Office of the Superintendent of
Financial Institutions (OSFI) -
Enterprise-wide Risk Management
(ERM)
Michele Bridges, Managing Director of Finance
and Corporate Planning
Financial Management Institute
November 23, 2010
What is OSFI?
• The Office of the Superintendent of
Financial Institutions (OSFI) is an
independent agency of the Government
of Canada established in 1987.
• OSFI supervises and regulates federally
registered banks, insurers, trust and
loan companies and private pension
plans that are subject to federal
oversight.
OSFI’s Mission Statement
We are the primary regulator of federal
financial institutions and pension plans. Our
mission is to safeguard policyholders,
depositors and pension plan members from
undue loss. We advance and administer a
regulatory framework that contributes to public
confidence in a competitive financial system.
We also provide actuarial services and advice
to the Government of Canada. We are
committed to providing a professional, high
quality and cost effective service.
About OSFI
• Approximately 550 employees.
• Offices located in Ottawa, Toronto, Montréal, and Vancouver.
• Office is comprised of the following sectors: Supervision, Regulation, Corporate Services, and the Office of the Chief Actuary.
• Superintendent (Julie Dickson) is the head of OSFI.
• The OCA is headed by the Chief Actuary, and all other sectors are headed by an Assistant Superintendent.
ERM Overview
What is risk?
Risk is any event that could impair our ability to achieve our objectives.
• “Risk” and “could”
– Future oriented words
– External and internal (i.e. operational risks)
• “Objectives”
– Need to be clear about objectives
– Objectives cascade down
ERM Overview (continued)
Imagine if you will …
1. Both top-down and bottom-up communication exercises (Senior management communicates its concerns to staff as well as an annual deep-dive exercise where staff provide input to detailed risk assessments)
2. Staff meet to agree on their concerns.
3. Concerns are consolidated.
4. Some risks are not adequately controlled.
5. Close control gaps.
= ERM
ERM Overview (continued)
ERM Framework
• Conceptually ERM is quite straight forward.
• Devil is in the detail of implementation.
• ERM framework built through understanding
key ERM concepts.
ERM Overview (continued)
Why implement ERM?
Our environment
• Rapid and complex change.
• Infinite choices of where to commit
resources, but scarce resources.
• Informal methods don’t cut it any more.
ERM Benefits
• Better prioritization of work and resource
allocation (i.e. better planning).
• Basis for improved reporting.
• Better management.
ERM Overview (continued)
Why implement ERM? (Continued)
Government of Canada Compliance
• Treasury Board Secretariat risk management related
policies and guidelines:
– Integrated Risk Management Implementation
Guide
– Integrated Risk Management Framework
– Policy on Active Monitoring
– Risk Management Policy
– Policy on Internal Control
• TBS Management Accountability Framework (MAF)
– departments and agencies rated on their risk
management practices.
ERM at OSFI
Implementation Timeline
• ERM was rolled out at OSFI in June 2005.
• Then:
– Annual formal risk assessments.
– Bottom-up approach.
– Executive oversaw the process but had no direct involvement.
• Now:
– Quarterly risk assessments.
– Top-down approach.
– Bimonthly discussions with the Executive Committee.
– At the annual planning meeting the Executive agrees on ERM results prior to finalizing OSFI priorities.
ERM at OSFI (Continued)
OSFI ERM Management Policy
• Prescribes the scope and effective date of the policy.
• Outlines the roles and responsibilities of:
– Superintendent and Executive Committee
– The Risk Management Function
– Assistant Superintendents
– Sector Risk Coordinators, and
– Internal Audit
OSFI ERM Framework
• Sets out risk management process including details on
performing risk assessments.
• Approach is now more dynamic and top down and
includes bimonthly discussions with Executive
Committee on risks.
ERM at OSFI (Continued)
Roles in ERM
• Risk Coordinators – conduct risk assessments and document results in Sector and Divisional Risk Registers:
– Supervision Sector
– Regulation Sector
– Corporate Services Sector
– Office of the Chief Actuary
– Audit & Consulting Services
• OSFI ERM Risk Coordinator – rolls up the Risk Registers into the OSFI-wide ERM Overview.
• Executive Committee & Audit Committee – review ERM results.
Which areas of OSFI are
subject to risk assessments?
• Program Activity Architecture (PAA as required by Treasury Board) is used in determining the key business lines that are subject to risk assessments.
• Separate risk registers are required for each of the three sectors, plus the OCA and A&CS divisions.
• Risk assessments are performed at the business line level or lower levels within a business line at the discretion of the Assistant Superintendent.
How are risks consolidated?
[Figure: consolidation pyramid. From the bottom up: Risk Registers → Activity / Sub-Activity Consolidation → Sector Consolidation → OSFI Risk Consolidation (OSFI Consolidated Risk Summary). Sector columns: Regulation Sector (sub-activities Rule Making, Approvals and Supervisory Support, with registers for Accounting, Actuarial, Capital, Other, Legislative, Segregated Funds, Capital Models and Compliance), Supervision Sector, Corporate Services Sector, Office of the Chief Actuary, Audit & Consulting Services.]
Update Process
• Risk assessments are completed on a quarterly basis –
March update involves a more detailed review.
• Update considers addition of new risks or removal of
risks that are no longer relevant/significant.
• Each sector is responsible for determining the best
approach (i.e. who to involve) in performing the update.
• Updated risk reports are submitted to OSFI’s Risk
Coordinator.
• An office-wide summary is prepared for the Executive and for
the Audit Committee (the Audit Committee summary covers a
more limited set of risks, consistent with its mandate).
Six Elements in OSFI’s Risk
Management Process
1. Define the objectives
2. Identify the risks
3. Identify the key controls
4. Assess the risks
5. Develop and implement
action plans
6. Documentation
1. Define Objectives
• Objectives are key to the ERM process.
• Consider the risks that could impair the
achievement of objectives for a particular
business line or activity.
• Objectives must be clearly stated,
understood and up-to-date.
2. Identification of Risks
• Risk identification is key.
• Consider those risks that could impact the ability to achieve objectives.
• Focus is on top 5 – 7 risks.
[Figure: Risk Identification & Assessment (ERM) cycle. Inputs to risk identification and assessment: SWOT analysis, Emerging Risk Committee, Performance Measures, Environmental Scan, Executive Planning Meeting. Output: ERM Risk Register Update.]
2. Identification of Risks
(continued)
OSFI’s Risk Inventory
External Risks
• Economic conditions
• Financial industry environment
• Legal environment
• Catastrophic events
Internal (Operational) Risks
• People
– Skills
– Allocation of resources
• Governance Processes
– Strategic and business planning
– Information/MIS
– Organization structure
• Key Internal Processes
– Key Business Line Processes
– Other key processes
– Legal decisions
• Relationship Management
– Stakeholders
– Direct and indirect influencers
• Systems
– Effectiveness of systems
– Security of systems
• Culture
– Core values
– Change management
3. Identify Key Controls
• Identify and document key controls.
• Controls are activities, resources, systems
and people that help mitigate, transfer or
avoid risks.
• Control activities:
– Are the policies and procedures that help ensure
that management’s risk responses are carried out.
– Occur throughout the organization, at all levels and
in all functions.
• Controls can be preventive, detective or
corrective in nature.
4. Assessment of Risks
A. Inherent Risk = [Impact + Likelihood]/2
• The quantification of a risk, determined by considering the impact of the risk on the organization’s ability to achieve its objectives and the likelihood of the risk occurring within a given timeframe.
B. Risk Direction
• Concluding, on a subjective basis, on whether the residual risk (i.e. inherent risk after considering the effect of current controls) is stable, increasing or decreasing.
4. Assessment of Risks
(Continued)
C. Control Comprehensiveness
• Rating the comprehensiveness of controls
in place to mitigate the risk.
• A 5-point control comprehensiveness
assessment scale can aid in assessing five
control characteristics, namely:
– Extensiveness of control structure
– Awareness of controls (by employees)
– Documentation of controls
– Internal review of controls
– Independent review of controls
4. Assessment of Risks
(Continued)
D. Risk Tolerance
• The level of residual risk you are willing to accept
after considering the level of controls and the risk
versus reward trade-off.
Potentially Over Controlled – Controls in place to
mitigate the risk are excessive and could be reduced
in the interests of efficiency.
Acceptable – Controls in place to mitigate the risk are
acceptable – there is no control gap.
Cautionary – Controls in place to mitigate the risk are at
a minimum level and may need to be enhanced in the
future – there may be a control gap.
Potentially Under Controlled – Controls in place to
mitigate the risk are likely inadequate and should
probably be enhanced – there is likely a control gap.
5. Develop and Implement Action
Plans
• Develop action plans (aka mitigation
strategies) to address unacceptable gaps.
• Monitor progress status against these
action plans.
• Action plans can feed into priorities/
strategic planning process.
6. Documentation
• Documentation of OSFI’s risk management process is standardized across the office.
• Risk register is used to document the six steps.
• Where a sector has several business lines, a risk register is prepared for each line.
• The Sector Risk Coordinator prepares a risk consolidation of all risk registers prepared in the sector.
• Each Assistant Superintendent is required to sign off on their respective risk consolidation.
Applying ERM Results
• Used by staff and management to
support decision making.
– ERM is incorporated as an integral part
of OSFI planning discussions and
exercises.
• Used as a key input into strategic, operational
and financial planning.
– ERM inputs throughout the planning process to help
identify, quantify, and include risk information when
developing strategic priorities and business plans.
– ERM is formally incorporated into the Planning Model
and Integrated Planning Cycle.
Applying ERM Results –
Why Integrate with Planning?
• Structured approach to provide essential information in forming corporate objectives and actions, and setting priorities such that risks are effectively managed.
– Including HR and IM/IT Strategies and Plans.
• Planning based on risk-sensitive information provides:
– Better prioritization of work.
– Better support of decision-making throughout planning process.
• Supports more comprehensive reporting
(“Risk Profile” section of Report on Plans
and Priorities, Departmental Performance
Report and Annual Report).
• Supports the Audit Committee in delivering
its mandate.
• Can provide substantiated justification for
greater resource requests in risk areas.
Contacts
www.osfi-bsif.gc.ca
Michele Bridges: Managing Director, Finance and Corporate Planning
– Phone: (613) 991-4607
– Email: [email protected]
Sharon Nitschke: Manager, Policy Initiatives and Corporate Coordination
– Phone: (613) 990-8798
– Email: [email protected]
Katie Brown: Manager, Corporate Planning and Performance Measurement
– Phone: (613) 949-8935
– Email: [email protected]