AN INSIGHTFUL STRATEGY

enterprise risk management


governance of risk management

At Ceylinco Life, the Board of Directors retains overall accountability for the governance of risk and is committed to effective risk management in pursuit of our strategic objectives. It is the responsibility of the Board, in conjunction with the Board Risk Management Committee, to review the Company’s portfolio of risks and assess them against the risk appetite (refer to Pages 259-260 for the Report of the Board Committee Level Board Risk Management Committee). Risk management is inextricably linked to our strategy, and control is exercised by way of a governance framework.

The Executive Risk Committee, headed by the Chief Risk Officer, is responsible for developing, facilitating and monitoring the control framework and execution of proper risk management strategies.

Line management and staff are responsible for day-to-day risk management and are represented at the Sub-Committee level. The six Sub-Committees, namely the Operational Risk Committee, Financial Risk Committee, Insurance and Demographic Risk Committee, ICT Risk Committee, Business Risk Committee and Regulatory Risk Committee, ensure timely identification of risks and implementation of controls, and report to the Chief Risk Officer and higher-level management.

CEYLINCO LIFE’S APPROACH TO RISK MANAGEMENT

Our Enterprise Risk Management (ERM) is based on the ISO 31000:2018 framework. This enables us to proactively identify events and circumstances relevant to our corporate objectives (risks and opportunities) and assess them in terms of consequence and likelihood. We then determine an appropriate risk response strategy, implement it and monitor progress so that it will contribute to our value creation process. The ultimate result of this approach is an integrated, organization-wide effort towards risk management.

An Independent Risk Unit

This ensures separation between the units that originate risk and those that control or supervise the risk.

Linking Risk Appetite to Strategy

Our Board-approved risk appetite statement serves as the point of reference in strategy setting for ensuring that strategies remain within defined appetite levels.

Inculcating a Risk Culture

We embrace a set of attitudes, values and beliefs towards risk and this is engrained into all processes through a top-down approach across the hierarchy.

A Comprehensive Approach to Risk

Our Sub-Committee structure facilitates management of a diverse range of risks. We also understand inter-relationships between such risks and take an overall view.

RISK MANAGEMENT PROCESS

The risk management process of Ceylinco Life is continuous and sequential, as depicted in the diagram. We strongly believe that an on-going commitment to risk management is necessary in the modern business context and recognize the importance of improving the risk management process, while ensuring the smooth flow of the activities within the process.

Risk Appetite

Risk Appetite refers to the aggregate amount and type of risk Ceylinco Life is willing to accept in the pursuit of its objectives, before action is deemed necessary to reduce it. We have defined a “Risk Appetite Statement” which serves as guidance in our risk management process. We have established appetite levels in the broad categories of risks identified in our ERM framework.

Risk Register

The Company uses an electronic risk register. Risks are identified, discussed and updated in the register at Sub-Committee meetings. The risk register also serves as the basis for generating risk heat maps and for risk escalations to higher management.

Risk Universe

We determine our key risks through a review process in relation to our strategy and objectives, in the context of the external and internal environment. Key risks include those risks that could have a direct potential impact on the achievement of strategic priorities, reputation and delivery of key business plans. Such risks also have a material impact on our ability to create value.

The subsequent sections of this Risk Management Report provide an overview of the Company’s approach to managing the key internal and external risks listed above. While monitoring the impact on the capitals, the Company assesses each risk according to its likelihood of occurrence, the scale of impact on the organisation, and the overall change in risk ranking year-on-year.

RISK PROFILE IN 2024

Likelihood and Impact (residual):

Ranking:

R1
INSURANCE RISK
1.1. Underwriting Risk

Capitals Impacted:

Financial / Social & Relationship / Intellectual

R2
REGULATORY RISK
2.1. Compliance risk

Capitals Impacted:

Financial / Human / Intellectual

R3
FINANCIAL RISK
3.1. Investment Concentration Risk

Capitals Impacted:

Financial / Human / Intellectual

R10
Tax Legislation Risk

Capitals Impacted:

Financial / Social & Relationship

MAPPING OUR RISKS

In line with the above assessment, the Company mapped its key risks as follows.

IDENTIFICATION OF ESG RISKS AND OPPORTUNITIES

Ceylinco Life is aware that social, environmental, and governance aspects can lead to risks as well as bring new opportunities for the business. Owing to this, Ceylinco Life undertakes the regular identification and evaluation of ESG risks and opportunities in order to gain greater precision in defining the organisation’s strategy, objectives and actions that are to be implemented. This mechanism also ensures that such risks and opportunities can be reported to the Board of Directors for their consideration and integration into the Corporate Risk Map, in line with the provisions of the Risk Management Policy.

CEYLINCO LIFE’S APPROACH TO ESG RISK MANAGEMENT
  • ESG Risk Identification will be linked to the Sub-committee level as this is the usual point at which risks are identified.
  • Each sub-committee will consider ESG risks in its proceedings.
  • If any new ESG risk is identified, it is assessed and recorded in CAMMS with the Chief Risk Officer’s approval.
  • Controls and actions will be assigned to respective Heads of Department.
  • Monitoring will also take place at the sub-committee meetings.
  • Critical ESG risks will be reported to the BRMC and BOD.

During the year under review, with the rising impact of climate change and its associated risks, the Company focused solely on climate-related disclosures, with the aim of incorporating other environmental, social, and governance risks in the year ahead.

Defining ESG Risks

ESG risks are any environmental, social, or governance issues that could affect a company. At Ceylinco Life, the Company’s risks align with its key ESG strategic pillars.

Why are ESG Risks Important?

Sustainability initiatives at corporations appear to drive better financial performance due to mediating factors such as improved risk management and more innovation. Therefore Ceylinco Life has linked financial performance into the ESG risk management framework.

LOOKING AHEAD

The recent developments in the external business environment have prompted the Company to relook at business continuity planning and reinforce disaster preparedness and business resilience. A special emphasis will be placed on IT disaster recovery and adopting more effective business continuity practices. Cyber security will remain a key focus and, given the increase in the number and sophistication of cyber-attacks against business entities, we will continue to invest in our IT security capabilities.

Increased attention will be placed on maintaining market leadership, prudently managing the risks which impact the value of our investments in the context of the ongoing financial crisis in the country, mitigating risks from changing business dynamics and compliance with changes in laws and regulations.

We will also be conducting user trainings and drills as part of our ongoing BCP review. A complete data protection management programme together with a privacy policy will be deployed to ensure compliance with the new Personal Data Protection Act. A revision to the existing data classification process will be planned to be in line with this Act.

RISK MANAGEMENT HIGHLIGHTS 2024
1. Regular Testing of Disaster Recovery Plans

We conducted tests on our disaster recovery plans on 8 September 2024. The main objective of the tests was to evaluate how effectively the critical applications could be operated from the DR site. Learning outcomes from each drill were used as feedback for improving subsequent drills. The IS Audit Department served as an independent observer of each drill conducted.

2. Migration of SAP to the Cloud

One of the core applications of the Company, SAP, which is used for accounting, reporting and financial asset management, was migrated to the cloud in March 2024. This is expected to bring down maintenance costs and improve flexibility and scalability, while offering enhanced security and compliance.

3. Personal Data Protection Program

With the support of an external consultant, the Company commenced a special project in July 2024 to make sure it complies with the requirements of the Personal Data Protection Act No. 9 of 2022. The project kicked off with a few awareness sessions for identified departments, and a gap analysis has been completed. As the key outcome of the project, a data protection management programme will be established.

4. ESG Risk Discussions

In 2024, we started identifying ESG risks at the Sub-Committee level. At each monthly meeting of the six Sub-Committees, members can bring any ESG risks that they have identified to the attention of the Committee. Identified risks, based on criticality, are escalated to the Executive Risk Committee and the Board Risk Management Committee.

5. Signing Escrow Agreement For Critical Applications

We continued to enter into escrow agreements with vendors of critical applications. In such arrangements, the code of the application is entrusted to the independent escrow agent. This ensures that the Company will have fewer issues in future system modifications in the event of non-availability of the vendors who originally developed the applications. This also involves testing by the Company’s IT team to ensure that changes in the code are properly updated with the escrow agents.
