Overview of OSFI

1
Overview of OSFIs Risk Based Supervisory
FrameworkOSFI International Advisory
GroupIAIS-FSI-ASSAL Training SeminarRegional
Seminar on Capital Adequacy and Risk-based
Supervision6 11 May 2007Rio de Janeiro,
Brazil
Ralph Lewars Senior Advisor, International
Advisory Group
2
(No Transcript)
3
Supervisory Framework

• Objective
• to provide an effective process to assess the
  safety and soundness of regulated FIs
• Achieved by evaluating FIs
• risk profile
• financial condition
• risk management processes
• compliance with applicable laws and regulations

4
Supervisory FrameworkDiscussion Points

• Key Principles Overview
• Inherent Risk Assessment
• Assessment of the Quality of Risk Management
  Control Functions
• Assessment of
• Net Risk and Overall Net Risk
• Capital and Earnings
• Composite Risk

5
Supervisory Framework Key Principles

• Applies to all FIs
• Consolidated Supervision
• Risk Focused
• Reliance on Oversight Functions
• Conduct Benchmarking Studies, peer
  group and ratio analyses
• Use of Specialists

6
Supervisory Framework Key Principles

• Timely Reporting
• Intervention Commensurate with Risk Profile of
  the Institution
• Not all areas of the institution will be reviewed
  each year
• Provide Supervisory Ratings to FIs
• Reliance on External Auditors and Appointed
  Actuaries
• Exercise of Sound Judgment

7
FINANCIAL INSTITUTION RISK MATRIX AS AT FINANCIAL INSTITUTION RISK MATRIX AS AT FINANCIAL INSTITUTION RISK MATRIX AS AT FINANCIAL INSTITUTION RISK MATRIX AS AT FINANCIAL INSTITUTION RISK MATRIX AS AT FINANCIAL INSTITUTION RISK MATRIX AS AT FINANCIAL INSTITUTION RISK MATRIX AS AT
Significant Activities Materiality Inherent Risks Quality of Risk Management Quality of Risk Management Net Risk Direction Of Risk
Activity 1 Activity 2 Activity 3 Etc Credit Market Liquidity Insurance Operational Legal Regulatory Strategic Operational Management Board Oversight Senior Management Risk Management Internal Audit Compliance Financial Analysis
Overall Rating
Capital Earnings
Composite Rating Direction of Risk Time Frame
8
Defining the Significant Activity A Quick review

• Determined by business objectives
• Defined by such factors as
• line of business (Auto, liability, property)
• target markets
• products or services
• enterprise-wide process or unit
• Asset/Liability Management, Investment
  Management, Information Technology
• Geographic unit e.g. U.K. operations.
• Subsidiary
• Unique to each institution

9
Supervisory Framework Materiality of Activities

• Materiality is in relation to the context of the
  institution.
• Materiality of an activity is in terms of the
  current and/or future impact on the institutions
  capital and earnings.

10
Supervisory Framework Materiality of Activities

• Examples of Quantitative Criteria
• Premium income represented by the activity
• Asset represented by the activity
• Revenue by activity compared to total revenue
• Net income before tax for the activity compared
  to total net income before tax
• Internal allocation of capital to the activity

11
Steps in the Thought Process

• Key principles
• understand nature/characteristics of the activity
• identify factors that can increase/decrease the
  level of risk
• consider the effect of industry environmental
  conditions, as well as experience, on the
  activity

12
Steps in the Thought Process

• Focus on the primary inherent risk
• Determine the starting point for like
  activities
• Consider nature/characteristics of the activity
  at the FI
• Ask yourself where does inherent risk lie in
  the activity Im reviewing?

13
Supervisory Framework Inherent Risk Categories

• Inherent Risk is intrinsic to a business activity
  and arises from exposures and uncertainty from
  potential future events or changes in business or
  economic conditions. (S.F., s.4.2)
• Due to the specific nature of the business
  activity the institution engages in, and
  uncertainty of future events (that might impact
  that activity)
• Exists in all business activities
• Risk Categories are
• Credit Market
• Insurance Operational
• Liquidity Legal and
• Strategic Regulatory
• Sub-categories may be considered under each
• 
  

14
Approach to Inherent Risk Assessment

• All downside, no consideration of upside
• In OSFIs Supervisory Framework, risk is not a
  measure of potential reward or an evaluation of
  relative risk/reward

15
Supervisory Objectives of Identifying and
Assessing Inherent Risks

• Understand nature and extent of risks
• OSFIs expectations regarding the nature and
  extent of the mitigants (Operational
  Management/Risk Management Control Functions)
  expected to be in place to manage the risk
• Identify areas of focus
• Support assessments of capital adequacy and risk
  profile of the institution (composite rating)

16
Key Concepts in Assessing Inherent Risks

1. Assessment is primarily qualitative
2. Use informed judgment
3. No regard to mitigation
4. No regard to size of the activity
5. Dynamic, forward-looking, continuous

17
Key Concepts in Assessing Inherent Risks

• Assessment is Qualitative
• Inherent risk in itself is not financial in
  nature, but could result in a financial impact on
  an institution
• Therefore
• Our assessment of inherent risk is primarily
  qualitative, i.e. not numerical, but is
  considered as high (H), Above Average (AA),
  Moderate (M), or low (L)

18
Key Concepts in Assessing Inherent Risks

• Use Informed Judgment,
• based on
• A sound understanding of the
• environment
• industry (to identify inherent risk factors) and

19
Key Concepts in Assessing Inherent Risks

• Use Informed Judgment,
• based on
• A sound understanding of the (contd)
• institution (to define significant activities and
  their characteristics at this specific
  institution, e.g. product design, target market,
  distribution channel)

20
Key Concepts in Assessing Inherent Risks

• Mitigation
• Inherent Risk is assessed without factoring in
  the institutions risk management processes and
  controls for the activity
• WHY?
• Because we are assessing the true inherent risk
  intrinsic to the activity

21
Key Concepts in Assessing Inherent Risks

• Size of Activity
• Inherent Risk is assessed without regard to
  size of the significant activity relative to
  the size of the institution or its capital
• WHY?
• Because inherent risk is the risk intrinsic to an
  activity

22
Key Concepts in Assessing Inherent Risks

• The assessment of Inherent Risk is
• Dynamic
• Forward-looking
• Continuous
• Systematic

23
Approach to Assessing Inherent Risk

• Define the significant activity (SA)
• Identify and assess the risks inherent in that
  SA
• without considering the impact of mitigation
  provided by the institutions risk management
  processes and controls

24
Identification of the Primary Inherent Risk

• e.g. Ontario Auto

25
Starting Point

• Consider where along the industry risk spectrum
  the activity typically lies
• e.g. Auto
• what is the level of inherent insurance risk
  that would be assigned on average to most Auto
  insurance business activities undertaken in the
  industry?

26
Starting Point

of FIs
Automobile
Above Average
High
Low
Moderate
27
Starting Point Insurance Risk
28
Life Products Inherent Risks

• Long
• Length of
• Contract
• Short

29
Non-Life Products Inherent Risk

• High
• Complexity
• of Product
• Low

30
Inherent Risk Guidance Insurance Risk
Non-Life
HIGH Environmental Liability Aviation (Hull/liability) Professional liability Product Liability Marine (hull/cargo/liability)
ABOVE AVERAGE General liability Auto-liability personal accident Business Interruption Commercial Property Hail Fidelity Bonds Surety Bonds
31
Inherent Risk Guidance Insurance Risk
Non-Life
MODERATE Accident Sickness Mortgage Insurance Credit Boiler machinery Warranty
LOW Personal Property Automobile- Other Title Legal Expense
32
Inherent Risk Guidance Insurance Risk Life
HIGH Long-term care ( non- cancellable) Universal life (index/equity-linked) Individual disability income (non-cancellable) Segregated fund guarantees
ABOVE AVERAGE Critical Illness Long-term care (guaranteed renewal) Individual disability income (guaranteed renewal) Group Long-term disability
33
Inherent Risk Guidance Insurance Risk Life
34
Inherent Risk Guidance Insurance Risk

• Consider factors that can drive Inherent
  Insurance Risk higher or lower
• Nature complexity of policies (types of
  risks,complexity of products, options,
  limits,exclusions, policyholder behavior)
• Predictability of loss experience severity,
  frequency, catastrophes, business cycle
• Competition (price/product features)
• Concentrations (line of business, diversification
  of risks relative to size of policies
• New market/industry/products

35
Inherent Risk Rating

• Once the primary inherent risk has been assessed,
  consider other inherent risk categories
  (incidental risks)
• Operational (e.g., processing risk)
• Market (e.g., interest rate risk)
• Legal/regulatory (e.g., disclosure risk)
• Strategic (e.g., risk of political disruption..)

36
Inherent Risk Ratings

• Low
• Moderate
• Above Average
• High

37
Inherent Risk Rating

• Low Inherent Risk exists when there is a lower
  than average probability of an adverse impact on
  an institutions capital and earnings due to
  exposure and uncertainty from potential future
  events

38
Inherent Risk Rating

• Moderate Inherent Risk exists when there is an
  average probability of an adverse impact on an
  institutions capital and earnings due to
  exposure and uncertainty from potential future
  events

39
Inherent Risk Rating

• Above Average Inherent Risk exists when there is
  an above average probability of an adverse impact
  on an institutions capital and earnings due to
  exposure and uncertainty from potential future
  events

40
Inherent Risk Rating

• High Inherent Risk exists when there is a higher
  than average probability of an adverse impact on
  an institutions capital and earnings due to
  exposure and uncertainty from potential future
  events

41
Quality of Risk Management

• Operational Management
• Operational Management is responsible for
  planning, directing and controlling the
  day-to-day operations of the institutions
  business activities.
• Supervisors assess the effectiveness of
  operational management for the significant
  activities.

42

43
Quality of Risk Management Control Functions

• Board
• Senior Management
• Risk Management
• Internal Audit
• Compliance
• Financial Analysis

44
Assessing Risk Management Control Functions

• Two Tracks to the assessment
• review by Significant Activity left to right
  review (Track 1)
• top down review predictive, diagnostic (Track
  2)
• Characteristics vs. Performance
• Challenge determining effectiveness
• Documenting the assessment

45
Track 1 Assess Risk Management by Significant
Activity
Weighted Net Risk by Significant Activities
results in Overall Net Risk
45
46
Risk Equation
Significant Activity
47
Supervisory FrameworkTrack 1
Inherent Risks mitigated by Quality of Risk
Management Net Risk
48
What is Net Risk?

• Net risk for each significant activity is a
  function of the aggregate level of inherent risk
  offset by the aggregate quality of risk
  management
• Its a definition of a concept, not a formula!!!
• Answers the question Is this an activity that we
  have to worry about?

49
What is Direction of Net Risk?

• An informed judgement
• Three directions Decreasing, Stable or
  Increasing
• Are we getting less worried, more worried or just
  as worried about the significant activity?

50
What is Direction of Net Risk?

• Based on impact of
• potential changes in Inherent Risks, Operational
  Management or Risk Management Control Functions
• business and economic climate on the significant
  activity
• nature and pace of planned changes within the
  institution

51
What is Overall Net Risk?

• Overall means total, inclusive of all, taking
  everything into account, general
• OSFI Supervisory Framework Overall Net Risk is
  the weighted aggregate of the Net Risk of all
  Significant Activities of an institution.

52
What is Overall Net Risk?

• Considers the relative materiality of each
  activity
• An informed judgement as to level of net risk to
  institutions capital and earnings arising from
  all of its significant activities
• Rated as Low, Moderate, Above Average or High

53
Practical Approach to Overall Net Risk

• Which activities have the greatest materiality?
• What are the net risk ratings for these
  activities?
• What directions are the net risks going in?

54
Practical Approach to Overall Net Risk

• Which activities are strategic to the success of
  the institution regardless of quantitative
  materiality?
• What are the net risk ratings for these
  activities?
• What directions are the net risks going in?

55
Practical Approach to Overall Net Risk

• Establish direction of overall net risk in a
  similar fashion
• Finally, ask
• Does this rating and direction agree with our
  overall knowledge and sense of this institution?

56
Overall Net Risk Ratings

• Low
• Moderate
• Above Average
• High

57
Overall Net Risk Rating
Low The institution has risk management that
substantially mitigates risks inherent in its
significant activities down to levels that
collectively have lower-than-average probability
of a material adverse impact on its capital and
earnings in the foreseeable future.
58
Track 2 Assess Risk Management by RMCF
RISK MATRIX
Inherent Risks
Quality of Risk Management
Significant Activities
Direction of Risk
Materiality
Internal Audit
Oper. Management
Risk Mgt., Sr. Mgt., Board
Net Risk
Market, Liquidity, Insurance, etc.
Compliance
Credit
1 2 3
Eff.
Characteristics combined with performance results
in a Risk Management Control Function
Effectiveness rating by Significant Activity,
and the Risk Management Control Function overall
Eff.
Eff.
Overall Eff.
Overall Eff.
Overall Eff.
Capital
Earnings
Composite Rating
Direction of Risk
Time Frame
58
59
Key Attributes of Risk Management Control
Functions

• Independence
• no operational responsibilities
• reports to CEO/Board
• free from influence
• Separate organizational unit
• Oversight Power and Authority
• Direct link to Senior Management and Board

60
Why assess the Risk Management Control Functions?

• To determine if we can use their work and how
  much (supervisory leverage)
• To use their work as a window into the control
  environment of the institution
• To determine if we can reduce the scope of our
  supervisory work over operational controls

61
What if there are no Risk Management Control
Functions?

• Senior Management retains that responsibility
• We bucket our assessments under Senior Management
  on the Risk Matrix.
• We say what the company does in the Senior
  Management section note
• May make recommendations

62
What If We Cant Rely on the Risk Management
Control Functions?

• Look for compensating controls.
• Take alternate steps
• requiring expanded External Auditor work
• expanding our supervisory work on-site
• make appropriate recommendations or direct that
  appropriate work be done

63
Assessing Risk Management Control Functions

• Supervisory Assessment Guides
• Characteristics
• Essential Elements, i.e. organization, mandate,
  resources, methodology/policies, reporting
  process, relationship with Senior Management and
  Board
• Performance
• How well the Risk Management Control Function
  fulfills its mandate
• Characteristics Performance Effectiveness

64
Ratings of Risk Management Control Functions
(Oversight)
Overall Effectiveness of the Function
Characteristics of the Function
Performance of the Function

• Strong
• Acceptable
• Needs Improvement
• Weak

• Performance
• Indicators

• Essential Elements
• Criteria

65
Examples of Essential Elements

1. Mandate
2. Organization Structure
3. Resources
4. Methodology and Practices
5. Senior Management and Board Oversight

66
Rating of Risk Management Control Functions -
Criteria

• Mandate
• Extent to which the mandate establishes authority
  to carry out responsibilities independently
• Organization
• Adequacy of the practices to review the
  organization structure
• Appropriateness of the organization structure
• Resources
• Adequacy of the practices to review the required
  qualifications, skills, etc. regularly
• Appropriateness of qualifications, skills
  available to fulfill responsibilities

67
Rating of Risk Management Control Functions -
Performance

• Demonstrated effectiveness of oversight in the
  context of the functions mandate
• Evaluated based on performance indicators
• (e.g., proactive follow-up of issues identified
  to ensure timely resolution)

68
Assessment of Risk Management Control Functions

• Ratings
• Strong
• the function consistently demonstrates high
  effective performance characteristics and
  performance are superior to generally accepted
  industry practices
• Acceptable
• the function demonstrates effective performance
  and meets generally accepted industry practices

69
Assessment of Risk Management Control Functions

• Ratings
• Needs Improvement
• the function may demonstrate effective
  performance, but there may be some areas where
  effectiveness can be improved (but not serious to
  cause prudential concerns)
• Weak
• the function has demonstrated serious instances
  where effectiveness needs to be improved through
  immediate action characteristics and performance
  do not meet generally accepted industry practices
  and standards

70
Capital and Earnings

• Some Basic Questions
• What Ratings should be assigned to the
  institutions Capital and Earnings?
• What factors should be considered when rating the
  institutions Capital and Earnings?
• What impact, if any, will the Capital and
  Earnings Ratings have on the institutions
  overall Composite Risk Rating?

71
Capital and Earnings

• Earnings
• Absorb normal and expected losses in a given
  period and provide a source of financial support
  by contributing to the institutions internal
  generation of capital and its ability to access
  capital externally

72
Capital and Earnings

• Earnings Criteria
• Historical trends, level and composition
• Peer group comparison
• Future outlook
• Quantity, quality, volatility, composition

73
Capital and Earnings

• Capital
• Source of financial support to protect against
  unexpected losses a key contributor to safety
  and soundness
• Capital Management is the on-going process of
  raising and maintaining capital at levels
  sufficient to support planned operations

74
Capital and Earnings

• Capital Criteria
• Adequacy
• Management
• Oversight

75
Capital and Earnings Ratings

• Strong
• Acceptable
• Needs Improvement
• Weak

76
Earnings Rating Definition
Strong The institution has consistent earnings
performance, producing returns that significantly
contribute to its long term viability, and there
is no undue reliance on non-recurring sources of
income to enhance earnings. The earnings outlook
for the next 12 months continues to be positive.
77
Capital Rating Definition
Strong Capital adequacy is strong for the
nature, scope, complexity, and risk profile of
the institution, and meets OSFIs target levels.
The trend in capital adequacy over the next 12
months is expected to remain positive. Capital
management policies and practices are superior to
generally accepted industry practices.
78
What is the Composite Risk Rating?

• OSFIs Supervisory Framework
• The Composite Risk Rating is an assessment of the
  institutions overall risk profile, after
  considering the impact of capital and earnings on
  its Overall Net Risk. It reflects OSFIs
  assessment of the safety and soundness of the
  institution.
• Capital and Earnings are assessed relative to the
  level of Overall Net Risk.
• The supervisor assesses the extent to which
  Earnings and Capital are able to sustain the
  current and planned operations of the institution
  and contribute to its long-term viability by
  protecting against losses.

79
Composite Risk Rating Possibilities
Capital and Earnings Combinations
Overall Net Risk
W/W
W/A
W/S
A/W
A/A
A/S
S/W
S/A
S/ S
H
H
H
H
H
AA/H
AA/H
AA/H
M/AA
High
H
AA/H
AA/H
AA/H
AA
M/AA
M/AA
M/AA
L/M
Above Average
AA/H
M/AA
M/AA
M/AA
M
L/M
L/M
L/M
L
Moderate
AA
M
L/M
L/M
L
L
L/M
L
L
Low
S Strong H High M Moderate W Weak AA Above
Average L Low A Acceptable
80
What is the Risk Profile?

• Contained in the Risk Matrix
• Summarizes our assessment of risk in an
  institution
• Arises out of the mixture of inherent risks and
  risk mitigation of all significant activities
  combined with capital and earnings

81
What is the Composite Risk Rating?

• A component for
• level (High, Above Average, Moderate, Low)
• direction Increasing, Stable or Decreasing and,
  
• time frame 3 months, 6 months, etc.
• It summarizes our risk profile of an institution

82
What Do We Mean by High, Above Average, Moderate
and Low Composite Risk?

• Levels Defined
• Low
• resilient to most adverse business and economic
  conditions
• Moderate
• resilient to normal adverse business and
  economic conditions
• Above Average
• early warningcould lead to a risk to its
  financial viability
• High
• serious safety and soundness concerns

83
Composite Risk Rating Definition
Low A strong, well-managed institution. The
combination of its overall net risk and its
capital and earnings makes the institution
resilient to most adverse business and economic
conditions without materially affecting its risk
profile. Its performance has been consistently
good, with most key indicators in excess of
industry norms, allowing it ready access to
additional capital. Any supervisory concerns have
a minor effect on its risk profile and can be
addressed in a routine manner.
84

• Thank -You