Control Questionnaire - Insurers and Reinsurers

Saudi Arabian Monetary Agency (SAMA)
Risk Based Supervision

Control Questionnaires
Insurance and Reinsurance
Company:
Questionnaire Submission Date:

Risk Based Supervision
Control Questionnaires
Insurance and Reinsurance
Introduction
The objective of this questionnaire is to understand the current state of internal controls in place at the entity to identify, quan
the purpose of overall risk evaluation at the entity level for the purpose of risk based supervision.
The attached questionnaire covers 10 risk areas which are Market Risk, Counterparty Risk, Non Life Underwriting Risk, Strateg
Outputs, Oversight, Conduct of Business and, Regulatory and AML. Separate tabs are created for each risk areas.
Questions are generally classified in the following four categories:

• Governance and Risk appetite;
• First line controls, controls at business process level;
• Second line controls representing a second layer of controls on the core activities;
• Third line controls designed to examine and assess the effectiveness and efficiency of internal controls
Instructions to fill out Control Questions

1- All questions need to be compulsorily answered.
2- Answer all questions in YES or NO. In case any question is not applicable, select Not Applicable.
3- Blank answers would be treated as NO response for the purpose of further assessment.
4- The answers to the questions should be provided on the basis of existing state of controls.
5- If the reponse to any question is "Not applicable" then a justification would need to be provided in the "Comments" column
6- A question should be answered as YES only if all the requirements mentioned in the question are satisfied, otherwise the an
Control Question:
Has the insurance entity established a Board Risk Committee including Board members in charge, among others, of the Marke
Following are some of the scenarios that shall result in a NO answer:

- Board Risk Committee not established
- Risk Committee established but does not include Board members
- Risk Committee not headed by a Board member
- Risk Committee does not cover market risk
- Risk committee in existence but does not regularly meet
Answer shall be YES if all requirements are satisfied
7- All supporting documents required to support the responses to the questionnaire will need to be submitted by December 3
ate of internal controls in place at the entity to identify, quantify and monitor risks. The information shall be utilized for
pose of risk based supervision.
Risk, Counterparty Risk, Non Life Underwriting Risk, Strategic Risk, Life Underwriting Risk, Operational Risks, Actuarial
. Separate tabs are created for each risk areas.
he core activities;
ess and efficiency of internal controls
pplicable, select Not Applicable.

e of further assessment.
f existing state of controls.
ation would need to be provided in the "Comments" column of each sheet
ts mentioned in the question are satisfied, otherwise the answer should be NO. For instance:
ding Board members in charge, among others, of the Market Risk that meets on a regular basis?
er:
s
the questionnaire will need to be submitted by December 31st 2017

Control questionnaire
Market Risk
S.No.
Governance and Risk Appetite
1.01
1.02
1.03
1.04
1.05
1.06
1.07
1.08
1.09
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1st line controls

1.25
1.26
1.27
1.28
1.29
1.30
1.31
1.32
1.33
1.34
1.35
2nd line controls

1.36
1.37
1.38
1.39
1.40
1.41
1.42
1.43
1.44
1.45
1.46
3rd line controls

1.47
1.48
1.49
1.50
1.51
1.52
Market Risk
Control Assessment Questions

Does the insurance entity have a Market Risk policy approved by the designated authority explicitly documented or as pa
of its overall investment policy covering each of the sub-risks and is it reviewed on a regular basis?
Are the Market Risk processes documented for each of the sub-risk categories and is it reviewed on a regular basis by th
designated committee?
Does the insurance entity have a Board of Directors' charter articulating the Board and Senior Management's roles an
responsibilities towards market risk management?
Are the Investment Committee members suitably qualified to get an in-depth understanding of the insurance entity
Market Risk position?
Is there a formal communication process (through MIS or other regular reports) to provide the Board and Seni
Management with regular and sufficient information, for them to assess the nature and level of the insurance entity
Market Risk?
Has the insurance entity established a Board Risk Committee in charge of the Market Risk and does this committee meet o
a regular basis?
Has the insurance entity established a Management Risk Committee that is chaired by the CRO, including the CEO and Hea
of Investments, which has a standing agenda item to monitor Market Risk and does the committee meet on a regular basis
Do the Board Risk Committee and Board Investment Committee regularly review the strategy, policies and processe
for the management of Market Risk?
Does the Board Risk Committee receive regular weekly/ monthly/quarterly reports and any informal communication
appropriate from the Risk Control function and the Chief Risk Officer in relation to Market Risk?
Has the insurance entity defined a Risk Appetite Statement (RAS) within the Risk Appetite Framework (RAF) which
approved, monitored and regularly reviewed by the Board and implemented by Senior Management that includes Mark
Risk metrics?
Does the Board approve appropriate thresholds or limits for specific Market Risks, and an overall risk appetite?
Does the RAF articulate the nature, types and levels of Market Risk that the insurance entity is willing to assume?
Are the insurance entity's activities consistent with the risk limits and risk tolerances established within RAF in relation
Market Risk?
Does the insurance entity have a procedure document in place that provides a brief outline of the roles and responsibiliti
of the key stakeholders and concerned departments for Market Risk management?
Do the Board of Directors review instances of breaches pertaining to regulatory and internal policies, limits along wi
justification notes for any breaches recorded?
Does the Board Risk Committee approve the risk management framework adopted by the insurance entity including ri
categories that explicitly include Market Risk and its sub-risks including interest rate risk, equity risk, property risk, curren
risk, spread risk and liquidity risk and is the framework updated on a regular basis?
Does the Board Risk Committee establish an enterprise risk profile for the insurance entity that explicitly covers monitorin
& reporting on Market Risk and is the profile updated on a regular basis?
Does the Market Risk Committee undertake Market Risk identification, assessment, monitoring, reporting and analys
associated with Treasury Operations (including capital market operations), formulation of policies, setting of risk parameter
overseeing compliance?
Does the Market Risk Committee ensure appropriate internal controls are in place for Market Risk management activities?
Does the Market Risk Committee ensure appropriate systems are in place for tracking, monitoring and reviewing market ri
limits for effective Market Risk management?
Does the insurance entity have a governance framework approved by the designated authority around market risk mod
development, model usage and model validation procedures and are they in line with SAMA requirements?
For any control gap(s) reported by the risk management department during the past 12 months (or any other designate
department) to the Board Risk Committee and Board Investment Committee, is there a documented implementation plan
mitigate the control deficiencies?
Does the insurance entity have a documented terms of reference authorizing the Board Investment Committee f
approving policies on related issues of a more operational nature, including:
a) The criteria for selection of the external investment manager(s).
b) The selection and use of partners and brokers.
c) The nature of custodial arrangements.
d) The methodology and frequency of the performance and investment risk measurement and analysis
Does the insurance entity have an investment policy documented by Board Investment Committee and is th
implementation of the stated investment activities reviewed by the committee on a regular basis? Does the investme
policy contain (but not limited to) the following activities:
a) Reviewing the performance of each asset class.
b) Monitoring the overall risks of the policy.
c) Submitting a performance review report to the Board of Directors.
d) Insurance entity invests only in assets where it can manage/ monitor/ control the risks in an appropriate manner.
1st line controls

Does the insurance entity have a documented investment strategy approved by the designated authority and does it outlin
the Market Risk appetite and tolerance limits cascading to operational limits for monitoring the insurance entity's mark
risk profile at business level?
Is look-through available for investment funds to capture the risk at an instrument type level which arises by virtue of th
investments held by a fund in which a insurer/(re)insurer itself has invested?
Are Market Risk limits monitored on a continuous basis (e.g. on a monthly basis or more frequently)?
Does the insurance entity have stop loss limits in place?
Are there currency-wise limits in place with respect to the net open position?
Does the insurance entity have limits for each counterparty based on the potential future exposure (PFE's)?
Does the insurance entity have procedures defined in its policies that are approved by the designated authority f
identifying shifts / aberrations / deviations from the approved market risk strategy and target markets?
Does the insurance entity perform risk and Control Self Assessment (RCSAs) to capture all the material inherent market ris
and are the subsequent mitigating controls mapped to each of identified risks?
Has the risk identification process been carried out to capture all material market events and documented by the ri
management department since the last audit due to any of the following factors:
- New Business and Change Initiatives
- Control Lapses
- Operational losses
- Infrequent but severe events
- External events
- Changes in SAMA regulations requiring specific methodologies or regulatory disclosure requirements
- Identification of assets which are considered most complex
- Is there a reporting mechanism in place to report critical events to the designated authority?
Is there a process in place to ensure that foreign investment holdings are within the prescribed limits specified by SAMA
its regulations (i.e. capped at 20% of the total investment) and any exceptions identified are reported to the designate
authority for dispensation?
Does the insurance entity take into consideration the investment concentration risks prescribed by SAMA wide i
regulations and monitor/ report/ rebalance for any limit breaches? Concentration in an investment instrument shall n
exceed 50% in one investment instrument.
2nd line controls
Is there a team focusing on Asset Liability Management and/or on Financial Risk Management, independently from th
investments team? Does the ALM team consider the appropriateness (e.g. nature, term, currency, etc.) of the liabilities.
Does the insurance entity have a process in place to maintain a repository of all the applicable SAMA guidelines related
Investments and Market Risk?
Is there a process in place for identifying new guidelines issued, updation of the existing repository and a checklist progra
to ensure compliance to applicable guidelines/ circulars?
Has the insurance entity obtained SAMA’s approval on its most recent investment policy approved by the designate
authority and any material changes that might apply to it?
Are the duties of the risk management function for Market Risk clearly segregated from risk-taking functions in th
insurance entity?
Has a Compliance function (clearly segregated from the investment team) been set up in charge of checking complianc
with the investment regulation?
Does the insurance entity with composite insurance operations, e.g. protection and savings in addition to general an
health activities, have different investment objectives and strategies which are approved by the designated authori
appropriate for both classes of business, as well as different books for each of them?
Does the insurance entity describe its outsourcing policy and maintain control, ownership, and oversight over th
outsourced investment portfolio by following a present delegation matrix?
Is there a documented due diligence mechanism approved by the designated authority for engaging with extern
investment manager(s) and does it ensure that the external entity is professional and reputable and licensed by the Capit
Market Authority (CMA)?
When engaging with external investment manager(s), does the insurance entity obtain a signed outsourcing agreement wi
the external investment manager and submits to SAMA for approval?
Does the risk management department accurately measure the status of market liquidity and report to Senior Manageme
and/ or Board on a quarterly or more frequent basis as required?
3rd line controls
Are all open issues related to the investment function and/or Market Risk from the latest Internal Audit report investigate
and resolved?
Does the Internal Audit work program cover the policy and regulatory compliance aspects related to investment regulation
and is it updated on a regular basis?
Are Internal Audit staff properly trained on the Market risk and are aware of the various aspects related to Market Risk?
Does the Internal Audit function include in its annual plan a review of risk management process and governanc
regarding Investment function and Market Risk?
Has the internal audit function defined a formal training (encompassing trainings as well as instructor based) programme f
ensuring its Investment function and Market Risk resources are up-to-date?
Has the insurance entity implemented all recommendations issued by the Internal Audit function regarding Market Risk an
put in place mitigation plans?
Response Comments
Counterparty Default Risk
S.No.
2.01
2.02
2.03
2.04
2.05
2.06
2.07
2.08
2.09
2.1
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
1st line controls

2.19
2.2
2.2
2.21
2.21
2.22
2.22
2.23
2.23
2.24
2.24
2nd line controls

2.25
2.26
2.27
2.28
2.29
2.3
2.31
3rd line controls

2.32
2.33
2.34
Counterparty Default Risk

Does the entity have in place a counterparty risk policy approved by the designated authority in which risk policies an
processes related to counterparty default risk appropriately documented which is reviewed and updated on a regular basis
Are the responsibilities of the company’s Board and Senior Management regarding counterparty default risk manageme
clearly established in the Board of Directors charter?
Are the Board members suitably qualified to get an in-depth understanding of the company’s counterparty default ri
position?
Management with regular and sufficient information, for them to assess the nature and level of, the insurance entity
counterparty risk?
Has the insurance entity established a designated Risk Committee including Board members in charge, among others, of th
counterparty risk and does this committee meet regularly?
Does the entity have policies and procedures for reinsurance which include the criteria for selection of reinsurers and th
maximum ceding limits per reinsurer by LOB?
Has the company established a designated middle-management committee to support the top management or the Board
Directors in managing counterparty default risks?
Has the Risk Committee a mix of expertise, competencies and experience that, in combination, match the nature of th
counterparty default risk activities?
Does the Board include non-executive members with reinsurance experience?
Does the Board regularly review the strategy, policies and processes for the management of reinsurance an
counterparty default risk?
Does the Risk Committee receive, regularly, formal reports and informal communication as appropriate from the Ri
Control function in relation to counterparty default risk?
Has the Board and the Risk Committee established the nature, the format, the amount and the frequency of the informatio
on reinsurance and counterparty default risk?
Has the company defined a Risk Appetite Framework (RAF) which is approved, monitored and regularly reviewed by th
Board and implemented by Senior Management that includes counterparty default risk?
Does the Board approve appropriate thresholds or limits for specific counterparty default risks, and an overall risk appetite
Are the changes to the risk appetite statement appropriately documented in line with SAMA prescribed guidelines an
counterparty concentration exposure limits? (As defined in the SAMA Circular - Principles for an Effective Risk Appeti
Framework, published date - 14/11/2016)
Does the RAF articulate the nature, types of levels of counterparty default risk that the company is willing to assume?
Is a set of tolerances regarding counterparty default risk regarding counterparty risks such as geographic, industr
government/nongovernment etc. with respect to concentration, minimum credit rating and regulatory limits establishe
and regularly reviewed?
Have risk appetite and tolerances been cascaded to operational limits to monitor the company's counterparty default ri
profile at business level?
1st line controls
Are there structured processes in the risk appetite to monitor operating limits at business process level?
Apart from a set of tolerances or limits, does the RAF include a wide array of measures to monitor the company
counterparty risk profile for example but not limited to counterparty strategy, stress testing, scenario analysis, risk an
performance indicators and comparative analysis?
Are there structured processes to ensure that data on exposure are complete, accurate and appropriate (e.g. updated on
continuous basis)?
Are receivables actually tracked, aged and actively managed?
Has the entity defined a set of standard checks to be filled before authorizing a reinsurer as a counterparty?
Has the entity defined a set of standard checks to be filled before authorizing an agent as a counterparty?
Has the entity defined a set of standard checks to be filled before authorizing a broker as a counterparty?
Has the entity defined a set of standard checks to be filled before authorizing a bank as a counterparty?
Are limits monitored on a continuous basis? (e.g. on a monthly basis or more frequently)
If the company experienced any breach in counterparty default risk limits, was the breach identified in less than 1 week
average?
If the company experienced any breach in counterparty default risk limits, was the breach solved or managed in less than
weeks in average?
2nd line controls
Has the company documented counterparty default risk management process and policies to identify measure, evaluat
monitor, report and control or mitigate all material counterparty default risks on a timely basis?
Has the company established an independent Risk Management Function that ensures the identification, management an
reporting of counterparty default risk?
Are the duties of the risk management function for counterparty default risk clearly documented and segregated from ris
taking functions in the company?
Does the company have information systems that allow a timely identification, aggregation, monitoring and reporting
counterparty default risk exposure to the Board and Senior Management?
Has the company defined a forward-looking stress testing program related to counterparty default risk as an integral part
the risk management process?
For each treaty and facultative, did the Appointed Actuary make an assessment followed by a formal recommendation o
the choice of reinsurance counterparty?
Has a Compliance function been set up in charge of checking compliance with the regulation around counterpartie
receivables and reinsurance?
3rd line controls
Does the internal audit function include in its annual plan a review of risk management and processes regardin
reinsurance and counterparty default risk?
Has the internal audit function defined a formal training programme(encompassing e-training as well as instructor based
for maintaining its resources up-to-date with counterparty default risk management best practices?
While observing the internal audit recommendations, does the company follow the recommendations issued by the intern
audit function regarding counterparty default risk and are mitigation plans in place for the aforementione
recommendations?
Response Comments
Non-life Underwriting
S.No.
3.01
3.02
3.03
3.04
3.05
3.06
3.07
3.08
3.09
3.1
3.11
3.12
3.13
3.14
3.15
3.16
3.17
3.18
3.19
3.2
3.21
3.22
3.23
1st line controls
3.24
3.25
3.26
3.27
3.28
3.29
3.3
3.31
3.32
3.33
3.34
3.35
3.36
3.37
3.38
2nd line controls

3.39
3.4
3.41
3.42
3.43
3.44
3.45
3rd line controls

3.46
3.47
3.48
Non-life Underwriting

Does the entity have in place an underwriting risk policy approved by the designated authority in which risk policies an
processes related to Non - Life Underwriting risks are appropriately documented and is it reviewed on a regular basis?
Are the responsibilities of the company’s Board and Senior Management regarding Non - Life Underwriting ri
management clearly established in the Board of Directors charter?
Are the Board members suitably qualified to get an in-depth understanding of the company’s Non - Life Underwriting ri
position?
Management with regular and sufficient information, for them to assess the nature and level of, the insurance entity's Non
Life Underwriting risk?
Has the insurance entity established a Board Risk Management Committee in charge of the Non - Life Underwriting ris
that meets on a regular basis?
Are technical reserves presented to and approved by the Board of Directors together with an actuarial report?
Does the Appointed Actuary's report to the Board explain why reserves are adequate, set out the key assumptions an
judgements, and highlight the uncertainty around the reserves along with the testing carried out to quantify th
uncertainty?
Are there clear documented processes and policies for calculation, updating and approval of the technical reserves?
Is an actuarial report / opinion taken into consideration within the approval process of any product?
Are there clear processes leading to the approval of a new product, from product design to technical and commerci
pricing?
Are factors such as approach and capability for setting up reserves considered, at the time of product design?
If the company writes Motor products, does the Appointed Actuary submit an annual pricing report to the Company
Management, Board of Directors and SAMA, in accordance with to the guidelines provided by SAMA?
If the company writes Medical Expenses products, does the Appointed Actuary submit an annual pricing report to th
Company's Management, Board of Directors and SAMA, in accordance to the guidelines provided by SAMA?
Has the company established a designated middle-management committee to support the top management or the Board
Directors in managing Non - Life Underwriting risks?
Is the company's Board Risk Committee provided with a mix of expertise, competencies and experience that,
combination, match the nature of the Non - Life Underwriting risk activities?
Does the Board regularly review the strategy, policies and processes for the management of Non - Life Underwritin
risks?
Does the Risk Committee receive regular formal weekly/ monthly/ quarterly reports and any informal communication
appropriate from the Risk Management function and the Chief Risk Officer in relation to Non - Life Underwriting risk?
Board and implemented by Senior Management that include Non - Life Underwriting risks?
Does the Board approve appropriate thresholds or limits for specific Non - Life Underwriting risks, and an overall ri
appetite?
Does the RAF articulate the nature and types of levels of Non - Life Underwriting risk that the company is willing to assume
Is a set of tolerances regarding Non - Life Underwriting risks clearly established and regularly reviewed?
Have underwriting risk appetite and tolerances been cascaded to operational limits to monitor the company's Non - Li
Underwriting risk profile at business level?
Are the company's activities consistent with the RAF in relation to Non - Life Underwriting risk?
1st line controls
Are there structured processes to monitor operating limits at business process level?
Apart from a set of tolerances or limits, does the RAF include a wide array of measures to monitor the company's Non - Li
Underwriting risk profile?
Are product design, pricing structure and product overall plan consistent with each other and is there a process to identi
and assess emerging risks or new types of claim with an appropriate feedback loop to the product design team an
underwriters and actuaries?
Does the company use an established industry software for pricing? Or if bespoke software is used, does the company hav
robust controls in place to validate the calculations?
For catastrophes exposure assessment, are standard industry software used (e.g., RMS), or event loss tables obtained v
brokers?
Does a process exist for the consideration of RDSs (Realistic Disaster Scenarios)?
Is there an automated database linking product design and underwriting processes to ensure that pricing data are granul
and kept up-to-date?
Are all non-life sub risks limits monitored on a continuous basis? (e.g. on a monthly basis or more frequently)
Is there a monitoring process to ensure that commercial prices do not differ from technical prices above the allowe
flexibility range? And are any differences outside of the range have been justified and signed-off?
Are there adequate operational procedures related to how to calculate case reserves and claims reserve and communicatin
and agreeing operational changes with the reserving actuaries?
Is there a separate team, within the underwriting departments, monitoring the Non - Life Underwriting performance an
the Non - Life Underwriting risk limits ?
Does a process exist to ensure standard policy wordings are adhered to by Underwriters while ensuring that there is n
proliferation of bespoke (unapproved) policy wordings?
Are there systematic or manual processes in place to differentiate the various characteristics of the insured risk and/
safety and security measures implemented by the policyholder, while pricing the insured property, motor vehicle or oth
non-life risks?
Does a process exist to ensure the following:
• clear guidance to underwriters for the use of FAC or individual risk reinsurance
• Reinsurance provides back-to-back cover with the portfolio it is protecting and that no difference between insuranc
written and reinsurance cover provided could exist?
• Measure accumulation of exposure at the time of underwriting to ensure no breach of reinsurance terms?
Does a process exist to ensure that premium is earned in line with the underlying exposure, as opposed to level through th
term of the policy, where the exposure is not level through the policy term. E.g. for construction risks?
2nd line controls

Has the company documented Non - Life Underwriting risk management policy aimed to identify, measure, evaluat
monitor, report and control/mitigate all material Non - Life Underwriting risks on a timely basis?
Has the company established an independent Risk Management Function that ensures the identification, management an
reporting of Non - Life Underwriting risk?
Are the duties of the risk management function for Non - Life Underwriting risk clearly documented segregated from ris
taking functions in the company?
Does the company have information systems that allow a timely identification, aggregation, monitoring and reporting
Non - Life Underwriting risk exposure to the Board and Senior Management?
Has the company defined a forward-looking Non - Life Underwriting risk stress testing program as an integral part of the ri
management process?
Has the company established policies, procedures and controls for the use of its Non - Life Underwriting risk assessme
methodologies?
Has a Compliance function (clearly segregated from the Non - Life Underwriting team) been set up in charge of checkin
compliance of Underwriting practices with existing laws, regulations and regulatory circulars?
3rd line controls

Does the internal audit function include in its annual plan a review of risk management and processes regardin
Non - Life Underwriting risks?
for maintaining its resources up-to-date with Non - Life Underwriting risk management best practices?
Looking at the current status of internal audit recommendations, does the company follow the recommendations issued b
the internal audit function regarding Non - Life Underwriting risk and are mitigation plans in place?
Response Comments
Strategic Risk
S.No.
4.01
4.02
4.03
4.04
4.05
4.06
4.07
4.08
4.09
4.1
4.11
4.12
1st line controls

4.13
4.14
4.15
4.16
4.17
2nd line controls

4.18
4.19
4.2
4.21
4.22
4.23
3rd line controls

4.24
4.25
4.26
4.27
Strategic Risk

Are strategic decisions and risk implications discussed in various Board committees before approval (e.g. Board executiv
committee, Risk Committee, other potential Management committees as the ALM Committee)?
Are strategic decisions taken by the Senior Management consistently taking strategic risk implications into consideratio
including emerging risks and competitive changes in its existing markets (e.g. telematics)?
Does the Board requests and discusses sensitivity analyses / stress tests on the key assumptions underlying the plan?
Does the Board of Directors carry out independent review of strategic plan/initiative proposed by Management on a regul
basis?
Management with regular and sufficient information, regarding strategic risks, plans and initiatives being undertaken
manage those risks?
Has the insurance entity established a Board Risk Committee including Board members in charge, among others, of strateg
risks and does the committee meet on a regular basis?
Are the strategic risk policies and processes documented for each of the sub-risk categories and approved by the designate
authority and are they reviewed and updated on a regular basis?
Are the responsibilities of the entity’s Board and Senior Management regarding strategic risk management clear
established in the strategic risk policy ?
Has the entity defined a Risk Appetite Framework (RAF) which includes strategic risks and is monitored and regular
reviewed by the Board on a regular basis and implemented by Senior Management?
Are changes to the strategic plan approved by the Board and based on documented strategic risk considerations?
Has the Board established benchmarks (such as KPIs) for measuring strategic objectives from quantitative and/or qualitativ
aspects?
Does the Board periodically review strategic objectives to monitor the status of their achievement, taking into account th
underlying risks?
1st line controls
Are macro risks (e.g. market and competitive conditions, regulatory conditions, etc.) monitored on a regular basis (e.
quarterly) to decide whether a strategic adjustment is needed?
Are there structured processes approved by the designated authority to monitor strategic limits at business process lev
and reviewed and/or updated on a regular basis?
Is there are formal process to ensure staffing is appropriate in terms of size and skillset of resources required to execute th
strategy?
Does the insurance entity have a governance framework approved by the designated authority around implementation
the initiatives formalized in the strategy plan?
Has the strategic direction been translated into business level objectives and / or targets and are they assigned wi
responsible personnel to ensure that those targets are properly met?
2nd line controls
Does the entity have an independent Risk Management Function as part of its overall risk management framework and
the risk management function actively involved in strategic planning, reviews and decisions, with a focus on identifyin
monitoring and managing strategic risks?
Does the Risk Management function propose forward -looking stress and scenario tests to assess the exposure to strateg
risk and suggest mitigating actions?
Has the company documented risk management policies and processes as part of the risk management framewo
approved by the designated authority to identify, assess, monitor, report and mitigate strategic risk?
Is there a process to challenge and monitor performance and outcome of strategic initiatives vs. the strategic plan?
Is the Head of Compliance involved in strategic decisions to provide input on regulatory and policy evolutions?
Does the CRO ensure consistency of entity’s strategy with other plans such as its capital management plan, ri
management strategy and, where applicable, the wider Group business plan?
3rd line controls
Does the internal audit function include in its annual plan a review of risk management and processes regarding strateg
risk?
Has the internal audit function defined a formal training (encompassing e-trainings as well as instructor based) programm
for ensuring its resources are up-to-date with strategic risk assessment?
Does the company follow the recommendations issued by the internal audit function regarding strategic risk and put
place mitigation plans?
Does the internal audit function performs a validation / follow-up audits to determine whether all observations on strateg
risks have been timely and adequately addressed?
Response Comments
Life Underwriting
S.No.
5.01
5.02
5.03
5.04
5.05
5.06
5.07
5.08
5.09
5.1
5.11
5.12
5.13
5.14
5.15
5.16
5.17
5.18
5.19
5.2
5.21
1st line controls
5.22
5.23
5.24
5.25
5.26
5.27
5.28
5.29
5.3
5.31
2nd line controls

5.32
5.33
5.34
5.35
5.36
5.37
5.38
3rd line controls

5.39
5.4
5.41
5.42
5.43
Life Underwriting

Does the entity have in place an underwriting risk policy in which risk policies and processes related to Life Underwritin
risks are appropriately documented and have been approved by the designated authority and reviewed on a regular basis?
Are the responsibilities of the Company’s Board and Senior Management regarding Life Underwriting risk manageme
clearly established in the Board of Directors charter?
Are the Board Members suitably qualified to get an in-depth understanding of the Company’s Life Underwriting ri
position?
Management with regular and sufficient information, for them to assess the nature and level of the insurance entity's li
underwriting risk?
Has the insurance entity established a Board Risk Committee including Board members in charge, among others, of the Li
Underwriting risk and does the committee meet regularly?
Are reserves presented to and approved by the Board of Directors, together with an actuarial report, in which th
Appointed Actuary explains why reserves are adequate?
Are there clear processes leading to the approval of technical reserves as specified in the policies and procedures f
development and updating of the technical reserves?
Does the Appointed Actuary present an actuarial report for any new product to back up the applied tariff considering i
sustainability and profitability?
Are there clear processes leading to development and approval of new Life products?
Has the company established a designated committee in order to support the Senior Management or the Board of Directo
in managing life underwriting risks?
Does the Board Risk Committee have a mix of expertise, competencies and experience that, in combination, match th
nature of the Life Underwriting risk activities?
Does the Board regularly review the strategy, policies and processes for the management of Life Underwriting risks?
Does the Board Risk Committee receive regularly formal reports and informal communication as appropriate from the Ri
Management function, the Chief Risk Officer and the Appointed Actuary in relation to Life Underwriting risk?
Board and implemented by Senior Management that includes Life Underwriting risks?
Does the Board approve appropriate thresholds or limits for specific Life Underwriting risks, and an overall risk appetite?
Does the RAF articulate the nature and degree of Life Underwriting risk that the Company is willing to assume?
Is a set of tolerances or limits regarding Life Underwriting risks clearly established and regularly reviewed?
Has the Company set up a risk-based metric of capital to be allocated to Life Underwriting risk, aligned with its risk appetite
Have Life Underwriting risk appetite and tolerances been cascaded to operational limits to monitor the Company's Li
Underwriting risk profile at business level?
Are the Company's activities consistent with the RAF in relation to Life Underwriting risk?
Does the Board of Directors monitor complaints in relation to Life products?
1st line controls
Are there structured processes to monitor operating limits at business process level?
Apart from Life Underwriting risk limits, does the RAF include a wide array of measures to monitor the Company's Li
Underwriting risk profile?
Are the Life Underwriting risk limits monitored on a continuous basis (e.g. on a monthly basis or more frequently)?
Are product design, pricing structure and product plan overall consistent with the overall strategy of the entity?
Is there an automated database linking product design and Life Underwriting processes to ensure that pricing data
granular and kept up-to-date?
Is there a monitoring process to ensure that commercial prices do not differ from technical prices above the allowe
flexibility range and any deviations from the allowable range are justified and signed-off?
Are there operational procedures specifying how to calculate reserves?

Is there a separate team, within the Underwriting departments, monitoring the Life Underwriting performance and the Li
Underwriting risk limits?
Has the senior management established explicit processes to prevent mis-selling of Life products?
Is there a formal and documented process to ensure that marketing material and illustrative models for Life products a
kept up to date in relation to actual product features?
2nd line controls

Has the company documented Life Underwriting risk management process and policies to identify, measure, evaluat
monitor, report and mitigate all material Life Underwriting risks on a timely basis?
Has the Company established an independent Risk Management Function that ensures the identification and prop
management of Life Underwriting risks?
Are the duties of the Risk Management Function for Life Underwriting risk clearly segregated from risk-taking functions
the Company as specified in the Enterprise Risk Management Governance Framework ?
Does the Company have IT systems that allow a timely identification, aggregation, monitoring and reporting of Li
Underwriting risk exposure to the Board and Senior Management?
Has the Company defined a forward-looking Life Underwriting risk stress testing program as an integral part of the ri
management process?
Has the Company established policies, procedures and controls for the use of its Life Underwriting risk assessme
methodologies?
Is a Compliance function (clearly segregated from the Life Underwriting team) been set up in charge of checking complianc
of Life Underwriting practices with existing laws, regulations and regulatory circulars?
3rd line controls

Does the Internal Audit function include in its annual plan a review of risk management and processes regarding Li
Underwriting risks?
Has the Internal Audit function defined a formal training programme (encompassing e-training as well as instructor base
for maintaining its resources up-to-date with Life Underwriting risk management best practices?
After receiving the Internal Audit recommendations, does the Company follow the recommendations issued by the intern
audit function regarding Life Underwriting risk? Are mitigation plans in place?
Does the Internal Audit work program covers the policy and regulatory compliance aspects related to Life Underwritin
regulations and circulars?
Is the Internal Audit staff properly trained on Life Underwriting risks and aware of the various aspects related to Li
Underwriting risk?
Response Comments
Operational risk
S.No.
6.01
6.02
6.03
6.04
6.05
6.06
6.07
6.08
6.09
6.1
6.11
6.12
6.13
6.14
6.15
1st line controls

6.16
6.17
6.18
6.19
6.2
6.21
6.22
6.23
6.24
6.25
6.26
6.27
6.28
6.29
6.3
6.31
6.32
6.33
6.34
6.35
6.36
6.37
6.38
6.39
6.4
6.41
6.42
6.43
6.44
2nd line controls

6.45
6.46
6.47
6.48
6.49
6.5
6.51
6.52
3rd line controls

6.53
6.54
6.55
6.56
6.57
Operational risk

Does the insurance entity have a Board of Directors' and Risk Management Committee charter articulating the Board an
Senior management's roles and responsibilities towards operational risk management?
Are the Board members suitably qualified to get an in-depth understanding of the entity’s operational risk position?
Management with regular and sufficient information, for them to assess the nature and level of, the insurance entity
operational risk?
Does the Risk Committee receive regular weekly/ monthly/ quarterly reports and any informal communication
appropriate from the risk management function in relation to operational risk?
Does the Board of Directors review the outcomes of scenario assessments of Operational risk events on a regular basis (
least annually)?
Has the insurance entity established a Board Risk Management Committee in charge of the operational risk that meets on
regular basis?
Does the Risk Management Committee have a mix of expertise, competencies and experience that, in combination, matc
the nature of the operational risk activities?
Does the Board regularly review the strategy, policies and processes for operational risk management?
Does the organizational structure include a number of resources specifically allocated to operational risk management, wi
suitable competencies?
Does the entity have an outsourcing policy approved by the board of directors and are there internal controls in place
monitor the appropriateness and proper execution of the outsourcing policy and outsourcing approval processes?
Does the entity have a Board approved Risk Appetite Framework (RAF) that includes operational risk and is it monitore
regularly reviewed by the Board and implemented by Senior Management?
Are there clearly established and regularly reviewed set of limits regarding operational risk and are any changes made to th
risk appetite statement documented and in line with regulatory guidelines prescribed by SAMA?
Are the entity's activities consistent with the RAF in relation to operational risk?
Does the RAF articulate the nature, types and levels of operational risk that the entity is willing to assume?
Does an information/cyber security function or information/cyber security committee exist at the entity with clear roles an
responsibilities to ensure independent monitoring, enforcement and continuous improvement of information securi
practices, policies and procedures?
1st line controls

Has the entity established an environmental security policy approved by the designated authority, covering th
implementation of the following controls at a minimum (e.g. temperature monitors, fire detection systems, redunda
power supplies, redundant climate control systems)?
Does the entity have a formal process to assess and continuously improve physical and environmental security of da
processing facilities (regardless if data processing facility is managed by the entity or outsourced to a third party servic
provider)?
Has the entity performed a business impact analysis (BIA) exercise of its application systems to be able to understand ho
much loss is incurred over time in the event of a system outage?
Does the entity have Service level agreements approved by the designated authority with defined roles and responsibiliti
between the IT department and all departments which use IT services and are the service level agreements reviewed on
regular basis?
Does the entity record and appropriately classify all issues related to IT systems in a systematic manner and record the tim
required to resolve each such issue (e.g. system outage, cyber security incident, system error/bug)?
Apart from a set of tolerances or limits, does the RAF include a wide array of measures to monitor the entity's operation
and fraud risks profile?
Does the firm carry out stress and scenario testing on operational risk at least annually?
Are there IT systems in place for continuous monitoring of operational risks?
Does the entity have documented standard operating procedures and controls on operational risks for business-as-usu
activities?
Does the entity have documented business continuity management system which covers critical business processes?
Does the entity have a fraud risk management policy approved by the designated authority outlining the potential scenario
for internal and external frauds the entity may be exposed to and guidelines (i.e. prevention controls) for combating them?
Is there a formal mechanism (e-trainings and instructor based) for fraud awareness in place?
Does the entity have detailed procedures documented for all its business processes and formal training (e-learning an
instructor based) sessions for employees to reduce human errors in business activity execution?
Does the entity have automated controls for its critical processes (critical processes as defined by SAMA wide its regulation
such as underwriting/ claims handling systems, including blocking rules and alert messages and are these controls validate
and remediated on a regular basis?
Are the procedures pertaining to claims handling adequately documented and comprehensive to include all condition
requirements (i.e. checklists for required documentation and conditions before processing any claims)?
Are there appropriate systems and procedures to discourage, detect, respond and review external frauds?
Are the guidelines pertaining to underwriting adequately documented to avoid mis-pricing and mis-selling of vario
products?
Does the entity have formal policies and procedures for loss data collection relating to operational risks and is updated on
regular basis?
Has the entity established appropriate policies, procedures and implemented adequate controls pertaining to da
communication over internal and external networks (e.g. data encryption)?
Are underwriting systems and claims systems properly integrated with financial and actuarial systems?
Has the entity established a physical security policy with defined roles and responsibilities (e.g. covering access to asse
and associated facilities limited to authorized users, processes, or devices, etc.)?
Are information and records (data) managed consistently with the organization’s risk strategy to protect the confidentialit
integrity, and availability of information?
Are information system and assets monitored at discrete intervals to identify cyber security events and verify th
effectiveness of protective measures?
Are the organization’s personnel and partners (e.g. agents) provided with cyber security awareness education/training
help them enhance their skills in implementing information security measures?
Does the entity have a human resource policy approved by the designated authority covering code of ethics and standard
for professional conduct for fair and equal treatment of all employees?
Does the human resource team conduct regular surveys to gauge employee satisfaction and is there a mechanism in plac
for addressing employee concerns/ grievances?
Does the entity have a succession plan approved by the board of directors that highlights key sensitive positions an
procedures for limiting key man dependencies?
Are there in place reporting procedures for employees at all organizational levels to communicate operational risks an
events in a clear and timely manner?
Are there in place appropriate systems to guarantee the implementation and monitoring of outsourcing procedures?
2nd line controls

Does the entity have documented operational risk management process and policies to identify measure, evaluate, monito
report and control or mitigate all material operational risks on a continuous and timely basis?
Does the entity have an independent Risk Management Function as part of its overall risk management framework an
does the risk management function ensure all material operational risks are identified, monitored, reported an
remediated?
Are the duties of the risk management function for operational risk clearly segregated from risk-taking functions within th
entity?
Does the entity have information systems that allow a timely identification, aggregation, monitoring and reporting
operational risk exposure to the entity’s Board and Senior Management?
Are there policies and procedures for maintaining information security including physical and electronic records, an
reporting of information security breaches to the senior management?
Have the entity established policies, procedures and controls for applying operational risk assessment methodologies
each business process?
Are there policies and procedures approved by the designated authority to record and report operational losses, potenti
losses and near-miss events?
Are Legal and Compliance functions in charge for the evaluation, approval, periodical review and renewal of outsourcin
contracts?
3rd line controls
Does the internal audit function include in its annual plan a review of risk management and processes regarding operation
and fraud risks?
Has the internal audit function defined a formal training (encompassing e-trainings as well as instructor based) programm
for ensuring its resources are up-to-date with best practices in operational and fraud risk management?
Is there a documented remediation / mitigation plan for closing issues raised by internal audit on operational and frau
risks?
Does the entity timely follow the recommendations issued by the internal audit function on operational and fraud risks?
Do outsourcing contract have clause related to right to audit the outsourcer?

Response Comments
Actuarial Outputs
S.No.
7.01
7.02
7.03
7.04
7.05
7.06
Reserving - Opinion Reporting

7.07
Reserving - Methodology
7.08
7.09
7.1
7.11
7.12
7.13
7.14
7.15
7.16
7.17
7.18
Reserving - Assumptions
7.19
7.2
7.21
7.22
7.23
7.24
7.25
Reserving - Systems and Data

7.26
7.27
7.28
7.29
7.3
7.31
7.32
7.33
7.34
7.35
7.36
7.37
7.38
7.39
7.4
7.41
7.42
Underwriting - Governance and Process

7.43
7.44
7.45
7.46
7.47
7.48
7.49
Underwriting - Methodology
7.5
7.51
7.52
7.53
7.54
7.55
7.56
Underwriting - Assumptions
7.57
7.58
7.59
7.6
7.61
7.62
7.63
Underwriting - System and Data

7.64
7.65
7.66
7.67
7.68
7.69
7.7
7.71
7.72
7.73
7.74
7.75
7.76
Reinsurance - Governance and processes (FCR)

7.77
7.78
7.79
7.8
7.81
7.82
Reinsurance - Opinion Reporting (FCR)

7.83
Reinsurance - Methodology
7.84
7.85
7.86
7.87
7.88
7.89
7.9
7.91
Reinsurance - Assumptions
7.92
7.93
7.94
7.95
Reinsurance - Systems and Data

7.96
7.97
7.98
7.99
7.100
7.101
7.102
7.103
7.104
7.105
7.106
7.107
7.108
Solvency and Financial Position - Governance and Processes

7.109
7.110
7.111
7.112
7.113
Solvency and Financial Position - Opinion Reporting (FCR)

7.114
Solvency and Financial Position - Methodology

7.115
7.116
7.117
Solvency and Financial Position - Assumptions

7.118
7.119
7.120
7.121
Solvency and Financial Position - Systems and Data

7.122
7.123
7.124
7.125
7.126
7.127
7.128
7.129
7.130
7.131
7.132
Other actuarial opinions - Governance and processes
7.133
7.134
7.135
7.136
7.137
7.138
7.139
7.140
Other actuarial opinions - Opinion Reporting

7.141
Other actuarial opinions - Methodology

7.142
7.143
7.144
7.145
Other actuarial opinions - Assumptions

7.146
7.147
7.148
7.149
7.150
7.151
Other actuarial opinions - Systems and Data
7.152
7.153
7.154
7.155
7.156
7.157
7.158
7.159
7.160
7.161
7.162
7.163
Actuarial Outputs

Do all activities leading to reserving actuarial outputs and opinions include a peer review process (independent, be it
internal or external), before it gets submitted to the Board?
Is the level of peer review commensurate to the significance of the piece of work and levels of judgement needed and are
the people undertaking the review adequately qualified and experienced?
Are processes leading to reserving actuarial outputs results and opinions clearly documented, so that they can be easily
understood by independent third parties and is there evidence that the documentation has been regularly reviewed,
updated to reflect any changes and signed-off by the designated authority?
Does the Board of Directors review and approve the report on reserve adequacy which has been written and signed by the
Appointed Actuary and is this evidenced?
If management decides to hold reserves above or below the level recommended by the Appointed Actuary, is there a well-
defined process to arrive at this decision? Is the rationale documented?
Are results analyzed considering as a minimum:

- A review of an Analysis of Change,
- Whether the unexplained in the Analysis of Change is at an acceptable level?
- A reconciliation of results to audited numbers e.g. IFRS Report & accounts?
Reserving - Opinion Reporting

Does the actuarial output include, but not limited to, the following:
- A clear statement on data quality
- A clear statement on the assumptions used and the source of those assumptions
- A clear statement of the methodology used and the basis for selecting it
- A clear summary of results and findings;
- A clear conclusion on the reliability and adequacy of the calculation;
- A statement of any limitations of the process and recommendations to address these;
- The likely drivers of deviation from the derived estimate (key areas of uncertainty);
- A summary of the sensitivity of the derived result to key underlying assumptions;
- An actual versus expected analysis at an appropriate level of granularity to understand the drivers of any material
deviations.
- Whether the previous report's recommendations have been actioned
Reserving - Methodology
Are actuarial methodologies for Life insurance valuation analyses properly documented (so that a knowledgeable third party
would be able to understand and replicate the methodology selected)?
Are actuarial methodologies for Health reserving analyses properly documented (so that a knowledgeable third party would
be able to understand and replicate the methodology selected)?
Are actuarial methodologies for General insurance reserving analyses properly documented (so that a knowledgeable third
party would be able to understand and replicate the methodology selected)?
Did the Appointed Actuary consider a set of different methodologies before choosing the most appropriate one to be used?
Does the reserving documentation include rationale for selecting the methodology chosen from the range of different
methodologies considered and does it include justification for no change if there has been no change?
Have limitations embedded in the selected methodology been considered, estimated, documented and have material
limitations been communicated to key stakeholders?
Has uncertainty (incl. Model risk) embedded in the selected methodology been considered, estimated, documented and has
material uncertainty been communicated to key stakeholders?
Are employed methodologies consistent with standard international actuarial techniques? If not, is the methodology
appropriate to the specific Line of Business and underwriting portfolio?
Are the methodologies selected fit for purpose considering the LoB being modelled and the data availability (incl. any
limitations)?
Is the methodology selected for each LoB consistent from one year to the other and are changes properly documented,
estimated, explained and signed off?
If the company writes any business in which value of liabilities depends on the value of assets (e.g. Life participating
products), is the methodology for setting the economic basis and valuating the connection between assets and liability
appropriate and explicitly included in the reserving analyses and documentation?
Reserving - Assumptions
Are assumptions backing reserving actuarial valuations clearly documented?
If there are any major changes compared to previous year's reserving actuarial valuation, are they clearly documented and
explained?
How actively did the company change valuation assumptions (e.g., are all assumptions updated as part of an annual cycle,
or are there other criteria which would suggest a more or less frequent review? Have sensitivities of the reserves to
assumptions been carried out and explained accurately?
Has the passage from the analysis of empirical data to the modelling of statistical distribution (model calibration) been
properly documented (e.g. even through flow diagrams)?
Did the model calibration phase consider if the empirical data suitably represents the future uncertain dynamics to be
modelled?
Are expert judgments on assumption setting for reserving actuarial valuations clearly documented (e.g. what were they
based on)?
Are judgments on assumption setting for reserving actuarial valuations deemed to be prudent and reasonable?
Reserving - Systems and Data

Is there a data quality framework which aims to ensure that reserving actuarial valuations are based on high quality data?
Does the appointed actuary have easy and timely access to entity's data required for reserving actuarial valuations?
Are data used in reserving actuarial valuations complete?

Are data used in reserving actuarial valuations accurate?
Are data used in reserving actuarial valuations appropriate?
Are external data used in reserving actuarial valuations complete, accurate and appropriate, also considering their use (e.g.
credibility weightings)?
Does the appointed actuary periodically review the appropriateness, completeness and accuracy of data he/ she requires
and uses for reserving valuations?
Does the appointed actuary periodically review the consistency of the data from period to period?
Are the processes related to data extraction, transformation and loading automated, in order to minimize manual errors?
In the data clean-up process, were data understood and analyzed using sound statistical methods? Are such analyses
documented?
Has any judgment employed in the data cleaning process been properly documented?
Have data been signed off by an appropriate authority (e.g., CFO)?
Is there a tolerance threshold for errors in data (e.g., nil or 1%) and is it adequately defined?
Are the actuarial reserving calculations performed using market standard software? (i.e. automated software, potentially
used elsewhere in the market, provided with a strict version control process)
Are data and calculations backing reserving actuarial valuations auditable? Are they documented in such a way that they
can be easily and adequately replicated within a specified tolerance?
Does the actuarial report comply with professional standards of a recognized actuarial body?
Are potential data deficiencies in reserving calculations managed and clearly documented in actuarial reports?
Underwriting - Governance and Process

Does the Board of Directors review and approve pricing reports written and signed by the appointed actuary and is this
evidenced?
If the Company writes Motor business, is pricing approved by the Appointed Actuary and documented in an annual report
submitted to the Board of Directors?
If the Company Writes Health business, is pricing approved by the Appointed Actuary and documented in an annual report
submitted to the Board of Directors?
Do all processes leading to actuarial pricing opinions and assessments include a peer review process?
Are processes leading to pricing clearly documented, so that they can be easily understood by independent third parties and
is there evidence that the documentation has been regularly reviewed, updated to reflect any changes and signed-off by the
designated authority?
Is a pricing adequacy analysis carried out (i.e., comparison between technical v actual price)?
Underwriting - Methodology
Are actuarial methodologies for Life pricing analyses properly documented? (so that a knowledgeable third party would be
able to understand and replicate the methodology selected)
Are actuarial methodologies for Health pricing analyses properly documented? (so that a knowledgeable third party would
be able to understand and replicate the methodology selected)
Are actuarial methodologies for General Insurance pricing analyses properly documented? (so that a knowledgeable third
party would be able to understand and replicate the methodology selected)
Do employed methodologies rely on standard international actuarial techniques? If not, is the methodology appropriate to
the specific LoB and underwriting portfolio?
Was motor pricing performed using statistical methods (GLM, Neural Networks, Random Forest, Other Machine Learning
methods, etc.)?
Are all actuarial opinions related to pricing based on well documented and sound actuarial methodologies?
Underwriting - Assumptions
Are assumptions backing pricing actuarial valuations clearly documented?
Were assumptions used adequately supported by the data available?
If there are any major changes compared to previous year's assumptions in pricing actuarial valuations, are they clearly
documented and explained?
Has the passage from the analysis of empirical data to the modelling of statistical distribution (model calibration) been
properly documented? (incl. inflation assumptions)
Did the model calibration phase consider if the empirical data suitably represents the future uncertain dynamics to be
modelled?
Are expert judgments on assumption setting for reserving actuarial outputs clearly documented (e.g. what were they based
on)?
Are judgments on assumption setting for reserving actuarial outputs deemed to be prudent and reasonable?
Underwriting - System and Data

Is there a data quality framework aiming to ensure that pricing actuarial valuations are based on high quality data?
Does the appointed actuary have easy and timely access to entity's data required for pricing various products?
Are data used in pricing actuarial valuations complete?

Are data used in pricing actuarial valuations accurate?
Are data used in pricing actuarial valuations appropriate?
Are external data used in actuarial pricing assessments complete, accurate and appropriate, also considering their use (e.g.
and uses for pricing valuations?
Does the appointed actuary periodically review the consistency of data from period to period?
documented?
Are the actuarial product pricing calculations performed using an industrialized software? (i.e. automated software,
potentially used elsewhere in the market, provided with a strict version control process)
Are data and calculations backing pricing actuarial valuations auditable? Are they documented in such a way that they can
be easily and adequately replicated within a specified tolerance?
Are potential data deficiencies in pricing calculations managed and clearly documented in actuarial reports?
Reinsurance - Governance and processes (FCR)

Does the Board of Directors take into account an opinion from the Appointed Actuary before approving the company's
reinsurance strategy?
Is the overall reinsurance strategy including retention levels reviewed by the Appointed Actuary?
Do all activities leading to actuarial opinions and assessment on retention level include a peer review process?
Are processes leading to reinsurance actuarial outputs and opinions clearly documented, so that they can be easily
understood by independent third parties and is there evidence that the documentation has been regularly reviewed,
updated to reflect any changes and signed-off by the designated authority?

Reinsurance - Opinion Reporting (FCR)

- A clear staement on the assumptions used and the source of those assumptions
- A clear statement of the methodology used and the basis for selecting it
deviations.
Reinsurance - Methodology
Are actuarial methodologies for Life reinsurance analyses properly documented? (so that a knowledgeable third party
would be able to understand and replicate the methodology selected)
Are actuarial methodologies for Health reinsurance analyses properly documented? (so that a knowledgeable third party
Are actuarial methodologies for General reinsurance analyses properly documented? (so that a knowledgeable third party
Did the actuaries use stochastic simulation methodologies in order to assess and select the optimal retention level and
reinsurance structure?
If reinsurance choices rely on valuations of a reinsurance brokers, was there an appropriate level of challenge performed
towards the broker? Does the company change the broker on a periodic basis (i.e. at least every 5 years)?
Is there internal documented criteria for broker selection? Has it been adhered to?
Do employed methodologies rely on standard international actuarial techniques? If not, is the methodology appropriate to
the specific LoB and underwriting portfolio? (e.g. long vs. short tail LoB modelling)
Are all reinsurance actuarial opinions based on well documented and sound actuarial methodologies?
Reinsurance - Assumptions
Are assumptions backing retention level actuarial valuations clearly documented?
If there are any major changes compared to previous year's assumptions in reinsurance actuarial valuations, are they clearly
documented and explained?
Are expert judgments on retention level actuarial valuations clearly documented (e.g. what were they based on)?
Are judgments on reinsurance actuarial valuations overall deemed to be reasonable?
Reinsurance - Systems and Data

Is there a data quality framework aiming to ensure that retention level actuarial analysis are based on high quality data?
Does the appointed actuary have easy and timely access to entity's data required for reinsurance analyses?
Are data used in retention level actuarial valuations complete?

Are data used in reinsurance actuarial valuations accurate?
Are data used in reinsurance actuarial valuations appropriate?
Are external data used in reinsurance assessments complete, accurate and appropriate, also considering their use (e.g.
Does the appointed actuary periodically review the appropriateness, completeness and accuracy of reinsurance data he/
she requires and uses?
documented?
Are the actuarial calculations for determination of retention levels performed using an industrialized software? (i.e.
automated software, potentially used elsewhere in the market, provided with a strict version control process)
Are data and calculations backing reinsurance actuarial valuations auditable? Are they documented in such a way that they
can be easily and adequately replicated within a specified tolerance?
Are potential data deficiencies in reinsurance calculations managed and clearly documented in actuarial reports?
Solvency and Financial Position - Governance and Processes

Does the Appointed Actuary produce an opinion on the solvency and financial position of the company, which is then
considered and discussed within the Board of Directors?
Do all processes leading to actuarial opinions and assessment on solvency and financial position include a peer review
process?
Are processes leading to actuarial valuations and opinions on solvency and financial position clearly documented, so that
they can be easily understood by independent third parties and is there evidence that the documentation has been
regularly reviewed, updated to reflect any changes and signed-off by the designated authority?

Solvency and Financial Position - Opinion Reporting (FCR)

- A clear statement of the methodology used and the basis for selection it
deviations.
Solvency and Financial Position - Methodology

Are actuarial methodologies for opinions on solvency and financial position properly documented? (so that a
knowledgeable third party would be able to understand and replicate the methodology selected)
Do employed methodologies rely on standard international actuarial techniques? If not, is the methodology actuarially
sound?
Are all actuarial opinions on solvency and financial position based on well documented and sound actuarial methodologies?
Solvency and Financial Position - Assumptions

Are assumptions backing actuarial opinions on solvency and financial position clearly documented?
If there are any major changes compared to previous year's assumptions in solvency and financial position actuarial
calculations, are they clearly documented and explained?
Are expert judgments on solvency and financial position actuarial opinions clearly documented (e.g. what were they based
on)?
Are judgments on solvency and financial position actuarial valuations overall deemed to be reasonable?
Solvency and Financial Position - Systems and Data

Is there a data quality framework aiming to ensure that actuarial analyses on solvency and financial position are based on
high quality data?
Does the appointed actuary have easy and timely access to entity's balance sheet data?
Are data used in actuarial analyses on solvency and financial position complete?
Are data used in actuarial analyses on solvency and financial position accurate?
Are data used in actuarial analyses on solvency and financial position appropriate?
Are external data used for solvency assessments complete, accurate and appropriate, also considering their use (e.g.
Does the appointed actuary periodically review the appropriateness, completeness and accuracy of balance sheet data he/
she requires and uses?
Are data and calculations backing actuarial analyses on solvency and financial position based on an industrialized software?
(i.e. automated software, potentially used elsewhere in the market, provided with a strict version control process)
Are data and calculations backing actuarial opinions on solvency and financial position auditable? Are they documented in
such a way that they can be easily and adequately replicated within a specified tolerance?
Are potential data deficiencies in solvency calculations clearly documented?

Other actuarial opinions - Governance and processes
Does the Board of Directors receive and take into consideration the actuarial opinion before approving the investment
policy, the ALM policy or the related risk appetite and is this evidenced?
Does the company have a tactical asset allocation process which takes actuarial recommendations into account and is
signed off by the Board?
Does the company have a strategic asset allocation process which takes actuarial recommendations into account and is
signed off by the Board?
Does the appointed actuary provide recommendations on formulating, implementing, monitoring and revising strategies
related to assets and liabilities to achieve adequate matching of assets with liabilities?
Do all processes leading to actuarial opinions and assessment on asset allocation and ALM include a peer review process?
Does the process leading to an actuarial opinion on ALM and investments consider the outcome of sensitivity analyses and
stress testing?
Are processes leading to actuarial analyses and opinions on asset allocation and ALM clearly documented, so that they can
be easily understood by independent third parties and is there evidence that the documentation has been regularly
reviewed, updated to reflect any changes and signed-off by the designated authority?
Other actuarial opinions - Opinion Reporting

- A clear statement of the methodology used and the basis for selection it
deviations.
Other actuarial opinions - Methodology

Are all actuarial opinions on asset allocation and ALM based on well documented and sound actuarial methodologies?
Are ALM analyses based on a cash-flow approach (e.g. replicating portfolios) or are they limited to a duration matching
approach (e.g. immunization)?
Have the methodologies leading to ALM and investments opinions taken the Board of Directors-set risk appetite into
account?
Are they properly documented so that a knowledgeable third party would be able to understand and reproduce the
approach followed?
Other actuarial opinions - Assumptions
Are assumptions backing actuarial analyses on asset allocation and ALM clearly documented?
If there are any major changes compared to previous year's assumptions on asset allocation and ALM actuarial calculations,
are they clearly documented and explained?
Are sensitivity analyses and stress testing used in order to calibrate the model used for ALM projections?
Are ALM analyses based on a discount rate which is chosen consistently with reserves analyses and based on a sound and
documented expert judgment?
Are expert judgments on asset allocation and ALM actuarial analyses clearly documented (e.g. what were they based on)?
Are judgments on asset allocation and ALM actuarial analyses overall deemed to be reasonable?
Other actuarial opinions - Systems and Data
Is there a data quality framework aiming to ensure that actuarial analyses on asset allocation and ALM are based on high
quality data?
Does the appointed actuary have easy and timely access to entity's required data for asset allocation and ALM actuarial
calculations?
Are look-through of investment funds available in order to have investment's data at least at asset class granularity level?
Are data used in actuarial analyses on asset allocation and ALM complete?
Are data used in actuarial analyses on asset allocation and ALM accurate?
Are data used in actuarial analyses on asset allocation and ALM appropriate?
Are external data used for actuarial analyses on asset allocation and ALM complete, accurate and appropriate, also
considering their use (e.g. credibility weightings)?
and uses for asset allocation and ALM actuarial analyses?
Are the actuarial calculations for asset allocation and ALM, using an industrialized software? (i.e. automated software,
potentially used elsewhere in the market, provided with a strict version control process)
Are data and calculations backing actuarial analyses on asset allocation and ALM auditable? Are they documented in such a
way that they can be easily and adequately replicated within a specified tolerance?
Are potential data deficiencies in actuarial calculations on asset allocation and ALM managed and clearly documented?
Response Comments
Oversight
S.No.
8.01
8.02
8.03
8.04
8.05
8.06
8.07
8.08
8.09
8.1
8.11
8.12
8.13
8.14
8.15
8.16
8.17
8.18
8.19
8.2
8.21
8.22
8.23
8.24
8.25
8.26
8.27
8.28
8.29
8.3
Senior Management
8.31
8.32
8.33
8.34
8.35
8.36
8.37
8.38
8.39
8.4
8.41
8.42
Risk Management
8.43
8.44
8.45
8.46
8.47
8.48
8.49
8.5
8.51
8.52
8.53
8.54
8.55
8.56
Compliance
8.57
8.58
8.59
8.6
8.61
8.62
8.63
8.64
8.65
Appointed Actuary
8.66
8.67
8.68
8.69
8.7
8.71
8.72
8.73
Internal Audit
8.75
8.76
8.77
8.78
8.79
8.8
8.81
8.82
8.83
8.84
8.85
8.86
8.87
Operational Management
8.88
8.89
8.9
8.91
8.92
8.93
8.94
Oversight

Does the Board of Directors charter document the procedure for nominating and electing the Board Chairman including th
responsibilities assigned to the Chairman?
Has the appointment of Board members and Chairman of the Board been approved by SAMA to act as elected Boa
members and Chairman of the Board?
Has the Board established an Executive committee to extend its oversight, with clear role and responsibilities, direct
reporting to the Board?
Has the Board established a Nomination and Remuneration committee to extend its oversight, with clear role an
responsibilities, directly reporting to the Board?
Has the Board established an Audit committee to extend its oversight, with clear role and responsibilities, directly reportin
to the Board?
Has the Board established a Risk Management Committee to extend its oversight, with clear role and responsibilitie
directly reporting to the Board?
Has the Board established an Investment Committee to extend its oversight, with clear role and responsibilities, direct
reporting to the Board?
Do the members of the Board of Directors and above committees individually and collectively have relevant knowledg
expertise, independence, information access and influence to provide adequate oversight, challenge and fulfil their tas
within the institution?
Is there a Board approved formal code of ethics program complied by all the Board members, Board committees and th
company management? And is the program reviewed on a regular basis?
Does the entity have a conflict of interest policy approved by the Board; clearly defining potential conflict of intere
situations, related parties/ transactions? and does the policy include a formal reporting mechanism to ensure time
reporting of conflict of interest issues?
Does the Board of Directors approve and regularly update the institution’s policies and formal risk assessment framewor
for risk taking, managing, monitoring and mitigating those risks, the institution is or might be exposed to, including tho
posed by the macroeconomic environment in which it operates and in relation to the status of the business cycle?
Does the Board of Directors include in their strategic discussions, the impact on the entity's risk appetite for decision
relating to mergers, acquisitions, and growth in business lines or products?
Do the Board and the Committee charters articulate the composition, qualifications / independence, responsibilities an
authorities of the Board of Directors and its committees?
Are composition and responsibilities of the Board of Directors and committees fully compliant with SAMA regulations an
circulars at a minimum?
Has the Board articulated the procedures for appointment and responsibilities of the Board Secretary?
Does the Nomination and Remuneration committee charter contain talent development and succession plan, as part of i
standing agenda?
Are Board of Directors and Board Committees’ meetings minuted and planned actions formally followed?
Does the Board and Board Committees’ meet regularly (quarterly / semi-annually, as stipulated in the SAMA guidelines)?
Are there mechanisms in place to ensure that decision-making is not dominated by any one individual or small group
individuals in a manner that is detrimental to the interests of the institution as a whole?
Does the Board of Directors ensure that annual business plans are in line with the approved risk appetite of the institution?
Are incentives/disincentives included in the remuneration policy to facilitate adherence to risk appetite?
Does the Board of Directors ensure that risk management and internal audit are sufficiently staffed to provide independe
assurances to the Board of Directors and senior management that they are operating within the approved RAF (Ri
Appetite Framework)?
Does the Board of Directors discuss with Risk Management Committee and senior management for decisions regarding th
establishment and on-going monitoring of risk appetite and risk exposures as well as material changes in the current ri
appetite / risk exposure levels, or regulatory expectations regarding risk appetite / risk exposure?
Have Board of Directors or committee members ever been convicted of a felony undermining his/her or the institution
integrity/ trustworthiness?
Are the Chair of the Board Committees (i.e. Chair of the Risk Committee, Audit Committee, Remuneration and Nominatio
Committee) approved by SAMA?
Does the insurance entity carry out once a year an internal Board effectiveness review?
Does the insurance entity carry out every 3-4 years an external Board effectiveness review ?
Has the insurance entity appointed a Senior Independent Director who is responsible for assessing the performance of th
Board Chairman?
Has the insurance entity put in place a whistle-blower policy and is there an independent Non Executive Direct
responsible for addressing whistleblow cases?
Is there a Terms of Reference for the Board and the Board Committees which clearly outline the matters reserved for th
Board and the Board Committees, the frequency of meetings, the quorum, the membership, the key responsibilities of th
Board and the Board Committees and the matters delegated to other Committees?
Senior Management
Are Senior Management members formally (documented and approved) provided with clear roles and responsibilities, jo
descriptions, authority limits and reporting lines?
Does the Senior Management possess the right skills, knowledge and experience to effectively and prudentially managin
the institution?
Have the Senior management translated the Board's set risk appetite and risk tolerances into a set of operational limits
business / functions' level?
Does the institution regularly check that its management structure is updated, comprehensive and operates smoothly?
Are there clear reporting lines for accountability, oversight and allocation of authority and responsibility among members
the management?
Is the appointment of the senior management approved by SAMA?
Does the management meet regularly, at least monthly?
Has the management formed various committees with clear roles and responsibilities on specific topics?
Are management meeting minuted and planned actions formally followed?

Is there a cohesive and effective cooperation between the management body and the control functions (compliance, aud
risk and appointed actuary), including the attendance of heads of these functions to management meeting?
Does the management body approve and periodically review the strategies and policies for risk taking, managin
monitoring and mitigation of those risks to which it is exposed?
Have Senior management or committees members ever been convicted of a felony undermining his/her or institution
integrity/ trustworthiness?
Risk Management
Is the overall risk management framework appropriate to the scale and complexity of the institution?
Is the Risk Management function formally (documented and approved) provided with specific roles, responsibilities an
structure by the institute's code of corporate governance?
Does the positioning of the risk management function within the organization ensure that it is sufficiently independent?
Is it led by an appointed Chief Risk Officer (CRO)?

Is the appointment of the CRO approved by SAMA?
Does the CRO have the necessary experience and skills and to give the risk perspective significant weight in all materi
business decisions?
Does the risk management function report functionally (with direct access) to the Board of Directors or the Board Ri
Management Committee?
Are there formal discussions on risk management topics in a management committee?
Does the Board of Directors/ risk management committee regularly evaluate (at least once a year) the adequacy of the ri
management function? If so, is this clearly documented?
Is the risk management function equipped with adequate number of trained resources who are competent in ri
management?
Is the risk management function, its processes and internal controls, the quality of the reports submitted to th
management and the Board Risk Management Committee, as well as risk mitigation measures periodically audited b
independent auditors who are trained and competent in risk management?
Does the Board / Risk Management Committee approve and regularly update risk strategy, business strategy, risk appeti
framework, capital plan and internal capital allocation?
Has the institution designed a contingency plan to counter events with severe negative impact on the business?
Does the insurance entity carry out regularly (at least once a year) stress and scenario testing analysis and reverse stre
testing?
Compliance
Is there a compliance function in place that is hierarchically and functionally separated and operates independently fro
any business activity responsibilities?
Is the compliance function led by an appointed compliance officer whose performance management and compensation a
independent from the executive management and is effective in identifying and raising issues?
Is the appointment of the Compliance Officer approved by SAMA?

Is there a compliance charter that sets out the objectives of the compliance function as well as its responsibilities an
competences, guarantees its independence and permanency, and specifies its relations with the other departments an
functions?
Does compliance function have an appropriate direct access to the Board of Directors / Board Audit Committee with a
established process is in place to periodically (at least quarterly) report to the Board of Directors / Board Audit Committee?
Is the senior management responsible for the adequacy of the organization of the compliance function and does it regular
evaluate adequacy?
Is a compliance function appropriately organized not only at group-level but also at individual-subsidiary level where group
compliance officer has responsibility for all of the group's heads of compliance? (The question applies only to KSA insuranc
and financial groups, while it does not apply to foreign insurance and financial groups and KSA non-financial group with a
insurance subsidiary)
Does the compliance function, at least annually, analyze and document the compliance risks of the institution considerin
the scope and complexity of its activities?
Is there an annual and multi-year plan of action for the compliance function which is based on a precise analysis of the ke
risks and is approved by the governing bodies and its implementation is adequately monitored?
Appointed Actuary
Does the insurer's code of corporate governance clearly define role and responsibilities of the appointed actuary?
Does the actuary report functionally to the Board of Directors?

Does the place of the appointed actuary within the organization ensure that he/ she is sufficiently independent?
Is the Actuary independent from Top Management and business processes?

Does the actuary have easy and timely access to the institution’s data?
Is the appointment of the actuary approved by SAMA?
Does the actuary have proven experience in insurance entity's core lines of business?
Has the actuary ever been convicted of a felony undermining his/her or institution's integrity/ trustworthiness?
nternal Audit
Does the position of the internal audit within the organization (hierarchical and functional) enable the function to opera
independently, autonomously and with authority?
Is the internal audit function effective in identifying and raising issues?
Is the internal audit function equipped with adequate number of trained resources who are competent in internal audit?
Does the internal audit function report directly to the Audit Committee in supervisory function?
Is there an annually updated audit plan reviewed and approved by the Audit Committee?
Do the internal audit departments of the institution's subsidiaries and branches report to the parent institution's intern
audit department? (The question applies only to KSA insurance and financial groups, while it does not apply to foreig
insurance and financial groups and KSA non-financial group with an insurance subsidiary)
Does the institution have an internal audit charter and manual duly approved by the Audit Committee that specify th
objective, scope, responsibility, authority, approach and methodology of the internal audit function?
Does the Board of Directors/ Audit committee regularly evaluate (at least once a year) the adequacy of the internal aud
function and are the observations clearly documented?
Does internal audit assess the effectiveness of the implementation, and timely reports material deficiencies of the RAF at a
organization and business levels?
Does internal audit identify whether breaches in risk limits are being appropriately identified, escalated and reported, an
report on the implementation of the RAF to the Board of Directors and senior management as appropriate?
Does internal audit assess the design and effectiveness of risk measurement techniques and Management Informatio
System used to monitor the institution’s risk profile in relation to its risk appetite and enterprise risk management?
Are there any internal and external Quality Assurance Reviews (QAR) undertaken on a regular basis? (i.e. annually f
internal QAR, while once in 5 years for external QAR)?
Has the co-sourced internal auditor (if any) ever been convicted of a felony undermining his/her or institution's integrit
trustworthiness?
Operational Management
Is there an adequate mandate along with key accountabilities and established KPIs for each Line of Business (LOB)?
Does each LOB have adequate processes, controls and technology to carry out their responsibilities?
Does each LOB have adequate resources, in terms of profile and business knowledge?
Does Risk Management have a favourable view of the risk culture of senior management and staff of each LOB?
Has each LOB developed a comprehensive business model with risk limits in line with the institution's enterprise-wide ri
appetite?
Are there financial and risk reports produced within each LOB?
Are the aforementioned financial reports comprehensive and do they clearly highlight key issues such as contr
inefficiencies and mitigating actions to address these?
Response Comments
Conduct of Business
S.No.
9.01
9.02
9.03
9.04
9.05
9.06
9.07
9.08
9.09
9.1
9.11
9.12
Product Development
9.13
9.14
9.15
9.16
9.17
Product Promotion, Disclosure and Sale
9.18
9.19
9.2
9.21
9.22
9.23
9.24
9.25
9.26
9.27
9.28
9.29
9.3
Post-sale servicing and information

9.31
9.32
9.33
9.34
Claims
9.35
9.36
9.37
9.38
9.39
9.4
9.41
9.42
Complaints
9.43
9.44
9.45
9.46
9.47
9.48
Privacy protection
9.49
9.5
9.51
9.52
9.53
9.54
9.55
9.56
Controls
9.57
9.58
9.59
9.6
9.61
Conduct of Business

Do the firm's risk strategy and risk appetite take into account risk of misconduct formally and explicitly?
Is the entity provided with a Complaints committee and/or a Claims committee, set up by the Board or by the Seni
management to oversee complaints and claims management practices, which includes both first line and second lin
management?
Is accountability of Conduct of Business matters clearly specified in the Conduct policy which highlights the three lines
defense (First line of defense - Operational Management, Second line of defense - Risk Management and Complianc
Functions and Third line of defense - Internal Audit), identifies the controls for mitigating the risk identified and key contr
owner for Conduct of Business risk?
Is there a Code of Conduct established by the Board of Directors, which includes fair treatment of customers?
Has the entity issued a Conduct of Business policy that ensures the fair treatment of customers along the product lifecycle?
Is there a regular reporting on Conduct of Business-related indicators and controls to the Board of Directors and the Seni
Management?
Does the Senior Management regularly send appropriate messages to staff, clients and to the public underlying the focus o
Business Conduct? (so called, "Tone from the top")
Does the entity have a policy and a procedure in place to encourage anonymous whistleblowing? (both for employees an
for external parties)
Are conduct practices reflected in performance review systems for employees (e.g. through KPIs)?
What impact does negative conduct have on performance review system for employees?
And does it contribute to the assessment of the employee’s performance and their remuneration?
Are conduct practices reflected in performance review systems for external service providers (e.g. through KPIs)?
Does the Nomination and Remuneration committee guarantee the employee incentive structure is not tied to short ter
target achievement and the absence of conflicts of interest?
Product Development
Are product development procedures defined to ensure that new products are designed in the interest of customer
(please also consider the use of exclusions in the products' structure)
Are there clear procedures and organizational guidelines to ensure that the risk of potential product performance a
identified and mitigated accordingly?
Are Board of Directors and Senior Management responsibilities related to product flaws clearly defined?
In case of outsourcing, does the Insurance Company retain the right of audit – and actually conduct performance audits
brokers, agents, adjusters?
In case of outsourcing, are customer's rights part of that agreement?

Product Promotion, Disclosure and Sale
Are marketing procedures defined to ensure that no misleading information is provided to potential customers?
And is this approved by the designated authority?
Are technical information and data provided in the advertisements clear, understandable and verifiable from th
perspective of the target customer?
Is the advertising material reviewed through a formal process before publication?
And is it signed off from relevant departments such as compliance and legal?
Are investment performance data, investment management fees and information on guaranties clear, understandable an
verifiable from the perspective of the target customer?
Is the pre-contractual information provided to the customer free of charge?
Is the pre-contractual information written in a plain language to let the customer understand all the product features an
risks?
Are entity's contact details, product features and contract terms explicitly stated?
Are there procedures to effectively verify that the entity gathered necessary information on the client before selling
product (e.g. Know Your Customer form)?
Are sale and distribution personnel trained for all product's features and retrained when product features a
updated/amended?
Is the distribution model appropriate for a specific type of product/ customer?
Is there product suitability assessment during the underwriting process?
And are the Board of Directors responsibilities related to mis-selling clearly defined?
Are there in place clear policies, procedures and organizational guidelines related to mis-selling?
And do these make explicit references to SAMA guidelines?
Post-sale servicing and information

In case of changes to the contract's terms or additional requirements, are these explicitly communicated to the customer?
Are there procedures in place to monitor timeliness and quality of customer services?
And do these include the use of e-portals?
For savings/ investment contracts, is there disclosure of costs, both sales (commission) and management expenses?
Regarding saving/ investment contracts, are investment performance details disclosed to the client?
Claims
Does the documentation provided to customers at the time of policy issuance clearly define the steps in the claims proces
including what documentation is required, the processing timing and relevant contacts in case of claim dispute?
Is there an updated claims procedure manual which is kept up-to-date and is there training provided when an upda
occurs?
Is there a dedicated claims handling function with adequate resources and qualified staff?
Are there structures and procedures in order to ensure that claimants are kept up-to-date about claim progress mentionin
timelines for the same?
In case of claim (partial) rejection, is there a standard for documentation on rationales to be provided to the claimant?
Does the entity clearly disclose to claimants what are the contacts and processes regarding how a claim decision could b
appealed/ disputed?
In the claims department, are there controls aimed at avoiding attempts to (1) dissuade p/h from obtaining attorney
services, (2) settle claims for less than the established (fair) amount, (3) deny claims without reasonable reasons and (
transfer claim responsibilities to others?
Complaints
Are there clear policies and processes in place to handle complaints in a timely and fair manner?
Is there an updated complaints management policy approved by the Board of Directors and enforced by the Seni
Management and does it include post-sales survey and formal customer feedback?
Is the entity provided with a dedicated complaints management function, headed by a senior manager and reporting to
senior executive?
Are complaints registered and categorized to identify and address any potential recurring problem or arising legal issue
Are they shared with the Supervisor?
Are complainants kept informed about complaint progress, delays and eventual appeals?
Privacy protection
Have internal processes been established in order to guarantee the fair use of sensitive customer data?
Are outsourced activities monitored to guarantee the proper use of personal information?
In case any outsourcing activity involves a third party to manage customers' confidential data, is privacy protectio
mentioned in the contract with the outsourcer?
Are employees at all organization levels trained to manage customers' personal information while ensuring data protection
Is the entity equipped with an IT architecture which enables the protection of customers sensitive data?
Is there a data retention policy enforced throughout the organization and is this enforced on the IT infrastructure?
Are customers and SAMA timely informed regarding any breach of confidentiality?
Is Conduct of Business reviewed by one or more independent functions (e.g. risk management, compliance) regularly?
Controls
If an independent function is accountable for monitoring the entities' business conduct, does it report directly to the Boa
of Director?
Does the entity have in place a Conduct of Business risk assessment framework to regularly assess its own Conduct
Business profile?
Is there a regular reporting on the outcome of Conduct of Business risk assessments to Board of Directors, Seni
Management and SAMA?
Is a review of Conduct of Business included in the internal audit annual plan?
Is there evidence that a remediation plan related to any Conduct of Business-related audit findings is in place and th
management has been acting on it?
Response Comments
Regulatory and AML
S.No.
10.01
10.02
10.03
10.04
10.05
10.06
10.07
10.08
1st line controls

10.09
10.10
10.11
10.12
10.13
10.14
2nd line controls

10.15
10.16
10.17
10.18
10.19
10.20
10.21
10.22
10.23
10.24
3rd line controls

10.25
10.26
10.27
10.28
10.29
Regulatory and AML

Does the entity have in place a regulatory and AML risk policy in which risk policies and processes related to regulatory an
AML risk appropriately documented and have been approved by the designated authority and is it reviewed on a regul
basis?
Are the responsibilities of the entity's Board and Senior Management regarding regulatory and AML risk manageme
clearly established in the Board of Directors charter ?
Are the Board members suitably qualified to get an in-depth understanding of the entity's regulatory and AML risk position
Management with regular and sufficient information, for them to assess the nature and level of the insurance entity
regulatory and AML risk?
Is managing regulatory and AML/CTF risks a specific responsibility of the Board Risk Committee or of the Audit Committee?
Does the Board Risk Committee or the Audit Committee have a mix of expertise, competencies and experience that,
combination, match the nature of the regulatory and AML risk activities?
Does the Risk Committee receive, regularly, formal reports and informal communication as appropriate in relation
regulatory and AML risk?
Is there an entity-wide Risk Assessment process related to regulatory and AML issues, which is regularly reviewed an
discussed at Board and Senior Management level?
1st line controls

Have processes been defined and procedures properly documented to ensure that regulatory risks are mitigated at eac
business process level as specified in the compliance manual/charter?
Have processes been defined and procedures properly documented to ensure that AML risks are mitigated at each busine
process level as mentioned in the AML policy ?
Is there a sound system to monitor and report suspicious activities taking into consideration all scenarios/triggers used f
identifying high risk or suspicious transactions?
Has the entity defined a structured training program to ensure employees' regulatory and AML awareness?
Are there independent resources (Compliance champions) within the business functions who monitor the compliance
business processes with regulatory and AML constraints?
Are there defined and appropriate escalation processes in place to refer to the compliance and AML functions for an
identified instances of compliance and/or AML breach, by the business functions’ employees?
2nd line controls

Is there a compliance function dedicated to keeping a regulatory mapping / inventory up-to-date?
Is there a structured process aimed at regularly assessing regulatory and AML risks inherent within the entity's business?
Is there a structured process aimed at regularly assessing the controls system and the residual risks related to regulatory an
AML issues as specified in the AML policy and manual ?
Has the entity documented a framework and a methodology to identify measure, evaluate, monitor, report and control
mitigate all material regulatory and AML risks on a timely basis?
Has the entity established an independent and adequately staffed function that ensures the identification and proper
management of regulatory and AML risk?
Are the duties of the regulatory and AML functions clearly segregated from risk-taking functions in the entity as per th
compliance charter?
Does the entity have information systems that allow a timely identification, aggregation, monitoring and reporting
regulatory and AML risk exposure to the entities’ Board and Senior Management?
Is the assessment of regulatory and AML risk based on a forward-looking framework (e.g. looking at exposure futu
potential losses and mitigating factors and is it aligned with insurance entity's business strategy)?
Does the entity perform on a regular basis regulatory and AML risk assessment exercises, and has it established an
documented policies, and procedures for the same?
Does the entity provide the board and SAMA with a regular, clear and full set of reporting documentation related
regulatory and AML risk management? (Including Action plans: development, tracking, ownership and reporting o
progress)
3rd line controls

Does the internal audit function include in its annual plan a review of risk management and processes regarding regulato
and AML risk?
Does the internal audit function include in its annual plan a review of activities and effectiveness of the Compliance functio
(incl. AML)?
Does the audit plan consider the outcomes of the regulatory and AML risk assessment for prioritizing areas to be audited?
for maintaining its resources up-to-date with regulatory and AML risk management best practices?
Does the entity follow the recommendations issued by the internal audit function regarding regulatory and AML risk?
Response Comments

Control Questionnaire - Insurers and Reinsurers

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Control Questionnaire - Insurers and Reinsurers

Uploaded by

Copyright:

Available Formats

Saudi Arabian Monetary Agency (SAMA)

Risk Based Supervision

Questionnaire Submission Date:

Questions are generally classified in the following four categories:

Instructions to fill out Control Questions

Following are some of the scenarios that shall result in a NO answer:

Answer shall be YES if all requirements are satisfied

pplicable, select Not Applicable.

the questionnaire will need to be submitted by December 31st 2017

1st line controls

2nd line controls

3rd line controls

Control Assessment Questions

1st line controls

1st line controls

2nd line controls

3rd line controls

Control Assessment Questions

2nd line controls

3rd line controls

Control Assessment Questions

2nd line controls

3rd line controls

1st line controls

2nd line controls

3rd line controls

Control Assessment Questions

2nd line controls

3rd line controls

Control Assessment Questions

Are there operational procedures specifying how to calculate reserves?

2nd line controls

3rd line controls

1st line controls

2nd line controls

3rd line controls

Control Assessment Questions

1st line controls

2nd line controls

Do outsourcing contract have clause related to right to audit the outsourcer?

Reserving - Opinion Reporting

Reserving - Systems and Data

Underwriting - Governance and Process

Underwriting - System and Data

Reinsurance - Governance and processes (FCR)

Reinsurance - Opinion Reporting (FCR)

Reinsurance - Systems and Data

Solvency and Financial Position - Governance and Processes

Solvency and Financial Position - Opinion Reporting (FCR)

Solvency and Financial Position - Methodology

Solvency and Financial Position - Assumptions

Solvency and Financial Position - Systems and Data

Other actuarial opinions - Opinion Reporting

Other actuarial opinions - Methodology

Other actuarial opinions - Assumptions

Control Assessment Questions

Are results analyzed considering as a minimum:

Reserving - Opinion Reporting

Reserving - Systems and Data

Are data used in reserving actuarial valuations complete?

Underwriting - Governance and Process

Underwriting - System and Data