Office of the Superintendent of Financial Institutions (OSFI) - Enterprise-wide Risk Management (ERM)
Michele Bridges, Managing Director of Finance and Corporate Planning
Financial Management Institute
November 23, 2010
What is OSFI?

The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada established in 1987. OSFI supervises and regulates federally registered banks, insurers, trust and loan companies and private pension plans that are subject to federal oversight.
OSFI's Mission Statement

We are the primary regulator of federal financial institutions and pension plans. Our mission is to safeguard policyholders, depositors and pension plan members from undue loss. We advance and administer a regulatory framework that contributes to public confidence in a competitive financial system. We also provide actuarial services and advice to the Government of Canada. We are committed to providing a professional, high quality and cost effective service.
About OSFI

- Approximately 550 employees.
- Offices located in Ottawa, Toronto, Montréal, and Vancouver.
- The Office is comprised of the following sectors: Supervision, Regulation, Corporate Services, and the Office of the Chief Actuary (OCA).
- The Superintendent (Julie Dickson) is the head of OSFI.
- The OCA is headed by the Chief Actuary, and all other sectors are headed by an Assistant Superintendent.
ERM Overview

What is risk? Risk is any event that could impair our ability to achieve our objectives.

- "Risk" and "could" are future-oriented words.
- Risks can be external or internal (i.e. operational risks).
- Objectives: we need to be clear about our objectives, and objectives cascade down through the organization.
ERM Overview (continued)

Imagine if you will:
1. Both top-down and bottom-up communication exercises (senior management communicates its concerns to staff, as well as an annual deep-dive exercise where staff provide input to detailed risk assessments).
2. Staff meet to agree on their concerns.
3. Concerns are consolidated.
4. Some risks are found not to be adequately controlled.
5. Close the control gaps.
= ERM
ERM Overview (continued)

ERM Framework
- Conceptually, ERM is quite straightforward. The devil is in the detail of implementation.
- The ERM framework is built through understanding key ERM concepts.
ERM Overview (continued)

Why implement ERM?

Our environment
- Rapid and complex change.
- Infinite choices of where to commit resources, but scarce resources.
- Informal methods don't cut it any more.

ERM benefits
- Better prioritization of work and resource allocation (i.e. better planning).
- Basis for improved reporting.
- Better management.
ERM Overview (continued)

Why implement ERM? (continued)

Government of Canada compliance. Treasury Board Secretariat (TBS) risk management related policies and guidelines:
- Integrated Risk Management Implementation Guide
- Integrated Risk Management Framework
- Policy on Active Monitoring
- Risk Management Policy
- Policy on Internal Control
- TBS Management Accountability Framework (MAF): departments and agencies are rated on their risk management practices.
ERM at OSFI

Implementation timeline: ERM was rolled out at OSFI in June 2005.

Then:
- Annual formal risk assessments.
- Bottom-up approach.
- Executive oversaw the process but had no direct involvement.

Now:
- Quarterly risk assessments.
- Top-down approach.
- Bimonthly discussions with the Executive Committee.
- At the annual planning meeting, the Executive agrees on ERM results prior to finalizing OSFI priorities.
ERM at OSFI (continued)

OSFI ERM Management Policy
- Prescribes the scope and effective date of the policy.
- Outlines the roles and responsibilities of: the Superintendent and Executive Committee; the Risk Management Function; Assistant Superintendents; Sector Risk Coordinators; and Internal Audit.

OSFI ERM Framework
- Sets out the risk management process, including details on performing risk assessments.
- The approach is now more dynamic and top-down, and includes bimonthly discussions with the Executive Committee on risks.
ERM at OSFI (continued)

Roles in ERM
- Risk Coordinators conduct risk assessments and document results in Sector and Divisional Risk Registers: Supervision Sector; Regulation Sector; Corporate Services Sector; Office of the Chief Actuary; Audit & Consulting Services.
- The OSFI ERM Risk Coordinator rolls up the Risk Registers into the OSFI-wide ERM Overview.
- The Executive Committee and Audit Committee review the ERM results.
Which areas of OSFI are subject to risk assessments?

- The Program Activity Architecture (PAA, as required by Treasury Board) is used in determining the key business lines that are subject to risk assessments.
- Separate risk registers are required for each of the three sectors, plus the OCA and A&CS divisions.
- Risk assessments are performed at the business line level, or at lower levels within a business line at the discretion of the Assistant Superintendent.
How are risks consolidated?

[Figure: OSFI Risk Consolidation. Risk registers roll up through four levels:]
- OSFI Consolidated Risk Summary
- Sector Consolidation: Office of the Chief Actuary; Audit & Consulting Services; Regulation Sector; Supervision Sector; Corporate Services Sector
- Activity / Sub-Activity Consolidation (e.g. Rule Making; Approvals; Supervisory Support)
- Risk Registers (e.g. Accounting, Legislative, Accounting; Actuarial, Segregated Funds; Actuarial, Capital; Capital Models, Capital Other; Other, Compliance)
Update Process

- Risk assessments are completed on a quarterly basis; the March update involves a more detailed review.
- Each update considers the addition of new risks or the removal of risks that are no longer relevant or significant.
- Each sector is responsible for determining the best approach (i.e. who to involve) in performing the update.
- Updated risk reports are submitted to OSFI's Risk Coordinator.
- An office-wide summary is prepared for the Executive and for the Audit Committee (the Audit Committee is apprised of a more limited set of risks, consistent with its mandate).
Six Elements in OSFI's Risk Management Process

1. Define the objectives
2. Identify the risks
3. Identify the key controls
4. Assess the risks
5. Develop and implement action plans
6. Documentation
1. Define Objectives

- Objectives are key to the ERM process.
- Consider the risks that could impair the achievement of objectives for a particular business line or activity.
- Objectives must be clearly stated, understood and up-to-date.
2. Identification of Risks

- Risk identification is key.
- Consider those risks that could impact the ability to achieve objectives.
- Focus is on the top 5-7 risks.

[Figure: Risk Identification & Assessment (ERM). Inputs feeding the ERM Risk Register Update: SWOT; Performance Measures; Risk ID & Assessment; Executive Planning Meeting; Environmental Scan; Emerging Risk Committee.]
2. Identification of Risks (continued)

OSFI's Risk Inventory

External Risks
- Economic conditions
- Financial industry environment
- Legal environment
- Catastrophic events

Internal (Operational) Risks
- People: skills; allocation of resources
- Governance Processes: strategic and business planning; information/MIS; organization structure
- Key Internal Processes: key business line processes; other key processes; legal decisions
- Relationship Management: stakeholders; direct and indirect influencers
- Systems: effectiveness of systems; security of systems
- Culture: core values; change management
3. Identify Key Controls

- Identify and document key controls.
- Controls are activities, resources, systems and people that help mitigate, transfer or avoid risks.
- Control activities are the policies and procedures that help ensure that management's risk responses are carried out. They occur throughout the organization, at all levels and in all functions.
- Controls can be preventive, detective or corrective in nature.
4. Assessment of Risks

A. Inherent Risk = [Impact + Likelihood]/2
The quantification of a risk, which is determined by considering the impact of the risk on the organization's ability to achieve its objectives, and the degree of likelihood of the risk occurring within a given timeframe.

B. Risk Direction
Concluding, on a subjective basis, whether the residual risk (i.e. inherent risk after considering the effect of current controls) is stable, increasing or decreasing.
4. Assessment of Risks (continued)

C. Control Comprehensiveness
Rating the comprehensiveness of controls in place to mitigate the risk. A 5-point control comprehensiveness assessment scale can aid in assessing five control characteristics, namely:
- Extensiveness of control structure
- Awareness of controls (by employees)
- Documentation of controls
- Internal review of controls
- Independent review of controls
4. Assessment of Risks (continued)

D. Risk Tolerance
The level of residual risk you are willing to accept after considering the level of controls and the risk versus reward trade-off.
- Potentially Over Controlled: controls in place to mitigate the risk are excessive and could be reduced in the interests of efficacy.
- Acceptable: controls in place to mitigate the risk are acceptable; there is no control gap.
- Cautionary: controls in place to mitigate the risk are at a minimum level and may need to be enhanced in the future; there may be a control gap.
- Potentially Under Controlled: controls in place to mitigate the risk are likely inadequate and should probably be enhanced; there is likely a control gap.
5. Develop and Implement Action Plans

- Develop action plans (aka mitigation strategies) to address unacceptable gaps.
- Monitor progress status against these action plans.
- Action plans can feed into the priorities/strategic planning process.
6. Documentation

- Documentation of OSFI's risk management process is standardized across the office.
- The risk register is used to document the six steps.
- Where a sector has several business lines, a risk register is prepared for each line.
- The Sector Risk Coordinator prepares a risk consolidation of all risk registers prepared in the sector.
- Each Assistant Superintendent is required to sign off on their respective risk consolidation.
Risk Register - Example
Applying ERM Results

- Used by staff and management to support decision making.
- ERM is incorporated as an integral part of OSFI planning discussions and exercises.
- Used as a key input into strategic, operational and financial planning.
- ERM inputs throughout the planning process help identify, quantify, and include risk information when developing strategic priorities and business plans.
- ERM is formally incorporated into the Planning Model and Integrated Planning Cycle.
Applying ERM Results

Why integrate with planning?
- Structured approach to provide essential information in forming corporate objectives and actions, and setting priorities such that risks are effectively managed, including HR and IM/IT strategies and plans.

Planning based on risk-sensitive information provides:
- Better prioritization of work.
- Better support of decision-making throughout the planning process.
- More comprehensive reporting ("Risk Profile" section of the Report on Plans and Priorities, Departmental Performance Report and Annual Report).
- Support for the Audit Committee in delivering its mandate.
- Substantiated justification for greater resource requests in risk areas.
Contacts

www.osfi-bsif.gc.ca

Michele Bridges: Managing Director, Finance and Corporate Planning
Phone: (613) 991-4607
Email: michele.bridges@osfi-bsif.gc.ca

Sharon Nitschke: Manager, Policy Initiatives and Corporate Coordination
Phone: (613) 990-8798
Email: sharon.nitschke@osfi-bsif.gc.ca

Katie Brown: Manager, Corporate Planning and Performance Measurement
Phone: (613) 949-8935
Email: katie.brown@osfi-bsif.gc.ca