Canada Deposit Insurance Corporation / Société d’assurance-dépôt du Canada (CDIC)


Protecting Your Deposits
CDIC’s Experience in Implementing ERM
J.P. Sabourin, President and Chief Executive Officer, CDIC
April 2004

Presentation Outline
- CDIC’s ERM definition
- CDIC’s rationale / objectives for implementing ERM
- CDIC’s ERM implementation approach
  - Initial steps
  - Work currently being undertaken
  - Future steps
- ERM benefits / value derived to date
- CDIC’s “Lessons Learned” in implementing ERM

CDIC ERM Definition
ERM: The comprehensive, systematic and disciplined process by which CDIC identifies, assesses, manages, monitors and reports on, at any point in time, the significant risks inherent in its objects, strategies, plans and affairs

ERM Rationale
- CDIC is subject to Treasury Board of Canada ERM Guidelines
- Risk Management is one of four components of the CDIC Standards “in control” framework

“In Control” Concept
The demonstration that CDIC’s affairs are:
- Subject to effective governance
- Being managed in accordance with ongoing, appropriate and effective strategic and risk management processes
- Being conducted in an appropriate control environment and
- Significant weaknesses (related thereto) are being identified and appropriate and timely action is being taken to address them

ERM Objectives
Demonstrate that:
- CDIC has identified / understands / is managing its significant risks
- Risk decisions are:
  - Explicitly integrated into CDIC’s strategic and day-to-day decision making
  - Subject to good corporate governance
  - Being supported by an appropriate control environment

ERM Objectives (cont’d)
Facilitate:
- Validation of CDIC’s strategies / plans / initiatives
- Prioritization of CDIC’s strategies / plans / initiatives
- Effective resource allocation

Initial ERM Implementation Steps
- Built an ERM foundation
- Conducted a corporate-level risk assessment
- Profiled corporate risk management culture

ERM Foundation
- Created CRO position to develop CDIC’s ERM approach / coordinate ERM implementation
- Developed ERM implementation plan
- Formed an executive management-level ERM Committee to validate ERM approach and results
- Formalized Board ERM policy

ERM Policy
- Formalizes ERM role of the CDIC Board / Management
- Forms one of 19 principles under the CDIC Board Governance Policy
- Developed to reflect:
  - CDIC’s statutory requirements
  - CDIC Standards
  - Other ERM “best practices”

Board ERM Responsibilities
- Understand CDIC’s significant risks
- Establish RM policies related thereto
- Regularly review RM policies (evergreen)
- Obtain reasonable assurance re:
  - CDIC’s ERM process
  - Adherence with RM policies

Management ERM Responsibilities
- Identify risks
- Assess their significance
- Develop RM policies for the Board
- Regularly review RM policies (evergreen)
- Manage risks within RM policies
- Report to the Board re:
  - Significant risks / management of significant risks
  - ERM process

Corporate-Level Risk Assessment
ERM Committee:
- Updated catalogue of inherent corporate risks / risk categories / definitions / risk examples / corporate risk management practices
- Assessed residual risk exposures (likelihood of occurrence of each risk taking into consideration risk management practices and its potential impact should it occur)

Risk Assessment (cont’d)
ERM Committee:
- Assessed each risk exposure as “reasonable”, “cautionary” or “concern” (including supporting rationale)
- Identified “owners” for each risk
- Where applicable, identified initiatives to enhance the management of each risk
- Validated that risk management initiatives are in line with Corporate Plan

Corporate Risk Categories
- Insurance Risk: CDIC’s risk of loss (or costs incurred in the event of an intervention) associated with insuring deposits
- Financial Risk: The risk associated with managing CDIC’s assets and liabilities, both on- and off-balance sheet
- Operational Risk: The risk of loss to which CDIC is exposed that is attributable to the possibility of disruptions in its operations caused by human performance, the inadequacy or failure of processes or technology, and external events
- Reputational Risk: The risk of impairment of the credibility of, and confidence in, CDIC

Insurance Risk
- Insurance Power Risk: The risk that CDIC does not have the necessary powers to support the management of its insurance risk in accordance with CDIC’s statutory objects
- Underwriting Risk: The risk that CDIC accepts a new member institution with an unacceptable level of insurance risk
- Assessment Risk: The risk that CDIC does not systematically or promptly identify member institutions that pose a potentially high level of insurance risk
- Intervention Risk: The risk that CDIC does not respond appropriately to members that pose an unacceptable level of insurance risk

Financial Risk
- Liquidity Risk: The risk that funds will not be available to CDIC to honour its cash obligations (both on- and off-balance sheet) as they arise
- Market Risk: The risk of loss attributable to adverse changes in the values of financial instruments and other investments or assets owned directly or indirectly by CDIC, whether on- or off-balance sheet, as a result of changes in market rates or prices
- Credit Risk: The risk of loss attributable to counterparties failing to honour their obligations, whether on- or off-balance sheet, to CDIC

Operational Risk
- People Risk: The risk resulting from inadequacies in the competencies, capacity or performance of CDIC personnel
- Information Risk: The risk that timely, accurate and relevant information is not available to facilitate informed decision making and/or the exercise of effective oversight
- Technology Risk: The risk that CDIC’s technology does not appropriately support the achievement of its objectives, strategies, plans and affairs (including the management of the risks related thereto)

Operational Risk (cont’d)
- Process Risk: The risk resulting from the incorrect execution of, a breakdown in, or a gap in, a process, policy, procedure or control
- Compliance Risk: The risk that CDIC fails to comply with statutory requirements and relevant guidelines governing its affairs as a Crown corporation, and its internal policies
- Legal Risk: The risk that legal matters adversely impact CDIC’s ability to achieve its objects, strategies and plans
- Outsourcing Risk: The risk associated with CDIC engaging third parties to perform services on its behalf

Operational Risk (cont’d)
- Business Continuity Risk: The risk that a disruption impacting CDIC’s personnel, information, premises, technology or operations will impede its ability to achieve its objects, conduct its affairs, or implement its strategies and plans
- Security Risk: The risk that CDIC fails to ensure the safety of its people, the security of its assets, and the security and confidentiality of its information

Reputational Risk
- External Communication Risk: The risk of not communicating necessary information, or communicating in an inappropriate manner, or that communication is misinterpreted by the intended audience
- External Relationships Risk: The risk that dealings with external parties are not adequate to promote the interests of CDIC, or are conducted in an appropriate manner

Significance Criteria
- Likelihood = probability of occurrence using a five-point qualitative scale
- Impact = potential impact (using a five-point qualitative scale) of an occurrence on CDIC’s:
  - Achievement of its mandate
  - Financial position
  - Reputation

Corporate Risk Significance Map

Risk Management Culture
- Management profiled CDIC’s corporate-level risk management culture
  - 4 areas X 5 questions per area = 20 questions

Management Understanding
1. We understand CDIC’s objects and strategies
2. CDIC has plans in place to achieve its objects and strategies
3. We know the major risks and challenges related to achieving CDIC’s objects and strategies
4. We understand our responsibilities, accountabilities and authorities
5. Realistic targets and indicators are in place to assess CDIC’s performance in achieving its objects and strategies

Supporting Environment
6. CDIC’s management style and behaviour support the open flow of information about the management of CDIC’s affairs and any significant risk issues
7. Risk identification, assessment and management are built into the management of CDIC’s affairs
8. CDIC’s Code of Conduct and Ethical Behaviour is practised throughout the organization
9. CDIC’s communication supports the management of its risks and the achievement of its objects and strategies
10. Performance assessments are aligned with the prudent, appropriate and effective management of CDIC’s risks

Capability / Capacity
11. CDIC has sufficient personnel with the right knowledge and skills to achieve its objects and strategies
12. CDIC is appropriately structured to effectively and efficiently achieve its objects and strategies
13. CDIC has sufficient financial, technological and other resources to achieve its objects and strategies
14. Appropriate people make decisions about significant risks impacting CDIC’s affairs in a timely manner
15. CDIC has sufficient, relevant and timely information available to achieve its objects and strategies

Implementing Change
16. CDIC’s environment is monitored regularly to see if we need to adjust our Corporate Risk Framework, strategies and plans
17. CDIC monitors its performance against its targets and indicators
18. Resource and information needs are reassessed as CDIC’s objects, strategies or plans change, or as risk issues are identified
19. Risk management practices are periodically assessed as to their continued appropriateness and effectiveness
20. Follow up procedures are in place to ensure that needed changes or actions occur

Risk Assessment Methodology
- CDIC Management team individually interviewed to identify:
  - Inherent corporate risks
  - Risk management practices
- ERM Committee collectively:
  - Confirmed corporate risk catalogue
  - Assessed each risk
  - Assessed corporate risk management culture
- Results reported to CDIC Audit Committee
- Process validated by Internal Audit

Current ERM Implementation Steps
- Developing ERM Board reporting package
- For each “Insurance Risk”:
  - Further documenting risk management practices
  - Developing Board policies / risk tolerances
- Further integrating ERM and strategic planning
  - Validating CDIC’s catalogue of corporate risks against its environmental scanning results

Future ERM Implementation Steps
- Document risk management practices / develop Board policies for remaining risks
- Conduct risk (and risk management culture) assessments for remaining risks and for each business function
- Validate initial corporate risk (and risk management culture) assessments
- Initiate regular ERM Board reporting
- Fully coordinate ERM and strategic management
  - so that risk decisions are explicitly integrated into strategic and day-to-day decision making

ERM Benefits to Date
- Clarified Management’s collective understanding of risks and the risk management practices
- Evidenced that CDIC is aware of, and is managing, its significant corporate risks
- Confirmed:
  - CDIC’s Corporate Plan is focused on the right initiatives
  - Resources are allocated to areas of greatest concern
  - A strong corporate risk management culture

ERM Lessons Learned
Implementing ERM is like filming a long / complex movie
- Hire a director (CRO)
- Have a clear story (ERM implementation plan)
- Engage studio executives (Board Governance / ERM Policy)
- Engage actors (ERM Committee / Management)
- Film one scene at a time (Corporate-level risk assessment)
- Keep camera focused (ERM implementation plan)

More ERM Lessons Learned
Risks are like an onion
- They have many layers
  - Each risk has many sub-risks - which in turn have many sub-risks
- Cutting through too quickly can cause tears
  - Don’t try to do everything at once - peel layer-by-layer
  - It is easier to peel the outer layers before you peel the inner layers - CDIC started with a corporate-level risk assessment and is now conducting risk assessments at a more detailed level

Closing Remarks
- ERM is not a “one time” project but a continuous process that needs to be:
  - Ingrained into your strategic and daily decision-making
  - Subject to effective corporate governance
  - Supported by an appropriate control environment
- It is complex - so keep it simple

Questions?
