The Risk Management function must have responsibility for the following, at a minimum:
a. Providing risk analysis and performance risk reviews to the Board and Senior Management;
b. Identifying individual and aggregated risks (actual, emerging and potential) that the Company faces;
c. Identifying, assessing, monitoring, mitigating, controlling and reporting risks, including the Company's capacity to absorb risk with due regard to the nature, probability, duration, correlation and potential severity of risks;
d. Gaining and maintaining an aggregated view of the Risk Profile of the Company on an entity and/or Group-wide basis;
e. Assessing the impact of the compensation arrangements and incentives on the Company's Risk Profile;
f. Evaluating the internal and external risk environment on an ongoing basis in order to identify and assess potential risks as early as possible. This may include looking at risks from different perspectives, such as by geographic region or by line of business;
g. Establishing a process for conducting forward-looking assessments of the Risk Profile on a regular basis;
h. Providing periodic reports to the Board, Senior Management and other Control Functions on the Risk Profile, risk exposures and the necessary mitigation actions; and
i. Reporting material changes affecting the Risk Management system to the Board along with recommendations to improve the system.
2. The CRO, or equivalent, must:
a. Not have a decision-making role in the Company's risk-taking functions, including underwriting or any other equivalent function;
b. Have no revenue-generating responsibilities;
c. Have no compensation based on the performance of any of the Company's risk-taking functions;
d. Not be the Chief Executive Officer of the Company, the head of underwriting or reinsurance, or the head of the compliance or internal audit functions;
e. Have a direct reporting line to the Board and/or its risk committee and appropriate reporting lines to Senior Management; and
f. Have unfettered direct access to the Board's risk committee, including the ability to meet with it without other Senior Management present.
3. The Board must ensure that the Risk Management function is properly staffed and resourced and carries out its responsibilities independently and effectively. This includes unrestrained access to all information needed for the Risk Management function to fulfil its duties.