BaFin

Topic Risk management Circular 3/2009 - Minimum Requirements for Risk Management in Insurance Undertakings (MaRisk VA)

Date: 22.01.2009

Please note: The MaRisk VA have been repealed as of 1 January 2016.

On this page:

Circular on Minimum Requirements for Risk Management in Insurance Undertakings (Mindestanforderungen an das Risikomanagement VA - MaRisk VA) Notations to the requirements

1. Objectives of the Circular

1 This Circular details the regulations of section 64a and section 104s of the Insurance Supervision Act (Versicherungs-aufsichtsgesetzVAG) in conjunction with Article 9 of Directive 2002/87/EC (Financial Conglomerates Directive) and provides a flexible, hands-on framework for risk management of the undertakings, groups and financial conglomerates under supervision. The Circular provides a binding interpretation for the supervisory authority of sections 64a and 104s VAG, thus ensuring consistent application to all undertakings/groups. It is based on the approach that the managers of an insurance undertaking must develop a risk awareness, which must be actively supported and kept up at all times. To enable supervisors to assess the risk-oriented behaviour of undertakings, minimum requirements have been established, taking into account the fragmented nature of the industry and undertaking-specific circumstances. These requirements facilitate a more quantifiable, qualifiable and manageable assessment of risk management processes by the Supervisory Authority and, likewise, a more quantifiable, qualifiable and manageable development of such processes by the insurance undertakings. The Circular is comprised of the principle-based requirements and the notations to the requirements. For purposes of clarity and to facilitate targeted reading, the most important administrative interpretations that provide a basis for supervision are contained in the left column.

The notations section of this Circular contains in addition to general comments notations on the requirements as well as examples of applying the regulations in practice.

The examples cited are of a non-binding nature and intended as an aid, especially for small undertakings, in establishing and operating a principle-based risk management system. The Supervisory Authority considers a functioning risk management system to be material for improving policyholder protection. With regard to minimum requirements aimed at an evaluation based on economic criteria (mainly section 7.3.1°(2) on risk-bearing capacity and section 7.2.2°(2) concerning provisioning), the Circular is to be understood in such a way that it requires undertakings to examine whether their current risk management can be improved by setting up appropriate functions and processes. It is expected that undertakings must implement these criteria as soon as a new risk-oriented solvency regime has been introduced at European or national level.

This applies to institutions for occupational retirement provision (IORPs) only when it has been decided that they too must implement new solvency rules. Until then, these institutions are not required to use current value accounting, particularly when implementing the rules concerning limits, solvency capital and other quantitative measurements described below.

2 With the Circular, the Supervisory Authority sets out the supervisory minimum requirements for risk management of the mentioned undertakings, groups of undertakings and/or corporate groups. Risk management, within the meaning of this Circular, includes the definition of an appropriate risk strategy consistent with the chosen business strategy, adequate organisational and operational rules, the establishment of an appropriate internal risk treatment and control system, as well as the establishment of an internal auditing system and the implementation of internal controls. Management is to adequately and regularly inform the supervisory body – to the extent that a supervisory body is required under company law or was voluntarily created – of the risk situation. The minimum requirements set out in this Circular do not prevent insurance undertakings from setting higher standards. The Circular was designed focusing on principles, e.g. it is up to the undertakings or the groups to decide within the framework of the minimum requirements which concrete form of risk management is appropriate for them given the undertaking-specific risks, the nature and scale of the business and the respective business model they have selected. The Supervisory Authority reviews and assesses the adequacy of risk management under the proportionality aspect (see no 4.1 below).

3 If at the level of the individual undertaking, the insurance group or the financial conglomerate the minimum requirements are not met, pursuant to section 81 (2) sentence 1 and (1) sentence 2 in conjunction with section 64a or pursuant to section 104s VAG, the Supervisory Authority is authorised to issue orders it deems appropriate and necessary to the responsible undertakings and individuals to establish sound administrative procedures. Violations of other provisions relating to sound administrative procedures could also result in supervisory action. This applies, for example, to section 91 (2) of the German Stock Corporation Act (Aktiengesetz - AktG) and to sections 104d, 104e (4) VAG.

2. Scope

1 The scope of this Circular covers the following undertakings subject to supervision:

- primary insurers and reinsurers domiciled in Germany, together with their domestic and foreign branches in the EU/EEA,

- pension funds,

- insurance undertakings within the meaning of section 105 VAG,

- reinsurance undertakings within the meaning of section 121i VAG,

- insurance undertakings within the meaning of section 110d VAG,

- insurance holding companies pursuant to section 1b (1) VAG which are superordinated entities of an insurance group,

- mixed financial holding companies that pursuant to section 104q (3) sentence 8 VAG were identified to be superordinated financial conglomerate entities of a financial conglomerate in which the insurance sector is predominantly represented.

Care must be taken to ensure that adequate risk management exists also at group or conglomerate level as part of sound administrative procedures.

To achieve equal treatment of individual companies, insurance groups and financial conglomerates, the requirements for sound administrative procedures, in particular for risk management, are uniformly interpreted.

It may be helpful to note that at group level an analogous implementation is sufficient, e.g. in relation to the organisational and operational rules.

2 For simplicity's sake, this Circular uses henceforth the term “undertaking” as a synonym for all entities listed in section 2 (1).

3. Relationship of the Circular to other regulations

1 The special regulations concerning the organisational and operational structure that apply based on other circulars, in particular in the areas of investments and reinsurance, remain unaffected by this Circular. This applies – also in the case of revision and replacement by successive circulars - to

- Circular R 3/2000 (VA) part A III of 19.10.2000 concerning derivative financial instruments,

- Circular R 3/99 parts A II 2 and 3 of 09.10.1999 concerning structured products, Circular R 1/2002 part B of 12.04.2002 concerning asset-backed securities and credit-linked notes,

- Circular R 7/2004 (VA) part B of 20.08.2004

- Circular R 15/2005 (VA) part IX of 20.08.2005 concerning the investment of restricted assets,

- BaFin announcement of 14.09.2005 on the use of financial instruments (VerBaFin 11/2005),

- Guidelines on the solvency of insurance undertakings R 4/2005 (VA) of 01.03.2005,

- Guidelines on the supervision of reinsurance undertakings R 6/2005 (VA) of 02.06.2005,

- Circular R 9/2007 (VA) part A concerning guidelines on risk management in the intermediaries sector,

- Circular R 1/1997 concerning guidelines for ceding undertakings on how to check the capacity and willingness of reinsurance undertakings to settle losses.

2 The circulars issued for the purpose of prevention of money laundering also remain unaffected to the extent that they apply to insurance undertakings.

4. Principle of proportionality

1 Compliance with the requirements set out in sections 64a and 104s VAG and the Minimum Requirements specified in this Circular shall take into account the principle of proportionality. The principle of proportionality states that the requirements must always be met taking the undertaking-specific risks, the nature and scale of the business operations as well as the complexity of the undertaking’s business model into account. The Supervisory Authority therefore assumes that the requirements set out in this Circular can be met by all undertakings.

The principle of materiality is to be taken into account in applying the principle of proportionality. In this case, the principle of materiality means that only material risks are to be considered. For a definition of materiality see 5.1

The requirements stated in this Circular are to be met by all undertakings, also by those that fall below the de minimis thresholds under EU directives. The means of fulfilling these requirements may be different for each undertaking due to reasons of proportionality. The undertaking must justify any deviations, for example deviations from the group standard (burden of proof).

2 Risk management assessments must take into account the particular features of institutions for occupational retirement provision. Institutions for occupational retirement provision operate, as a rule, on a limited scale and their business model is less complex.

5. Risks

1 The requirements of the Circular refer to risk management of the material risks described in the following paragraph. Risk is understood as the possibility of non-achievement of an explicitly formulated or implicitly resultant goal. All risks identified by management, which can have a sustainably negative impact on the undertaking’s financial position, performance or cash flows are considered material. In order to assess whether or not a risk should be deemed material, management must obtain an overview of the undertaking’s overall risk profile. The definition of material risks is the result of the undertaking-specific risk identification processes (7.3.2.1), the risk analysis and risk evaluation (7.3.2.2) and the scaling of materiality the undertaking applies. The undertakings must implement effective control and monitoring measures to ensure that there will be no material errors which could cause the undertaking to accept unreasonably high risks. Appropriate arrangements are to be implemented for risks that are not considered material.

The term ‘risk’ is defined in relation to its effects. It should be interpreted in connection with the objectives to be achieved. Both positive and negative slippage is possible. Negative slippage usually manifests itself as loss. Nonetheless, the function of an effective risk management system is to deal with both entrepreneurial opportunities and risks. This Circular focuses on negative slippage.

In a first step, risk evaluation should always be qualitative. The undertaking is to consider both the on- and off-balance sheet effects of risks. The latter frequently results from risks that are difficult to allocate but must nevertheless be captured and processed, e.g. risks of special purpose entities for which the undertaking is liable, or which may have a negative impact on the undertaking’s financial position, performance or cash flows. A quantitative assessment should be performed only after the undertaking has classified the risk as material in its reference framework.

2 From a regulatory point of view, the minimum risk categories to be taken into account by the undertaking are: Risk categorisation represents a reduction in complexity. The Supervisory Authority expects undertakings to address at least the risks listed in this Circular in their risk reports to be submitted under section 55c VAG. Undertakings may employ risk categories different from those suggested in the Circular, provided all the risks described in the notation section are taken into account.
underwriting risk Underwriting risk refers to the risk that the costs of claims and benefits actually paid may deviate from the expected costs accidentally or owing to error or change of circumstances.
market risk Market risk refers to the risk resulting directly or indirectly from fluctuations in the level and/or volatility of market prices for assets, liabilities and financial instruments. It comprises currency risk and interest rate risk.
credit risk (including country risk) Credit risk is the risk arising from default of or fluctuations in the creditworthiness (credit spread) of security issuers, counterparties and other debtors against whom insurance and reinsurance undertakings have claims.
operational risk Operational risk is the risk of losses due to inadequate or failed internal processes or as a result of employee or system error or from external events. Operational risk also comprises legal risks, however not strategic risks and reputational risks.
liquidity risk Liquidity risk is the risk that an undertaking is not in the position to meet financial obligations as they fall due for lack of fungibility.
concentration risk Concentration risk refers to the risk arising from the undertaking assuming single or highly correlated risks with significant loss exposure and/or potential defaults.
strategic risk Strategic risk is the risk resulting from strategic business decisions. Strategic risk also includes the risk that results from business decisions that are not adapted to a changed economic environment. Strategic risk, as a rule, is a risk that emerges in conjunction with other risks. But it can also emerge as an individual risk.
reputational risk Reputational risk is the risk that arises from possible damage to an undertaking’s reputation as a consequence of negative public perception (e.g. among clients, business partners, shareholders or the authorities). Like strategic risk, reputational risk, as a rule, is a risk that emerges in conjunction with other risks. But it can also emerge as an individual risk.

6. Overall responsibility of management

1 All managers – irrespective of internal rules regarding areas of responsibility – are responsible for ensuring that the undertaking has sound administrative procedures (section 64a (1) sentence 2 and section 104s sentence 3 VAG). Overall responsibility of management means that all managers are informed of the risks their undertaking is exposed to, can judge the main impacts on the undertaking and must take the measures necessary to limit them; that is, all managers are responsible for implementing and further developing a functioning risk management system. Responsibility for risk management decisions (decisions on acceptance and handling of material risks) lies with management and may not be delegated. The option of transferring responsibility for current execution of individual administrative procedures to one or more members of management remains unaffected by this regulation unless otherwise provided for by other statutory regulations.

7. Elements of adequate risk management

1 Undertakings must set up a risk management system that contains the elements listed in section 64a (1) sentence 4 VAG. The essential elements of risk management are not independently juxtaposed but dovetailed to form a consistent and interlocking whole (holistic approach), making it possible to deal effectively with undertaking-specific risks. The holistic approach requires that the risk strategy appropriate for the overall risk profile be implemented from the top down in operational day-to-day business to the degree necessary and that risks of operational day-to-day business in turn be reported from the bottom up, so that an overall risk profile can be developed.

7.1 Risk strategy

1 Determining the business strategy and the resultant adequate risk strategy lies in the non-delegable overall responsibility of management and is to be documented by them. By business strategy, the Supervisory Authority understands the undertaking’s business orientation, its goals and planning over an appropriate time horizon, whereas by risk strategy it understands the description of dealing with the risks resulting from the business strategy. The business strategy is not the object of audits by the Supervisory Authority or the internal auditing department. The risk strategy, in contrast, is subject to auditing by the Supervisory Authority. The Supervisory Authority assesses the risk strategy against the backdrop of the business strategy as a consistency check. In particular, the risk strategy presents the effects of the business strategy on the undertaking’s risk situation and describes how existing risks are dealt with and the undertaking’s ability to bear newly emerging risks. The manner in which the board of management documents its risk strategy is at the undertaking’s discretion. In addition to a summarised version in one document (e.g. for a group), the strategy can also be presented in several documents, provided that there is a consistent interrelationship between the various documents.

2 The risk strategy is to describe the risks resulting from the business strategy and should be designed in such a way that it dovetails smoothly with the functional risk treatment. The risk strategy must address:

- the type of risk (which risks should be taken on in the first place?),

- the risk tolerance (what amount of risk is chosen?),

- the origin of risk (from where does the risk originate?),

- the time horizon of the risks (which risks in which time period are to be dealt with under the existing risk coverage?) and

- the risk-bearing capacity.

Sustainable business expectations are to be included in the business strategy (e.g. type of the business, targeted volume, profit forecast, and costs). The resultant risks are presented in the risk strategy concerning their impact on the financial position, performance and cash flows of the undertaking as well as the resultant guidelines for dealing with risk. It is critical that the expectations/risks are defined at operational level so that employee guidelines for risk management are established in the day-to-day business.

Origin need not necessarily be understood geographically; it could also refer to a class of insurance.

3 If new business areas are taken on or new capital market, insurance or reinsurance products are introduced, an evaluation of their impact on the overall risk profile must be made. The same applies to significant changes in market parameters and risk assessments. Changes in the risk strategy may be necessary if the overall risk profile changes substantially. The management of the undertaking must review this on an ongoing basis. Involving the responsible actuary in accordance with his supervisory function may be considered. Changes in the overall risk profile should not be restricted to investment parameters only but should include the impact of changes in risk assessment in general and, in particular, in relation to new types of risk (such as, for instance, terrorism, pandemics and asbestos exposure risks).
4 Management is to review the business strategy as well as the risk strategy at least once each financial year, making adjustments if necessary. The strategies are to be reported to the undertaking’s supervisory body for discussion ‑ if there is such a body.

As a general rule, the risk strategy is to be reported to each member of the supervisory body. If the supervisory body has formed a responsible committee for this purpose, the risk strategy can also be reported to this committee for discussion. This is subject to the prerequisite that a corresponding resolution has been passed on the establishment of the committee, and that the chairperson of the committee makes a report to the entire supervisory body on a regular basis. Furthermore, each member of the supervisory body must be given the right to view the risk strategy at any time.

Especially for purposes of preventing strategic risks, the Supervisory Authority recommends that management conduct a critical quality analysis (“strategy audit”) at least once a year of its actions and decisions or present in writing the grounds for deeming such an audit unnecessary. The strategy audit could, for example, be performed in cooperation with internal audit or the supervisory body.

7.2 Organisational framework

1 To implement sections 64a and 104s VAG, the undertaking must ensure that business operations that involve material risks are carried out on the basis of internal company guidelines. These guidelines are to take into account the strategic limits of the business activities as well as the limits defined by law and the undertaking’s memorandum and articles of association, and they must determine the organisational framework conditions under which the company operates, which applies in particular to the

- organisational structure

- operational structure, including

a) integration of new business areas and new capital market, insurance or reinsurance products,

b) internal resources and incentive systems,

c) organisational development;


- the implementation of an appropriate internal risk treatment and control system, including

a) a risk-bearing capacity concept,

b) risk identification, analysis, evaluation, treatment and monitoring,

c) an internal communications structure,

d) meaningful reporting;

- responsibilities and functions of the internal audit function,

- internal controls,

- decisions on outsourcing within the meaning of section 5 (3) no. 4 VAG,

- contingency planning,

- appropriate information and documentation.

2 Materially significant individual decisions and instructions by the management levels below corporate management that violate internal policy guidelines are to be justified in writing, documented and presented to management for their information. This does not refer to the individual decisions taken in operational day-to-day business but decisions on matters that are of material significance to the undertaking and which are taken by the management levels determined by the organisational structure.

7.2.1 Organisational structure

1 The organisational structure of the undertaking is to be geared to supporting the undertaking’s most important strategic goals. In principle, there must be a clear separation of incompatible functions, up to and including the management level. The persons responsible for building up risk positions may not at the same time, even indirectly, be simultaneously entrusted with their monitoring and control. A function is the administrative capacity to assume specific tasks. Unless otherwise provided for, defining a specific function does not prevent the undertaking from freely deciding how this function is to be organised in practice.
2 If completely separating incompatible functions would place an unreasonable burden on an undertaking due to its size, avoidance of conflicts of interest must be adequately ensured by other means. In the process, consistency with the chosen risk strategy must be ensured. As a general rule, the principle of separation of functions, for example between functional risk treatment and the risk control function, must be observed up to and including management level. To function properly, separation of functions must take into account the hierarchical structures. In companies where a separation of functions and personnel is not possible due to the low number of employees, joint performance of two intrinsically incompatible functions may be permitted on an exceptional basis if accompanying measures (transparency through clear documentation, reporting lines separate from functional authority structures, “four eyes” principle) ensure that no conflicts of interests arise.
3 Duties and responsibilities within the organisational structure must be clearly defined and coordinated with each other. When determining responsibilities, the following requirements for successive staff members performing the same function(s) must be complied with: The definitions used for the functions are not mandatory. An undertaking may have its own individual system. In particular, deviations in the terms describing the required functions in risk management are permitted; the decisive factor is the content of the function. The required functions are not to be equated with the competent business units.

a) Management is responsible for

- defining uniform guidelines for risk management, taking internal and external requirements into account,

- determining business and risk strategy,

- determining risk tolerance and observing the risk-bearing capacity,

- setting material risk-strategy requirements,

- continuous monitoring of the risk profile and establishing an early warning system as well as providing solutions for material risk-relevant ad hoc problems.

Risk tolerance is dependent on the individual risk-acceptance level of management, which is reflected in the undertaking’s risk strategy. The risk-bearing capacity can, in contrast, be objectively determined and constitutes the upper limit.

Risk strategy requirements can be determined concerning e.g. risk profile, risk capital and definition of risk limits.

Material ad hoc problems relevant to risk could be, for example, when limits are exceeded.

b) The independent risk control function coordinates and is responsible for

- identification, analysis and evaluation of risks, at least at the aggregate level,

- development of methods and processes for risk evaluation and monitoring,

- risk reporting on identified and analysed risks and determining risk concentrations,

- recommendation of limits,

- monitoring limits and risks at aggregate level, monitoring measures to limit risk,

- assessing planned strategies under risk aspects,

- evaluating new products as well as the current product portfolio in terms of risk,

- validating any risk evaluations performed by the business units.

Individuals or business units performing this function must be able to carry out their tasks objectively and independently. The risk control function need not necessarily be at management level. To enable it to perform its duties, the risk control function must be granted a full, unlimited right to information.

Immediate reporting to the independent risk control function is necessary if material deficiencies have been identified or there has been serious financial damage or there is a reasonable suspicion that irregularities have occurred.

The supervisory body – if one exists – may contact the independent risk control function directly for additional information. This option is limited by the statutory or contractually agreed information rights and obligations the supervisory body is subject to.

The risk control function is independent if it is not responsible for risk acceptance or risk treatment at an operational level (see 7.3.2.4 (3)). The independent risk control function is also responsible for company-wide, uniform aggregation and plausibility checks of risks, risk reporting, and proposing risk mitigation measures to management, in a coordinated procedure that is part of overall coordination for management. Coordinated procedure is to be understood as, for example, decision-making authority over determining formats, content, interfaces, methods, software usage etc.

The independent risk control function must be obliged to report to the entire management. This is to be ensured, in particular, if a member of management holds the independent risk control function directly.

The special reporting obligations that apply to investment, e.g. from investment risk management to the risk control function, remain unaffected.

If the supervisory body wishes to make use of its right to direct information, it is advisable to provide a generally accepted information order without considering the individual case. This way it is made clear that the access to information was not based on a lack of confidence in management.

c) The operating business units are responsible for implementing the identification, analysis and, in particular, the treatment of all material risks in their area. The business units are free to subdivide the limits specified for them by management. The tasks, responsibilities, representation rules and competencies of the business unit when dealing with risks are to be defined and documented.
d) The internal audit function independently reviews all business units, processes, procedures and systems following their own procedure and objectively focusing on risk. In this way, it is able to detect risks, hazards and deficiencies at an early stage and report them to management. The concrete responsibilities of internal audit are set out in
7.4 Internal auditing, on page 36.

7.2.2 Operational structure

1 The operational structure is to support the main functions of the organisational structure in line with the risk strategy. The operational structure enables all responsibilities and all business processes that involve material risks to be determined. The operational structure is to be clearly defined. Appropriate responsibilities are to be defined for all business processes that involve material risks including the transfer of data and results.

The operational structure requires adequate personnel resources. Staffing must be based, among other things, on internal requirements, business activities and the risk situation. Employees must be so trained that they can identify risks and address them appropriately.

All business processes which carry material risk, and their interfaces, are to be treated in such a way that they support the business goals and keep deviations from these to a minimum.
2 All business processes dealing with operations that involve material risks are to be adequately managed and monitored. Such business processes include, at a minimum, the underwriting business, provisioning, investment management (including asset liability management) and ceded reinsurance management.

- Underwriting business

Management of underwriting business comprises – if appropriate – at a minimum the product design, premium rating, sales and underwriting policies, risk assessment and claims management, as well as market and competition risks.

As a rule, the underwriting business is managed on the basis of risk acceptance criteria and underwriting guidelines. These must contain business rules (type and geographical origin of the business) as well as personal, quantitative underwriting limits. Exclusions must be clearly set out. Premium rates should be determined on the basis of adequate information about all risks. The premium rating is to be adequately documented. If significant run-off losses are incurred in an insurance class, the undertaking must be able to justify the calculated premium rates. The Supervisory Authority recommends that risk-related key figures be used for the management of individual procedural steps (e.g. lapse rate, number of breaks of underwriting guidelines).

- Provisioning

The valuation of technical provisions is undertaken for accounting purposes pursuant to section 341e-h of the German Commercial Code (Handelsgesetzbuch - HGB. It also currently serves as the basis for solvency purposes. Currently, a market-consistent, actuarial calculation of technical provisions for solvency purposes is not legally required. The Supervisory Authority expects all undertakings, with the exception of institutions for occupational retirement provision, to examine whether their current risk management could be significantly improved by setting up risk-adequate processes for the creation of a statistical database and the definition and computerisation of appropriate valuation procedures. If this is the case, the undertaking should initiate the conversion to a market-consistent actuarial valuation of technical provisions as an integral part of its risk management. Such risk-adequate processes must also determine the responsibilities in the undertaking and ensure adequate quality assurance.

- Investment management (including asset liability management)

The special regulations and reporting requirements of the Circular specified in 3 (1) apply.

- Ceded reinsurance management

The special regulations and reporting requirements of the Circular specified in 3 (1) apply. Both primary insurers and reinsurers must additionally take into account the requirements of the Finite Reinsurance Ordinance (Finanzrückversicherungsverordnung - FinRVV).

For the purposes of ceded reinsurance management, the undertaking should answer in particular the following questions:

- What is the acceptable retention per business type and how is it determined (on the basis of individual risk or aggregated risks to the extent possible)?

- Does the reinsurance contract take into account the possibility of multiple events within a coverage period, if necessary?

- Which exclusions are contained in the reinsurance contracts? Do they correspond to the exclusions in the primary insurance contracts? How are any remaining risks covered?

- How are alternative risk transfer instruments used, both in the area of reinsurance market products (e.g. finite reinsurance), and in the area of capital market products (e.g. securitisation, derivatives, hedging)?

- At what intervals are controls carried out to ensure that the liabilities of special purpose entities are fully funded?

7.2.2.1 New business areas and capital market, insurance and reinsurance products

1 The risks of new business areas or new capital market, insurance and reinsurance products are to be examined in advance for their impact on the undertaking’s overall risk profile. The assessment of the expected impact on the overall risk profile is to be adequately documented. Management must officially release new products prior to their application or sale. A final report, for example, could be included at the end of a product development process which contains the general characteristics, pricing and product design, expected profitability results as well as their sensitivity to deviations from assumptions. Options and guarantees in the products are of particular interest. In all cases, the decision-making process and the findings of the final report are to be adequately documented.
2 New business areas are to be integrated into the undertaking’s existing risk management system based on their risk content. Appropriate adaptation of the organisation as well as of risk treatment and control processes is to be ensured. The adaptation of the organisation as well as of the risk treatment and control processes should be carried out in such a way that any changes in the undertaking’s risk situation brought about by new business areas are made sufficiently transparent. This is to be adequately documented and brought to the attention of the risk control function.

7.2.2.2 Incentive systems and resources

1 The structure of incentive systems and in particular of remuneration schemes, as well as the allocation of financial, personnel, material and technical resources must be in line with the undertaking’s individual risk strategy. Changes in strategy must be taken into account. Incentive systems must be structured in such a way that any possibility of manipulation is precluded. Negative incentives (such as conflicts of interest or the building up of disproportionately high risk positions) are to be avoided. Remuneration schemes must ensure that the variable component is based on the long-term performance of the undertaking. In addition, they must take appropriate account of the material risks including the relevant time horizons. The structure of the incentive systems of individual business units is to take due account of the overall performance of the undertaking. Note: No. 1 of item 7.2.2.2 of the MaRisk VA is repealed by Circular 23/2009 (VA) dated 21 December 2009.
2 The appropriateness of the means available to the business units is to be evaluated and adequately documented in terms of the risks that are taken on and subject to risk treatment by the persons responsible for those units, with a view to the risk strategies and the internal company guidelines provided. Means made available include budgets, qualified personnel and technical equipment. The responsible person is, for example, the head of the organisational unit. Example: If weekly reporting from all business units is anchored in the internal company guidelines but the IT systems only allow monthly reporting for technical reasons, management should be informed.
3 The IT systems (hardware and software components) and the related IT processes must ensure the integrity, availability, authenticity and confidentiality of data. To this end, the IT systems and the related IT processes have to be based on established standards as a general principle. The suitability of these systems and processes has to be assessed on a regular basis by the employees responsible for the technical and professional aspects of the relevant processes and systems.

Standards for IT systems:

These standards include, among others, the Basic IT Protection Manual of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) and the ISO 17799 international security standard of the International Standards Organisation. The use of established standards does not mean that standard software or hardware has to be used. As a general rule, the undertakings may also use proprietary software.

4 The IT systems have to be tested before they are used for the first time and after any material changes have been made. They have to then be approved by both the staff responsible for the relevant processes and the staff responsible for the systems. As a general rule, the production and testing environments have to be kept separate.

Changes to IT systems:

Any assessments to determine whether or not changes can be classified as material are to be based not on the scope of the changes, but on the potential impact of the change on the functionality of the IT system in question.

Acceptance by staff responsible for the relevant systems and processes:

When accepting IT systems, the staff responsible for the relevant processes and systems focus on the suitability and appropriateness of the IT systems for the specific situation of the respective undertaking. Any certificates already issued by third parties may be taken into account during the acceptance process, although they cannot replace it entirely.

5 Development of and changes to technical specifications (e.g. the adjustment of parameters) have to involve both the staff responsible for the relevant processes and the staff responsible for the systems. As a general rule, the user may not be involved in the decision on the technical approval.
6 All software used by the undertaking (whether internal or external) must comply with the requirements of this Circular.

7.2.2.3 Organisational development

1 The organisational framework and the internal risk treatment and control system must be adapted to the changes in the environment within an appropriate period of time. Guidelines on organisational development must be set up to this end.

7.3 Internal risk treatment and control system

7.3.1 Risk-bearing capacity concept and limiting

1 Based on the undertaking-specific overall risk, a risk-bearing capacity concept is to be prepared, which sets out the risk taking potential (i.e. the total capital available to cover potential losses or any other item able to absorb potential losses) and how much of this risk-taking potential is to be used for the coverage of all material risks the undertaking has taken on. Compliance with the regulatory capital adequacy requirements constitutes the lower limit for the required risk-bearing capacity. Moreover, undertakings must examine whether the regulatory required capital resources are sufficient to address their current overall risk and their strategic goals.

Thus, an adequate risk-bearing capacity describes in the narrower sense of the term the capacity of an undertaking to absorb losses resulting from identified risks, without that posing a threat to the undertaking’s survival. The risk-bearing capacity concept should therefore always consider various requirement levels. These include at a minimum:

1) compliance with regulatory requirements as a minimum requirement,

2) third-party assessments, e.g. rating agencies,

3) the undertaking’s internal objectives,

4) accounting purposes.

The Supervisory Authority will also take the results of third-party assessments into account for the evaluation it conducts, in order to be able to draw conclusions about potential impacts on the undertaking’s risk management concerning items 1) and 3), provided these assessments are based on extensive information.

2 As part of strategic considerations, management is to determine the target earnings and capital and obtain an overview of the undertaking’s overall risk profile based on an economic evaluation – to the extent this is technically possible. On this basis, that share of risk taking potential that will in fact be employed to cover risks is to be set out in the risk-bearing capacity plan, in accordance with the management’s risk propensity. Undertakings must adhere to the applicable regulatory requirements in determining the amount of regulatory own funds required. If an undertaking wants to report risk taking potential in excess of this amount, it can apply criteria other than the regulatory criteria for this portion.
3 The methods and assumptions in drawing up the risk-bearing capacity concept are to be documented and clearly explained. Assumptions include, for example, the time horizon of risk measurement and consideration of economic cycles; methods include, e.g., the treatment of diversification effects.
4 Management must justify and document the assumptions used for determining the risk-taking potential. The determined amount is to be taken into account in the business strategy management pursues to achieve its target earnings and capital, and is to be set out when defining the target risk limits.
5 Based on risk-bearing capacity, a consistent system of risk limits is to be installed, which breaks down the risk limits set by management in line with the limits defined in the risk strategy into the undertaking’s most important managing organisational units. The limit utilisation level is to be set out in the form of risk ratios, which can be quantitative as well as qualitative. Risk ratios are to be aggregated at the corporate level and compared with the share of risk-taking potential to be used to cover the risks. During the financial year, the actual risk coverage is to be regularly controlled using risk ratios and the control result periodically reported to management. Reporting must be independent, that is, it may not be performed by persons who employ these risk ratios in their operational activities. The limits selected must be consistent with the risk strategy determined by management and the share of risk-taking potential to be used to cover the risks.

Limits are instruments for implementing the chosen strategy taking the risk-bearing capacity into account. They enable decision-makers of the managing organisational unit to deliberately assume only those risks that are consistent with the undertaking’s risk-bearing capacity concept. Limiting can be made at the level of organisational units, products, premium rates and risk types. Management must explain to what extent risk treatment can be performed at the relevant level and why the allocation methods used are best suited to achieving the risk strategy defined by it.

In this context, “periodically” is interpreted as a function of risk. It is at the discretion of the undertaking to determine who is to perform the independent reporting to management.

6 As a rule, limits must exist for all relevant levels of risk treatment and for all risks listed in section 5, if applicable. Limits are to be chosen on the basis of counterparty and - to the extent this is possible – class, and may thus vary at the various levels. Management bears the responsibility for adequately determining and setting the undertaking’s main limits. Limits should be of a quantitative nature – to the extent this is technically possible. A quantitative limiting of all risks taken on in conducting business (e.g. operational risks) is not always possible, particularly for small and medium-sized undertakings. In such cases, processes and qualitative rules on organising risk limits can be implemented. These might be, for example, instructions, contingency plans, and training sessions.
7 The undertaking must ensure that all transactions which incur risks are counted towards the corresponding limits and that the business unit is informed promptly and in detail of the limits relevant to it and of their current level of utilisation. To ensure risk-bearing capacity at all times, the quantitative limits should be “self-consuming” to the extent possible, that is, losses must be counted towards the corresponding limit in addition to the risks of existing transactions. This may result in the limit being used only once and even being used up. If in cases of exception a limit is completely consumed by losses, no further transactions can be concluded on this limit. Instead, management must decide anew in this case whether a further limit can be issued or whether the corresponding business activity is adjusted to meet the limit.
8 Compliance with the limits shall be monitored. Reports must be made on any instances in which limits are exceeded, as well as of any measures taken as a result. Explanations for the limits having been exceeded as well as the resultant measures are to be included in the report. Internal company guidelines should set out who must be informed, at what time and in what manner in case a limit is exceeded and what consequences result from the limit being exceeded (escalation procedure).

Limits are derived from the risk-bearing capacity; their utilisation is to be continuously controlled by the independent risk control function on the basis of appropriate risk ratios and the result periodically reported to management. If, in case of an exception, the prescribed limits are exceeded, the risks taken on in this area are normally to be reduced in line with a procedure defined by management. The period of time and the amount by which the predefined limit was exceeded (e.g. amount, length of time limit was exceeded) are to be reported to management. Examples of potential limitations:

- underwriting risks: limitations through, e.g. VaR limits, deductibles, underwriting limits, cumulative budgets/cumulative limits (particularly with natural hazards or in credit insurance business), reinsurance limits,
- market risks: limitations through, e.g. VaR limits, limits that result from the ALM process, limits of share price risk,
- credit risks: limitations through, e.g. VaR limits, counterparty / issuer / spread limits, liquidity planning / limits,
- operational risks: limitations through, e.g., insurance policies.

7.3.2 Risk control process

7.3.2.1 Risk identification

1 All risks are to be consistently defined by the undertaking and to be recorded and classified throughout the undertaking (i.e. in all operational processes and at all functional and hierarchical levels) in a structured, timely and systematic manner. Internal and external factors, which influence the risk (so-called risk-drivers), as well as reference values, which are affected by the risk (so-called key reference figures), are to be defined. In addition, the risk causes are to be specified and materiality thresholds for risk assessment must be defined. Therefore, risk identification requires all material risk drivers which may influence the undertaking’s risk situation and – if relevant to the undertaking and mathematically possible – all interdependencies among risk drivers to be recorded on a regular basis. If possible, risk definitions should not overlap.

This new risk identification process goes deeper than that required under the German Control and Transparency in Business Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich - KonTrag). The aim is no longer simply to prevent risks that threaten the existence of the undertaking, but to develop a comprehensive basis for the measurement of all risks. To this end, it is important to identify and record all risks, as unidentified risks cannot be influenced by risk management. Risk drivers should take account of internal factors such as

- internal structure (organisational and operational structure),

- different business activities and complexity of the business

and external factors such as

- sector-specific changes,

- changes in capital markets,

- new or revised legal and regulatory requirements,

- technical development.

Possible key reference figures are, for example, own funds, premium income or different income amounts. Reverence values should be chosen so as to reflect the impact of the risks on the undertaking’s financial position, performance and cash flows.

Examples of methods of risk identification are:

- structured assessments (e.g. business plan risk assessment),

- scenario analyses (defined scenarios using various confounders),

- checklists,

- standardised questionnaires,

- trend analyses,

- expert evaluations/workshops,

- interviews,

- the Delphi method.

To achieve an as complete as possible risk identification, it is advisable to use a combination of the above mentioned methods and processes, adjusted to the specific risk profile of the undertaking.

2 Risk identification must begin already during the strategic planning process and is to be adjusted to the overall risk profile of the undertaking. It is to be repeated on a regular basis, but at least once a year. If the undertaking changes its strategies or objectives, the results of the risk identification process are to be promptly examined and, if necessary, adjusted to reflect the changes in the framework conditions.

The results of the risk identification process should be systematically recorded in a risk description, risk catalogue or risk register. The records should comply with the requirements of the persons or groups for which they are intended in terms of content, form and timing, and should provide, at a minimum, detailed information on:

- risk type,

- the responsible business unit/s,

- risk drivers (e.g. share prices),

- key reference figures,

- possible interactions and correlations with other risks,

- measures already initiated or ongoing,

- foreseeable future risks.

At the minimum, data recording should take place once a year, followed by a semi-annual review. Depending on circumstances and priorities, additional deviation reports and requirement reports can be prepared.

3 Risk identification must be conducted in all of the undertaking’s business units.

7.3.2.2 Risk analysis and evaluation

1 Building on the results of the risk identification, the undertaking shall analyse and evaluate the risks. Only risks identified during risk identification are taken into account, unidentified risks are disregarded. As a rule, risk analysis and evaluation must lead to a qualitative and quantitative assessment of potential and actual slippage from targets owing to individual risks, as well as to the overall risk. In addition, the evaluation of potential slippage shall, as a rule, be based on the relevant risk driver.
2 Risk analysis is to classify the identified risks, ranked by relevance, into the risks categories previously defined by the undertaking. In addition, risk analysis should show the reference values applied and the correlations between the identified risks. To analyse and evaluate a risk, the risk levels and the probability of their occurrence, as well as the correlation between the material risks within a specified time horizon are to be assessed, subject to the type of risk (in particular the extent to which it can be quantified) and the available database. If no database suitable for such assessment is available, it must be established.

Building on prioritisation on the basis of risk relevance and classification according to risk categories and reference values, the undertaking can decide on the method it wants to apply for risk evaluation.

As a rule, suitable random variables and corresponding probability distributions are to be determined. The probability function is defined by determining the distribution of random variables on the basis of previous data. On request, the background for the assessment is to be explained. The explanation can be based either on empirical or analytical methods. The probability of occurrence in percent is to be assessed by experts if mathematical/statistical procedures cannot be used to determine the probability function, owing to the data available, the risk type or other factors.

Risk evaluation follows the determination of the probability of occurrence. Applicable methods are, e.g., the fault tree analysis, the sensitivity analysis or the ABC analysis.

3 The risk evaluation method and evaluation frequency must be appropriate to the risk and allow the aggregation of results. The undertaking must develop a consistent data requirement for material risks. The data are to be collected on the basis of the requirements of risk treatment and in line with the business and risk structure of the undertaking. The methods and processes used for the risk analysis and evaluation are to be specifically defined for each risk category (see section 5). Risk analysis and evaluation may be performed on the basis of qualitative or quantitative methods, such as e.g. questionnaires, stress tests and scenario analyses. It may be necessary to distinguish between gross and net evaluation. Gross evaluation refers to an assessment of the risk situation before applying risk reducing measures, whereas net evaluation takes existing risk reducing measures into account.
4 The time horizon for risk evaluation must be in line with the planning horizon defined by the undertaking, to enable consistent management of the measures to be taken. It is to be ensured that the time horizon can be adjusted to new circumstances, if necessary. For reasons of comparability, the minimum time horizon recommended by the Supervisory Authority is one year. The time horizon for the calculation of the required solvency margin may differ from that for the risk capital employed by the undertaking for risk treatment.
5 Risk evaluation is to be based on meaningful and consistent key figures. Key figures are to be understood not only as ratios but also as absolute values. Consistent key figures are those that have a uniform basis and a consistent logic, since otherwise a meaningful aggregation would not be possible.
6 To develop appropriate measures and strategies for risk treatment, the risks are to be prioritised and categorised, based on the evaluation results. As a rule, appropriate risk treatment measures must be developed for all material risks. The order in which material risks are processed can be based on a ranking list (A-risks, B-risks, C-risks, D-risks), depending on the impact of the risks on the undertaking. Visualisation can be performed in the form of, e.g., risk maps.
7 The undertaking’s overall risk is to be defined based on the evaluation of the individual risks. In so doing, accumulations/concentrations and interdependencies, both within and between the individual risks, are to be taken into account. Risks can be aggregated at a given date according to business units and/or risk types. Undertakings may set themselves the goal of determining a complete probability distribution of the overall risk, but this is not necessarily required for risk treatment purposes.
8 In a first step, risk evaluation should always be qualitative. A quantitative assessment should be performed only after the undertaking has classified the risk as material in its reference framework. An exclusively qualitative assessment is to be performed only for those risk types for which a quantitative assessment is impossible or economically unreasonable. Undertakings that decide on an exclusively qualitative assessment must give detailed reasons for their decision.
9 The result of the risk analysis and evaluation is the proof of all risks assumed by the undertaking and the available risk capital. It must be ensured that management is informed about the undertaking’s current overall risk profile and any potential losses that could arise from the relevant individual risks, and that it is in a position to take appropriate risk treatment or risk adjustment measures. The comments and recommendations for action by management are to be promptly communicated to the business units. The risk analysis and evaluation results in determining (net) risk positions, which are to be actively influenced by the ensuing risk treatment measures. These measures aim to reduce the probability of occurrence (e.g. by internal controls) or limit the amount of loss (e.g. by risk transfer).

7.3.2.3 Risk treatment

1 Risk treatment is a part of the risk management process. Risk treatment refers to risk handling measures. Risk treatment thus comprises the process of developing and implementing strategies and concepts aimed at either deliberately accepting, or avoiding or limiting identified and analysed risks. Risk handling measures include concrete actions to avoid, limit, transfer and accept risks. Concrete actions would include for example increased controls to reduce the probability of risk occurrence or the increase of reinsurance cover to limit the amount of loss. Data, models and procedures can be used to map dynamic, path-dependent management rules, for example in risk treatment processes. These are rules that react to interactions between the sub-processes themselves and with the process as a whole. Management rules should represent an analysis opportunity and suggest alternative courses of action; however they are no substitute for a management decision. The implemented rules are to be explained and documented by management.
2 Risk treatment based on the risk strategy is performed by the business units which have P&L responsibility. As a rule, responsibility for risk exposure can be measured on the indirect and direct responsibility for generating profit.
3 As part of risk management, strategic risk objectives are to be broken down for all relevant business units into operationally measurable sub-objectives, which are to be determined in a manner consistent with the organisational and operational structure of the undertaking. Risk ratios are to be used to check the target and result scores. It must be ensured that relevant control metrics exist for all levels of risk treatment and that they are consistent with each other and the risk parameters determined at each separate level of aggregation. When there are several levels of risk treatment, control metrics are to be meaningfully aggregated. In this context, reference is made to risk objectives that are in line with the business objectives.
4 The control metrics must be adequate for the respective organisational unit which assesses the risks under observation, but must also be comparable within the undertaking. The control metrics must be reflected in the risk report. The undertaking must be able to reasonably explain the mode of operation of these metrics and the background to their use.

The structuring of, e.g., investment or (re)insurance transactions with the aid of control metrics is largely dependent on the undertaking’s organisational and operational structure.

The “objects” of risk treatment must be defined in a forward-looking manner. Every number determined only makes sense if it can be assigned to a clear responsibility within the functional risk treatment system. For example, it is irrelevant to perform an analysis, broken down by class of insurance, e.g. general accident, household, fire, etc., if every person responsible for a customer group is authorised to decide on the premium rates for his specific support area. The Supervisory Authority will, for example, also compare control metrics from the management accounting report and the personnel department with the risk report in order to check to what extent the control metrics as well as the organisational and operational structure support achievement of the objectives set.

5 The net evaluation is to be applied for risk treatment processes. Comparing the existing net risk position (actual) with the desired net risk position (target) will determine the action needed to improve existing risk treatment measures or for additional measures. The recommendations for action are to be consistent with the risk strategy. A comparison should be made between the risk position that the undertaking is to take on in accordance with a resolution/specification made by management (if necessary, in the form of a limit), and the actual risk position. Emerging risks are to be analysed ex-post and compared with the findings of the ex-ante risk analyses and assessments at regular intervals, but at least on a yearly basis. Breaches of limits (even short-term) must be reported to the business units immediately.
6 If a significant change in the overall risk profile or, from the point of view of the undertaking, a significant concentration of individual risks is identified, the responsible business units are to identify the risk drivers and to recalculate the risk ratios after measures have been taken. Critical limits are to be set as thresholds when using risk ratios. If they are exceeded, or even if there are adverse developments, clear reporting channels are to be defined and documented or management is to take care of the matter. In a further step, when certain criteria combinations or risk ratios are met, reference is to be made to potential countermeasures/risk treatment measures, up to and including contingency plans.

An analysis of the causes is a prerequisite for an adequate definition of risk ratios. The effectiveness of the risk ratios is in turn influenced by how frequently they are measured. Continuously updated information on the justifiable maximum values of (settled) loss ratios and combined ratios for each insurance class would be, for example, a risk ratio by which could be determined whether added value could be achieved, i.e. the costs of capital are covered.

Traffic light systems could serve to visualise risk ratios.

7.3.2.4 Risk monitoring

1 Monitoring all risks that have been identified and analysed includes control of:

- risk profile,

- limits,

- implementation of the risk strategy,

- risk-bearing capacity,

- risk-relevant methods and procedures,

- risk handling.

Regular monitoring of indentified, analysed and assessed risks is a main prerequisite for being able to discover and rectify deficiencies in implementing the risk strategy and in the risk-relevant methods and processes. This includes an adequate documentation process.
2 Risk monitoring must occur regularly and should be based on the individual overall risk profile of an undertaking as well as on the frequency and type of changes in the business environment.
3 Risk monitoring is to be performed by the independent risk control function and does not comprise any risk treatment functions.

7.3.3 Internal company communication and risk culture

1 Undertakings must ensure adequate internal communication of all material risks. This is the responsibility of management and the managerial staff and requires an adequate risk culture within the undertaking, which heightens the risk awareness of all employees involved with risks, creates sufficient risk transparency and promotes internal dialogue on risk management issues.

For the Supervisory Authority, risk culture refers to the way in which undertaking-specific risks are dealt with. In this respect, risk culture is shaped by the relevant corporate culture. The decisive factor is that the undertaking-specific risk culture is systematically established and actually practiced from the top level down. A significant component of such a risk culture is the communication of risks. For example, part of a practiced risk culture is also the creation of incentive systems for reporting claims/losses or the appointment of a risk officer to whom claims/losses can be (anonymously) reported. In addition, a practiced risk culture ensures quick adjustment to changed framework conditions thus preventing or limiting risks before they arise.

In performing their day-to-day business, all employees must act risk-consciously in line with the undertaking-specific risk management system. To this end, it is especially required that the direct superiors also be adequately informed of all material risks so that they can provide an initial risk treatment. This approach is based on the idea that the one who is closest to the risk (e.g. the broker with whom the policy is entered into or the broker’s superior) is also the one who has the initial influence in managing and controlling the risk.

The undertaking must ensure that the persons concerned do not suffer any disadvantages by reporting information on risks. It is up to the individual undertakings whether they maintain a culture of open communication and protect those concerned, for example, by labour law provisions, or guarantee anonymity in reporting.

7.3.4 Risk reporting

1 With the exception of the undertakings specified in section 64a (5) VAG, all undertakings must have a meaningful risk reporting system in accordance with the provisions of section 64a (1) sentence 4 no. 3d) VAG. As part of risk reporting, management is to obtain, at appropriate intervals, reports on the overall risk profile and information on the degree to which the risk management objectives set out in the risk strategy were achieved (target-actual comparison) and the extent to which the limits set for the risks are utilised. The risk report must be prepared in accordance with the provisions of section 64a (1) no. 3d VAG. Moreover, it must be ensured in a suitable manner that second-tier management receives the information required for its respective area of responsibility from the risk report. All contractual relationships with insurance special purpose entities must also be included in risk reporting. The report should include the name, the home country of the insurance special purpose entity, and the extent of risk transferred as well as the terms for the transfer of risk, at a minimum. Information already communicated in previous reports may be repeated in the current report, provided no relevant changes have taken place in facts and circumstances. This information may be accompanied by the remark: “no change from previous reports”. Since risk aspects must be addressed within the context of income and expense aspects, these should also be included in the risk report, to the extent necessary for understanding risk aspects.
2 In addition, the reporting must also detail any changes in risk identification, analysis and assessment methods if these have an impact on the undertaking’s financial position. The changes addressed here include changes related to both the past and the future.
3 If necessary, the risk reporting must include notes on the consequences of significant internal changes, risk treatment measures implemented or changes to the business policy. The business units are to develop potential alternatives for risk treatment measures and inform the persons responsible for the operational business about these alternatives in a timely manner.
4 The risk report must be written clearly and concisely and must contain both a description and an assessment of the risk situation. Undertakings are to assess the current and, if known to them, future risk situation.
5 Causes and impacts of surprising and extreme developments and events are to be described.
6 The frequency of risk reporting must be adapted to the significance of the risks and take account of the organisational and operational structure. Regular risk reporting must be performed at least once a year. Ad hoc reports are required for special situations. If the implementation of recommendations for action is very time-consuming, e.g. in a specific business unit, risk reporting should take this into account by providing sufficient lead time.
7 Management must be able to explain the risk report at any time. For those risks that management has assumed intentionally, it must be able to explain what alternative courses of action were available at the time the decision was made and why the preferred option was chosen. The alternative courses of action and the measures actually taken are to be documented for the supervisory bodies. For second-tier management, the obligation refers to their respective areas of responsibility.

7.3.5 Quality assurance, internal risk treatment and control system

1 The data, models and procedures applied in the internal risk treatment and control system and any necessary modifications are to be validated and documented systematically and in a manner that is transparent for knowledgeable third parties. Each undertaking must individually define and approve its validation process. The validation process is to demonstrate the ongoing usefulness, adequacy, quality, completeness and validity of the data, models and procedures applied.

7.4 Internal auditing

1 With the exception of the entities named in section 64a (5) VAG, every undertaking must have an operational internal audit function as an essential component of sound administrative procedures. The internal audit requirements refer to a function; that is, the undertakings must have an audit function although it need not be an independent organisational unit. The internal audit function may also be outsourced. Particularly for small undertakings, the internal audit function does not have to be active throughout the entire year. The Supervisory Authority assumes that employees of internal audit possess the required knowledge of national and international standards (e.g. German Institute for Internal Auditing - Deutsches Institut für Interne Revision (IIR) and The Institute of Internal Auditors (IIA)) and apply them accordingly.
2 The internal audit must refer to all significant administrative procedures, particularly also risk management activities. The activities of the internal audit function must be based on a comprehensive audit plan which it shall update on a yearly basis. Audit planning must be risk-oriented. Audit planning, audit methods and quality must be reviewed and developed further on an ongoing basis. Audit planning, as well as any major adjustments to it, must be approved by management.
3 The internal audit function must perform its duties in an objective and independent manner. Moreover, it must have sufficient and appropriately qualified personnel. In order to enable it to perform its duties, the internal audit function must be granted a full, unlimited right to information and auditing. The internal audit function is subject solely to instructions from management. Independent audit departments established in group companies have a duty to provide information to the group audit function. This does not affect the provisions of the general company law. As part of the group’s risk management, the group audit function shall supplement the activities of the internal audit function of the group companies.

The Supervisory Authority interprets the terms below as follows:

- Independence

The internal audit function must perform its duties in an autonomous, independent fashion. In particular, it must be ensured that the internal audit is not subject to any instructions with regard to its audit planning, reporting and evaluation activities. Management’s right to order additional audits does not conflict with the autonomy and independence of the internal audit function.

- Separation of functions

As a general rule, members of staff employed in the internal audit function may not be entrusted with tasks which are not related to auditing. They may not, under any circumstances, perform tasks which are not consistent with auditing activities. Provided that the internal audit function maintains its independence, it may provide advisory support to management or other business units of the undertaking within the scope of its duties.

As a general rule, members of staff employed in other organisational units of the undertaking may not be entrusted with internal audit tasks. This does not, however, rule out justified situations in which other employees may, due to their particular expertise, conduct activities for the internal audit function on a temporary basis.

- Information and audit right

In order to enable it to perform its duties, the internal audit function must be granted a full, unlimited right to information at any time. In this respect, the internal audit function must be immediately provided with the requested information, the required documents and an opportunity to review the undertaking’s activities, processes and IT systems.

The internal audit function has an unlimited right to audit. The internal audit function of the group extends at a minimum to all affiliated undertakings within the meaning of section 271 (2) HGB.

- Internal audit subordinated to management

The internal audit function is an instrument of management. It is under management’s direct control and must report to it. The internal audit function can also be subject to the direct control of an individual member of management, who should, if possible, be the chairperson of the management body.

4 Complete or partial outsourcing of the internal audit function to external service providers or to another group company within the meaning of section 18 of the German Stock Corporation Act (AktiengesetzAktG) is permissible on the basis of a written agreement (see section 8 of this Circular). When outsourcing to external service providers, the undertaking must be convinced that the external partner has sufficient knowledge and sufficient capacity to ensure that auditing is properly performed. In the event that the audit function is outsourced, management must appoint an audit officer who will ensure that internal auditing is performed correctly. The audit officer should be either a manager or an employee with sufficient knowledge and the required degree of independence. The tasks of the internal audit function can be fully performed by the group audit function if the required information rights and directing powers of management and the reporting requirements of group auditing are contractually set out. The audit plan is to be drawn up by the audit officer in cooperation with the external partner. As appropriate, the audit officer shall prepare the audit report together with the external partner and shall review whether the deficiencies identified have been remedied in a timely manner. As a general rule, internal audit duties are to be performed by employees of the undertaking. Internal audit activities may be transferred to external service providers if this is acceptable from a risk point of view. In case of outsourcing within the group, the Supervisory Authority expects the outsourcing undertaking to also appoint an audit officer.

5 Management is to set out the duties, responsibilities, organisational involvement, powers and reporting requirements of the individuals entrusted with the internal audit function as well as the principles of independence, separation of functions and the obligation to provide full information to the internal audit function in internal company guidelines.

In addition, all organisational units must inform the internal audit function without delay if material deficiencies have been identified or there has been serious financial damage or there is a reasonable suspicion that irregularities have occurred.

6 The internal audit function must be informed immediately of any management directives and resolutions that could be relevant to its activities. The internal audit function must be informed in good time of any changes which could have a significant impact on the organisation, procedures and financial position of the undertaking.
7 The internal audit function must prepare a written report on each audit in a timely manner and, as a general rule, submit this report to the responsible management members. In particular, the report must include a description of the subject of the audit and the findings, including any planned measures where appropriate. The results of the audit must be assessed; material deficiencies are to be highlighted. In the event of serious deficiencies, the report must immediately be submitted to management. All managers must be informed immediately in the event that the audit results in severe findings against managers. The undertaking must define what constitutes material/serious deficiencies.
8 The internal audit function must promptly prepare an overall report of all of the audits performed in the course of the financial year and provide this report to all members of management. The overall report must provide information on material deficiencies identified, their classification, the measures taken and the status of their remedy. The internal audit function and the independent risk control function must regularly exchange information on significant risk-related matters and developments. The important contents of the discussions are to be documented.

The criteria by which the internal audit function is to classify its findings are, for example, the severity of the findings, the business units affected and the type of findings.

9 The internal audit function must perform appropriate assessments to ensure that any deficiencies discovered in the course of the audit are remedied within the required period and document the remedial action appropriately. In the event that deficiencies are not remedied within the required period, an escalation procedure to management is to be established.

7.5 Internal controls

1 To ensure the proper functioning of all components of risk management, appropriate control functions are to be installed. The functioning of the controls is to be verified at least once a year. Control weaknesses are to be evaluated and promptly eliminated.

8 Outsourcing of functions and services within the meaning of section 64a (4) VAG

1 The partial or complete outsourcing of functions or services may only be undertaken in accordance with the principles set forth in section 64a (4) VAG. Moreover, this circular must be followed. Outsourcing in accordance with section 5 (3) no. 4 VAG occurs when, through an agreement, all or a significant part of distribution, portfolio management, claims administration, accounting, investment or asset management or internal auditing of an insurance undertaking is permanently transferred to another undertaking. Outsourcing of services refers to outsourcing of other functions that are not covered by section 5 (3) no. 4 VAG. As a general rule, all activities and processes may be outsourced, as long as the soundness of administrative procedures set forth in section 64a VAG is not affected. Outsourcing may not result in the responsibility of managers being delegated to the external service provider. Management functions may not be outsourced.
2 On the basis of a risk analysis, the undertaking shall determine on its own responsibility what activities and processes are suitable for outsourcing from a risk point of view. This shall be the basis for an undertaking’s decisions on outsourcing. The relevant business units are to be involved in the preparation of the risk analysis. Within the framework of its duties, the internal audit function must also be involved. If material changes occur in the risk situation, the risk analysis is to be modified and, if necessary, the outsourcing is to be stopped.

From the point of view of the Supervisory Authority, the following criteria are to be taken into account and form part of the contractual outsourcing agreement:

- services to be performed by the company to which the activity is outsourced must be specified and where appropriate delineated;

- information and audit rights of the internal audit function as well as of external auditors must be determined;

- information and audit rights as well as the controlling options of the Supervisory Authority must be ensured;

- the rights to issue instructions must be clearly defined;

- there must be rules that ensure that data protection provisions are taken into account;

- appropriate periods of notice must be specified;

- it must be ensured that the company to which the activity is outsourced complies with insurance supervisory requirements;

- the outsourcing undertaking must inform the undertaking of developments that affect the proper performance of outsourced activities and processes.

3 The risks associated with outsourcing are to be identified, analysed and evaluated, and treated in an appropriate manner. The performance of the outsourced activities and processes is to be properly monitored. This applies in particular to operational risks. Monitoring also includes regular assessments consistent with established criteria of the services of the outsourcing provider. The undertaking must determine clear responsibilities for monitoring and management. If the undertaking intends to terminate the outsourcing agreement, it must take measures to ensure the continuity and quality of the outsourced activities and processes after the agreement has been terminated. It must be ensured that in the event of termination the organisational structure allows the outsourced functions to be smoothly reintegrated, without the quality of the activities and processes being affected.
4 The requirements for outsourcing activities and processes are also to be observed in subcontracting outsourced activities and processes.

9. Contingency planning

1 Undertakings must prepare for disturbances and for emergency and crisis situations (contingency planning), when continuity of the most important processes and systems is no longer ensured and normal organisational/decision-making structures are no longer sufficient to deal with them.

The aim of contingency planning is to continue the business activity using defined processes and to protect individuals and tangible property as well as assets for the purposes of value creation.

Significant elements of contingency planning are, in addition to maintaining business continuity or business recovery plans, also determining communication channels for emergencies. Contingency planning does not have to cover every activity in the undertaking but only significant activities. Every undertaking is to specifically set forth in internal company guidelines which organisational disruptions, e.g. failure of IT systems, under what circumstances are to be considered material for the undertaking.
2 Contingency plans are to be regularly reviewed for effectiveness and suitability.
3 Contingency plans must be made available to the business units involved. Developing business-related contingency plans is the responsibility of each business unit involved, supported by a central function.

10. Information und documentation

1 Complete and accurate information essential to the functionality of risk management must be available to the decision-makers. How the undertaking is to be managed is to be determined in line with the corporate strategy. The requirements set out in section 64a (3) VAG apply concerning documentation. Documentation includes all material formulas, parameters, models, procedures, actions, determinations, decisions and, where applicable, justifications along with deficiencies identified and the resultant conclusions. Material changes made during the year to the risk strategy are to be recorded and communicated within the undertaking in a timely manner. The documentation must be comprehensible and verifiable for third-party experts.

A variety of data and information from different corporate functions and academic disciplines can be used for risk management in insurance undertakings, such as:

- sales,

- internal and external accounting,

- corporate planning, business development and company valuation,

- data storage and backup,

- asset Management, including capital market information,

- premium rating, product development, actuarial function,

- claims management,

- underwriting portfolio management,

- mathematical/statistical procedures.

The documentation should provide a systematic overview of risks, processes and key controls. From the Supervisory Authority’s point of view, the documentation requirements presented here do not represent a conclusive list for the risk report to be prepared in accordance with section 55c VAG, but rather name the areas that are to be documented at a minimum.



Did you find this article helpful?

We appreciate your feedback

* Mandatory field

Additional information

Please note:Ger­man ver­sion is bind­ing

This translation is furnished for information purposes only and may refer to an older version of the text. The original German text is binding in all respects.