
Overview of OSFI’s Risk Based
Supervisory Framework
OSFI International Advisory Group
IAIS-FSI-ASSAL Training Seminar
Regional Seminar on Capital Adequacy and Risk-based Supervision
6 – 11 May 2007
Rio de Janeiro, Brazil
Ralph Lewars
Senior Advisor,
International Advisory Group
Supervisory Framework
Objective
to provide an effective process to
assess the safety and soundness of
regulated FIs
Achieved by evaluating FI’s
risk profile
financial condition
risk management processes
compliance with applicable laws and
regulations
Supervisory Framework
Discussion Points
Key Principles & Overview
Inherent Risk Assessment
Assessment of the Quality of Risk
Management Control Functions
Assessment of:
Net Risk and Overall Net Risk
Capital and Earnings
Composite Risk
Supervisory Framework
Key Principles
Applies to all FIs
Consolidated Supervision
Risk Focused
Reliance on Oversight Functions
Conduct Benchmarking Studies, peer
group and ratio analyses
Use of Specialists
Supervisory Framework
Key Principles
Timely Reporting
Intervention Commensurate with Risk
Profile of the Institution
Not all areas of the institution will be reviewed
each year
Provide Supervisory Ratings to FIs
Reliance on External Auditors and
Appointed Actuaries
Exercise of Sound Judgment
FINANCIAL INSTITUTION
RISK MATRIX AS AT
[Risk matrix template. Rows: Activity 1, Activity 2, Activity 3, etc., and Overall Rating. Columns: Significant Activities; Materiality; Inherent Risks (Credit, Market, Liquidity, Insurance, Operational, Legal & Regulatory, Strategic); Quality of Risk Management (Operational Management, Financial Analysis, Compliance, Internal Audit, Risk Management, Senior Management, Board Oversight); Net Risk; Direction of Risk. Summary fields: Capital, Earnings, Composite Rating, Direction of Risk, Time Frame.]
Defining the Significant Activity
A quick review…
Determined by business objectives
Defined by such factors as:
line of business (Auto, liability, property)
target markets
products or services
enterprise-wide process or unit
• Asset/Liability Management, Investment Management,
Information Technology
• Geographic unit – e.g. U.K. operations.
• Subsidiary
Unique to each institution
Supervisory Framework
Materiality of Activities
Materiality is in relation to the context of
the institution.
Materiality of an activity is in terms of the
current and/or future impact on the
institution’s capital and earnings.
Supervisory Framework
Materiality of Activities
Examples of Quantitative Criteria
Premium income represented by the activity
Asset represented by the activity
Revenue by activity compared to total revenue
Net income before tax for the activity compared to total
net income before tax
Internal allocation of capital to the activity
Steps in the Thought Process
Key principles:
understand nature/characteristics of the
activity
identify factors that can increase/decrease the
level of risk
consider the effect of industry & environmental
conditions, as well as experience, on the
activity
Steps in the Thought Process
Focus on the primary inherent risk
Determine the “starting point” for like
activities
Consider nature/characteristics of the
activity at the FI
Ask yourself… “where does inherent risk
lie in the activity I’m reviewing?”
Supervisory Framework
Inherent Risk Categories
Inherent Risk is intrinsic to a business activity and arises
from exposures and uncertainty from potential future
events or changes in business or economic conditions.
(S.F., s.4.2)
Due to the specific nature of the business activity the
institution engages in, and uncertainty of future events (that
might impact that activity)
Exists in all business activities
Risk Categories are:
– Credit
– Market
– Insurance
– Operational
– Liquidity
– Legal and Regulatory
– Strategic
Sub-categories may be considered under each
Approach to Inherent Risk
Assessment
All downside, no consideration of upside
In OSFI’s Supervisory Framework, risk is
not a measure of potential reward or an
evaluation of relative risk/reward
Supervisory Objectives of Identifying
and Assessing Inherent Risks
Understand nature and extent of risks
OSFI’s expectations regarding the nature
and extent of the mitigants (Operational
Management/Risk Management Control
Functions) expected to be in place to
manage the risk
Identify areas of focus
Support assessments of capital adequacy
and risk profile of the institution
(composite rating)
Key Concepts in Assessing
Inherent Risks
1. Assessment is primarily qualitative
2. Use informed judgment
3. No regard to mitigation
4. No regard to size of the activity
5. Dynamic, forward-looking, continuous
Key Concepts in Assessing
Inherent Risks
Assessment is Qualitative
Inherent risk in itself is not financial in nature,
but could result in a financial impact on an
institution
Therefore
Our assessment of inherent risk is primarily
qualitative, i.e. not numerical,
but is considered as high (H), Above Average
(AA), Moderate (M), or low (L)
Key Concepts in Assessing
Inherent Risks
Use Informed Judgment,
based on:
A sound understanding of the:
environment
industry (to identify inherent risk
factors); and
Key Concepts in Assessing
Inherent Risks
Use Informed Judgment,
based on:
A sound understanding of the (cont’d):
institution (to define significant
activities and their characteristics at
this specific institution, e.g. product
design, target market, distribution
channel)
Key Concepts in Assessing
Inherent Risks
Mitigation
Inherent Risk is assessed without
factoring in the institution’s risk
management processes and controls for
the activity
WHY?
Because we are assessing the “true”
inherent risk intrinsic to the activity
Key Concepts in Assessing
Inherent Risks
Size of Activity
Inherent Risk is assessed without regard
to “size” of the significant activity relative
to the size of the institution or its capital
WHY?
Because inherent risk is the risk intrinsic
to an activity
Key Concepts in Assessing
Inherent Risks
The assessment of Inherent Risk is
Dynamic
Forward-looking
Continuous
Systematic
Approach to Assessing
Inherent Risk
Define the significant activity (SA)
Identify and assess the risks inherent in
that SA…
…without considering the impact of
mitigation provided by the institution’s risk
management processes and controls
Identification of the Primary
Inherent Risk
e.g. Ontario Auto
[Diagram: Primary Risk (Insurance), shown with Market Risk, Liquidity Risk, Strategic Risk, Operational Risk and Legal & Regulatory Risk]
Starting Point
Consider where along the industry risk spectrum
the activity typically lies
e.g. Auto
… what is the level of inherent insurance risk
that would be assigned “on average” to most
Auto insurance business activities undertaken
in the industry?
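Starting Point
[Diagram: Automobile placed on a risk spectrum running Low, Moderate, Above Average, High]
Starting Point – Insurance Risk
[Diagram: Personal Property, Automobile and Product Liability placed on a risk spectrum running Low, Moderate, Above Average, High]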
Life Products – Inherent Risks
[Chart: RISK scale from Lower to Higher. Axes: Length of Contract (Short to Long); Variable Premiums and/or Benefits versus Guaranteed Premiums and Benefits]
Non-Life Products – Inherent Risk
[Chart: risk scale from Lower to Higher. Axes: Complexity of Product (Low, High); Predictability of Loss Experience Data (High, Low)]
Inherent Risk Guidance –
Insurance Risk – Non-Life
HIGH
Environmental Liability
Aviation (Hull/liability)
Professional liability
Product Liability
Marine (hull/cargo/liability)
ABOVE AVERAGE
General liability
Auto-liability & personal
accident
Business Interruption
Commercial Property
Hail
Fidelity Bonds
Surety Bonds
Inherent Risk Guidance –
Insurance Risk – Non-Life
MODERATE
Accident & Sickness
Mortgage Insurance
Credit
Boiler & machinery
Warranty
LOW
Personal Property
Automobile – Other
Title
Legal Expense
Inherent Risk Guidance –
Insurance Risk – Life
HIGH
Long-term care (non-cancellable)
Universal life (index/equity-linked)
Individual disability income (non-cancellable)
Segregated fund guarantees
ABOVE AVERAGE
Critical Illness
Long-term care (guaranteed renewal)
Individual disability income (guaranteed renewal)
Group Long-term disability
Inherent Risk Guidance –
Insurance Risk – Life
MODERATE
Individual Life – Term to 100
Payout annuities (with mortality)
Group dental, medical, short-term disability
Group Life (term)
LOW
Non-par whole life
Non-par individual level and decreasing term
Par products with current dividend payouts
Individual Life Adjustable products – par &
non-par
Inherent Risk Guidance –
Insurance Risk
Consider factors that can drive Inherent
Insurance Risk higher or lower
Nature & complexity of policies (types of
risks, complexity of products, options,
limits, exclusions, policyholder behavior)
Predictability of loss experience – severity,
frequency, catastrophes, business cycle
Competition (price/product features)
Concentrations (line of business, diversification
of risks relative to size of policies)
New market/industry/products
Inherent Risk Rating
Once the primary inherent risk has
been assessed, consider other
inherent risk categories (incidental
risks) …
Operational (e.g., processing risk…)
Market (e.g., interest rate risk…)
Legal/regulatory (e.g., disclosure
risk…)
Strategic (e.g., risk of political
disruption..)
Inherent Risk Ratings
Low
Moderate
Above Average
High
Inherent Risk Rating
Low Inherent Risk exists when there is a
lower than average probability of an
adverse impact on an institution’s capital
and earnings due to exposure and
uncertainty from potential future events
Inherent Risk Rating
Moderate Inherent Risk exists when
there is an average probability of an
adverse impact on an institution’s capital
and earnings due to exposure and
uncertainty from potential future events
Inherent Risk Rating
Above Average Inherent Risk exists
when there is an above average
probability of an adverse impact on an
institution’s capital and earnings due to
exposure and uncertainty from potential
future events
Inherent Risk Rating
High Inherent Risk exists when there is a
higher than average probability of an
adverse impact on an institution’s capital
and earnings due to exposure and
uncertainty from potential future events
Quality of Risk Management
Operational Management
Operational Management is responsible for
planning, directing and controlling the day-to-day
operations of the institution’s business activities.
Supervisors assess the effectiveness of
operational management for the significant
activities.
OSFI
Risk Management Oversight Responsibility
[Organization chart. Labels: Board; Senior Management; Independent Oversight (Risk Management, Internal Audit, Compliance, Financial Analysis); Risk Management Processes; Significant Activities; Operational Management (Wealth Management, E-commerce, Line of Business)]
Quality of Risk Management
Control Functions
Board
Senior Management
Risk Management
Internal Audit
Compliance
Financial Analysis
Assessing Risk Management
Control Functions
Two Tracks to the assessment:
review by Significant Activity – left to
right review (Track 1)
top down review – predictive,
diagnostic (Track 2)
Characteristics vs. Performance
…Challenge: determining
effectiveness
Documenting the assessment
Track 1 – Assess Risk Management by Significant Activity
[Risk matrix diagram. Columns: Significant Activities (#1, #2, #3); inherent risks (Market, Liquidity, Insurance, etc.); Quality of Risk Management (Risk Mgt., Sr. Mgt., Board); Net Risk; Direction of Risk. Summary fields: Overall Net Risk, Capital, Earnings, Composite Rating, Direction of Risk, Time Frame.]
Inherent Risks mitigated by Operational Management overseen by Risk Management Control Functions results in Net Risk by Significant Activities
Weighted Net Risk by Significant Activities results in Overall Net Risk
Risk Equation
Significant Activity: Inherent Risk, Mitigated by Quality of Risk Management, Equals Net Risk / Direction of Risk
Supervisory Framework
Track 1
[Flow diagram. Labels: Significant Activities (S.A.); Inherent Risks by S.A.; Quality of Risk Management by S.A. (Operational Management + Oversight); Net Risk by S.A.; Materiality by S.A.; Overall Net Risk; Earnings Performance; Adequacy of/Access to Capital; Capital/Earnings; Composite Risk Rating]
Inherent Risks mitigated by Quality of Risk Management = Net Risk
What is Net Risk?
“Net risk for each significant activity is a
function of the aggregate level of inherent
risk offset by the aggregate quality of risk
management”
It’s a definition of a concept, not a
formula!!!
Answers the question “Is this an activity
that we have to worry about?”
What is Direction of
Net Risk?
An informed judgement
Three directions: Decreasing, Stable or
Increasing
Are we getting less worried, more worried
or just as worried about the significant
activity?
What is Direction of
Net Risk?
Based on impact of:
potential changes in Inherent Risks,
Operational Management or Risk
Management Control Functions
business and economic climate on the
significant activity
nature and pace of planned changes within
the institution
What is Overall Net Risk?
Overall means “total, inclusive of all”,
“taking everything into account, general”
OSFI Supervisory Framework: “Overall
Net Risk is the weighted aggregate of the
Net Risk of all Significant Activities of an
institution.”
What is Overall Net Risk?
Considers the relative materiality of each
activity
An informed judgement as to level of net
risk to institution’s capital and earnings
arising from all of its significant activities
Rated as Low, Moderate, Above Average
or High
Practical Approach to Overall
Net Risk
Which activities have the greatest
materiality?
What are the net risk ratings for these
activities?
What directions are the net risks going in?
Practical Approach to Overall
Net Risk
Which activities are strategic to the
success of the institution regardless of
quantitative materiality?
What are the net risk ratings for these
activities?
What directions are the net risks going in?
Practical Approach to Overall
Net Risk
Establish direction of overall net risk in a
similar fashion
Finally, ask:
Does this rating and direction agree with our
overall knowledge and sense of this
institution?
Overall Net Risk Ratings
Low
Moderate
Above Average
High
Overall Net Risk Rating
Low:
The institution has risk management that
substantially mitigates risks inherent in its
significant activities down to levels that
collectively have lower-than-average
probability of a material adverse impact on
its capital and earnings in the foreseeable
future.
Track 2 – Assess Risk Management by RMCF
[Risk matrix diagram. Columns: Significant Activities (#1, #2, #3); Inherent Risks (Market, Liquidity, Insurance, etc.); Quality of Risk Management (Risk Mgt., Sr. Mgt., Board), with an effectiveness (Eff.) rating per activity and an Overall Eff. rating per function; Net Risk; Direction of Risk. Summary fields: Capital, Earnings, Composite Rating, Direction of Risk, Time Frame.]
Characteristics combined with performance results in a Risk Management Control Function “Effectiveness” rating by Significant Activity, and the Risk Management Control Function overall
Key Attributes of Risk
Management Control Functions
Independence
no operational responsibilities
reports to CEO/Board
free from influence
Separate organizational unit
Oversight Power and Authority
Direct link to Senior Management
and Board
Why assess the Risk Management
Control Functions?
To determine if we can use their
work and how much (supervisory
leverage)
To use their work as a “window” into
the control environment of the
institution
To determine if we can reduce the
scope of our supervisory work over
operational controls
What if there are no Risk
Management Control Functions?
Senior Management retains that responsibility
We bucket our assessments under Senior Management on the Risk Matrix.
We say what the company does in the Senior Management section note
May make recommendations
OSFI
Risk Management Oversight Responsibility
[Organization chart. Labels: Board; Senior Management; Independent Oversight (Risk Management, Internal Audit, Compliance, Financial Analysis); Risk Management Processes; Significant Activities; Operational Management (Wealth Management, E-commerce, Line of Business)]
What If We Can’t Rely on the Risk
Management Control Functions?
Look for compensating controls.
Take alternate steps:
requiring expanded External Auditor
work
expanding our supervisory work onsite
make appropriate recommendations or
direct that appropriate work be done
Assessing Risk Management
Control Functions
Supervisory Assessment Guides
Characteristics
Essential Elements, i.e. organization, mandate,
resources, methodology/policies, reporting process,
relationship with Senior Management and Board
Performance
How well the Risk Management Control Function
fulfills its mandate
Characteristics + Performance = Effectiveness
Ratings of
Risk Management Control
Functions (Oversight)
Characteristics of the Function (Essential Elements, Criteria) and Performance of the Function (Performance Indicators) give the Overall Effectiveness of the Function, rated:
• Strong
• Acceptable
• Needs Improvement
• Weak
Examples of Essential
Elements
1. Mandate
2. Organization Structure
3. Resources
4. Methodology and Practices
5. Senior Management and Board Oversight
Rating of Risk Management
Control Functions - Criteria
Mandate
Extent to which the mandate establishes authority to
carry out responsibilities independently
Organization
Adequacy of the practices to review the organization
structure
Appropriateness of the organization structure
Resources
Adequacy of the practices to review the required
qualifications, skills, etc. regularly
Appropriateness of qualifications, skills available …
to fulfill responsibilities
Rating of Risk Management Control
Functions - Performance
Demonstrated effectiveness of oversight in the
context of the function’s mandate
Evaluated based on performance indicators
(e.g., proactive follow-up of issues identified to
ensure timely resolution)
Assessment of Risk Management
Control Functions
Ratings
Strong
the function consistently demonstrates
highly effective performance;
characteristics and performance are
superior to generally accepted industry
practices
Acceptable
the function demonstrates effective
performance and meets generally
accepted industry practices
Assessment of Risk Management
Control Functions
Ratings
Needs Improvement
the function may demonstrate effective
performance, but there may be some areas
where effectiveness can be improved (but not
serious enough to cause prudential concerns)
Weak
the function has demonstrated serious
instances where effectiveness needs to be
improved through immediate action;
characteristics and performance do not meet
generally accepted industry practices and
standards
Capital and Earnings
Some Basic Questions
What Ratings should be assigned to the
institution’s Capital and Earnings?
What factors should be considered when rating
the institution’s Capital and Earnings?
What impact, if any, will the Capital and Earnings
Ratings have on the institution’s overall
Composite Risk Rating?
Capital and Earnings
Earnings
Absorb normal and expected losses in a
given period and provide a source of
financial support by contributing to the
institution’s internal generation of capital
and its ability to access capital externally
Capital and Earnings
Earnings Criteria
Historical trends, level and composition
Peer group comparison
Future outlook
Quantity, quality, volatility, composition
Capital and Earnings
Capital
Source of financial support to protect
against unexpected losses – a key
contributor to safety and soundness
Capital Management is the on-going
process of raising and maintaining capital
at levels sufficient to support planned
operations
Capital and Earnings
Capital Criteria
Adequacy
Management
Oversight
Capital and Earnings Ratings
Strong
Acceptable
Needs Improvement
Weak
Earnings Rating Definition
Strong:
The institution has consistent earnings
performance, producing returns that
significantly contribute to its long term
viability, and there is no undue reliance
on non-recurring sources of income to
enhance earnings. The earnings outlook
for the next 12 months continues to be
positive.
Capital Rating Definition
Strong:
Capital adequacy is strong for the nature,
scope, complexity, and risk profile of the
institution, and meets OSFI’s target levels.
The trend in capital adequacy over the next
12 months is expected to remain positive.
Capital management policies and practices
are superior to generally accepted industry
practices.
What is the Composite Risk
Rating?
OSFI’s Supervisory Framework:
The Composite Risk Rating is an assessment of
the institution’s overall risk profile, after considering
the impact of capital and earnings on its Overall
Net Risk. It reflects OSFI’s assessment of the
safety and soundness of the institution.
Capital and Earnings are assessed relative to the level
of Overall Net Risk.
The supervisor assesses the extent to which Earnings
and Capital are able to sustain the current and planned
operations of the institution and contribute to its long-term viability by protecting against losses.
Composite Risk Rating Possibilities

                   Capital and Earnings Combinations
Overall Net Risk   S/S    S/A    S/W    A/S    A/A    A/W    W/S    W/A    W/W
High               M/AA   AA/H   AA/H   AA/H   H      H      H      H      H
Above Average      L/M    M/AA   M/AA   M/AA   AA     AA/H   AA/H   AA/H   H
Moderate           L      L/M    L/M    L/M    M      M/AA   M/AA   M/AA   AA/H
Low                L      L      L/M    L      L      L/M    L/M    M      AA

S: Strong, A: Acceptable, W: Weak
H: High, AA: Above Average, M: Moderate, L: Low
What is the Risk Profile?
Contained in the Risk Matrix
Summarizes our assessment of risk in an
institution
Arises out of the mixture of inherent risks
and risk mitigation of all significant
activities combined with capital and
earnings
What is the Composite Risk
Rating?
A component for:
level: (High, Above Average, Moderate, Low);
direction: Increasing, Stable or Decreasing;
and,
time frame: 3 months, 6 months, etc.
It summarizes our risk profile of an
institution
What Do We Mean by High, Above
Average, Moderate and Low Composite
Risk?
Levels Defined:
Low:
• “resilient to most adverse business and
economic conditions”
Moderate:
• “resilient to normal adverse business and
economic conditions”
Above Average:
• “early warning…could lead to a risk to its
financial viability”
High:
• “serious safety and soundness concerns”
Composite Risk Rating
Definition
Low:
A strong, well-managed institution. The combination
of its overall net risk and its capital and earnings
makes the institution resilient to most adverse
business and economic conditions without materially
affecting its risk profile. Its performance has been
consistently good, with most key indicators in excess
of industry norms, allowing it ready access to
additional capital. Any supervisory concerns have a
minor effect on its risk profile and can be addressed in
a routine manner.
Thank You