Risk Management Report
April 2015
What’s new in this report:
Risk Limit / Risk Appetite Statement
Revised Risk Register
Nine new and emerging risks (see Section 3 of Risk Register)
Contents
Introduction
Mission and Principles
Risk Management
a) Risk Limit / Risk Appetite Statement
b) Risk identification
Risk Profile
Risk Register
Section 1: Major and significant risks
Section 2: Other identified risks
Section 3: New and emerging risks
Appendix: Risk management definitions
Introduction
Each Spring the Board of Directors prepares a report on PACICC’s risk management activities (this report). The annual Risk Management Report is developed by the Audit and Risk Committee and senior management. Risk management is also a continuous process at PACICC, reviewed as a standing issue at meetings of the Board, the Audit and Risk Committee, and senior management. The Advisory Committee of insurance industry Chief Risk Officers provides independent advice on best practices, when requested. Risk management is central to the successful management and governance of PACICC.
PACICC Mission Statement and Principles
The Mission of the Property and Casualty Insurance Compensation Corporation is to protect eligible policyholders from undue loss in the event that a member insurer becomes insolvent. We work to minimize the cost of insurer insolvencies and seek to maintain a high level of consumer and business confidence in Canada’s P&C insurance industry through the financial protection we provide to policyholders.
Principles:
a) In the unlikely event that an insurer becomes insolvent, policyholders should be protected from undue financial loss through prompt payment of covered claims.
b) Financial preparedness is fundamental to PACICC’s successful management support of insurance company liquidations, requiring both adequate financial capacity and prudently managed compensation funds.
c) Good corporate governance, well informed stakeholders and cost effective delivery of member services are foundations for success.
d) Frequent and open discussions with members, regulators, liquidators and other stakeholders will strengthen PACICC’s performance.
e) In-depth P&C insurance industry knowledge – based on applied research and analysis – is essential for effective monitoring of insolvency risk.
Risk Management
Risk management includes all actions used to control risks that could prevent PACICC from achieving its mission. PACICC’s risk management framework sets out the policies and governance, key responsibilities, processes and activities necessary for effective risk management. (See the Appendix for a list of definitions generally associated with risk management and as used at PACICC.) Two elements of the risk management framework include:
The risk limit / risk appetite statement establishing the amount of risk PACICC is willing to accept or tolerate
The process for identifying risks that will be subject to analysis, assessment and monitoring.
a) Risk Limit / Risk Appetite Statement (NEW)
PACICC’s risk limit / risk appetite is $1.54 billion. PACICC measures its risk limit / risk appetite in relation to its ability to generate revenue from member companies over a two-year period to pay for the eligible claims of an insolvent member. PACICC’s annual maximum assessment capacity is 1.5 percent of the total covered premiums of member companies. Based on 2014 industry results, PACICC can generate up to $1.54 billion over a two-year period.
PACICC also maintains a Compensation Fund to address liquidity issues in the days and weeks immediately following a member insurer insolvency. The Compensation Fund presently holds an additional $52 million. The annual assessment cap seeks to minimize the risk that funds required by PACICC could impose a solvency risk on healthy member insurers.
It is possible, although very unlikely, that PACICC’s requirement for funds may exceed its risk limit / risk appetite. PACICC is actively working to reduce the risk of an extraordinary insolvency event. PACICC is also working to establish alternative financing options. However, as the financial guarantee fund for the industry, PACICC does not have the authority to reject member insurer insolvencies. If PACICC needs to generate more than $1.54 billion through our current funding mechanisms, then the required funds would be collected over several years, and approved payment of consumer claims would be delayed until funds become available.
Key reasons why PACICC’s risk limit / risk appetite is set at two times the annual general assessment capacity include:
This is the maximum industry assessment that could be levied on member firms without causing further solvency problems or possible contagion effects
Two years is a reasonable time period to settle most eligible policyholder claims resulting from the insolvency of a member company, based on PACICC’s experience paying the covered claims of failed members, and claims development in the industry
Funds recovered from a liquidated estate are generally not available for a period of several years or longer, so it is important that PACICC has the capacity to generate most of the required funds to wind-up an insolvent insurer
Two years is the maximum time that PACICC should plan to commit all of its capacity to wind-up a member insurance company, because a longer time period would impair PACICC’s preparedness to respond to the risk of subsequent insolvency events
PACICC maintains a Compensation Fund that is available to meet initial payout requirements during the early stage of a member company insolvency. (The Compensation Fund had a market value of $52 million as of February 2015)
To fulfill its Mission, it is essential for PACICC to refund unearned premiums promptly, and to settle claims within a reasonable period following a member insolvency. Protecting this “ability to pay” helps maintain consumer confidence in Canada’s P&C insurance industry, and preserves PACICC’s reputation as a reliable guarantee fund.
Claims liabilities beyond PACICC’s risk limit / risk appetite are extraordinary risks, and must be managed outside the normal general assessment mechanism. For example, revenues to pay for these additional claims liabilities could be generated through PACICC’s proposed extraordinary funding mechanism.
b) Risk Identification
PACICC maintains a comprehensive risk profile of all the key significant risks that could prevent the organization from achieving its mission. The risk profile was prepared by PACICC’s Audit and Risk Committee and senior management. It is continuously reviewed and updated as necessary. The Board is ultimately responsible for assuring the risk profile is appropriate for the organization.
PACICC has established criteria for identifying significant risks. Parameters are set for gradients of impact (severity) from low to high, and similarly for likelihood (probability). In some cases, consideration of the adverse impact on reputation is required and appropriate gradients are set.
Risk Register
Considering PACICC’s Mission and key functions, each aspect of an organization’s operation, activities and functions is assessed as to vulnerabilities. In turn, each vulnerability is analyzed and reasonably likely causes or triggers are identified. Consequences are considered, including possible reputation impacts. Each risk is assessed as to potential impact, considering a reasonable probability of the risk occurring. If considered significant, the vulnerability is posted and tracked on the risk register with brief notes as to the basis for the risk being assessed as significant.
Risk Profile
PACICC has established a threshold of acceptable risk, based on the organization’s risk limit / risk appetite. Three “zones” are utilized, as follows:
Red: Unacceptable risks
Yellow: Risks to be monitored closely
Green: Risks to be managed
For PACICC, the risks assessed as falling in the red and yellow zones are priority issues and these are posted on the risk profile, which is used for more extensive analysis, monitoring and reporting.
Identifying risks (new and emerging)
Once a risk profile is prepared, one challenge is identifying new and emerging risks. Risk identification is a process that is used to find, recognize and describe the risks that could adversely affect PACICC’s ability to achieve its mission. This includes the identification of possible triggers and potential consequences. Historical data, theoretical analysis, informed opinions, expert advice and stakeholder input are used to identify PACICC’s risks. This is a dynamic process, assigned to senior management working with the members of the Audit and Risk Committee to coordinate and to lead the necessary review to keep the risk profile current as to the risks most likely to affect the organization.
Senior management conduct an annual exercise dedicated to reviewing and updating the risk profile. This includes a “brain-storming” segment that is used to identify new risks and to validate existing risks. Risks are reviewed periodically to ensure that management and the Board of Directors have a comprehensive understanding of the risks and the various impacts on the organization.
Risk Assessment
Part of identifying risks includes discussing the ranking and prioritizing of the identified risks. Senior management works with the Audit and Risk Committee to review and solicit information as to risks, and to quantify the potential impact of a risk on the organization. Part of the review seeks to analyze co-related risks and to determine the combined impact. In addition, the federal regulator (OSFI) periodically requires the industry to prepare “stress test scenarios” considering co-related risks. Part of the assessment requires consideration of the potential impact of adverse publicity or reaction by stakeholders. Of particular importance are risks that could diminish PACICC’s ability to maintain confidence in the financial viability of Canada’s P&C insurance industry.
In assessing risks, PACICC considers the probability of an event occurring. The potential impact is then assessed and used as the basis for the organization’s risk management priorities and action plans. In PACICC’s case, a key consideration is the likelihood of a risk causing member insurers to become insolvent.
Periodically, a reality test as to the ranking and prioritizing of risks is a valuable step. While subjective, this exercise helps ensure that profiled risks are rated appropriately and are receiving adequate resources and attention.
PACICC’s Risk Profile, as at April 2015
[Risk matrix: Impact Rating on the vertical axis; Likelihood on the horizontal axis (Very Low, Low, Medium, High)]
Impact Very High: Financial Risk 1-1 Insolvency cost exceeds two times annual assessment capacity
Impact High: Financial Risk 1-2 Insolvency cost exceeds annual assessment capacity; Regulatory Risks 1-6 New laws, 1-7 Benefits unilaterally enhanced
Impact Medium: Operational Risks 1-8 Extraordinary resource demands, 1-9 Insolvency costs greater than anticipated; Operational Risks 1-10 Lack of Liquidator expertise
Impact Low: Regulatory Risks 1-3 Inadequate solvency supervision, 1-4 Regulation of rates, 1-5 WURA
Risks:
1-1 Failure of one of Canada’s 10 largest P&C insurers; or multiple failures from a catastrophe
1-2 Failure of a larger member insurer; or multiple, smaller insurer insolvencies
1-3 Supervisory practices below minimum IAIS standards
1-4 Rate regulation may contribute to insurer insolvency
1-5 Insurance company winding-up practices in Canada are outdated
1-6 Adverse changes in new insurance legislation
1-7 PACICC could be forced to increase coverage & benefits
1-8 Risks 1-1 or 1-2 could place extraordinary demands on PACICC’s human resources
1-9 Lack of member financial information could result in higher-than-expected wind-up costs
1-10 Much of Canada’s accumulated P&C liquidation expertise has “retired” (or will soon)
Rating Criteria
A. Impact (Severity)
Impact Criteria Ranking: Low, Medium, High, Very High
a) Assessment Risk: Low: < $5 million; Medium: $5 to $500 million; High: $0.5 to $1.5 billion; Very High: > $1.5 billion
b) Operations Risk: Low: < $100 thousand; Medium: $0.1 to $1.0 million; High: $1.0 to $2.0 million; Very High: > $2.0 million
c) Reputation Risk: Low: Isolated complaints, industry focus only; Medium: Local media and regulatory involvement; High: Social media exposure, wide media coverage, regulatory involvement; Very High: Constant national media attention, government intervention
B. Likelihood (Probability)
Likelihood Criteria Ranking: Very Low, Low, Medium, High
All risks: Very Low: Occur < 1 / 100 years; Low: Occur within 10 yrs; Medium: Occur within 5 yrs; High: Occur within 1 yr
Section 1: Major Risks (red) and Significant Risks (yellow)
Columns: Risk No; Inherent Risk and Description; Triggers for Adverse Impact; Controls / Mitigation; Rating (Net Risk): Impact, Likelihood
1-1 Financial Risk – Costs exceed two times PACICC’s annual assessment capacity
Failure of one of Canada’s 10-largest P&C insurers (or failure of their parent companies)
Concurrent, multi-member insurer insolvencies, resulting from a major natural or man-made catastrophic event.
An extensive major financial crisis leading to multiple insolvencies. Factors could include: stronger economic growth and employment fuelling higher inflation, adverse reaction to market volatility, and an increase in interest rates by the Bank of Canada.
PACICC monitors the financial condition of the industry and individual insurers within the industry
PACICC has prepared an extensive analysis as to the critical point for the industry’s capacity to react to catastrophes (Natural Disasters and Catastrophes - 2013)
PACICC has initiated a review aimed at setting up an Extraordinary Funding Mechanism
PACICC has established a Compensation Fund of approximately $52 million under PACICC control to meet immediate requirements.
OSFI and other regulators monitor insurer exposure to Earthquake (Guideline B-9)
IBC has a committee reviewing impact of the costs of extreme earthquakes
PACICC is working with RMS Canada to develop more accurate estimates of the potential for a large earthquake to trigger insurer insolvencies
Canadian Institute of Actuaries requires inflation risk to be taken into account as part of DCAT modelling
OSFI’s annual stress testing exercises recently examined higher inflation (in 2010)
Very High Very Low
1-2 Financial Risk – Annual payout exceeds industry annual assessment capacity
Insolvency of a larger Member insurer could result in an assessment greater than the Annual Assessment Threshold in the first year of an insolvency.
Assessments for concurrent, multiple insolvencies of smaller member insurers could also exceed the industry Annual Assessment Threshold
Failure of a smaller or provincial insurer (concentration in a small market, e.g. a province, which limits the assessment base)
An unexpected event adversely affects the profitability of a number of Member companies – e.g. a natural catastrophe, terrorism or adverse economic trends, with adverse impact on Member ability to meet increased expense for annual assessment
Insurers have not adequately controlled their underwriting exposure in the earthquake zones
Insurers have not arranged sufficient reinsurance protection
PACICC monitors the financial condition of the industry and individual insurers within the industry
PACICC has established a Compensation Fund of approximately $52 million under PACICC control to meet immediate requirements.
PACICC has initiated a review aimed at setting up an Extraordinary Funding Mechanism
PACICC has prepared an extensive analysis as to the critical point for the industry’s capacity to react to catastrophes (Natural Disasters and Catastrophes - 2013)
Policyholders in B.C. and Alberta will soon be required to have coverage for fire following an earthquake
PACICC is aware of efforts by IBC to update estimates of insured and economic losses that could result from a major urban earthquake in Canada
PACICC is currently working with RMS Canada to develop more accurate estimates of the potential for a large earthquake to trigger member insurer insolvencies
High Very Low
1-3 Regulatory Risk – Inadequate solvency supervision
Some insurance legislation and/or regulations at the provincial level in Canada do not contain adequate standards for insurance solvency supervision. In particular, practices do not meet the minimum standards published by the International Association of Insurance Supervisors (IAIS)
PACICC advocates that insurance solvency supervision be done by regulators that meet international standards. Presently, some provincial supervision falls below IAIS standards
Dr. Norma Neilson (U. of Calgary) has documented which provinces do not meet international standards for solvency supervision
Ontario announced its intention to withdraw from insurance solvency supervision
CCIR established a solvency supervisory working group
PACICC has developed an insolvency protocol; updated its Model Winding-Up Order; developed case-study materials that have been distributed to all insurance superintendents; and has conducted seminars with regulators in B.C., Alberta, Ontario and Newfoundland
Low High
1-4 Regulatory Risk – Regulation of insurance rates may contribute to insurer insolvency
Political pressure exerted on the rate filing/approval process (e.g. Ontario to reduce rates)
Incorrect assumptions regarding what constitutes an adequate rate of return for an insurance company
Insurance companies are not permitted to challenge the decisions of rate regulators if insurers disagree with those decisions
Relatively weak regulation of actuarial practices for pricing and loss reserving in some provinces
Discussions by politicians to regulate property rates
Scrutiny of insurance company financial health by rating agencies, supplemented by PACICC’s own financial analysis
Growing use of risk-based supervision by regulators
PACICC research on the relationship between solvency and rate regulation
PACICC encourages senior staff at OSFI to communicate concerns regarding the regulation of rates (for example, automobile insurance rate reduction) to provincial supervisors when they deem it appropriate
PACICC is seeking to strengthen provincial regulation of actuarial practices. PACICC is also seeking more information about the role of consulting actuaries in the regulation of insurance rates
Low High
1-5 Regulatory Risk – Insurance company winding-up and restructuring legislation and practices are outdated in Canada
Canada's Winding-up and Restructuring Act (WURA) has not undergone a comprehensive review in nearly 100 years
Few updates and changes have been made to the WURA
Insolvency management and corporate restructuring practices have evolved internationally at a much faster pace than has Canada's legislative framework
PACICC made a detailed submission to Finance Canada in November 2010 proposing specific changes to modernize the WURA. The submission was made as part of the scheduled five-year review of Federal financial-sector legislation
PACICC has also initiated stakeholder discussions about the difficulties expected with a complex, conglomerate failure
Progress toward mitigating this risk has been slow. We expect some international pressures – coming from the Financial Stability Board and from the IAIS – ultimately to assist in modernizing Canada’s resolution regime for failed P&C insurance companies. But the timing remains difficult to predict. In the meantime, PACICC faces some reputation risk among its members when existing (or new) insolvencies take many years to be resolved
Low High
1-6 Regulatory Risk – Adverse changes in new insurance legislation
Government could enact legislation affecting aspects of PACICC’s operations (e.g. membership eligibility, industry funding, reporting procedures, Board composition, regulatory oversight, etc.)
PACICC could be compelled to add members in a line or lines of business inconsistent with its current mandate
The risk is higher for legislation proposed or enacted by provincial governments
Review of PACICC coverage and benefits (scheduled as 2016 priority)
PACICC maintains regular dialogue with industry regulators to ensure that possible risks and exposures are understood
Active monitoring of industry developments and financial performance
Regular communication with stakeholders helps ensure that PACICC's mandate is clearly understood
High Low
1-7 Regulatory Risk – Benefits unilaterally enhanced; insolvency costs are deemed unrecoverable
Broader interpretation of insurance policy wording by courts and regulators
Insurance supervisors could, for example, coerce the industry into funding higher levels of premium refunds than PACICC currently provides
If PACICC was forced to cover certain specialty lines, the assessment base could be insufficient to fund the costs of failure (for example, this could be triggered by a change in a provincial statute)
Maintain a good understanding of financial guarantee fund best practices in other countries
Educate stakeholders on best practices
Continue to advocate that moral hazard risk be minimized and that protection apply to personal lines and business policyholders, excluding large corporations
High Low
1-8 Operational Risk – Extraordinary demands on PACICC’s human resources due to the failure of a larger member company, or to multiple company failures
Large or multiple insurer failures would likely result in a high volume of requests for claims settlement authority and/or resolution of related issues
PACICC has developed a contingency plan to address this risk. The plan was approved by the Board in November 2010
Regular dialogue takes place with regulators to discuss troubled companies
PACICC staff conduct periodic solvency tests on member insurers
Medium Low
1-9 Operational Risk – Insolvency costs greater than anticipated
Insolvency of a Member company for which PACICC has no or limited financial data and is ill-equipped to assess insolvency costs in advance
Our research shows that deficient loss reserves and/or inadequate pricing are key causes of insurer failure (deficient reserves are hard to detect in advance)
We advocate that insurance supervisors make insurance company financial data publicly available (consistent with PACICC position paper). Some success was achieved with Alberta’s decision in 2009 to make insurance company data public. (Discussions with other provinces continue)
Through a combination of publicly available data and voluntary disclosure, PACICC now has financial data for all but 6 percent (or 12) of its member companies
We encourage provincial insurance supervisors to adopt the IAIS standards of solvency supervision
Maintain dialogue with regulators and member insurers to gain better understanding of marketplace (for example, through anecdotal evidence)
Medium Low
1-10 Operational Risk – Loss of accumulated liquidation expertise
Ageing/pending retirement of the most experienced licensed trustees in bankruptcy who have hands-on experience liquidating P&C insurance companies
This reduces the ability of firms to assemble, on short notice, a full team of qualified professionals
A sustained period of good financial health in the P&C insurance industry, diminishing opportunities to train successors
PACICC’s concerns have been communicated to insurance supervisors and to the leading firms that provide insurance company liquidation services
PACICC’s ability to mitigate this risk is limited. Although the estimated financial impact in a single calendar year may be modest, we consider the likelihood of occurrence to be “medium” (meaning the risk could occur within five years – especially in the event of a member insolvency)
Medium Medium
Post to Risk Profile – major risk
Post to Risk Profile – significant risk
Maintained on Risk Register
New risk
Section 2: Other Identified Risks (not considered major or significant)
Columns: Risk No; Inherent Risk and Description; Triggers for Adverse Impact; Controls / Mitigation; Rating (Net Risk): Impact, Likelihood
2-1 Operational Risk – Failure of member to pay assessment obligations
Poor internal administration processes by Members can lead to non- or late payment
Members may experience cash flow problems
Some Members may not understand their payment obligations
Deliberate non-payment due to disagreement or dissatisfaction
Member assessments are mandatory once approved by the Board of Directors, and are due within 30 days of receipt
PACICC can charge interest on overdue assessments (we have done so, but rarely)
To maintain licensing, member companies are required under provincial legislation to meet the requirements of PACICC
PACICC notifies the responsible regulator of any assessments that are substantially overdue (by more than three months)
The existing rules (as specified in the Memorandum of Operation) are working reasonably well, so no special or additional risk management actions are needed at this time
Very Low Low
2-2 Financial Risk – Liquidity crisis adversely affects Canada’s P&C insurance industry
Risks related to new and largely unregulated financial products are poorly developed and can increase to the point where large unexpected or unintended losses are incurred
Capital held by insurers in the form of invested assets declines in value
Liquidity crisis reduces available credit, dampens economic activity and increases the risk of recession
Monitoring the financial health of PACICC member companies (where we have adequate data)
Monitoring efforts by policymakers and solvency regulators to address the underlying causes of a credit crisis
Advising member company CEOs to proactively manage credit/liquidity/market risks and communicate concerns to solvency supervisors
Low Low
2-3 Operational Risk – Risk to PACICC’s investment portfolio of higher rates of inflation
Downturn in financial markets
Poor investment choices
Ratings downgrade(s) of held investments
PACICC regularly (annually) reviews its investment policy
PACICC uses a professional investment manager
Low Low
2-4 Operational Risk – Significant property or liability loss in excess of insurance coverage
Fire or explosion in our building/ work location
Break-in involving theft or vandalism on premises
Loss of laptops
For alleged improper actions by PACICC’s Directors or Officers, liability claims could be made for breach of duty or conflict of interest
PACICC insurance coverage includes D&O
Annual review of insurance policies and limits
PACICC’s By-laws provide that member funding can be called upon in the unlikely event that financial liability exceeded the Corporation’s D&O insurance policy limit (Section XVII, paragraph 52. (2))
Low Low
2-5 Operational Risk – Operating requirements exceed budget
An unanticipated large capital or operating expenditure, such as IT or premises costs
Structural accounting or funding changes in budget requirements can result in short-term adjustments (for example, the Board’s decision to pay investment management fees from the annual operating budget rather than from the Compensation Fund)
Operating Fund surplus (approx. $1.5 million) can, with Board approval, fund a short-term budget deficit without asking members to pay more
Low Low
2-6 Regulatory Risk – Greater use of unlicensed reinsurance in Canada
PACICC’s experience with insurance liquidations shows that unlicensed reinsurance is difficult to collect for an insolvent insurer. Two factors contribute to this risk:
unlicensed reinsurers operate outside of Canada and are not subject to Canadian insurance regulation; and
it is less likely that an unlicensed reinsurance contract would contain an insolvency clause
OSFI Guideline B-3 has changed the rules respecting limits on unlicensed reinsurance in Canada, removing the 25 percent limit, potentially allowing insurers to utilize more unlicensed reinsurance – provided they can justify a higher share in the Reinsurance Risk Management Plans (RRMP’s) they submit to OSFI
Thus far, there appears to be no significant increase in the use of unlicensed reinsurance by P&C insurance companies in Canada
Monitoring market trends to track changes in the share of unlicensed reinsurance
Maintaining a dialogue with OSFI regarding changes in the share of unlicensed reinsurance and the potential risks this could pose
Low Low
2-7 Regulatory Risk – Government decision to tax PACICC’s investment income (Currently exempt from income tax as non-profit)
Existing policies could be “reinterpreted” by the Canada Revenue Agency to question the tax-free status of PACICC’s Compensation Fund
CRA is conducting audits of non-profit corporations to ensure that those so designated are not engaging in activities intended to earn a profit
Maintain a good understanding of the tax treatment of guarantee funds in other countries, and work with guarantee fund counterparts in Canada, should PACICC need to counter a tax-related threat
Low Low
2-8 Regulatory Risk – Requirement for all Board members to be public directors
Potential for frustration if insurance regulators seek to exert greater control or influence over PACICC (for example, to expand our mandate to address restructuring and wind-up)
Governance at other financial guarantee funds (for example, Assuris) could encourage regulators to seek changes at PACICC
P&C insurance guarantee funds in other countries are governed by a majority of industry directors because this is the best model for our mandate to address the wind-up of failed Member companies
Continuing discussions with interested parties stresses the importance of effective governance consistent with PACICC’s mandate
PACICC strives to demonstrate that its governance is effective and that its Board functions well. These messages are conveyed through regular corporate reporting to members and other stakeholders, as well as meetings with insurance supervisors
Insurance supervisors receive copies of all PACICC Board submissions and are invited to participate in Board meetings
PACICC has a written Board mandate covering a Code of Ethics and Business Practices
Low Low
2-9 Operational Risk – Loss of key personnel
Senior staff could leave PACICC to accept other employment, for health reasons, etc.
Lack of adequate succession planning by PACICC
Losing depth is potentially a bigger exposure than losing a CEO
Staff could be borrowed short-term from IBC, Assuris, CDIC, and/or member companies
Documented procedures
A management succession plan is in place, overseen by PACICC’s Governance and Human Resources Committee
Low Low
2-10 Operational Risk – Significant IT failure
Equipment failure
Computer viruses
Attack by computer hacker
PACICC uses an externally-hosted, secure, internet-based server that provides full back up and recovery for all corporate records. All staff are equipped so they can continue their work offsite when required
Low Low
2-11 Operational Risk – Major external event could interrupt business
Issues affecting the availability of staff would have an immediate/direct impact on PACICC service delivery to stakeholders (policyholders, Members, regulators, media, etc.)
Possible events include: flu pandemic, terrorist attack, large-scale natural disaster, power black-out, fire and severe weather (ice storm, flood)
Human resources policies and procedures in place are efficient, fair and appropriate
New website enhances PACICC’s ability to communicate information to stakeholders via the Internet
Disaster recovery plan is documented
Ability to work off-site is supported by IT services arrangement; insurance would cover PACICC for most losses; and we have a fire-proof safe for protecting original documents
Citrix software limits data being stored on laptops
Medium Low
2-12 Operational Risk – Key operations at PACICC could fall below best practice
PACICC could fail to gather and analyze information regarding practices utilized by P&C (and other) financial guarantee funds
Funding constraints could make it more difficult to maintain operational effectiveness
PACICC is undertaking research to gather up-to-date information on key operational practices utilized by P&C insurance guarantee funds in other developed countries
Where possible, management should seek to identify emerging operational pressures or risks as information for PACICC’s Board of Directors
Recent research released by the OECD suggests that increasing “co-insurance” could be an effective practice for guarantee funds to follow. (Yet if PACICC were to adopt this practice for covered claims payments, it would be difficult to avoid reputation damage)
Low Low
2-13 Operational Risk – Unauthorized access, ineffective governance
Fraud
Security breach
Loss of data
Under Review
OSFI has indicated concern and has surveyed the industry
Low (Preliminary) Low (Preliminary)
2-14 Financial Risk – Rating, underwriting, claims
Unexpected coverage
Losses greater than expected
Inadequate coverage
Wildfires
Under Review
Medium (Preliminary) Low (Preliminary)
2-15 Financial Risk – Failure of a financial conglomerate could lead to unintended consequences for insurance consumers
International failure, with Canadian operation, branch or subsidiary
Domestic conglomerate with Life and/or Banking affiliates
CDIC (for example) has more extensive powers and administrative options than PACICC (the ability to create a “bridge bank” in the event of a failure)
Under Review
Medium (Preliminary) Low (Preliminary)
2-16 Operational Risk – Key Suppliers
Unanticipated failure could impair PACICC operations in the short-term while alternate arrangements are made (new supplier contracted or new equipment sourced)
Key service areas include: IT supplier, Financial accounting, Investment management, Banking and Legal
PACICC retains established, reputable suppliers with proven experience
Service level agreements are in place (for example, IT)
While the loss of service being provided by a supplier could be disruptive in the short term, management believes that PACICC’s current outsourced service arrangements could be replaced quickly (in most cases within one month)
Low Low
Section 3: New and Emerging Risks (Note: highlighted risks are those considered most relevant to PACICC)
Risk No
Inherent Risk and Description
Triggers for adverse Impact Controls/ Mitigation Rating (Net Risk)
Impact Likelihood
3-1 Financial Risk – Risk of correlation to covered policies
Nuclear risks are covered by Nuclear Pool, which includes PACICC members
Destruction of a nuclear facility in Canada
Member participates in a series of nuclear losses
Under Review (added to Register 3 – 2015)
TBD TBD
3-2 Financial Risk – Extreme weather and climate change
Catastrophic insurance damage claims from wildfire, flood, tornadoes, etc.
Under Review (added to Register 3 – 2015)
TBD TBD
3-3 Operational Risk – Critical infrastructure failure
Roads inaccessible to handle claims
Staff unavailable to handle claims
Prolonged power outage
Communications system breakdown
Under Review (added to Register 3 – 2015)
TBD TBD
3-4 Financial Risk – PACICC coverage limits may prove inadequate
Price of homes increasing
Under Review (added to Register 3 – 2015)
TBD TBD
3-5 Financial Risk – New insurance product(s) not covered by PACICC
Driverless cars
Drones (for commercial use)
Cyber crime coverage
Flood insurance
Under Review (added to Register 3 – 2015)
TBD TBD
3-6 (1-1) Financial Risk – Insolvency caused by financial market instability
Note: new Triggers for Risk 1-1
Oil price shock
Deflation
Under Review (added to Register 3 – 2015)
TBD TBD
3-7 (2-9) (2-11) Operational Risk – Pandemic
Note: new Triggers for Risks 2-9 and 2-11
Pandemic
Under Review (added to Register 3 – 2015)
TBD TBD
3-8 (1-4) Regulatory Risk – Property rates could be subject to regulatory approval
Note: new Trigger for Risk 1-4
Property rates regulated
Under Review (added to Register 3 – 2015)
TBD TBD
3-9 Regulatory Risk – Increased requirements for consumer education and awareness
Consumers not aware of coverage
Financial Literacy initiatives
Increasing international regulatory initiatives
Under Review (added to Register 3 – 2015)
TBD TBD
Appendix: PACICC Risk Management Definitions
Note: The following definitions have been based on the ISO 31000:2009 Plain English Risk Management Dictionary, with minor edits as appropriate for PACICC’s risk management environment.
Risk
Risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected. Organizations strive to reduce uncertainty as much as possible.
Uncertainty is a state or condition that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete.
Risk management (Enterprise Risk Management – ERM)
Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives. The term risk management also refers to the architecture that is used to manage risk. This architecture includes risk management principles, the risk management framework and risk management processes.
Risk management framework (Risk Management Statement)
A risk management framework is a set of components that support and sustain risk management throughout an organization. There are two types of components: foundations and organizational arrangements. Foundations include the risk management policy, goals and objectives, mandate, and commitment (Mission and Principles). Organizational arrangements include the plans, relationships, accountabilities, resources, processes and activities used to manage the organization’s risks.
Risk management policy
A risk management policy documents an organization’s commitment to risk management and clarifies its general direction and intention. Components include procedures, practices, controls, responsibilities and activities (including their sequence and timing).
Risk management process
A risk management process is one that systematically applies management policies, procedures, controls and practices to a set of activities intended to establish the context of risks, communicate with stakeholders and identify, analyze, evaluate, treat, monitor and review risks.
To establish the context means to define the external and internal parameters that organizations must consider when they manage risk. External context includes external stakeholders, local, national, and international environment, as well as any external factors that influence its objectives. Key drivers and trends include stakeholder values, perceptions and relationships, as well as social, cultural, political, legal, regulatory, financial, technological, economic, natural, and the competitive environment factors.
Internal context includes its internal stakeholders, the approach to governance, contractual relationships, capabilities, culture and standards. Governance includes the organization’s structure, policies, objectives, roles, accountabilities and decision making process. Capabilities include knowledge and resources; human, technological and capital.
Risk assessment
Risk assessment is a process that is in turn made up of three processes: risk identification, risk analysis and risk evaluation.
Risk identification is a process that is used to find, recognize and describe the risks that could affect the achievement of objectives. It also includes the identification of possible causes and potential consequences. Historical data, theoretical analysis, informed opinions, expert advice and/or stakeholder input could be used to identify an organization’s risks.
Risk analysis is a process that is used to understand the nature, sources and causes of the risks that are identified and used to estimate the level of risk. Analysis is also used to study impacts and consequences and to examine the controls that currently exist.
Risk evaluation is a process that is used to compare risk analysis results with risk appetite in order to determine whether or not a specified level of risk is acceptable or tolerable.
Risk Register (PACICC-defined)
PACICC has compiled a Risk Register of more likely risks applicable to PACICC not meeting its goals and objectives, with a cursory assessment of each. More significant risks are then selected for in-depth review and, if deemed appropriate, escalated to PACICC’s Risk Profile.
Risk Profile (PACICC-defined)
The PACICC Risk Profile is a graphic presentation and written description of the major risks which could significantly and adversely impact PACICC’s ability to meet its goals and objectives. The description includes a comprehensive risk assessment (see definition), ranking of the severity and likelihood (probability) of the risk, a description of consequences, and a description of the treatment (action plan) showing owners and timelines. The Risk Profile includes any risks that the organization must monitor and manage, regardless of type of risk, for example, financial, operational, or reputational.
A consequence is the outcome of an event and has an effect on objectives. A single event can generate a range of consequences which can have both positive and negative effects on goals and objectives. Initial consequences can also escalate through ripple effects.
Likelihood (probability) is the chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively.
The severity of a risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. The severity of risk can be assigned to a single risk or to a combination of risks. Severity is described as Level of risk per ISO 39000.
Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options, e.g. avoiding the risk, reducing the risk, removing the source of the risk, modifying the consequences, changing the probabilities, sharing the risk with others, or simply retaining the risk.
Risk appetite (PACICC-defined, with adaptation / modification of ISO definitions of Risk Attitude and Risk Criteria)
Risk appetite is a point of reference used to assess and evaluate the significance or importance of an organization’s risks. It is used to determine whether a specified level of risk is acceptable or tolerable. An organization’s risk appetite also defines its general approach to risk, for example, whether risks should be retained, shared, reduced or avoided, and whether or not risk treatments are implemented or postponed.
Residual risk
Residual risk is the risk that remains after determining the inherent risk of an activity and then reducing that risk through the organization’s governance and control processes and specific risk-mitigation measures.
The key objective in monitoring risks on the Risk Profile is to ensure implementation treatments (action plans) serve to reduce residual risk. Mitigation strategies include removing the source of the risk, modifying the consequences, changing the probabilities, transferring the risk or retaining the risk.