2019 Integrated Report

CORPORATE GOVERNANCE REPORT

The risk management system comprises the following components:

- A clearly defined and documented risk management strategy, which considers the overall business strategy and business activities.
- Documented procedures which clearly define the decision-making processes within the framework of the risk management system.
- An adequate written overall risk management policy and component policies, consistent with the risk management strategy.
- Appropriate processes, procedures, and tools for identifying, measuring, monitoring, managing, and reporting (including communication and escalation mechanisms) on all material risks.
- Reports to inform senior management, the Group Risk Committee, and the boards of directors and trustees on all material risks faced by the PPS Group and on the effectiveness of the risk management system itself.
- Processes for ensuring adequate contingency planning, business continuity, and crisis management.

The detailed particulars of the risk management system are set out in the PPS Group Enterprise Risk Management Framework.

INTERNAL CONTROL SYSTEM

The internal control system consists of the totality of strategies, policies, procedures, and controls to assist the boards of directors, trustees and managing executives in the fulfilment of their oversight and management responsibilities. The PPS Group has adopted a Five Lines of Assurance model, supported by a combined assurance framework, to facilitate and ensure effective governance across all processes and functions.

The internal control system provides the boards of directors, trustees, and managing executives with reasonable assurance from a control perspective that the business is operated consistently within the following parameters:

- Business objectives of the PPS Group.
- Strategy determined by the boards of directors and trustees. The detailed particulars of the strategic planning process are set out in the Strategic Planning and Capital Allocation Framework.
- Key business, information technology and financial policies and processes, as well as related risk management policies and procedures, determined by the boards of directors and trustees.
- Applicable laws and regulations.

The internal control system comprises the following components:

- Appropriate segregation of duties, and controls to ensure that segregation is observed.
- Appropriate controls for all key business processes and policies, including for major business decisions.
- End-to-end control processes for complex business activities.
- Controls to provide reasonable assurance over the fairness, accuracy, reliability and completeness of the insurers’ financial and non-financial information.
- Board-approved delegations of authority (these are reviewed regularly by the PPS Group boards).
- Controls at the appropriate levels, including at the procedural or transactional levels, and at the legal entity or business unit levels.
- Regular monitoring of all controls to ensure they remain effective.
- An inventory of all key policies and procedures, and the controls in respect of each policy and procedure.
- Training in respect of relevant components of the system of internal controls, particularly for employees in positions of trust or responsibility, or who carry out activities that involve significant risk.

CONTROL FUNCTIONS

In terms of the Prudential Standard GOI 3 Risk Management and Internal Controls, insurance companies must have certain control functions in place and these must be adequately resourced. The following four key control functions are in place within the two PPS Group insurance companies:

- Risk management.
- Actuarial.
- Compliance.
- Internal audit.

The control functions are structured to include the necessary authority, independence, resources, expertise, access to the boards and all relevant employees, as well as information to enable them to exercise their authority and perform their responsibilities. The performance of the control functions is reviewed periodically by the PPS Group boards or relevant committee/s. The control functions are required to complete regular self-assessments of their respective functions. The roles and responsibilities of the control functions are documented and reviewed on an annual basis and are approved by the PPS Group boards. The control functions must avoid conflicts of interest and where conflict arises, it will be brought to the attention of the PPS Group boards.
