Internal Audit Report on Life Insurance Group - Conglomerates

Document Properties

  • Type of Publication: Audit
  • Date: June 2012

1. Background

Introduction

Internal Audit conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada‟s (OSFI’s) risk management, control processes, and governance, as designed and represented by management, are adequate and functioning in a manner to ensure risks are appropriately identified and managed.

The audit of the Life Insurance Group - Conglomerates ('LIG - Conglomerates') was approved by the OSFI Audit Committee and the Superintendent for inclusion in the OSFI 2010-2011 Internal Audit Plan.

This report was presented to the OSFI Audit Committee and approved by the Superintendent on June 22, 2012. The Deputy Superintendent, Supervision Sector and the Life Insurance Group Senior Management, who have provided their management response within this report, have also reviewed it.

Context

The objective of OSFI‟s supervisory process is to assess the safety and soundness of an institution on a consolidated basis, and to provide early warnings of issues to allow OSFI to intervene in a timely and effective manner where OSFI considers an institution‟s practices to be, or likely to become, imprudent or unsafe.

The Life Insurance Group is part of OSFI‟s Supervision Sector and is responsible for the supervision of all federally regulated life insurance and life reinsurance companies. LIG supports OSFI‟s mandate to protect policyholders from undue loss and to promote confidence in the financial system. The LIG - Conglomerates is the division that has responsibility for the supervision of the large Canadian life insurance conglomerate institutions.

LIG –Conglomerates supervises and monitors the safety and soundness of the life insurers by focusing on elements such as governance, risk management practices and controls, capital adequacy, proper accounting of assets and liabilities, and liquidity. The division‟s supervisory activities also include verifying and enforcing insurers‟ compliance with rules established by legislation and OSFI‟s regulatory framework.

OSFI has a single supervisory regime for both insurance and deposit taking institutions, irrespective of their size. OSFI uses a disciplined, risk-based methodology to supervise Federally Regulated Financial Institutions. OSFI‟s supervisory methodology ('Methodology') is described, at a high level, in the Supervisory Framework 2010, and in more detail in a number of Supervisory Guides, including templates. These documents provide the conceptual framework to support an effective supervisory process that all supervisory groups, including LIG - Conglomerates, must apply.

2. Audit Objective, Scope and Approach

Audit Objectives

The audit examined whether OSFI‟s supervisory methodology was appropriately applied in assessing the safety and soundness of life insurance conglomerate institutions. The audit had the following sub-objectives:

  1. To determine whether the supervision of the institutions demonstrated a risk-based approach;
  2. To determine whether sufficient and relevant evidential matter was available to support the supervisory risk assessments; and
  3. To determine whether quality control reviews were effective at detecting work quality issues and ensuring that OSFI‟s methodology was consistently applied as intended.

Audit Scope

The audit focused on the life insurance conglomerate institutions.

Recognizing that the supervisory process is a cumulative knowledge process and is continuously evolving, we selectively examined the supervisory work carried out by the LIG-Conglomerates‟ teams from April 2008 to December 2011 with a focus on the supervisory period from April 2009 to March 2010.

Audit Approach

The audit was conducted in accordance with the Institute of Internal Auditors‟ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Policy on Internal Audit.

The approach to conducting the audit included:

  • A review of OSFI‟s supervisory framework and related guides to update our understanding of its requirements.
  • Discussions with LIG-Conglomerates‟ supervisory teams to facilitate our understanding of the supervisory process (i.e. planning, execution, reporting and follow-up phases) and practices in place.
  • For each of the conglomerates, we selectively examined key supervisory documentation prepared by the teams and assessed the teams‟ application of OSFI‟s Supervisory Framework and Guides.

3.  Conclusion

Conclusion

Application of OSFI‟s Methodology on a large institution is complex and requires the use of a disciplined approach and the application of significant judgement by supervisory teams in conducting their assessments. Change initiatives were introduced to enhance LIG - Conglomerates‟ ability to support OSFI‟s mandate in supervising life insurance conglomerate institutions and intervene in a timely manner. These initiatives are directionally appropriate and have several positive aspects, notably enhancements to the group‟s structure and monitoring activities.

Effective implementation of OSFI‟s Methodology requires a thorough understanding of the principles of risk-based supervision and a consistent application of these principles. As a result, effective and timely quality control reviews play an important role in ensuring that supervisors‟ work is performed in accordance with OSFI‟s Methodology, and in identifying areas that need to be improved and/or where additional staff training and coaching may be required.

During our audit, we noted that LIG –Conglomerates‟ supervisory teams demonstrated a sound understanding of the business activities of the institutions. While supervisory teams understood the principles of risk-based supervision, we noted that quality control reviews require improvement to ensure OSFI‟s Methodology is consistently applied and that the logic and flow of the documentation clearly show how the supervisory teams‟ conclusions were reached and the ratings assigned. Management oversight needs to be strengthened to ensure that the quality control reviews are conducted at each step in the supervisory process and achieve their intended purpose.

Our observations and recommendations are detailed in Section 5 of this report.

We wish to recognize the excellent rapport and exchange of views with all involved in the audit. The depth of the review and focusing on what matters would not have been possible without the support received throughout the audit.

Line for Chief Audit Executive Signature_________________________________
Chief Audit Executive, IA

Line for Date_________________________________
Date

4. Management Response

Overview

This report has been reviewed by the Senior Director, Life Insurance Group, and the Managing Director, Life Insurance Group-Conglomerates, and the Deputy Superintendent, Supervision, who acknowledge its observations and recommendations.

The recommendations will support the Life Insurance Group - Conglomerates with its work to put in place the appropriate processing, reviews, approvals, and monitoring controls as needed.

Management Response / Comments

We thank the audit team for their collaborative approach and detailed review of the supervisory work of the LIG – conglomerate teams. We are in agreement with the findings of the audit. We note that changes were made to the Supervisory Framework during the period the audit was conducted which resulted in changes in required documentation. We recognize all of those changes have not been fully implemented to date in our work. LIG continues to work with the Practices Division on additional guidance and training related to specific aspects of the Supervisory Framework of particular significance to the supervision of insurance institutions.

LIG is committed to addressing the recommendations outlined in this report. Since the end-date of the audit period, significant staffing changes, including the addition of new staff, have been made to the supervisory teams for the conglomerates. All new staff, including senior staff, have either already taken or will be taking the Supervisory Framework course and will be involved in the application of this framework and its associated guidance in the performance of their supervisory responsibilities.

5. Observations and Recommendations

What we examined
5.1 Risk-based Supervision of Life Conglomerate Institutions

OSFI‟s risk-based methodology requires supervisors to understand the institution‟s environment, industry and business profile in order to develop an inventory of the institution‟s significant activities. Supervisory teams need to make explicit decisions on the materiality / importance of each activity to the institution, based on both qualitative and quantitative factors. This process enables supervisors to set the proper context for assessing the risk profile of their institutions.

Once the institution‟s significant activities are identified, supervisors develop a Supervisory Strategy for the institution to ensure OSFI‟s assessment of the institution‟s risk profile remains current and that OSFI meets its “early intervention” mandate. Thus, the objective of a multi-year Supervisory Strategy is to achieve an appropriate level of ongoing coverage to support the assessment of the risk profile of the institution and facilitate an early identification of prudential issues. The Supervisory Strategy is the basis for the annual institution specific plan that outlines, in more detail, the anticipated supervisory resources required over the upcoming year.

IA reviewed the supervisory documentation prepared by the teams during the planning phase of the supervisory process, which summarize their knowledge of the institutions and respective multi-year supervisory strategy.

What we found

In general, supervisory teams followed OSFI‟s methodology as required. While there was good analytical information gathered in the supervisory documents we reviewed, IA noted the following:

  • The analysis of key environmental and industry risk factors, their potential impact, and linkages to the institution‟s business profile did not always clearly demonstrate the supervisory teams‟ risk-based thinking and rationale.
  • Supervisory Strategy documents indicated that:
    • “Coverage cycle based on last time reviewed” was the key driver in determining future supervisory work. The need for updated information and/or validation of the institution‟s risk profile, while good determining factors for planning, they are not necessarily risk-based. We noted instances where the appropriate priority may not have been given to reviewing the higher net risk activities.
    • The materiality/importance of each activity to the institution was primarily determined based on quantitative factors, and did not always include qualitative factors; and
    • The risk focus of areas planned for review in the short and long- term, and specific supervisory concerns to be addressed, and skill requirements, were not always specified.

Recommendation:

The analysis of key environmental and industry risk factors needs to clearly demonstrate their relevance and potential impact to the institution‟s business activities and the linkage to the team‟s rationale for selecting a particular supervisory strategy, including the appropriateness of its short and longer-term risk focus and anticipated resource requirements.

What we examined
5.2 Supervisory Risk Assessments: Execution, Reporting and Follow-up

The Supervisory Framework requires the assessment of key inherent risks and key controls, as they are the drivers of the supervisory work. Having identified the significant activities, supervisors assess the level of risk inherent in these activities and the quality of risk management to arrive at the Net Risk and the direction of risk for each activity. The risk assessment enables the supervisors to build expectations of the type and rigour of controls necessary to mitigate the risks inherent to the activity. Accordingly, the assessment of the quality of risk management involves a comparison of these expectations with what is in place at the institution.

The methodology also requires an assessment of the overall effectiveness (based on a combination of characteristics and performance indicators) of each of the institution‟s Risk Management Control Functions (RMCFs) or Oversight Functions, at the activity and the institution level. OSFI‟s objective in assessing the RMCFs is to determine the extent to which it can use their work (independent oversight) to ensure appropriate controls are in place and operating effectively at the activity level (Operational Management).

Once the Net Risk of all of the significant activities has been assessed, the „importance‟ of each activity is taken into account to arrive at the institution‟s Overall Net Risk. Once this is determined, the amount and quality of the institution‟s earnings, liquidity and capital are considered to arrive at the institution‟s Composite Risk Rating. These assessments are summarized and reported in Section Notes (SNs), the Risk Assessment Document (RAD) and on the Risk Matrix.

The Methodology also requires timely follow up of findings and recommendations reported to the institution and that any unresolved issues are escalated to the appropriate level of senior management.

IA reviewed the Section Notes and other supervisory documentation prepared by the teams during the execution, reporting and follow-up phases of the supervisory process, which summarize their analysis and assessments and a high level understanding of the institution‟s risk profile.

What we found

While teams generally followed OSFI‟s methodology to document their analysis and assessments of the significant activities and Oversight Functions, IA noted instances where:

  • All inherent risk categories had been rated for each significant activity, rather than for just the key inherent risks. Rating all risk categories may dilute the focus from the key inherent risks and result in an inefficient use of OSFI‟s resources.
  • The analysis and rationale to support the key inherent risk ratings was not always transparent.
  • The linkages between the key inherent risks and how the key controls effectively mitigated the identified risks were not always clearly established.
  • The assessments of the Oversight functions were, in general, based on an assessment of characteristics with minimal performance indicators. It was unclear at times how results of the work undertaken by the Oversight Functions had been used in completing the supervisory work and/or integrated into the supervisory assessment.
  • Although supervisors tracked OSFI‟s recommendation reported to the institutions in the Follow-up Document, the process to ensure OSFI‟s recommendations are properly implemented and periodically evaluated for their adequacy, effectiveness and timeliness, is unclear and not fully integrated with the supervisory process.

Recommendations:

  • Section notes should contain sufficient information to support the basis for conclusions reached, ratings assigned and actions taken. In particular, the section notes need to support the analysis of the institution‟s significant activity key inherent risks, key controls, and factors that increase or decrease the level and direction of net risk.
  • The assessments of day-to-day controls (Operational Management) and independent oversight (RMCFs) needs to clearly demonstrate how the institution‟s controls effectively mitigated the identified key inherent risks of the activity.
  • The assessment of the effectiveness of Oversight Functions needs to be based on both characteristics and performance indicators.
  • The follow-up process should be formally established, including guidance, to ensure management actions from OSFI‟s recommendations are properly monitored for timely and effective resolution.

What we examined
5.3 Quality Control Reviews

Quality Control (QC) is a key component of the supervisory process and active oversight is required at each step in the supervisory process to ensure the work is carried out in an efficient and effective manner. The Supervisory Guide G19, “Review of Supervisory Work,” supports an effective execution of the quality control review process. The guide states (paragraph 1.2) that, “reviewing supervisory work is a key responsibility of Supervision management performed at each step in the supervisory process to:

  • Ensure the consistent application of OSFI’s supervisory methodology,
  • Mitigate OSFI’s supervisory risk, and
  • Develop supervisory staff.”

In a rapidly changing and complex environment, LIG – Conglomerates requires staff with the relevant skills, knowledge, and experience to perform in-depth analyses and apply judgement within short timeframes on complex issues requiring specialized life insurance knowledge. As a result, the concept of continual training, development and coaching of staff should be embedded into LIG‟s quality control.

In our review of the supervisory work we were looking for evidence that LIG‟s quality control reviews were:

  • effective at detecting work quality issues from the development of the institution‟s business profile to the issuance of the Management Letter to the institution,
  • detecting variations in staff interpretation and in the application of OSFI‟s methodology as opportunities to develop and coach staff, and
  • compliant with the guide requirements.

What we found

IA noted that quality control reviews of LIG‟s supervisory work were not always effective at ensuring that the quality of assessments contained in the supervisory documents clearly demonstrated the integration and linkages in the teams‟ facts and analyses supporting the conclusions reached and the ratings assigned. During the audit file review IA observed instances where:

  • The “one-up” line reviews did not always have the required rigour. We noted that questions raised were, for the most part, of an administrative nature. There were questions IA would have expected to be raised during the quality control review, but were not.
  • Although quality control reviews of supervisory documents were usually conducted:
    • They did not always comply with the requirements of the applicable guide, that is, were not done at each step in the supervisory process; did not always use the prescribed template; were not always reviewed and signed-off by the appropriate level of management.
    • They were often not timely, in part due to more aggressive external reporting timeframes that did not follow the standard set out in supervisory guide G8, Management Reporting.
    • Supervisory guidance was minimal for some key supervisory documents, e.g. the Risk Assessment Document.

Recommendations:

  • The requirements of the guide G19 should be fully implemented to ensure that quality control reviews are conducted in a timely and effective manner by the appropriate level of management (LIG‟s and Support Groups).
  • Training should be done to promote a common understanding of what supervisory documents/files should contain to ensure a quality work product. Enhanced guidance may be warranted.
  • LIG should consider having the “Practices Division” provide training on new and/or previously introduced supervisory guides to promote awareness and address areas where the supervisory methodology is not being applied as intended, e.g., the assessment of the performance of RMCFs.

6. Management Action Plan

Management Action Plan

In order to strengthen and reinforce knowledge and have consistent application of the supervisory methodology among all staff, an internal training program has been initiated in 2012. Bi-weekly staff meetings have been structured to discuss and learn how the supervisory methodology is applied in each conglomerate supervisory team through the various stages of the supervisory process. The planned sessions are intended to reinforce supervisory principles, process, documentation and quality control expectations. The Practices Division and other “risk experts” from within OSFI will be invited to provide guidance and training on individual modules of the internal program and also provide focused refresher training on supervisory risk assessment components as necessary.

Management recognizes the need to implement its vertical Quality Control responsibilities in a more uniform manner. Sign-offs on the documentation of supervisory work, as well as through the development of annual and mid-year plans, will be strengthened. Processes will be formalized and monitored to ensure the appropriate oversight of work within all three LIG-conglomerate teams as well as across the three teams. Specifically:

  1. Supervisory Strategies and related annual plans for 2012-13 and 2013-14 will be signed off by Managing Director, Conglomerates and Senior Director, LIG and will be subject to a quarterly review for continued appropriateness through 2013-14.
  2. Independent review of 2013-14 plans (and supporting supervisory documents) will be performed by:
    1. LIG Director, Operations (Q3 2012-13 and Q1 2013-14)
    2. Supervisory Practices (Q3 2012-13 and Q1 2013-14)
    3. Supervision Quality Assurance Function (Q3 2012-13 and Q1 2013-14)
  3. Independent reviews of supervisory work and related management oversight (on a sample basis through 2012-13 and 2013-14) will be performed within LIG by Director, Operations with support from Supervisory Practices and Supervision Quality Assurance Advisor as required.
  4. Supervision Quality Assurance Function will assess (on a sample basis) work completed in 2012-13 for compliance with supervisory guidance on Review of Supervisory Work in Q4 2012-13.