Consultation summary report

• IIA
• OMIA
• CAIR
• CURIE
• OSBIE
• IBC
• Nova

Although stakeholders were pleased to be consulted on the development of this new Guidance and agree with FSRA’s stated principles-based and risk-based approach to regulatory oversight, they raised some specific issues with each of the Guidance documents. Some stakeholders acknowledge that the corporate governance Guidance sets out high standards for effective, efficient and agile corporate governance and operational risk for Insurers.  A stakeholder acknowledged both the explicit mention of Reciprocals in the Guidance and efforts made by FSRA to provide reassurances on the application. The stakeholder expressed concerns that the Guidance does not highlight the differences in approach or expectations and asserts that Reciprocals are unique and ought to be treated differently by FSRA.

Suggestions include:

• It is imperative that any potential new regulatory guidance is well-coordinated and consistent with similar guidance issued by a similar regulator, such as the Office of the Superintendent of the Financial Institutions (OSFI) or the Autorité des marches financiers’ (AMF).
• FSRA should continue to provide thematic commentary as assessments under RBSF-I are conducted.
• FSRA should consider the possibility that the regulatory burden, administrative cost and reduced flexibility associated with this Guidance outweighs the benefits to be achieved.

FSRA welcomes this feedback and is pleased that the principles-based approach in both Guidance frameworks was well received by the senior management and boards of directors of the sector.

FSRA reviews best practices from other jurisdictions and considers other regulatory Guidance in the drafting of its own Guidance, while considering the need to make necessary adjustments to Ontario’s legislative framework given the unique nature of our insurance sector, which includes Reciprocals, farm mutuals, stock P&C and a reinsurer. As such, stakeholders will see many elements in our Guidance that are consistent with our peer jurisdictions and common industry practices, to the extent that they are relevant for Ontario’s insurance sector.

FSRA’s Corporate Governance and Operational Risk and Resilience Guidance do not set compliance obligations. Specifically, as interpretation guidance, the Corporate Governance Guidance sets out FSRA’s view of requirements under the applicable statutes and regulations referenced in the Guidance, and, as approach guidance, the Operational Risk and Resilience Guidance sets out FSRA’s processes and practices for assessing Insurers’ operational risk and resilience in accordance with FSRA’s RBSF-I.

• OMIA
• CAIR

Reciprocal Governance

A stakeholder expressed that both frameworks should not apply to reciprocals as they are not “incorporated” under the Act. Reciprocals are and were intended to be treated differently from other Insurers.  

Farm Mutuals

A stakeholder expressed that their members are typically the smallest Insurers in any given category and the scale and scope of their operations does not always coincide easily with some of the more complex processes, procedures, and policies that may be considered common industry practices that may be required for lager entities with more complex business models.

The stakeholders identified that one of the challenges for smaller Insurers will be reaching an appropriate level of documentation and resourcing required to meet some of the assessment parameters.

Ultimately, stakeholders stressed the need for the assessment process to remain proportional, gathers only the information needed for effective assessment, and is built and streamlined in such a way as to minimize the financial impact on the entity and subsequently policyholders.

FSRA’s outcomes-focused, and risk-based supervision is based on sound knowledge of the business and the application of proportionality. FSRA will apply these pieces of Guidance in a proportional manner, considering the size, complexity, and risk profile of Insurers, including farm mutuals and Reciprocals.

FSRA appreciates that Reciprocals are not-for-profit entities, and they provide subscribers an opportunity to mutually protect each other with adequate coverage in a more appropriate and cost-effective manner, compared to a traditional insurance policy.

Operational risks are common to all insurance companies, regardless of their structure or business model, including farm mutuals, reciprocals, and traditional stock or mutual insurers.

Although Reciprocals are subject to different requirements under the Act, foundational prudential elements such as operational risk and resilience and sound corporate governance principles apply to all regulated entities.  These Guidance documents set out FSRA’s processes and practices for assessing Insurers’ corporate governance and operational risk and resilience in accordance with FSRA Approach Guidance No. PC0045APP, Risk Based Supervisory Framework for Ontario-incorporated Insurance Companies and Reciprocals (“RBSF-I”).  The identified processes and practices are not mandatory; however, they can, depending on the factual circumstances be reflective or whether or not an Insurer has met their obligations.

FSRA will continue to work with Reciprocals and Farm Mutuals to ensure there is a shared understanding of RBSF-I.

• IIA
• CAIR

A stakeholder stated that the Corporate Governance Guidance recognizes the importance of an independent internal audit function and outlined the importance of internal audit related to oversight and risk management to ensure the independent assurance of the risk management function. However, the proposed Guidance limits its discussion of the role of internal audit to Principle 4, Integrity of Financial Statements. The stakeholder referenced the Government of Ontario’s Internal Audit Directive that outlines “internal audit includes but is not limited to the examination and evaluation of the adequacy and effectiveness of the organization’s governance, risk management, and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objective.”

Another stakeholder identified that given the lean resource organizational structure of Reciprocals, it would be difficult to practically achieve the three lines of defense model as outlined under principle 3 of the Guidance. The “Risk Management Requirement” has potential to place an undue strain on Reciprocal exchanges’ human and financial resources.

Moreover, under the Assurance and Effectiveness section of Principle 3, the Reciprocals sector interprets that section to mean that a Reciprocal should have a robust risk management and internal control framework, and the Board must review the adequacy and effectiveness of these frameworks on a continuous basis (as opposed to every internal control being tested annually).

The stakeholder recommends highlighting internal audit in Principle 3, in “Proposed Guidance: Corporate Governance for Ontario-incorporated Insurance Companies and Reciprocal Insurance Exchanges.”

The IIA recommends that internal audit be highlighted as a resource for assessments and assurance related to other operating areas mentioned in the Guidance, such as information technology (including cyber) risk management, third-party risk management, resilience plan management and the oversight of new business activities in “Proposed Guidance: Operational Risk and Resilience for Ontario-incorporated Insurance Companies and Reciprocal Insurance Exchanges”.

Under the Corporate Governance Guidance, internal audit is mentioned in Principle 1 (Defined Roles and Responsibilities), Principle 3 (Effectiveness of Oversight Structures) and Principle 4 (Integrity in Financial Reporting).

Under Principle 3, the Guidance speaks to the importance of the three lines of defense and how they facilitate effective governance, oversight, and risk management by the Board. This is a best practice.

FSRA recognizes that Reciprocals have lean structures. As a result of the feedback received through the consultation the section on Risk Management Requirement has been removed and clarification provided that the Guidance sets out best practices. Additionally, the three lines of defence model is a best practice that can be applied in a manner proportional to each Insurers’ size, complexity, and risk profile.

As such, under the Assurance and Effectiveness section, the intended outcome is that Reciprocals’ senior management develop and maintain an adequate system of internal controls and risk management. The Board of the Reciprocal, with the assistance of the appropriate Board committee, is accountable for reviewing the adequacy and effectiveness of these frameworks and the underlying assumptions and methodologies. Such a review can be carried out internally or with the assistance of qualified third parties to achieve assurance as outlined in the Guidance.

The Guidance sets FSRA’s views that an Insurer should, at least annually, review their risk management and internal control systems to achieve independent assurance. However, this does not preclude an Insurer from undertaking more frequent testing to meet its business objectives. In applying proportionality, where an Insurer lacks some of the other oversight functions like Risk Management, they are not sufficiently independent, or they do not have enterprise-wide responsibility, other functions (for example Senior Management) may provide the independent oversight.

Internal audit is not mentioned directly in other areas of the Guidance as an explicit requirement given FSRA has oversight over a breadth of Insurers that are of differing management and governance structures and size. As such, FSRA will look for and consider other factors such as compensating controls that an Insurer can undertake to demonstrate the intended outcome of the Guidance.

Internal audit is mentioned in Principle 1 of the Corporate Governance Guidance given its importance at an enterprise-wide level. FSRA acknowledges the importance of internal audit in contributing to an organization’s overall governance by providing the board with objective assurance across all business lines and operating areas, as articulated under our RBSF-I. 

• IBC
• CAIR

The stakeholder communicated that it would be difficult for Reciprocals to adequately meet some of the Board independence and composition requirements in the Guidance. Unlike a traditional Insurer, through the subscribers’ agreement, Reciprocal insurance exchanges have a contract with their subscribers/policyholders regarding the governance of the Reciprocal exchange, including its management and oversight. The stakeholder advises that FSRA consider revising the following sections (given what is described under the Insurance Act vs Subscribers’ Agreement):

• Board independence: reciprocals consider a board independent as long as it’s independent from management. It is impracticable to have a director that is not affiliated with the Insurer as the advisory board is comprised of the Reciprocal insurance exchange’s policyholders.
• Board composition: it is challenging to identify areas for enhancement of the composition of the board, its committees, and skillsets as Board members are restricted to its member base.
• Board composition: hard to comply with the requirement of no more than two-thirds of the directors of an incorporated insurer can be affiliated with the insurer

In the Corporate Governance Guidance, stakeholders asked that FSRA should not prohibit an insurer’s CEO from serving as a Board member provided that the total number of directors affiliated with the insurer is no more than two-thirds of the board. Stakeholders assert that this is something that is commonplace among other Insurers and is permitted under the Corporations Act, FSRA should not prohibit an Insurer’s CEO from serving as a Board member as there are other mechanisms to demonstrate independence as stated in OSFI’s Corporate Governance Guideline.

A stakeholder identified that unlike OSFI’s Corporate Governance Guideline, this draft Guidance does not include diversity as a factor in Board composition or succession planning. They recommend that FSRA explicitly reference diversity as a factor to consider in Insurers’ Board composition, succession and renewal plans.

FSRA appreciates that each Reciprocal is governed by a subscriber’s agreement which requires the establishment of an advisory board to be responsible for the supervision of the Exchange. We also appreciate that the interests of the subscribers and the Reciprocal Exchanges are aligned and that meeting some of the independence intended outcomes may be challenging as Reciprocals are not permitted to have Directors outside their subscriber base.

The Guidance indicates that FSRA views independence as being autonomous from senior management of the Reciprocal, which is in line with the stakeholder comment.

Best practices in corporate governance suggest that, in order to ensure independence and avoid conflicts of interest, the CEO of an organization should not also sit on its Board. While the Guidance does not state that a CEO is prohibited from serving on the board, in order to meet the intended outcomes and demonstrate effective and independent oversight, Insurers are encouraged to assemble independent boards that are able to have constructive debate and effectively challenge the CEO and other members of senior management.

Under the “Board Composition” section of Principle 2, FSRA addresses diversity by stating the board should have a balance and mix of skills, knowledge, and experience to foster constructive debate, effectively challenge Senior Management to ensure that they are able to discharge their duties and responsibilities. To achieve this, Insurers should construct their boards in an appropriate manner and ensure they are able to meet the mission and objective of the organization to best serve members, policyholders, and subscribers.

• OMIA

The stakeholder communicated that mutuals’ boards have evolved over the years and have moved to a governance-based model and are not involved with the day-to-day management of the insurer, including such responsibilities as human capital and resource planning matters at the staff and operational level.

The stakeholder expressed concerns with FSRA’s interpretation of board activities to include appointment, performance review, and compensation of the key members of senior management in oversight functions, as well as compensation practices.

The stakeholder does not believe that the intention of the language under principle one is to have boards of directors directly involved in staff management but rather to have systems in place to assure themselves that the CEO and other key members of the management team are effectively managing staff. The stakeholder would appreciate further discussion of these elements for additional clarity.

The Corporate Governance Guidance indicates that senior management is responsible for the day-to-day management of the Insurer and the operational implementation of the strategic direction set by the Board of directors.

As the board’s overall role and responsibilities include providing leadership, as well as approving and overseeing the implementation of the strategic direction, the board must satisfy itself that the organization has the necessary resources, policies, and practices in place to meet its objectives and effectively measure performance against them.

The Guidance indicates that the board is accountable for and should direct and oversee activities related to human capital resource planning and senior management rather than staff, which is in line with the stakeholder comment. To effectively have oversight of the Insurer and discharges its duties, the board’s accountabilities include appointment of the CEO, human capital, and resource planning to ensure the organization can deliver on its mission and strategic objectives. 

• IBC
• CAIR

One stakeholder suggested that it is unclear whether the requirements in this section apply to Reciprocals, and further clarification is need in certain areas – e.g., the annual statement of condition of the affairs of the Insurer.

The annual statement on the condition of affairs of an Insurer and audit committee requirements is found in regulation and apply to all Insurers that FSRA oversees, including Reciprocal Insurance Exchanges. This being said, the provisions from the Corporations Act and requirements referring to incorporated Insurers would not apply. 

• CAIR

The stakeholder identified that although Principle 3 acknowledges that Reciprocals are not subject to the Minimum Capital Test (MCT) Guideline, it also states that not meeting the intended outcomes of the principles may result in an elevated level of supervisory support. The stakeholder is concerned that the Guidance does not adequately acknowledge the exclusion Reciprocals are afforded to under the Insurance Act and supporting regulation.

Maintaining adequate capital is critical for the overall safety, soundness, and resilience of all incorporated insurers. Reciprocals are required to maintain adequate surplus. In consideration of stakeholder feedback, FSRA has made necessary revisions to both the Corporate Governance and Operational Risk and Resilience Guidance and will not consider any amendments to the MCT Guideline at this time.

In addition, FSRA has developed Guidance setting out Insurers’ development of an Own Risk Solvency Assessment (“ORSA”) to ensure that Insurers effectively set and maintain adequate capital levels that are commensurate to their risks. This Guidance describes FSRA’s principles-based approach for assessing an Insurer’s ORSA, which supports prudent capital management. 

• IBC
• CAIR

A stakeholder disagreed that operational risk management should enable the minimization of risk of loss to policyholders and suggested that FSRA should remove the expectation to minimize risk of loss to policyholders and replace with an expectation to set risk appetite and measurable limits and thresholds for risk acceptance. This would align with the approach taken in OSFI’s draft Guideline E-21, Operational Resilience and Operational Risk Management, which expects an Insurer to set a risk appetite for operational risks, articulating the nature and types of operational risks that the insurer is willing to accept within business-as-usual circumstances and include a measurable component with limits/thresholds for risk acceptance.

In the section dealing with identification of risk method (e.g., risk appetite, tolerance and limits), there is an opportunity to take a broader integrated risk management approach and to be more inclusive when referencing principles of risk identification (e.g., risk appetite, tolerance and limits).

The stakeholder recommends that FSRA’s principles reconsider the unique structure and mandates of a Reciprocal insurance exchange. Further the stakeholder advises FSRA to consider incorporating “may”, “should” or “can” or similar words in reference to Reciprocals.

Providing greater examples to illustrate how the Guidance could work in practice, including further defining three lines of defense and clarify of independent risk oversight would be valuable for stakeholders.  

FSRA agrees that operational risk is inherent in all products, activities, processes, and systems.  FSRA also agrees that part of the operational risk management cycle includes setting a risk tolerance in line with the Insurer’s risk appetite statement and framework, as well as measurable limits and thresholds for risk acceptance. The ultimate objective of effecting operational risk management activities and operational resilience is to minimize the risk of loss to policyholders, subscribers, and customers and to improve Insurers’ safety and soundness.

The “Purpose” section of the Operational Risk and Resilience Guidance states that FSRA will apply this Guidance in a proportional manner, based on the size, complexity, and risk profile of the regulated entity, which includes consideration for the unique structure and mandates of Reciprocal Insurance Exchanges.

The Guidance is reflective of FSRA’s principles-based approach, which focuses on the achievement of desired outcomes, as opposed to providing prescriptive rules and exhaustive examples. This approach allows Insurers to flexibly apply the principles in a way that is appropriate for their business operations.

• IBC
• CAIR

A stakeholder disagreed with the suggestion in FSRA’s proposed statement that resilience is equal to recovery, which is an unrealistic standard and asked that FSRA should align with the approach taken in OSFI’s Guideline E-21 which expects Insurers to be prepared to deliver critical operations through severe but plausible circumstances within established tolerances for disruption.

A stakeholder recommends that FSRA should clarify what its expectations are for the resilience assessment of an insurer (principle 4). Stakeholders would like clarification on the internal stress testing requirements FSRA would look for, and if this would include Financial Condition Testing (FCT), for example. 

Under the Approach section of the Operational Risk and Resilience Guidance, FSRA describes the assessment of resilience characteristics versus resilience performance.  Resilience characteristics are demonstrated during a business-as-usual environment; at which time the Insurer enhances its crisis preparedness through improving its ability to monitor and anticipate any escalation of risks. Resilience performance of the Insurer is demonstrated by its ability to respond and adapt to stress by taking feasible and timely action, leveraging pre-determined processes under pre-established protocols to facilitate streamlined and effective recovery.  Therefore, in the event of an operational risk event, effectiveness in recovery including actions taken by Senior Management and the Board will be assessed as part of resilience performance.

FSRA agrees that the expectation to identify critical operations, establish tolerances for disruption of critical operations, and performing regular testing are important and generally included in the Operational Risk Management Framework (ORMF) which includes the Insurer’s operational risk appetite, tolerance, and limits. The Board also reviews the Insurer’s business continuity plan (“BCP”), disaster recovery plan (“DRP”) and other contingency plans. To define the Insurer’s risk appetite and review the ORMF’s alignment with it, the Board articulates the nature, types, and levels of operational risk that Insurers are willing to assume and ensures that they are providing adequate and effective oversight on that basis (Principle 1 and Principle 3).  The quality of the Insurer’s business contingency plans, among other things, is an example of the Insurer's demonstration of resilience characteristics.

FSRA understands that stress events may result in financial loss. Insurers that have a high degree of resilience, achieved through both resilience characteristics and performance, are more likely to incur shorter lapses in their operations and experience smaller losses from operational disruptions, thus lessening incident impact on critical operations and related services, functions, and systems.

FSRA will look to the regulated entity to demonstrate resilience in areas including business continuity, recovery planning and other contingency plans. The suite and range of scenario modelling and testing FSRA would review is contingent on the size, complexity and risk profile of the Insurer. Though the FCT reporting is a requirement for Insurers that are required to appoint an actuary under Part II.1 of the Insurance Act, under the Guidance FSRA does not prescribe specific stress testing scenarios but can review the FCT of an Insurer that has an FCT to report. 

• OMIA

The stakeholder expressed that it would be important for FSRA as the regulator assessing the entities to ensure that the assessment process simplifies as much as possible the integration and interrelationship of these two Guidance.

The Operational Risk & Resilience and Corporate Governance are complementary pieces of Guidance, and FSRA made a deliberate decision to develop and release both pieces of Guidance simultaneously.

A robust operational risk management framework and operational resilience must be underpinned by a strong and robust governance structure. As such, Principle 1 of the Operational Risk and Resilience Guidance is “Governance”, as the ultimate accountability and responsibility of operational risk rests with the Insurer’s Board and Senior Management.

Under FSRA’s integrated RBSF-I, Operational risk is an inherent risk that is intrinsic to all the business activities of an Insurer and arises from exposure to, and uncertainty from, potential future events. Based on the inherent risks identified for each significant activity and the level of these inherent risks, FSRA will assess the extent to which a commensurate level of controls and oversight (Quality of Controls and Oversight) are needed to adequately mitigate the inherent risks. Under this model, the assessment is undertaken using an integrated report given the interrelationship of these two Guidance documents.

We appreciate the comment about simplification of the assessment process, and where warranted, the supervisory teams will simplify the assessments as they apply proportionality. 

• Nova
• OMIA
• CAIR

Stakeholders suggest that small organizations typically have financial expertise in the role of a CFO but they may not have the capacity or resources– based on size, complexity and risk profile – to maintain separate resources solely devoted to fulfilling other oversight functions (e.g., Chief Risk Officer, Chief Compliance Officer). Stakeholders identified that innovative and adaptive approaches may have to be undertaken by some small Insurers to meet the intended outcome of the three lines of defence model.

Stakeholders believe how FSRA assesses Insurers under this model will be a critical factor in ensuring that the administrative and operational costs of establishing three lines of defence is not prohibitive.

From a practical standpoint, FSRA should be able to effectively apply a proportionality and consider innovative or unique ways in which smaller Insurers may build and monitor risk frameworks.

Some stakeholders suggested Internal Audit plan and related execution with internal/external resources may also be impractical.

FSRA appreciates the feedback from stakeholders and acknowledges that the effective implementation of the three lines of defence and oversight functions is proportionate, outcome focused and adaptable to the size, complexity and risk profile of each Insurer.

FSRA appreciates that not all Insurers have a dedicated resources in-house for internal audit or other oversight functions. FSRA has clarified that the Corporate Governance Guidance does not impose binding actions required to meet an Insurer’s obligations. Rather it identifies common industry practices regarding corporate governance, which can inform FSRA’s determination of whether, and to what extent, an Insurer is meeting its obligations under the statutes and regulations referenced in the Guidance.

The presence and nature of this oversight function vary based on the size, complexity, and risk profile of an Insurer and the inherent risks present in its significant activities.

Where an Insurer lacks a critical oversight function and has engaged external expertise to perform that function, the Insurer may maintain accountability for that function (i.e. Insurers can outsource the function’s responsibility but not the accountability and ownership of risks).

Where an Insurer lacks some of the other oversight functions or they are not sufficiently independent, or they do not have enterprise-wide responsibility, in applying proportionality, other functions (for example Senior Management, including the CFO) may provide the independent oversight.

• OMIA

The cost of adapting to standards such as IFRS-17 should not be underestimated not only within the P&C sector but within all the auxiliary organizations that test support this type of reporting. The cost of these changes is all borne directly by policyholders as it increases the cost of doing business.

Some Insurers feel that international regulators have shown little concern for the cost and practical implications of some of the standards adopted over the past several years, including IFRS-17 as an accounting standard. FSRA can play an important leadership role in supervising Ontario-based insurance companies and Reciprocal exchanges in ensuring that outsized reporting requirements are not adopted.

FSRA appreciates the operational and financial implications of the global accounting standard change on our regulated entities. FSRA’s Guidance documents do not impose additional financial reporting requirements on Insurers.

• OMIA

The stakeholder believed that a period of evolution will be required to become fluent and comfortable with some of these new requirements. And the Insurers are in the early days of standards being published and/or approaches being developed.

The purpose of FSRA’s Guidance Framework is to describe our principles, processes and practices for the use of guidance in carrying out our legislative mandate. Pursuant to the Framework, FSRA does not and can not set out new mandatory requirements in guidance.

Instead, these pieces of Guidance help to clarify FSRA’s views on relevant legislative and regulatory requirements. As FSRA continues to conduct integrated RBSF-I based assessments of Insurers and engage with the sector, it will consider the nuances of diverse business models and appreciate that attaining the intended outcomes is an iterative process as Insurers are still adapting to FSRA’s integrated RBSF-I.

FSRA has been assessing Insurers under the RBSF-I since the implementation of the framework in April 2023, these Guidance documents now articulate FSRA’s intended outcomes and common industry practices. FSRA uses the integrated RBSF-I to identify imprudent or unsafe business practices that may impact policyholders, members and subscribers, and intervenes on a timely basis if warranted. FSRA will assess Insurers against these common industry practices under the RBSF-I to determine the appropriate level of supervisory engagement.

As FSRA continues its integrated assessments, improvements and insights will be gleaned. FSRA will continue to streamline and look for efficiencies in its process where possible to ensure Insurers are able to effectively adopt the Guidance and respond to FSRA’s ongoing monitoring and supervisory assessments.