture in the organization.
2) Risk Identification: MTL has a process of identifying the risks that the company is exposed to. The Risk Appetite and Risk Tolerance is determined by its ability to manage these risks.
3) Risk Assessment: MTL has used and developed several tools to measure and evaluate the risks faced by the company.
4) Risk Response: MTL has established guidelines and procedures to respond to the risks. As part of risk response, MTL may consider avoiding certain risks that we feel we cannot manage effectively. On the other hand, MTL may consider using risk management tools or strategies to mitigate or transfer the risks.
The guidelines and procedures to respond to the risks must be consistent with the nature of the business and the availability of personnel and information systems of the company.
5) Monitoring and Report: MTL has structured the risk reporting system to facilitate consistent and accurate risk information flow from risk monitoring persons to senior management and the Board of Director.
6) Risk Management of Core Activities: MTL has established the risk management process for the core activities defined by Office of Insurance Commission that is consistent with the risks and complexity of the company. The process should be able to reflect the underlying risk, measure the risk appropriately, efficiently manage the risks, and monitor and control the risks from these core activities.
1) To ensure that various risks related to business operations of the company will be managed systematically and within the risk appetite and risk tolerance set by the company.
2) To encourage the risk awareness throughout the organization
3) To develop knowledge and skills, and to continually increase the effectiveness of the risk management process
MTL values sustainable growth and therefore places much important on company’s risk management. MTL has linked risk management to as many activities as possible to ensure that MTL has prudent operation and appropriate risk management in place with consideration of both current risks and future risks according to company’s strategy, objectives and business plan, in order to prepare proper risk management plan .
MTL realizes that challenging goals come with risks. MTL consequently takes into account possible risks while developing business plan, in addition to determining business trends and directions, company’s target, and projects to fulfill the goals. Those risks not only affect the successfulness of the goals, but also the capital adequacy ratio required by the OIC. Therefore, business plan, such as, growing sales, product development, product pricing, underwriting process, customer service, investment, and other activities must be related to the target capital adequacy ratio. In addition, MTL studies impact from business operation and conducts stress testing to evaluate possible impact to capital adequacy under different circumstances.
It is important that all relevant persons and business units understand well on their duties and realize that there are risks involved in their activities. To perform any business project, the business unit should consider the availability of the system, expertise of personnel, as well as stability and liquidity of the company, and diversification of the risks. Therefore, they must be able to identify the risks they are facing or will face in the future. The risks should then be quantified and prioritized in order to determine the level of response required for each risk and plan for the risk treatments. The risks must be regularly reviewed and monitored to ensure that the risks company is facing or is possible to face in the future are managed properly and in a timely manner. Risk and Control Self-Assessment (RCSA), Key Risk Indicators (KRIs), and Loss Event Data (LED) are the major tools used in the risk management process of 6 core activities. Duration, sensitivity analysis, stress test, and cash flow monitoring are important tools for asset-liability management.
MTL has continually developed risk management tools to improve risk management process of the company.
The risks of unexpected series of events occurring recently and during the past years have put an emphasis on an important of business continuity management (BCM). BCM is considered an integral part of MTL’s risk management to ensure that MTL is able to operate during an emergency period. This will lead to the trust of customers which is the important factor contributing to the sustainable growth of the company.
Risk appetite defined as the aggregate level and types of risk the company is willing to assume within its risk capacity to achieve its strategic objectives and business plan.
Risk appetite plays a key role in maximizing return on capital invested by the shareholders as it acts as a driver for allocation of capital to identified risks. Among other things, risk appetite plays an important part in supporting risk assessment, monitoring and control activities. It does this by helping staff to aware of risks they are associated with, understand the relative significance of the risks faced by the organization and thereby better prioritizes risk monitoring and control activities.
Specifically, risk appetite plays two roles in supporting the business objectives and risk management activities of an organization:
1) It is a decision making and resource allocation tool. Risk appetite helps determine the degree of control that needs to be applied to a particular risk.
2) It establishes a benchmark for an organization to monitor a particular risk.
MTL’s risk appetite statement has been approved and regularly reviewed by the Board of Director. There are both quantitative and qualitative statements for the key risks.
In addition, risk tolerance has been defined as acceptable level of variation which cascade down from risk appetite in order to be a boundary of risk for operational level which is defined within context of risk appetite, core activities, and company’s objective. As the capital management is highly associated with the risk management, the capital adequacy is therefore considered as a part of the company's risk appetite and risk tolerance.
The management of risk is the management of resources and various processes to ensure that the amount of risk taken during business operation is in line with the defined risk appetite set out by the company.
An effective risk management system must be able to identify, assess, respond and monitor the risks faced by the business. It is most important that this system be aligned with the objectives of the company. MTL manage the top 10 risks.
Risk management has been established at MTL, including the risk management in the core activities defined by Office of Insurance Commission:
MTL applies the following process for risk management.
1) Risk Identification
Risk identification sets out to identify an organization’s exposure to uncertainty, both financial and non-financial exposure, as well as the sources of the exposure.
Risk identification should be approached in a methodical manner to ensure that all significant activities within the organization have been identified. Identified risks must be reviewed on a regular basis or when there are material changes of the risk factors.
MTL uses the risk taxonomy as follows;
1.1 Strategic Risk
Strategic Risk is the risk that arises from (1) the consequent of choosing to execute a particular strategy, and (2) the failure associated with the strategy implementation. According to MTL Risk Taxonomy, strategic risks can be classified into corporate planning risk, and strategic implementation risk.
- Corporate Planning Risk
Corporate planning risk is the risk that arises from strategy selection, failure to conform with standardized policy, and invalid initial assumptions and misinterpretation of data due to limited access to information. Corporate planning risk is unavoidable even though the planning process is fully equipped with thorough research, analysis, and full evaluation process because the uncertainty arises from changes in both the market competition and the operating environment which diminishes the strategy’s effectiveness.
- Strategic Implementation Risk
Strategic implementation risk is another component of strategic risk. The risk is caused by inability to implement the defined strategy and failure to deliver expected outcomes including agreed quality, timeline and budget of the business plan.
1.2 Operational Risk
Operational Risk is the risk of loss resulting from failed, inadequate or inappropriate internal processes, people, systems and/or external events which impact to company operation or financial statement. This definition excludes strategic and reputational risk.
Operational risk includes information technology risk which refers to risks that may arise from use of IT in business which may have an impact on the Company’s systems or operations, which include risks arising from cyber threats. The loss incurred may materially affect the operations, the customers’ perception, and the reputation of the company. Therefore, MTL believes in the importance of developing a systematic risk management framework of the organization by taking into consideration the magnitude, the variety and the complexity of the operations to develop and foster a sound method to manage the enterprise risk management.
Though well-planned control system has been implemented in organization, there are still many unpreventable risks such as accidents, natural disasters, fire, flood, acts of terrorism and epidemics. Business Continuity Management (BCM) is the vital tool used to reduce the severity of such events. BCM will ensure that if any disruption to the Critical Business Functions occurs, MTL can continue to operate or can recover the operations within an appropriate timeframe which may help mitigate the negative impacts to the business, the legal standing or the good corporate image.
1.3 Insurance Risk
Insurance risk is the risk from fluctuation of claim frequency, claim severity or time of claim occurrence that deviate from the pricing and reserving assumptions. Key assumptions include mortality rate, lapse rate, expenses and interest rate. Insurance risk consists of Life and Health Insurance Risk and Catastrophic Risk related to extreme or exceptional events.
These roles and responsibilities will be taken by Actuarial Division and Integrated Risk Management Department. Actuarial Division will analyze and review the relevant events and cooperate with the Integrated Risk Management Department to report to ALCO and Risk Management Committee respectively for acknowledgement and setting up the appropriate resolution.
Reinsurance is another tool that the company uses to manage and reduce the severity of the loss.
1.4 Investment Risk
Investment risk comprises of market risk, credit risk, and liquidity risk.
- Market Risk
Market risk means the risk of loss or of adverse change in the financial situation resulting, directly or indirectly, from fluctuations in the level and in the volatility of market prices of assets, liabilities and financial instruments.
The following risks are considered the major causes of market risk.
• Interest rate risk: risk of losses resulting from movements in interest rates. To the extent that future cash flows from assets and liabilities are not well matched, movements in interest rates can have an adverse impact on a company.
• Equity, commodity, and real estate risks: risk of losses resulting from movements of market values of equities, commodities, and real estate. To the extent a company makes capital investments, including stocks, commodity, and real estate, a company has probabilities to expose to sustained declines in market values
• Currency risk: risk of losses resulting from movements in exchange rates. To the extent that cash flows, assets and liabilities are denominated in different currencies, currency movements can have an adverse impact on a company.
• Related credit risk: Market risk and credit risk are correlated. In the case of change in issuer’s credit rating or change in market perception of issuer’s credit risk, credit spread might be adjusted and cause changes in present value of asset.
- Credit Risk
Credit risk is the risk of financial loss resulting from default or movement in the credit quality of issuers of securities, debtors arising from lending, car hire purchase, aval or an issue of contract of guarantee to any project, counterparties, or intermediaries, to whom the company has an exposure. Credit risk includes;
• Counterparty default risk: risk that a company will not receive, or receives delayed, or partially, the cash flows or assets to which it is entitled because a party with which the company has a bilateral contract defaults on one or more obligations.
• Concentration risk: risk of increased exposure to losses due to concentration in a geographical area, economic sector, counterparty, or connected parties.
- Liquidity Risk
Liquidity risk can be separated into trading liquidity risk and funding liquidity risk.
• Trading liquidity risk: Trading liquidity risk arises when the position of assets to be liquidated is large when compared to the depth of the market or there is a market disruption that reduces the ability to liquidate asset.
• Funding liquidity risk: Funding liquidity risk is concerned with current and future maintenance of appropriate levels of cash and liquid assets, particularly in the context of the demands for liquidity that are imposed by a company’s liability profile.
Moreover, there is reputation risk which is the risk that public recognize negative image or lost confidence of the company and may affect to company’s revenue and/or company’s capital in present and future. Reputation risk may arise as a result of occurrence of the risks mentioned above.
The company also considers significant changes from both internal and external environment that leads to emerging risk which is the risk that have not occurred before or company may not experience it. Thus, it is difficult to assess the possibility and impact of the emerging risks.
2) Risk Assessment
Risk assessment involves comparing the level of risk found during the analysis process with previously established risk criteria, and deciding whether these risks require treatment. The result of risk assessment is a prioritized list of risk that requires further action. Therefore, this step determines the level of response required for each risk. The tools using for risk assessment are depends on type of that risk.
3) Risk Response
Risk response is the process of dealing with risk. Company respond to risk based on cost and benefit consideration. The alternative of risk response can be risk avoidance, risk reduction, risk transfer and risk acceptance. It is often either not possible or cost-effective to implement all treatment strategies. MTL aims to choose and prioritize risks, and implement the most appropriate combination of the available options to treat the risks. Risk response shall be in alignment with risk appetite and risk tolerance.
4) Risk Monitoring and Review
The company consistently monitors and reviews the risks to ensure that they do not exceed the risk appetite set up by the Board and the risks are within the pre-defined limits. The monitoring and review phase provides management through reporting mechanisms and the assurance that the policies and the related controls are applied properly.
The following tools and techniques are example of those which have been used in MTL’s risk management process of the core activities;
1) Risk and Control Self-Assessment (RCSA)
RCSA is a tool used to extract risk information from risk owners to identify and assessment the impact of risk. The main purposes of RCSA are to allow systematic reviewing of the root causes of risks and to effectively direct remedial action. RCSA enables the systematic identification of risks that may occur.
2) Key Risk Indicator (KRIs)
KRIs are early warning indicators that provide capability to indicate severity of a specific risk during a specific period of time. KRIs not only reflect risks incurred in the past (Lagging Indicators), but also indicate possible loss in the future (Leading Indicators) resulting from severity of each risk factor. Good risk indicators can help the company to manage the risks and prevent those risks from occurring.
3) Loss Event Data (LED)
Loss Event Data gives detail of losses in the past. Efficient loss data collection enables the company to analyze and monitor risks more efficiently. Loss data collection consists of information on event of loss incidents, event types, causes and loss amount, severity, responsible business unit and risk control/ mitigation actions.
4) Profit Test
Insurance Profit Testing is a modern approach to actuarial calculations carried out using cash flow techniques; typically, profit tests generate expected profit signatures of particular tranches of business on the basis of premium rates assumptions with the goal to keep the profitability in acceptable bounds.
5) Experience Analysis
Experience Analysis is an analysis technique that uses company's historical data such as mortality, lapse and expenses to predict future expected value of the company.
6) Stress Test
Stress tests are a necessary tool for insurance management. Such tests should be a fundamental element of an insurer’s overall risk management framework and capital adequacy determination. Stress tests are appropriate tools for insurers to use in assessing the risks to which they are subject and in ascertaining their own limits on the risks that they are prepared to take. They should help the insurer in making decisions as to whether, and what, action is needed to ensure that it is not taking undue risks.
The company has considered key risk factors, which may impact to business operating or capital adequacy, for stress test.
The stress tests are conducted and reported to related committees on a regular basis. Related committees may require IRM to conduct stress tests based on specified scenarios and to report the results as well.
7) Sensitivity Analysis
A sensitivity analysis is a technique used to determine how different values of an independent variable will impact a particular dependent variable under a given set of assumptions.
8) Credit Rating
Credit ratings from the rating agencies such as S&P, Moody’s, or Fitch Ratings are crucial determinant for credit risk assessment, and can be used in estimating the probability of default. Credit ratings should be taken into account when company's activities expose it to credit risk.
9) Cash Flow Monitoring
MTL monitors the cash flows to ensure that there are the sufficient of funds to meet its contractual and regulatory obligations at all times.
10) Duration and Duration Gap
Duration is a factor sensitivity indicating a fixed income portfolio's first order (linear) sensitivity to the parallel shifts in the spot yield curve. In other words, duration is a measure of change in the value of portfolio due to change in interest rates.
Duration gap is used to monitor and assess risk resulting from asset and liability mismatch. It is the difference between duration of asset and liability.
11) Value at Risk (VaR)
VaR is a widely used risk measure of the risk of loss on a specific portfolio of financial assets. VaR is measured and monitored by risk types, such as interest rate risk, equity risk, credit risk, as well as at the aggregate level. VaR is the worst expected loss over a target horizon such that there is a low, pre-specified probability that the actual loss will be larger. Therefore, VaR involves two quantitative factors, the time horizon and the confidence level.
MTL has formed a risk governance structure, supported by identifying roles, responsibilities and authority hierarchy, which will foster the risk culture throughout the company. The followings describe the roles and responsibilities under MTL risk governance structure.
1) Board of Directors (BOD)
The Board of Directors as leaders of the company plays an important role in its founding the organization to success by placing the appropriate policies and strategies to enhance the competitiveness of the company. This means the growth of the organization, the added value in the long term to the shareholders, and the responsibility for policy holders. The BOD must have the vision, and is responsible for discussions of business strategies and oversees the company’s operations to be aligned within the laws and regulations governing the business.
The MTL Board of Directors determines the governance structure of the Company. In order to operate efficiently and to give appropriate attention and consideration to matters, the BOD may delegate authority to its Committees to carry out tasks. The BOD and Committees are supplied in a timely manner with information in a form and of a quality appropriate to enable them to discharge their duties.
The BOD appoints the Risk Management Committee to be its advisory body on risk governance and risk management issues. However, the BOD is ultimately responsible for ensuring that sound and comprehensive risk management, which adheres to applicable regulation, is developed within the company and for ensuring compliance with the policy. The BOD is responsible for approving and reviewing the Business Plan, Risk Management Framework, Risk Management Policy and other risk-related policies, such as the Policy of Investment in Other Businesses, and Risk appetite. The BOD is also responsible for monitoring the risk management process and ensuring that the process adheres to all applicable regulations. BOD shall operate the Company to have efficient internal control and audit system.
The BOD is also responsible for alignment between business strategies, risk management framework and the Company’s capital adequacy and financial stability.
Meetings of the BOD shall be held with the minimum frequency of once per three months.
2) Risk Management Committee (RMC)
The MTL Risk Management Committee is appointed by the Board of Director. The Risk Management Committee oversees the overall risks of the company and make sure that the company possesses efficient and effective risk management and that the risk management process is at appropriate level. The Risk Management Committee has the duty to advise the Board of Directors on risk management issues and is responsible to ensure identifying, assessing, response, monitoring and reporting risk levels for the attention of the Board of Directors. Moreover, The Risk Management Committee is responsible for all activities defined in Charter of Risk Management Committee.
The Risk Management Committee shall hold meeting at least every three months.
3) Audit Committee (AC)
The MTL Audit Committee is appointed by the Board of Director. The Audit Committee is authorized to review and evaluate the company’s internal control and to ensure that the company has set up internal control, internal audit, and risk management systems that are suitable, effective and in accordance with the international framework.
The Audit Committee shall hold meetings at least every three months
4) Investment Committee (IC)
The MTL Investment Committee is appointed by the Board of Director. IC is responsible for determining and presenting Investment Policy Statement (IPS), Policy for Real Estate Business, Investment Management Guideline (IMG) and Investment Procedure annually to be approved by the Risk Management Committee (RMC) and Board of Directors (BOD).
IC is responsible for approval of the Investment Plan, control and monitoring investment and real estate business of the Company that complies with relevant laws and is in-line with IPS and risk management policy, determine investment target and return on investment as a part of corporate budget to be approved by BOD, and report performance to the BOD regularly.
The IC is also in charge of good corporate governance, transparency, and precaution against conflict of interest regarding investment transaction and real estate business of the Company, while ensuring adequate work systems, human resources, and data.
5) Product Governance Committee (PGC)
The MTL Product Governance Committee (PGC) is appointed by the Board of Director. The PGC is responsible for ensuring suitable price and product development process.
The PGC is responsible for developing new products in term of competitiveness according to the market condition.
The PGC is also responsible for controlling the new product process aligns with the company strategy and regulatory requirement from Office of Insurance Commissioner (OIC).
The meeting of the PGC shall be held at least once per a month.
6) Executive Committee (EXCOM)
The Executive Committee is appointed under the recommendation of the President and the approval of the BOD. The Executive Committee shall hold a position as if they are the BOD among the Management.
Besides the assignments from the BOD, Executive Committee shall be granted from the BOD the authorities to cooperate with the Management regarding all aspects of the Company’s business as usual, to cooperate with the Management to implement according to the business plan and budget, to consider the matters designated by the BOD, to consider matters which are business as usual of the Company that the Management refers to Executive Committee, and to consider other matters that are not business as usual of the Company and/or outside the business plan and budget that has been approved in advance, where such matter must have material impact on the financial status and profitability or reputation of the Company.
Meetings of the Executive Committee shall be held no less frequency than once every 2 weeks.
7) Asset-Liability Committee (ALCO)
ALCO has been formally established as a committee of the CEO. The members of the committee are to be appointed by the CEO.
The ALCO ensures that the assets and the liabilities are managed in a consistent and complementary manner. The committee has the duty to advise the CEO on the management of company’s asset and liability given the associated risks. The committee helps foster closer communication and coordination between the Investment Division and Actuarial Division and ensures a clear delineation of lines of authority and responsibilities for managing ALM risks.
The meeting of the ALCO shall be held at least every three months.
8) Operational Risk Management Committee (ORMC)
ORMC has the duty to monitor and review operational risk management policy to develop and to support risk management to mitigate loss from failure or inadequate of process, people, system or external events, to improve efficiency of operation. ORMC has the duty to review business continuity management policy and well prepare of business continuity. ORMC has the duty to provide consultant, recommendation, approve and follow up risk guideline and the improvement of operational risk management system throughout the organization. ORMC can establish sub-committee or working team upon consideration.
The meeting of the Operational Risk Management Committee will be held once every3 months.
9) Enterprise Risk Management Division
Enterprise Risk Management Division is responsible for identifying, analyzing, assessing, managing, and monitoring corporate risks, and submitting reports to the Risk Management Committee and other related committees including of related rules and regulations.
The Enterprise Risk Management Division is accountable for coordinating with the Risk Management Committee, the Operational Risk Management Committee, and the Asset-Liability Committee. The Enterprise Risk Management Division may participate in other meetings when it sees appropriate and provide consultations to other committees or departments on request or when it sees necessary to ensure the appropriate risk management of the company.
10) Managements and all employees
All employees have responsibilities to operate business in alignment with company’s strategy, risk management framework, and risk appetite. All employees shall comply risk management process and report risk management performance as specified in risk management policy and related regulations.
The managements shall ensure that employees understand risk management process and able to apply in their works.
The Company recognizes the importance of creating a culture of risk management within the organization. The risk management direction is set in accordance with the risk management framework, risk management policy, and other business control policies. The policies are communicated to relevant staffs in order to build awareness and value of risk management.
The Company provides training for staffs to ensure that they have proper knowledge, be careful, and well recognizes the risks associated with their responsibilities, the organization, and/or the person involved. The Company also promote the exchange of information within the organization.
The Company integrated risk management into business decision making processes including corporate governance and internal control.
Other Policies