Integrated Risk Management Guideline

May 2015

Introduction

[This guideline was first published in April 2009.]

Risks and their management are intrinsic to all financial institutions. However, inadequate, incomplete or lack of management of such risks can result in serious consequences and adversely affect the operation and solvency of financial institutions.

The core principles and guidance published by the Basel Committee on Banking Supervision [Bank for International Settlements, Basel Committee on Banking Supervision, Core Principles for Effective Banking Supervision, September 2012; Bank for International Settlements, Basel Committee on Banking Supervision, Joint Forum, Principles for the Supervision of Financial Conglomerates, September 2012] and the International Association of Insurance Supervisors [International Association of Insurance Supervisors, Insurance Core Principles, Standards, Guidance and Assessment Methodology, October 2011, ICP 9 amended October 2012, ICP 22 amended October 2013] clearly explain the need for financial institutions to manage their risks in a sound manner and for regulators to provide the appropriate framework. These international bodies also emphasize the governance component that must underlie such a framework and stress that financial institutions must have comprehensive, formal and consistent risk management strategies, policies (a set of general principles adopted by a financial institution for conducting its activities in a given area) and procedures (a set series of tasks to be performed; it is generally the result of imperatives that cannot be negotiated by the individual who applies it) in terms of risk management. Their implementation must enable them to identify, assess, quantify, control, mitigate and monitor risks.

The AMF adheres to the principles and guidance published by international bodies that foster sound and prudent management practices (a financial institution’s management practices ensuring good governance and compliance with the laws governing its activities, in particular, the assurance that the financial institution will maintain adequate assets to meet its liabilities as and when they become due and adequate capital to ensure its sustainability). Pursuant to the authority conferred upon it under various sector-based statutes [Insurers Act, CQLR, c. A-32.1, section 463; Deposit institution and deposit protection Act, CQLR, c. I-13.2.2, section 42.2; Act respecting financial services cooperatives (a financial services cooperative is a legal person in which persons with common economic needs unite to form a deposit and financial services institution to meet those needs), CQLR, c. C-67.3, s. 565.1; Trust companies and savings companies Act, CQLR, c. S-29.02, section 254], the AMF is issuing this guideline (a document that describes the steps that financial institutions can take to satisfy their legal obligation to follow sound and prudent management practices and sound commercial practices) expressly to inform financial institutions of its expectations regarding integrated risk management (a set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through a holistic view of a financial institution’s set of risks).

One of the objectives of the guideline is the implementation of an adequate integrated risk management framework (a set of policies, procedures and controls for managing an organization’s key functions) within each financial institution. The guideline favours the adoption by each financial institution of a comprehensive and co-ordinated approach to integrated risk management that takes into account the interrelationships and interdependencies between risks.

 

1. Integrated risk management

The AMF expects financial institutions to carry out integrated risk management that is supported by strategies, policies and procedures that enable them to identify, assess, quantify, control, mitigate and carefully monitor material risks.

Risks are inherent in the conduct of a financial institution’s business and can represent both opportunities and threats. Since some undesirable risks cannot be eliminated entirely, they must be managed based on their significance, i.e. the scope and frequency of the effects they are likely to have on a financial institution if they materialize. It is therefore important for an institution to adopt strategies, policies and procedures to be able to manage its risks effectively and efficiently.

Risk management is therefore essential to the conduct of a financial institution’s business. It is an ongoing, dynamic and evolving process that must be part of the institution’s corporate culture (the common values and standards that define a business and influence its mindset, conduct and the actions of its entire staff) and help it achieve its strategic objectives.

The AMF further believes that financial institutions should gravitate toward integrated risk management rather than take an approach where risks are considered separately. Thus, risks that are considered less important but that could become material when combined should also be considered. A holistic approach (a management approach based on an overall, integrated view, emphasizing the importance of all risks of a financial institution while taking account of the interdependence between them) takes into consideration the interrelationship and interdependence between risks, important aspects that can influence how much risk the institution will assume. As a result, financial institutions will need standardized processes and reliable information systems that allow them to identify connections between risks and to obtain reports that contain relevant, clear and adapted information in a timely manner so that senior management (the group of individuals responsible for managing a financial institution on a day-to-day basis in accordance with the strategies and policies set by the board of directors) and the board of directors (a body of elected or appointed individuals ultimately responsible for the governance and oversight of a financial institution) can monitor the achievement of the institution’s strategic objectives.

This approach also makes it possible to better take into account risks that are harder to quantify using traditional methods. Certain operational risks, strategic risks and reputation risks are good examples.

Moreover, an integrated risk management framework increases the effectiveness with which the cascading effects of risks with multiple consequences are handled. Risks associated with the use of technologies, given their multiple ramifications, are good examples: interrupted operations, loss of data, identity theft, cyberattacks, damage to reputation, lawsuits, etc. With this in mind, strategies, resources, technologies and knowledge must be aligned to manage these risks adequately and comprehensively across the entire financial institution.

As stated above, integrated risk management involves identifying, assessing, quantifying, controlling, mitigating and carefully monitoring the material risks to which a financial institution is exposed. It allows the institution to identify events likely to affect it beyond the limits of its risk appetite (the aggregate level and types of risk a financial institution is willing to assume to achieve its strategic objectives and business plan).

 

2. Risk appetite, tolerance levels and limits

The AMF expects financial institutions to define and maintain a general risk appetite statement containing qualitative and quantitative elements. It also expects institutions to clearly define their tolerance levels for the most material risks and embed them in their operations in keeping with their risk management policies and procedures.

Risk appetite refers to a broad notion whereby a financial institution determines the aggregate level of risk it can accept in order to reach its strategic objectives and execute its business plan, all the while respecting its obligations to its insureds, depositors or other clients and in line with available capital.

Risk appetite is therefore closely tied to the institution’s business strategy. A clear definition is essential to sound risk management insofar as it helps define the type and overall level of risk the institution is prepared to accept and assume in relation to its strategic objectives. It can be broken down as follows:

  1. The risk appetite statement should contain qualitative information that makes it possible to situate the targeted risks as well as the desired behaviour of the institution based on different scenarios. The statement should also contain a few quantitative objectives or limits, expressed on the basis of revenue, capital or any other metric deemed relevant (for example, based on maximum loss or level of concentration).

  2. Risk tolerance levels should specify the level of variation the financial institution deems acceptable, based on its judgment, for each material risk in pursuing its objectives.

  3. Risk limits aim to reflect risk appetite and tolerance levels according to specific and tangible granular components (for example, by business line). The objective is to guide and support the institution’s risk takers from each business sector so that their decisions are in line with the institution’s strategic objectives.

Defining a risk appetite statement that is understandable, easily communicable and relevant in terms of the institution’s objectives and profile helps strengthen the institution’s risk management culture.

The financial institution’s general risk appetite statement should be backed by sufficient documentation justifying the choice of risk tolerance levels and limits (risk tolerance sets boundaries on the level of risks a financial institution is prepared to accept based on its risk appetite). This documentation should make it possible to understand the context that led to this choice and facilitate its integration into any update to the strategic plan.

A financial institution’s risk appetite must be dynamic, in other words, evolving with the institution’s situation (notably its solvency position), the health of the industry, market conditions and macroeconomic factors.

Furthermore, all events likely to significantly affect the institution or its environment should give rise to a reassessment of its risk profile (a financial institution’s overall level of risk exposure that is based on an evaluation of the risks inherent in the financial institution’s significant activities, its ability to manage risks, its financial condition and its commercial practices).

Similarly, stress testing exercises (stress testing is a risk management technique used to assess the potential vulnerability of a financial institution by testing defined and exceptional, but plausible, adverse scenarios) [Autorité des marchés financiers, Stress Testing Guideline] are critical when assessing resource adequacy against the institution’s risk appetite. The assessment should review all material and probable risks, categorized by likelihood and impact. This approach provides senior management and the board of directors with an accurate picture of the potential consequences of all significant events on, for example, the solvency of the institution.

 

3. Integrated risk management governance

The AMF expects a financial institution’s integrated risk management framework to be supported by a solid governance structure which, in particular, should enable it to clearly define the roles and responsibilities of the various stakeholders (any individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a result, a decision or an intervention coming from another party) assigned to risk management.

It is the responsibility of the financial institution’s senior management to give assurances to the board of directors that the risk appetite and tolerance levels are adequately established and respected, and that the measures taken to manage them are sufficient. Similarly, it is also up to the decision-makers to incorporate the opportunities identified within the risk management framework into the financial institution’s strategic thinking and the resulting objective-setting process.

The board of directors and senior management therefore have primary responsibility for developing the management framework for the risks to which the institution is exposed. This framework must be supported by an organizational strategy focused on optimizing the management of risks.

In addition, effective and successful management depends on promoting a risk management culture within the institution and the tone set by its officers. The objectives must be understandable and communicated across all levels of the institution. As stated above, risk management at a financial institution should not be considered a project, but rather should form an integral part of its corporate risk culture (the set of norms, values, attitudes and behaviours that characterizes the way in which a financial institution conducts its activities related to risk awareness, risk taking and risk management and controls), a way of doing business.

3.1 Roles and responsibilities of the board of directors

[A reference to the board of directors can also include a board committee, such as a board committee established to examine specific issues.]

Given the increased responsibility and accountability of directors, they have an interest in taking an active role in determining the risk appetite, and in choosing the integrated risk management strategies developed by senior management.

Optimal risk management should include obtaining the relevant information necessary to understand the risks so the board of directors can properly carry out its mandate. Given that board ineffectiveness can be blamed when a financial institution grapples with failure or experiences problems, the board must ensure that the institution’s financial objectives are compatible with its stated risk appetite and in line with its business strategies and operational objectives.

Likewise, the self-assessment that the board of directors must perform routinely relative to its overall mandate should also cover the board’s knowledge and understanding of the risks to which the financial institution is exposed.

In this context, the board of directors must be involved in integrated risk management and, in particular, should:

  • Approve strategies in line with the risk appetite of the institution;

  • Ensure senior management implements policies and procedures to determine and maintain the appropriate level of capital in light of the institution’s risks and strategic objectives [Autorité des marchés financiers, Capital Management Guideline];

  • Review and approve the risk management framework as well as the implementation of strategies to support it. This risk management framework should in particular include mechanisms for delegating responsibilities and plans to be executed in the event of deficiencies;

  • Review and approve the proposed policies establishing the rules for accepting, monitoring, managing and reporting on the material risks to which the institution is exposed as well as other risks that might become material in combination with others;

  • Require senior management or the chief risk officer to report regularly on the material risks to which the institution is exposed. The report should also discuss the procedures in place to manage these risks and the overall effectiveness of the procedures;

  • Ensure that the institution’s integrated risk management function is independent of ongoing operations, has a status and sufficient visibility, and is reviewed periodically;

  • Ensure that the board’s collective skills and experiences are sufficient to properly understand, assess and quantify the risks faced by the institution when such risks are presented by senior management;

  • Be aware of the processes [Autorité des marchés financiers, Capital Management Guideline] used to assess and quantify risks as well as the scenarios used and the stress tests performed. The stress tests may be based on past events and hypothetical developments, and include both the best- and worst-case scenarios. In all cases, the board of directors should be aware of the limitations of the models, assumptions and tools used;

  • Be regularly apprised of evolving trends, emerging risks and material changes likely to alter the financial institution’s risk profile;

  • Ensure regular communication with risk managers and the chief risk officer. This type of communication should include documented reports on all types of material risks as well as on the interrelationships between the risk management framework, the solvency position and the strategic objectives. Plain language is particularly important, because it enables the board of directors to make use of the often detailed, technical and complex information provided to it, grasp that information and understand its scope and effects on the management of the institution.

3.2 Roles and responsibilities of senior management

As part of integrated risk management, senior management of the financial institution should, in particular:

  • Implement a risk management policy and risk management procedures that are adapted to the financial institution’s risk profile and strategic plan, and ensure that they are rolled out efficiently and effectively at all levels;

  • Designate appropriate individuals to be in charge of monitoring and controlling all material risks in line with the strategies adopted by the financial institution;

  • Align the risks against the institution’s objectives regarding the creation and preservation of value as well as the business processes or specific sectors in which such risks may materialize;

  • Assess the potential effects of the risks identified on the financial institution’s strategies, compliance and the integrity of its financial reporting, and ensure they are taken into account;

  • Identify the risks that may materialize for the purpose of establishing an order of priority based on the institution’s characteristics and operating mode;

  • Establish procedures for communicating with and drawing on higher reporting levels in response to the materialization of risks, the effectiveness of controls and changes likely to affect the financial institution’s risk profile;

  • Implement an effective compensation system that does not encourage risky practices such as the pursuit of higher returns through speculative position-taking.

3.3 Roles and responsibilities of the chief risk officer

Ideally, overall responsibility for integrated risk management should be entrusted to a chief risk officer in charge of developing and managing a strategy in this matter. Failing the existence of such a position—in light of the size of the financial institution, for example—this responsibility should be entrusted to a member of senior management.

However, this role is not “exclusive,” since the person in charge must be able to rely on all people involved in risk management. The chief risk officer is responsible for developing and implementing the risk management strategy. In more complex institutions, he is responsible for co-ordinating the risk management approach.

The chief risk officer’s role includes co-ordination, with the ability to synthesize and communicate information effectively. He should also be able to explain matters in a manner tailored to various audiences.

The chief risk officer’s objectives should follow a holistic approach and notably enable the following:

  • Promoting a risk culture by taking into account and incorporating risks in the institution’s strategic decisions;

  • Developing and implementing the risk management framework and strategies using, in particular, the expertise of risk managers at various levels of the institution;

  • Ongoing discussions with the primary business sector managers about their exposure to greater risks in order to ensure that their practices comply with the risk management framework;

  • Communicating information to interested parties (any person or organization that may be affected by a decision or activity of another party), in particular with regard to objectives pertaining to optimal risk-based capital allocation and risk appetite;

  • Advising members of the management team and the board of directors;

  • Understanding by senior management and the board of directors of the issues and interrelationships between the institution’s strategic objectives, solvency position and risk management framework, particularly through the tools it has for risk and capital assessment;

  • Mitigating risks that could be harmful to the institution.

 

4. Dynamic and evolving integrated risk management framework

The AMF expects financial institutions to establish a framework to adequately manage all of their risks based on their risk appetite. This framework should be dynamic, evolving and implemented considering the nature, size and complexity of the institution’s activities.

The AMF recognizes that implementing a risk management framework is largely influenced by the nature, size and complexity of a financial institution’s activities. Thus, the institution must implement strategies, policies and procedures that are adequate for managing its risks effectively and efficiently in light of its specific attributes.

In general, an integrated risk management framework should:

  • Be taken into consideration when formulating the organizational strategy;

  • Give senior management and the board of directors an acceptable level of confidence and comfort regarding their understanding and management of the full range of risks related to the fulfillment of the institution’s objectives;

  • Guide and support the senior management and the board of directors in decision-making and facilitate their understanding of the interrelationships between this framework, the capital management framework and the institution’s strategic objectives;

  • Be implemented at all levels within the institution in order to generate an overall view of risk exposures;

  • Help identify events likely to affect the financial institution in a tangible manner and enable the institution to manage them in light of its risk appetite;

  • Focus on risks (independent or interrelated) that hinder the achievement of the financial institution’s operational objectives and its strategies, and that are likely to significantly affect its functions and processes;

  • Include the delegation of responsibilities and mechanisms for the plans to be implemented in case of deficiencies;

  • Include the implementation and maintenance of a stress testing program.

A financial institution’s integrated risk management framework must be dynamic to enable it to pinpoint risks and benefit from the management of those risks. In this regard, it must allow for modifications to the institution’s risk appetite in light of changes to its risk profile. In particular, it should allow a financial institution to have:

  • A better ability to prevent, detect, remedy and report problems related not only to inadequate risk management, but also to events or problems caused by elements that could come from outside the institution;

  • Reduced risk management costs through enhanced sharing of risk-related information and a better integration of existing risk management processes;

  • The means to increase strategic flexibility where the context differs from what was originally anticipated in the planning process or in the event of situations that prove to be more favourable or unfavourable than expected.

In addition to being dynamic, the risk management framework should be able to evolve. It is to the advantage of a financial institution to continue refining its risk management framework to an optimal level, and do so in line with its specific attributes.

The objective of becoming effective and sophisticated with respect to risk management can be achieved in particular through decompartmentalizing risk management and adopting more integrated and co-ordinated measures. This method of managing risks implies the evolution of a minimal risk management framework, in which risks are considered on an individual basis, toward a more holistic vision based on a risk portfolio.

This also involves documenting, in an aggregated and synthesized manner, findings and decisions stemming from the application of the risk management framework and stress testing exercises [Autorité des marchés financiers, Stress Testing Guideline] (for example, adjustments made to the risk appetite statement and strategic plans). [The AMF may, if it deems it appropriate, provide more specific expectations concerning the documentation required to support the risk management framework.]

Through the various stages of identifying, assessing, quantifying, controlling, mitigating and monitoring risks, the approach adopted should be an evolving one. For example, the approach could shift from a consideration of all risks to a consideration of material risks, from merely mitigating risks to a more optimal management of risks, from quantifying risks summarily to quantifying and monitoring them in a more structured and rigorous manner, etc.

Finally, a dynamic and evolving risk management framework will enable optimization of capital use and of management of exposure to the different types of risks faced by the financial institution. Consequently, capital management activities should draw on the integrated risk management framework, in particular through an internal risk and solvency assessment process. [To learn about expectations in this regard, see the Capital Management Guideline.]