Internal Audit Report on Supervision of Life Insurance Non-Conglomerate Institutions

Publication type
Audit
Date

Table of contents

    1. Background

    Introduction

    Internal Audit (IA) conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada’s (OSFI’s) risk management, control, and governance processes, as designed and represented by management, are appropriate and functioning in a manner to ensure risks are appropriately identified and managed, and to ensure compliance with organizational policies, plans and procedures.

    An audit of the supervision of Life Insurance Non-Conglomerate Institutions was recommended by OSFI’s Audit Committee and approved by the Superintendent for inclusion in the OSFI 2016-17 Internal Audit Plan.

    Management has reviewed this report and provided their response along with action plans. The report was first presented to the OSFI Audit Committee in February 2017. An updated management response is being presented to the OSFI Audit Committee in November 2017 for review and approval by the Superintendent.

    Context

    OSFI’s supervisory process involves assessing the safety and soundness of financial institutions, providing feedback as appropriate and using powers for timely intervention where necessary. OSFI uses a disciplined, risk-based methodology in supervising both federally regulated insurance and deposit taking institutions. The methodology is described in the Supervisory Framework (2010), and in more detail in a number of supervisory guides and templates. These documents provide the conceptual framework to support an effective supervisory process that all supervisory groups, including those supervising Life Insurance Non-Conglomerate Institutions, must apply.

    It is imperative that OSFI identifies, assesses and monitors emerging risks in a timely and consistent manner. Doing so will enable OSFI the flexibility needed to supervise institutions, and to adjust its supervisory strategies and plans as required.

    The supervisory process involves identifying key risks, assessing the sensitivities of an institution’s activities to external factors, understanding how effectively the institution is managing its risks, making recommendations to strengthen management and governance, where required, and determining the extent of OSFI resources required for ongoing monitoring, on-site review work and other intervention activities. From a supervisory framework perspective, this process culminates in OSFI’s assessment of an institution’s risk profile: the Composite Risk Rating (CRR).

    In accordance with the Supervisory Framework, supervision teams summarize the analyses and assessments of their respective institution’s risk profile in the Risk Assessment Document (RAD) and on the Risk Matrix (RM). The RAD is the basis for an institution’s supervisory strategy. The RAD is a key evergreen supervisory document that provides a clear and current overview of an institution’s business profile, operating environment, significant activities, oversight functions, overall net risk, quality and amount of earnings, capital, and liquidity, and composite risk rating. Supervision teams must keep the RAD up-to-date to reflect significant changes and/or risks in an institution and its operating environment based on monitoring and on-site work and adjust their Supervisory Strategies and plans, as required.

    The life insurance industry consists of three conglomerates and 72 non-conglomerate institutions. Non-conglomerate life insurance institutions (including affiliates) account for less than 10% of the assets for the sector and are comprised of the following:

    • Large institutions (required/available capital>$100 million);
    • Medium institutions (required/available capital between $20 and $100 million);
    • Small institutions (required/available capital < $20 million);
    • Bank insurance subsidiaries;
    • Reinsurers;
    • Fraternals (insurance coverage for members of a fraternal association); and
    • Run offs (companies with little new business and continue to run off their business until expiry of the policies).

    Supervisory responsibility in the portfolio is split between the Toronto, Montreal and Vancouver offices with Toronto supervising the majority of the non-conglomerate institutions. The Montreal office supervises 7 non-conglomerate institutions, and the Vancouver office supervises 3 non-conglomerate institutions. The Montreal and Vancouver offices report directly to the Superintendent, and the Life Insurance Group Non-Conglomerate (LIG NC) group in Toronto reports to the Assistant Superintendent Insurance Supervision Sector, who reports to the Superintendent.

    2. About the Audit

    Audit Objectives

    The objective of the audit was to assess whether the groups supervising the Life Insurance Non-Conglomerate Institutions apply the OSFI’s supervisory methodology as intended. Specifically, the audit assessed whether:

    • The logic and flow of documentation clearly supported the rationale for the institution’s risk assessments, conclusions and supervisory actions taken;
    • The analyses and assessments contained in the RAD clearly demonstrated the risk-based rationale for selecting the institution’s Supervisory Strategy; and
    • Quality control reviews were effective at detecting work quality issues and ensuring that OSFI’s methodology was consistently applied as intended.

    Audit Scope

    The audit focused on four Life Insurance Non-Conglomerate Institutions that best represented the nature and scope of the work performed by the supervisory teams. Two institution supervisory files were selected from Toronto, one from the Montreal Office, and one from the Vancouver Office.

    IA selectively examined the supervisory work carried out during the period of April 1, 2015 to March 31, 2016. Recognizing that the supervisory process is a cumulative knowledge process and is continuously evolving, IA reviewed documentation relating to events before and/or after the period chosen, as appropriate.

    Audit Approach

    The approach to conducting the audit included:

    • A review of OSFI’s Supervisory Framework and applicable guides;
    • Process walkthroughs and discussions with the supervisory teams and staff in other applicable areas; and
    • Examination of documents including selected supervisory documentation in supervisory files.

    Statement of Conformance

    The audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Secretariat (TBS) Policy on Internal Audit and the Internal Auditing Standards of the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

    3. Observation Ratings

    Observation Ratings

    Observations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

    Observations are ranked according to the following:

    High priority - should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or operating effectively) or a significant operational improvement opportunity.

    Medium priority – a control weakness or operational improvement that should be addressed in the near term.

    Low priority - non-critical observation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.

    Individual ratings should not be considered in isolation and their effect on other objectives and areas should also be considered.

    4. Results of the Audit

    Executive Summary

    The application of OSFI’s supervisory methodology is complex. It requires the use of a disciplined approach and significant judgement by supervisory teams in conducting their assessments. Effective implementation of the methodology requires a thorough understanding of the principles of risk-based supervision and a consistent application of these principles.

    Supervision involves maintaining an up-to-date view of an institution’s risk profile. Documenting the various assessments that contribute to an institution’s overall risk profile is considered a critical control. The logic and flow of the documentation reviewed could be strengthened to more clearly demonstrate the supervisory teams’ risk based approach, evidential support and rationale. Notably, the Toronto office would benefit from reprioritizing the initiative to address documentation issues pertaining to Quality of Risk Management functions.

    The intention of OSFI’s supervisory methodology is to enhance the consistency and comparability of assessments, using a standardized approach to maintain an up-to-date view of an institution’s risk profile. The extensive architecture of documents and templates currently comprising OSFI’s guides and assessment criteria results in supervisors and reviewers interpreting the guides differently, particularly with respect to whether documentation is mandatory or supplementary. Management would benefit from reviewing current guides and assessment criteria to achieve a consensus with respect to what is considered sufficient documentation.

    5. Management Response

    Response

    Management agrees that the supervisory methodology and its application is complex and requires significant judgement by supervisors in forming and documenting their assessments. Even someone who is skilled in the supervisory framework or knowledgeable about the financial industry requires significant training to be able to apply their knowledge to a FRFI. This is because implementation of the methodology requires a thorough understanding of the principles of risk-based supervision, consistent application of these principles and a sound understanding of the business to which they are applied. Though the methodology is the same across all FRFIs, the application of the principles to a deposit taking institution is different in many respects from the application to an insurer. In addition, the application of the methodology to smaller institutions is not the same as for the larger institutions.

    OSFI’s current FRFI supervisory methodology consists of over 40 lengthy guides intended to provide instruction to supervisors in applying judgement to assess risks. While some guides have been updated regularly, particularly the core guides, others have not. There have been many changes in the financial industry in recent years, and the rate of change increased significantly following the financial crisis of 2008. Utilization data confirms FRFI supervisors, both in banking and insurance, do not refer to many of the non-core guides often, if at all.

    As a result, many of the guides require updating to be effective and some of them are no longer necessary. The Common Supervisory Services (CSS) unit has staffed a Methodology group that is currently reviewing the guides and will be making recommendations later in 2017/18 regarding those that require updating and those that can be removed.

    In addition to issues around existing guides, the current documentation requirements are considered to be burdensome by many supervisors. Strict adherence to the current requirements would require a significant increase in staff without improving the accuracy of the risk assessments. That said, a certain level of documentation is required, and documentation standards (whatever they are) should be adhered to.

    OSFI has launched a business process and technology initiative for FRFI supervision named “Vu”. The Vu initiative was launched in response to concerns about the burden and inefficiency involved in meeting documentation requirements (discussed above) and a more general dissatisfaction with the tools available to support supervisors in their core work. Once implemented, Vu is expected to transform existing supervisory business processes, including eliminating duplication and other inefficiencies within the current supervisory methodology. The system will also better support what are currently manual processes around peer review and quality assurance activities, facilitating consistent and appropriate application of supervisory methodology.

    In summary, the Vu project will result in a supervisory platform that is updated, not only in terms of the “What”, but the “How”.

    In addition to the implementation of Vu, CSS is reviewing the Supervisory
    Framework for an appropriate alignment of roles, authorities and other control/oversight mechanisms.

    The control framework for the FRFI supervisory methodology and the FRFI Supervisory Framework is currently distributed across and embedded within the methodology guidance documents, including G-19 (Review of Supervisory Work) and G-15 (Supervisory Documentation). For example, Guide G-15 states that supervisory documents are to be written for readers with the appropriate knowledge of the institution, the subject matter, and the context for the documentation. The calibration of what constitutes appropriate knowledge for the reader and the required documentation to support that calibration has been a longstanding and systemic challenge.

    CSS will review the state of current controls, the control objective and propose a future state control framework to address these issues for consideration by the CSS Committee.

    Accordingly, management sees three steps in ensuring accurate application of the supervisory methodology, to all insurance FRFIs:

    1. The ISS has introduced the Supervisory Talent Enhancement Program (STEP) which will support insurance supervisors in improving the application of the framework methodology to regulated insurance institutions and will promote documentation that is more succinct, concise and effective. Part of STEP involves having a supervisory assessment reviewed by a supervisor from a different insurance group in ISS to provide an independent review of the assessments and their consistency (including documentation) by size and complexity of FI. This will also provide training and development opportunities for supervisory staff across ISS. Reviewers will be insurance supervisors skilled in the application of the methodology who understand its application to insurance entities.

    STEP is being developed with a formal framework to ensure that the process is followed and will provide supervision with assurance that:

    • the assessments are accurate;
    • the level of work and documentation is appropriate for the size and complexity of the financial institution;
    • the documentation is effective in communicating the supervisor’s findings; and
    • an environment of continuous professional development is established for supervisors.

    2. In order to confirm that like institutions in like circumstances are treated appropriately, the CSS has staffed a consistency group and is developing a framework for determining how to effectively assess the consistent application of the Supervisory Framework across all FRFIs. The draft framework and a monitoring program for supervisory consistency will be prepared for the CSS Committee, whose members are the Assistant Superintendents for Insurance Supervision, Deposit-taking Supervision and Risk Support. The target date for completing the draft framework is March 2018. The Life Insurance Non-Conglomerate institutions group will review the consistency assessments for life insurers and incorporate learnings into their supervisory assessments.

    3. The final process is to ensure compliance and confirm the integrity of the process, not only within the Insurance Non-Conglomerate group but throughout all of OSFI’s supervisory efforts. OSFI (ISS, DTSS, RSS, CSS) will work with Internal Audit on the development of each of the above initiatives to ensure the process will be auditable and confirm the results satisfy our objectives of:

    • being principles based;
    • taking a balanced approach to protecting depositors, policyholders and creditors while allowing financial institutions to compete and take risks;
    • ensuring consistent application of the methodology;
    • confirming accurate risk assessments; and
    • providing the Superintendent with a level of comfort regarding independence in assessing the effective application of the supervisory process.

    Management is convinced the above process will be the most effective in ensuring our mandate and Compass For Success are met. Furthermore, we believe the interaction with IA will help ensure supervisors understand and comply with the process. However, we acknowledge it will take two to three years to fully implement.

    The following table provides an initial time line:

    Objective Date Participants
    Methodology review schedule March 31, 2018 CSS, DTSS*, ISS, RSS*
    Definition of STEP, what it will achieve, and formalizing the process December 31, 2017 CSS, ISS, DTSS*, IA, RSS*
    Implementation of documentation review work to be carried out by STEP 2018-2019 ISS
    Consistency function reviews to have commenced and delivered to the CSS Committee March 31, 2018 CSS, ISS, DTSS*-, IA, RSS*

    *While this audit was on the supervision of Life Insurance Non-Conglomerate Institutions, the approach that OSFI is implementing is equally relevant to DTSS and RSS. Both sectors will participate as observers in the ISS-CSS work. DTSS and RSS will be implementing OSFI’s updated supervisory methodology in the manner described above: consistent, auditable, and principles and risk based.

    The volume of work required to complete the above is extensive but critical in fulfilling OSFI’s mandate and success criteria. As the initiatives identified in the above are more clearly defined, the time frame for completion will clarified and the CSS Committee will establish a more definitive critical path.

    6. Observations and Recommendations

    1. Supervisory Assessments

    Medium Priority Observation

    Supervisory documentation – rationale, accuracy, consistency, and completeness

    Supervisory documentation is the record of OSFI’s understanding, analysis and assessment of an institution’s operations, financial condition and risk profile. Key supervisory documentation includes: the Supervisory Strategy (SS), Risk Assessment Document (RAD), including the Risk Matrix (RM), and Section Note (SN) for significant activities, and Quality of Risk Management (QRM).

    Risk assessment relies upon sound, predictive judgement. To ensure supervision quality, OSFI management requires that these judgements have a clear, supported rationale. Quality control (QC) review is also in place to ensure that OSFI’s methodology is consistently applied as intended.

    Based on the files reviewed, it was apparent that supervisory documentation could be strengthened to more clearly demonstrate the supervisory teams’ risk based approach, evidential support and rationale, in accordance with OSFI’s Supervisory Guides and Assessment Criteria:

    • Key supervisory documentation did not always have a clear, supported rationale when there was a change in rating. In these instances, changes to QRM function risk ratings were neither pointed out nor explained in the RAD and the SN.
    • Key supervisory documentation did not always describe how key inherent risks were mitigated by operational management. In these instances, the RAD described the inherent risks and oversight functions but did not address the extent to which the risks were being managed by operational management.
    • Key supervisory documentation was not always accurate, consistent and complete. Inconsistent ratings for a given risk were noted within various sections in the RAD and among the RAD and RM. There were also instances where SNs for the QRM functions were not updated after the review work.
    QRM in Toronto office

    Previous initiatives in the Toronto office to enhance supervisory documentation efforts have fallen short of management’s intended goals due to competing priorities and lack of resources. Management self-identified the following gaps in documentation pertaining to QRM in the files reviewed:

    • The conclusion drawn on the effectiveness of an oversight function in a SN was based on characteristics of the function with minimal assessment of performance indicators.
    • Not all significant activities were covered in the assessment of how well the oversight function executed its role across all significant activities in a SN.
    • SNs were not updated to reflect significant changes in several oversight functions.
    QC review

    QC review of supervisory work/G19 represents a key control for OSFI to ensure documented judgements are reasonable and have sufficient logical flow, supporting evidence and rationale as inaccurate, inconsistent and incomplete ratings can lead to confusion and can hinder current and future decision making. QC reviews did not detect the supervisory assessment issues noted above.

    Follow-Up Documents (FUD)

    FUD is used to track an institution’s progress against recommendations. The use of FUD differed across offices. The Montreal and Vancouver offices record issues identified during onsite review and monitoring in the FUD. For a staged institution, the issues are documented in both the Intervention Report and the FUD. The Toronto office only uses the FUD to record issues arising from onsite review and when an institution is staged; the issues will only be recorded on the Intervention Report, not the FUD. As FUD is a key performance indicator, it is important for all offices to use FUD consistently to enhance its comparability.

    Recommendations

    Direction and commitment from Senior Management is needed to allocate time to update the documentation where necessary. This is especially important for the Toronto office, which may benefit from establishing a timeline to address the QRM documentation deficiencies.

    To strengthen key supervisory documentation, supervisory teams may benefit from further staff training and coaching. Effective QC reviews should be reinforced to ensure quality control reviews achieve their intended purpose. Training and calibration among reviewers can assist in ensuring QC standards and expectations are understood and consistent among reviewers. In the long run, the information discrepancies among/within documents due to input repetitiveness and the manual nature in completing the templates may be addressed by the Supervisory Tools and Technology Renewal initiative.

    Clarification is necessary regarding the use of FUD to ensure this key performance indicator has integrity and comparability.

    Management Action Plan

    Supervisory documentation – rationale, accuracy, consistency, and completeness

    As stated in the Management Response, OSFI’s written procedures governing the FRFI supervisory methodology require updating. Current challenges with documentation volume and redundancy are being addressed through Project Vu and the work of the recently launched CSS Methodology team, as discussed above.

    QRM in Toronto office

    Management acknowledges there are gaps in QRM documentation as currently required and has made efforts to close them.

    As stated above, current challenges with documentation are being addressed through Project Vu and the work of the CSS Methodology team.

    QC review

    Management believes the issues identified are primarily typographical errors that are perpetuated by the current documentation processes and do not affect the assessment. This documentation weakness will be addressed by the implementation of Project Vu.

    FUD

    Management agrees that there have been differences in FUD management between Montreal, Toronto and Vancouver. The accountability for all insurance FRFIs has been centralized in ISS as of April 1, 2017. This will better align OSFI’s supervisory work carried out across Canada.

    Specifically, management will be consistently applying separate tracking of FuD items and intervention reports. The documents identified for follow-up in an intervention report have specific performance indicators and mixing the follow-up requirements from the two will distort the performance measures for FuD. Institutions subject to intervention must pay additional fees and have an incentive to clear up the outstanding items as quickly as possible. Failure to do so would increase their stage rating and assessment. Hence, intervention requirements should be subject to a distinct protocol.

    Senior management agrees that its leadership on the updating of supervisory documentation is important. Three Assistant Superintendents sit on the CSS Committee, which is charged with overseeing this work. The Chair of this group rotates annually and the Assistant Superintendent, Insurance, currently holds that seat. Management also agrees on the need for further staff training and coaching. In addition to the STEP being implemented in ISS, the Assistant Superintendent, Insurance, is also the Executive Sponsor for the Supervisory Training Initiative which is developing a core curriculum of courses for the training of supervisors.

    2. Interpretation of Supervisory Guides and Assessment Criteria

    Medium Priority Observation

    Supervisory Guides and Assessment Criteria were developed to guide supervisors in assessing the safety and soundness of institutions. The guides assist supervisors in determining the type and level of information to be included in the various supervisory documentation such as the SS, RAD, RM and SN. The intention of the Guides and Assessment Criteria is to enhance the consistency and comparability of OSFI’s assessments by using a standardized approach to assess institutions.

    It is clear from the files reviewed during this audit as well as previous Internal Audit assurance engagements that supervisors and reviewers interpreted the OSFI’s Guides and Assessment Criteria differently in terms of what information was mandatory in the supervisory documentation and what information was supplementary.

    Some supervisors documented their consideration of certain guidance in the Guides, including the reason the guidance was not applicable for their institutions, while others provided no comment when they felt the guidance was not applicable for their institutions.

    Determining whether information is mandatory or supplementary is subject to supervisors’ interpretations and can lead to inconsistencies. Wording such as “should”, “must”, “is expected to”, “need to”, and “is required” are found throughout the Assessment Criteria and the Supervisory Guides; yet the Assessment Criteria stated that the criteria are not required standards but are “considerations supervisors will use where appropriate to guide their assessments”.

    Supervisors expressed their frustrations with the length of the Guides, making it challenging to refer to for quick reference. There are over thirty Guides for life insurance institutions and many of them are over twenty pages long with some spanning over fifty pages.

    Given the judgement-based approach to supervision, it is important that supervisory documentation communicates how supervisory teams arrive at their assessments to assist reviewers in determining whether judgements are reasonable. The documentation also provides continuity to the supervisory process and facilitates cross-institutional comparisons.

    Recommendations

    Given the recurring gap between supervisory efforts/activities and OSFI’s expectations outlined in the Guides and Assessment Criteria, management would benefit from reviewing current guidelines and achieving a new consensus with respect to exactly what is considered sufficient documentation to support an institution’s risk profile.

    The new Common Supervisory Services unit (CSS) may be best positioned to work with supervisory teams to assess what core/foundational documentation is mandatory to communicate how OSFI’s assessment is arrived at. Once this is established, Guides and Assessment Criteria can be streamlined, and training can be implemented to ensure a consistent understanding across all supervisory teams.

    Management Action Plan

    Management agrees with the findings and considers them central to this audit. Concurrent with the implementation of the transformational Vu Project, we have commenced an OSFI wide initiative to address the issues. The effort and work required to implement these solutions is significant and will take two to three years to complete.

    3. Authorities and communication

    Low Priority Observation

    The Montreal and Vancouver offices supervise both insurance and deposit taking institutions. For consistency in applying supervisory practices, it is imperative the two offices work closely with the Insurance Supervision Sector (ISS) and the Deposit Taking Supervision Sector (DTSS) when supervising institutions. OSFI’s reorganization triggered the Montreal and Vancouver offices becoming separate units reporting to the Superintendent with no indirect reporting lines to ISS or DTSS.

    The authorities in the Supervisory Guides have not been revisited to ensure they are aligned to the new structure. Supervisory Guide G-1 requires the approval of the Assistant Superintendent for less than quarterly updating, review and approval of RAD for respective institutions. Supervisory Guide G-15 requires approval by the Managing Director and Senior Director for institutions eligible for small, less complex documentation. The Montreal and Vancouver Managing Directors approved the eligible institutions and did not obtain the respective approvals in both cases while indicating that the former Assistant Superintendent delegated the authorities.

    Processes have not been established to ensure information flow across offices is effective, and all stakeholders are engaged in initiatives. The Montreal and Vancouver Offices were not always invited to participate in initiatives impacting their work plans, which disadvantaged their ability to plan and implement changes in a timely manner. The Montreal office was not included in the ongoing discussions of risk tolerance and Life Insurance Capital Adequacy Test initiatives until nearly a year after these initiatives were launched.

    Recommendations

    With the reporting structure change, it is the opportune time to revisit authorities for various supervisory activities to ensure approval authorities are aligned with OSFI’s risk tolerance for the activities. Common Supervisory Services could consider a review of the appropriateness of the authorities for various activities, taking into consideration the new reporting structure. Authorities in Supervisory Guides could be updated once the review is completed.

    Communication facilitates consistency in practices across offices in achieving “One Office”. OSFI management may benefit from establishing processes to ensure information flows effectively across the Superintendent’s Office, Regulation Sector, Insurance Supervision Sector, Deposit Taking Supervision Sector, Supervision Support, the Montreal and Vancouver offices. It will be beneficial to establish each stakeholder’s role and responsibility particularly for major initiatives.

    Management Action Plan

    With the accountability for insurance supervision now centralized in ISS, the issue is in the process of being resolved.