On February 24, 2011, the Office of the Superintendent of Financial Institutions (Canada) (OSFI), the Canadian federal prudential insurance regulator, released an updated version of its "Supervisory Framework" (Framework), which contains the principles, concepts and core processes used by OSFI to guide its supervision of federally-regulated financial institutions (FRIs) (including deposit-taking institutions and life and property and casualty insurance companies incorporated in Canada or licensed to carry on business in Canada).
In its cover letter to FRIs, OSFI noted that there have been significant changes in the nature of risks faced by FRIs, and the way those risks are managed, since the original version of the Framework was issued in 1999. In addition, there have been significant developments in international regulation and supervision, including:
- the introduction and revision of the core (supervisory) principles of the Basel Committee on Banking Supervision (Basel) and the International Association of Insurance Supervisors (IAIS), respectively, which have been adopted by OSFI;
- the Financial Stability Board's recommendations for enhancing the supervision of systemically important financial institutions;
- upgrades to capital rules and expectations (as per the Basel II Accord and the Basel III reforms); and
- in general, heightened requirements for liquidity, risk management and corporate governance.
OSFI recently conducted a thorough review of the Framework in light of these developments and the lessons learned from the application of the Framework over the last decade, and the updates made to the Framework are a result of this review. While the approach, principles and concepts contained in the Framework were not changed significantly, important enhancements were made. Specifically, the Framework now includes:
- specific references and linkages to the Basel and IAIS core principles;
- required assessment of liquidity for a FRI as a whole;
- that the responsibilities of a FRI's board of directors expressly include the approval of the FRI's overall risk appetite and oversight of corporate compensation systems and practices; and
- that the oversight function includes the actuarial function, in recognition of the actuarial function's important role in the oversight of risks in FRIs with insurance operations.
Background to the Framework
As OSFI noted, supervision involves assessing the safety and soundness of FRIs, providing feedback as appropriate and using regulatory powers for timely intervention when necessary. The primary goal is to safeguard depositors and policyholders from loss. Accordingly, the focus of supervisory work is determining the impact of current and potential future events, both internal to a FRI and from its external environment, on the risk profile of the FRI. The Framework's principles, concepts and core processes apply to all FRIs in Canada, regardless of their size. Since the Framework was first introduced in 1999, significant developments in the financial services industry have changed the nature of the risks faced by, and risk management practices of, financial institutions. For example, products have become more sophisticated, globalization has caused risks to become more systemic and certain financial institutions have experienced multiple and severe stresses to their solvency and liquidity. Meanwhile, international standards and requirements for supervising financial institutions have also been strengthened. In particular, OSFI has adopted the Basel "Core Principles for Effective Banking Supervision" and the IAIS "International core principles and methodology" as its sources for detailed supervisory standards and criteria. These methodologies, which specify international expectations for banking and insurance supervision, are applied by OSFI within the context of its mandate and the nature of the financial services industry in Canada.
OSFI's general approach is based on a number of foundations, including consolidated supervision, a designated relationship manager for each FRI, principles-based supervision, appropriate supervisory intensity and intervention, board and senior management accountability, risk tolerance which recognizes that FRIs can experience financial difficulties that could lead to their failure, and reliance on external auditors for the fairness of financial statements.
Primary Risk Assessment Concepts
The Framework utilizes a number of concepts to enable a common approach to risk management across FRIs and over time, including the fundamental risk assessment concept within the Framework, which is that of a "significant activity" (a line of business, unit or process that is fundamental to the FRI's business model and its ability to meet its overall business objectives). Under the Framework, the key inherent risks are assessed for each significant activity of the FRI. Inherent risk is the probability of a material loss due to exposure to, and uncertainty arising from, current and potential future events. OSFI uses six categories to assess inherent risk: credit risk; market risk; insurance risk; operational risk; regulatory compliance risk; and strategic risk. OSFI does not view reputational risk as a separate category of inherent risk; rather, it is viewed as a consequence of each of the six inherent risk categories and, accordingly, is an important consideration in the assessment of each inherent risk category. Based on the key inherent risks identified for a significant activity and their levels, OSFI then develops expectations for the quality of risk management. The greater the level of inherent risk, the more rigorous the day-to-day controls and oversight expected. State-of-the-art controls are expected where appropriate. OSFI then assesses the quality of risk management at the operational management level of control and at the level of oversight functions.
For each significant activity, a level of "net risk" is determined based on all of the key inherent risk ratings and the relevant quality of risk management ratings for each activity. From this, OSFI determines an "overall net risk" assessment, which is an evaluation of the potential adverse impact that the significant activities of the FRI collectively could have on the earning performance and adequacy of capital of the FRI, and hence on depositors or policyholders. OSFI also considers earnings, adequacy of capital and adequacy of liquidity.
A risk matrix is used to record the assessments and to develop a holistic view of the FRI. The process cumulates in the determination of the FRI's Composite Risk Rating (CRR), which is an assessment of the FRI's risk profile after considering the assessments of the FRI's earnings and capital in relation to overall net risk from significant activities, and the assessment of the FRI's liquidity. The CRR is OSFI's overall assessment of the safety and soundness of the FRI with respect to depositors and/or policyholders. CRR is rated as low, moderate, above average or high, and the direction of the CRR is also rated as decreasing, stable or increasing. OSFI uses the CRR in determining the appropriate stage of regulatory intervention, which is described in OSFI's publication "Guide to Intervention by OSFI for Federal Financial Institutions".
The Framework also includes an updated description of OSFI's core supervisory practices, and a number of appendices containing greater detail on the various risk categories and ratings.