Office of the Superintendent of Financial Institutions
Internal Audit conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada‟s (OSFI’s) risk management, control processes, and governance, as designed and represented by management, are adequate and functioning in a manner to ensure risks are appropriately identified and managed.
The audit of the Life Insurance Group - Conglomerates ('LIG - Conglomerates') was approved by the OSFI Audit Committee and the Superintendent for inclusion in the OSFI 2010-2011 Internal Audit Plan.
This report was presented to the OSFI Audit Committee and approved by the Superintendent on June 22, 2012. The Deputy Superintendent, Supervision Sector and the Life Insurance Group Senior Management, who have provided their management response within this report, have also reviewed it.
The objective of OSFI‟s supervisory process is to assess the safety and soundness of an institution on a consolidated basis, and to provide early warnings of issues to allow OSFI to intervene in a timely and effective manner where OSFI considers an institution‟s practices to be, or likely to become, imprudent or unsafe.
The Life Insurance Group is part of OSFI‟s Supervision Sector and is responsible for the supervision of all federally regulated life insurance and life reinsurance companies. LIG supports OSFI‟s mandate to protect policyholders from undue loss and to promote confidence in the financial system. The LIG - Conglomerates is the division that has responsibility for the supervision of the large Canadian life insurance conglomerate institutions.
LIG –Conglomerates supervises and monitors the safety and soundness of the life insurers by focusing on elements such as governance, risk management practices and controls, capital adequacy, proper accounting of assets and liabilities, and liquidity. The division‟s supervisory activities also include verifying and enforcing insurers‟ compliance with rules established by legislation and OSFI‟s regulatory framework.
OSFI has a single supervisory regime for both insurance and deposit taking institutions, irrespective of their size. OSFI uses a disciplined, risk-based methodology to supervise Federally Regulated Financial Institutions. OSFI‟s supervisory methodology ('Methodology') is described, at a high level, in the Supervisory Framework 2010, and in more detail in a number of Supervisory Guides, including templates. These documents provide the conceptual framework to support an effective supervisory process that all supervisory groups, including LIG - Conglomerates, must apply.
The audit examined whether OSFI‟s supervisory methodology was appropriately applied in assessing the safety and soundness of life insurance conglomerate institutions. The audit had the following sub-objectives:
The audit focused on the life insurance conglomerate institutions.
Recognizing that the supervisory process is a cumulative knowledge process and is continuously evolving, we selectively examined the supervisory work carried out by the LIG-Conglomerates‟ teams from April 2008 to December 2011 with a focus on the supervisory period from April 2009 to March 2010.
The audit was conducted in accordance with the Institute of Internal Auditors‟ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Policy on Internal Audit.
The approach to conducting the audit included:
Application of OSFI‟s Methodology on a large institution is complex and requires the use of a disciplined approach and the application of significant judgement by supervisory teams in conducting their assessments. Change initiatives were introduced to enhance LIG - Conglomerates‟ ability to support OSFI‟s mandate in supervising life insurance conglomerate institutions and intervene in a timely manner. These initiatives are directionally appropriate and have several positive aspects, notably enhancements to the group‟s structure and monitoring activities.
Effective implementation of OSFI‟s Methodology requires a thorough understanding of the principles of risk-based supervision and a consistent application of these principles. As a result, effective and timely quality control reviews play an important role in ensuring that supervisors‟ work is performed in accordance with OSFI‟s Methodology, and in identifying areas that need to be improved and/or where additional staff training and coaching may be required.
During our audit, we noted that LIG –Conglomerates‟ supervisory teams demonstrated a sound understanding of the business activities of the institutions. While supervisory teams understood the principles of risk-based supervision, we noted that quality control reviews require improvement to ensure OSFI‟s Methodology is consistently applied and that the logic and flow of the documentation clearly show how the supervisory teams‟ conclusions were reached and the ratings assigned. Management oversight needs to be strengthened to ensure that the quality control reviews are conducted at each step in the supervisory process and achieve their intended purpose.
Our observations and recommendations are detailed in Section 5 of this report.
We wish to recognize the excellent rapport and exchange of views with all involved in the audit. The depth of the review and focusing on what matters would not have been possible without the support received throughout the audit.
Line for Chief Audit Executive Signature_________________________________
Chief Audit Executive, IA
Line for Date_________________________________
This report has been reviewed by the Senior Director, Life Insurance Group, and the Managing Director, Life Insurance Group-Conglomerates, and the Deputy Superintendent, Supervision, who acknowledge its observations and recommendations.
The recommendations will support the Life Insurance Group - Conglomerates with its work to put in place the appropriate processing, reviews, approvals, and monitoring controls as needed.
We thank the audit team for their collaborative approach and detailed review of the supervisory work of the LIG – conglomerate teams. We are in agreement with the findings of the audit. We note that changes were made to the Supervisory Framework during the period the audit was conducted which resulted in changes in required documentation. We recognize all of those changes have not been fully implemented to date in our work. LIG continues to work with the Practices Division on additional guidance and training related to specific aspects of the Supervisory Framework of particular significance to the supervision of insurance institutions.
LIG is committed to addressing the recommendations outlined in this report. Since the end-date of the audit period, significant staffing changes, including the addition of new staff, have been made to the supervisory teams for the conglomerates. All new staff, including senior staff, have either already taken or will be taking the Supervisory Framework course and will be involved in the application of this framework and its associated guidance in the performance of their supervisory responsibilities.
OSFI‟s risk-based methodology requires supervisors to understand the institution‟s environment, industry and business profile in order to develop an inventory of the institution‟s significant activities. Supervisory teams need to make explicit decisions on the materiality / importance of each activity to the institution, based on both qualitative and quantitative factors. This process enables supervisors to set the proper context for assessing the risk profile of their institutions.
Once the institution‟s significant activities are identified, supervisors develop a Supervisory Strategy for the institution to ensure OSFI‟s assessment of the institution‟s risk profile remains current and that OSFI meets its “early intervention” mandate. Thus, the objective of a multi-year Supervisory Strategy is to achieve an appropriate level of ongoing coverage to support the assessment of the risk profile of the institution and facilitate an early identification of prudential issues. The Supervisory Strategy is the basis for the annual institution specific plan that outlines, in more detail, the anticipated supervisory resources required over the upcoming year.
IA reviewed the supervisory documentation prepared by the teams during the planning phase of the supervisory process, which summarize their knowledge of the institutions and respective multi-year supervisory strategy.
In general, supervisory teams followed OSFI‟s methodology as required. While there was good analytical information gathered in the supervisory documents we reviewed, IA noted the following:
The analysis of key environmental and industry risk factors needs to clearly demonstrate their relevance and potential impact to the institution‟s business activities and the linkage to the team‟s rationale for selecting a particular supervisory strategy, including the appropriateness of its short and longer-term risk focus and anticipated resource requirements.
The Supervisory Framework requires the assessment of key inherent risks and key controls, as they are the drivers of the supervisory work. Having identified the significant activities, supervisors assess the level of risk inherent in these activities and the quality of risk management to arrive at the Net Risk and the direction of risk for each activity. The risk assessment enables the supervisors to build expectations of the type and rigour of controls necessary to mitigate the risks inherent to the activity. Accordingly, the assessment of the quality of risk management involves a comparison of these expectations with what is in place at the institution.
The methodology also requires an assessment of the overall effectiveness (based on a combination of characteristics and performance indicators) of each of the institution‟s Risk Management Control Functions (RMCFs) or Oversight Functions, at the activity and the institution level. OSFI‟s objective in assessing the RMCFs is to determine the extent to which it can use their work (independent oversight) to ensure appropriate controls are in place and operating effectively at the activity level (Operational Management).
Once the Net Risk of all of the significant activities has been assessed, the „importance‟ of each activity is taken into account to arrive at the institution‟s Overall Net Risk. Once this is determined, the amount and quality of the institution‟s earnings, liquidity and capital are considered to arrive at the institution‟s Composite Risk Rating. These assessments are summarized and reported in Section Notes (SNs), the Risk Assessment Document (RAD) and on the Risk Matrix.
The Methodology also requires timely follow up of findings and recommendations reported to the institution and that any unresolved issues are escalated to the appropriate level of senior management.
IA reviewed the Section Notes and other supervisory documentation prepared by the teams during the execution, reporting and follow-up phases of the supervisory process, which summarize their analysis and assessments and a high level understanding of the institution‟s risk profile.
While teams generally followed OSFI‟s methodology to document their analysis and assessments of the significant activities and Oversight Functions, IA noted instances where:
Quality Control (QC) is a key component of the supervisory process and active oversight is required at each step in the supervisory process to ensure the work is carried out in an efficient and effective manner. The Supervisory Guide G19, “Review of Supervisory Work,” supports an effective execution of the quality control review process. The guide states (paragraph 1.2) that, “reviewing supervisory work is a key responsibility of Supervision management performed at each step in the supervisory process to:
In a rapidly changing and complex environment, LIG – Conglomerates requires staff with the relevant skills, knowledge, and experience to perform in-depth analyses and apply judgement within short timeframes on complex issues requiring specialized life insurance knowledge. As a result, the concept of continual training, development and coaching of staff should be embedded into LIG‟s quality control.
In our review of the supervisory work we were looking for evidence that LIG‟s quality control reviews were:
IA noted that quality control reviews of LIG‟s supervisory work were not always effective at ensuring that the quality of assessments contained in the supervisory documents clearly demonstrated the integration and linkages in the teams‟ facts and analyses supporting the conclusions reached and the ratings assigned. During the audit file review IA observed instances where:
In order to strengthen and reinforce knowledge and have consistent application of the supervisory methodology among all staff, an internal training program has been initiated in 2012. Bi-weekly staff meetings have been structured to discuss and learn how the supervisory methodology is applied in each conglomerate supervisory team through the various stages of the supervisory process. The planned sessions are intended to reinforce supervisory principles, process, documentation and quality control expectations. The Practices Division and other “risk experts” from within OSFI will be invited to provide guidance and training on individual modules of the internal program and also provide focused refresher training on supervisory risk assessment components as necessary.
Management recognizes the need to implement its vertical Quality Control responsibilities in a more uniform manner. Sign-offs on the documentation of supervisory work, as well as through the development of annual and mid-year plans, will be strengthened. Processes will be formalized and monitored to ensure the appropriate oversight of work within all three LIG-conglomerate teams as well as across the three teams. Specifically: