Skip to ContentSkip to Footer


Our enterprise risk management framework is designed to ensure that (i) the outcomes of activities involving risk are consistent with our governing objective, risk management capabilities, risk-taking capacity, and risk appetite, and (ii) we maintain an appropriate risk and reward balance to protect us from events that have the potential to materially impair our financial strength or our achievement of business objectives. Our enterprise risk management framework is rooted in the understanding that we are in the business of taking risk for an appropriate return. Balancing risk and reward is achieved through aligning risk appetite with business strategy, diversifying risk, seeking appropriate compensation for risk, mitigating risk through preventive controls, and transferring risk to third parties.


We align our risk tolerance with our overall vision, mission, and business goals by considering whether risks are core, non-core, or collateral in nature.

Core risks are those risks that we are willing to accept in order to achieve return expectations and successfully achieve our business objectives. These include insurance risks and financial risks. Non-core risks are those associated with activities outside of our risk appetite and approved business strategies, and are therefore generally avoided, regardless of expected returns. Collateral risks are those that are incurred as a by-product of pursuing the risk and return optimization of core risks. Operational risks often fall into this category. We endeavour to mitigate collateral risks to the extent that the benefit of risk reduction aligns with or exceeds the cost of mitigation.

Our risk appetite is also aligned with our risk management capabilities. We actively seek profitable risk-taking opportunities in those areas where we have established risk management capabilities, and seek to avoid risks that are beyond those capabilities.


Our enterprise risk management framework defines responsibility and authority for risk-taking, governance, and control.

Risk management occurs at all levels of the organization and is the responsibility of every employee. Our Board of Directors is ultimately responsible for ensuring that enterprise risk management policies and practices are in place and operating effectively. The Board of Directors reviews the development and maintenance of the ORSA, approval of risk management policies, the identification of major areas of risk facing us, the development of risk management strategies, and compliance with the risk management policies we implement. To assist in fulfilling the responsibility for ensuring that the key risks facing us are appropriately identified, challenged, and managed, the Board of Directors has delegated certain risk management functions to the following standing Board of Directors’ committees:

  • Risk Review Committee, which is composed entirely of independent directors, is responsible for the oversight of the enterprise-wide risk management framework and the regulatory compliance management program. This includes the development and implementation of ORSA, enterprise risk management policies, and governing objectives, and articulation of risk appetite, together with monitoring our key and emerging risks, and the results of our regulatory compliance management program.
  • Investment Committee, which is composed of a majority of independent directors, is responsible for the oversight of investment policies, practices, procedures, and controls related to the management of the investment portfolio, the performance of the investment portfolio, and monitoring the investment performance of our pension plans.
  • Corporate Governance Committee, which is composed entirely of independent directors, is responsible for developing effective corporate governance guidelines and processes; reviewing policies and processes to sustain ethical behaviour; assessing the effectiveness of the Board of Directors and its committees, as well as the contributions of individual directors; and identifying and recommending for election as directors those individuals with appropriate competencies, skills, and experience.
  • Audit Committee, which is composed entirely of independent directors, is responsible for overseeing the integrity of our financial statements and related public disclosure; the qualifications, independence, and appointment of our internal and external auditor; the design, implementation, and evaluation of our internal controls over financial reporting and our disclosure controls; and the work of our internal and external auditors.
  • Human Resources and Compensation Committee, which is composed entirely of independent directors, is responsible for supervising our human resources practices and policies. This includes reviewing our overall compensation philosophy, approving compensation to our senior executives, and reviewing retention, development, and succession plans.
  • From time to time, the Board of Directors may also strike ad hoc committees to provide dedicated oversight to key strategic initiatives.

We have implemented a three line of defence risk governance model, consisting of the following: front line risk-taking through business operations (first line), enterprise risk management and compliance functions (second line), and internal audit (third line). Primary accountability for enterprise risk management resides with our President and Chief Executive Officer, who further delegates responsibilities throughout the Company under a framework of management authorities and responsibilities. Key components of that framework include the following:

First line of defence

Business management provide day-to-day risk management and control:

  • Employees within each functional and business area identify, take, and manage risk on a daily basis, adhering to the Board of Directors’ approved risk appetite statements, and supporting policies and practices.
  • Accountable executives within each functional and business area establish and perform ongoing monitoring and oversight of functions and controls to review employee compliance with our risk management policies and practices. These individuals are supported by corporate legal, compliance, and enterprise risk management resources.

Second line of defence

Risk and compliance functions provide risk policies, tools, methodologies, and oversight:

  • The Chief Risk Officer, whose responsibilities include providing independent functional oversight of our enterprise risk management programs by ensuring that effective risk management processes are in place for risk identification, risk measurement and assessment, risk response development, risk monitoring and control, and reporting of risks inherent in our activities.
  • The enterprise risk management function, headed by the Chief Risk Officer, establishes enterprise risk policies and provides direction, processes, methodologies, models, and tools to the Company.
  • The Chief Risk Officer performs independent monitoring and analysis of risk-taking by the first line of defence and its risk management activities. Through the ORSA, the enterprise risk management function internally assesses our risks and determines the level of capital required to adequately support future solvency.
  • The compliance function communicates internal and external compliance requirements to the first line of defence and provides support to help the first line of defence ensure compliance with those requirements through the regulatory compliance management program.
  • The enterprise risk management and compliance functions’ own quality assurance and validation practices are applied to ensure that policies, methodologies, practices, models, frameworks, and other capabilities developed by enterprise risk management comply with requirements and quality standards, and are suitable for use within the Company.
  • Our Management Risk Committee is a cross-functional management committee composed of the President, Chief Executive Officer, and members of senior management. It is led by the Chief Risk Officer, and oversees the management of major enterprise risk and control activities, with a view to understanding existing and emerging risks, their impact on our risk profile, capital requirements, and ensuring that the magnitude of those risks remains within the Board of Directors’ approved risk appetite.

Third line of defence

Internal audit provides periodic independent assurance:

  • Internal audit focuses on the adequacy and effectiveness of first line internal controls, as well as enterprise risk management policies, the supporting framework, and related processes and practices, as well as compliance with policies, standards, and required practices, taking into account the relative risk in each area of coverage.
  • Internal audit has its own quality assurance and validation practices, and applies them to ensure that internal audits are carried out in compliance with established audit policies, standards, and methodologies, and that audit findings and conclusions are objective and appropriately supported.


The key risks we manage include insurance, financial, operational, and strategic risks, which are explained in greater detail below. Although we have described those risks that we believe to be material, it is possible that other risks and uncertainties may exist. If any of these risks or any other risks or uncertainties actually occur, it is possible that our business could be materially affected in an adverse manner. Our enterprise risk management framework cannot and is not designed to anticipate every risk in all environments, nor the timing or effect of every such risk.

Insurance risks

Underwriting risk

Underwriting risk is the risk of adverse financial exposures arising from various activities integral to the underwriting of insurance products, including product design, pricing, policy issuance, risk acceptance, and claims settlement. Our exposure to concentrations of insured risks is mitigated by the use of segmentation, policy issuance and risk acceptance rules, individual limits, and reinsurance.

In particular, a financial loss occurs when the liabilities assumed exceed the expectation reflected in the pricing of an insurance product. We price our products by taking into account several factors including product design and features, claim frequency and severity trends, product line expense ratios, special risk factors, capital requirements, regulatory requirements, and investment income. These factors are reviewed and adjusted as needed to ensure they are reflective of current trends and market conditions. We endeavour to maintain pricing levels that produce an acceptable return by appropriately measuring and incorporating these factors into our pricing decisions. Pricing segmentation and risk selection are used together to attract and retain risks at acceptable return rates. The process of calculating pricing involves the use of models, which exposes us to model risk in the event that actual results differ from those modelled, due to model limitations, data issues, or other factors.

New products are subject to a detailed review by management, including our actuarial specialists, prior to their launch in order to mitigate the risk that they are priced at an inadequate level. The performance and pricing of such new products are regularly monitored, and corrective action is taken as considered necessary, including re-pricing of the products and the use of reinsurance.

To minimize the risk arising from underwriting, we have policies that set out our underwriting risk appetite and criteria, as well as specifying tolerances for maximum financial risk retention. We utilize reinsurance in order to manage our exposure to insured risks. Once the retention limits are reached, reinsurance is utilized to cover the excess risk. We review the adequacy of our reinsurance programs, at least annually, to ensure sufficient reinsurance protection is in place at an appropriate cost.

To minimize the risk arising from claims settlement, we attempt to reduce our exposure to unpredictable future developments that could negatively impact claims settlement by promptly responding to new claims and actively managing existing claims, thereby shortening the claims cycle. In addition, our regular detailed review of claims handling procedures and frequent investigation of possible fraudulent claims attempt to manage our claims risk exposure.

Quality review procedures exist to ensure that our underwriting and claim activities fall within established guidelines and pricing structures. Head Office and field level reviews are conducted on a sampled basis. The results of these quality reviews are shared with the appropriate field management staff to ensure any issues identified are remedied.

We use reinsurance to manage our exposure to insurance risks. Reinsurance coverage risk arises because reinsurance terms, conditions, availability, and/or pricing may change on renewal, particularly during times of high levels of catastrophe events, either in Canada or globally, or as a result of higher than expected claims activity on the non-catastrophe reinsurance treaties. In addition, reinsurers may seek to impose terms that are inconsistent with corresponding terms in the policies written by us. Ceding risk to reinsurers does not relieve us of the obligation to our policyholders for claims. We work only with well-established and financially secure reinsurers that have extensive experience in the P&C insurance industry and a strong understanding of our business and the Canadian environment. Senior management reviews our reinsurance program to ensure its cost effectiveness and that adequate coverage is obtained, reflective of our risk tolerances and financial strength, and in compliance with our reinsurance and capital risk management policies.

In the normal course of our business, we may from time to time be subject to a variety of legal and regulatory actions relating to our current and past business operations. In addition, plaintiffs continue to bring new types of legal claims against insurance and related companies. Current and future court decisions and legislative activity may increase our exposure to these types of claims. This risk of potential liability may make reasonable resolution of claims more difficult to obtain.

Claims reserving risk

Claims reserving risk represents the risk that our estimates of claim liabilities are insufficient to cover future insurance claim payments. Our underwriting profitability depends upon our ability to accurately assess the risk associated with the insurance contracts underwritten by us. We establish claim liabilities to cover the estimated liability for payment of all claims and claims adjustment expenses incurred with respect to insurance contracts underwritten by us. Claim liabilities do not represent an exact calculation of the liability. Rather, claim liabilities are our best estimate of the expected ultimate cost of resolution and administration of claims. The process of calculating claim liabilities involves the use of models, which exposes us to model risk in the event that actual results differ from those modelled, due to model limitations, data issues, or other factors. Expected inflation is taken into account when estimating claim liabilities, thereby mitigating inflation risk.

Claim liabilities include an estimate for reported claims, as established by our claims adjusters based on the details of reported claims, plus a provision for IBNR.

Individual claims estimates are determined by claims adjusters on a case-by-case basis in accordance with documented policies and procedures. These specialists apply their knowledge and expertise, after taking available information regarding the circumstances of the claim into account, to set individual case reserve estimates. The IBNR provision is intended to cover future development on both reported claims and claims that have occurred but have not yet been reported. Uncertainty exists on reported claims in that all information may not be available at the valuation date. Uncertainty also exists regarding the number and size of claims not yet reported, as well as the timing of when the claims will be reported.

The valuation of claim liabilities is based on estimates derived by geographical region and line of business using generally accepted actuarial techniques. Numerous individual assumptions that impact average claim costs or frequency of late reported claims are made for each line of business. The principal assumption in the majority of actuarial techniques employed is that future claims development will follow a pattern similar to recent historical experience. However, there are times where historical experience is deemed inappropriate for evaluating future development due to recent judicial decisions, changes to government legislation, or major shifts in a book of business. Such instances can require significant actuarial judgment, often supported by industry benchmarks, in establishing an adequate provision for claim liabilities.

Establishing an appropriate level of claim liabilities is an inherently uncertain process and is closely monitored by the corporate actuarial department.

As the outstanding claim liabilities represent payments that will be made in the future, they are discounted to reflect the time value of money, effectively recognizing that the bonds held to support insurance liabilities will earn a return during that period. The discount rate used to discount the actuarial value of claim liabilities is based on the fair value yield of our bonds that support the claim liabilities. In assessing the risks associated with investment income and therefore the discount rate, we consider the nature of the bond portfolio, and the timing of claim payments and their matching to investment cash flows. Future changes in the bond portfolio could change the value of claim liabilities by impacting the fair value yield.

The following table presents the interest rate sensitivity analysis for a 1% change in interest rates on the net claim liabilities:

2016 Q2 Consolidated Financial Results
(in millions of dollars) 2016 2015
Impact on: 1% -1% 1% -1%
Net claim liabilities $ (67.3) $ 72.3 $ (67.3) $ 72.5

Catastrophe risk

Catastrophe risk may arise if we experience a considerable number of losses due to man-made or natural catastrophes that result in significant impacts on claims costs. Catastrophes can cause losses in a variety of different lines of business and may have continuing effects, which by their nature, could delay or impede efforts to accurately assess the full extent of the damage they cause on a timely basis. Although we evaluate catastrophe events and assess the probability of occurrence and magnitude of impact through various commonly used, industry-wide modelling techniques, and through the aggregation of limits exposed in each geographical territory in which we operate, such events are inherently unpredictable and difficult to quantify. In addition, the incidence and severity of catastrophe events may become increasingly unpredictable as climate patterns change, and severe weather caused by climate change will likely continue to affect the P&C industry and result in higher claims costs.

We manage our catastrophe events exposure through the deductibles charged to policyholders, by limitations on policies, by purchasing reinsurance, and monitoring the impact on capital position and overall risk tolerances. We currently purchase reinsurance to provide coverage for catastrophe events.

Financial risks

Our investment holdings are exposed to interest rate risk (including the impact of credit spreads), equity market price risk and preferred stock price risk, credit risk, foreign exchange risk, and liquidity risk.

We have established a detailed investment policy statement for the investment portfolio, which is subject to regular review and approval by the Investment Committee. The policy statement sets out our philosophy to investment management, which is to generate sufficient income while preserving capital. The philosophy focuses on maximizing our long-term capital strength, while seeking to maximize risk adjusted returns. The policy statement includes specific guidelines for such items as asset mix, concentration levels in specific investments, required quality of the underlying investments, the use of derivatives, and exposure to foreign currencies. Our investment policies limit the use of derivative instruments, without prior Investment Committee approval. We currently do not use derivative instruments. Compliance with these guidelines, and the relevant requirements of the Insurance Companies Act (Canada), is routinely monitored by management and reported to the Investment Committee.

Interest rate risk

Interest rate risk arises from the possibility that changes in interest rates will affect future cash flows or the fair values of financial instruments. Changes in interest rates can occur from both changes in the Government of Canada yield curve and changes in relevant market credit spreads. Typically, interest income will be reduced during sustained periods of declining interest rates, but this will also generally increase the fair value of the bond portfolio. The reverse is true during a sustained period of increasing interest rates.

As interest rate risk is a significant risk to us due to the nature of our investments and claim liabilities, a portion of our bond portfolio has been voluntarily designated as FVTPL financial assets, and this plus a portion of AFS bonds is managed to mitigate the effect of interest rate changes on our claim liabilities.

The impact of an immediate hypothetical 1% change in interest rates (assuming a parallel shift across yield curve), on the FVTPL and AFS bond portfolios, with all other variables held constant is as follows:

2016 Q2 Consolidated Financial Results
(in millions of dollars) 2016 2015
Impact on: 1% -1% 1% -1%
Net claim liabilities $ (67.3) $ 72.3 $ (67.3) $ 72.5

As discussed under “Claims reserving risk”, an immediate hypothetical 1% increase in the discount rate would reduce net claim liabilities, and increase income before income taxes, by $67.3 million (2015: $67.3 million). This would almost entirely be offset by the corresponding decrease in income before income taxes on the FVTPL bond portfolio discussed above of $64.8 million (2015: $67.0 million).

Common equity market price risk and preferred stock price risk

As part of our investment portfolio, a portion of the investments are held in equity investments in Canadian and foreign stocks. Economic trends, the political environment, and other factors can positively or adversely impact the equity markets, and consequently, the value of equity investments we hold. Our AFS portfolio includes Canadian common stocks with fair value movements that are benchmarked against movements in the Toronto Stock Exchange Composite Index, and foreign stocks and pooled funds with fair values that are benchmarked against movements in the Morgan Stanley Capital International Index. Also included in the AFS portfolio are our holdings of preferred stocks. Economic trends, interest rates, credit conditions, regulatory changes, and other factors can positively or adversely impact the value of preferred stocks that we hold. The fair value sensitivity of our preferred stocks are assessed against movements in the BMO 50 Resets Sub-Index.

The estimated impact of a 10% movement in the aforementioned indices to the value of our equity portfolio, with all other variables held constant, to the extent we do not dispose of any of these equities during the year, is as follows:

2016 Q2 Consolidated Financial Results
(in millions of dollars) 2016 2015
Impact on: 10% -10% 10% -10%
Fair value of Canadian stocks and OCI before income taxes $ 46.5 Loss:$ (46.5) $ 34.9 Loss:$ (34.9)
Fair value of foreign stocks, pooled funds and OCI before income taxes $ 25.5 Loss:$ (25.5) $ 24.7 Loss:$ (24.7)
Fair value of preferred stocks and OCI before income taxes $ 31.1 Loss:$ (31.1) $ 27.0 Loss:$ (27.0)

Credit risk

Credit risk is the risk of financial loss caused by our counterparties not being able to meet payment obligations as they become due. Our credit risk is concentrated in the bond, preferred stock and commercial loan portfolios, the securities lending program, premiums receivable, amounts owing from reinsurers, and structured settlements. Unless otherwise stated, our credit exposure is limited to the carrying amount of these assets. Our principal approach to mitigate credit risk is to maintain high credit quality standards and to diversify credit exposures by limiting single name concentrations. Concentration risk also exists where multiple counterparties may be financially affected by changing economic conditions in a similar manner. We have a concentration of investments in Canada and within the financial sector. These risk concentrations are regularly monitored and adjusted as deemed necessary.

Our investment policy requires that we invest in bonds and preferred stocks of high credit quality, and to limit exposure with respect to any one issuer. On a regular basis, we also monitor publicly available information referencing the investments held in the investment portfolio to determine whether there are investments which require closer monitoring of the credit risk. Refer to Section 6 — “Financial position” for further details pertaining to our investment portfolio credit ratings and investment mix.

We participate in a securities lending program managed by a major Canadian and US financial institution, whereby we lend securities we own to other financial institutions to allow them to meet delivery commitments. We minimize credit risk associated with this program by only dealing with counterparties who are rated “A+” or higher by independent rating agencies and by obtaining collateral with a fair value in excess of the value of the securities loaned under the program. Refer to Section 8 — “Commitments and contingencies” for further discussion.

Our credit exposure to any one individual policyholder or broker included in premiums receivable is not significant. We regularly monitor amounts due from policyholders and follow-up on all overdue accounts. As permitted by regulation, when premiums are overdue for an extended period of time we cancel the insurance coverage under the applicable policy. Before a broker is granted a contract, we conduct appropriate reviews. Delinquent accounts are regularly monitored and we take action against non- payment.

We periodically issue commercial loans to brokers. Sufficient collateral, principally in the form of security over a borrowing brokerage’s operating assets, is held to protect us against loss in the event of a default of any of these loans. Annual, and where required more frequent, financial reviews are undertaken to determine if the broker will be able to make the payments required by the loan as and when due. Our gross credit exposure on these commercial loans is limited to their carrying value, which amounted to $85.1 million as at December 31, 2016 (2015: $25.0 million). Management does not consider any of these current commercial loans to be impaired as at December 31, 2016.

Credit exposures on our reinsurance receivable and recoverable balances exist to the extent that any reinsurer may or may not be willing or able to reimburse us under the terms of the relevant reinsurance arrangements. We have policies which limit the exposure to individual reinsurers and we have a regular review process to assess the creditworthiness of reinsurers from whom we purchase coverage. Our reinsurance risk management policy generally precludes the use of reinsurers with credit ratings less than “A-”. Currently, all reinsurers have a credit rating of “A-” or better as determined by independent rating agencies. Where appropriate, we obtain collateral for outstanding balances in the form of cash, letters of credit, offsetting balances payable, guarantees, or assets held under reinsurance security agreements.

We have purchased annuities from life insurers to provide for fixed and recurring payments to claimants. As a result of these arrangements, we are exposed to credit risk to the extent to which any of the life insurers fail to fulfil their obligations. This risk is managed by acquiring annuities from life insurers with proven financial stability, all of which are rated “A- ” or better by independent rating agencies. As at December 31, 2016, no information has come to our attention that would suggest any weakness or failure in life insurers from which we have purchased annuities. Consequently, no provision for credit risk is required. The original purchase price of the outstanding annuities is $287.5 million (2015: $271.9 million). The annuities are purchased from multiple life insurers to diversify our counterparty credit exposure.

Foreign exchange risk

Foreign exchange risk is the risk that the value of a financial instrument will fluctuate due to changes in foreign exchange rates. Our foreign exchange risk relates primarily to our foreign common stock and pooled fund holdings in the AFS portfolio, which are denominated in various foreign currencies.

Our largest foreign currency exposure is the US dollar. The impact on the fair value of US dollar foreign stocks, pooled funds, and OCI before income taxes from a 10% change in the US dollar relative to the Canadian dollar is $14.0 million (2015: $11.2 million). Under this same scenario, the impact on the fair value of non-US dollar foreign stocks, pooled funds, and OCI before income taxes is $4.0 million (2015: $6.1 million), assuming historical correlations between currency pairs remain intact.

Liquidity risk

Liquidity risk is the risk of having insufficient cash resources to meet current financial obligations, particularly those related to claim payments. Liquidity risk arises from our general business activities, and in the course of managing our assets and liabilities. The liquidity requirements of our business are met primarily by funds generated by operations, asset maturities, and investment returns. To mitigate this risk, an appropriate portion of invested assets is maintained in short-term (less than one year) highly liquid money market securities, which are used to satisfy our operational requirements. A large portion of invested assets are held in highly liquid federal and provincial government debt to protect against any unanticipated large cash requirements. We have no outstanding debt aside from bank overdraft operating lines and trade payables. Refer to Note 6 — “Nature and extent of risks arising from financial instruments” included in our audited consolidated financial statements, for a summary of the Company’s financial assets and financial liabilities maturity profile.

Operational risk

Operational risk is the risk of financial loss from inadequate or failed processes, people, systems, or due to external events. This may relate to any of our activities and includes, for example, prohibited employee actions, criminal activity, and technology failures. We manage operational risk through our three line of defence risk governance model (refer to “Accountability” above for more detail), and are continually enhancing our enterprise risk management framework to include current risk assessments for all significant business and functional areas. There is also ongoing monitoring and follow-up on risks, incidents, and associated controls through regular reporting by the Management Risk Committee, under the stewardship of our Chief Risk Officer, to the Risk Review Committee and other relevant Board of Directors’ committees. Internal audit creates an annual risk-based internal audit plan which takes into consideration the key inherent risks of our operations. The annual internal audit plan is approved by the

People risk

Successful implementation of our strategy depends, among other matters, on our ability to attract, develop, and retain key employees. The loss of services of key employees could adversely impact our ability to execute on strategic initiatives, our financial performance, our compliance with insurance regulations, or result in an increased risk of operational errors. To mitigate this risk, we focus on the delivery of critical talent management and performance enhancement programs to ensure we identify, attract, develop, and retain an adequate number of employees with the appropriate skill set. In addition, we continue to strengthen our executive leadership team and Board of Directors to ensure necessary competencies are represented.

Information management risk

Information management risk is the risk of loss or harm resulting from the failure to appropriately manage information during its lifecycle. We routinely collect, process, use, retain, and dispose of various types of information from numerous sources, including personal information, policyholder information, and business or internal proprietary information. An inadvertent disclosure, unauthorized access, or other misuse of such information could have a negative impact on the privacy of our policyholders or other individuals, the continuity of our operations, or the confidentiality of our strategic plans and competitive initiatives. Although we proactively manage information management risk through our three line of defence risk governance model and enterprise risk management framework, the occurrence of such an event could result in reputational damage, financial loss, and legal and regulatory consequences.

Information technology risks

Our business depends on the successful and uninterrupted functioning of our computer and data processing systems. We rely on third-party service providers for delivering key components of these systems, including data, telephony, information technology infrastructure, and data centre services. The failure of these systems, including failure of our third-party service providers to deliver these services on a timely basis, could interrupt our operations or materially impact our ability to rapidly evaluate and commit to new business opportunities or otherwise conduct business. If sustained or repeated, a system failure could result in the loss of existing or potential business relationships, compromise our ability to process transactions in a timely manner, or otherwise impair our ability to develop, modify, or execute our strategies, and ultimately, could negatively affect our financial results. To manage this risk, we have an incident response process to identify, triage, and respond to critical technology incidents in a timely manner. In addition, our data centre is managed by a reputable third-party who provides disaster recovery services, including annual testing of, and redundant systems and facilities for, our critical services. We also require our third-party service providers to enter into service level agreements in order to secure their minimum commitment to our expected levels of service. Management regularly monitors the service levels provided by key third-party service providers.

To facilitate the achievement of operational and strategic objectives, we need to maintain and upgrade our computer and data processing systems. Such projects require the investment and coordination of resources, and often necessitate trade-offs to balance risk management with appropriate return on investment. Changes to a project’s scope, costs, or timing may impact the magnitude or timing of benefits to be achieved from the project or the investment required to deliver the project, and may negatively impact other initiatives and financial performance. As technology projects may require specialized skills or additional personnel not available in-house, we may engage third-party service providers to support a project. We exercise careful oversight of third-party service providers to ensure project deliverables comply with expected timeliness, quality and cost criteria, and to approve changes to scope, costs, or timing. The implementation of new or revised systems and the adaption of processes have the potential to introduce additional complexity and operational risk until full transition is completed. We manage the risks associated with significant technology projects through dedicated management committees that prioritize and oversee those technology projects. The Board of Directors’ Strategic Initiatives Committee also provides oversight to certain key technology projects.

Cyber security risk is the risk of breach of information, or the loss of system integrity or availability, as a result of an attack delivered via the Internet. There is an increasing prevalence of cyber-attacks affecting a variety of businesses with ever increasing operational and reputational impact. We continuously enhance systems, networks, processes, and data protection measures to detect and reduce the risk of unauthorized access, increase system resilience, and minimize the impact of a cyber-attack if it were to occur.

Regulatory and legal risks

Regulatory risk refers to the risk that modifications to regulations, including increasing complexity and amount, will threaten our ability and capacity to conduct profitable business in the future in the manner we do today.

As a participant in the P&C insurance industry, we are subject to significant regulation by the federal and provincial governments. Insurance legislation delegates regulatory, supervisory, and administrative powers to federal, provincial, or other jurisdictional insurance commissioners and agencies. Such regulation is generally designed to protect policyholders and is related to matters including: rate setting; restrictions on types of investments; the maintenance of adequate provisions for unearned premiums and unpaid claims; the examination of insurance companies by regulatory authorities, including periodic market conduct examinations; and the licensing of insurers and their agents and brokers. In particular, the personal automobile insurance product is subject to significant regulation in each province and it is possible that future regulatory changes may prevent us from taking actions, such as raising rates, to affect operating results.

Changes to capital and solvency standards, restrictions on certain types of investments, and periodic market conduct and financial examinations by regulators could also impact our ability to successfully implement our strategy. We are required by federal regulators to maintain sufficient capital in order to ensure our continued solvency and protect us and our policyholders from adverse events. The primary solvency test we must comply with is the MCT, whereby we are required to hold at least 150% available capital against required risk-weighted capital. In addition, under the ORSA framework (refer to “Own Risk and Solvency Assessment” above for more detail), we internally assess our risks and determine the level of capital required to adequately support future solvency. The internal capital targets established in our capital management policy are higher and more stringent than the regulatory minimum, and our current capital level is significantly higher than our internal targets. Our capital management policy also documents corrective actions that could be taken if capital levels fall, or are projected to fall, below our warning levels.

The application of existing laws or regulatory policy may require a degree of interpretation, particularly with respect to new or emerging issues, or new operations. In addition, changes to laws and regulations, including changes in their interpretation or implementation, or the introduction of new laws and regulations, could affect us by limiting the products or services we can provide, restricting the prices we are able to charge, requiring specified claims payments, limiting the effectiveness of our policy wordings, and/or increasing the ability of new or existing competitors to compete with our products and services. The brokers on whom we rely to distribute our insurance products are also subject to laws and regulations governing the conduct of their businesses, and the disclosure they provide to policyholders. We are unable to control the extent to which those brokers comply with applicable laws and regulations, and any failure by them to do so could result in the imposition of significant restrictions on their ability to do business with us, which could adversely affect our results of operations or financial position.

Legal and regulatory action risk refers to the impact of court awards, settlements, penalties, fines, and restrictions on the ability to carry on business as a result of lawsuits or non-compliance with applicable laws or regulatory requirements.

In the normal course of our business, we may from time to time be subject to a variety of legal and regulatory actions relating to our operations. In addition, plaintiffs continue to bring new types of legal claims against insurance and related companies. Current and future court decisions and legislative activity may increase our exposure to these types of claims. This risk of potential liability may make reasonable resolution of claims more difficult to obtain.

To manage legal and regulatory risk, we have established procedures and controls through three lines of defence. Our regulatory compliance management program supports our Chief Compliance Officer’s opinion to the Risk Review Committee and provides reasonable assurance that we are currently in material compliance with applicable laws, rules, and regulations. There is also ongoing monitoring and follow-up on risks, incidents, and associated controls through regular reporting by the Management Risk Committee, under the stewardship of our Chief Risk Officer (who also fulfils the role of Chief Compliance Officer), to the Risk Review Committee and other relevant Board of Directors’ committees. We also actively participate in discussions with regulators and governments, and in industry groups to ensure that significant concerns are understood.

Business interruption risk

Business interruption risk is associated with events that impact, or have the potential to impact, our ability to conduct business as normal. Interruptions to business can be triggered by events affecting our facilities, technology, people, or third-party suppliers; including events such as floods, earthquakes, technology failures, pandemics, etc. Such events can result in losses of financial assets, property and equipment, key employees, and/or the inability to write business and process transactions.

To mitigate business interruption risk, we have established a specialized Enterprise Business Continuity Management (“EBCM”) function headed by the Chief Risk Officer. The EBCM function proactively assesses potential risks to the Company, and ensures resilient planning and continuity arrangements are in place. Resiliency plans are developed and tested to ensure critical functions can continue despite a disruptive event. For example, resiliency plans exist to support emergency response, incident management, crisis management, crisis communication, disaster recovery, facilities recovery, regional incident response, business continuity, and a pandemic. We have deployed a response structure that provides rapid response to events, and have created teams at all levels to ensure quick and effective decisions can be made at the appropriate level and are executed efficiently. In addition, we also carry business interruption insurance to mitigate exposure to significant losses

Strategic risks

Strategic risk is the potential for loss or under-performance arising from the ineffective implementation of appropriate business strategies and/or the inability to adapt strategies to changes in the business environment. Our strategy, and our ability to develop and implement the strategy, is influenced by, among other things, industry competition, changes in the regulatory environment or requirements, general economic conditions, and legal matters. We closely monitor the environment in which we operate, and risks that impact the execution of our strategy are regularly assessed, managed, and addressed by the executive leadership team, with oversight from the Board of Directors. Each year the executive leadership team reassesses our strategy in light of industry, general economic, regulatory, technological, and other conditions, and develops a detailed business plan which is reflective of this strategy. The business plan is presented to and approved annually, or more frequently if required, by the Board of Directors.

Business, economic, and political environment risk

Our business and results can be affected significantly by changes in the business, economic, and political environment, including changes in the level of demand for insurance due to depressed economic conditions, resulting in fewer individuals and businesses purchasing insurance products, such individuals allowing their existing products to lapse, or reductions in policy coverage.

Increased political and governmental involvement in the insurance industry may otherwise change the business and economic environment in which we operate. Such changes could cause us to make unplanned modifications to our products or services, or result in other industry participants altering their strategies in a manner that increases competition in our target markets.

Competition risk

The financial performance of the P&C industry has historically tended to fluctuate in cyclical patterns of “soft” markets characterized generally by increased competition resulting in lower premium rates, followed by “hard” markets characterized by reduced competition and increasing premium rates. The risk exists that these fluctuations in industry conditions could produce an underwriting environment that negatively impacts our underwriting results, premium levels, and financial position.

When there is intense competition in the P&C industry for any product line, our competitors may price their products at rates that appear to be below the level required to make a reasonable return in an effort to gain or retain market share. If we are unable to realize superior risk selection or sufficient expense efficiencies, our ability to establish or maintain competitive pricing could be adversely affected. Given our disciplined approach to underwriting, there may be market conditions or competitive actions which restrict our ability to grow or maintain our written premium levels.

The entrance of new market participants or a shift in the methods to price insurance by competitors could also undermine our ability to establish or maintain competitive pricing. The introduction of disruptive innovations and changing technologies could affect the way that our customers purchase insurance, how we price insurance, the demand for our products, and our underwriting and other decision-making processes. Our ability to effectively compete may be impaired if we do not respond adequately to new market participants or existing competitors who deploy such technologies.

Distribution risk

In order to meet our overall strategy, we must manage our distribution risk. Distribution risk includes the inherent risk of dealing with independent brokers and new market entrants, as well as the risk that the broker distribution channel would not be viable in a specific market. Changes to customer preferences for different distribution channels, including an increasing preference for direct-to-consumer policies (direct distribution), could lead to a material decline in our market share.

We write products primarily through a network of select brokers across Canada. The ability of our broker network to be competitive against other distributors and distribution channels, and our ability to maintain a strong relationship with the brokers, are critical for staying competitive in the market. The competitive environment is further complicated by the consolidation of brokers, and the acquisition of brokers by other P&C insurance companies, which may have a direct impact on our market share and ability to grow profitably. We maintain close relationships with brokers through the business development staff, who provide training and guidance to enhance the brokers’ understanding and marketing of our products. Strong competition exists among insurers for brokers with a proven ability to develop and deliver a profitable book of business. Premium volume and profitability could be negatively affected if there is a material decrease in the number of brokers that choose to sell our insurance products. We periodically issue commercial loans to, or participate in equity investments, in certain profitable brokers to maintain broker loyalty. By doing so, we could be exposed to financial risk and potential relationship issues. To mitigate these risks, commercial loans and equity investments in brokers are subject to annual, or more frequent, financial reviews, and are supported by standard agreement terms for oversight and security assignment. The Board of Directors provides supervision by reviewing the loan portfolio and equity holdings semi-annually.

In recognition of ongoing industry growth in the direct distribution channel, we have implemented a multi-channel distribution strategy. While our broker business will continue to be a core part of our business model, we have launched a separately-branded, digital direct channel offering to allow us to serve this distinct market segment. Given the new nature of this distribution channel for us, there is risk that we may experience unforeseen operational issues, that the implementation of the direct distribution channel may not yield the benefits expected, or that it could result in negative reputational impact. Despite working closely with our brokers, and offering direct insurance products through a separately-branded entity, implementing the direct distribution channel may adversely impact our market share with the brokers who distribute our products. We closely monitor the performance of both the direct distribution channel and the broker network.

Demutualization risk

We are currently participating in the demutualization process in accordance with regulations established by the federal government.

A complex demutualization process is prescribed by the regulations designed to allow federally-incorporated mutual property and casualty insurance companies to demutualize. A number of events could cause our demutualization process to terminate prior to its completion, including our Board of Directors passing a resolution terminating the demutualization, any one of the necessary special resolutions not being passed by at least two-thirds of the policyholders voting at a special meeting, or the conversion proposal not being submitted to OSFI for review within one year following the appointment of the policyholder committee members by the Court. Also, our demutualization is subject to regulatory and government approval. As a result, the success, timing, and outcome of the demutualization process are uncertain.

Reputational risk

Reputational risk is the risk that negative publicity regarding the P&C insurance industry generally or our conduct or business practices, whether true or not, will adversely affect our performance, operations, broker relationships, or customer base, or require costly litigation or other defensive measures.

Reputational risk assessments involve a broad array of factors, including the extent and outcome of relevant legal and regulatory due diligence, the economic intent of particular transactions, the impact of events on the Company, the need for customer or public disclosure, conflicts of interest, fairness issues, and public perception.

We manage reputational risk by the implementation of our Code of Business Conduct, governance practices, enterprise risk management programs, policies, procedures, and employee and broker partner training. All of our directors, officers, and employees have a responsibility to conduct their activities in accordance with our Code of Business Conduct.

Under our ethics reporting program, employees are able to contact an independent service provider on a confidential and anonymous basis to communicate any concerns regarding compliance with our Code of Business Conduct, including questionable accounting or auditing matters, internal controls over financial reporting, and our disclosure controls and procedures. All concerns raised are forwarded to designated independent Company individuals for investigation and follow-up.