Re-calibrating Risk Management

August 31, 2011 | Last updated on October 1, 2024
Robert McDowell|Koker Christensen

Robert McDowell, Financial Institutions and Services Group, Fasken Martineau DuMoulin LLP; and Koker Christensen, Financial Institutions and Services Group, Fasken Martineau DuMoulin LLP

The financial crisis revealed many financial institutions around the world did not fully appreciate the risks to which they were exposed. The Senior Supervisors Group, which includes the Office of the Superintendent of Financial Institutions (Canada) (OSFI) and supervisors from other countries, believes one of the deficiencies that contributed to, or was revealed by, the financial and banking crisis of 2008 was “the failure of some boards of directors and senior managers to establish, measure and adhere to a level of risk acceptable to the firm.”1

Part of the fallout from the financial crisis has been an increased focus on risk management. While the financial crisis was primarily a banking crisis, the increased focus on risk management also has significant implications for insurers. This article provides an overview of key risk management developments, with a particular focus on what insurers should be doing to identify and manage risk properly, and related expectations regarding compensation.

Background: Risk Management in Canada

OSFI’s current approach to risk management emerged in 1999 with the release of the Supervisory Framework. The general approach set out in the Supervisory Framework is that boards of directors and management of federally regulated financial institutions are responsible for identifying and managing the risks faced by their institutions. OSFI’s role is to oversee how well institutions manage their risks. At the time, the original Supervisory Framework represented a significant shift in responsibility for risk management from OSFI to institutions themselves.

OSFI updated the Supervisory Framework in December 2010. The fundamental approach of the Supervisory Framework remains focused on risk assessment, which is described as “the fundamental work activity of supervision.” But OSFI further articulates its risk management expectations in its guidelines, which address a wide variety of risks – including governance, outsourcing, money laundering and terrorist financing, reinsurance, legislative compliance, capital management and stress-testing (the latter of which itself addresses risk identification).

Key Developments in Risk Management

Identifying risks

In order to manage risks, one must first identify them. Emerging views on risk management emphasize the need to have structured processes in place to identify emerging risks, to consider the interconnectedness of various risks and to consider the impact of the occurrence of various risk scenarios.

Numerous organizations and sources can be helpful in identifying risks. These include the International Association of Insurance Supervisors, the World Economic Forum, the Financial Stability Board, the Global Risk Institute, Basel III (e.g., risk weighting of different assets, products and lines of business), risks identified in prospectuses and other public company filings, DCATs, work of auditors in connection with the annual audit of a company and analyses of causes of the last crisis (which include insufficient capital, liquidity and risk management).

As an example of current perspectives on risk identification, a recent workshop sponsored by the Global Risk Institute identified five broad categories or groupings of risk issues: (1) governance, culture and agency risk; (2) public policy and regulatory risk; (3) data integrity and quality; (4) emerging and unknown risks; and (5) model and business complexity.

In another example, the World Economic Forum identified the following 10 key risks in its report Global Risks 2011:

  • climate change;
  • fiscal crises;
  • economic disparity;
  • global governance failures;
  • extreme weather events;
  • extreme energy price volatility;
  • geopolitical conflict;
  • corruption;
  • flooding; and
  • water security.

Economic disparity and global governance failures are highlighted as being particularly significant given their high degree of impact and their interconnectedness with other risks.

Establishing risk appetite/tolerance

The concept of risk appetite – i.e., the amount of risk an institution is willing to take on in pursuit of value – has received considerable attention recently. In Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, the Senior Supervisors Group addresses the importance of institutions establishing a “risk appetite framework” and using this as a strategic decision-making tool.2 This report states a risk appetite framework is to establish an explicit, forward-looking view of a firm’s desired risk profile in a variety of scenarios and to set out a process for achieving that risk profile.

A related concept is risk tolerance – for example, the maximum acceptable level of exposure. The International Association of Insurance Supervisors released its report Enterprise Risk Management in October 2010. It says insurers are to be required to:

  • establish and maintain a risk tolerance statement that takes into account all relevant and material categories of risk and the relationships between them;
  • make use of its risk tolerance levels in its business strategy; and
  • embed its defined risk tolerance limits in its day-to-day operations via its risk management policies and procedures.

Corporate governance and risk management

The recent focus on risk management has included a critical review of the role of boards of directors and senior management, calling for a more explicit connection between corporate governance and risk management. A key issue here is independence.

The Basel Committee on Banking Supervision recently addressed the increased expectations related to the board’s responsibility to approve and oversee the implementation of the bank’s overall risk strategy, including its risk tolerance/appetite and policies for risk, risk management and compliance.3

In Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, the Senior Supervisors Group notes that firms with more developed risk appetite frameworks assign roles in the following, fundamentally important way:

  • the board, with input from senior management, sets overarching expectations for the risk profile;
  • the CEO, CRO and CFO translate those expectations into incentives and constraints for business lines, and the board holds the businesses accountable for performance related to the expectations; and
  • business lines manage within the boundaries of these incentives and constraints, and their performance depends in part on the risk assessment framework’s performance.

OSFI is currently conducting a system-wide review of corporate governance practices to benchmark and assess gaps in current practices against OSFI’s expectations as set out in the Corporate Governance Guideline and the Supervisory Framework. In an interview earlier this summer, Julie Dickson, superintendent of financial institutions, signalled that OSFI is stepping up its oversight of the boards of banks and insurers and that directors will be subject to higher expectations. OSFI has also indicated it is looking to update the Corporate Governance Guideline.

Compensation and risk management

Failure of an institution’s compensation structure to support its risk management strategy – rewarding excessive risk-taking, for example – is widely viewed as one of the causes of the financial crisis.

The Financial Stability Forum (the predecessor of the Financial Stability Board) released the FSF Principles for Sound Compensation Practices in 2009. They include the following principles related to the effective alignment of compensation with prudent risk-taking:

  • compensation must be adjusted for all types of risk;
  • compensation outcomes must be symmetric with risk outcomes;
  • compensation payout schedules must be sensitive to the time horizon of risks; and
  • the mix of cash, equity and other forms of compensation must be consistent with risk alignment.

The Canadian Coalition for Good Governance has articulated similar principles.4

In a May 2009 letter to federally regulated financial institutions, OSFI outlined its expectations that they adopt these principles and ensure their compensation practices align with them.

Role of the Chief Risk Officer (CRO)

The CRO is to be a key senior management position with significant clout, filled by a person with significant experience. In many financial institutions, the CRO reports directly to the Chief Executive Officer.

OSFI has publicly indicated it expects the CRO to have a broad view of all risks faced by the institution, including the basic risks – credit risk, market risk, operational risk, reputation risk and concentration risk. OSFI also expects the CRO to ensure that appropriate risk management strategies are in place; to have a solid awareness of capital management implications; and to be a strong voice with regular reporting to the CEO and board.5

End notes

1 Risk Management Lessons from the Global Banking Crisis of 2008, Senior Supervisors Group (2009).
2 Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, Senior Supervisors Group (2010).
3 Principles for enhancing corporate governance, Basel Committee on Banking Supervision (2010).
4 2009 Executive Compensation Principles, Canadian Coalition for Good Governance (2009).
5 For example, in remarks by Superintendent Julie Dickson to the Actuaries Club of Toronto on September 23, 2009.