Insurers in Canada are required to implement a system of enterprise-wide risk management that identifies the inherent risks in their activities and manages those risks to appropriately defined levels. Regulatory reforms that address risk management of insurers and other financial institutions have dominated the landscape in Canada over the past few years. Recent initiatives put into place by Canada's federal insurance regulator include:
- a revised guideline on corporate governance;
- a revised guideline on regulatory compliance management;
- a new guideline on own risk and solvency assessment; and
- a new guideline on operational risk management.
The revised guideline on corporate governance requires, among other things:
- a board-approved risk appetite framework;
- hands-on involvement by senior managers in risk management policies and practices and dedicated board oversight;
- in appropriate circumstances, the establishment of a dedicated risk committee; and
- the appointment of a chief risk officer with unfettered access and a functional reporting line directly to the board or risk committee.
The corporate governance guideline applies only to domestic insurers, because significant responsibility is placed on the board of directors as the ultimate oversight function. Branch operations do not have local boards of directors.
The guideline on regulatory compliance management is a revision of the prior guideline on legislative compliance management and communicates the regulator's expectations with respect to the management of regulatory compliance risk by insurers. The guideline makes the board of directors – or chief agent, in the case of a branch operation of a foreign company – ultimately responsible for effective enterprise-wide regulatory compliance management and mandates a chief compliance officer. Internal audit (or another independent review function) is required to validate the effectiveness of, and adherence to, the insurer's compliance framework through regular risk-based testing.
The new guideline on own risk and solvency assessment (ORSA) outlines the regulator's expectations with respect to the insurer's own assessment of its risks, capital needs and solvency position, and the setting of internal targets based on the insurer's ORSA. The ORSA guideline also addresses:
- the scope of the ORSA;
- its relation to enterprise risk management;
- the role of the board, senior management and other participants in performing, monitoring, reporting or reviewing the ORSA; and
- other key elements of the assessment process.
The new guideline on operational risk management is designed to complement the above-noted guidance in order to round out an insurer's overall risk management systems and culture. The Office of the Superintendent of Financial Institutions (OSFI) expects each insurer to implement policies and procedures for operational risk management as part of its enterprise-wide, board-approved risk appetite framework. OSFI recommends that an insurer's operational risk management methodology follow the 'three lines of defence' model for establishing and independently assessing the insurer's processes:
- the business line, which plans, directs and controls day-to-day operations;
- an oversight function (eg, compliance and/or legal); and
- an independent review and assessment by internal audit.
Similar to the corporate governance guideline, the guideline on operational risk management applies only to domestically incorporated insurers.
For further information on this topic please contact Carol Lyons at McMillan LLP by telephone (+1 416 865 7000) or email (email@example.com). The McMillan LLP website can be accessed at www.mcmillan.ca.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.