An insurance company shall establish suitable risk management policies and procedures, which shall be passed by the board of directors and be regularly reviewed.
An insurance company shall establish an independent risk management task force and regularly report to the board of directors; upon identifying a significant risk exposure that might adversely affect its financial or business status or compliance with applicable acts and regulations, it shall take immediate and adequate countermeasures and submit a report to the board of directors.

The risk management mechanisms of an insurance company shall include the following principles:
1. Identifying and evaluating the acceptable scope of risks based on the business scale, product characteristics, and overall economic conditions.
2. Risks that must be considered include market risks (including interest rate risks), credit risks, liquidity risks, operational risks, insurance risks, asset liability matching risks, and other risks. Related risk management mechanisms shall also be established.
3. The management must regularly review the risk management mechanism and the own risk and solvency assessment (ORSA) mechanisms in accordance with relevant laws and regulations, self-regulatory guidelines, and actual economic conditions, and adopt appropriate strategies
An insurance company shall consider the nature, scale, and complexity of its business risks based on its risk management framework and develop ORSA operation processes that are suitable for its organizational structure and risk management system.

The risk management mechanisms established by an insurance company shall include at least the following matters:
1. The risk management framework shall include risk governance, risk management organizational framework and duties, risk identification, risk measurement, risk response, risk monitoring and information, communication, and documentation.
2.The risk management mechanisms shall incorporate the business management and corporate culture of the insurance company, which adopts qualitative and quantitative technologies in accordance with the risk management policies it established to manage relevant risks that can be reasonably anticipated by the insurance company.
3. The insurance company shall set its risk appetite and specify the risk level it is willing to accept to attain strategic objectives and business plans. It must also set main risk limits for regular monitoring and management.