The Hong Kong Insurance Authority (IA) has launched a consultation on a draft Guideline on Enterprise Risk Management (ERM), as part of the qualitative (ie, Pillar 2) requirements under the proposed risk-based capital (RBC) regime.

The proposed RBC regime is aimed at aligning the capital requirements for insurers with the risks to which they are exposed, and strengthening their ERM systems. The IA states that the key objective of the draft ERM guideline is to nurture a strong risk culture in the insurance industry that will be reflected in the values, attitudes and norms of business behaviour.

The consultation period will end on 6 July 2018. The IA aims to finalise the ERM guideline by late 2018 and proposes that it takes effect from 1 January 2020.



The draft guideline takes into account of the latest international standards promulgated by the International Association of Insurance Supervisors, including the relevant Insurance Core Principles.

Due to the diverse nature of authorised insurers, the draft guideline adopts the principle of proportionality such that the requirements may be appropriately applied, taking into account the nature, scale and complexity of an insurer’s business operations.


Unless otherwise specified by the IA, the guideline is intended to apply to all authorised insurers, except:

  • those insurers which have ceased accepting new insurance business and are in the course of running off their liabilities with an insignificant run-off portfolio in Hong Kong;
  • Lloyd’s;
  • captive insurers; and
  • marine mutuals.

Key requirements

The key requirements of the draft guideline include:

  • establishing an ERM framework with sufficient governance to ensure safe and sound operation;
  • having clear and well-documented risk management policies and procedures in place, appropriate for the nature, scale and complexity of the risks associated with the business conducted;
  • having a risk appetite statement which defines the risk capacity and gives guidance to the operational management on the limits of material risks;
  • encompassing regular risk assessment and control activities (including risk identification, quantification, monitoring and reporting, and management review and actions), which include a regular review of current and future risks against the insurer's risk appetite statement and risk limits structure;
  • reviewing the ERM framework regularly to ensure that it is responsive to changes in the risk environment and risk profile;
  • performing an own risk and solvency assessment (ORSA) to assess risk profile, adequacy of risk management, as well as current (and likely future) solvency and liquidity positions (ORSA reports should be submitted annually to the IA within 4 months after each financial year end, and whenever there are material changes to the risk profile);
  • (for authorised insurers that are part of a group) submitting promptly to the IA, as permitted by applicable law, prior written notification of group events and intra-group transactions that are material to the insurer's operations in Hong Kong, together with the expected impact of the events or transactions (examples of notifiable events or transactions are set out in Annex B of the draft guideline).

Three-tier supervisory approach

The IA has proposed a three-tier supervisory approach, to avoid duplication of supervisory oversight on authorised insurers that are members of insurance groups which are already subject to group-wide supervision by their home supervisors. Hence, there are different requirements for:

  • insurance groups that are supervised by the IA as the home regulator;
  • insurance sub-groups that have insurance operations significant to the Hong Kong insurance market or to its whole group; and
  • other insurers that are part of groups supervised by their home supervisors.

The supervisory approach is set out in Annex A of the draft guideline.

Removal of duplication

The IA intends to remove any duplication between the requirements in the draft guideline and those in guideline GL 10 on corporate governance of authorised insurers.


The IA aims to finalise the ERM guideline by late 2018 and implement it on 1 January 2020. Following this timeframe, authorised insurers that will be subject to the guideline will be required to lodge their first ORSA reports for the financial year ended on or after 31 December 2020 within 4 months of the relevant financial year-end.

The IA has specifically stated that boards of directors and senior management of authorised insurers should take ownership in shaping and nurturing a strong risk culture. Authorised insurers that will be subject to the proposed guideline should start considering whether any preparation work will be required for compliance with the guideline, pending its finalisation.