Moving towards ‘Risk Based Supervision’ of the Insurance Sector

[For information of internal stakeholders]

I. Background:

1. The role of any insurance regulator is to promote and maintain efficient, fair,
safe and stable insurance markets for the benefit and protection of
policyholders. To create such an environment, it is important that the regulator
puts in place a mechanism where an insurer will take timely preventive and
corrective measures, wherever required.

2. Objectives of the Authority: Insurance Regulatory and Development Authority

of India (herein after referred to as the ‘Authority’) was established in 2000. The
objectives of the Authority are to:

a. To protect the interest of and secure fair treatment to policyholders;

b. To bring about speedy and orderly growth of the insurance industry
(including annuity and superannuation payments), for the benefit of the
common man, and to provide long term funds for accelerating growth of
the economy;
c. To set, promote, monitor and enforce high standards of integrity,
financial soundness, fair dealing and competence of those it regulates;
d. To ensure speedy settlement of genuine claims, to prevent insurance
frauds and other malpractices and put in place effective grievance
redressal machinery;
e. To promote fairness, transparency and orderly conduct in financial
markets dealing with insurance and build a reliable management
information system to enforce high standards of financial soundness
amongst market players;

Page 1 of 14
 f. To take action where such standards are inadequate or ineffectively
enforced; and
g. To bring about optimum amount of self-regulation in day-to-day working
of the industry consistent with the requirements of prudential
regulation

3. In the current scenario, in order to meet its objectives, the Authority is primarily
focusing on compliance based approach for supervision and hence the role of
the supervision is to ensure that insurers comply with the given set of rules,
regulations and Act provisions.

4. In India, over a period of last two decades, the number of entities to be

supervised have increased manifold. The compliance based approach would
need the same yardstick to be applied to all regulated entities regardless of
their size, business model and nature of significant activities. This uniform
approach imposes ever increasing requirement of resources. This approach also
ignores the strengths and weaknesses of the regulated entities.

5. However, the supervisory process needs to be dynamic and should consider

both off-site monitoring and on-site inspections to examine the business of
each insurer; evaluate its condition; risk profile and conduct; the quality and
effectiveness of its corporate governance and its compliance with relevant
legislation and supervisory requirements. Considering the limitations of only
compliance based approach to supervision and the broader objectives of
supervision cast upon the insurance regulators, many jurisdictions have moved
from an approach that is compliance based to one that is risk based.

6. To this end, the Authority has initiated steps to move towards Risk Based
Supervision which will facilitate meeting its objectives cast upon and also enable

Page 2 of 14
 to achieve effective allocation of resources corresponding to the risk profile of
the regulated entities.

II. What is Risk Based Supervision (RBS):

1. Risk Based Supervision is risk oriented; principle based; forward looking,

outcome focused and dependent on sound judgement of identifying and
assessing the risks inherent within the significant activities of the regulated
entity. It requires assessments of ‘risks to viability’ rating of a regulated entity,
updated dynamically, and allows the flexibility to allocate resources based on
the risk profile of a regulated entity.It is based on a comprehensive and
Integrated view on the regulated entity and that of the system.
2. The primary difference between a compliance based approach and the risk
based approach to supervision is that the regulator focuses on the compliance
requirements and the financial situation of the regulated entities at a given
point in time under a compliance based approach. RBS on the contraryis a
dynamic process where the emphasis is more on understanding and
anticipating the possible risks the regulated entity will be facing when executing
its business plan on a holistic basis thus going beyond its current financial
situation, apart from looking into compliance. Also, under RBS, each regulated
entity will be assessed based on its risk profile and the overall risk it carries. This
will enable the regulator to focus more on entities posing higher risk relative to
others. To that extent, the regulator will also be in a position to use its
resources efficiently and achieve effective supervision.

III. IRDAI – RBS Framework:

1. In the recent Financial Sector Assessment Program report of 2017, the IMF and
World Bank have recommended the Authority to move towards a risk based
supervisory approach. Insurance Core Principles of IAIS requires Supervisors to

Page 3 of 14
 adopt ‘risk based approach’ to supervision that uses both off-site monitoring
and onsite inspections to examine the business of each insurer, evaluate its
condition, risk profile, the quality and effectiveness of corporate governance.

2. In the recent times, the international financial spectrum has witnessed trends
towards globalization and consolidation. The stability of financial system has
become a challenge for the regulators globally. Domestically, the insurance
sector had also reached a stage of development over the past two decades to
require a risk based supervisory approach.

3. In this backdrop, the Authority has also examined the need to move towards
the Risk based supervision. IRDAI is in the process of adopting ‘Risk Based
Supervisory Framework’ (hereinafter referred to as RBS or RBSF) for holistic
supervision of insurance sector in India. The Authority would be developing an
overall plan for moving towards ‘RBS’ and prepare an appropriate framework
for holistic supervision, duly incorporating risk assessment mechanism into
insurance supervision.

4. The RBS approach would also aid in eliminating the unintended overlaps and
gaps in current framework wherein each department functions in silos. The RBS
integrates the onsite and offsite functions and enables each of these functions
to interact and complement each other. This would enable holistic approach to
supervision of regulated entities.

5. In an RBSF setup, the regulation and supervision functions of the Authority

would be clearly segregated. While, the regulation function handles the policy
making (framing regulations) and approvals, the supervision function handles
the compliance, risk assessments, strengths/weaknesses of the regulated
entities, overall risk rating and the supervisory action, if any. The supervision
function also provides a feedback mechanism for the regulation function that

Page 4 of 14
 revisits the policies as felt appropriate. Thus, a healthy interaction of the
regulation and supervision functions would be established.

6. The RBS framework also envisages designating ‘Supervisory Managers’ who will
act as single point of contact for a regulated entity. The Supervisory Manager
will be the nodal official who will facilitate all the regulatory and supervisory
activities in respect of an entity. This brings an integrated approach in all
dealings with a given regulated entity.

IV. RBS Framework:

1. The RBS Framework would consider various risks, the insurers pose to
themselves and to the financial system at large. The regulator determines the
supervisory action plan every year comprising the activities of off-site
monitoring, onsite inspections and structured meetings with the entities in
conjunction with specific Supervisory Action Plan.

2. The process of RBS includes:

a. Risk Assessment: Regulated entities carry out various activities to

conduct their business. In conducting various activities, the insurance
companies are exposed to different kinds of risks which are inherent to
the activity being conducted. As such, the risks vary in quantum and
proportion based on the activities undertaken by the regulated entities.
This leads to a situation where certain entities face a higher risk when
compared to others. While the companies with higher risk need greater
supervisory focus, the ones with lower risk may not require the same
level of focus. As can be seen, ‘Risk Assessment’ drives the supervisor
from ‘one size fits all’ approach to ‘risk based’ supervisory approach in
which, ‘Risk Assessment’ forms the basis.

Page 5 of 14
b. Identification of the Significant Activity:

i. The first step in the process of risk based supervision is to

identify various significant activities of an insurance company.
The underlying principle of the Risk Based Supervisory
Framework is that the supervisor should understand the
business, the activities and the entity that they are responsible
for.
ii. Each of the activity of an insurance company needs to be
assessed to identify the significant activities or business units or
key processes that are critical in meeting the objectives and
strategies of the insurance company’s business.
iii. In the process of identifying significant activity, it may be
required to examine the projected business plans, capital
allocations, various functions of the insurance company etc. Out
of all the activities conducted by the insurance company, the
significant activities are identified based on the impact the
activity would have on the functions of the insurance company.
iv. The generally criteria used to identify the significant activity
would include:
1. Total income generated by an activity in relation to total
income generated by other activities; or
2. Total expenses incurred in an activity vis-a-vis the overall
total expenses; or
3. Assets generated by an activity vis-a-vis the total assets;
or
4. Revenue generated by an activity vis-a-vis the total
revenue; or

Page 6 of 14
 5. Net income before tax from an activity vis-a-vis the total
net income before tax; or
6. Risk weighted assets generated from an activity vis-a-vis
the total risk weighted assets; or
7. Internal allocation of capital for the activity vis-a-vis the
total internal allocation of capital; or
8. Reserves held for an activity vis-a-vis the total reserves
held; or
9. Strategic importance of the activity vis-a-vis other
activities or
10. Important Business units or processes
v. The identified significant activities should be those that are
important to achieve the business objectives and strategies of
the insurer. Where required, these significant activities can
further be grouped or sub-divided for appropriate assessment.
Significant activity could be a product, a distribution strategy, a
Line of business, a portfolio, investment activity etc.
c. Assessment of inherent risk in significant activity:
i. Each of the identified significant activities may expose the
insurance company to different kinds of risks. For example, High
sum assured term insurance amongst other risk products may
expose the insurer to high mortality risk, huge guarantee in non-
linked products may expose the insurance company to huge
market risks amongst other risks, motor third party liability
exposure may lead to huge legal risk amongst other risks.
ii. Various kinds of inherent risks the insurance company is exposed
to due to a significant activity needs to be assessed. Insurance
Risk, Market Risk, Operational Risk, Strategic Risk, Credit Risk are
the risks to be considered generally. The risks may further be

Page 7 of 14
 divided to assess the risk effectively and efficiently. For example,
Insurance Risk may further be divided into Product Design Risk,
Pricing Risk, Liability Risk etc.
iii. The risks so assessed at this stage do not consider the size of the
activity or the control mechanisms the insurance companies have
built to manage the risks i.e. the risks are to be assessed ignoring
the risk mitigation measures the insurer has put in place (for
example governance framework, compliance framework, policy
framework etc.) and also the size of the activity.
iv. Accordingly, the level of risk is assigned to each activity. From the
assessment of risks within each significant activity, the supervisor
would evaluate the type of control mechanism that is put in
place by the insurance company to enable it to manage the risks
at an acceptable level. This process requires the supervisor to
evaluate the quality and effectiveness of the control mechanism
with regard to the risks inherent in the activities.
d. Risk Mitigation and Risk Control Mechanism:

i. The control mechanism of an insurance company reflects the

quality of risk management and the operational management on
a day to day basis of the significant activity and reflects the
level/adequacy of corporate oversight and governance
ii. An insurance company carrying out significant activities is
expected to manage the risks inherent within the significant
activity by creating control mechanisms. In order to create such
control mechanism, operational management plays an important
role for the day-to-day management of a significant activity. The
function of operational management is to create appropriate
policy framework, processes, systems, resources with suitable

Page 8 of 14
 experience with appropriate levels of authorization, appropriate
levels of reporting requirements to effectively address the risks
inherent within a significant activity. For example, Board
approved underwriting policy, Board approved claims policy,
Board approved investment policy, standard operating
procedures for each function, appropriate IT systems etc are the
different kinds of policy frameworks put in place by an insurance
company for controlling the risk.
iii. Companies with higher inherent risks and greater control may
fare better than companies with moderate inherent risks but
low/no controls. Controls essentially eliminate or mitigate the
‘risk of failure’. The assessment of controls therefore becomes
critical for the supervisor to understand the robustness of risk
mitigation practices, the effectiveness of corporate governance
and the competence of the operational management. The
greater the control, the better the entity, in terms of net risk.
iv. In assessing the operational management, the supervisor is
required to primarily examine the capabilities of operational
management in terms of identifying and having in place the
mitigating tools for any potential loss that the activity may face.
Insurance companies are required to have capable Board of
Directors and Senior Management to conduct the business. In
insurance companies, Board of Directors are considered to have
the ultimate accountability for the management and oversight of
an insurance company. The Board is also expected to delegate
appropriate responsibilities to the senior management of an
insurance company. The functions that are considered for
assessing the quality of oversight include Board, Senior

Page 9 of 14
 Management, Risk Management, External Audit, Internal Audit,
Compliance, Actuarial and Financial.
v. For each of the significant activity, the supervisor requires to
assess the quality of operational management and the quality of
relevant oversight functions. These assessments are compared to
the requirements that are expected from the quality of risk
management while assessing the levels of inherent risks. A risk
matrix is developed taking into account the inherent risks and
the assessed quality of risk management. The direction of quality
of risk management is also assessed as increasing, stable or
decreasing.
e. Net Risk: For each of the significant activities, the supervisor considers
all the risks inherent and the corresponding control mechanisms in
terms of quality of risk management for that activity and arrives at the
net risk. Hence, the net risk is an assessment of inherent risk after
considering the quality of the risk management.
f. Overall Net Risk: Each significant activity and the risk inherent to it can
have different levels of impact on the operations of the insurance
company. Hence, the contribution of each significant activity on the
overall operations of the insurance company needs to be assessed and
appropriate levels of importance needs to be placed on such significant
activities while assessing the overall net risk. This is similar to assigning
weights. By identifying a significant activity’s importance, the potential
adverse impact of any significant activity can be appropriately
considered in the overall net risk. The overall net risk is arrived at by
combining the net risk of the significant activities after assigning the
relative importance. The overall net risk is rated as very low, low,
medium, high and very high and the direction of the overall net risk is
assessed as decreasing, stable or increasing.

Page 10 of 14
g. Additional Support: The insurance company may have additional
support which can be utilised to absorb the losses arising from overall
net risks if any. The additional support that can be considered are
Earnings, Capital and Liquidity. Earnings, Capital and Liquidity are
assessed separately to understand the additional support they provide
to the safety and soundness of an insurance company and therefore are
considered in arriving at the risk to viability. Earnings, Capital and
Liquidity are rated as strong, above average, acceptable, needs
improvement or weak.
h. Assessment of Risk to Viability:
i. Assessment of risk to viability primarily considers the safety and
soundness of the institution considering the Earnings, Capital and
Liquidity. The risk to viability is assessed as low, moderate,
material, imminent or critical. It also assesses the direction of
insurance company’s ‘risk to viability’ as decreasing, stable or
increasing. The risk to viability is associated with a timeframe.
The timeframe indicates the period for which the particular risk
rating is applicable.
ii. The timeframe indicates the possible volatility in the risk rating
i.e. a longer timeframe is expected for an insurance company
with a stable risk to viability profile whereas shorter time frames
may be assigned for insurance companies with a volatile risk to
viability profile
i. Intervention Mechanism: Risk Based Supervisory Framework is
‘outcome focussed’ and enables the supervisor to rate the insurance
company. Assessing the risk to viability of an insurance company is
followed up by setting up an intervention system. The intervention
system is expected to trigger appropriate supervisory actions depending

Page 11 of 14
 on the ‘risk to viability’ profile of an insurance company. The oversight
mechanism can be divided into the following:
i. lower oversight,
ii. normal oversight,
iii. enhanced oversight,
iv. intensive oversight or
v. warrant restructure.

V. Benefits of RBS:

1. The benefits of adopting an RBS Framework for insurance supervision could be

summarized as under:
a. Structured approach to help assess various risks, both internal to the
entity and external environment;
b. RBS is forward looking and outcome based with due focus on the
responsibility of the Board and Senior Management of the entities to
ensure financial soundness;
c. Facilitates identification of various risks relating to market conduct and
prudential aspects at an early stage so that timely regulatory
intervention is possible depending upon the overall risk profile of the
entity;
d. Enables holistic assessment of a regulated entity;
e. Allows for customization of supervisory approach based on the ‘risk
profile’ of a regulated entity;’
VI. Changes Envisaged within IRDAI:
1. In the process of moving towards RBS, certain changes are envisaged both in
the functioning of the Regulator as well as the regulated entities. This would
include the following:

Page 12 of 14
 a. The regulator and the regulated entities should have well defined
standards of Governance and well documented policies, procedures and
practices in place to outline the responsibilities and accountability, more
clearly;
b. To revisit the organizational structure to align with the requirements of
RBS;
c. Review of risk management culture;
d. Adopting risk based internal audit for the entities;
e. Improved IT and MIS to capture and report various elements required
for risk assessment;
f. Building ‘Compliance Units’ to take prompt corrective actions suggested
by the Regulator from time to time as part of Supervisory Action Plans;
g. Review of skill sets, extensive training and redeployment of staff, talent
retention; etc. as may be necessary to move towards risk assessments in
place of mere compliance.

2. It is intended to roll out the RBS process in a phased manner starting with
insurers and then intermediaries, after running a pilot project on select entities
to test the efficacy and efficiency of the implementation and to identify possible
gaps, if any. In the process, there would be consultation with the industry
players, on an ongoing basis, at different stages of development and
implementation process.

3. Given this backdrop, the insurers and intermediaries are expected toinitiate
steps to lay greater focus on risk of each activity they undertake and to build
framework that enables internal assessment of such risks and corresponding
control mechanism to mitigate such risks within their organization culture.

Page 13 of 14
4. Within IRDAI, an implementation committee has been formed to suggest the
implementation approach for RBSand Organization Restructuring and to achieve
smooth transition, in consultation with Senior Management.

Page 14 of 14