CDIC: Speeches

Federated Press Conference on Crown Corporation Governance: Best practices for improving organizational performance and board effectiveness

24 March 2003

Jean-Pierre Sabourin
President & Chief Executive Officer
Canada Deposit Insurance Corporation

March 24, 2003
Ottawa, Ontario

Managing Risk in a Crown Corporation:
The View from CDIC

Thank you for the kind introduction. It is a privilege to participate in this conference.

Over the past few years, corporate governance has emerged as a major issue of public concern. Confidence in elements of the private sector has been severely shaken. This has been due in part to a number of high-profile corporate scandals and related governance failings. In the public sector, meanwhile, expectations regarding accountability and transparency have been ever increasing. Citizens rightly expect the highest standards of ethical behavior in their public institutions, and government is under more scrutiny today than ever before. Crown Corporations are in the unique position of straddling both these worlds. In so doing, we are far from being immune to risk. In today's world, in short, sound and effective risk management plays a critical role in the effective corporate governance of Crown Corporations.

At the Canada Deposit Insurance Corporation -- or "CDIC" as we like to refer to ourselves -- risk management is the major focus of what we do. We deal with risk on a daily basis. This morning, I'd like to share some thoughts with you on how we have developed risk management strategies tailored to the environment in which we operate.

First, let me begin with a few words about CDIC's mandate. CDIC is a Crown corporation that has, as its primary task, the provision of deposit insurance to those who have eligible deposits in member banks, trust and loan companies. CDIC is also mandated to contribute to the stability of the financial system in Canada and to promote standards of sound business and financial practices among its members. We're required to meet these objectives for the benefit of depositors, while minimizing the Corporation's exposure to loss. In fact, CDIC's mandate creates a three-fold level of interest in risk management.

First, lessons learned in the past have taught us that if we are going to minimize our exposure to loss, we had better be concerned about the risk faced by our members. In providing deposit insurance, CDIC assumes an insurance risk (i.e., the risk of loss associated with insuring deposits with member institutions). This risk is in large part a reflection of the risk exposures faced or taken on by its member institutions. The better our members manage their risks, the less insurance risk CDIC faces.

Second, CDIC's statutory mandate requires it to promote standards of sound business and financial practices. The Standards set out CDIC's expectations regarding the business and financial practices of member institutions. The Standards create a corporate governance framework for members that incorporates risk management directly.

Third, good internal risk management is essential if CDIC's management and board of directors are going to effectively manage and direct CDIC's affairs well.

Let me address in more detail each of these interests in risk management. To begin with, CDIC has an interest in seeing that its members properly manage the risk inherent in their businesses. At present, CDIC insures some $350 billion in insured deposits. Since the Corporation was created in 1967, we have dealt with the failure of 43 members, with total deposits of almost $26 billion – at a net loss to CDIC of close to $4.7 billion. Over the last 35 years this represents an average loss of about 20 cents on the dollar. This is remarkably good considering CDIC does not have priority over other unsecured creditors in an insolvency – as is the case for holders of Canadian life insurance policies, or the deposit insurer south of the border. Since we are usually the largest creditor of any failed institution, we in effect act as proxy for uninsured depositors and other unsecured creditors as well – and as we seek to minimize our losses, we minimize theirs.

It is important to note that CDIC's ability to minimize its exposure to loss improved dramatically after 1987. Before 1987, CDIC was essentially a "paybox" with no mandate and little ability to manage its risks and minimize its losses. As a consequence, our losses in this period averaged about 52 cents on the dollar. After 1987, legislative amendments were made giving the powers to proactively manage our risks. We became more of a "risk minimizer". This helped reduce our loss rate to an average of 17 cents since 1987. In dollar terms, that is savings in excess of $4 billion. We know that members will fail in the future, as they do in all countries from time-to-time. The clear lesson learned here is that for organizations to be effective and minimize their exposure to loss they need to be held responsible for managing their risks and have the powers to do so.

Although our recovery rates may be good in the world of insolvency -- $4.7 billion is still a lot of money to lose, and we would prefer to reduce the risks of our doing so in the future while supporting a vigorous and competitive financial system. Our members agree with this because they pay premiums that are the mechanism to recoup CDIC's losses -- not the taxpayer. At CDIC, we took a careful look at the history of our 43 failures. In a few cases, fraud was at the heart of the failures. However, the most significant factor contributing to failures was the absence of good risk management. Time and again we have seen member institutions fail due to the lack of sound risk management policies and procedures, or the failure to follow them, as well, as the absence of corporate governance checks and balances between senior management and the Board.

This leads me to the subject of CDIC Standards of Sound Business and Financial Practices. Given our experience with member failures, we found it necessary to put in place Standards, which include the need for good risk management. The Standards set out CDIC's expectations regarding the business and financial practices of our member institutions. They focus on enterprise-wide governance and management. The Standards stress that responsibility for the quality of processes, policies, procedures, controls and internal reporting belongs to senior management on a day-to-day basis and rests ultimately with an institution's board of directors.

The Standards cover a number of subjects, including corporate governance, strategic management, risk management and the control environment. The Standards dealing with governance address responsibilities of the board in directing and overseeing the activities of a member institution. The care, diligence, skill and prudence exhibited by a member's directors has a critical influence on the institution's viability, safety and soundness, its ability to execute its business strategy and achieve its business objectives and its ability to engender confidence on the part of depositors, investors, supervisors, rating agencies and others. The other Standards focus on senior managements' responsibilities for ensuring that the institution manages its operations and risks prudently and that the board is provided with the information to enable it to assess whether the responsibilities delegated to senior management are being discharged effectively.

Let me now highlight the key elements of the CDIC Standard specifically related to Risk Management. This Standard requires that the Board of Directors:

understand the significant risks to which the institution is exposed;
approve appropriate and prudent risk management policies for those risks;
review them on a regular basis to ensure they remain adequate for the circumstances; and
obtain reasonable assurance on a regular basis that the institution has an appropriate and effective risk management process; and that policies for addressing significant risks are being adhered to.

To enable the Board to fulfil its responsibilities, the Standards require management to play an active role in the risk management process. Without going into detail, this requires that management have a process to:

identify and assess significant risks;
develop appropriate risk management policies;
manage institution risk in accordance with approved policies; and
provide the board with relevant reports to enable them to assess whether the institution has ongoing effective risk management.

CDIC Standards are not suggestions – they are the law. Enforceable risk management standards must be applied to the "directing minds" of our members, with rewards when these standards are met, and consequences when they are not met. As an extreme measure (and one in which CDIC has deployed on two occasions), we can terminate a member institution's policy of insurance, preventing them from taking new deposits. As well, we can launch legal action against management and directors when an institution fails – and, when we have done so, we have been highly successful in recouping some of our losses. In most cases, however, our approach is more pre-emptive. For example, a member that fails to follow our standards may be charged higher premiums under our differential premiums system. Along with the financial pain this causes, higher premiums provide an important signal to the institution's Board and management.

To facilitate making determinations about whether an institution is following Standards, CDIC requires Boards and senior management to confirm, by way of an annual attestation to CDIC, that the Standards are indeed being followed. Central to this self-assessment is whether the institution is "in control." The concept of "in control" goes to the heart of the Standards. We say that an institution is "in control" when it can provide reasonable assurance that its operations, individually and collectively, are subject to effective board governance. That is, they are managed in accordance with appropriate, effective and prudent strategic and risk management coupled with capital, liquidity and funding management processes. And they are supported by an appropriate control environment. The institution must also provide evidence that any significant standards related issues are identified and that actions are being taken to address them.

There is a growing recognition that following sound business and financial practices is key to any company achieving its objectives. Not only is it essential to the operating effectiveness of any organization – it is good business. Studies show not only that financial institutions with good business practices operate more effectively and respond more quickly to changes in the marketplace, but also that stakeholders increasingly recognize the relationship between good practices and performance and investors are prepared to pay a premium for good practices.

Indeed, CDIC itself has adopted our Standards as the benchmark against which our own business and financial practices are to be assessed. And, I suggest that other public sector decision-makers and managers can also reap similar benefits if their operations are seen to be following sound business and financial practices. It's true that our bottom line is often different than that of the private sector. It's not just about making money. Public sector goals are more diverse, and often deal with intangibles. And the rewards and sanctions for the private and public sectors differ – and must be different. Canadians are citizens of a country and not shareholders in the traditional sense. But one key concept is common to both public and private sectors. The buck has to stop with someone – and that someone must be in a position to demonstrate that his or her operations are "in control". CDIC's standards of sound business and financial practices may well offer many public sector organizations a roadmap. It works for our member institutions.

In addition to dealing with member risk management and the application of CDIC Standards, we have established processes, policies and practices to further strengthen our overall enterprise risk management. Enterprise risk management is the identification, assessment, management, monitoring and reporting, at any point in time, of the significant risks, inherent in CDIC's business objectives, strategies, plans and operations. The objective of this work is to help ensure that CDIC is following sound business and financial practices.

We have undertaken a number of initiatives in this area. In addition to adopting the Standards as an ERM benchmark, CDIC's Board has conducted an assessment of its corporate governance practices -- including assessing the Board's practices against Finance / Treasury Board guidelines and assessing its Audit Committee practices against the Auditor General's recommendations. And, we are continuing to enhance these practices by:

Setting out profiles for private sector directors and communicating these to the Minister to assist in evaluating potential candidates; and
Updating Board and Committee roles and responsibilities -- including creating a Corporate Governance Committee and expanding the mandate of the Audit Committee to include the oversight of enterprise risk management.

CDIC has been actively enhancing its strategic management process to ensure that it continues to be appropriate and prudent in light of CDIC's current and anticipated business and economic environment, resources and results. As examples, we have:

Initiated formal strategic planning sessions between management and the Board to be held annually; and
Formalized the establishment of its business objectives, strategies and plans as part of our overall strategic management process.

CDIC has reviewed its significant risks and is formalizing its risk management processes, policies, procedures and controls in place to manage these risks to a level acceptable to CDIC. To make this happen, I recently established a chief enterprise risk officer position reporting to me, as CEO. To date, the chief risk officer has worked with CDIC Management to confirm the risks inherent in our business objectives, strategies, plans and operations -- and determine the significance of CDIC's inherent risks.

During the next year, the chief risk officer will work with CDIC Management to:

Formalize policies governing the Board's expectations for the management of these risks;
Document the risk management practices in place to manage these risks; and
Implement a self-assessment process to enable Management to report and demonstrate to the Board that significant risks are being managed in accordance with approved policies.

We are also reviewing our control environment to ensure that our organizational structure supports the management of CDIC's activities and risks.

Also, you may have seen another of CDIC's risk management initiatives – our television ads – aimed at enhancing the knowledge of depositors about what is, and what is not, insured by CDIC. We view this as our responsibility to educate the public. Public awareness reduces the risk that, in the event of a failure of a member institution, uninsured depositors will seek deposit insurance protection on the basis that they were of the belief that, at the time of making the deposit:

they were insured, or
they were not properly made aware of deposit insurance protection.

In closing, let me reiterate that we at CDIC do not see risk management as an academic exercise, or as a "flavour of the month" management fad. Ongoing effective strategic and risk management is at the heart of sound corporate governance in both the private and public sectors.

We are eager to share what we have learned, which has been the purpose of my remarks this morning. Our Standards can be downloaded from our website: www.cdic.ca. I would be pleased to answer any questions you may have. Thank you.

Return to list