Professional Documents
Culture Documents
Control Questionnaire - Insurers and Reinsurers
Control Questionnaire - Insurers and Reinsurers
Company:
Introduction
The objective of this questionnaire is to understand the current state of internal controls in place at the entity to identify, quan
the purpose of overall risk evaluation at the entity level for the purpose of risk based supervision.
The attached questionnaire covers 10 risk areas which are Market Risk, Counterparty Risk, Non Life Underwriting Risk, Strateg
Outputs, Oversight, Conduct of Business and, Regulatory and AML. Separate tabs are created for each risk areas.
Control Question:
Has the insurance entity established a Board Risk Committee including Board members in charge, among others, of the Marke
7- All supporting documents required to support the responses to the questionnaire will need to be submitted by December 3
ate of internal controls in place at the entity to identify, quantify and monitor risks. The information shall be utilized for
pose of risk based supervision.
Risk, Counterparty Risk, Non Life Underwriting Risk, Strategic Risk, Life Underwriting Risk, Operational Risks, Actuarial
. Separate tabs are created for each risk areas.
he core activities;
ess and efficiency of internal controls
ding Board members in charge, among others, of the Market Risk that meets on a regular basis?
er:
s
S.No.
Governance and Risk Appetite
1.01
1.02
1.03
1.04
1.05
1.06
1.07
1.08
1.09
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.26
1.27
1.28
1.29
1.30
1.31
1.32
1.33
1.34
1.35
1.37
1.38
1.39
1.40
1.41
1.42
1.43
1.44
1.45
1.46
1.49
1.50
1.51
1.52
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Market Risk
Are the Market Risk processes documented for each of the sub-risk categories and is it reviewed on a regular basis by th
designated committee?
Does the insurance entity have a Board of Directors' charter articulating the Board and Senior Management's roles an
responsibilities towards market risk management?
Are the Investment Committee members suitably qualified to get an in-depth understanding of the insurance entity
Market Risk position?
Is there a formal communication process (through MIS or other regular reports) to provide the Board and Seni
Management with regular and sufficient information, for them to assess the nature and level of the insurance entity
Market Risk?
Has the insurance entity established a Board Risk Committee in charge of the Market Risk and does this committee meet o
a regular basis?
Has the insurance entity established a Management Risk Committee that is chaired by the CRO, including the CEO and Hea
of Investments, which has a standing agenda item to monitor Market Risk and does the committee meet on a regular basis
Do the Board Risk Committee and Board Investment Committee regularly review the strategy, policies and processe
for the management of Market Risk?
Does the Board Risk Committee receive regular weekly/ monthly/quarterly reports and any informal communication
appropriate from the Risk Control function and the Chief Risk Officer in relation to Market Risk?
Has the insurance entity defined a Risk Appetite Statement (RAS) within the Risk Appetite Framework (RAF) which
approved, monitored and regularly reviewed by the Board and implemented by Senior Management that includes Mark
Risk metrics?
Does the Board approve appropriate thresholds or limits for specific Market Risks, and an overall risk appetite?
Does the RAF articulate the nature, types and levels of Market Risk that the insurance entity is willing to assume?
Are the insurance entity's activities consistent with the risk limits and risk tolerances established within RAF in relation
Market Risk?
Does the insurance entity have a procedure document in place that provides a brief outline of the roles and responsibiliti
of the key stakeholders and concerned departments for Market Risk management?
Do the Board of Directors review instances of breaches pertaining to regulatory and internal policies, limits along wi
justification notes for any breaches recorded?
Does the Board Risk Committee approve the risk management framework adopted by the insurance entity including ri
categories that explicitly include Market Risk and its sub-risks including interest rate risk, equity risk, property risk, curren
risk, spread risk and liquidity risk and is the framework updated on a regular basis?
Does the Board Risk Committee establish an enterprise risk profile for the insurance entity that explicitly covers monitorin
& reporting on Market Risk and is the profile updated on a regular basis?
Does the Market Risk Committee undertake Market Risk identification, assessment, monitoring, reporting and analys
associated with Treasury Operations (including capital market operations), formulation of policies, setting of risk parameter
overseeing compliance?
Does the Market Risk Committee ensure appropriate internal controls are in place for Market Risk management activities?
Does the Market Risk Committee ensure appropriate systems are in place for tracking, monitoring and reviewing market ri
limits for effective Market Risk management?
Does the insurance entity have a governance framework approved by the designated authority around market risk mod
development, model usage and model validation procedures and are they in line with SAMA requirements?
For any control gap(s) reported by the risk management department during the past 12 months (or any other designate
department) to the Board Risk Committee and Board Investment Committee, is there a documented implementation plan
mitigate the control deficiencies?
Does the insurance entity have a documented terms of reference authorizing the Board Investment Committee f
approving policies on related issues of a more operational nature, including:
a) The criteria for selection of the external investment manager(s).
b) The selection and use of partners and brokers.
c) The nature of custodial arrangements.
d) The methodology and frequency of the performance and investment risk measurement and analysis
Does the insurance entity have an investment policy documented by Board Investment Committee and is th
implementation of the stated investment activities reviewed by the committee on a regular basis? Does the investme
policy contain (but not limited to) the following activities:
a) Reviewing the performance of each asset class.
b) Monitoring the overall risks of the policy.
c) Submitting a performance review report to the Board of Directors.
d) Insurance entity invests only in assets where it can manage/ monitor/ control the risks in an appropriate manner.
Are Market Risk limits monitored on a continuous basis (e.g. on a monthly basis or more frequently)?
Does the insurance entity have stop loss limits in place?
Are there currency-wise limits in place with respect to the net open position?
Does the insurance entity have limits for each counterparty based on the potential future exposure (PFE's)?
Does the insurance entity have procedures defined in its policies that are approved by the designated authority f
identifying shifts / aberrations / deviations from the approved market risk strategy and target markets?
Does the insurance entity perform risk and Control Self Assessment (RCSAs) to capture all the material inherent market ris
and are the subsequent mitigating controls mapped to each of identified risks?
Has the risk identification process been carried out to capture all material market events and documented by the ri
management department since the last audit due to any of the following factors:
- New Business and Change Initiatives
- Control Lapses
- Operational losses
- Infrequent but severe events
- External events
- Changes in SAMA regulations requiring specific methodologies or regulatory disclosure requirements
- Identification of assets which are considered most complex
- Is there a reporting mechanism in place to report critical events to the designated authority?
Is there a process in place to ensure that foreign investment holdings are within the prescribed limits specified by SAMA
its regulations (i.e. capped at 20% of the total investment) and any exceptions identified are reported to the designate
authority for dispensation?
Does the insurance entity take into consideration the investment concentration risks prescribed by SAMA wide i
regulations and monitor/ report/ rebalance for any limit breaches? Concentration in an investment instrument shall n
exceed 50% in one investment instrument.
2nd line controls
Is there a team focusing on Asset Liability Management and/or on Financial Risk Management, independently from th
investments team? Does the ALM team consider the appropriateness (e.g. nature, term, currency, etc.) of the liabilities.
Does the insurance entity have a process in place to maintain a repository of all the applicable SAMA guidelines related
Investments and Market Risk?
Is there a process in place for identifying new guidelines issued, updation of the existing repository and a checklist progra
to ensure compliance to applicable guidelines/ circulars?
Has the insurance entity obtained SAMA’s approval on its most recent investment policy approved by the designate
authority and any material changes that might apply to it?
Are the duties of the risk management function for Market Risk clearly segregated from risk-taking functions in th
insurance entity?
Has a Compliance function (clearly segregated from the investment team) been set up in charge of checking complianc
with the investment regulation?
Does the insurance entity with composite insurance operations, e.g. protection and savings in addition to general an
health activities, have different investment objectives and strategies which are approved by the designated authori
appropriate for both classes of business, as well as different books for each of them?
Does the insurance entity describe its outsourcing policy and maintain control, ownership, and oversight over th
outsourced investment portfolio by following a present delegation matrix?
Is there a documented due diligence mechanism approved by the designated authority for engaging with extern
investment manager(s) and does it ensure that the external entity is professional and reputable and licensed by the Capit
Market Authority (CMA)?
When engaging with external investment manager(s), does the insurance entity obtain a signed outsourcing agreement wi
the external investment manager and submits to SAMA for approval?
Does the risk management department accurately measure the status of market liquidity and report to Senior Manageme
and/ or Board on a quarterly or more frequent basis as required?
3rd line controls
Are all open issues related to the investment function and/or Market Risk from the latest Internal Audit report investigate
and resolved?
Does the Internal Audit work program cover the policy and regulatory compliance aspects related to investment regulation
and is it updated on a regular basis?
Are Internal Audit staff properly trained on the Market risk and are aware of the various aspects related to Market Risk?
Does the Internal Audit function include in its annual plan a review of risk management process and governanc
regarding Investment function and Market Risk?
Has the internal audit function defined a formal training (encompassing trainings as well as instructor based) programme f
ensuring its Investment function and Market Risk resources are up-to-date?
Has the insurance entity implemented all recommendations issued by the Internal Audit function regarding Market Risk an
put in place mitigation plans?
Response Comments
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Counterparty Default Risk
S.No.
Governance and Risk Appetite
2.01
2.02
2.03
2.04
2.05
2.06
2.07
2.08
2.09
2.1
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
2.2
2.21
2.21
2.22
2.22
2.23
2.23
2.24
2.24
2.26
2.27
2.28
2.29
2.3
2.31
2.33
2.34
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Counterparty Default Risk
Are the responsibilities of the company’s Board and Senior Management regarding counterparty default risk manageme
clearly established in the Board of Directors charter?
Are the Board members suitably qualified to get an in-depth understanding of the company’s counterparty default ri
position?
Is there a formal communication process (through MIS or other regular reports) to provide the Board and Seni
Management with regular and sufficient information, for them to assess the nature and level of, the insurance entity
counterparty risk?
Has the insurance entity established a designated Risk Committee including Board members in charge, among others, of th
counterparty risk and does this committee meet regularly?
Does the entity have policies and procedures for reinsurance which include the criteria for selection of reinsurers and th
maximum ceding limits per reinsurer by LOB?
Has the company established a designated middle-management committee to support the top management or the Board
Directors in managing counterparty default risks?
Has the Risk Committee a mix of expertise, competencies and experience that, in combination, match the nature of th
counterparty default risk activities?
Does the Board include non-executive members with reinsurance experience?
Does the Board regularly review the strategy, policies and processes for the management of reinsurance an
counterparty default risk?
Does the Risk Committee receive, regularly, formal reports and informal communication as appropriate from the Ri
Control function in relation to counterparty default risk?
Has the Board and the Risk Committee established the nature, the format, the amount and the frequency of the informatio
on reinsurance and counterparty default risk?
Has the company defined a Risk Appetite Framework (RAF) which is approved, monitored and regularly reviewed by th
Board and implemented by Senior Management that includes counterparty default risk?
Does the Board approve appropriate thresholds or limits for specific counterparty default risks, and an overall risk appetite
Are the changes to the risk appetite statement appropriately documented in line with SAMA prescribed guidelines an
counterparty concentration exposure limits? (As defined in the SAMA Circular - Principles for an Effective Risk Appeti
Framework, published date - 14/11/2016)
Does the RAF articulate the nature, types of levels of counterparty default risk that the company is willing to assume?
Is a set of tolerances regarding counterparty default risk regarding counterparty risks such as geographic, industr
government/nongovernment etc. with respect to concentration, minimum credit rating and regulatory limits establishe
and regularly reviewed?
Have risk appetite and tolerances been cascaded to operational limits to monitor the company's counterparty default ri
profile at business level?
1st line controls
Are there structured processes in the risk appetite to monitor operating limits at business process level?
Apart from a set of tolerances or limits, does the RAF include a wide array of measures to monitor the company
counterparty risk profile for example but not limited to counterparty strategy, stress testing, scenario analysis, risk an
performance indicators and comparative analysis?
Are there structured processes to ensure that data on exposure are complete, accurate and appropriate (e.g. updated on
continuous basis)?
Are receivables actually tracked, aged and actively managed?
Has the entity defined a set of standard checks to be filled before authorizing a reinsurer as a counterparty?
Has the entity defined a set of standard checks to be filled before authorizing an agent as a counterparty?
Has the entity defined a set of standard checks to be filled before authorizing a broker as a counterparty?
Has the entity defined a set of standard checks to be filled before authorizing a bank as a counterparty?
Are limits monitored on a continuous basis? (e.g. on a monthly basis or more frequently)
If the company experienced any breach in counterparty default risk limits, was the breach identified in less than 1 week
average?
If the company experienced any breach in counterparty default risk limits, was the breach solved or managed in less than
weeks in average?
2nd line controls
Has the company documented counterparty default risk management process and policies to identify measure, evaluat
monitor, report and control or mitigate all material counterparty default risks on a timely basis?
Has the company established an independent Risk Management Function that ensures the identification, management an
reporting of counterparty default risk?
Are the duties of the risk management function for counterparty default risk clearly documented and segregated from ris
taking functions in the company?
Does the company have information systems that allow a timely identification, aggregation, monitoring and reporting
counterparty default risk exposure to the Board and Senior Management?
Has the company defined a forward-looking stress testing program related to counterparty default risk as an integral part
the risk management process?
For each treaty and facultative, did the Appointed Actuary make an assessment followed by a formal recommendation o
the choice of reinsurance counterparty?
Has a Compliance function been set up in charge of checking compliance with the regulation around counterpartie
receivables and reinsurance?
3rd line controls
Does the internal audit function include in its annual plan a review of risk management and processes regardin
reinsurance and counterparty default risk?
Has the internal audit function defined a formal training programme(encompassing e-training as well as instructor based
for maintaining its resources up-to-date with counterparty default risk management best practices?
While observing the internal audit recommendations, does the company follow the recommendations issued by the intern
audit function regarding counterparty default risk and are mitigation plans in place for the aforementione
recommendations?
Response Comments
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Non-life Underwriting
S.No.
Governance and Risk Appetite
3.01
3.02
3.03
3.04
3.05
3.06
3.07
3.08
3.09
3.1
3.11
3.12
3.13
3.14
3.15
3.16
3.17
3.18
3.19
3.2
3.21
3.22
3.23
1st line controls
3.24
3.25
3.26
3.27
3.28
3.29
3.3
3.31
3.32
3.33
3.34
3.35
3.36
3.37
3.38
3.41
3.42
3.43
3.44
3.45
3.47
3.48
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Non-life Underwriting
Are the responsibilities of the company’s Board and Senior Management regarding Non - Life Underwriting ri
management clearly established in the Board of Directors charter?
Are the Board members suitably qualified to get an in-depth understanding of the company’s Non - Life Underwriting ri
position?
Is there a formal communication process (through MIS or other regular reports) to provide the Board and Seni
Management with regular and sufficient information, for them to assess the nature and level of, the insurance entity's Non
Life Underwriting risk?
Has the insurance entity established a Board Risk Management Committee in charge of the Non - Life Underwriting ris
that meets on a regular basis?
Are technical reserves presented to and approved by the Board of Directors together with an actuarial report?
Does the Appointed Actuary's report to the Board explain why reserves are adequate, set out the key assumptions an
judgements, and highlight the uncertainty around the reserves along with the testing carried out to quantify th
uncertainty?
Are there clear documented processes and policies for calculation, updating and approval of the technical reserves?
Is an actuarial report / opinion taken into consideration within the approval process of any product?
Are there clear processes leading to the approval of a new product, from product design to technical and commerci
pricing?
Are factors such as approach and capability for setting up reserves considered, at the time of product design?
If the company writes Motor products, does the Appointed Actuary submit an annual pricing report to the Company
Management, Board of Directors and SAMA, in accordance with to the guidelines provided by SAMA?
If the company writes Medical Expenses products, does the Appointed Actuary submit an annual pricing report to th
Company's Management, Board of Directors and SAMA, in accordance to the guidelines provided by SAMA?
Has the company established a designated middle-management committee to support the top management or the Board
Directors in managing Non - Life Underwriting risks?
Is the company's Board Risk Committee provided with a mix of expertise, competencies and experience that,
combination, match the nature of the Non - Life Underwriting risk activities?
Does the Board regularly review the strategy, policies and processes for the management of Non - Life Underwritin
risks?
Does the Risk Committee receive regular formal weekly/ monthly/ quarterly reports and any informal communication
appropriate from the Risk Management function and the Chief Risk Officer in relation to Non - Life Underwriting risk?
Has the company defined a Risk Appetite Framework (RAF) which is approved, monitored and regularly reviewed by th
Board and implemented by Senior Management that include Non - Life Underwriting risks?
Does the Board approve appropriate thresholds or limits for specific Non - Life Underwriting risks, and an overall ri
appetite?
Does the RAF articulate the nature and types of levels of Non - Life Underwriting risk that the company is willing to assume
Is a set of tolerances regarding Non - Life Underwriting risks clearly established and regularly reviewed?
Have underwriting risk appetite and tolerances been cascaded to operational limits to monitor the company's Non - Li
Underwriting risk profile at business level?
Are the company's activities consistent with the RAF in relation to Non - Life Underwriting risk?
1st line controls
Are there structured processes to monitor operating limits at business process level?
Apart from a set of tolerances or limits, does the RAF include a wide array of measures to monitor the company's Non - Li
Underwriting risk profile?
Are product design, pricing structure and product overall plan consistent with each other and is there a process to identi
and assess emerging risks or new types of claim with an appropriate feedback loop to the product design team an
underwriters and actuaries?
Does the company use an established industry software for pricing? Or if bespoke software is used, does the company hav
robust controls in place to validate the calculations?
For catastrophes exposure assessment, are standard industry software used (e.g., RMS), or event loss tables obtained v
brokers?
Does a process exist for the consideration of RDSs (Realistic Disaster Scenarios)?
Is there an automated database linking product design and underwriting processes to ensure that pricing data are granul
and kept up-to-date?
Are all non-life sub risks limits monitored on a continuous basis? (e.g. on a monthly basis or more frequently)
Is there a monitoring process to ensure that commercial prices do not differ from technical prices above the allowe
flexibility range? And are any differences outside of the range have been justified and signed-off?
Are there adequate operational procedures related to how to calculate case reserves and claims reserve and communicatin
and agreeing operational changes with the reserving actuaries?
Is there a separate team, within the underwriting departments, monitoring the Non - Life Underwriting performance an
the Non - Life Underwriting risk limits ?
Does a process exist to ensure standard policy wordings are adhered to by Underwriters while ensuring that there is n
proliferation of bespoke (unapproved) policy wordings?
Are there systematic or manual processes in place to differentiate the various characteristics of the insured risk and/
safety and security measures implemented by the policyholder, while pricing the insured property, motor vehicle or oth
non-life risks?
Does a process exist to ensure the following:
• clear guidance to underwriters for the use of FAC or individual risk reinsurance
• Reinsurance provides back-to-back cover with the portfolio it is protecting and that no difference between insuranc
written and reinsurance cover provided could exist?
• Measure accumulation of exposure at the time of underwriting to ensure no breach of reinsurance terms?
Does a process exist to ensure that premium is earned in line with the underlying exposure, as opposed to level through th
term of the policy, where the exposure is not level through the policy term. E.g. for construction risks?
Has the company defined a forward-looking Non - Life Underwriting risk stress testing program as an integral part of the ri
management process?
Has the company established policies, procedures and controls for the use of its Non - Life Underwriting risk assessme
methodologies?
Has a Compliance function (clearly segregated from the Non - Life Underwriting team) been set up in charge of checkin
compliance of Underwriting practices with existing laws, regulations and regulatory circulars?
Looking at the current status of internal audit recommendations, does the company follow the recommendations issued b
the internal audit function regarding Non - Life Underwriting risk and are mitigation plans in place?
Response Comments
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Strategic Risk
S.No.
Governance and Risk Appetite
4.01
4.02
4.03
4.04
4.05
4.06
4.07
4.08
4.09
4.1
4.11
4.12
4.14
4.15
4.16
4.17
4.19
4.2
4.21
4.22
4.23
4.25
4.26
4.27
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Strategic Risk
Are strategic decisions taken by the Senior Management consistently taking strategic risk implications into consideratio
including emerging risks and competitive changes in its existing markets (e.g. telematics)?
Does the Board requests and discusses sensitivity analyses / stress tests on the key assumptions underlying the plan?
Does the Board of Directors carry out independent review of strategic plan/initiative proposed by Management on a regul
basis?
Is there a formal communication process (through MIS or other regular reports) to provide the Board and Seni
Management with regular and sufficient information, regarding strategic risks, plans and initiatives being undertaken
manage those risks?
Has the insurance entity established a Board Risk Committee including Board members in charge, among others, of strateg
risks and does the committee meet on a regular basis?
Are the strategic risk policies and processes documented for each of the sub-risk categories and approved by the designate
authority and are they reviewed and updated on a regular basis?
Are the responsibilities of the entity’s Board and Senior Management regarding strategic risk management clear
established in the strategic risk policy ?
Has the entity defined a Risk Appetite Framework (RAF) which includes strategic risks and is monitored and regular
reviewed by the Board on a regular basis and implemented by Senior Management?
Are changes to the strategic plan approved by the Board and based on documented strategic risk considerations?
Has the Board established benchmarks (such as KPIs) for measuring strategic objectives from quantitative and/or qualitativ
aspects?
Does the Board periodically review strategic objectives to monitor the status of their achievement, taking into account th
underlying risks?
1st line controls
Are macro risks (e.g. market and competitive conditions, regulatory conditions, etc.) monitored on a regular basis (e.
quarterly) to decide whether a strategic adjustment is needed?
Are there structured processes approved by the designated authority to monitor strategic limits at business process lev
and reviewed and/or updated on a regular basis?
Is there are formal process to ensure staffing is appropriate in terms of size and skillset of resources required to execute th
strategy?
Does the insurance entity have a governance framework approved by the designated authority around implementation
the initiatives formalized in the strategy plan?
Has the strategic direction been translated into business level objectives and / or targets and are they assigned wi
responsible personnel to ensure that those targets are properly met?
2nd line controls
Does the entity have an independent Risk Management Function as part of its overall risk management framework and
the risk management function actively involved in strategic planning, reviews and decisions, with a focus on identifyin
monitoring and managing strategic risks?
Does the Risk Management function propose forward -looking stress and scenario tests to assess the exposure to strateg
risk and suggest mitigating actions?
Has the company documented risk management policies and processes as part of the risk management framewo
approved by the designated authority to identify, assess, monitor, report and mitigate strategic risk?
Is there a process to challenge and monitor performance and outcome of strategic initiatives vs. the strategic plan?
Is the Head of Compliance involved in strategic decisions to provide input on regulatory and policy evolutions?
Does the CRO ensure consistency of entity’s strategy with other plans such as its capital management plan, ri
management strategy and, where applicable, the wider Group business plan?
3rd line controls
Does the internal audit function include in its annual plan a review of risk management and processes regarding strateg
risk?
Has the internal audit function defined a formal training (encompassing e-trainings as well as instructor based) programm
for ensuring its resources are up-to-date with strategic risk assessment?
Does the company follow the recommendations issued by the internal audit function regarding strategic risk and put
place mitigation plans?
Does the internal audit function performs a validation / follow-up audits to determine whether all observations on strateg
risks have been timely and adequately addressed?
Response Comments
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Life Underwriting
S.No.
Governance and Risk Appetite
5.01
5.02
5.03
5.04
5.05
5.06
5.07
5.08
5.09
5.1
5.11
5.12
5.13
5.14
5.15
5.16
5.17
5.18
5.19
5.2
5.21
1st line controls
5.22
5.23
5.24
5.25
5.26
5.27
5.28
5.29
5.3
5.31
5.33
5.34
5.35
5.36
5.37
5.38
5.4
5.41
5.42
5.43
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Life Underwriting
Are the responsibilities of the Company’s Board and Senior Management regarding Life Underwriting risk manageme
clearly established in the Board of Directors charter?
Are the Board Members suitably qualified to get an in-depth understanding of the Company’s Life Underwriting ri
position?
Is there a formal communication process (through MIS or other regular reports) to provide the Board and Seni
Management with regular and sufficient information, for them to assess the nature and level of the insurance entity's li
underwriting risk?
Has the insurance entity established a Board Risk Committee including Board members in charge, among others, of the Li
Underwriting risk and does the committee meet regularly?
Are reserves presented to and approved by the Board of Directors, together with an actuarial report, in which th
Appointed Actuary explains why reserves are adequate?
Are there clear processes leading to the approval of technical reserves as specified in the policies and procedures f
development and updating of the technical reserves?
Does the Appointed Actuary present an actuarial report for any new product to back up the applied tariff considering i
sustainability and profitability?
Are there clear processes leading to development and approval of new Life products?
Has the company established a designated committee in order to support the Senior Management or the Board of Directo
in managing life underwriting risks?
Does the Board Risk Committee have a mix of expertise, competencies and experience that, in combination, match th
nature of the Life Underwriting risk activities?
Does the Board regularly review the strategy, policies and processes for the management of Life Underwriting risks?
Does the Board Risk Committee receive regularly formal reports and informal communication as appropriate from the Ri
Management function, the Chief Risk Officer and the Appointed Actuary in relation to Life Underwriting risk?
Has the company defined a Risk Appetite Framework (RAF) which is approved, monitored and regularly reviewed by th
Board and implemented by Senior Management that includes Life Underwriting risks?
Does the Board approve appropriate thresholds or limits for specific Life Underwriting risks, and an overall risk appetite?
Does the RAF articulate the nature and degree of Life Underwriting risk that the Company is willing to assume?
Is a set of tolerances or limits regarding Life Underwriting risks clearly established and regularly reviewed?
Has the Company set up a risk-based metric of capital to be allocated to Life Underwriting risk, aligned with its risk appetite
Have Life Underwriting risk appetite and tolerances been cascaded to operational limits to monitor the Company's Li
Underwriting risk profile at business level?
Are the Company's activities consistent with the RAF in relation to Life Underwriting risk?
Does the Board of Directors monitor complaints in relation to Life products?
1st line controls
Are there structured processes to monitor operating limits at business process level?
Apart from Life Underwriting risk limits, does the RAF include a wide array of measures to monitor the Company's Li
Underwriting risk profile?
Are the Life Underwriting risk limits monitored on a continuous basis (e.g. on a monthly basis or more frequently)?
Are product design, pricing structure and product plan overall consistent with the overall strategy of the entity?
Is there an automated database linking product design and Life Underwriting processes to ensure that pricing data
granular and kept up-to-date?
Is there a monitoring process to ensure that commercial prices do not differ from technical prices above the allowe
flexibility range and any deviations from the allowable range are justified and signed-off?
Has the Company established an independent Risk Management Function that ensures the identification and prop
management of Life Underwriting risks?
Are the duties of the Risk Management Function for Life Underwriting risk clearly segregated from risk-taking functions
the Company as specified in the Enterprise Risk Management Governance Framework ?
Does the Company have IT systems that allow a timely identification, aggregation, monitoring and reporting of Li
Underwriting risk exposure to the Board and Senior Management?
Has the Company defined a forward-looking Life Underwriting risk stress testing program as an integral part of the ri
management process?
Has the Company established policies, procedures and controls for the use of its Life Underwriting risk assessme
methodologies?
Is a Compliance function (clearly segregated from the Life Underwriting team) been set up in charge of checking complianc
of Life Underwriting practices with existing laws, regulations and regulatory circulars?
After receiving the Internal Audit recommendations, does the Company follow the recommendations issued by the intern
audit function regarding Life Underwriting risk? Are mitigation plans in place?
Does the Internal Audit work program covers the policy and regulatory compliance aspects related to Life Underwritin
regulations and circulars?
Is the Internal Audit staff properly trained on Life Underwriting risks and aware of the various aspects related to Li
Underwriting risk?
Response Comments
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Operational risk
S.No.
Governance and Risk Appetite
6.01
6.02
6.03
6.04
6.05
6.06
6.07
6.08
6.09
6.1
6.11
6.12
6.13
6.14
6.15
6.17
6.18
6.19
6.2
6.21
6.22
6.23
6.24
6.25
6.26
6.27
6.28
6.29
6.3
6.31
6.32
6.33
6.34
6.35
6.36
6.37
6.38
6.39
6.4
6.41
6.42
6.43
6.44
6.46
6.47
6.48
6.49
6.5
6.51
6.52
6.54
6.55
6.56
6.57
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Operational risk
Are the Board members suitably qualified to get an in-depth understanding of the entity’s operational risk position?
Is there a formal communication process (through MIS or other regular reports) to provide the Board and Seni
Management with regular and sufficient information, for them to assess the nature and level of, the insurance entity
operational risk?
Does the Risk Committee receive regular weekly/ monthly/ quarterly reports and any informal communication
appropriate from the risk management function in relation to operational risk?
Does the Board of Directors review the outcomes of scenario assessments of Operational risk events on a regular basis (
least annually)?
Has the insurance entity established a Board Risk Management Committee in charge of the operational risk that meets on
regular basis?
Does the Risk Management Committee have a mix of expertise, competencies and experience that, in combination, matc
the nature of the operational risk activities?
Does the Board regularly review the strategy, policies and processes for operational risk management?
Does the organizational structure include a number of resources specifically allocated to operational risk management, wi
suitable competencies?
Does the entity have an outsourcing policy approved by the board of directors and are there internal controls in place
monitor the appropriateness and proper execution of the outsourcing policy and outsourcing approval processes?
Does the entity have a Board approved Risk Appetite Framework (RAF) that includes operational risk and is it monitore
regularly reviewed by the Board and implemented by Senior Management?
Are there clearly established and regularly reviewed set of limits regarding operational risk and are any changes made to th
risk appetite statement documented and in line with regulatory guidelines prescribed by SAMA?
Are the entity's activities consistent with the RAF in relation to operational risk?
Does the RAF articulate the nature, types and levels of operational risk that the entity is willing to assume?
Does an information/cyber security function or information/cyber security committee exist at the entity with clear roles an
responsibilities to ensure independent monitoring, enforcement and continuous improvement of information securi
practices, policies and procedures?
Does the entity have a formal process to assess and continuously improve physical and environmental security of da
processing facilities (regardless if data processing facility is managed by the entity or outsourced to a third party servic
provider)?
Has the entity performed a business impact analysis (BIA) exercise of its application systems to be able to understand ho
much loss is incurred over time in the event of a system outage?
Does the entity have Service level agreements approved by the designated authority with defined roles and responsibiliti
between the IT department and all departments which use IT services and are the service level agreements reviewed on
regular basis?
Does the entity record and appropriately classify all issues related to IT systems in a systematic manner and record the tim
required to resolve each such issue (e.g. system outage, cyber security incident, system error/bug)?
Apart from a set of tolerances or limits, does the RAF include a wide array of measures to monitor the entity's operation
and fraud risks profile?
Does the firm carry out stress and scenario testing on operational risk at least annually?
Are there IT systems in place for continuous monitoring of operational risks?
Does the entity have documented standard operating procedures and controls on operational risks for business-as-usu
activities?
Does the entity have documented business continuity management system which covers critical business processes?
Does the entity have a fraud risk management policy approved by the designated authority outlining the potential scenario
for internal and external frauds the entity may be exposed to and guidelines (i.e. prevention controls) for combating them?
Is there a formal mechanism (e-trainings and instructor based) for fraud awareness in place?
Does the entity have detailed procedures documented for all its business processes and formal training (e-learning an
instructor based) sessions for employees to reduce human errors in business activity execution?
Does the entity have automated controls for its critical processes (critical processes as defined by SAMA wide its regulation
such as underwriting/ claims handling systems, including blocking rules and alert messages and are these controls validate
and remediated on a regular basis?
Are the procedures pertaining to claims handling adequately documented and comprehensive to include all condition
requirements (i.e. checklists for required documentation and conditions before processing any claims)?
Are there appropriate systems and procedures to discourage, detect, respond and review external frauds?
Are the guidelines pertaining to underwriting adequately documented to avoid mis-pricing and mis-selling of vario
products?
Does the entity have formal policies and procedures for loss data collection relating to operational risks and is updated on
regular basis?
Has the entity established appropriate policies, procedures and implemented adequate controls pertaining to da
communication over internal and external networks (e.g. data encryption)?
Are underwriting systems and claims systems properly integrated with financial and actuarial systems?
Has the entity established a physical security policy with defined roles and responsibilities (e.g. covering access to asse
and associated facilities limited to authorized users, processes, or devices, etc.)?
Are information and records (data) managed consistently with the organization’s risk strategy to protect the confidentialit
integrity, and availability of information?
Are information system and assets monitored at discrete intervals to identify cyber security events and verify th
effectiveness of protective measures?
Are the organization’s personnel and partners (e.g. agents) provided with cyber security awareness education/training
help them enhance their skills in implementing information security measures?
Does the entity have a human resource policy approved by the designated authority covering code of ethics and standard
for professional conduct for fair and equal treatment of all employees?
Does the human resource team conduct regular surveys to gauge employee satisfaction and is there a mechanism in plac
for addressing employee concerns/ grievances?
Does the entity have a succession plan approved by the board of directors that highlights key sensitive positions an
procedures for limiting key man dependencies?
Are there in place reporting procedures for employees at all organizational levels to communicate operational risks an
events in a clear and timely manner?
Are there in place appropriate systems to guarantee the implementation and monitoring of outsourcing procedures?
Does the entity have an independent Risk Management Function as part of its overall risk management framework an
does the risk management function ensure all material operational risks are identified, monitored, reported an
remediated?
Are the duties of the risk management function for operational risk clearly segregated from risk-taking functions within th
entity?
Does the entity have information systems that allow a timely identification, aggregation, monitoring and reporting
operational risk exposure to the entity’s Board and Senior Management?
Are there policies and procedures for maintaining information security including physical and electronic records, an
reporting of information security breaches to the senior management?
Have the entity established policies, procedures and controls for applying operational risk assessment methodologies
each business process?
Are there policies and procedures approved by the designated authority to record and report operational losses, potenti
losses and near-miss events?
Are Legal and Compliance functions in charge for the evaluation, approval, periodical review and renewal of outsourcin
contracts?
3rd line controls
Does the internal audit function include in its annual plan a review of risk management and processes regarding operation
and fraud risks?
Has the internal audit function defined a formal training (encompassing e-trainings as well as instructor based) programm
for ensuring its resources are up-to-date with best practices in operational and fraud risk management?
Is there a documented remediation / mitigation plan for closing issues raised by internal audit on operational and frau
risks?
Does the entity timely follow the recommendations issued by the internal audit function on operational and fraud risks?
S.No.
Governance and Risk Appetite
7.01
7.02
7.03
7.04
7.05
7.06
Reserving - Methodology
7.08
7.09
7.1
7.11
7.12
7.13
7.14
7.15
7.16
7.17
7.18
Reserving - Assumptions
7.19
7.2
7.21
7.22
7.23
7.24
7.25
7.27
7.28
7.29
7.3
7.31
7.32
7.33
7.34
7.35
7.36
7.37
7.38
7.39
7.4
7.41
7.42
7.44
7.45
7.46
7.47
7.48
7.49
Underwriting - Methodology
7.5
7.51
7.52
7.53
7.54
7.55
7.56
Underwriting - Assumptions
7.57
7.58
7.59
7.6
7.61
7.62
7.63
7.65
7.66
7.67
7.68
7.69
7.7
7.71
7.72
7.73
7.74
7.75
7.76
7.78
7.79
7.8
7.81
7.82
Reinsurance - Methodology
7.84
7.85
7.86
7.87
7.88
7.89
7.9
7.91
Reinsurance - Assumptions
7.92
7.93
7.94
7.95
7.97
7.98
7.99
7.100
7.101
7.102
7.103
7.104
7.105
7.106
7.107
7.108
7.111
7.112
7.113
7.116
7.117
7.119
7.120
7.121
7.123
7.124
7.125
7.126
7.127
7.128
7.129
7.130
7.131
7.132
Other actuarial opinions - Governance and processes
7.133
7.134
7.135
7.136
7.137
7.138
7.139
7.140
7.143
7.144
7.145
7.148
7.149
7.150
7.151
Other actuarial opinions - Systems and Data
7.152
7.153
7.154
7.155
7.156
7.157
7.158
7.159
7.160
7.161
7.162
7.163
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Actuarial Outputs
Are processes leading to reserving actuarial outputs results and opinions clearly documented, so that they can be easily
understood by independent third parties and is there evidence that the documentation has been regularly reviewed,
updated to reflect any changes and signed-off by the designated authority?
Does the Board of Directors review and approve the report on reserve adequacy which has been written and signed by the
Appointed Actuary and is this evidenced?
If management decides to hold reserves above or below the level recommended by the Appointed Actuary, is there a well-
defined process to arrive at this decision? Is the rationale documented?
Reserving - Methodology
Are actuarial methodologies for Life insurance valuation analyses properly documented (so that a knowledgeable third party
would be able to understand and replicate the methodology selected)?
Are actuarial methodologies for Health reserving analyses properly documented (so that a knowledgeable third party would
be able to understand and replicate the methodology selected)?
Are actuarial methodologies for General insurance reserving analyses properly documented (so that a knowledgeable third
party would be able to understand and replicate the methodology selected)?
Did the Appointed Actuary consider a set of different methodologies before choosing the most appropriate one to be used?
Does the reserving documentation include rationale for selecting the methodology chosen from the range of different
methodologies considered and does it include justification for no change if there has been no change?
Have limitations embedded in the selected methodology been considered, estimated, documented and have material
limitations been communicated to key stakeholders?
Has uncertainty (incl. Model risk) embedded in the selected methodology been considered, estimated, documented and has
material uncertainty been communicated to key stakeholders?
Are employed methodologies consistent with standard international actuarial techniques? If not, is the methodology
appropriate to the specific Line of Business and underwriting portfolio?
Are the methodologies selected fit for purpose considering the LoB being modelled and the data availability (incl. any
limitations)?
Is the methodology selected for each LoB consistent from one year to the other and are changes properly documented,
estimated, explained and signed off?
If the company writes any business in which value of liabilities depends on the value of assets (e.g. Life participating
products), is the methodology for setting the economic basis and valuating the connection between assets and liability
appropriate and explicitly included in the reserving analyses and documentation?
Reserving - Assumptions
Are assumptions backing reserving actuarial valuations clearly documented?
If there are any major changes compared to previous year's reserving actuarial valuation, are they clearly documented and
explained?
How actively did the company change valuation assumptions (e.g., are all assumptions updated as part of an annual cycle,
or are there other criteria which would suggest a more or less frequent review? Have sensitivities of the reserves to
assumptions been carried out and explained accurately?
Has the passage from the analysis of empirical data to the modelling of statistical distribution (model calibration) been
properly documented (e.g. even through flow diagrams)?
Did the model calibration phase consider if the empirical data suitably represents the future uncertain dynamics to be
modelled?
Are expert judgments on assumption setting for reserving actuarial valuations clearly documented (e.g. what were they
based on)?
Are judgments on assumption setting for reserving actuarial valuations deemed to be prudent and reasonable?
Does the appointed actuary have easy and timely access to entity's data required for reserving actuarial valuations?
In the data clean-up process, were data understood and analyzed using sound statistical methods? Are such analyses
documented?
Has any judgment employed in the data cleaning process been properly documented?
Have data been signed off by an appropriate authority (e.g., CFO)?
Is there a tolerance threshold for errors in data (e.g., nil or 1%) and is it adequately defined?
Are the actuarial reserving calculations performed using market standard software? (i.e. automated software, potentially
used elsewhere in the market, provided with a strict version control process)
Are data and calculations backing reserving actuarial valuations auditable? Are they documented in such a way that they
can be easily and adequately replicated within a specified tolerance?
Does the actuarial report comply with professional standards of a recognized actuarial body?
Are potential data deficiencies in reserving calculations managed and clearly documented in actuarial reports?
Is the level of peer review commensurate to the significance of the piece of work and levels of judgement needed and are
the people undertaking the review adequately qualified and experienced?
Are processes leading to pricing clearly documented, so that they can be easily understood by independent third parties and
is there evidence that the documentation has been regularly reviewed, updated to reflect any changes and signed-off by the
designated authority?
Is a pricing adequacy analysis carried out (i.e., comparison between technical v actual price)?
Underwriting - Methodology
Are results analyzed considering as a minimum:
- A review of an Analysis of Change,
- Whether the unexplained in the Analysis of Change is at an acceptable level?
- A reconciliation of results to audited numbers e.g. IFRS Report & accounts?
Are actuarial methodologies for Life pricing analyses properly documented? (so that a knowledgeable third party would be
able to understand and replicate the methodology selected)
Are actuarial methodologies for Health pricing analyses properly documented? (so that a knowledgeable third party would
be able to understand and replicate the methodology selected)
Are actuarial methodologies for General Insurance pricing analyses properly documented? (so that a knowledgeable third
party would be able to understand and replicate the methodology selected)
Do employed methodologies rely on standard international actuarial techniques? If not, is the methodology appropriate to
the specific LoB and underwriting portfolio?
Was motor pricing performed using statistical methods (GLM, Neural Networks, Random Forest, Other Machine Learning
methods, etc.)?
Are all actuarial opinions related to pricing based on well documented and sound actuarial methodologies?
Underwriting - Assumptions
Are assumptions backing pricing actuarial valuations clearly documented?
Were assumptions used adequately supported by the data available?
If there are any major changes compared to previous year's assumptions in pricing actuarial valuations, are they clearly
documented and explained?
Has the passage from the analysis of empirical data to the modelling of statistical distribution (model calibration) been
properly documented? (incl. inflation assumptions)
Did the model calibration phase consider if the empirical data suitably represents the future uncertain dynamics to be
modelled?
Are expert judgments on assumption setting for reserving actuarial outputs clearly documented (e.g. what were they based
on)?
Are judgments on assumption setting for reserving actuarial outputs deemed to be prudent and reasonable?
Does the appointed actuary have easy and timely access to entity's data required for pricing various products?
In the data clean-up process, were data understood and analyzed using sound statistical methods? Are such analyses
documented?
Are the actuarial product pricing calculations performed using an industrialized software? (i.e. automated software,
potentially used elsewhere in the market, provided with a strict version control process)
Are data and calculations backing pricing actuarial valuations auditable? Are they documented in such a way that they can
be easily and adequately replicated within a specified tolerance?
Are potential data deficiencies in pricing calculations managed and clearly documented in actuarial reports?
Is the level of peer review commensurate to the significance of the piece of work and levels of judgement needed and are
the people undertaking the review adequately qualified and experienced?
Are processes leading to reinsurance actuarial outputs and opinions clearly documented, so that they can be easily
understood by independent third parties and is there evidence that the documentation has been regularly reviewed,
updated to reflect any changes and signed-off by the designated authority?
Reinsurance - Methodology
Are actuarial methodologies for Life reinsurance analyses properly documented? (so that a knowledgeable third party
would be able to understand and replicate the methodology selected)
Are actuarial methodologies for Health reinsurance analyses properly documented? (so that a knowledgeable third party
would be able to understand and replicate the methodology selected)
Are actuarial methodologies for General reinsurance analyses properly documented? (so that a knowledgeable third party
would be able to understand and replicate the methodology selected)
Did the actuaries use stochastic simulation methodologies in order to assess and select the optimal retention level and
reinsurance structure?
If reinsurance choices rely on valuations of a reinsurance brokers, was there an appropriate level of challenge performed
towards the broker? Does the company change the broker on a periodic basis (i.e. at least every 5 years)?
Is there internal documented criteria for broker selection? Has it been adhered to?
Do employed methodologies rely on standard international actuarial techniques? If not, is the methodology appropriate to
the specific LoB and underwriting portfolio? (e.g. long vs. short tail LoB modelling)
Are all reinsurance actuarial opinions based on well documented and sound actuarial methodologies?
Reinsurance - Assumptions
Are assumptions backing retention level actuarial valuations clearly documented?
If there are any major changes compared to previous year's assumptions in reinsurance actuarial valuations, are they clearly
documented and explained?
Are expert judgments on retention level actuarial valuations clearly documented (e.g. what were they based on)?
Does the appointed actuary have easy and timely access to entity's data required for reinsurance analyses?
In the data clean-up process, were data understood and analyzed using sound statistical methods? Are such analyses
documented?
Are the actuarial calculations for determination of retention levels performed using an industrialized software? (i.e.
automated software, potentially used elsewhere in the market, provided with a strict version control process)
Are data and calculations backing reinsurance actuarial valuations auditable? Are they documented in such a way that they
can be easily and adequately replicated within a specified tolerance?
Are potential data deficiencies in reinsurance calculations managed and clearly documented in actuarial reports?
Are processes leading to actuarial valuations and opinions on solvency and financial position clearly documented, so that
they can be easily understood by independent third parties and is there evidence that the documentation has been
regularly reviewed, updated to reflect any changes and signed-off by the designated authority?
Do employed methodologies rely on standard international actuarial techniques? If not, is the methodology actuarially
sound?
Are all actuarial opinions on solvency and financial position based on well documented and sound actuarial methodologies?
If there are any major changes compared to previous year's assumptions in solvency and financial position actuarial
calculations, are they clearly documented and explained?
Are expert judgments on solvency and financial position actuarial opinions clearly documented (e.g. what were they based
on)?
Are judgments on solvency and financial position actuarial valuations overall deemed to be reasonable?
Are data and calculations backing actuarial opinions on solvency and financial position auditable? Are they documented in
such a way that they can be easily and adequately replicated within a specified tolerance?
Do all processes leading to actuarial opinions and assessment on asset allocation and ALM include a peer review process?
Is the level of peer review commensurate to the significance of the piece of work and levels of judgement needed and are
the people undertaking the review adequately qualified and experienced?
Does the process leading to an actuarial opinion on ALM and investments consider the outcome of sensitivity analyses and
stress testing?
Are processes leading to actuarial analyses and opinions on asset allocation and ALM clearly documented, so that they can
be easily understood by independent third parties and is there evidence that the documentation has been regularly
reviewed, updated to reflect any changes and signed-off by the designated authority?
Are ALM analyses based on a cash-flow approach (e.g. replicating portfolios) or are they limited to a duration matching
approach (e.g. immunization)?
Have the methodologies leading to ALM and investments opinions taken the Board of Directors-set risk appetite into
account?
Are they properly documented so that a knowledgeable third party would be able to understand and reproduce the
approach followed?
Other actuarial opinions - Assumptions
Are assumptions backing actuarial analyses on asset allocation and ALM clearly documented?
If there are any major changes compared to previous year's assumptions on asset allocation and ALM actuarial calculations,
are they clearly documented and explained?
Are sensitivity analyses and stress testing used in order to calibrate the model used for ALM projections?
Are ALM analyses based on a discount rate which is chosen consistently with reserves analyses and based on a sound and
documented expert judgment?
Are expert judgments on asset allocation and ALM actuarial analyses clearly documented (e.g. what were they based on)?
Are judgments on asset allocation and ALM actuarial analyses overall deemed to be reasonable?
Other actuarial opinions - Systems and Data
Is there a data quality framework aiming to ensure that actuarial analyses on asset allocation and ALM are based on high
quality data?
Does the appointed actuary have easy and timely access to entity's required data for asset allocation and ALM actuarial
calculations?
Are look-through of investment funds available in order to have investment's data at least at asset class granularity level?
Are data used in actuarial analyses on asset allocation and ALM complete?
Are data used in actuarial analyses on asset allocation and ALM accurate?
Are data used in actuarial analyses on asset allocation and ALM appropriate?
Are external data used for actuarial analyses on asset allocation and ALM complete, accurate and appropriate, also
considering their use (e.g. credibility weightings)?
Does the appointed actuary periodically review the appropriateness, completeness and accuracy of data he/ she requires
and uses for asset allocation and ALM actuarial analyses?
Does the appointed actuary periodically review the consistency of data from period to period?
Are the actuarial calculations for asset allocation and ALM, using an industrialized software? (i.e. automated software,
potentially used elsewhere in the market, provided with a strict version control process)
Are data and calculations backing actuarial analyses on asset allocation and ALM auditable? Are they documented in such a
way that they can be easily and adequately replicated within a specified tolerance?
Are potential data deficiencies in actuarial calculations on asset allocation and ALM managed and clearly documented?
Response Comments
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Oversight
S.No.
Governance and Risk Appetite
8.01
8.02
8.03
8.04
8.05
8.06
8.07
8.08
8.09
8.1
8.11
8.12
8.13
8.14
8.15
8.16
8.17
8.18
8.19
8.2
8.21
8.22
8.23
8.24
8.25
8.26
8.27
8.28
8.29
8.3
Senior Management
8.31
8.32
8.33
8.34
8.35
8.36
8.37
8.38
8.39
8.4
8.41
8.42
Risk Management
8.43
8.44
8.45
8.46
8.47
8.48
8.49
8.5
8.51
8.52
8.53
8.54
8.55
8.56
Compliance
8.57
8.58
8.59
8.6
8.61
8.62
8.63
8.64
8.65
Appointed Actuary
8.66
8.67
8.68
8.69
8.7
8.71
8.72
8.73
Internal Audit
8.75
8.76
8.77
8.78
8.79
8.8
8.81
8.82
8.83
8.84
8.85
8.86
8.87
Operational Management
8.88
8.89
8.9
8.91
8.92
8.93
8.94
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Oversight
Has the Board established an Investment Committee to extend its oversight, with clear role and responsibilities, direct
reporting to the Board?
Do the members of the Board of Directors and above committees individually and collectively have relevant knowledg
expertise, independence, information access and influence to provide adequate oversight, challenge and fulfil their tas
within the institution?
Is there a Board approved formal code of ethics program complied by all the Board members, Board committees and th
company management? And is the program reviewed on a regular basis?
Does the entity have a conflict of interest policy approved by the Board; clearly defining potential conflict of intere
situations, related parties/ transactions? and does the policy include a formal reporting mechanism to ensure time
reporting of conflict of interest issues?
Does the Board of Directors approve and regularly update the institution’s policies and formal risk assessment framewor
for risk taking, managing, monitoring and mitigating those risks, the institution is or might be exposed to, including tho
posed by the macroeconomic environment in which it operates and in relation to the status of the business cycle?
Does the Board of Directors include in their strategic discussions, the impact on the entity's risk appetite for decision
relating to mergers, acquisitions, and growth in business lines or products?
Do the Board and the Committee charters articulate the composition, qualifications / independence, responsibilities an
authorities of the Board of Directors and its committees?
Are composition and responsibilities of the Board of Directors and committees fully compliant with SAMA regulations an
circulars at a minimum?
Has the Board articulated the procedures for appointment and responsibilities of the Board Secretary?
Does the Nomination and Remuneration committee charter contain talent development and succession plan, as part of i
standing agenda?
Are Board of Directors and Board Committees’ meetings minuted and planned actions formally followed?
Does the Board and Board Committees’ meet regularly (quarterly / semi-annually, as stipulated in the SAMA guidelines)?
Are there mechanisms in place to ensure that decision-making is not dominated by any one individual or small group
individuals in a manner that is detrimental to the interests of the institution as a whole?
Does the Board of Directors ensure that annual business plans are in line with the approved risk appetite of the institution?
Are incentives/disincentives included in the remuneration policy to facilitate adherence to risk appetite?
Does the Board of Directors ensure that risk management and internal audit are sufficiently staffed to provide independe
assurances to the Board of Directors and senior management that they are operating within the approved RAF (Ri
Appetite Framework)?
Does the Board of Directors discuss with Risk Management Committee and senior management for decisions regarding th
establishment and on-going monitoring of risk appetite and risk exposures as well as material changes in the current ri
appetite / risk exposure levels, or regulatory expectations regarding risk appetite / risk exposure?
Have Board of Directors or committee members ever been convicted of a felony undermining his/her or the institution
integrity/ trustworthiness?
Are the Chair of the Board Committees (i.e. Chair of the Risk Committee, Audit Committee, Remuneration and Nominatio
Committee) approved by SAMA?
Does the insurance entity carry out once a year an internal Board effectiveness review?
Does the insurance entity carry out every 3-4 years an external Board effectiveness review ?
Has the insurance entity appointed a Senior Independent Director who is responsible for assessing the performance of th
Board Chairman?
Has the insurance entity put in place a whistle-blower policy and is there an independent Non Executive Direct
responsible for addressing whistleblow cases?
Is there a Terms of Reference for the Board and the Board Committees which clearly outline the matters reserved for th
Board and the Board Committees, the frequency of meetings, the quorum, the membership, the key responsibilities of th
Board and the Board Committees and the matters delegated to other Committees?
Senior Management
Are Senior Management members formally (documented and approved) provided with clear roles and responsibilities, jo
descriptions, authority limits and reporting lines?
Does the Senior Management possess the right skills, knowledge and experience to effectively and prudentially managin
the institution?
Have the Senior management translated the Board's set risk appetite and risk tolerances into a set of operational limits
business / functions' level?
Does the institution regularly check that its management structure is updated, comprehensive and operates smoothly?
Are there clear reporting lines for accountability, oversight and allocation of authority and responsibility among members
the management?
Is the appointment of the senior management approved by SAMA?
Does the management meet regularly, at least monthly?
Has the management formed various committees with clear roles and responsibilities on specific topics?
Does the management body approve and periodically review the strategies and policies for risk taking, managin
monitoring and mitigation of those risks to which it is exposed?
Have Senior management or committees members ever been convicted of a felony undermining his/her or institution
integrity/ trustworthiness?
Risk Management
Is the overall risk management framework appropriate to the scale and complexity of the institution?
Is the Risk Management function formally (documented and approved) provided with specific roles, responsibilities an
structure by the institute's code of corporate governance?
Does the positioning of the risk management function within the organization ensure that it is sufficiently independent?
Does the Board / Risk Management Committee approve and regularly update risk strategy, business strategy, risk appeti
framework, capital plan and internal capital allocation?
Has the institution designed a contingency plan to counter events with severe negative impact on the business?
Does the insurance entity carry out regularly (at least once a year) stress and scenario testing analysis and reverse stre
testing?
Compliance
Is there a compliance function in place that is hierarchically and functionally separated and operates independently fro
any business activity responsibilities?
Is the compliance function led by an appointed compliance officer whose performance management and compensation a
independent from the executive management and is effective in identifying and raising issues?
Is the senior management responsible for the adequacy of the organization of the compliance function and does it regular
evaluate adequacy?
Is a compliance function appropriately organized not only at group-level but also at individual-subsidiary level where group
compliance officer has responsibility for all of the group's heads of compliance? (The question applies only to KSA insuranc
and financial groups, while it does not apply to foreign insurance and financial groups and KSA non-financial group with a
insurance subsidiary)
Does the compliance function, at least annually, analyze and document the compliance risks of the institution considerin
the scope and complexity of its activities?
Is there an annual and multi-year plan of action for the compliance function which is based on a precise analysis of the ke
risks and is approved by the governing bodies and its implementation is adequately monitored?
Appointed Actuary
Does the insurer's code of corporate governance clearly define role and responsibilities of the appointed actuary?
nternal Audit
Does the position of the internal audit within the organization (hierarchical and functional) enable the function to opera
independently, autonomously and with authority?
Is the internal audit function effective in identifying and raising issues?
Is the internal audit function equipped with adequate number of trained resources who are competent in internal audit?
Does the internal audit function report directly to the Audit Committee in supervisory function?
Is there an annually updated audit plan reviewed and approved by the Audit Committee?
Do the internal audit departments of the institution's subsidiaries and branches report to the parent institution's intern
audit department? (The question applies only to KSA insurance and financial groups, while it does not apply to foreig
insurance and financial groups and KSA non-financial group with an insurance subsidiary)
Does the institution have an internal audit charter and manual duly approved by the Audit Committee that specify th
objective, scope, responsibility, authority, approach and methodology of the internal audit function?
Does the Board of Directors/ Audit committee regularly evaluate (at least once a year) the adequacy of the internal aud
function and are the observations clearly documented?
Does internal audit assess the effectiveness of the implementation, and timely reports material deficiencies of the RAF at a
organization and business levels?
Does internal audit identify whether breaches in risk limits are being appropriately identified, escalated and reported, an
report on the implementation of the RAF to the Board of Directors and senior management as appropriate?
Does internal audit assess the design and effectiveness of risk measurement techniques and Management Informatio
System used to monitor the institution’s risk profile in relation to its risk appetite and enterprise risk management?
Are there any internal and external Quality Assurance Reviews (QAR) undertaken on a regular basis? (i.e. annually f
internal QAR, while once in 5 years for external QAR)?
Has the co-sourced internal auditor (if any) ever been convicted of a felony undermining his/her or institution's integrit
trustworthiness?
Operational Management
Is there an adequate mandate along with key accountabilities and established KPIs for each Line of Business (LOB)?
Does each LOB have adequate processes, controls and technology to carry out their responsibilities?
Does each LOB have adequate resources, in terms of profile and business knowledge?
Does Risk Management have a favourable view of the risk culture of senior management and staff of each LOB?
Has each LOB developed a comprehensive business model with risk limits in line with the institution's enterprise-wide ri
appetite?
Are there financial and risk reports produced within each LOB?
Are the aforementioned financial reports comprehensive and do they clearly highlight key issues such as contr
inefficiencies and mitigating actions to address these?
Response Comments
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Conduct of Business
S.No.
Governance and Risk Appetite
9.01
9.02
9.03
9.04
9.05
9.06
9.07
9.08
9.09
9.1
9.11
9.12
Product Development
9.13
9.14
9.15
9.16
9.17
Product Promotion, Disclosure and Sale
9.18
9.19
9.2
9.21
9.22
9.23
9.24
9.25
9.26
9.27
9.28
9.29
9.3
9.32
9.33
9.34
Claims
9.35
9.36
9.37
9.38
9.39
9.4
9.41
9.42
Complaints
9.43
9.44
9.45
9.46
9.47
9.48
Privacy protection
9.49
9.5
9.51
9.52
9.53
9.54
9.55
9.56
Controls
9.57
9.58
9.59
9.6
9.61
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Conduct of Business
Is there a Code of Conduct established by the Board of Directors, which includes fair treatment of customers?
Has the entity issued a Conduct of Business policy that ensures the fair treatment of customers along the product lifecycle?
Is there a regular reporting on Conduct of Business-related indicators and controls to the Board of Directors and the Seni
Management?
Does the Senior Management regularly send appropriate messages to staff, clients and to the public underlying the focus o
Business Conduct? (so called, "Tone from the top")
Does the entity have a policy and a procedure in place to encourage anonymous whistleblowing? (both for employees an
for external parties)
Are conduct practices reflected in performance review systems for employees (e.g. through KPIs)?
What impact does negative conduct have on performance review system for employees?
And does it contribute to the assessment of the employee’s performance and their remuneration?
Are conduct practices reflected in performance review systems for external service providers (e.g. through KPIs)?
Does the Nomination and Remuneration committee guarantee the employee incentive structure is not tied to short ter
target achievement and the absence of conflicts of interest?
Product Development
Are product development procedures defined to ensure that new products are designed in the interest of customer
(please also consider the use of exclusions in the products' structure)
Are there clear procedures and organizational guidelines to ensure that the risk of potential product performance a
identified and mitigated accordingly?
Are Board of Directors and Senior Management responsibilities related to product flaws clearly defined?
In case of outsourcing, does the Insurance Company retain the right of audit – and actually conduct performance audits
brokers, agents, adjusters?
Are there procedures in place to monitor timeliness and quality of customer services?
And do these include the use of e-portals?
For savings/ investment contracts, is there disclosure of costs, both sales (commission) and management expenses?
Regarding saving/ investment contracts, are investment performance details disclosed to the client?
Claims
Does the documentation provided to customers at the time of policy issuance clearly define the steps in the claims proces
including what documentation is required, the processing timing and relevant contacts in case of claim dispute?
Is there an updated claims procedure manual which is kept up-to-date and is there training provided when an upda
occurs?
Is there a dedicated claims handling function with adequate resources and qualified staff?
Are there structures and procedures in order to ensure that claimants are kept up-to-date about claim progress mentionin
timelines for the same?
In case of claim (partial) rejection, is there a standard for documentation on rationales to be provided to the claimant?
Does the entity clearly disclose to claimants what are the contacts and processes regarding how a claim decision could b
appealed/ disputed?
In case of outsourcing, does the Insurance Company retain the right of audit – and actually conduct performance audits
brokers, agents, adjusters?
In the claims department, are there controls aimed at avoiding attempts to (1) dissuade p/h from obtaining attorney
services, (2) settle claims for less than the established (fair) amount, (3) deny claims without reasonable reasons and (
transfer claim responsibilities to others?
Complaints
Are there clear policies and processes in place to handle complaints in a timely and fair manner?
Is there an updated complaints management policy approved by the Board of Directors and enforced by the Seni
Management and does it include post-sales survey and formal customer feedback?
Is the entity provided with a dedicated complaints management function, headed by a senior manager and reporting to
senior executive?
Are complaints registered and categorized to identify and address any potential recurring problem or arising legal issue
Are they shared with the Supervisor?
In case of outsourcing, does the Insurance Company retain the right of audit – and actually conduct performance audits
brokers, agents, adjusters?
Are complainants kept informed about complaint progress, delays and eventual appeals?
Privacy protection
Have internal processes been established in order to guarantee the fair use of sensitive customer data?
Are outsourced activities monitored to guarantee the proper use of personal information?
In case any outsourcing activity involves a third party to manage customers' confidential data, is privacy protectio
mentioned in the contract with the outsourcer?
Are employees at all organization levels trained to manage customers' personal information while ensuring data protection
Is the entity equipped with an IT architecture which enables the protection of customers sensitive data?
Is there a data retention policy enforced throughout the organization and is this enforced on the IT infrastructure?
Are customers and SAMA timely informed regarding any breach of confidentiality?
Is Conduct of Business reviewed by one or more independent functions (e.g. risk management, compliance) regularly?
Controls
If an independent function is accountable for monitoring the entities' business conduct, does it report directly to the Boa
of Director?
Does the entity have in place a Conduct of Business risk assessment framework to regularly assess its own Conduct
Business profile?
Is there a regular reporting on the outcome of Conduct of Business risk assessments to Board of Directors, Seni
Management and SAMA?
Is a review of Conduct of Business included in the internal audit annual plan?
Is there evidence that a remediation plan related to any Conduct of Business-related audit findings is in place and th
management has been acting on it?
Response Comments
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Regulatory and AML
S.No.
Governance and Risk Appetite
10.01
10.02
10.03
10.04
10.05
10.06
10.07
10.08
10.10
10.11
10.12
10.13
10.14
10.17
10.18
10.19
10.20
10.21
10.22
10.23
10.24
10.26
10.27
10.28
10.29
Saudi Arabian Monetary Agency (SAMA)
Control questionnaire
Regulatory and AML
Are the responsibilities of the entity's Board and Senior Management regarding regulatory and AML risk manageme
clearly established in the Board of Directors charter ?
Are the Board members suitably qualified to get an in-depth understanding of the entity's regulatory and AML risk position
Is there a formal communication process (through MIS or other regular reports) to provide the Board and Seni
Management with regular and sufficient information, for them to assess the nature and level of the insurance entity
regulatory and AML risk?
Is managing regulatory and AML/CTF risks a specific responsibility of the Board Risk Committee or of the Audit Committee?
Does the Board Risk Committee or the Audit Committee have a mix of expertise, competencies and experience that,
combination, match the nature of the regulatory and AML risk activities?
Does the Risk Committee receive, regularly, formal reports and informal communication as appropriate in relation
regulatory and AML risk?
Is there an entity-wide Risk Assessment process related to regulatory and AML issues, which is regularly reviewed an
discussed at Board and Senior Management level?
Are there independent resources (Compliance champions) within the business functions who monitor the compliance
business processes with regulatory and AML constraints?
Are there defined and appropriate escalation processes in place to refer to the compliance and AML functions for an
identified instances of compliance and/or AML breach, by the business functions’ employees?
Is there a structured process aimed at regularly assessing the controls system and the residual risks related to regulatory an
AML issues as specified in the AML policy and manual ?
Has the entity documented a framework and a methodology to identify measure, evaluate, monitor, report and control
mitigate all material regulatory and AML risks on a timely basis?
Has the entity established an independent and adequately staffed function that ensures the identification and proper
management of regulatory and AML risk?
Are the duties of the regulatory and AML functions clearly segregated from risk-taking functions in the entity as per th
compliance charter?
Does the entity have information systems that allow a timely identification, aggregation, monitoring and reporting
regulatory and AML risk exposure to the entities’ Board and Senior Management?
Is the assessment of regulatory and AML risk based on a forward-looking framework (e.g. looking at exposure futu
potential losses and mitigating factors and is it aligned with insurance entity's business strategy)?
Does the entity perform on a regular basis regulatory and AML risk assessment exercises, and has it established an
documented policies, and procedures for the same?
Does the entity provide the board and SAMA with a regular, clear and full set of reporting documentation related
regulatory and AML risk management? (Including Action plans: development, tracking, ownership and reporting o
progress)
Has the internal audit function defined a formal training programme(encompassing e-training as well as instructor based
for maintaining its resources up-to-date with regulatory and AML risk management best practices?
Does the entity follow the recommendations issued by the internal audit function regarding regulatory and AML risk?
Response Comments