Audit of Supervisory Processes – Internationally Active Insurance Groups, Canada Mortgage and Housing Corporation

Publication type
Audit

    1. Background

    Overview

    OSFI regulates and supervises a number of federally regulated insurance companies as part of its mandate, which include a number of Internationally Active Insurance Groups (IAIGs), as well as the Canada Mortgage and Housing Corporation (CMHC).

    Defined by the International Association of Insurance Supervisors (IAIS) as large insurers with a significant global presence, IAIGs are subject to OSFI’s own supervisory standards, as well as the IAIS’ Common Framework.

    OSFI currently categorizes four institutions as IAIGs, composed of three life and one property & casualty insurance group: Canada Life Assurance Company (‘Canada Life’), Manufacturers Life Insurance Company (‘ManuLife’), Sun Life Assurance Company of Canada (‘SunLife’), and Intact Financial Corporation (‘Intact’).

    OSFI also supervises mortgage insurers as part of its mandate, which includes CMHC. While OSFI’s supervisory role over CMHC is narrower due to it being a Crown corporation, OSFI examines CMHC’s commercial programs and provides periodic reporting to its Board of Directors and relevant federal ministers.

    The supervision of IAIGs and CMHC is centralized within the Insurance & Pensions team, which is part of the Risk Assessment and Intervention Hub. Each IAIG and CMHC has a designated team responsible for supervisory work relevant to that institution. These teams are led by a Lead Supervisor (LS) who is ultimately responsible for the planning and execution of supervisory activities related to their designated institution. In performing their work, the LS may also seek support from specialized staff from the Risk Advisory Hub (RAH) or the Policy, Innovation, and Stakeholder Affairs Sector (PISA).

    Supervisory activities

    The supervision of both IAIGs and CMHC follows a risk-based approach, and includes the following components:

    • Annual planning consists of the preparation of Supervisory Strategies which outline the supervisory work planned for the next three years.
    • Monitoring refers to the regular review of information on the FRFI and its industry and environment, generally performed quarterly. Enhanced monitoring includes ad-hoc information requests beyond regular monitoring on additional risks.
    • Reviews are targeted supervisory activities which focus on a specific area within the FRFI, such as a risk component, a significant activity, or a subsidiary. The supervisory work conducted for a review is typically more in-depth and includes both inherent risk assessments and the assessment of quality risk management programs.
    • Reporting and intervention includes both routine and non-routine communication to FRFIs, such as the annual supervisory letters, interim letters, and staging or de-staging communications.
    • Issues management is how OSFI monitors and follows up on issues identified through supervisory activities to monitor their remediation by FRFIs and ensure risks are addressed in a timely manner.

    Previous audit engagements

    The Internal Audit (IA) group has previously conducted audits of the Mortgage Insurance Group (2016) and the Life Insurance Group – Conglomerates team (2012), which preceded IAIGs. Recommendations issued focused on stakeholder communication, information management, strengthening quality reviews, and employing a risk-based approach. All recommendations have since been closed.

    2. About the audit

    2.1 Objective

    To assess the adequacy and effectiveness of controls related to OSFI’s supervisory processes of Internationally Active Insurance Groups (IAIG) and the Canada Mortgage and Housing Corporation (CMHC).

    2.2 Scope

    The audit covered IAIG and CMHC supervisory activities conducted between April 1, 2020 and July 31, 2022, and focused on an assessment of the following:

    • The design and operating effectiveness of key supervisory processes for IAIGs, including those related to the planning, execution, and outcomes of supervisory work.
    • The design and operating effectiveness of key supervisory processes for CMHC, including those related to the planning, execution, and outcomes of supervisory work.
    • Compliance with applicable supervisory framework, standards, and policies.

    2.3 Approach and methodology

    There has been a significant degree of change in this area, which includes the OSFI-wide restructuring, a shift from the conglomerate model to the IAIG classification, and the adoption of IAIS frameworks. Combined with not having a Quality Assurance program or audit coverage in this area over the past five years, this audit was undertaken to help provide an independent assessment of the effectiveness of supervisory processes to management.

    Activities undertaken during the audit included document reviews, interviews, process walkthroughs, and sample testing of files. Sample testing focused on IAIG and CMHC activities performed throughout the scope of the audit; however, Intact was not included in file testing because the recency of its classification as an IAIG resulted in insufficient activities in scope.

    2.4 Statement of conformance

    This audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the TB’s Policy on Internal Audit, and as supported by the results of the Quality Assurance and Improvement Program.

    3. Overview of audit results

    3.1 Summary of results

    Supervisory processes over IAIGs and CMHC were carried out in accordance with the principles set out in the Supervisory Framework, as well as related guidelines. Supervisory processes were supported by established training and guidance, and well-defined approval roles for key steps. Recommendations for improvement include enhancing alignment with internal stakeholders, integrating the resource planning process, developing operational guidance, and enhancing reporting.

    Since the scope of the audit period, there have been significant changes within the Supervisory sector, including the Blueprint transformation and the Supervisory Framework Renewal project. As a result of these changes, many processes have undergone review and may not exist as they did during the audit scope. The results of this audit can provide management additional information on process issues and support changes where they are already underway.

    3.2 Management response

    Management accepts the findings and has identified Management Action Plans with associated timelines for each recommendation as outlined in the relevant sections.

    4. Observations and recommendations

    4.1 Resource planning

    While the resource planning processes are thorough and incorporate input from several stakeholders, they can be enhanced by adopting a more agile and integrative approach.

     

    The annual planning process establishes supervisory work for the upcoming year and includes a risk-based estimate of the overall resources required to meet the sector objectives. It consists of planning for FRFI-specific work (e.g. reviews, monitoring, issues follow-up), as well as non-FRFI specific work (e.g. OSFI projects, sector initiatives). Based on the risks identified in the planning phase, LSs may engage with specialist teams for specialized risk support (e.g. credit risk, technology risk).

    As part of the IAIG supervisory strategy development and annual planning, each LS team undertakes a resource planning exercise to determine what supervisory activities to undertake during the upcoming fiscal year. The process is composed of two major components: initial resource planning and prioritization, and a specialist resource allocation, before the development of the final resource plan and supervisory strategy.

    CMHC develops their supervisory strategy as part of a group plan for mortgage insurance supervision, although the key steps followed are similar to the IAIG planning process.

    Resource allocation

    The initial resource planning process for each FRFI occurs within the LS teams and is driven by the annual risk assessment. Based on the risks and priorities identified, LS teams develop a listing of proposed supervisory activities, which include reviews and monitoring work, and identifying relevant resource requirements.

    While the existing resource planning processes are risk driven and enable incorporation of various planning elements, they do not effectively enable responsiveness to changes in the risk environment. This is due to a lack of mechanisms to provide information that enables LSs to re-assess initial resource plans and make adjustments, such as measuring resource utilization on an on-going basis. As a result, resourcing decisions rely on point-in-time information that was available during initial planning, which may have occurred up to 18 months ago for supervisory work performed late in the year.

    Without being able to continuously incorporate new risk information into resourcing plans, LSs may be limited in how effectively and quickly they can respond to risk changes. For example, both COVID-19 and the Blueprint transformation required significant supervisory strategy changes, but without the ability to calculate and compare resource utilization, there is a risk that there was insufficient information to assess if supervision strategy shifts were efficiently implemented.

    Alignment with other sectors

    Following the initial project identification and prioritization, the LS teams also identify which projects may require specialist resources. This is generally driven by the nature of the project and subject matter expertise required to carry out the supervisory activity. Projects requiring specialist resources are grouped into one consolidated list across the Insurance & Pensions area, and this list is submitted to the specialist teams, who then identify whether resources are available, and what projects should be allocated resources.

    While the established planning process does allow the different specialist teams to offer input and feedback into the resource allocation process, the planning processes followed by the specialist teams and the Insurance & Pensions teams are not currently aligned. Each area may follow different timelines for their planning process, which can result in delays, as well as inadequate resources to support the delivery of risk-based supervision activities.

    While the Supervision sector is currently working on changing its resource planning and prioritization model to improve alignment with the specialist teams, work remained in progress during the scope of the audit.

    Due to the lack of process alignment and layers of internal approvals, it currently takes an average of six months between the submission of a specialist resource request to the final approval of the planning strategy. Extended planning can create an administrative resource burden and may reduce the ability for plans to be agile and adapt to emerging and changing risks.

    Recommendation 1 (Medium Risk)

    Management should develop a consolidated process that streamlines resource planning and enables continuous consideration of evolving and emerging risks.

    4.2 Integration of risk perspectives

    The existing collaborative efforts between the specialist and LS teams can be enhanced through enabling more consistent interpretation of risk assessment and prioritization ratings.

     

    As outlined above, LS teams often seek support from specialist teams within OSFI to provide specialized risk expertise. Specialist teams are involved in supervisory activities throughout the lifecycle, including annual planning, monitoring activities, and in the performance of reviews.

    While the LS teams have FRFI-specific knowledge and context, the specialist teams are risk experts with a macroenvironmental risk perspective for their respective risk area. These risk areas include financial risks (e.g. actuarial risk, liquidity risk), and non-financial risks (e.g. operational risk, technological risk).

    Annual planning

    When LS teams submit their list of proposed projects to specialist teams for resource planning, there are multiple decision-making models used to determine which projects will be prioritized. There is currently no defined guidance on incorporating both LS and specialist group prioritization for resource planning. Instead, specialist resourcing can be driven by either a decision model based on the LSs’ prioritization of projects, or by a dual prioritization by both the LS and specialist teams.

    The audit found that there was a lack of integration in project prioritization and planning between specialist and LS teams regardless of the decision-making model utilized. When only LSs’ prioritizations were used, specialist knowledge of macro-environmental risks and trends could not be incorporated. Comparatively, in the dual prioritization system, if the LS and specialist teams do not use a consistent risk perspective, the dual prioritizations may be too polarized to be effectively incorporated into one prioritized list.

    Misalignment between the LS and specialist teams on risks may result in prioritizations that do not adequately balance the consideration of industry risk trends and FRFI-specific risks. This can lead to key supervisory activities not being adequately resourced, ultimately reducing OSFI’s ability to perform risk-based supervisory work.

    Reviews

    Specialist teams also play a significant role in the execution of supervisory reviews, with just over 50% (26 of 50) of planned reviews during the audit scope leveraging specialist resources. The extent of specialists’ involvement in reviews can vary from leading the performance of a review to assessing only a specific risk component.

    Generally, each specialist team develops their own draft rating informed by their analysis of specific processes or risk components, which is then presented for review and sign off by the LS. Therefore, the rating process is reliant on both teams being able to integrate their knowledge to determine a consensus rating that reflects both risk perspectives.

    However, there was a lack of alignment and defined collaboration when determining risk ratings. Each LS and specialist team had their own approach to collaboration, and different levels of interaction during reviews. Moreover, guidance on integrating different risk perspectives was not available to facilitate risk alignment when executing supervisory reviews.

    Consequently, this may lead to misalignment between LS and specialist teams on the appropriate FRFI ratings to utilize for the period. In certain instances, it may result in adjustments to other risk components or areas to mitigate the impact of specialist ratings received.

    Given the significance of both the LS and specialist team’s risk perspectives in determining the overall FRFI rating, the lack of guidance to integrate both teams’ perspectives may lead to risk assessments that do not effectively represent a FRFI’s risk profile.

    Recommendation 2 (High Risk)

    Management should develop risk assessment guidance that enables the effective integration of both FRFI and industry-level perspectives when performing risk assessments.

    4.3 Operational guidance

    Although the Supervisory Framework and technical guidance are well-established, the consistency of implementation can be enhanced through the development and implementation of operational and process-level guidance.

     

    The Supervisory Framework provides the principles-based approach that should be followed for all supervisory activities across OSFI and is supplemented by technical guidance for the interpretation of specific requirements and elements.

    Consistency of supervisory activities

    Each LS team executes a number of supervisory processes, including issuing annual supervisory letters, performing reviews and quarterly monitoring, and developing FRFI risk assessments. The outcomes from these activities inform the supervisory approach for that FI, and may also be integrated into group planning for similar areas such as IAIGs.

    While the type of supervisory activities performed across the LS teams are consistent, the audit found that process design and implementation varied significantly due to the lack of operational process level guidance. This included consistency of processes within the same IAIG teams over time, as well as the quality and extent of documentation established to support processes.

    A correlation between the extent of resource turnover and the consistency and adequacy of documentation for supervisory activity was noted. Generally, LS teams with lower turnover demonstrated well-developed processes for supervisory activities that were consistently implemented and supported by documentation.

    As an example, one IAIG LS team, with low turnover, developed formalized process guidance and designed innovative processes for reviews. Comparatively, other IAIG teams that had experienced a higher degree of staff turnover had limited defined processes, guidance or consistency in documentation of work.

    These differences are further magnified by the lack of mechanisms for information sharing between IAIG LS groups, such as industry standards and best practices. While information sharing did occur informally in some circumstances, these were driven by specific individuals and targeted to specific activities, such as the onboarding of a new IAIG team.

    Without defined processes and operational guidance across all IAIG teams, supervisory processes may vary even when the risks informing supervisory activities are consistent. This may reduce the comparability of IAIGs when performing industry monitoring and may also impact FRFI relationships if they are supervised inconsistently.

    Recommendation 3 (High Risk)

    Management should establish operational guidance for the design and implementation of key supervisory processes to support consistency for the IAIG teams.

    File & document management

    Since its implementation in 2020, Vu has been indicated to be the system of record for supervisory activities. Prior to its implementation, files were retained in eSpace with different elements of the supervisory process (such as supervisory plans or ratings) recorded in various systems. As modules, including risk assessments, planning, and issues management were rolled out at different points, the audit evaluated files based on the requirements in place at the time the supervisory activities were executed.

    Generally, reviews and other supervisory activities were captured in Vu, and letters were generated and issued through the system. However, there were no minimum requirements for file management, and existing practices were inconsistent and varied significantly between LS teams. In some instances, document management practices within the same team also varied, especially when there was increased turnover.

    In multiple instances across all IAIGs and CMHC, documents could not be easily accessed or traced to establish a link between the analysis recorded in Vu and the supporting documentation maintained in eSpace. Additionally, inconsistent document standards between LS and specialist teams may result in LS teams not being able to find documents, which can limit their ability to leverage documents for future work.

    Without an established document or file management standard for recording supervisory activities, LS teams may not be able to demonstrate that supervision decisions are supported by evidence. These inconsistencies also limit the effectiveness of decision-making which relies on the information captured.

    Recommendation 4 (Medium Risk)

    Management should establish documentation and file management standards to ensure all supervisory activities are adequately documented, and ensure these standards are regularly updated.

    Issues management

    During supervisory work, LS teams often identify issues that require remediation by FRFIs. These are communicated to FRFIs as part of interim supervisory letters, and an action plan is required to be established by the FRFI to address the finding. Subsequently, LS teams follow up to ensure action plans are implemented in a satisfactory manner.

    The Issues Management Standard provides guidance on the follow-up process, including classification of findings, the types of closure mechanisms available, and communication expectations relating to recommendations. While this standard provides conceptual guidance for issues management, it does not establish operational guidelines or expectations in how follow-up should be executed. As a result, there was a high degree of variation in how issues management and follow up were conducted.

    A key issue noted was that there are no defined expectations for monitoring and assessing issue closures, which resulted in a lack of timely assessment of evidence and outdated records in Vu for some issues due to be closed. Assessment times after submission of final closure evidence ranged from 4 days to 177 days, with an average of just over 50 days. In one review, there was no evidence that any follow up activity had been performed, despite the target completion for the item being in December 2021.

    Moreover, while the Issues Management Standard requires the assessment of action plans for adequacy, there are no expectations for how this should be documented and retained. As a result, most files did not have documented evidence of the assessment of action plans.

    Without timely and proactive follow up, there is a risk that issues will not be remediated effectively, resulting in a prolonged risk exposure to FRFIs. These findings are consistent with those observed in the Audit of Supervisory Processes – Systemically Important Banks (SIBs) and the relevant recommendations (Recommendations 3 and 4) raised in this area will apply across the Supervision Sector.

    4.4 Reporting and monitoring

    There are some defined reporting mechanisms in place; however, they are not timely and targeted. Overall reporting can be enhanced through better leveraging of the reporting functionality in Vu.

     

    There are defined reporting mechanisms in place, which include semi-annual reporting on the Suite of Supervisory Metrics by a centralized team within Supervision Methods, Standards, and Controls. These reports are aggregated across the Supervision Sector and are presented to the Executive Committee to enable executive oversight and monitoring over supervisory activities.

    In addition, defined escalation and approval mechanisms exist for staged and watchlisted institutions, which trigger reporting to a higher level of management for key supervisory actions. Typically, the majority of approvals for FRFI-related supervisory activities are conducted by the LS. For IAIGs, escalated approvals are directed to the Senior Director (SD) level and above, while escalated approvals for CMHC are directed to the Managing Director (MD) level and above.

    While defined reporting and escalation mechanisms have been established, their current design does not enable them to support agile and proactive oversight. Current reporting is either aggregated, which means data cannot be leveraged at MD and SD levels effectively, or is focused on staged institutions, which are already subject to enhanced monitoring and oversight.

    Although there are no OSFI-wide tools developed, the Insurance & Pensions team has established formal practices, through self-developed customized reporting and dashboards for use by the Senior Director. These reports include measures to monitor both in-progress and completed supervisory activities, to anticipate those that are coming due or are ready for review and approval.

    Through building reporting capabilities directly into Vu, management can monitor ‘live’ data, which is the most effective tool for monitoring emerging and changing risks. Additionally, it allows for reports to be manipulated and generated in various categories, which enables broader oversight across both individual FRFIs and trends across similar FRFI groups (such as IAIGs).

    Without standardized and timely reporting and monitoring tools available across the LS teams to be leveraged by different levels of management across OSFI, management may not have the necessary information to support decision-making in a quickly evolving risk landscape. This is especially relevant to the monitoring of institutions before the risk level rises enough to warrant watchlisting or staging the FRFI.

    Recommendation 5 (Low Risk)

    Management should establish standardized reports and dashboards in Vu, which incorporate key supervisory processes, and enable on-going monitoring at different levels of management.

    Appendix A – Recommendation ratings

    Recommendations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

    Recommendations are ranked according to the following definitions:

    • High Risk: should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.
    • Medium Risk: a control weakness or operational improvement that should be addressed in the near term.
    • Low Risk: non-critical recommendation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.

    Individual ratings should not be considered in isolation, and their effect on other objectives should be considered.