Difference between revisions of "FSRA.RiskMgmt"

NEW for 2025-Fall: Content now AVAILABLE! This is a new reading for 2025-Fall.

Reading: “Operational risk management framework in rating and underwriting of automobile insurance,” September 2022 Official Link

Author: Financial Services Regulatory Authority of Ontario

Forum

BA Quick-Summary: Risk Management Framework Goal: Improve fairness and accuracy in auto insurance rating and underwriting through better operational risk management (ORM). Key Framework Elements: Defined risk appetite Clear roles (Three Lines of Defence) Strong data governance Regular updates. Model Risk Focus: Ensure fairness, transparency, and proper oversight, especially for AI/ML models. Next Steps: Guidance may become mandatory to streamline rate approvals for compliant insurers.

Pop Quiz

When would an insurer have to use a major filing in Ontario?

Study Tips

💡 Key Insight:

• This guidance is about managing risks in HOW you price and underwrite - not just WHAT you price
• It's currently Information Guidance but will transition to create compliance obligations
• Focus on the proportionality principle - requirements scale with insurer size/complexity

📚 Study Strategy Summary:

This guidance represents a shift toward principles-based regulation for Ontario auto insurance. It's about building robust processes to prevent errors and ensure fairness.

Key things to focus on:

• The ORM Cycle: Risk ID → Assessment → Mitigation → Monitoring
• 4 Foundational Practices: Risk Appetite, Roles/Responsibilities, Data Governance, Maintenance
• Three Lines of Defence: Business, Risk/Compliance, Internal Audit
• Model Risk Management: Special focus on AI/ML fairness and explainability

⚠️ Before You Start:

This guidance is evolving - it will transition from Information to Interpretation/Approach Guidance, creating actual compliance obligations and enabling streamlined rate processes for compliant insurers.

• Future State: ORM compliance = expedited rate approvals
• Consumer Focus: Every requirement ties back to fair treatment
• Integration: Links to UDAP Rule sections 4(1)(i)-(ii), 9(1)(v), 9(1)(ii), 9(1)(iv)

Estimated study time: 1-2 days

Overview: Why ORM Matters

The ORM Revolution in Auto Insurance

FSRA identified critical gaps through consultations:

• Missing independent model review (2nd line)
• Lack of consumer impact assessment
• No process for error detection/reporting

Key Insight: ORM isn't just about preventing losses - it's about ensuring accurate rates and fair underwriting for consumers!

Purpose and Scope

🎯 TWO Core Purposes - Memorize These!

1. Promote just, reasonable and accurate rates
2. Support fair treatment in underwriting

Proportionality Principle 📏:

• Requirements scale with:

 * Nature (business model)
 * Size
 * Complexity
 * Risk profile

The ORM Framework Structure

Key Definitions You MUST Know

Term	Definition	Why It Matters
Operational Risk	Risk of loss from failed processes, people, systems, or external events	The core risk we're managing
ORM	Operational risk management for auto rating/underwriting	Specific to auto insurance context
ORM Framework	Policies/procedures for managing operational risk	Your documented approach
Senior Management	CEO, CFO, CRO, CCO, rating/underwriting executives	Who's accountable
Inherent Risk	Risk BEFORE controls	Starting point
Residual Risk	Risk AFTER controls	What remains

mini BattleQuiz 1 You must be logged in or this will not work.

The ORM Cycle (Your Core Process)

📝 CRITICAL: The 4-Step Cycle [Hint: IAPM]

1. Risk Identification

Tools to Use:

• Surveys
• Workshops
• Risk registers
• Questionnaires

💡 Exam Tip: Identification must be TIMELY - catch risks early!

2. Risk Assessment

Two-Part Assessment:
1. Inherent Risk: What's the risk WITHOUT controls?
2. Residual Risk: What's left AFTER controls?

⚡ Key Point: Must assess materiality CONSISTENTLY across all risks

3. Risk Prioritization and Mitigation

Risk Response Options (memorize these!):

• Accept
• Reduce
• Share
• Avoid

Must align with risk appetite!

4. Risk Monitoring and Reporting

When Risks Exceed Acceptable Levels:

• Establish action plans
• Escalate to Senior Management
• Report to Board if needed

Remember: ORM Cycle runs ONGOING for existing processes + AD-HOC for new products/changes

The 4 Foundational Practices

🎯 MEMORIZE These 4 Foundations [Hint: ARDM]

1. Risk Appetite for Rating/Underwriting

Must Include:

• Clear statements of risk tolerance
• Measurable components (limits/thresholds)
• Escalation triggers

Consider When Setting Appetite:

• External environment changes
• Business volume changes
• Control environment quality
• Past operational risk events

💡 For smaller insurers: Can use reporting thresholds as evidence of appetite

2. Roles, Responsibilities & Accountability

Governance Structure

Board of Directors:

• Ultimate responsibility for ORM Framework
• Ensure independent risk functions exist
• Understand operational risks

Senior Management:

• Establish/maintain policies
• Operationalize framework
• Embed accountability (Three Lines model)

Three Lines of Defence Model

Line	Who	Role	Key Activities
1st Line	Business units	Risk ownership	Owns risks, follows ORM cycle, may have QA
2nd Line	Risk/Compliance	Challenge & oversight	Framework design, independent review
3rd Line	Internal Audit	Independent assurance	Test effectiveness of 1st & 2nd lines

Second Line Review Must Cover :

• Reproducibility: Can they trace decisions?
• Soundness: Is risk management conceptually sound?

3. Data Governance

📝 Data Quality Requirements [Hint: AACT]

• Appropriate
• Accurate
• Complete
• Timely

Key Elements:

• Data quality assessments
• Problem/opportunity identification
• Limitation documentation
• Clear data ownership

4. Framework Maintenance

Three Maintenance Components:

1. Training

  * Ongoing staff education
  * Role-specific requirements
  * Adequacy reviews

2. Documentation

  * Current, accurate, complete
  * Includes: risk registry, appetite statements, model docs, decisions
  * Log operational risk events/near misses

3. Periodic Reviews

  * Monitor framework appropriateness
  * Adjust for changing conditions
  * Update all elements as needed

mini BattleQuiz 2 You must be logged in or this will not work.

Model Risk Management (Appendix 1)

Why Models Get Special Treatment

Models pose unique risks due to:

• Quantitative complexity
• AI/ML "black box" issues
• Potential for systematic bias
• Scale of impact on consumers

4 Model Risk Foundations

Model-Specific Requirements [Hint: MTAF]

1. Model materiality classification
2. Three Lines throughout lifecycle
3. Model Approval Function (MAF)
4. Fairness assessment process

Model Lifecycle & Three Lines

Development Stage:

• 1st Line: Business rationale, documentation
• 2nd Line: Independent review of soundness

Implementation Stage:

• Pre/post testing
• Reconciliation checks
• Error mitigation

Monitoring Stage:

• Periodic reviews
• Performance tracking
• Trigger events for review

Model Fairness Requirements

Throughout the Process:

Inputs :

• No prohibited variables
• Ethical data use
• Bias detection

Processing :

• Balance predictive power WITH fairness
• Consider alternative specifications
• Document fairness constraints

Outputs :

• Track fairness metrics
• Detect unintended use
• Monitor for group harms

AI/ML Special Considerations

Two Critical Concepts for AI/ML

1. Interpretability : Understanding model mechanics and soundness
2. Explainability : Conveying results to stakeholders (including consumers!)

Application Areas

🔧 Where Else ORM Applies

• Third-party services: Insurer retains accountability
• Privacy protection: Helps meet PIPEDA obligations
• Error management: Systematic approach to rating/underwriting errors

Quick Reference Charts

🎯 Component	📝 Key Requirements	🔍 Focus Areas
ORM Cycle	4 steps: IAPM	Ongoing + ad-hoc application
Foundational Practices	ARDM framework	Appetite, Roles, Data, Maintenance
Three Lines	Business, Risk, Audit	Independence is key
Model Risk	MTAF requirements	AI/ML fairness critical

🚨 Gap Identified	⚡ Risk Created	🛡️ ORM Solution
No 2nd line review	Inaccurate pricing	Independent model review
No impact assessment	Unfair discrimination	Fairness testing process
No error detection	Wrong premiums	Monitoring & reporting
Weak governance	UDAP violations	Three Lines model

mini BattleQuiz 3 You must be logged in or this will not work.

Full BattleQuiz You must be logged in or this will not work.

Practice Questions

Conceptual Questions:

What are the 4 steps in the ORM Cycle?

What are the 4 foundational practices every ORM Framework needs?

How do inherent and residual risk differ?

What's the proportionality principle and why does it matter?

Application Questions:

An insurer uses AI for underwriting with no explainability tools. What risks does this create?

How would Three Lines of Defence apply to implementing a new rating model?

What data governance elements are needed for ORM?

Why must the Model Approval Function review more than just the final model?

Evolution Questions:

How will this guidance change from Information to Interpretation?

What benefits will ORM-compliant insurers receive?

Which UDAP Rule sections connect to ORM requirements?

FSRA Operational Risk Management Framework - Practice Questions Answer Key

Conceptual Questions

Q: What are the 4 steps in the ORM Cycle?

Answer: The 4-Step ORM Cycle - IAPM

1. Identification 🔍

  * Ensure operational risks are identified in a timely manner
  * Tools: surveys, workshops, risk registers, questionnaires

2. Assessment 📊

  * Assess materiality of identified risks consistently
  * Articulate inherent risk (before controls) and residual risk (after controls)

3. Prioritization and Mitigation 🎯

  * Rank new risks against existing risks
  * Determine management approach: Accept, Reduce, Share, or Avoid
  * Align with risk appetite

4. Monitoring and Reporting 📈

  * Monitor risks being managed
  * Report risk levels to stakeholders
  * Establish action plans for risks outside acceptable levels
  * Escalate to Senior Management/Board when necessary

🔄 Remember: Cycle runs ONGOING for existing processes + AD-HOC for new products/changes

Q: What are the 4 foundational practices every ORM Framework needs?

Answer: The 4 Foundational Practices - ARDM

1. Appetite - Risk Appetite for Rating/Underwriting 🎯

  * Clear statements of risk tolerance
  * Measurable components (limits/thresholds)
  * Escalation triggers
  * Specific to auto insurance rating and underwriting

2. Roles, Responsibilities & Accountability 👥

  * Governance structure (Board & Senior Management)
  * Three Lines of Defence model
  * Clear documentation of who does what
  * Robust accountability mechanisms

3. Data Governance 📊

  * Data quality assessments (AACT - Appropriate, Accurate, Complete, Timely)
  * Problem/opportunity identification
  * Data limitation documentation
  * Clear data ownership

4. Maintenance 🔧

  * Training programs
  * Documentation (current, accurate, complete)
  * Periodic reviews
  * Framework updates as needed

Q: How do inherent and residual risk differ?

Risk Type	Definition	Purpose
Inherent Risk	Risk level BEFORE accounting for existing controls or risk responses	Starting point - shows raw risk exposure
Residual Risk	Risk level AFTER accounting for existing controls/responses	What remains - shows effectiveness of controls

💡 Key Insight: The gap between inherent and residual risk shows control effectiveness

Q: What's the proportionality principle and why does it matter?

Answer: Proportionality Principle

Definition: The degree of ORM adoption should be commensurate with:

• Nature (including business model)
• Size
• Complexity
• Risk profile of the insurer

Why it matters:

• ✓ Prevents "one-size-fits-all" approach
• ✓ Smaller insurers aren't overburdened
• ✓ Larger/complex insurers have robust frameworks
• ✓ Resources allocated efficiently
• ✓ Regulatory burden matches actual risk

📏 Example: A small mutual insurer may use reporting thresholds as risk appetite evidence, while a large insurer needs comprehensive metrics

Application Questions

Q: An insurer uses AI for underwriting with no explainability tools. What risks does this create?

Answer: Multiple Risk Categories

1. Model Risk 🤖

• Cannot understand model soundness (interpretability lacking)
• Cannot explain results to stakeholders (explainability lacking)
• "Black box" decision-making

2. Fairness/Discrimination Risk ⚖️

• Potential unfair discrimination (UDAP violation)
• Cannot detect bias in model outputs
• No ability to assess adverse impact on customer groups

3. Regulatory/Compliance Risk 📋

• Violates model governance expectations
• Cannot demonstrate fairness to FSRA
• Potential UDAP Rule violations (sections 4(1)(i)-(ii), 9(1)(v), 9(1)(ii), 9(1)(iv))

4. Operational Risk ⚡

• Cannot detect unintended model use
• Unable to identify when model fails
• No ability to explain decisions to consumers

5. Reputational Risk 📰

• Consumer complaints about unexplained decisions
• Potential public backlash
• Loss of consumer trust

Q: How would Three Lines of Defence apply to implementing a new rating model?

Line	Role	Specific Activities for New Model
1st Line (Business)	Model owner/developer	• Develop business rationale • Build and test model • Document methodology • Implement quality assurance • Own the model risk
2nd Line (Risk/Compliance)	Independent review	• Challenge model design • Verify reproducibility • Assess soundness • Review documentation • Approve for Model Approval Function • Design model governance framework
3rd Line (Internal Audit)	Independent assurance	• Test effectiveness of 1st & 2nd lines • Verify framework compliance • Report to Board on control adequacy • Review model approval process

⚠️ Critical: 2nd Line must be able to independently trace 1st Line's decision-making

Q: What data governance elements are needed for ORM?

Answer: 4 Key Data Governance Elements

1. Data Quality Assessments

• Define characteristics for credible estimates
• Verify through fitness-for-use assessments
• Monitor quality regularly
• Ensure AACT (Appropriate, Accurate, Complete, Timely)

2. Problem/Opportunity Identification

• Timely identification of data issues
• Resolution processes
• Improvement opportunities
• Goal: increase quality of existing and future data

3. Data Limitation Documentation

• Identify all known limitations
• Explain why data is still appropriate despite limitations
• Special monitoring considerations
• Mitigation strategies

4. Data Ownership

• Designated owner for each data source
• Clear accountability for data quality
• Defined responsibilities
• Escalation paths

Q: Why must the Model Approval Function review more than just the final model?

Answer: Comprehensive Review Required

The Model Approval Function (MAF) must review:

1. All Relevant Materials 📚

• Model results
• Second line's review materials
• Complete documentation
• Identified findings and remediation

2. Model Development Process 🔄

• How the model was developed
• Assumptions and approximations
• Data sources and limitations
• Testing performed

3. Model Influences 🔗

• Other models that influenced development
• Dependencies between models
• Cascading impacts

4. Compliance Verification ✓

• All legislative requirements met
• Regulatory guidance satisfied
• UDAP considerations addressed

💡 Why: MAF ensures not just model quality but also process integrity and regulatory compliance

Evolution Questions

Q: How will this guidance change from Information to Interpretation?

Answer: Two-Phase Evolution

Current State (Information Guidance) 📋

• No new compliance obligations
• Describes FSRA views
• Voluntary adoption
• Sets expectations for future

Future State (Interpretation + Approach) 🎯

Guidance Type	What It Does	Impact
Interpretation Guidance	• Identifies ORM requirements in UDAP Rule • Creates compliance obligations • Makes ORM mandatory	Legal requirement to comply
Approach Guidance	• Explains assessment process • Sets criteria for streamlined rates • Defines "good" ORM	Access to benefits

Q: What benefits will ORM-compliant insurers receive?

Answer: Expedited Rate Change Processes

Primary Benefit: 🚀 Streamlined rate approval process

How it works:

• Strong ORM = demonstrated control
• FSRA has confidence in insurer's processes
• Less regulatory scrutiny needed
• Faster rate change approvals

Additional Benefits:

• ✓ Reduced regulatory burden
• ✓ Competitive advantage (faster to market)
• ✓ Lower compliance costs over time
• ✓ Better relationship with FSRA
• ✓ Fewer errors = fewer consumer complaints

Q: Which UDAP Rule sections connect to ORM requirements?

Answer: Key UDAP Rule Sections

Section	Topic	ORM Connection
s. 4(1)(i)-(ii)	General UDAP provisions	ORM prevents unfair/deceptive acts through controls
s. 9(1)(v)	Specific prohibited practices	ORM identifies and prevents these practices
s. 9(1)(ii)	Unfair discrimination	Model fairness processes prevent discrimination
s. 9(1)(iv)	Rating/underwriting practices	ORM ensures accurate, fair processes

Additional Connection:

• s. 439 of Insurance Act: General requirement for sound business practices
• ORM helps achieve "more effective compliance" with these requirements

Study Tips

1. ORM Cycle (IAPM) - Continuous process, not one-time
2. Foundations (ARDM) - All 4 needed for effective framework
3. Proportionality - Size matters in implementation
4. Three Lines Model - Independence is critical
5. Evolution Path - Information → Interpretation → Benefits
6. UDAP Connection - ORM prevents violations through systematic controls

⚡ Bottom Line: ORM is becoming mandatory and brings expedited rates for compliant insurers!

Common Pitfalls to Avoid

1. Thinking ORM is optional - It's becoming mandatoru
2. One-size-fits-all approach - Use proportionality principle
3. Focusing only on models - ORM covers ALL rating/underwriting processes
4. Ignoring third parties - Insurer remains accountable
5. Static implementation - ORM requires ongoing maintenance

Final Exam Strategy

🎯 Bottom Line: This guidance is about building systematic processes to ensure fair and accurate auto insurance pricing. Success requires understanding both the framework components AND their consumer protection purpose.

High-Probability Exam Topics:

• The 4-step ORM Cycle (IAPM)
• The 4 foundational practices (ARDM)
• Three Lines of Defence model
• Model risk management requirements (MTAF)
• AI/ML interpretability vs. explainability
• Proportionality principle application
• Connection to UDAP Rule sections

POP QUIZ ANSWERS

For an insurer initially entering the PPA market or when proposed changes do not meet the criteria for a simplified filing