On June 5, Ontario’s financial services regulator (FSRA) hosted a webinar for Ontario-incorporated insurance companies and reciprocal insurance exchanges (“Insurers”) on proposed guidance for Corporate Governance as well as Operational Risk and Resilience.
The webinar enabled attendees to gain a better understanding of the six principles of effective corporate governance, and desired outcomes, as well as a better understanding of the four principles of effective operational risk management and resilience, and desired outcomes.
Materials from the webinar are now available online, including:
- Full video recording
- Transcript
- Presentation materials
- Q&A (all questions answered in the webinar)
You can view this video with closed captioning by selecting the “CC” button in the video menu. Note: the closed captioning text is automatically generated and has not been reviewed for accuracy.
0:03
Hello everyone and welcome to today's webinar, Proposed Operational Risk and Resilience Guidance and Corporate Governance Guidance Information Webinar.
0:12
Before we get started, I'd like to go over a few items so you know how to participate in today's event.
0:17
You have the opportunity to submit text questions to today's presenters by typing your questions into the questions pane of the control panel. You may send your questions at any time during the presentation.
0:27
We will be having two question periods throughout today's session.
0:32
And now I'd like to introduce Victoria Lesot, Director of Policy, Credit Union, Insurance Prudential and Pensions.
0:42
Great, thanks so much, Tracy.
0:44
And thank you everyone for joining us for this webinar on the proposed corporate governance guidance and operational risk and resilience guidance for the Ontario incorporated insurance companies and reciprocals.
1:00
So both pieces of guidance are for consultation as many of you may know and we're very much looking forward to your feedback.
1:07
Today's an opportunity to learn about the guidance and ask questions that you may have and I should note that throughout the presentation we'll refer to insurers and by that we mean the Ontario Incorporated Insurance Companies and Reciprocals.
1:23
So these include the farm mutuals, reciprocals, stock P&C companies, and one reinsurer.
1:30
So on the agenda today, we will start with some introductions, as we'll have a few presenters, and the land acknowledgement, then cover some background information about the two initiatives, how principles-based regulation applies in both contexts, and next steps.
1:50
And as Tracy mentioned, we'll split the presentation into two parts, so we'll walk through the corporate governance guidance first, followed by a question and answer period.
1:59
And then we'll move on to the operational risk management guidance, as well as a question and answer period.
2:04
And we have two hours today, so hoping to be able to answer everyone's questions.
2:11
So let me introduce today's speakers.
2:15
So I've already introduced myself, my name is Victoria Lesot, I'm the Director of Insurance Prudential, Credit Union and Pension Policy here at FSRA.
2:25
And I'll be joined by Amber McNair, Senior Manager of Policy for Credit Unions and Insurance Prudential, as well as David Maxwell, Head of Regulation and Strategic Initiatives for the Credit Union and Insurance Prudential Sector.
2:39
And I should mention that for those of you who are not able to join or want to refresh your memory later on, we'll be posting the webinar on our website sometime later this summer.
2:51
So before we begin, just want to start with a land acknowledgement.
2:57
So it's important to acknowledge the land we're on is the traditional territory of many nations, including the Mississaugas of the Credit, the Anishinaabe, the Chippewa, the Haudenosaunee, and the Wendat peoples, and is now home to many diverse First Nations, Inuit and Métis peoples.
3:13
We acknowledge that Toronto is covered by Treaty 13 with the Mississaugas of the Credit and the Williams Treaty signed with multiple Mississaugas and Chippewa bands.
3:23
And now jumping into our presentation, I'll cover a few concepts that are cross-cutting across both pieces of guidance.
3:30
Things like principles-based regulation, our risk-based supervisory framework, a little bit about how this all fits into FSRA's objects, and the relationship between risk management and capital management.
3:44
So, on this slide, I wanted to highlight FSRA's principles-based regulation approach, or PBR.
3:51
You might hear that throughout the presentation, PBR, and particularly how this fits into this guidance.
3:57
So, as many of you will know, PBR is a regulatory approach used by regulators that relies on broadly stated principles that are outcomes-focused rather than prescriptive.
4:07
And PBR gives regulators and stakeholders the flexibility to relatively quickly respond to market conditions.
4:16
And we make use of qualitative terms such as fair or reasonable to facilitate compliance.
4:24
And it also allows insurers to honour the spirit of the law while also maintaining flexibility in applying it to their own unique business operations and changes to their business environment.
4:36
And both pieces of guidance, as you'll see when we go into the details, are consistent with this principles-based regulatory approach.
4:47
So both pieces of guidance will set out high-level requirements for principles and outcomes that insurers should achieve, such as the roles and responsibilities of an insurer's board that should be appropriately delegated.
5:02
So we use the term like appropriately to give flexibility to the regulated entity to apply that principle flexibly.
5:12
And then the guidance, as you'll see further, notes this idea of proportionality.
5:17
So insurers should adopt these principles depending on their size, their complexity and their risk profile.
5:25
And going on the next slide into this idea of proportionality a little bit further, wanted to touch on our risk-based supervisory approach for insurers.
5:37
So, FSRA's application of principles-based regulation and risk-based supervision is predicated on having strong knowledge of the business of the insurers that we regulate.
5:49
And so, by understanding the insurer's mission, their objectives, the lines of business, and the unique risks applicable to the insurer, FSRA is able to apply both pieces of guidance proportionally, commensurate with the size and the scale of each insurer.
6:05
So understanding your business allows us to be more proactive and reactive, allows us to identify issues and course correct before something becomes a large risk and impacts the stability of the sector.
6:23
And principles-based regulation is founded on a supervisory relationship that's cooperative, collaborative and fosters mutual trust, and we look forward to continuing to work with the sector as part of our risk-based supervisory framework and the assessments.
6:40
FSRA's Insurance Prudential Supervisory team undertakes several types of supervisory work that you'll see here on the slide, so kind of three broad categories: supervisory assessments, thematic reviews and proactive monitoring, and then we also engage with insurers informally. And all of this allows us to kind of tie it back to PBR.
7:01
This allows us to apply the principles in the proposed guidance proportionally, commensurate with the size, the risk profile, and the complexity of each insurer.
7:15
So going into the specific pieces of guidance on the next slide.
7:20
So both of these pieces of guidance originate from our four-year work plan for insurance prudential rules and guidance, and they're both foundational pieces to strengthen FSRA's regulatory framework, to support the application of the risk-based supervisory framework that I just mentioned, and ultimately to strengthen Ontario incorporated insurers and reciprocals.
7:42
We're releasing both pieces of guidance simultaneously, given the importance of corporate governance to risk oversight, including oversight of operational risks.
7:53
And you'll see that the principles of both guidances have that risk management interconnection, and so we wanted to publish them simultaneously.
8:04
And so this slide provides a bit of a quick overview of what the two pieces of guidance are about, and we'll definitely go into these in more detail.
8:12
But for the proposed operational risk and resilience guidance, there are four key principles that set out the requirements for insurers to effectively manage operational risk and demonstrate resiliency that will ultimately better protect policyholders, members, and subscribers.
8:31
So the principles you see here around governance, risk identification, risk management and resilience, and we'll go into those during the webinar.
8:38
And on the right-hand side of the slide, some of the key pieces of the proposed corporate governance guidance are six principles that set out kind of foundational corporate governance outcomes for insurers to achieve effective corporate governance, and the proposed guidance outlines FSRA's supervisory approach for maintaining an appropriate corporate governance framework.
9:05
And we'll go into those principles as well later on in the webinar.
9:09
In terms of the effective dates for both pieces of guidance, I would say it's TBD.
9:13
We'll talk about that a little bit more in the next step slides at the end of the webinar.
9:18
But we plan to consider feedback from stakeholders over the summer.
9:22
And after the consultation concludes and we make appropriate changes based on feedback, we will consider the effective date.
9:30
So, next slide, a little bit about FSRA's objects and how this fits in within our objects under Section 3 of the Financial Services Regulatory Authority of Ontario Act, which is the statute that sets out our mandate.
9:48
So there's a number of objects that we considered in drafting this guidance: to regulate and generally supervise the insurance sector, to contribute to public confidence in the insurance sector, to promote high standards of business conduct, protect the rights and interests of consumers, deter deceptive or fraudulent conduct, and foster strong, sustainable, competitive, and innovative insurers.
10:16
And the two pieces of guidance we're talking about today are instrumental in supporting these somewhat interrelated objectives.
10:24
So as an example, implementing sound corporate governance practices, things like accountability, transparency, having a sound risk management framework, are more likely to achieve and maintain public confidence when implemented effectively, and thus achieve long-term sustainable business performance for an insurer, which in turn protects the policyholders and subscribers of the insurer.
10:50
And likewise, the ability of insurers to have effective operational risk identification, management and resilience improves an insurer's ability to monitor the current environment, anticipate future threats, and effectively respond to stress events.
11:04
And this all supports sustainability of the insurer and promotes high standards of business conduct.
11:09
So that's the lens that we applied in drafting this guidance and drafting awarded guidance. Our next slide.
11:20
Going into a key concept and I mentioned this before and you'll see this theme run through throughout the rest of the presentation for both pieces of guidance.
11:28
It's the interrelationship between capital management and risk management.
11:34
As many of you may be aware, FSRA's 2023 Minimum Capital Test guideline for insurers, or, as we refer to it very affectionately, the MCT guideline.
11:45
It sets out a number of requirements with respect to prudential capital management for insurers.
11:51
The guideline is a harmonized solvency test across all of Canada, both provincially and federally.
11:59
And it basically requires that sufficient capital levels must be held in order to maintain financial strength for an insurer, absorb losses to withstand adverse conditions and meet other risk and business objectives.
12:12
The guideline requires insurers to establish an internal capital target considering the unique risk profile of each insurer and plausible variations in both capital and operating results due to various stress events.
12:26
And so as part of writing this guidance, you'll see our interpretation; this sets out our view that in order to be able to prudently manage capital, insurers should have practices in place to identify and manage their enterprise-wide risks, including operational risk.
12:44
And related to that, in order to be able to appropriately manage capital, there should be appropriate corporate governance practices in place for oversight of various enterprise-wide risks to ensure that there's sufficient capital for those risks.
12:59
And the next slide kind of shows the linkage between risk management and corporate governance being key to the capital requirements set out in the MCT guideline.
13:10
So at the top you have the enterprise wide risk management program of the insurer and appropriate risk governance around that supported by some of the corporate governance principles that we'll talk about today that are set out in the proposed guidance.
13:24
Then on the right-hand side you have the operational risk oversight for the insurer, supported by some of the proposed principles we have in the draft operational risk and resilience guidance, which we'll talk about today.
13:36
And then on the left hand side, you have the capital requirements and internal capital targets set out in the MCT guideline, which are supported by appropriate capital planning, appropriate risk oversight, and risk management.
13:51
So again, you'll see this concept of risk management and capital management throughout the presentation for both pieces of guidance. So, with those cross-cutting themes for both guidances, I'll pass it on to Amber McNair to dive into the details of our first guidance, which is the corporate governance guidance.
14:16
Thanks, Victoria. So, what do we mean?
14:24
What is our rationale for the corporate governance guidance?
14:29
So corporate governance is really foundational and a critical factor through which the objectives of the insurer are set and a means of attaining those objectives and monitoring performance.
14:42
Insurers that demonstrate sound corporate governance practices are more likely to achieve and maintain long term sustainable business performance. Next.
14:56
And so what do we mean by corporate governance?
15:01
So corporate governance is a set of relationships between a company's management, its board, and other stakeholders.
15:08
The board's overall role includes providing leadership as well as approving and overseeing the implementation of the insurer's strategic direction and overall business objectives, taking into account the need to protect members, policyholders, subscribers, and other stakeholders. Boards are responsible for ensuring their organization has the necessary resources, policies and practices in place to meet its objectives and effectively measure performance against them.
15:40
Good corporate governance, as reflected by an effective board is fundamental to the success of implementing principles based regulation.
15:47
FSRA does not currently have any prudential guidance or rules setting out expectations or requirements for insurers on corporate governance or corporate culture and behaviour risk.
15:59
Sound corporate governance provides the structure through which the objectives of the insurer are set and the means of attaining those objectives and monitoring performance are determined.
16:09
It helps formalize accountability and define how responsibilities are allocated and corporate decisions are made.
16:14
The quality, performance, and effectiveness of an insurer's corporate governance is foundational and a critical factor in maintaining the confidence of FSRA, members, subscribers, policyholders, stakeholders, market participants, and consumers.
16:31
The proposed guidance sets out practices for effective corporate governance to achieve the outcomes, the role of the board in setting the tone from the top in achieving effective corporate governance, the role of the board under principles based regulation, and the important relationship between the regulator and the board.
16:51
Next, as FSRA supervises and regulates a number of financial services sectors in Ontario, we use four distinct types of guidance to support requirements that are set out in legislation, in regulation, and also in rules.
17:11
Our approach to standardizing guidance in this way is intended to be more transparent and clear for stakeholders so they can better understand what is legally binding, what is FSRA's interpretation or application of law, and what is information that is designed to be helpful.
17:29
The four types of guidance that we produce are interpretation, information, approach and decision guidance, and we determine the appropriate type of guidance depending on the specific circumstances in regulated sectors.
17:41
So this guidance is a combination of interpretation and approach.
17:48
The interpretation portion of the guidance sets out FSRA's view of requirements under its legislative mandate.
17:56
Non-compliance can lead to enforcement or supervisory action.
18:01
The approach section of the guidance describes FSRA's internal principles, processes and practices for supervisory action and application of CEO discretion.
18:13
The approach section does not create compliance obligations for regulated parties, but can be considered indicative of FSRA's position.
18:21
It does not alter requirements to comply with existing legal or regulatory frameworks.
18:28
The interpretation section of the proposed corporate governance guidance sets out FSRA's views of the requirements for insurers' effective corporate governance practices, policies and procedures under the Insurance Act, including the Corporate Governance and Reciprocal Insurance Exchanges Regulations of the Insurance Act, and the Corporations Act.
18:49
FSRA interprets these requirements to clarify and set out practices for the composition of an insurer's board and its independence, roles and responsibilities with respect to senior management, ethical and responsible action, integrity in reporting and disclosure, oversight functions and corporate culture.
19:08
The approach section of this guidance sets out FSRA's approach to assessing insurers' corporate governance under the risk-based supervisory framework, which Victoria referred to earlier, and the intended outcomes for effective and prudent corporate governance practices that best protect policyholders and other stakeholders.
19:26
Next.
19:32
So on this slide, you'll see that we describe the intended outcomes for the insurers board.
19:37
These include that the board is able to act independently in the best interest of members and the insurer itself; that the board's collective skill set and experience are appropriately aligned with business strategies and associated risks; that board responsibilities and those delegated to management support effective oversight of all material aspects of the insurer; that reporting supplied by senior management fosters informed decision-making by the board; and that the board has confidence that issues that need their attention will be escalated to them by senior management. Next.
20:19
Key themes for this guidance are accountability and responsibility and the delineation of roles and responsibilities between senior management and the board.
20:27
The board must direct senior management and provide effective oversight of the insurer.
20:33
Responsibilities delegated to senior management including implementation and operationalization of approved strategy and risk appetite should be documented in related frameworks, policies, and mandates to ensure that the delineation and responsibilities are clearly understood.
20:51
Next, the current challenging external operating environment means that insurers are facing heightened risks with regard to the high interest rate environment and the increase in catastrophic events and natural disasters.
21:07
In this context, the role of the board and common understanding of roles and responsibilities is more punctuated.
21:16
The board is accountable for setting the risk appetite and strategy of the insurer and for the approval of various policies and processes.
21:26
While the board can delegate responsibilities to operational management for the implementation of these policies, the board must satisfy itself that the desired outcomes are being achieved in accordance with the business objectives and mission of the insurer.
21:41
Board directors should ensure that they receive sufficient, accurate and timely information to provide assurances that all parties have discharged their responsibilities as delegated, and directors should have a process for determining and documenting which policies and procedures they should review and approve.
21:57
The underlying methodology and rationale by which a board determines which policies and procedures it should review and approve should be updated regularly to ensure that it continues to meet the board's needs to provide effective oversight.
22:11
Next, the board must direct senior management and provide effective oversight of the insurer.
22:22
This should include establishing direction and the approval of short term and long term strategic plans in alignment with capital considerations and financial circumstances of the insurer to ensure that the requisite resources are in place for the company to meet its strategic objectives.
22:39
The board should demonstrate this by holding strategy sessions and engaging senior management on linkages between the insurer's strategy, risk appetite, financial and capital plans.
22:50
The board should receive regular reporting from senior management that allows it to assess the insurer's alignment with the approved strategy and risk appetite on an ongoing basis.
23:00
Next, principles for effective corporate governance include that roles and responsibilities are clearly understood and appropriately delegated, enabling the effective oversight of the insurer, and that the boards are appropriately structured to allow them to act independently.
23:25
To achieve these principles, the insurer establishes committees with clear mandates and duties in terms of reference, for example terms of reference that provide oversight over the insurer's business plan, strategy, and risk framework; there's a separation of the roles and responsibilities of the board versus those of senior management; and the boards are overseeing CEO performance.
23:49
Principle three of the proposed guidance states that the board is accountable for the governance of risk, including determining the nature and extent of the significant risks which the insurer is willing to take to achieve its strategic objectives.
24:02
To achieve this principle, there should be independence from management of the risks that are overseen, there should be three lines of defence, oversight functions should be sufficiently resourced with access to appropriate skill sets, and robust processes should be in place to monitor, identify and report on the nature of risks and effectiveness.
24:23
And finally, principle four relates to reporting and disclosure and states that in support of its oversight role, the board works to ensure that appropriate reporting processes are implemented to achieve quality and effectiveness in reporting that enables informed decision-making.
24:39
To achieve this principle, boards should have access to unfiltered information from the audit committee and other oversight functions.
24:46
It's up to the boards to determine the levels of assurance they require for the insurer's financial and corporate reporting to be considered credible.
24:55
Next, principle five of the proposed guidance states that the insurer's corporate culture is fostered by its board.
25:07
An appropriate corporate culture promotes integrity and transparency and drives behavior that is in the long-term best interest of the insurer.
25:15
Boards should ensure, with the support of senior management, that they define a desired culture that supports the insurer's purpose, strategy, and effective oversight of risks and resilience, and that they foster a culture that encourages openness and constructive challenge of judgments and underlying assumptions.
25:32
And Principle 6 states that the board oversees the full scope of an insurer's operations by establishing governance processes for the insurer's subsidiaries that are commensurate with each subsidiary's impact on the insurer's enterprise-wide strategy and risk profile.
25:48
To this end, there should be clear reporting lines to the parent insurer.
25:53
Insurers should refrain from forming complex structures given the inherent risk involved and the governance risks of these entities must be managed.
26:04
So I'll turn it over to David now to move into the approach section of the guidance.
26:14
Thanks, Amber.
26:15
And actually, before we move on, just sort of a couple of the principles that Amber touched on that I'd like to reinforce a little bit.
26:25
She spoke about outcomes when it comes to the principles.
26:29
And I think this sort of outcome-focused approach is really important, especially as we look to scale what is being articulated here for the various shapes and sizes of insurers that are on the call today.
26:43
And those of you who have either met me in person or had the misfortune of hearing me speak before will have probably heard me say that these really should be shared desired outcomes.
26:56
I think ultimately we are pushing for the same types of outcomes that you are.
27:01
And when we talk about things like the board being in a position to make informed decisions in the best interest of the insurer and its subscribers, members, policyholders, I firmly believe that that's something that we can all get behind.
27:16
And ultimately, we'll talk a little bit as we go through this section of the presentation about a collaborative approach towards ensuring that those outcomes are achieved.
27:28
Again, going back to this idea of independence for the board, and I know that we have a number of different board structures represented here today, but ultimately what we look for is an ability to act independently from senior management regardless of how your board is composed.
27:48
What you'll see here is a few sort of indicators of independence, that is, sort of characteristics that we look at when we're trying to determine whether the board is set up to act independently.
28:04
These are not surefire success factors.
28:08
I think it's important that in practice the board is able to demonstrate that it is making decisions independently, that it is challenging senior management on the information that it's receiving.
28:21
And really that sort of comes down to first of all ensuring that roles and responsibilities are clearly defined, but also making sure that the composition of the board appropriately reflects the nature of the business, the nature of the consumers that you're serving, so that diverse views are brought to the table, and ultimately that issues are given the discussion that they warrant.
28:44
So again, these are some of the elements that we will look to as we're assessing independence, but ultimately it's our conversations with directors, with the senior management team, that give us the most insight into this particular factor. We can move to the next slide.
29:07
So part of ensuring that the board is able to act independently is making sure that they're getting independent advice, that is, reporting from those other than the members of their staff that are actually putting on risks and owning those risks. And the three lines of defence concept should be familiar to most people on the call at this point.
29:32
Within our framework we define them as operational management, risk management and internal audit.
29:38
Again, hopefully familiar terms to you at this point.
29:43
Really, these structures are meant to ensure that there are multiple perspectives on the issues provided to the board at any given time, so that again, they're able to make informed decisions from their position on the board.
29:57
Again, they're not supposed to be involved in operational decisions.
30:01
And so as they get a much higher level of view of what's going on at your insurer, it's important that they have more than one source and that some of those sources are independent.
30:14
So we will look for these structures or something like them.
30:19
Again, we're being proportional as we assess this, and so we understand that some insurers might not have enough employees or resources to have a fully dedicated risk management function.
30:33
In cases like that, we will look to what we call compensating controls, whether it's elements within the senior management team or elsewhere that allow the board to periodically get an independent opinion on risks and on performance relative to the principles that have been outlined by the board.
31:00
So, again, our intended outcome here, and this, again, I hope is a shared and desired income, sorry, not income, outcome, the other one, is ultimately that the board is able to seek independent assurances.
31:16
More so than that, they actually do seek independent assurances that risks are appropriately managed and that the insurer is aligned with legal and regulatory requirements.
31:27
We've talked again a little bit about what proportionality looks like in this regard.
31:33
Ultimately, much of this is functions that are delegated to the senior management team.
31:42
And I want to go back again, just to reference something that Amber said, sort of the distinction between accountability and responsibility.
31:51
Ultimately, the reason that we make that distinction is that some responsibilities can be delegated by the board to board committees, to their senior management team.
32:02
Accountability, on the other hand: you have to make sure that things get done when you're accountable.
32:10
And the board is not able to delegate that.
32:13
And so what we're talking about here is ensuring that there are appropriate feedback mechanisms so that the board is in a position to make sure that things are getting done.
32:24
Again, informed decision-making, having the right information at the right level in front of them so that they can get assurances that oversight responsibilities are being carried out as delegated to the senior management team.
32:40
And we can go to the next.
32:44
So we talk about integrity of reporting and disclosure.
32:47
I want to sort of emphasize that this is both internal and external reporting.
32:55
So we look at it across a number of different facets.
32:58
The first one is the structures that have been put in place to facilitate that reporting.
33:05
And again, we'll look at to what extent those have an independent component, and ultimately the decisions that are being made at each stage to get up to the board's attention.
33:19
Reporting has to be integrated, and it should be enterprise-wide.
33:23
It should encompass all of the activities of the insurer and ultimately reflect a level of granularity at each level that's appropriate for the audience.
33:36
So obviously reporting to the management team will be more detailed than reporting to the board.
33:41
But ultimately, as we look at integrated reporting, what we're really concerned about is, is there clarity through the governance directors, through the reporting lines about what is important, what needs to be escalated, who ultimately is making determinations about what warrants the board's attention?
34:02
Because in ideal circumstances, it should be the board themselves that are making that determination.
34:08
Does reporting include considerations of risk at every stage?
34:13
Again, this is inherent to integrated reporting, but it's worth stressing on its own.
34:19
Is the board able to periodically get assurances that operations are in line with the limits that have been set by the board, the principles that have been articulated by the board, regulatory minimums that have been established by FSRA?
34:36
Ultimately, it's incumbent on the senior management team to ensure that risk reporting is at a high enough level that it is relevant to directors, but ultimately encompasses all of the insurers' activities.
34:51
And part of that comes with just articulating a risk appetite statement that makes sense, that's consistent with the way that risks are measured, and ultimately rolls up to the director level in a way that allows them to meaningfully understand how operations are currently affecting risk.
35:11
Obviously, integrity of financial statements is an important component here.
35:14
This is the outward facing component and external audit.
35:19
This is largely their concern.
35:22
We take an interest in this because, and Victoria talked about this at the outset, statutory objects.
35:29
In addition to having a prudential mandate, we also have a consumer protection mandate.
35:35
Financial statements and disclosures are an important part of maintaining that relationship and that duty to your policyholders, your members, your subscribers, and so we take that as seriously as we do the internal reporting.
35:49
And then finally, and we've talked about this a little bit already, periodically assessing the quality of reporting is really important and this is a key responsibility of the board to tell senior management when they don't feel they're getting enough information or when they feel like they're getting too much, too detailed information.
36:14
A sure sign of an engaged board and a board that is challenging management is when they seek to influence the type of information that they're so that they're able to make more effective decisions.
36:27
And so ultimately, we look to understand that process as part of our assessment as well.
36:33
We can move to the next.
36:38
Amber mentioned culture, as she was talking about our principles.
36:42
And the reason that we care about culture from a prudential perspective is that everything we're talking about here is ultimately information flows within your insurer and how it gets to the right people at the right time in order to allow people to make timely and effective decisions.
37:05
Culture is ultimately a mechanism that can either support the flow of information to where it needs to go or seriously undermine that process if the wrong type of culture is being fostered.
37:22
And so while certainly, we, you know, culture is a nebulous subject and we don't have any specific guidance on exactly what an effective risk culture is, we talk about it in the context of governance because it is such an important enabler.
37:41
And in fact when it doesn't exist as we say here well-designed frameworks, robust systems experienced people can be rendered completely ineffective if the wrong behaviors are being incentivized within the organization. Moving to the next.
38:01
So what we ask of the board is really first of all to set the tone from the top when it comes to articulating the desired behaviors and the culture of the organization.
38:15
And I will say that with the insurers that I've had the pleasure of interacting with so far.
38:21
I think this is taken very seriously and the board has done a very nice job of articulating again those desired behaviours, whether it's in the form of principles or a vision for the organisation or supported by a code of conduct.
38:38
All of these things are fundamental to good governance.
38:42
It's important then to reinforce those desired behaviors with the management team and with staff at all levels.
38:50
And what does that mean?
38:52
Well, it means making sure that roles and responsibilities and expectations in that regard are documented, are clearly understood.
39:02
This allows the board to then seek assurances that frameworks, policies, procedures, and even performance objectives for staff appropriately reflect the behaviours that the board wants to see from their staff, from their management team.
39:20
And again, integrity, transparency, these are behaviours that are fundamental to effective governance.
39:30
Ultimately, I mean, we talked about performance objectives, but as much as we would like to say that it's not the case, compensation, rewards, incentives are significant drivers of behavior.
39:44
And so in addition to tone from the top, in addition to clearly articulating roles and responsibilities with regards to behaviors in policies and procedures, we also look to the extent that those behaviors are evident in compensation programs and compensation outcomes, because I think this has the chance to go very wrong if that's not the case.
40:10
And finally, this is all reinforced by leading by example.
40:16
The board of directors should demonstrate the behaviors that they wanna see from the rest of the organization and the same for the senior management team.
40:26
But ultimately, it is up to the board to foster the type of culture that they wanna see in their organization.
40:36
On to the next, please.
40:38
So quickly, in terms of just how we assess board effectiveness, ultimately a lot of what we've talked about to date is characteristics.
40:50
So, you know, how roles and responsibilities are documented.
40:57
Compensation programs, as we discussed.
40:59
Enterprise risk management frameworks.
41:01
The characteristics of the board itself.
41:04
What does the board look like in terms of compensation?
41:06
what does the collective skill set look like, what experiences do they bring to the table that can help them set direction for the insurer going forward.
41:17
Characteristics are part of our assessment but we also look at performance and this is really a measure of effectiveness and I think characteristics can and often are a driver of performance but there's not always a correlation between the two.
41:36
And if there's one thing that I want to stress, it's that when we're assessing the board, we weigh performance more heavily than we do characteristics.
41:45
And so this is why I can be fairly confident in saying that these are actual proportional assessments.
41:52
And as you look through the guidance and ultimately, we articulate some of the things that we look for when we're assessing the board.
42:01
And you may not have all of those things.
42:05
Ultimately, we may suggest that you formalize some of what you're doing, document it, so that ultimately it becomes a characteristic and we get some assurances that this will be a sustainable practice that everybody understands, and that when there's turnover in the organization, that practices won't change.
42:26
But ultimately, what it's important to demonstrate to us is the performance aspect.
42:31
And that again is, you know, can you demonstrate that the parties involved have been effective in carrying out their roles and responsibilities?
42:42
Does the board challenge management?
42:44
Can they evidence times when they've asked for more information or they've asked for changes to reporting where questions have been asked of management regarding the information they've been provided.
42:57
And ultimately as we look at performance we also look at the extent to which the board has engaged directly with FSRA.
43:06
We need to interact with boards as part of this process as part of our assessment and that's not just informal assessments that occurs in our regular meetings with insurers when we're invited to board meetings and I will say we love being invited to board meetings So, feel free to invite us in to talk about anything and everything.
43:31
But ultimately, the more we foster an open and transparent relationship between FSRA and the board, the better the principles-based approach works, and the more we're able to collaborate in trying to achieve these intended outcomes.
43:48
Next, please.
43:51
So just one more slide here to sort of emphasize the importance of collaboration.
44:00
I think this is more than just lip service, and my hope is that insurers who have already been subject of the RBSF assessment will attest to this.
44:11
But ultimately, we will work with you first of all to understand how well what you're already doing aligns with outcomes that we're all trying to achieve.
44:23
And then on solutions, enhancements to allow the insurer to better demonstrate that it is achieving the outcomes that we're seeking.
44:35
And so we talk about here about ongoing work to build consensus and understanding.
44:40
And I think more, most importantly, the free flow of information, because ultimately if we are going to have a risk-based approach we need to understand where the risks are and we will work with you to understand what our comfort level is with the way that you operate and that will ultimately determine maybe how often you see us in the course of the year but again this is when intended outcomes are aligned this is a transparent and collaborative process.
45:14
To the extent that collaboration does break down, and I want to stress that this is not something that happens often, and it takes a long time to get to this point.
45:24
But ultimately, for example, if we don't feel like we're getting good information from an insurer, we do have to make conservative assumptions about your practices, about your risks.
45:35
And that will ultimately drive our supervisory intensity through our risk-based supervisory framework.
45:42
We may have to get more prescriptive with our requirements, with the contents of our interim supervisory letters, if we're not getting traction on a collaborative approach, and ultimately you are going to see more of us as we need to drive home, ultimately, practices that we're comfortable are achieving the outcomes.
46:10
Again, when I say collaboration breaks down, that doesn't mean that we have to agree on every point.
46:19
This is a fair bit down the road when our collaborative approach has clearly not achieved the desired outcomes.
46:28
And we don't take that position lightly.
46:33
So with that, I am going to turn it back to Victoria for the first of our question periods.
46:41
Great, thanks so much, David and Amber.
46:45
And then for the question and answer period, we'll have a few more individuals just coming on screen.
46:52
They'll pop up in a minute who will help answer some of the questions.
46:57
So we have Stethon Rabi, who's our legal counsel for the tough legal questions that you may have, and Steve Kakelliaris, the Director of Approvals and Supervisory Practices in the credit union and insurance prudential sector.
47:13
So I'm seeing a few questions have come in and I'll read them out shortly, but please note that you can type any of your questions in the question box and I'll read them out.
47:23
We can discuss them.
47:25
So I see quite a few questions have come in for David.
47:29
David, you're popular today.
47:30
Surprise.
47:34
Just on your point about controls and three lines of defense, you talked about compensating controls, that we look for compensating controls in the cases where, let's say three lines of defense, the key characteristics are not there, at least in the way that we envision them on the slide.
47:55
So can you speak a little bit more about the compensating controls when there's no dedicated risk function?
48:03
Sure, so when there is no dedicated risk function, we typically look to senior management to understand the extent to which structures or processes exist within which they are able to provide some independent perspective to the board.
48:26
I think, you know, it looks a little bit different in every insurer and I sort of we don't have any preconceived notions about what it could look like.
48:38
You know, something we often see, for example, is sort of the collective as a substitute for independence.
48:46
So, this would be a situation where a committee, whether it's a large or small committee of senior management members, provide independent oversight.
48:57
And the fact that it's a shared responsibility makes it more independent than just having the head of a business line, for example, reporting directly into the board.
49:09
So, I think, you know, one of the things that I want to stress as we go through this process is that we're not expecting you or asking you to create anything brand new just for the purposes of an RBSF assessment.
49:28
We want to work with you to understand what your existing practices are and we will provide guidance in a collaborative way based on our understanding.
49:41
So whether it's through the assessment, whether it is through our quarterly meetings that we'll be establishing with a more regular cadence or you know just reach out to your relationship manager and pose the question and start that dialogue because again our goal here is not to force you into a specific box in this regard but to understand why you're comfortable that your practices are appropriate for your insurer.
50:14
Great.
50:14
Thanks, David.
50:15
And a bit of a related question in terms of independence, but more independence of the board from senior management.
50:24
Can the CEO be a director of the board?
50:27
And is that the norm?
50:32
Yeah, I'm not sure about the norm.
50:37
Certainly it's a practice that we've seen.
50:42
And I think, you know, again, we look at everything in context, right, and so a lot of it has to do with the personalities involved.
50:52
And I think the relative comfort level of various members of the board with the subject matter.
50:59
So I think the one clear distinction we make is that the chair of the board and the CEO should be separate, which I would hope goes without saying.
51:08
But ultimately, you know, we would want to understand what you as an insurer are doing to make sure that the rest of the directors, for example, aren't abdicating their decision making power to the CEO as a member of the board.
51:25
And that could take many forms, whether it's, you know, periodic in-camera meetings without the CEO there, or just demonstrating to the regulator that your governance processes are such that no one person can dominate the conversation.
51:48
So there are specific dynamics in which we might recommend the CEO not be on the board, but we don't make any blanket statements in that regard intentionally.
52:06
Great. Thanks, David.
52:09
And maybe to give you a bit of a break.
52:12
There was a follow up question for my part of the presentation.
52:16
Just asking about the difference.
52:18
I used two terms.
52:19
I used objective and an object when speaking about FSRA's mandate under the Financial Services Regulatory Authority of Ontario Act.
52:29
And I think I use those.
52:31
Those are legislated objects that FSRA is given by the legislature that we have to implement in our day-to-day activities. So that's one way that we use the term object.
52:47
And then the other term that I think perhaps David used when he was talking about kind of corporate culture and corporate strategy is the insurers business objectives and you know the process having a appropriate process for setting of business objectives and working with your management on those.
53:10
So I think those are, I hope that clarifies it, I think in the context of FSRA's mandate it's an object and in the context of insurers' business objectives.
53:25
There was a question, there's a few questions about posting the PowerPoint for attendees.
53:31
So we will post it on our website.
53:32
And I think we usually do send out an email when the webinar, the webinar has been posted.
53:39
So it takes, it's probably in the next month and a half or so, you should see that.
53:46
Okay, now back to David.
53:48
So you spoke about culture and the importance of culture.
53:54
Could you be a little bit more specific on how you define culture?
54:00
Yeah, I think it's a fair question.
54:06
And I intend to provide an immensely unsatisfying answer.
54:12
I think what we're more concerned about is the way that you define culture.
54:18
I think what we want to understand is specifically the way in which it either supports or undermines effective governance.
54:27
And so again, these issues of transparency, of integrity, the extent to which those are emphasized and reinforced, again, through your policies, procedures, roles and responsibilities, and ultimately in, you know, in compensation programs and outcomes.
54:51
I think making sure that, again, notwithstanding that, you know, you have long-standing organizational cultures that I think probably implicitly reinforce these desired behaviors already, we will seek to understand how that works, how it's reinforced, and how you get assurances that those behaviors are being consistently displayed.
55:19
And so I think as a definition, culture is really a set of values and behaviors that exist within an organization.
55:32
The way we look at it is specifically in terms of the way that the ways in which it either again supports or undermines the flow of information to decision makers and that's again as far as I can really go in a general context I think I certainly feel and hopefully you do as well that you know it when you see it And hopefully in your interactions with the regulator, you can provide us with comfort as well.
56:07
Great, thank you.
56:08
Hopefully that's satisfactory, but whoever posed the question, feel free to follow up if you want to clarify anything.
56:16
So the next question is for Steve.
56:21
And this is about the kind of the internal audit process.
56:26
So could you please elaborate on the internal audit process with respect to risk management.
56:33
Who would typically conduct this audit?
56:39
Well, I mean, I think it should be somebody who is independent of risk management, right?
56:44
So it is an assurance function.
56:49
We're just looking to make sure whoever is identifying and reporting on the risks, there's a separation from those people who are receiving the reporting, managing the risks.
57:06
And it should be somebody who is sufficiently independent of those processes, who has the, you know, the expertise to be able to assess whether that process is achieving those outcomes of independence.
57:29
Yeah, just to add to that, I mean, ultimately, we look at, again, independence, which for larger institutions will be a, could be an internal function whose sole role is to provide internal audit.
57:49
We also look at skill sets, right, and to what extent is it reasonable that an internal function could have sufficient skill sets to have independent opinions on everything that's happening within the insurer.
58:03
We often see our regulated entities go to a third party that specializes in audit services to provide that third line of defense.
58:15
The only thing that I'd stress in those cases is that while you can outsource any function almost, the remains accountable for the effective performance of that function.
58:29
I think that's particularly true when it comes to internal audit because they are directly accountable to the audit committee and it's important that the audit committee is able to form views on how effective that internal audit function is and act accordingly. Great, thank you very much and welcome Stefan.
58:50
I think we're having a bit of IT issues but glad to have you here. Great, okay.
58:59
One question, and I think this is relating to some of the slides that I talked about in terms of principles based regulation, but maybe I'll start this off and then others feel free to jump in.
59:11
So, can we hear about what an increasingly prescriptive approach might look like?
59:16
So in the beginning, I talked about our principles-based approach and both pieces of guidance, setting out high-level principles and objectives which could be tailored to the size complexity and the risk profile of the insurer.
59:29
So an example could be of those principles getting more prescriptive is, for example, setting out how often boards should meet, what types of things should be reviewed for appropriate corporate governance, the types of documents, the types of committees that need to be formed in order to provide appropriate oversight. So those are my thoughts on how we could get more prescriptive.
59:57
I'll pass it on to the panel.
1:00:00
Yeah, I guess, you know, just to emphasize, since to some this might sound like a return to the comforting days of the regulator will tell me exactly what to do, and then I'll it.
1:00:16
You know, what it really ends up, you know, resulting in is solutions that aren't ultimately tailored to your specific circumstances, to your specific operations.
1:00:29
It's why I think both sides should prefer the collaborative approach to identifying ways in which these outcomes can be achieved.
1:00:38
I think, you know, we will, and I'll stress this again, we will work for quite some time with you collaboratively to find something that makes sense and that both parties can be comfortable with.
1:00:53
And the move towards a more prescriptive approach is something that we should all try to avoid if we can. Great, thanks David.
1:01:05
And I think this next question is maybe somewhat of an example of, you know, whether there's, of maybe the flexible approach.
1:01:17
So in terms of how often do we, board meetings, how often do we anticipate boards should be meeting?
1:01:25
Is it quarterly, annually, or semi-annually?
1:01:31
Yeah, it's a fair question.
1:01:33
And it's, again, something that we will look to understand why you're comfortable with the number of meetings.
1:01:42
I think, you know, some of it obviously will fluctuate not just with the complexity of your business but how dynamic is it?
1:01:48
Are there significant quarter over quarter changes?
1:01:52
Is quarterly not enough?
1:01:55
You know, these are things that we'll assess as we talk to your management team, as we talk to your board.
1:02:02
I think most insurers will now be submitting board packages to FSRA.
1:02:09
This is part of our monitoring process, it's an important way for us to understand at a high level your insurer, what's important to your board, the types of issues that are being discussed.
1:02:25
And I think with some of you, we would have started with not even the packages themselves, but the calendar of meetings to better understand what meetings are happening.
1:02:35
And then from there, determine what information we need to see in terms of board packages.
1:02:43
So to the extent that we're not necessarily comfortable with how frequently your board is meeting, we'll have insights into that more and more now through the collection of this information.
1:02:58
And we will start that conversation with you at that point.
1:03:03
At which point, you know, the onus will be on you to show your work and convince us that the way you're operating is sufficient given your size, given your complexity, given the nature of your business.
1:03:17
Great.
1:03:17
Thank you.
1:03:18
And maybe just another version of that same question is how often will FSRA meet with boards?
1:03:27
So back to you, David.
1:03:30
As often as you'd like, but maybe slightly more often than that.
1:03:37
I think, again, we find real value in direct interactions with boards of directors, and we will take advantage of that opportunity anytime we're invited to do so.
1:03:52
I think that as part of an assessment, we will have in-camera meetings with key members of your board.
1:04:01
I'm thinking the board chair, specific committee chairs, just to get, again, a sense of their perspective on the issues.
1:04:11
If there's one thing that I really wanna drive home, it's that these interactions with directors are, and with management teams for that matter, they're not a test.
1:04:19
There is no pass fail element here.
1:04:23
They are not designed to be gotcha moments in any way.
1:04:27
We're looking to understand or complement our understanding of your institution.
1:04:31
Get your perspectives and views, understand what's important to you, and the extent to which your views on that are supported by the organization's processes and reporting.
1:04:44
So I don't think that there's a set cadence.
1:04:48
Again, it will depend in part on how often your board wants to engage with us.
1:04:56
But whether it's as part of our quarterly meetings with the management team or in any other forum, directors are certainly welcome to join at any point.
1:05:10
Great.
1:05:11
Thanks, David.
1:05:12
And maybe the last question for Amber on risk, just a little bit about the reciprocals and how some of the capital standards apply to reciprocals.
1:05:29
So are capital standards applicable to reciprocals given the nature of subscriber agreements and the fact that the MCT guideline does not lie.
1:05:44
So all insurers should have sufficient capital to meet minimum and supervisory target regulatory capital, as well as sufficient capital to support its own risk profile and business objectives, taking into account unforeseen risks and the external operating environment.
1:06:05
Although under the Act, reciprocals aren't required to comply with the minimum capital requirements that are set out in the 2023 guideline.
1:06:15
The CEO of FSRA requires reciprocals to file the MCT as part of their returns pursuant to the authority set out under the Insurance Act.
1:06:25
And on top of that, principles set out in the guidance are considered common industry practices, which FSRA will assess under its RBSF.
1:06:38
So not meeting the intended outcomes may result in an elevated level of supervisory engagement.
1:06:48
Great.
1:06:49
And I think that was it for the questions.
1:06:52
There was one question to see if somebody asked if they could get a copy of the actual PowerPoint presentation without waiting for the webinar to be posted.
1:07:03
So we'll loop back on that because it does take some time for the webinar to be fully translated and posted.
1:07:10
So thank you for the question.
1:07:11
And I think we can now move on to part two of our webinars.
1:07:18
So getting into the second hour, thanks to everyone for tagging along with us here.
1:07:27
So I think Amber and David will present the next portion.
1:07:32
So I'll pass it over to Amber for an overview of the proposed operational risk and resilience guidance.
1:07:40
Hey, thanks Victoria.
1:07:47
So FSRA is developing the operational risk and resilience guidance at this time, given that insurers are increasingly relying on technology, data, and third-party ecosystems in their daily operations.
1:08:01
So for this reason, FSRA is placing a higher degree of importance on operational risk identification, assessment, and management, as well as operational resilience.
1:08:12
The objective of the proposed operational risk and resilience guidance is to enhance non-financial risk management and non-financial resilience by improving the insurer's ability to monitor its current environment, its ability to anticipate future threats and opportunities, and its ability to respond effectively to any stress event and learn from past failures and successes.
1:08:39
Next. So what do we mean by operational risk and resilience?
1:08:46
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.
1:08:59
This definition includes legal risk but doesn't include strategic and reputational risks. Reputational risk may arise from operational risk materialization.
1:09:11
With operational resilience, the insurer's effective treatment of operational risk during business as usual and under stress contributes to their safety and soundness and operational resilience.
1:09:25
Insurers that have a high degree of resilience are more likely to incur shorter lapses in their operations and experience smaller losses from operational disruptions, reducing the impact that an incident could have on critical operations and related services functions and systems.
1:09:44
So in achieving operational resilience, insurers may need to adopt a new mindset with an added perspective, develop preparedness and awareness plans and implement effective strategies when we make from business as usual to a stress environment.
1:10:02
Next, so the proposed operational risk and resilience guidance includes interpretation and approach guidance, but unlike the corporate governance guidance, it also includes information guidance.
1:10:21
So information guidance provides information that may be useful to the sector, but does not create compliance obligations.
1:10:29
So the interpretation portion of the proposed operational risk and resilience guidance sets out its review of any relevant legislative or regulatory requirements with respect to operational risk from the Insurance Act and related regulations.
1:10:44
And Victoria spoke to the key principle that we're interpreting through the MCT guidance earlier.
1:10:52
And the approach section of this guidance outlines our processes and practices for assessing insurers' operational risk and resilience in accordance with the risk-based supervisory framework.
1:11:04
The Interpretation and Approach sections both set out four principles for operational risk management and insurers would need to demonstrate how they're meeting those principles and supervisory outcomes.
1:11:18
The principles relate to governance, risk identification and assessment, risk management and resilience and adherence to these principles would be applied proportionately based on size and complexity.
1:11:33
And in the information section of the guidance, it basically acknowledges that some insurers have begun considering environment, social and governance factors in their risk management practices and summarizes some of the guidance and standards relating to ESG risk management that have been developed by other jurisdictions and standard setters and outlines potential future implications for insurers. Next.
1:12:06
So operational risk could originate from many places, including the insurer's products, activities, people, processes, systems, and the external environment.
1:12:17
And the insurer should consider the complexity of its products and services, delivery channels, and level of automation when identifying the nature and complexity of operational risk.
1:12:27
So we have a few examples here of operational risk events to illustrate outcomes that could arise from different types of operational risk.
1:12:37
So in our first example of cyber risk, a cyber attack has compromised an insurer's core underwriting system and also resulted in a data breach at the data warehouse hosted by the third-party vendor.
1:12:52
Data was corrupted and the system was shut down by the third party vendor for investigation and to be able to clean and restore the data.
1:12:59
And this led to major operational disruptions of the insurer.
1:13:05
The second example relates to exposure to data risk and legal risk.
1:13:11
In this example, an insurer has erroneously transferred confidential policyholder information in an application, in an API interface, call to a fintech without first securing the consent of the policyholder.
1:13:25
And the privacy breach resulted in legal liability and reputational damage for the insurer.
1:13:32
And the last example that we have here relates to exposure to third-party risk.
1:13:38
And in this example, an insurer relies on a third-party consultant without understanding the underlying model assumptions.
1:13:46
As a result, poor risk management decisions were made by the insurer, which led to financial losses.
1:13:53
Next, so this slide captures the principles that are laid out in the proposed operational risk and resilience guidance and the associated outcomes to demonstrate the effectiveness of the operational risk management framework.
1:14:15
So under principle one, which speaks to governance, senior management is responsible for developing, updating and implementing the policies, processes and systems used to manage operational risk and enhance operational resilience effectively at all decision levels, and ensuring that it's understood among staff, third parties and other relevant stakeholders based on the level of their involvement in managing the risks.
1:14:42
The board is responsible for establishing the necessary strategies and governance structures, overseeing and approving the insurer's operational risk management program, as well as ensuring that there are adequate resources to carry out their operational risk management activities and meet policyholder obligations.
1:15:02
Under principle two, which speaks to risk identification and assessment, insurers are required to comprehensively identify, assess and understand the operational risk inherent in all of the insurer's products, activities, people, processes and systems, as well as its external environment, which enables the development and implementation of corresponding risk strategies.
1:15:26
Principle three speaks to risk management and states that an insurer must implement a robust operational risk management program to reduce the frequency of risk materialization and the impact of operational risk events on the insurer's policyholders and other stakeholders.
1:15:45
An insurer's approach to managing operational risk must be carefully considered, adequately documented and periodically updated to reflect changes in their operating environment, risk appetite, tolerance, and or the advancement of risk management capabilities.
1:16:04
So these examples illustrate the operational risk management processes and positive outcomes.
1:16:11
Under principle four, the board and senior management plan for adverse scenarios and ensure that the insurer is crisis ready.
1:16:21
The insurer achieves resilience during business as usual through enhancing crisis preparedness and improving its ability to monitor and anticipate any escalation risks.
1:16:33
And next.
1:16:38
So on this slide, we've provided an example of what effective governance of operational risk looks like.
1:16:45
The intended outcome is that ultimate accountability and responsibility for operational risk oversight resides with the insurer's board and senior management.
1:16:54
In assessing how effectively insurers achieve the intended outcomes, FSRA will assess the extent to which the board periodically reviews and approves the insurer's operational risk management framework and supporting frameworks.
1:17:07
Insurers establish a structure with adequate separation between functions or individuals that manage versus oversee operational risk.
1:17:17
That the board effectively integrates its operational risk management framework into its enterprise risk management program and other enterprise-wide initiatives.
1:17:27
And the board ensures that there are adequate resources to carry out operational risk management activities.
1:17:35
And I will turn it over to David now to speak to the approach portion of the guidance.
1:17:44
Thanks, Amber.
1:17:47
So I do want to focus on the approach because ultimately, again, when we're being evidence-based in how we develop rules and guidance, the evidence in this case was that there was some benefit to the sector from us articulating our approach to assessing operational risk, to assessing resilience, because they do form a very important part of our overall framework.
1:18:17
And so, as you look through the guidance itself and at some of the specific characteristics that are listed there.
1:18:27
Again, those are just characteristics and ultimately you should be asking yourselves, do we do this?
1:18:36
And if you're comfortable with the answer, then, you know, that starts the conversation with FSRA.
1:18:43
So the only sort of real sort of foundational elements that we will always look to are covered in the interpretation section, right?
1:18:54
And that's the board ultimately approving the overall approach to operational risk management and resilience and an associated risk appetite, being able to identify and monitor operational risks, put some sort of control framework around those risks, and then ultimately test your own resilience and learn whether it's from test results or, you know, unfortunately from operational risk events about what you could do better and improve your overall framework as a result.
1:19:32
Everything else and how that is implemented is ultimately a function of your organization, the types of risks that you're facing and you should design your own programs appropriately.
1:19:47
We have part of our framework up here.
1:19:50
I will note that this is in our framework, which is online.
1:19:57
If you're not familiar with our framework, I highly suggest that you have a read.
1:20:01
It is pertinent to your jobs.
1:20:05
But ultimately, we look at operational risk in a couple of different ways.
1:20:12
For larger and more complex insurers, or for those that have a significant IT component of their strategy, we may look at it as a significant activity.
1:20:23
And so for those of you who don't know, as we're looking at your business as part of an assessment, we break it down into what we feel the most significant activities are so that we can look at the inherent risks and controls associated with each activity.
1:20:36
So again, we may look at operational risk in the context of a significant activity.
1:20:41
All significant activities will be assessed as to the inherent level of operational risk.
1:20:47
Given that activity in a vacuum, how likely is it that something can go wrong that could potentially disrupt operations?
1:20:56
We will look at the quality of controls and oversight.
1:21:00
Again, that's the three lines of defense that we've already talked about, plus senior management and the board in terms of their ability to oversee and manage operational risk. That will come down to the framework that you have in place, the clarity of the roles and responsibilities, your processes for scanning the environment and your internal operations for the potential for new operational risks.
1:21:27
All of this is what we will seek to understand as we look at the quality of controls and oversight.
1:21:33
And then ultimately this topic is deemed to be of such importance to supervisors that we have included it as a modifier to the risk rating of your institution.
1:21:47
And if you'll see down at the bottom of the slide that last gold arrow, once we've assessed what we feel is the residual risk in each of your lines of business, from both the market conduct and prudential perspective, that risk rating gets or can get modified by our view as to the strength of your capital, including earnings, the strength of your liquidity and liquidity management processes, and of course resilience, which we're talking about here today.
1:22:15
And so again, when we look at resilience, it's about not just what you have in place in terms of your practices, your policies, your systems, your people, but ultimately the extent to which you are able to continuously learn, whether it's from the mistakes of others, the results of your testing or, you know, ultimately operational risk events that have impacted you, to ultimately improve your processes and reduce the likelihood of any disruption going forward.
1:22:50
Next, please.
1:22:54
So again, we look at characteristics and performance, and we've already covered a good chunk of this, because again, the characteristics are really what is your framework?
1:23:05
What are your processes?
1:23:08
What evidence is there that the board reviews the risk appetite, the risk reports, the high-level framework that controls all of this?
1:23:17
And then performance, which again is higher weighted, is your demonstrated ability to adapt, to respond, to learn from past failures and successes.
1:23:32
And again, this can be as simple as periodically testing your processes, documenting the results and taking any learnings into the next round of framework enhancements.
1:23:44
And it can be as unfortunate as specific learnings from a cyber risk incident or some other disruption to your processes.
1:23:54
So these are the two lenses through which we assess resilience.
1:23:59
But again, ultimately, we put more weight on performance than we do characteristics.
1:24:05
Next, please. So Amber mentioned that there is an information section to this guidance.
1:24:15
The reason that it's information is that we are not currently putting in place any expectations or requirements when it comes to ESG.
1:24:27
We feel like these are incredibly important topics.
1:24:31
We are engaged with a number of stakeholders at the provincial level and at the national level on better understanding these risks, on participating in stress testing exercises.
1:24:43
But we don't currently feel like there is enough data available for there to be evidence that guidance or standards are warranted in Ontario at this time.
1:24:57
That said, we are extremely interested in learning about how you incorporate these elements into your broader risk management framework.
1:25:05
And I think certainly the physical risks associated with climate change are at the forefront right now, but through our interactions with you, with your board, with your management team, we would like to understand the extent to which these factors here are considered and the way that they are incorporated into your broader processes.
1:25:31
But at present, as I said, we will not be issuing specific guidance or standards in this regard.
1:25:39
That said, if you are looking for guidance and standards, on the next slide there are a number of standard-setting bodies that have put out more information on this, and if I could add another one to the list here, the Task Force on Climate-related Financial Disclosures, as being the basis for, for example, OSFI's framework on climate risk management.
1:26:10
And so again, if this is something that you would like to engage with in more detail with us, please reach out to your relationship manager and we would be delighted to have a conversation.
1:26:24
With that, I believe it's time for the next round of questions.
1:26:33
Great. Thanks, David, and I'll come back on. Maybe let's go to the next slide.
1:26:40
I think we have one summary slide just to kind of wrap all the concepts we heard together, which are very interrelated concepts, and then just talk about next steps, and then we can go into the final question and answer period.
1:26:53
I jumped the gun again. Sorry, Victoria.
1:26:55
No, no, all good. All good.
1:26:57
So just to summarize, the proposed operational risk and resilience guidance, which we just talked about, sets out key principles for risk identification, assessment, management and resilience, which has become of greater importance as we've seen an increased use of technology and data, and third-party and cyber risks, which increase day-to-day operational risks for insurers. And so that's the purpose of that guidance.
1:27:24
And then the proposed corporate governance guidance sets out foundational principles for effectively managing the business of insurers in a safe and sound manner.
1:27:37
So as David mentioned, we look forward to continuing to work with insurers on the principles set out in both proposed guidances, having them be a common set of principles that we both agree on, and also engaging with insurers through the risk-based supervisory framework as well as ongoing dialogue with respect to the two pieces of guidance specifically, so they're open for consultation.
1:28:04
The consultation closes on June 17th, in a couple of weeks, so we really look forward to your feedback, and stay tuned for further updates.
1:28:14
Once again, we don't have an effective date for both pieces of guidance, and we'll determine that once we consider stakeholder feedback.
1:28:25
So on the next slide, let's go into the final Q&A for mostly the operational risk and resilience guidance, but if anybody has questions on the corporate governance guidance at this stage, we can also address them as well.
1:28:41
So there's a question about the ORM process, the operational risk management process.
1:28:48
How do you define robust in the context of the operational risk management process, and can FSRA provide an example?
1:29:00
And I believe this question came up when you were speaking about kind of the governance framework around operational risk.
1:29:06
So maybe I can start and then David, feel free to jump in as well.
1:29:11
So with respect to the operational risk framework, when insurer boards approve the framework, it should include things like the risk appetite, the tolerance and the limits that make sense for the insurer and the daily risks that are identified.
1:29:27
So for example, if an insurer has many third-party providers, you may want to have a separate third-party risk management framework that's appropriate for your activities.
1:29:37
But we'll ultimately look at how insurers are providing appropriate oversight over those risks.
1:29:46
Yeah, I mean, I think ultimately we don't define robust, right?
1:29:51
And I think that's sort of the point of a principles-based approach that can be scaled.
1:29:58
I think ultimately when we're looking at your insurer, we'll want to understand why you feel your processes are efficient to, you know, prevent or mitigate a disruption that could potentially harm, whether it's policyholders, subscribers, consumers, or compromise confidence in the insurance sector more broadly, right, because that's the other risk with disruptions.
1:30:32
And so "robust" will consider your resources, and it would consider the size and complexity of your business, and to a certain extent it will also have to consider the impact on the sector of a significant disruption in your activities. And so we will have significantly higher expectations, for example, for a systemically important reinsurer than we would for a smaller insurance company.
1:31:06
So, you know, one of the fun and frustrating things about principles based regulation is that we don't define robust, but we look forward to figuring it out together.
1:31:21
Great. Thanks, David.
1:31:23
And just a reminder to everyone, if you have any questions, feel free to add them to the chat box.
1:31:29
So the next question is for Amber, just about the interrelationship with the IT risk management guidance that FSRA has issued.
1:31:42
So some of the requirements, for example, around cyber risk are similar to the IT risk management guidance.
1:31:51
What's the purpose of issuing this guidance separately?
1:31:56
Good question.
1:31:57
So, overall, the operational risk and resilience guidance goes beyond IT risk management.
1:32:04
It speaks to outsourcing third-party risk, data risk, physical climate risk, among other things.
1:32:12
As operational risk could originate from any of the insurers' products or activities, systems, external environment, et cetera, we wanted to ensure that we developed guidance that's specific and proportional to Ontario insurers.
1:32:30
And this guidance complements and should be read in conjunction with other applicable FSRA guidance, including the IT risk management guidance, which sets out the enterprise-wide IT risk management practices.
1:32:49
Great, thank you.
1:32:52
And actually, for now, I think that is the last question we have for the webinar.
1:33:00
I'll just give it maybe another minute if there's any last questions from anyone.
1:33:07
But outside of this webinar, of course, you know some of the individuals on this call and feel free to reach out to us at any point as well.
1:33:22
Oh, I see there is one more question that just came in.
1:33:26
So it's with respect to the risk rating that gets assigned.
1:33:31
So, and this is for Steve, is an ORR assigned to each regulated entity based on information FSRA currently has, and can this be shared?
1:33:42
Or is an ORR only assigned after an RBSF assessment?
1:33:49
Yeah, so sorry about that. Yeah, I mean, an ORR is not assigned on information that FSRA currently has. Whenever we do one, we would notify you in advance, and there would be a request for information which would go beyond what we normally would collect, either the P&C-1 form or a board package.
1:34:22
So I guess the answer is no, not based on what we currently have; we'd need more information in order to do a comprehensive assessment.
1:34:36
And no, you know, that's a rating, that's an internal rating between us and the institution and cannot be shared.
1:34:45
And that would be explicitly indicated in our interim supervisory letter that we issue after each RBSF assessment.
1:35:01
And the last part of that question, yeah, so an overall risk rating is assigned only after we do an RBSF assessment, because of course it's a comprehensive process and rating which we cannot come up with, you know, just based on the regular quarterly reporting that we currently receive.
1:35:25
Yeah, maybe just to add quickly to that, and Steve's got it exactly right, the one sort of nuance there is that the information we currently have about your insurer may determine when we come and do an RBSF assessment.
1:35:40
The key thing here is that we are risk-based, and so we have to dedicate what are very limited resources appropriately.
1:35:50
And so the information that we gather from you through the P&C returns, through board packages, through our quarterly conversations with your management team, through interactions with the board of directors, all of that ultimately feeds the knowledge of business that Victoria spoke about at the outset of this presentation.
1:36:12
And we will, on the basis of our understanding of your institution relative to the risks elsewhere in the sector, make determinations about when to do an RBSF assessment.
1:36:27
I think, you know, that's why you haven't seen a schedule of assessments, because we need to be reactive.
1:36:34
And as much as we try to plan for these things, plans always have to change based on our perception of the risk.
1:36:41
And so, yeah, we go based on more than we have now when assigning an ORR, but the determination of when your assessment will occur will certainly be fed by the information we have now.
Great, thank you.
1:36:59
Just a follow-up question on the ORR. So I think, Steve, you mentioned that it cannot be shared.
1:37:10
It's just between the regulated entity and FSRA.
1:37:12
So the question is, is there talk about ORR being published at some point in the future?
1:37:22
Not that I'm aware of.
1:37:25
And yeah, I mean, I think it's probably something that should just be between FSRA and the insurer.
1:37:34
And I think if it's public, it could be taken out of context and people could infer things that, you know, could be, I guess, negative or damaging to, you know, the insurer.
1:37:51
And at this point, I don't know, there has been no talk of that whatsoever.
1:37:58
Yeah, we need to balance our statutory objects in that regard.
1:38:04
We have a market conduct mandate, which implies all transparency all the time.
1:38:11
Ultimately, as you will have seen, as Victoria was talking, we have statutory objects, one of which is maintaining confidence in our regulated sectors.
1:38:20
And so I've worked for and with a half dozen regulators in the last 20 years, and never have I seen one that publicly communicates the type of ratings that we're talking about here. And it's for exactly that reason.
1:38:40
Confidence in the sector, we need to be able to feel free to express our opinion about the quality of controls and oversight at your insurer without sparking, I won't say panic, but a lack of confidence in the insurance sector more broadly.
1:39:03
Great, thank you.
1:39:04
So maybe just shifting gears from ORR to some of the ESG comments that you talked about, David.
1:39:12
I think you mentioned there was another task force that was referenced in the guidance on ESG, but it was not on the slide.
1:39:21
Do you have that off the top of your head, or do you want to loop back?
1:39:26
Yeah, it's called the Task Force on Climate-Related Financial Disclosures.
1:39:33
It was originally led by, I think, Bloomberg, but it's the basis for a lot of the climate frameworks that we have seen come out of prudential regulators more recently.
1:39:50
But again, it's not the only authority, but I think it's another point of reference when you're talking about both physical and transition risks.
1:40:07
Thank you. Okay, maybe speaking a little bit about resilience, there's a question about resilience. And I'll point this one to Steve.
1:40:16
So it seems that resilience is a very subjective word and concept, and also it is best assessed in hindsight.
1:40:26
So, as I see it, it is difficult to try to assess it in advance.
1:40:33
Do you have any thoughts on that based on what we've discussed today?
1:40:38
Yeah, I mean, subjective.
1:40:41
I mean, we do kind of break it down into characteristics and performance. There are some things in the guidance that speak to it, but I would agree.
1:40:54
I mean, it probably is best assessed in hindsight, and that's why we put a premium on performance. So by performance, we mean, if there is an incident, how well did the insurer respond to it?
1:41:09
Was the disruption long or short?
1:41:12
Did it cost a lot?
1:41:14
Did you need to come up with different ways to continue to provide your products and services, and so forth?
1:41:23
So, yeah, I think we would agree that it is best assessed in hindsight and that is why we put more weight on the performance aspect rather than the characteristics.
1:41:35
Of course, if there are no or limited, you know, incidents, then obviously, you know, we would only have the characteristics or mainly the characteristics upon which to assess it.
1:41:54
Okay, thank you.
1:41:55
Next question for David.
1:41:59
So we spoke about scans of the external environment as part of identification of operational risk.
1:42:07
So what types of support might be expected for scans of the external environment?
1:42:13
As an example, is it things like board minutes showing discussion of the emerging external risks?
1:42:19
Yeah, great question.
1:42:22
And I think, you know, board minutes, we really try and not stress those too much.
1:42:32
I think we'll always look at board minutes, but we don't really want to draw major conclusions from them, because again, we know that we're dealing with a wide range of sizes of insurers.
1:42:45
And this idea of a dedicated corporate secretary function with 12 people in it that can make sure that all minutes are perfectly recorded and all discussions perfectly captured is not terribly realistic.
1:42:59
And so we don't sort of put that on the board minutes.
1:43:02
I think what I would do is look to whatever policies and procedures make up your operational risk management framework and see if there are roles and responsibilities articulated for someone or for scanning the external environment, for saying, hey, you know, ransomware seems to be increasingly a thing.
1:43:29
What are we doing internally on this?
1:43:32
And then as far as when the board sees it, there's a threshold for that, right?
1:43:36
If it's determined that this is a high risk for the institution or at least a material risk that warrants the board attention.
1:43:42
It's not so much the board minutes, but being able to say, as part of the board package, we had these sort of 10 slides on ransomware and the controls that we are putting in place or already had in place to keep that kind of thing from happening to us.
1:43:59
So it's more about being able to show that somebody is responsible for the scan and then to the extent possible, evidencing sort of the outcomes from that.
1:44:11
So here's what we saw and here's what we did.
1:44:13
And that's how you show your work.
1:44:21
Thanks, David.
1:44:22
And I think that was the last question at least that I'm seeing.
1:44:26
So thank you so much, everyone.
1:44:28
This has been a great two hours or almost two hours for us.
1:44:33
And we really appreciate you coming to the webinar and hearing more about the guidance and asking the questions.
1:44:40
And as well, thank you to the panelists here.
1:44:43
And just as a reminder, we'll be posting the webinar on the website later, in about a month to a month and a half.
1:44:49
And then we'll loop back on the question about the PowerPoint deck separately.
1:44:54
Thanks again and have a great day.