The impact of Directive 159 on Risk Management
03 June 2013 | Magazine Archives FAnews & FAnuus | Risk Management | Yurika Pistorius, Centriq Insurance
Insurance practitioners must pay close attention to the stipulations captured within Directive 159 when outsourcing, to actively manage the risks that arise from outsourcing, writes Yurika Pistorius, executive head: legal and compliance at Centriq Insurance.
Directive 159 defines outsourcing as “an arrangement of any form between an insurer and another person, whether that person is supervised under any law or not, in terms of which that party performs a function or an activity, whether directly or by sub-outsourcing, which would otherwise be performed by the insurer itself.” When outsourcing a function, an insurer must determine if the outsourcing constitutes a control, management or material function.
Some of the factors to consider when determining whether a function is material include:
• the potential impact of the outsourcing agreement on the policyholders, the insurer’s finances, reputation and business operations, particularly where the other person may fail to perform;
• the insurer’s ability to maintain the appropriate internal controls and meet regulatory requirements;
• the degree of difficulty and time associated with replacing the other person, or performing the function in-house.
Comply with principles
The insurer’s board of directors and managing executives remain responsible for the company’s insurance business, regardless of any outsourcing. Therefore the insurer must implement measures to manage the risks involved in outsourcing functions.
Instances where an insurer may not outsource functions include: when outsourcing materially increases the risk to the insurer; when outsourcing materially impairs the quality of the insurer’s governance framework, including managing risks and meeting regulatory obligations; when outsourcing impairs the Registrar’s ability to monitor the insurer’s compliance with regulatory obligations; or when outsourcing compromises the fair treatment of policyholders.
When outsourcing, an insurer must avoid and, where this is not possible, mitigate conflicts of interest between its business, interests of policyholders, or the business of the other person that performs the outsourcing.
Remuneration must be commensurate with the actual outsourced function. However, a company should not outsource a function where commission or a binder fee is payable, since this will result in double remuneration.
Outsourced functions must not increase the risk of unfair treatment of policyholders, or be linked to the monetary value of insurance claims rejected, not paid, or partially paid.
Outsourcing requirements
An insurer that outsources functions must have an outsourcing policy approved by its board of directors, which would set limits on the types and the overall level of outsourced functions, while outlining the extent to which activities can be outsourced to the same person.
The outsourcing policy should give guidance on contractual risks, and outline other risks to assess, monitor and manage when outsourcing. The policy should provide for internal review and approval when a control, management or material function is outsourced.
The policy must stipulate guidelines for managing the outsourcing, as well as a regular review process of any outsourced control, management or material function. It must assess operational risk impact resulting from outsourcing, and any market conduct issues, as well as the fair treatment of customers.
The company should review its outsourcing policy at least annually, and adapt it to significant changes.
The insurer must also ensure that all affected business units and staff are aware of, and comply with, the outsourcing policy.
The outsourcing of control, management and material functions, other than a binder function, must be governed by written contracts that describe material aspects of the arrangement, including the rights, responsibilities and service level requirements of all involved.
Outsourcing reporting
An insurer must notify the Registrar of the proposed outsourcing at least one month before the effective date of the contract. The notification must note key risks associated with the outsourcing agreement and mitigation strategies to address these risks.
Overall, risk management should form an integral part of organisational and decision-making processes. It should be dynamic so that risk management processes are responsive to change, and provide for continual improvement and reassessment.
*Source of information: Directive 159. A. i. (LT & ST) issued by the FSB on 12 April 2012