CDIC - PowerPoint PPT Presentation

About This Presentation
Title:

CDIC

Description:

The comprehensive, systematic and disciplined process by which CDIC identifies, ... Relationships Risk: The risk that dealings with external parties are not ... – PowerPoint PPT presentation

Slides: 38
Provided by: Kyl56
Category:
Tags: cdic | dealings

Transcript and Presenter's Notes

Title: CDIC


1
CDIC
Protecting Your Deposits
The Experience of Canada Deposit Insurance
Corporation in Implementing Enterprise Risk
Management
J. R. LaBrosse Secretary General International
Association of Deposit Insurers
22 June 2004
2
Presentation Outline
  • CDIC's ERM definition
  • CDIC's rationale / objectives for implementing
    ERM
  • CDIC's ERM implementation approach
  • Initial steps
  • Work currently being undertaken
  • Future steps
  • ERM benefits / value derived to date
  • CDIC's Lessons Learned in implementing ERM

3
CDIC ERM Definition
  • ERM
  • The comprehensive, systematic and disciplined
    process by which CDIC identifies, assesses,
    manages, monitors and reports on, at any point in
    time, the significant risks inherent in its
    objects, strategies, plans and affairs

4
ERM Rationale
  • CDIC is subject to Treasury Board of Canada ERM
    Guidelines
  • Risk Management is one of four components of the
    CDIC Standards in control framework

5
In Control Concept
  • The demonstration that CDIC's affairs are
  • Subject to effective governance
  • Being managed in accordance with ongoing,
    appropriate and effective strategic and risk
    management processes
  • Being conducted in an appropriate control
    environment
  • and
  • Significant weaknesses (related thereto) are
    being identified and appropriate and timely
    action is being taken to address them

6
ERM Objectives
  • Demonstrate that
  • CDIC has identified / understands / is managing
    its significant risks
  • Risk decisions are
  • Explicitly integrated into CDIC's strategic and
    day-to-day decision making
  • Subject to good corporate governance
  • Being supported by an appropriate control
    environment

7
ERM Objectives (cont'd)
  • Facilitate
  • Validation of CDIC's strategies / plans /
    initiatives
  • Prioritization of CDIC's strategies / plans /
    initiatives
  • Effective resource allocation

8
Initial ERM Implementation Steps
  • Built an ERM foundation
  • Conducted a corporate-level risk assessment
  • Profiled corporate risk management culture

9
ERM Foundation
  • Created CRO position to develop CDIC's ERM
    approach / coordinate ERM implementation
  • Developed ERM implementation plan
  • Formed an executive management-level ERM
    Committee to validate ERM approach and results
  • Formalized Board ERM policy

10
ERM Policy
  • Formalizes ERM role of the CDIC Board /
    Management
  • Forms one of 19 principles under the CDIC Board
    Governance Policy
  • Developed to reflect
  • CDIC's statutory requirements
  • CDIC Standards
  • Other ERM best practices

11
ERM Policy
12
Board ERM Responsibilities
  • Understand CDIC's significant risks
  • Establish RM policies related thereto
  • Regularly review RM policies (evergreen)
  • Obtain reasonable assurance re
  • CDIC's ERM process
  • Adherence with RM policies

13
Management ERM Responsibilities
  • Identify risks
  • Assess their significance
  • Develop RM policies for the Board
  • Regularly review RM policies (evergreen)
  • Manage risks within RM policies
  • Report to the Board re
  • Significant risks / management of significant
    risks
  • ERM process

16
Corporate-Level Risk Assessment
  • ERM Committee
  • Updated catalogue of inherent corporate risks /
    risk categories / definitions / risk examples /
    corporate risk management practices
  • Assessed residual risk exposures (likelihood of
    occurrence of each risk taking into consideration
    risk management practices and its potential
    impact should it occur)

17
Risk Assessment (cont'd)
  • ERM Committee
  • Assessed each risk exposure as reasonable,
    cautionary or concern (including supporting
    rationale)
  • Identified owners for each risk
  • Where applicable, identified initiatives to
    enhance the management of each risk
  • Validated that risk management initiatives are in
    line with Corporate Plan

18
Corporate Risk Categories
  • Insurance Risk: CDIC's risk of loss (or costs
    incurred in the event of an intervention)
    associated with insuring deposits
  • Financial Risk: The risk associated with managing
    CDIC's assets and liabilities, both on- and
    off-balance sheet
  • Operational Risk: The risk of loss, to which CDIC
    is exposed that is attributable to the
    possibility of disruptions in its operations
    caused by human performance, the inadequacy or
    failure of processes or technology, and external
    events
  • Reputational Risk: The risk of impairment of the
    credibility of, and confidence in, CDIC

19
Insurance Risk
  • Insurance Power Risk: The risk that CDIC does
    not have the necessary powers to support the
    management of its insurance risk in accordance
    with CDIC's statutory objects
  • Underwriting Risk: The risk that CDIC accepts a
    new member institution with an unacceptable level
    of insurance risk
  • Assessment Risk: The risk that CDIC does not
    systematically or promptly identify member
    institutions that pose a potentially high level
    of insurance risk
  • Intervention Risk: The risk that CDIC does not
    respond appropriately to members that pose an
    unacceptable level of insurance risk

20
Financial Risk
  • Liquidity Risk: The risk that funds will not be
    available to CDIC to honour its cash obligations
    (both on- and off-balance sheet) as they arise
  • Market Risk: The risk of loss attributable to
    adverse changes in the values of financial
    instruments and other investments or assets owned
    directly or indirectly by CDIC, whether on- or
    off-balance sheet, as a result of changes in
    market rates or prices
  • Credit Risk: The risk of loss attributable to
    counterparties failing to honour their
    obligations, whether on- or off-balance sheet,
    to CDIC

21
Operational Risk
  • People Risk: The risk resulting from
    inadequacies in the competencies, capacity or
    performance of CDIC personnel
  • Information Risk: The risk that timely, accurate
    and relevant information is not available to
    facilitate informed decision making and/or the
    exercise of effective oversight
  • Technology Risk: The risk that CDIC's technology
    does not appropriately support the achievement of
    its objectives, strategies, plans and affairs
    (including the management of the risks related
    thereto)

22
Operational Risk (cont'd)
  • Process Risk: The risk resulting from the
    incorrect execution of, a breakdown in, or a gap
    in, a process, policy, procedure or control
  • Compliance Risk: The risk that CDIC fails to
    comply with statutory requirements and relevant
    guidelines governing its affairs as a Crown
    corporation, and its internal policies
  • Legal Risk: The risk that legal matters
    adversely impact CDIC's ability to achieve its
    objects, strategies and plans
  • Outsourcing Risk: The risk associated with CDIC
    engaging third parties to perform services on its
    behalf

23
Operational Risk (cont'd)
  • Business Continuity Risk: The risk that a
    disruption impacting CDIC's personnel,
    information, premises, technology or operations
    will impede its ability to achieve its objects,
    conduct its affairs, or implement its strategies
    and plans
  • Security Risk: The risk that CDIC fails to
    ensure the safety of its people, the security of
    its assets, and the security and confidentiality
    of its information

24
Reputational Risk
  • External Communication Risk: The risk of not
    communicating necessary information, or
    communicating in an inappropriate manner, or that
    communication is misinterpreted by the intended
    audience
  • External Relationships Risk: The risk that
    dealings with external parties are not adequate
    to promote the interests of CDIC, or are
    conducted in an appropriate manner

25
Significance Criteria
  • Likelihood: probability of occurrence using a
    five-point qualitative scale
  • Impact: potential impact (using a five-point
    qualitative scale) of an occurrence on CDIC's
  • Achievement of its mandate
  • Financial position
  • Reputation

26
Corporate Risk Significance Map
27
Risk Management Culture
  • Management profiled CDIC's corporate-level risk
    management culture
  • 4 areas × 5 questions per area = 20 questions

28
Management Understanding
  • We understand CDIC's objects and strategies
  • CDIC has plans in place to achieve its objects
    and strategies
  • We know the major risks and challenges related to
    achieving CDIC's objects and strategies
  • We understand our responsibilities,
    accountabilities and authorities
  • Realistic targets and indicators are in place to
    assess CDIC's performance in achieving its
    objects and strategies

29
Supporting Environment
  • CDIC's management style and behaviour supports
    the open flow of information about the management
    of CDIC's affairs and any significant risk issues
  • Risk identification, assessment and management
    are built into the management of CDIC's affairs
  • CDIC's Code of Conduct and Ethical Behaviour is
    practised throughout the organization
  • CDIC's communication supports the management of
    its risks and the achievement of its objects and
    strategies
  • Performance assessments are aligned with the
    prudent, appropriate and effective management of
    CDIC's risks

30
Capability / Capacity
  • CDIC has sufficient personnel with the right
    knowledge and skills to achieve its objects and
    strategies
  • CDIC is appropriately structured to effectively
    and efficiently achieve its objects and
    strategies
  • CDIC has sufficient financial, technological and
    other resources to achieve its objects and
    strategies
  • Appropriate people make decisions about
    significant risks impacting CDIC's affairs in a
    timely manner
  • CDIC has sufficient, relevant and timely
    information available to achieve its objects and
    strategies

31
Implementing Change
  • CDIC's environment is monitored regularly to see
    if we need to adjust our Corporate Risk
    Framework, strategies and plans
  • CDIC monitors its performance against its targets
    and indicators
  • Resource and information needs are reassessed as
    CDIC's objects, strategies or plans change, or as
    risk issues are identified
  • Risk management practices are periodically
    assessed as to their continued appropriateness
    and effectiveness
  • Follow up procedures are in place to ensure that
    needed changes or actions occur

32
Risk Assessment Methodology
  • CDIC Management team individually interviewed to
    identify
  • Inherent corporate risks
  • Risk management practices
  • ERM Committee collectively
  • Confirmed corporate risk catalogue
  • Assessed each risk
  • Assessed corporate risk management culture
  • Results reported to CDIC Audit Committee
  • Process validated by Internal Audit

34
Current ERM Implementation Steps
  • Developing ERM Board reporting package
  • For each Insurance Risk
  • Further documenting risk management practices
  • Developing Board policies / risk tolerances
  • Further integrating ERM and strategic planning
  • Validating CDIC's catalogue of corporate risks
    against its environmental scanning results

36
Future ERM Implementation Steps
  • Document risk management practices / develop
    Board policies for remaining risks
  • Conduct risk (and risk management culture)
    assessments for remaining risks and for each
    business function
  • Validate initial corporate risk (and risk
    management culture) assessments
  • Initiate regular ERM Board reporting
  • Fully coordinate ERM and strategic management
  • so that risk decisions are explicitly integrated
    into strategic and day-to-day decision making

37
ERM Benefits to Date
  • Clarified Management's collective understanding
    of risks and the risk management practices
  • Evidenced that CDIC is aware of, and is managing
    its significant corporate risks
  • Confirmed
  • CDIC's Corporate Plan is focused on the right
    initiatives
  • Resources are allocated to areas of greatest
    concern
  • A strong corporate risk management culture

38
ERM Lessons Learned
  • Implementing ERM is like filming a long / complex
    movie
  • Hire a director (CRO)
  • Have a clear story (ERM implementation plan)
  • Engage studio executives (Board Governance / ERM
    Policy)
  • Engage actors (ERM Committee / Management)
  • Film one scene at a time (Corporate-level risk
    assessment)
  • Keep camera focused (ERM implementation plan)

39
More ERM Lessons Learned
  • Risks are like an onion
  • They have many layers
  • Each risk has many sub-risks - which in turn have
    many sub-risks
  • Cutting through too quickly can cause tears
  • Don't try to do everything at once - peel
    layer-by-layer
  • It is easier to peel the outer layers before you
    peel the inner layers - CDIC started with a
    corporate-level risk assessment and is now
    conducting risk assessments at a more detailed
    level

40
Closing Remarks
  • ERM is not a one time project but a continuous
    process that needs to be
  • Ingrained into your strategic and daily
    decision-making
  • Subject to effective corporate governance
  • Supported by an appropriate control environment
  • It is complex - so keep it simple

41
  • Questions?

42
CDIC
Protecting Your Deposits
CDIC's Experience in Implementing ERM
J.R. LaBrosse
June 2004