Machine Translated by Google

REF.: Principles of corporate governance and risk management and internal control systems.

GENERAL RULE N°3 Q g

20 JUN 2011

To all insurance and reinsurance entities

This Superintendency, in use of its legal powers, especially those conferred by letter b) of article 3 of DFL No. 251 of 1931 and letters a) and d) of article 4 of DL No. 3,538 of 1980, and without prejudice to the provisions of the legislation on corporations and the securities market (Laws 18,046 and 18,045), has resolved to issue the following instructions on principles of corporate governance and risk management and internal control systems in insurance and reinsurance entities.

I. Introduction.

In order to better fulfill its mission as supervisory body of the insurance market in Chile, the Superintendency has in recent years carried out a review of its supervision systems. Based on the analysis of international experience and recommendations on insurance regulation, especially those of the IAIS (International Association of Insurance Supervisors), the OECD (Organization for Economic Cooperation and Development), the World Bank and the International Monetary Fund, the Superintendency decided to modernize its supervisory approach by adopting a risk-based supervision model.

The effectiveness of an insurer's corporate governance is an essential element of its proper functioning. Effective oversight of an insurer's business by its board of directors is also important for maintaining an efficient regulatory model, because it allows the supervisory authority to take the institution's internal processes into account and to focus its supervisory effort where it is needed.

Additionally, when an insurer experiences problems, or when corrective actions are necessary, the role of the board is even more important and calls for significant involvement in the search for solutions and, depending on the nature of the situation, in the adoption of the pertinent corrective actions.

In this context, this standard establishes principles and good practices of adequate corporate governance and of risk management and internal control systems in insurance companies. Although their implementation may take different forms in different companies, these principles and good practices will serve as the basis for the evaluation of the quality of corporate governance that the Superintendency will carry out within the framework of the new risk-based supervision model. The evaluation of the quality of corporate governance will be considered by the Superintendency when defining its policies, plans and supervision priorities with respect to each insurer.

The principles and concepts of corporate governance set out in this standard will be weighted in the Superintendency's evaluation according to the reality of each company, recognizing the nature, scope, complexity and profile of its business. Accordingly, and as already indicated, the application of these principles or concepts may take different forms in each insurer, which the Superintendency will take into account in its evaluation.

II. General concepts.

Corporate governance, broadly defined, is the system through which an insurer governs itself. This includes, among others:

• Corporate culture (values, ethics, the ease with which employees communicate concerns or report irregularities, etc.);
• The corporate structure (board of directors, senior management, functions of the business areas, etc.);
• Policies and essential documentation of internal governance (bylaws, organizational rules, codes of conduct, committee mandates, etc.);
• The strategy, policies, internal control and risk management procedures; and
• The decision-making process and the actions linked to the concepts mentioned above.

Corporate governance defines roles, responsibilities and accountability. It clarifies who has the duty and the power to act on behalf of an insurer and under what circumstances. It sets out the requirements to document decisions and other actions, and to inform stakeholders of the insurer's actions and their rationale. It provides sanctions for non-compliance or for poor oversight, controls and management. Corporate governance, therefore, deals with the allocation and regulation of power and accountability in insurance companies.

In the appointment of directors, minimum requirements of technical and moral suitability should be considered. These requirements point, on the one hand, to the need for directors with the professional qualifications and experience necessary to understand the complex technical issues of the insurance business and to assess the company's level of risk exposure and the quality of its risk management systems. On the other hand, requirements of integrity and past conduct in business must be considered, which guarantee transparent, objective and independent performance by the members of the board, free from possible ethical questions. It is also important to consider specialized training policies for board members, so that they remain informed and up to date on developments in the insurance activity.

Likewise, specific mechanisms should be considered to evaluate the performance of the board of directors. In this context, it should be noted that the professional profile and experience of the directors need not be homogeneous; what matters is that the board as a whole has an adequate combination of knowledge and experience that favors its collective effectiveness and good performance. These performance evaluation mechanisms should be applied periodically, and through them any weaknesses or gaps in knowledge and experience that must be corrected for better management of the company should be identified.

Sound governance requires that the insurer's board of directors clearly define roles, responsibilities, decision-making processes and the delegation of functions. This definition must be explicit and must be included in the organization's formal documents. The delegation of powers defines the role of each unit or function, including the control and risk management, internal audit, compliance and other functions. It also describes the tasks delegated to board committees. However, it must be kept in mind that although some powers may be delegated, the board of directors remains ultimately responsible for the success or failure of the insurer.

The board of directors may delegate some of its tasks to committees made up of directors and company executives or outside advisors. By allowing a small group of board members to focus on and specialize in specific areas, the efficiency of the board can be increased.
The board committees are usually the following:

• Audit committee
• Remuneration committee
• Ethics and/or compliance committee
• Risk management committee
• Investment or ALM committee
• Technical committee (including reinsurance)
• Disclosure committee
• Governance committee
• Human resources committee
• Strategic development committee

The committees that the board establishes to promote effective governance will depend on the size, nature, complexity and risk profile of the insurer. The board of directors must clearly define the mandate, authority and responsibilities of each committee it establishes, as well as its composition and general working procedures. It must also ensure that the committees act with sufficient independence, especially on matters in which conflicts of interest may arise.

The following sections go into more depth on the role and functions of the board of directors and on the principles that should guide the company in terms of risk management and control systems, reinsurance, disclosure and transparency, the relationship with policyholders and interaction with the supervisor.

III. Role and Functions of the Board of Directors.

The board of an insurance company should consider among its functions and responsibilities at least the following matters:

1. Establish and monitor the adequate implementation of the insurer's general strategies and policies, including:

• Strategic direction and market positioning.
• Business lines and the introduction of new products.
• Acquisitions and strategic alliances.
• Organizational structure.
• Intragroup business and transactions (related companies or persons).
• Risk management, including the insurer's risk appetite and profile.
• Pricing, underwriting, technical reserves and reinsurance.
• Internal control systems, including the internal audit, compliance and actuarial functions.
• Investments, asset and liability management and the use of derivative products.
• Remuneration and compensation.
• Evaluation of capital needs and solvency position.
• Customer service and the handling of claims and complaints.

Strategies and policies must be established in writing and always be subject to prior approval by the board of directors. They should likewise be reviewed at least annually and adapted in light of any significant change in the internal or external environment.

2. Establish and monitor the proper implementation of a reliable, complete and timely internal information system that supports effective decision-making by the board of directors and adequate monitoring of senior management.

To fulfill its function, the board must be well informed about all the relevant variables of the company's business. It is the duty of the board of directors to request any information not contained in the insurer's internal reports that it deems necessary to carry out its functions, including obtaining independent external advice to improve decision-making and its monitoring. Externally generated reports, such as the report of an external auditor or actuary, provide valuable information to the board and allow it to support its judgments more objectively and independently of the company's senior management.

Insurers must develop information systems to monitor the risks to which the insurer is exposed, in an appropriate format, including information on the group to which they belong, where applicable. The essential value of an internal information system depends not only on what is reported, but also on the extent to which board members consider and understand that information, and on the independence and willingness of the board members to use and question it when making their decisions.

3. Approve a code of ethics and standards of conduct for the entire organization, taking into account what is indicated in No. 4 of Title IV, which considers, among other topics:

• The obligation to comply with laws and regulations.
• The obligation to comply with the insurer's strategies and policies.
• The effort to avoid conflicts of interest and, if they arise, a mechanism for their resolution. The members of the board of directors and senior management should avoid carrying out other tasks in which their interests and duties may conflict with their duties to the insurer.
• Communication channels that make it easier for employees to report a possible violation of laws or regulations, or potential fraud, both internal and external, with appropriate measures to protect employees who report anomalies from retaliation.
• Promotion of fair treatment of policyholders and company employees.
• Communication and information mechanisms with the different stakeholder groups, including shareholders, policyholders, employees, supervisory bodies and others, within the current legal and regulatory framework.

4. Establish remuneration and compensation policies for the company's senior management that are consistent with prudent risk management policies and do not encourage excessive risk-taking, and monitor their proper operation and compliance. Also approve the general guidelines for the remuneration policy of the company's employees. Remuneration and compensation policies should:

• Reflect performance over a time horizon, avoiding rewards only for short-term results.
• Reflect both individual performance and the insurer's performance.
• Promote and comply with all laws and regulations applicable to the insurance activity.
• Promote prudent risk behavior within the organization, consistent with the best interests of shareholders, policyholders and the general public, for example by establishing bonuses or incentives that are tied to the risks assumed.

5. Establish selection and evaluation procedures for senior management, in line with the functions defined by the board. To do this, the board should:

• Establish procedures for the appointment and removal of executives. The removal of an executive, including the company's actuary, must always be reported to the Superintendency, which may request further information on the matter, both from the insurer and from the removed executive.
• Establish qualification and experience requirements appropriate to the responsibilities of each position. Directors must ensure that company executives have the skills, knowledge and professional experience necessary to carry out their work.
• Establish mechanisms to regularly evaluate their performance. The evaluation of senior management's performance should consider aspects such as leadership, teamwork, human resources management and prudence in decision-making. The board's evaluation should also extend to other people who perform relevant functions in the management of the company, even when they are not employees of the company (for example, key advisors).

The board of directors must maintain a position of independence and authority vis-à-vis the management carried out by senior management. In this sense, it may be advisable for the board to meet without management present on specific matters, for example when management's performance is evaluated or in meetings with staff or external parties involved in key control functions (for example, auditors and actuaries). The authority and oversight capacity of the board is strengthened when:

• Within the board, independent points of view are encouraged and received openly.
• Directors have the necessary knowledge and devote enough time and dedication to fulfill their duties.
• Directors analyze management's decisions and hold it accountable for results, rather than readily approving its recommendations.

IV. Risk Management and Control Functions.

It is essential that the insurer properly understand the risks to which it is exposed, including the sources and types of risk, their interrelationships and their potential impact on the business. It is therefore important that the insurer has implemented:

• Solid and efficient mechanisms for risk identification, evaluation, quantification, control, mitigation and monitoring.
• Appropriate systems and procedures that ensure compliance with internal strategies and policies, and with the laws and regulations to which the company is subject.
• Appropriate internal controls to ensure compliance with risk management and compliance policies.
• An internal audit function capable of reviewing and evaluating the sufficiency and effectiveness of its internal controls, and of reporting on its strategies, policies and procedures.

It is the responsibility of the company's board of directors to verify that these functions are established and operate effectively, and to supervise their performance. The board should ensure that these functions are independent, have sufficient authority to carry out their responsibilities, and have direct access to the board. To do this, it must review and understand their reports, become familiar with their work, and closely follow the issues that emerge from their findings. In this task the board of directors may rely on the work of external consultants, such as external auditors, independent actuaries and risk rating agencies.

The principles that should govern these functions are analyzed in greater detail below.

1. Risk Management.

A strong risk management system is a key component of good corporate governance in the insurer.
The risk management process helps the insurer to understand the nature and importance of the risks to which it is exposed and to manage them appropriately. Risk management systems comprise the strategies, processes and reporting procedures that identify, assess, quantify, control, mitigate and monitor risks. The insurer must have its risk management systems integrated into its organizational structure, decision-making process and organizational culture.

Risks may arise from direct exposure through the insurer's operations or from exposure derived from its membership in a business group. In either case, the company must be in a position to identify all the significant risks it faces, assess their potential impact, and implement policies to manage and mitigate those risks effectively. Companies should review their policies and practices regularly to ensure that they remain appropriate in light of changes in their environment and of how those policies and practices have operated.

The board of directors is responsible for ensuring that the risk management system is adequate, effective and proportional to the insurer's business, and for overseeing its correct implementation. This includes a regular review of strategies and policies relating to risk management. In this sense, the board should:

• Have a general understanding of the types of risk to which the insurer may be exposed and of the techniques used to measure and manage those risks.
• Review and approve the company's general risk philosophy and risk tolerance level.
• Review and approve the policies for acceptance, monitoring, management and reporting of all significant risks to which the company is exposed. A risk management policy must be consistent with the overall business strategy and consider objectives, basic principles and the designation of those responsible for the processes contemplated.
• Require that management have a capital management system (1) that allows the company to determine a level of capital according to the risks assumed, and ensure that capital management strategies are correctly implemented.
• Require that management have an adequate and timely system for reporting to the board on the risks faced by the institution, the procedures and controls established for those risks, and the general effectiveness of the risk management processes. The board must have an information system that allows it to be promptly informed of any exception to the company's risk policies and of the consequences that such a situation may have for the company.
• Ensure that risk management activities within the institution have sufficient independence, resources and authority to carry out their function, that they have access to all information that may be relevant, and that they are subject to periodic reviews of their effectiveness. In this regard, it is important that the risk management function has direct access to the company's board.
• Consider, in each decision to change the company's business strategies, including corporate strategy, mergers and acquisitions and important projects and investments, an analysis of the risk associated with those decisions and a review of the adjustments to the risk management systems that may be necessary in view of the company's new operating scenario.

(1) For the purposes of this standard, capital must be understood in a broad sense, as the company's equity.

As already indicated, the proper functioning of the company's risk management system is key to adequate corporate governance. In this regard, some relevant elements that should be taken into account when establishing the risk management function in the insurer are the following:

a) Risks to consider. All categories of material risk must be considered, including at least underwriting risk and the adequacy of technical reserves, market risk, credit risk, operational risk and liquidity risk. In addition, the risk analysis should give special consideration to the risk associated with investing in complex instruments, particularly derivatives and structured products; the risk arising from inadequate reinsurance policies and from non-performance by the reinsurer; the risk of contagion derived from the insurer's membership in a business group; and reputational risk.

b) Subdivision of the function. If the function is divided into "sub-functions", for example by risk category, these sub-functions must report to a common point that aggregates and validates reports and is capable of forming an overview of the risk management system at the company level.

c) Asset and liability management. Asset-liability management (ALM) involves making business decisions regarding assets and liabilities in a coordinated manner, reflecting the company's exposure to risk derived from its asset and liability position and from variation in their economic values. Insurers should have written ALM policies and establish the obligations of those involved in the asset and liability management process. When new products are introduced, insurers must carefully consider their effect on ALM.

d) Stress tests. It is good practice to stress test risks and solvency, as well as capital needs. This makes it possible to evaluate the insurer's capacity to withstand a series of possible future events, such as changes in economic conditions, that could have unfavorable effects on its overall financial situation.

e) Contingency plans and continuity of operations. An insurer should analyze its ability to continue operating and the financial and management resources necessary for this purpose. To this end, the insurer must use appropriate systems, resources and procedures.
Contingency plans are developed for the risks to which the insurer believes it may be exposed and that may affect its business continuity. For example, contingency plans may be developed for scenarios such as natural disasters, a terrorist attack, a fire, a computer system failure, a pandemic, or the death or disability of key members of management. The continuity management approach and each contingency plan should be communicated to the relevant personnel and the necessary training provided to them. Plans should be rehearsed and updated on a regular basis to maximize their relevance and effectiveness.

f) Risk ratings. The information provided by risk rating agencies is widely used by insurers in their risk management systems, especially for credit risk management and reinsurance. However, to avoid over-reliance on the evaluations of rating agencies, the insurer must carry out its own risk evaluations and must not make investments or other relevant decisions for the company based exclusively on the information provided by those entities.

2. Internal Control.

Internal controls encompass the policies, procedures, culture, tasks and other aspects of a company that support the achievement of institutional objectives. This facilitates the efficiency of operations, contributes to effective risk management, assists compliance with laws and regulations, and strengthens the ability to respond appropriately to business opportunities.

The board of directors is responsible for establishing and monitoring the proper implementation of a good internal control system. As part of this responsibility, the board should regularly review the internal control system at a high level to determine that it is working as expected and that it continues to do so. Useful inputs for this review include:

• Management reports on the operations and financial condition of the institution, the performance of risk management and other control systems during the period under review, and any significant breach of controls, of the institution's code of conduct, or of laws and regulations.
• Opinions of the internal and external auditors and of the risk rating agencies on the adequacy of the company's control system as a whole and for individual business activities, and recommendations for its improvement.
• Reports on compliance with regulatory capital and solvency requirements, and actuarial reports on the value of insurance liabilities and the current and future solvency position of the insurer.
• The audit report on the financial statements and other reports of the external auditor, including the auditor's letter to management.
• Specific reports requested by the company's board of directors from internal auditors, external parties and legal advisors.
• Reports or communications from the regulator regarding compliance with regulation and the evolution of the company's solvency position.

The board should ensure that management takes prompt action to correct any material control issues that emerge from these reviews, that there is a process in place to track progress in correcting deficiencies, and that it proactively considers whether deficiencies identified in one area may also appear in others.

3. Internal Audit.

Insurers should have a specialized internal audit function that is independent of the operational functions and that ideally reports directly to the company's board of directors. Internal audit allows the board of directors to verify, with reasonable assurance, the level of adherence to the policies and processes it has defined and the operation and effectiveness of the internal control systems. To be effective, the internal audit function requires adequate resources and competent, well-trained staff.

The tasks of the internal audit function include:

• Create, implement and maintain a risk-based audit plan to examine and evaluate the effectiveness of the insurer's reporting systems, internal controls, processes and procedures. The internal audit plan should be presented to the board for approval.
• Ensure that all material areas of the insurer's activity are audited within a reasonable period of time.
• Report findings and recommendations based on the results of the work performed, and verify subsequent compliance with the recommendations.

To ensure the independence of the internal audit function, its main findings and recommendations must be reported directly to the board of directors. At a minimum, the internal audit function should report any material shortcomings in compliance with the insurer's internal strategies, policies and procedures, and any weaknesses in the risk management systems, internal control systems, compliance and other control functions of the company. The internal audit function must make recommendations on how to remedy the weaknesses detected and report the extent to which past audit recommendations have been implemented.

The internal audit function and the audit committee must have the power to obtain any information relevant to the performance of their tasks. This includes the timely provision of all necessary information, the availability of all supporting documentation, and the ability and authority to enter and observe the insurer's relevant activities and processes. Those who perform this function must be able to communicate with any member of the company's staff and executives. The internal audit function must establish its audit plans and perform its tasks objectively and independently of the operational functions.
To ensure its independence, the internal audit function should not have other operational functions in the insurer. The company's policies regarding the internal audit function must be in writing and cover at least the objectives and scope of the function, its place in the company's hierarchical structure, and the responsibilities, competencies and powers granted to the personnel who carry out this function and to the audit committee. Written policies must be approved by the board and reviewed at least annually.

4. Compliance.

To ensure compliance with its obligations under applicable laws and regulations, promote an ethical corporate culture and ensure proper corporate governance, an insurer should always have a compliance function. The compliance function creates, implements and maintains strategies, policies, procedures and training programs appropriate to this objective. These efforts must encompass all the insurer's personnel and executives, and the function must have the necessary resources, authority and independence.

The activities of this function are designed not only to minimize non-compliance, but also to enhance the insurer's ability to make sound decisions consistent with the company's legal obligations and ethical values. These activities also contribute to a good relationship with the supervisor and can help reduce the insurer's legal risk.

The tasks of the compliance function include:

• Evaluate the laws and regulations that may be applicable to the insurer, and changes to them that may have an impact on the company's operations.
• Perform non-compliance risk analysis.
• Ensure compliance with the regulations and policies for the prevention of money laundering and the financing of terrorism.
• Develop, for the board's approval, a code of conduct, and manage its correct application.
• Design and administer controls, procedures and policies in the matters within its scope.
• Create communication and training strategies to raise staff awareness of the importance of the compliance function and of ethics, as well as employee awareness and competency in specific areas of legal and regulatory obligations.
• Implement mechanisms to promote and facilitate reporting by employees of compliance matters and potential violations of regulations or legal obligations, of the company's codes of ethics or values, and of potential fraud, both internal and external. These mechanisms must be accompanied by a policy of non-retaliation against employees who report in good faith.
• Design ways to detect, investigate and address any deficiency or violation in compliance, and provide support and training to employees regarding their specific obligations under applicable laws, regulations and procedures.
• Regularly review the proper functioning of the compliance system and generate periodic reports for the board on its overall functioning, as well as on specific issues or breaches detected.

For the compliance function to operate effectively and fulfill its purposes, it must be performed by a high-level executive of the company. It is up to the board of directors to appoint the company's compliance officer and to verify that he or she has the authority to examine any problem or potential violation, as well as to create the appropriate means to prevent and manage them. The compliance function may be combined with other functions, provided that no conflicts of interest arise and that measures are taken, through additional control procedures, to ensure its independence from the operational functions of the business. In this sense, the board of directors must ensure that the method for determining the compliance officer's compensation does not compromise his or her objectivity and independence.

The board may choose to create a compliance committee. The responsibilities of the compliance committee include oversight of the compliance function, reporting to the board on compliance issues, monitoring whistleblowing activity and potential violations, and communicating policies on the importance of compliance to the members of the company's board of directors and personnel. When the insurer creates a compliance committee, that committee must be objective and independent and have the necessary authority to obtain the information relevant to its functions.

V. Actuarial function.

Actuaries have specific roles and functions within the insurer, usually directed to the evaluation of technical risks, the calculation of insurance rates, the definition of underwriting and reinsurance policies, and the calculation and analysis of the adequacy of technical reserves. Actuaries have an important role in the information and advice they provide to the board, so the board should receive information directly from the actuarial function.

For the actuarial function to properly fulfill its role in the insurer and effectively support the work of the board of directors, the following principles must be considered:

a) Qualification of the actuary. Management must ensure that those who perform the actuarial function in the insurer meet minimum qualification requirements for the function, for example studies and professional qualifications and a minimum number of years of work experience in actuarial functions, in accordance with the company's insurance business. It is also desirable that actuaries be members of a professional association recognized by the International Actuarial Association (IAA).
Membership in an association recognized by the IAA means that the actuary is bound by an ethical code of conduct and by minimum requirements regarding knowledge and technical experience.

b) Access to information. In order to fulfill his or her function, it is convenient for the actuary to have access to information on the business policies, products and activities of the insurer. Therefore, the actuary should:
• Be able to participate in meetings of the board of directors, the actuarial committee and senior management, as appropriate, in which matters relevant to his or her work are discussed.
• Have the authority to interview personnel in divisions that produce work relevant to the functions of the actuary.

c) Independence. The actuary has a key role in evaluating the quality of an insurer's management and must maintain a position independent from the company's operating lines, avoiding potential conflicts of interest. Therefore, when defining the role of the actuary in the insurer, the board of directors should:
• Agree on the hiring of the company's actuary. The actuary should be an employee of the insurer, involved in and informed about all matters relevant to its business activity.
• Establish mechanisms so that the actuary reports directly to the board and his or her technical opinion is not subject to considerations related to the financial results of the insurer or to others outside his or her duty of objectivity.
• Prevent the actuary from performing other functions in the company that may generate conflicts of interest. For example, the actuary should not simultaneously be a finance manager or have commercial responsibilities such as sales or marketing.
• Know and eventually participate in the evaluation of the performance of the actuary, and authorize his or her dismissal. For this purpose the board of directors may rely on the report of an external actuary.

VI. External audit.
It is the responsibility of the board of directors that the financial statements of an insurer adequately reflect the financial situation of the company. The primary role of an external auditor is to express an opinion on whether the financial statements have been prepared in accordance with the applicable financial reporting framework. Because the external auditor is independent of the board and management, this opinion helps establish the credibility of the statements, so that not only supervisors can rely on them, but also shareholders, policyholders, risk rating agencies and tax authorities, among others.

The involvement of the actuarial function and other functions in the preparation of the insurer's financial statements does not reduce the responsibility of the board of directors to produce reliable financial statements, nor the responsibility of the external auditor to express an opinion on them.

When auditing the financial statements of an insurer, the external auditor must review the technical reserves established by the actuary, and in particular verify that they are based on reliable data and calculated using an acceptable methodology. Because the calculation of these reserves requires specialized knowledge, methods and techniques, audit firms should employ actuaries for this task, which will allow the external auditor to reach an informed conclusion on the adequacy of the insurer's technical reserves.

External auditors need specialized knowledge to audit an insurer's financial statements. Adherence to international auditing standards, together with adequate quality controls and policies to avoid conflicts of interest, helps ensure the quality of external auditors. Effective oversight of the auditors by the insurer's audit committee also helps ensure the quality of their work.
The board of directors must ensure that the company's external auditors have the knowledge, experience and professional teams appropriate to the nature, size and complexity of the insurer's business. The external auditor must act independently, and his or her professional judgment must not be influenced by the company's management or board of directors. The board of directors or its audit committee must permanently ensure the independence of the external auditor and, when necessary, recommend its replacement to the shareholders' meeting. In this sense, a policy of rotation of the work teams and of the audit firm may be recommended.

The board of directors or its audit committee must regularly evaluate the performance of the external auditors, considering, among other aspects:
• The definition of the policies for auditing the financial statements.
• The scope of the audit plan: that it is appropriate, based on risk, addresses the main areas of concern, and is reviewed with appropriate frequency.
• The skills and resources of the auditor, taking into account the risks and complexities of the insurer.
• Holding meetings with the external auditor, without the presence of management, to monitor whether problems may be arising between the auditor and management in the course of the audit and to see how these problems can be resolved.
• The analysis, with senior management and the external auditor, of the results of the audit, the financial statements and related documents, the audit report, and any other related information, with special attention to the observations or objections that the external auditor may have, permanently ensuring that the financial statements accurately reflect the financial position of the insurance company.

VII. Reinsurance function.

Insurers take on risks from their policyholders and, as a way to mitigate and manage these risks, they take out reinsurance.
Reinsurance reduces the insurer's exposure to risk, stabilizes its financial position, favors a more efficient use of capital, and expands its business capacity. Reinsurance allows the insurer to maintain a prudent risk profile in line with its risk tolerance level.

Considering the foregoing, the reinsurance function is a fundamental part of the insurer's risk underwriting activity, and therefore every insurance company should have a reinsurance policy, approved by its board of directors and appropriate to its risk profile. The reinsurance policy must be consistent with the company's risk underwriting policy. In the policy defined by the board of directors, particular attention should be given to the underwriting and reinsurance of catastrophic risks, or of insurance contracts that by their nature represent a large risk exposure for the insurer. The board of directors must periodically review the reinsurance policy, and especially when there are changes in the company's situation, in its risk underwriting strategy, or in the solvency situation of its reinsurers.

The reinsurance strategy must consider at least procedures to:
• Define the reinsurance program to be contracted, the general limits of net retention or aggregate exposure by type of business, and the collateral or safeguard requirements demanded from the reinsurer.
• Select reinsurers, including diversification policies and the evaluation of their capacity and willingness to meet their contractual obligations (credit risk). This evaluation must be carried out independently of any intermediation through reinsurance brokers.
• Define how the reinsurance programs will be monitored, for example, the applicable reporting and internal control systems.
• Ensure that applicable legal and regulatory requirements are met.
The board of directors must ensure that there are adequate internal control systems that guarantee that the underwriting of risks is carried out in accordance with the defined reinsurance policies and that the planned reinsurance coverage is effectively in place.

It is the responsibility of the board of directors that the insurer maintain an adequate system for evaluating the quality of its reinsurers. The nature and extent of this evaluation may vary depending on the type and importance of the relationship with the reinsurer. The evaluation of the reinsurer may be supported by third parties, such as reinsurance brokers, risk rating agencies and specialized publications, but the information that these entities provide does not replace the analysis that the insurer must carry out itself. Overdependence on the information that these entities deliver must be avoided. The basic sources of information that should always be analyzed are the financial statements published by the reinsurer and the reports issued by its regulators.

VIII. Relationship with the Controlling Group.

The relationship of the company with the entities of its controlling group, whether national or foreign, must be transparent and sufficiently disclosed, both internally (executives and employees of the company) and externally (Superintendency, external auditors, risk rating agencies, policyholders and the general public). The company's board of directors and senior management must have an adequate understanding of the business, operations and risks associated with the company's controlling group, and in particular they must be aware of any risk of contagion from the group to the company. Risk monitoring and control systems must be maintained in the company, so as to be able to identify and mitigate, in a timely and independent manner, the contagion risks derived from the controlling group.
The board of directors and senior management of the company are responsible for the stability and good performance of the insurer. The relationship with the company's controlling group does not reduce, nor should it affect, the fulfillment of that responsibility.

IX. Disclosure and Transparency.

Public disclosure to the market contributes to good corporate governance in several ways. On the one hand, it allows the comparison of governance practices, which helps identify those insurers that use the best practices and in turn can encourage the market to adopt them, insofar as companies that do not disclose the same quantity and quality of information as their competitors would be penalized by the market. On the other hand, published information showing poor performance, potential mismanagement or other shortcomings can be used to hold the board and senior management accountable for their decisions and for the insurer's performance. Transparency, in other words, makes the company's board of directors more committed in its decisions to its legitimate stakeholders and therefore favors better governance.

In order to ensure that all necessary information is being disclosed, as well as any other information that may benefit its stakeholders, the information disclosed must be timely, reliable, relevant and sufficient. For these purposes, the board of directors must approve and supervise general disclosure strategies and policies, which consider:
• The information to be disclosed.
• The means of disclosure.
• The frequency and updating of the information disclosed.
• The control process associated with the disclosure, including the means to ensure its quality and sufficiency.

X. Relationship with the Insured.

Policyholders are an important part of the insurer's stakeholders. Insurers must consider the interests and rights of policyholders in their corporate governance structures.
Striking a balance between the duties of board members to shareholders and to policyholders is a key responsibility of the board of directors. The board must consider policyholders and other creditors in its decisions and in the definition of policies. The board must provide adequate oversight of the insurer's market conduct activities.

The insurer must make a special effort to provide policyholders with information that is pertinent and appropriate to their needs, and to do so in a way that is understandable to them. It should also ensure that the insurance the policyholder takes out is suitable for his or her particular situation. Policyholders must have access to adequate mechanisms for inquiries and claims with the insurer. In this context, insurers must establish specific policies and procedures for this purpose, including the creation of a unit responsible for handling customer claims and resolving disputes. The identification and analysis of policyholder claims should lead insurers to improve their business practices. Policyholders must be well informed and have an adequate understanding of the insurance products they contract and of the insurer's claims handling procedures.

XI. Interaction with the Supervisor.

Strong corporate governance is essential to running an insurer, and therefore assessing the quality of that corporate governance is a key component of the supervisory model. Effective corporate governance gives greater assurance regarding the work and judgment of the insurer's board of directors, its senior management and control functions, and its risk management. When evaluating the quality of corporate governance in insurance companies, the supervisor seeks, among other matters, to:
• Determine whether the insurer has effectively adopted and implemented sound corporate governance policies and practices.
• Analyze the suitability and preparation of the members of the board of directors.
• Analyze the performance of the boards (for example, review the minutes of the board and its committees, make inquiries and ask relevant questions, set expectations for supervision).
• Regularly assess the quality of the insurer's internal reporting and of its risk management, audit and control functions.
• Evaluate the quality of the financial and technical information on its operations presented to the Superintendency and to the general public.
• Assess the effects of the insurer's group structure.
• Evaluate the sufficiency of governance processes in the area of crisis management and business continuity.
• Require vigilance and clear accountability for the relevant functions contracted with third parties (outsourcing), as if those functions were performed internally by the company and subject to normal internal control standards.
• Require the insurer to have internal audit functions in place, of a nature and scope appropriate to the business. This includes ensuring compliance with all applicable policies and procedures, as well as reviewing whether the policies, practices and controls of the insurer continue to be sufficient and appropriate for its operation.
• Submit to the board of directors and senior management the problems or deficiencies detected through its supervisory activities.

XII. Validity and application.

This rule becomes effective as of this date.

Temporary Provision.

Insurers must conduct a self-assessment of the degree of adequacy of their current corporate governance structures with respect to the principles established in this standard, and inform the Superintendency whether, as a result of this analysis, the insurance company will or will not make changes to its corporate governance. If it decides to make such adjustments, it must send the plan it has defined for this purpose together with the aforementioned communication. This communication must be sent to this Superintendency no later than December 31, 2011.
The self-assessment and, if applicable, the corporate governance adjustment plan must be approved by the company's board of directors.

FERNANDO COL SUPERINTENS