Overview of OSFI’s Risk Based Supervisory Framework. OSFI International Advisory Group. IAIS-FSI-ASSAL Training Seminar: Regional Seminar on Capital Adequacy and Risk-based Supervision, 6 – 11 May 2007, Rio de Janeiro, Brazil. Ralph Lewars, Senior Advisor, International Advisory Group.
Supervisory Framework • Objective • to provide an effective process to assess the safety and soundness of regulated FIs • Achieved by evaluating FI’s • risk profile • financial condition • risk management processes • compliance with applicable laws and regulations
Supervisory Framework Discussion Points • Key Principles & Overview • Inherent Risk Assessment • Assessment of the Quality of Risk Management Control Functions • Assessment of: • Net Risk and Overall Net Risk • Capital and Earnings • Composite Risk
Supervisory Framework Key Principles • Applies to all FIs • Consolidated Supervision • Risk Focused • Reliance on Oversight Functions • Conduct Benchmarking Studies, peer group and ratio analyses • Use of Specialists
Supervisory Framework Key Principles • Timely Reporting • Intervention Commensurate with Risk Profile of the Institution • Not all areas of the institution will be reviewed each year • Provide Supervisory Ratings to FIs • Reliance on External Auditors and Appointed Actuaries • Exercise of Sound Judgment
Defining the Significant Activity A Quick review… • Determined by business objectives • Defined by such factors as: • line of business (Auto, liability, property) • target markets • products or services • enterprise-wide process or unit • Asset/Liability Management, Investment Management, Information Technology • Geographic unit – e.g. U.K. operations. • Subsidiary • Unique to each institution
Supervisory Framework Materiality of Activities • Materiality is in relation to the context of the institution. • Materiality of an activity is in terms of the current and/or future impact on the institution’s capital and earnings.
Supervisory Framework Materiality of Activities Examples of Quantitative Criteria • Premium income represented by the activity • Asset represented by the activity • Revenue by activity compared to total revenue • Net income before tax for the activity compared to total net income before tax • Internal allocation of capital to the activity
Steps in the Thought Process • Key principles: • understand nature/characteristics of the activity • identify factors that can increase/decrease the level of risk • consider the effect of industry & environmental conditions, as well as experience, on the activity
Steps in the Thought Process • Focus on the primary inherent risk • Determine the “starting point” for like activities • Consider nature/characteristics of the activity at the FI • Ask yourself… “where does inherent risk lie in the activity I’m reviewing?”
Supervisory Framework Inherent Risk Categories • Inherent Risk is intrinsic to a business activity and arises from exposures and uncertainty from potential future events or changes in business or economic conditions. (S.F., s.4.2) • Due to the specific nature of the business activity the institution engages in, and uncertainty of future events (that might impact that activity) • Exists in all business activities • Risk Categories are: • Credit • Market • Insurance • Operational • Liquidity • Legal and Regulatory • Strategic • Sub-categories may be considered under each
Approach to Inherent Risk Assessment • All downside, no consideration of upside • In OSFI’s Supervisory Framework, risk is not a measure of potential reward or an evaluation of relative risk/reward
Supervisory Objectives of Identifying and Assessing Inherent Risks • Understand nature and extent of risks • OSFI’s expectations regarding the nature and extent of the mitigants (Operational Management/Risk Management Control Functions) expected to be in place to manage the risk • Identify areas of focus • Support assessments of capital adequacy and risk profile of the institution (composite rating)
Key Concepts in Assessing Inherent Risks • Assessment is primarily qualitative • Use informed judgment • No regard to mitigation • No regard to size of the activity • Dynamic, forward-looking, continuous
Key Concepts in Assessing Inherent Risks Assessment is Qualitative • Inherent risk in itself is not financial in nature, but could result in a financial impact on an institution • Therefore, our assessment of inherent risk is primarily qualitative, i.e. not numerical, but is considered as High (H), Above Average (AA), Moderate (M), or Low (L)
Key Concepts in Assessing Inherent Risks Use Informed Judgment, based on: • A sound understanding of the: • environment • industry (to identify inherent risk factors); and
Key Concepts in Assessing Inherent Risks Use Informed Judgment, based on: • A sound understanding of the (cont’d): • institution (to define significant activities and their characteristics at this specific institution, e.g. product design, target market, distribution channel)
Key Concepts in Assessing Inherent Risks Mitigation • Inherent Risk is assessed without factoring in the institution’s risk management processes and controls for the activity WHY? • Because we are assessing the “true” inherent risk intrinsic to the activity
Key Concepts in Assessing Inherent Risks Size of Activity • Inherent Risk is assessed without regard to “size” of the significant activity relative to the size of the institution or its capital WHY? • Because inherent risk is the risk intrinsic to an activity
Key Concepts in Assessing Inherent Risks The assessment of Inherent Risk is • Dynamic • Forward-looking • Continuous • Systematic
Approach to Assessing Inherent Risk • Define the significant activity (SA) • Identify and assess the risks inherent in that SA… • …without considering the impact of mitigation provided by the institution’s risk management processes and controls
Identification of the Primary Inherent Risk [Diagram, e.g. Ontario Auto: Primary Risk (Insurance), shown with Market Risk, Liquidity Risk, Legal & Regulatory Risk, Strategic Risk and Operational Risk]
Starting Point • Consider where along the industry risk spectrum the activity typically lies e.g. Auto … what is the level of inherent insurance risk that would be assigned “on average” to most Auto insurance business activities undertaken in the industry?
Starting Point [Chart: # of FIs across inherent risk levels Low, Moderate, Above Average, High; series: Automobile]
Starting Point – Insurance Risk [Chart: # of FIs across inherent risk levels Low, Moderate, Above Average, High; series: Automobile, Personal Property, Product Liability]
Life Products – Inherent Risks [Diagram: risk scale from Higher to Lower; axes: Premiums and Benefits (Variable vs. Guaranteed), Length of Contract (Long vs. Short)]
Non-Life Products – Inherent Risk [Diagram: risk scale from Higher to Lower; axes: Predictability of Loss Experience Data (High/Low), Complexity of Product (High/Low)]
Inherent Risk Guidance – Insurance Risk – Life • MODERATE: Individual Life – Term to 100; Payout annuities (with mortality); Group dental, medical, short-term disability; Group Life (term) • LOW: Non-par whole life; Non-par individual level and decreasing term; Par products with current dividend payouts; Individual Life Adjustable products – par & non-par
Inherent Risk Guidance – Insurance Risk • Consider factors that can drive Inherent Insurance Risk higher or lower • Nature & complexity of policies (types of risks, complexity of products, options, limits, exclusions, policyholder behavior) • Predictability of loss experience – severity, frequency, catastrophes, business cycle • Competition (price/product features) • Concentrations (line of business, diversification of risks relative to size of policies) • New market/industry/products
Inherent Risk Rating • Once the primary inherent risk has been assessed, consider other inherent risk categories (incidental risks) … • Operational (e.g., processing risk…) • Market (e.g., interest rate risk…) • Legal/regulatory (e.g., disclosure risk…) • Strategic (e.g., risk of political disruption..)
Inherent Risk Ratings • Low • Moderate • Above Average • High
Inherent Risk Rating • Low Inherent Risk exists when there is a lower than average probability of an adverse impact on an institution’s capital and earnings due to exposure and uncertainty from potential future events
Inherent Risk Rating • Moderate Inherent Risk exists when there is an average probability of an adverse impact on an institution’s capital and earnings due to exposure and uncertainty from potential future events
Inherent Risk Rating • Above Average Inherent Risk exists when there is an above average probability of an adverse impact on an institution’s capital and earnings due to exposure and uncertainty from potential future events
Inherent Risk Rating • High Inherent Risk exists when there is a higher than average probability of an adverse impact on an institution’s capital and earnings due to exposure and uncertainty from potential future events
Quality of Risk Management Operational Management • Operational Management is responsible for planning, directing and controlling the day-to-day operations of the institution’s business activities. • Supervisors assess the effectiveness of operational management for the significant activities.
Risk Management Oversight Responsibility (OSFI) [Diagram: Board and Senior Management; independent oversight functions (Risk Management, Financial Analysis, Internal Audit, Compliance, …); Operational Management and risk management processes; significant activities (Wealth Management, E-commerce, Line of Business)]
Quality of Risk Management Control Functions • Board • Senior Management • Risk Management • Internal Audit • Compliance • Financial Analysis
Assessing Risk Management Control Functions • Two Tracks to the assessment: • review by Significant Activity – left to right review (Track 1) • top down review – predictive, diagnostic (Track 2) • Characteristics vs. Performance • …Challenge: determining effectiveness • Documenting the assessment
Track 1 – Assess Risk Management by Significant Activity [Risk Matrix: rows are Significant Activities #1, #2, #3; columns are Materiality, Inherent Risks (Credit, Market, Liquidity, Insurance, etc.), Quality of Risk Management (Operational Management, Compliance, Internal Audit, Risk Mgt., Sr. Mgt., Board), Net Risk and Direction of Risk; summary entries are Overall Net Risk, Capital, Earnings, Composite Rating, Direction of Risk and Time Frame] • Inherent Risks mitigated by Operational Management overseen by Risk Management Control Functions results in Net Risk by Significant Activities • Weighted Net Risk by Significant Activities results in Overall Net Risk
Risk Equation (by Significant Activity) • Inherent Risk, mitigated by Quality of Risk Management, equals Net Risk / Direction of Risk
Supervisory Framework Track 1 [Flow diagram elements: Significant Activities (S.A.); Inherent Risks by S.A.; Quality of Risk Management by S.A. (Operational Management + Oversight); Net Risk by S.A.; Materiality by S.A.; Overall Net Risk; Earnings Performance; Adequacy of/Access to Capital; Capital/Earnings; Composite Risk Rating] • Inherent Risks mitigated by Quality of Risk Management = Net Risk
What is Net Risk? • “Net risk for each significant activity is a function of the aggregate level of inherent risk offset by the aggregate quality of risk management” • It’s a definition of a concept, not a formula!!! • Answers the question “Is this an activity that we have to worry about?”
What is Direction of Net Risk? • An informed judgement • Three directions: Decreasing, Stable or Increasing • Are we getting less worried, more worried or just as worried about the significant activity?
What is Direction of Net Risk? • Based on impact of: • potential changes in Inherent Risks, Operational Management or Risk Management Control Functions • business and economic climate on the significant activity • nature and pace of planned changes within the institution