Office of the Superintendent of Financial Institutions (OSFI) - Enterprise-wide Risk Management (ERM)

Michele Bridges, Managing Director of Finance and Corporate Planning

Financial Management Institute, November 23, 2010


What is OSFI?

• The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada established in 1987.

• OSFI supervises and regulates federally registered banks, insurers, trust and loan companies and private pension plans that are subject to federal oversight.

OSFI’s Mission Statement

We are the primary regulator of federal financial institutions and pension plans. Our mission is to safeguard policyholders, depositors and pension plan members from undue loss. We advance and administer a regulatory framework that contributes to public confidence in a competitive financial system. We also provide actuarial services and advice to the Government of Canada. We are committed to providing a professional, high quality and cost effective service.


About OSFI

• Approximately 550 employees.

• Offices located in Ottawa, Toronto, Montréal, and Vancouver.

• Office is comprised of the following sectors: Supervision, Regulation, Corporate Services, and the Office of the Chief Actuary.

• Superintendent (Julie Dickson) is the head of OSFI.

• The OCA is headed by the Chief Actuary, and all other sectors are headed by an Assistant Superintendent.


ERM Overview

What is risk?

Risk is any event that could impair our ability to achieve our objectives.

• “Risk” and “could”

– Future oriented words

– External and internal (i.e. operational risks)

• “Objectives”

– Need to be clear about objectives

– Objectives cascade down


ERM Overview (continued)

Imagine if you will …

1. Both top-down and bottom-up communication exercises (Senior management communicates its concerns to staff as well as an annual deep-dive exercise where staff provide input to detailed risk assessments)

2. Staff meet to agree on their concerns.

3. Concerns are consolidated.

4. Some risks are not adequately controlled.

5. Close control gaps.

= ERM

ERM Overview (continued)

ERM Framework

• Conceptually, ERM is quite straightforward.

• The devil is in the detail of implementation.

• The ERM framework is built through understanding key ERM concepts.

ERM Overview (continued)

Why implement ERM?

Our environment

• Rapid and complex change.

• Infinite choices of where to commit resources, but scarce resources.

• Informal methods don’t cut it any more.

ERM Benefits

• Better prioritization of work and resource allocation (i.e. better planning).

• Basis for improved reporting.

• Better management.

ERM Overview (continued)

Why implement ERM? (Continued)

Government of Canada Compliance

• Treasury Board Secretariat risk management related policies and guidelines:

– Integrated Risk Management Implementation Guide

– Integrated Risk Management Framework

– Policy on Active Monitoring

– Risk Management Policy

– Policy on Internal Control

• TBS Management Accountability Framework (MAF)

– Departments and agencies are rated on their risk management practices.

ERM at OSFI

Implementation Timeline

• ERM was rolled out at OSFI in June 2005.

• Then:

– Annual formal risk assessments.

– Bottom up approach.

– Executive oversaw process but no direct involvement.

• Now:

– Quarterly risk assessments.

– Top down approach.

– Bimonthly discussions with Executive Committee.

– At annual planning meeting Executive agrees on ERM results prior to finalizing OSFI priorities.

ERM at OSFI (Continued)

OSFI ERM Management Policy

• Prescribes the scope and effective date of the policy.

• Outlines the roles and responsibilities of:

– Superintendent and Executive Committee

– The Risk Management Function

– Assistant Superintendents

– Sector Risk Coordinators, and

– Internal Audit

OSFI ERM Framework

• Sets out the risk management process, including details on performing risk assessments.

• Approach is now more dynamic and top down and includes bimonthly discussions with Executive Committee on risks.

ERM at OSFI (Continued)

Roles in ERM

• Risk Coordinators – conduct risk assessments and document results in Sector and Divisional Risk Registers:

– Supervision Sector

– Regulation Sector

– Corporate Services Sector

– Office of the Chief Actuary

– Audit & Consulting Services

• OSFI ERM Risk Coordinator – rolls up Risk Registers into the OSFI-wide ERM Overview.

• Executive Committee & Audit Committee – review ERM results.


Which areas of OSFI are

subject to risk assessments?

• Program Activity Architecture (PAA as required by Treasury Board) is used in determining the key business lines that are subject to risk assessments.

• Separate risk registers are required for each of the three sectors, plus the OCA and A&CS divisions.

• Risk assessments are performed at the business line level or lower levels within a business line at the discretion of the Assistant Superintendent.

How are risks consolidated?

(Consolidation diagram from the original slide: risk registers roll up through activity / sub-activity consolidation and sector consolidation to the OSFI Consolidated Risk Summary. The levels and names shown on the slide are listed below.)

• OSFI Risk Consolidation – OSFI Consolidated Risk Summary

• Sector Consolidation – Regulation Sector, Supervision Sector, Corporate Services Sector, Office of the Chief Actuary, Audit & Consulting Services

• Activity / Sub-Activity Consolidation – activities named on the slide: Rule Making, Approvals, Supervisory Support, Compliance; sub-activities named on the slide: Accounting, Actuarial, Capital, Other, Legislative, Segregated Funds, Capital Models

• Risk Registers

Update Process

• Risk assessments are completed on a quarterly basis; the March update involves a more detailed review.

• Each update considers the addition of new risks or the removal of risks that are no longer relevant/significant.

• Each sector is responsible for determining the best approach (i.e. who to involve) in performing the update.

• Updated risk reports are submitted to OSFI’s Risk Coordinator.

• An office wide summary is prepared for Executive and for Audit Committee (the Audit Committee summary covers a more limited set of risks, consistent with its mandate).

Six Elements in OSFI’s Risk Management Process

1. Define the objectives

2. Identify the risks

3. Identify the key controls

4. Assess the risks

5. Develop and implement action plans

6. Documentation

1. Define Objectives

• Objectives are key to the ERM process.

• Consider the risks that could impair the achievement of objectives for a particular business line or activity.

• Objectives must be clearly stated, understood and up-to-date.

2. Identification of Risks

• Risk identification is key.

• Consider those risks that could impact the ability to achieve objectives.

• Focus is on top 5 – 7 risks.

Risk Identification & Assessment (ERM)

(Diagram from the original slide: the inputs feeding the ERM Risk Register Update are SWOT, Risk ID & Assessment, Emerging Risk Committee, Performance Measures, Environmental Scan, and the Executive Planning Meeting.)

2. Identification of Risks (continued)

OSFI’s Risk Inventory

External Risks

• Economic conditions

• Financial industry environment

• Legal environment

• Catastrophic events

Internal (Operational) Risks

• People

– Skills

– Allocation of resources

• Governance Processes

– Strategic and business planning

– Information/MIS

– Organization structure

• Key Internal Processes

– Key Business Line Processes

– Other key processes

– Legal decisions

• Relationship Management

– Stakeholders

– Direct and indirect influencers

• Systems

– Effectiveness of systems

– Security of systems

• Culture

– Core values

– Change management

3. Identify Key Controls

• Identify and document key controls.

• Controls are activities, resources, systems and people that help mitigate, transfer or avoid risks.

• Control activities:

– Are the policies and procedures that help ensure that management’s risk responses are carried out.

– Occur throughout the organization, at all levels and in all functions.

• Controls can be preventive, detective or corrective in nature.

4. Assessment of Risks

A. Inherent Risk = [Impact + Likelihood]/2

• The quantification of a risk, determined by considering the impact of the risk on the organization’s ability to achieve its objectives and the degree of likelihood of the risk occurring within a given timeframe.

B. Risk Direction

• Concluding, on a subjective basis, whether the residual risk (i.e. inherent risk after considering the effect of current controls) is stable, increasing or decreasing.

4. Assessment of Risks (Continued)

C. Control Comprehensiveness

• Rating the comprehensiveness of controls in place to mitigate the risk.

• A 5-point control comprehensiveness assessment scale can aid in assessing five control characteristics, namely:

– Extensiveness of control structure

– Awareness of controls (by employees)

– Documentation of controls

– Internal review of controls

– Independent review of controls

4. Assessment of Risks (Continued)

D. Risk Tolerance

• The level of residual risk you are willing to accept after considering the level of controls and the risk versus reward trade-off.

– Potentially Over Controlled – Controls in place to mitigate the risk are excessive and could be reduced in the interests of efficacy.

– Acceptable – Controls in place to mitigate the risk are acceptable; there is no control gap.

– Cautionary – Controls in place to mitigate the risk are at a minimum level and may need to be enhanced in the future; there may be a control gap.

– Potentially Under Controlled – Controls in place to mitigate the risk are likely inadequate and should probably be enhanced; there is likely a control gap.

5. Develop and Implement Action Plans

• Develop action plans (aka mitigation strategies) to address unacceptable gaps.

• Monitor progress status against these action plans.

• Action plans can feed into the priorities/strategic planning process.


6. Documentation

• Documentation of OSFI’s risk management process is standardized across the office.

• Risk register is used to document the six steps.

• Where a sector has several business lines, a risk register is prepared for each line.

• The Sector Risk Coordinator prepares a risk consolidation of all risk registers prepared in the sector.

• Each Assistant Superintendent is required to sign off on their respective risk consolidation.


Risk Register - Example

Applying ERM Results

• Used by staff and management to support decision making.

– ERM is incorporated as an integral part of OSFI planning discussions and exercises.

• Used as a key input into strategic, operational and financial planning.

– ERM inputs throughout the planning process help identify, quantify, and include risk information when developing strategic priorities and business plans.

– ERM is formally incorporated into the Planning Model and Integrated Planning Cycle.

Applying ERM Results – Why Integrate with Planning?

• Structured approach to provide essential information in forming corporate objectives and actions, and setting priorities such that risks are effectively managed.

– Including HR and IM/IT Strategies and Plans.

• Planning based on risk-sensitive information provides:

– Better prioritization of work.

– Better support of decision-making throughout the planning process.

• Supports more comprehensive reporting (“Risk Profile” section of Report on Plans and Priorities, Departmental Performance Report and Annual Report).

• Supports the Audit Committee in delivering its mandate.

• Can provide substantiated justification for greater resource requests in risk areas.


Contacts

www.osfi-bsif.gc.ca

Michele Bridges: Managing Director, Finance and Corporate Planning

– Phone: (613) 991-4607

– Email: [email protected]

Sharon Nitschke: Manager, Policy Initiatives and Corporate Coordination

– Phone: (613) 990-8798

– Email: [email protected]

Katie Brown: Manager, Corporate Planning and Performance Measurement

– Phone: (613) 949-8935

– Email: [email protected]