Underpinning our supervisory work programme is the Authority’s risk-based framework. This ensures that our standards are appropriately calibrated to Bermuda’s wholesale and domestic financial markets and that our supervisory resources are applied to those firms which pose the greatest risk. This risk-based approach has been endorsed by a variety of international regulatory and standard setting bodies including, most recently, Bermuda's enhanced commercial insurance regime reaching full equivalence with Solvency II.
The Authority uses a risk-based framework to conduct its supervisory programme, which enables us to:
- Carry out the responsibilities placed on the Authority by various Acts in an effective and efficient manner
- Allocate resources to most pertinent risk areas
- Observe and adhere to international best practices while monitoring and responding to external developments, taking into consideration the nature of the Bermuda market
Risk-based Supervisory Process
Using a risk-based framework allows the Authority to detect problems at an early stage and take regulatory action on a timely basis.
If an entity is noncompliant, the risk-based framework seeks to ensure that it either returns to compliance or its exit from the market is timely and efficiently managed.
The risk-based framework considers four main components when assessing risk:
- Identification of risks
- Assessment of risks
- Prioritisation and resource allocation
- Regulatory response to mitigate risks
The Authority has developed separate risk-based supervisory processes for use in assessing entities, since the risks presented by companies in each category vary. However, the Authority uses core common supervisory tools across sectors for the purposes of risk assessment:
Identifying risk impact groups and prioritisation
This involves categorising firms according to their risk profile and assists in determining the level and frequency of supervision that they will require.
This involves primarily off-site, desk-based review and analysis of financial data and statutory returns received from firms. This work provides an early opportunity to flag any concerns that may result from that analysis for further examination and follow-up action.
As part of its routine supervisory activities, the Authority conducts regular prudential meetings with firms’ senior management; this is in addition to the thorough off-site and on-site assessments and analysis that it undertakes in relation to regulated entities. These meetings ensure that the Authority maintains detailed monitoring of industry developments via building relationships with key management, as well as identifying any specific corporate issues.
Risk Assessment Models
The Authority uses risk-based supervisory models in its assessments of entities in the banking, trust, insurance and investment sectors. These models allow the Authority to analyse the impact and probability of failures among regulated firms, in order to more intensively focus its supervisory resources. The models also provide a framework for conducting on-site supervisory reviews for selected firms.
The Bermuda Solvency Capital Requirement (BSCR) is the Authority’s recently developed risk-based capital model, developed specifically to enhance its capital adequacy framework for the insurance sector. The model takes into account an insurer’s risk profile, reflective of the inherent risk and complexity
of the different lines of business it writes. The capital requirements subsequently placed on a firm will be based on the analysis resulting from application of the model, assisting the Authority in both measuring risk and determining appropriate capitalisation for firms.
Enhanced Monitoring - On-site Programmes
The Authority’s on-site programmes involve supervisory teams conducting additional assessment work within a firm’s premises, which builds on previous analysis. The Authority has conducted on-site reviews on all banks and trust companies, and on a cross-section of investment firms.
In the insurance sector, on-site reviews have been conducted for all Class 4 companies, and selected non-Class 4 commercial re/insurers. The Authority also introduced in 2007 a captive manager on-site programme and a start-up audit programme for newly formed, high-impact commercial re/insurers. The Authority extended the programme during 2008, with special emphasis placed on the domestic insurance market, Segregated Accounts Companies and further on-site supervisory reviews on a wider range of Class 3 insurance companies. The risk-based model will be used to identify the highest-impact Class 3 firms for review.
The Authority’s on-site programmes across all sectors are consistent with international standards, and are continually reviewed to ensure they remain effective with enhancements being applied as deemed necessary.
Based on the results of its assessments the Authority will determine what supervisory actions may be required with respect to a firm’s operations and take specific actions accordingly. This could involve employing enhanced oversight, or requiring changes to be made to a firm’s operations to ensure all regulatory requirements are being met.
Sectoral Risk-based Supervisory Processes
Banking, Trust, Corporate Services & Investment (BTCSI)
To assess the risks inherent in the banking, trust, corporate services providers and investment businesses that the Authority supervises, a six-step programme is used:
- Identifying risk impact groups and prioritisation
- Fundamental monitoring
- Application of the risk model
- Enhanced monitoring
- Reporting and risk mitigation
Identifying risk impact groups and prioritisation
The purpose of the first part of the programme is to point out existing and potential problems in supervised companies and to set priorities for their supervision.
This is achieved through a review of the subject company’s statutory returns and financial statements; the acquisition of prudential information; analysis of recent developments; analysis of market conditions and industry trends; and panel reviews, discussions, etc.
At this stage, potentially problematic information or activity is flagged for review. Such flags indicate potential areas of weaknesses in judging the health and potential of a company under analysis.
Flags are detected by performing:
- financial ratio analysis, which groups ratios into categories based on various facets of a company's finances, such as liquidity, profitability, capital, etc.;
- peer analysis, which permits comparison of firms of different sizes;
- trend analysis, by which financial data and ratios are compared over time to highlight trends and allow an examination of comparative numbers for significant and unexpected changes; and
- stress testing, which allows an assessment of the sensitivity of each company, and of the system as a whole, to interest rate, liquidity, foreign exchange and credit risk exposures.
Risk Model Application
Once the analysis in the first two stages is complete, the Authority’s risk model, CAMLBECOM, is applied.
CAMBELBCOM is a risk assessment model that evaluates nine risk factors including, Capital, Assets, Market risk, Earnings, Liabilities, Business, internal Controls, Organisation, and Management risk.
This stage calls for analysis of the results of the model and an overall assessment of all data captured to this point.
On-site visits are undertaken by the Authority’s supervisory teams to clarify further points arising from the desk-based work. Meetings are scheduled with the risk group in order to update the risk model based on the findings of the on-site work.
Reporting and Risk Mitigation
Written reports are prepared that focus on issues or concerns identified during the risk assessment process and that may warrant corrective attention. Findings are presented to management and group teams for further discussions of issues and follow-up on recommendations.
The Authority has established an overall plan for its supervision of the insurance sector. The plan is flexible, in that it allows for changing or emerging risks, and the appropriate allocation of resources.
The risk-based programme used by the Authority’s Insurance supervision unit is best described in nine phases. These phases are not necessarily sequential as supervision is a dynamic process. The phases are:
- Planning and prioritisation
- Risk impact group
- Fundamental monitoring
- Prudential visits
- Enhanced monitoring
- Composite risk rating;
- Supervisory attention ranking
- Supervisory actions
Planning and Prioritisation
When determining the priorities in the plan and the scope of work for each insurer the factors the Authority considers include: the time elapsed since the last prudential visit and/or the application of the Composite Risk Assessment process; the current risk assessment of the insurer; and cost benefit trade-offs.
On an ongoing basis the supervisory plan may need to be revised and decisions made about the most effective way to respond to changing or emerging risks
Risk Impact Group
Insurers are assigned to groups based on their size, nature and complexity. The Class system used to categorise Bermuda insurance and reinsurance companies is a prime facie indicator of risk impact, but this too varies with developments in the industry and the sector. The Risk Impact Group is one element used in determining the level and frequency of supervision required.
Every insurance and reinsurance company must continue to demonstrate that it satisfies the threshold conditions of its license. To measure this, the Authority performs a base level of primarily off-site monitoring of all insurers known as fundamental monitoring. This includes an annual review of the company’s annual statutory returns, as well as the Authority’s ongoing assessment of other information received, such as published financial statements, corporate press releases, etc.
Fundamental monitoring also includes an annual review of the annual statutory returns, as well as the Authority’s ongoing assessment of other information received.
Either the Authority or the company may initiate visits. The Authority initiates prudential visits to establish or maintain relationships with key management. The meetings begin with senior management, and include other levels of management as necessary to obtain a high-level understanding of the risks the organisation faces.
Topics for discussion may include: corporate strategic initiatives and other significant company developments; current issues facing the industry; other factors of concern to management or the BMA; and follow-up on areas of concern previously identified.
The Authority’s enhanced monitoring process may be conducted off-site and on-site; both are integral at this stage.
Off-site work includes the review of company documents that are publicly available as well as non-public documents and other information derived from requests provided to the Authority.
On-site reviews, when deemed necessary, begin with desk-based work. On-site review work provides an opportunity for corroboration and the clarification of points arising from the desk-based work. On-site work typically involves, but is not limited to, discussions with high level personnel and may include additional work performed at the insurer’s offices, such as interviews, tests and walk-throughs. Reliance may be placed on the work of others such as actuaries, loss reserve specialists and internal/external auditors.
Composite Risk Rating
The Authority summarises all the data gathered in the preceding phases to form a composite risk rating applicable to the company. Although the rating is not considered in isolation, it is a prima facie indicator of the risk level associated with the company.
Supervisory Attention Ranking
The nature and extent of regulatory action required is determined by the Supervisory Attention Ranking, which originates either from the Composite Risk Rating, or from other information brought to the BMA’s attention (such as non-compliance).
Supervisory action may fall into one or more of several categories: fundamental, enhanced, oversight, mandated improvement, or restructuring, depending on all the information to hand. The selection of the classification is guided by particular combinations of risk likelihood (derived from the Composite Risk Rating) and impact (derived from the Impact Group).
The Authority must ultimately make a subjective decision as to the appropriate course of action and appropriate allocation of resources. The greater the level of risk detected, the more supervisory review that is required; such is the fundamental nature of the risk-based approach.
Reports are prepared and reviewed within the Authority that address concerns and issues that may warrant corrective action. Regulatory concerns identified must be addressed within a specified period. Reports are linked to areas of concern identified during earlier stages of the risk-based framework.
The Authority ensures at this final stage that all necessary actions have been taken to complete the risk-based review of the subject company.