Rule 5: Development Of Sound Risk Management And Internal Control System
6. Brief On The Board Risk Management And Internal Control Frameworks And Systems In The Group
There are multiple functions of governance and control within Gulf Insurance Group, which assist in ensuring that risks have been fully identified and managed appropriately. In addition to ensuring that the internal control is implemented and is efficiently functioning, the term used for this type of coordination approach is called “Integrated Assurance” or “the three lines of defense”.
The concept of “Integrated Assurance” enables management to handle responsibility, while also boosting confidence in ensuring that risks have been identified, and that mitigation procedures have been implemented, according to the table below:
The Board of Directors is primarily responsible for supervising the verification activities, and although each verification function is assigned its specific roles, each of these functions coincide and integrate with one another during the exchange of information, planning process, and other relevant activities.
6.1 Brief On The Group’s Independent Risk Management Department Establishment Requirements
The Group has an independent department for risk management according to its organizational structure. The risk management department primarily works on identifying, measuring, monitoring, and mitigating all types of risks that the Group might face, according to the following examples (but not limited to):
- Developing effective systems and procedures of risk management, so that it can perform its key functions thereof, which is measuring and monitoring all types of Group risks. This process should be conducted periodically and amended as necessary.
- Developing the mechanisms of a periodic reporting system, as they are considered one of the most important methods in the process of risk monitoring and mitigation.
Risk management officers in the Group are independent through their direct affiliation with the Risk Management Committee. Moreover, they have authorities which enable them to execute their roles as efficiently as possible, without being assigned financial powers or authority.
The risk management department has a wide range of competent personnel, with practical skills and technical capabilities aligned with the insurance industry requirements.
6.2 Brief On Applying The Group’s Board Risk Committee Formation Requirements
In addition to what was mentioned in (3.3.2.1), the Risk Management Committee complies with regulatory requirements regarding composition, meetings, and the implementation of their assigned roles and responsibilities (as an example, but not limited to):
- The preparation and revision of risk management policies and strategies before being approved by the Board of Directors and ensuring the execution of these strategies and policies, ones that are consistent with the nature and size of the Group’s activity.
- The provision of sufficient resources and adequate systems for the risk management department.
- The evaluation of systems and mechanisms for identifying, measuring, and monitoring the various types of risk that the Group may be exposed to, identifying any areas of weakness.
- Assisting the Board of Directors in identifying and assessing the acceptable level of risk tolerance, to ensure that the Group does not breach this level after being approved by the Board of Directors.
- Verification that the risk management employees are independent from activities that could result in exposing the Group to risks.
6.3 Brief On The Group’s Internal Control Systems
Following on from the “three lines of defense” methodology applied by the Group, the Group also has internal control systems that cover the its activities. The Group organizational structure takes into consideration the double check concept of the “Four Eyes Principle”, which is as follows:
- Sound identification of authorities and powers.
- Complete segregation of roles and elimination of conflict of interests.
- Double‑checking and monitoring.
- Dual signature.
6.4 Brief On The Group’s Independent Internal Audit Department Establishment Requirements
The Group has an internal audit department that enjoys full technical independence according to the Group’s organizational structure. The Group’s internal audit department is directly affiliated with the Audit Committee and acts according to the Board of Directors.
The Group’s internal audit department prepared reports including a review and evaluation of the Group’s internal control systems, including the following (for an example, but not limited to):
- Oversee the procedures of control and supervision of the efficiency and effectiveness of the internal control systems necessary to protect the Group’s assets, financial statement integrity, as well as its administrative, financial, and accounting operations.
- Compared the development of risk factors within the Group and existing systems in order to evaluate the effectiveness of the daily operations, as well as its ability to encounter unforeseen market changes.
- Evaluated the Executive Management performance in applying internal control systems.