Introduction

Background

1. Export Development Canada (the Corporation) was established in 1969 to help Canadian companies benefit from international business opportunities. It reports to the Minister of International Trade. Its purposes and powers are established by the Export Development Act and the Export Development Canada Exercise of Certain Powers Regulations.

2. The Corporation takes on risk to help Canadian exporters, mainly by providing insurance and financing. The insurance protects exporters against losses incurred as a result of exporting (for example, if a foreign customer defaults on payment). Financing is provided through loans, loan guarantees, and investments, which are given to foreign buyers to help them buy Canadian products or to Canadian companies to help them develop their business abroad. The Corporation also offers information and advice to Canadian exporters.

3. Export Development Canada has approximately 1,500 employees working in 37 locations (18 in Canada and 19 abroad). Exhibit 1 provides some details of its business activities and income.

4. The focus of the Corporation’s 2017–21 business strategy is to increase the number of Canadian companies that export and to support their diversification to new markets. The Corporation adjusts its business strategy to remain relevant to Canadian companies and explores new ways of addressing the challenges they face.

5. The Corporation is financially self-sustaining and does not receive government funding. To achieve its business objectives, it must price its products and services appropriately, manage its risks, and have the right people in place.

6. Since our last audit of the Corporation in 2009, it has begun carrying out several transformation initiatives. One of these is to transform its information technology systems to improve service delivery. Another is a multi-year transformation of its risk management practices to keep pace with evolving best practices in the financial services industry, informed by the review carried out by the Office of the Superintendent of Financial Institutions in 2014.

Focus of the audit

7. Our objective for this audit was to determine whether the systems and practices we selected for examination at Export Development Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.

8. In addition, section 139 of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, whether there was reasonable assurance there were no significant deficiencies in the systems and practices examined. A significant deficiency is reported when the systems and practices examined did not meet the criteria established, resulting in a finding that the Corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

9. Based on our assessment of risks, we selected systems and practices in the following areas:

• corporate management practices,
• risk management, and
• organizational transformation.

These systems and practices and the criteria used to assess them are found in the exhibits throughout the report.

10. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Corporate management practices

In corporate governance, there was a significant deficiency related to the appointment of Board directors and a weakness in Board oversight

Overall message

11. Overall, we found that Export Development Canada had a significant deficiency in corporate governance related to the appointment of Board directors. The appointment of directors is the responsibility of the Governor in Council^{Definition i} and is thus outside the Corporation’s control. At the time of the audit, 1 position was vacant, and 8 of the 12 current Board members, while continuing to serve, had terms that had expired, putting the continuity of the Board’s oversight at risk.

12. We also found that the Board’s ability to oversee risk management could be hindered because the Board did not receive all the information it needed to fully understand some of the Corporation’s risks.

13. We found that the Corporation had some good corporate governance practices in place, and that it had good strategic planning and performance measurement and reporting processes.

14. These findings matter because vacancies on the Board, uncertainty about the appointments or terms of its directors, and insufficient risk information could hinder the effectiveness of the Board’s oversight of the Corporation.

15. For additional information, see Subsequent Event at the end of the report.

16. Our analysis supporting this finding discusses the following topics:

• Corporate governance
• Strategic planning and performance measurement and reporting

17. The Export Development Act provides for a Board of 13 directors, including the President and Chief Executive Officer.

18. In our 2009 audit, we found that the Corporation had to improve its approach to performance reporting. As of 2017, the Corporation was implementing a new approach to strategic planning and performance measurement and reporting, which will continue into 2018.

19. Our recommendations in this area of examination appear at paragraphs 26, 31, and 32.

20. Corporate governance. There was a significant deficiency related to the appointments of members to the Corporation’s Board of Directors and a weakness in Board oversight. The Corporation had in place good corporate governance practices in other areas (Exhibit 2).

21. Weakness—Board oversight. We found a weakness in the Board’s oversight of the Corporation in operational risk management. The Board’s ability to oversee this area was hindered because comprehensive reporting on operational risk management was not in place (see paragraph 42). Furthermore, certain other key elements of risk management reporting to the Board were not in place, such as reporting the Corporation’s overall position against its risk appetite statement or having aggregated risk limits across business lines (see paragraphs 34 to 49).

22. This weakness matters because Board oversight of risk management helps ensure that an organization remains aligned with its strategic objectives and manages its risks in line with its risk tolerances.

23. Significant deficiency—Board appointments and competencies. Out of 12 directors (excluding the President and Chief Executive Officer), the Chairperson’s position was vacant and the terms of 8 other directors had expired. (In accordance with the Financial Administration Act, these directors continue to serve until their replacements are appointed.) In addition, the President and Chief Executive Officer’s term will expire in February 2019, and the Corporation may face challenges in attracting a qualified individual for this position (see paragraph 28).

24. The Corporation identified expiration dates of the terms of Board directors, as well as the skills and competencies needed to fill these positions. To initiate an appointment process, the Corporation communicated this information to its Minister in advance of the terms’ expiration. However, its actions did not result in timely appointments or reappointments to the Board of Directors. As these appointments are made by the Governor in Council, this was beyond the Corporation’s control.

25. This significant deficiency matters because if many director positions were filled by new appointments at about the same time, it could compromise continuity in the Board’s oversight. It could also undermine the Corporation’s ability to carry out its significant transformation initiatives and achieve its new strategic objectives.

26. Recommendation. The Corporation should continue to engage with its responsible Minister to help ensure that appropriate appointments to its Board of Directors are made in a timely and staggered manner.

The Corporation’s response. Agreed. The Corporation will continue to engage with our responsible Minister to request that appointments be made in a timely manner—and be staggered as to the number of Directors appointed in any one year—to ensure Board continuity and appropriate governance.

27. For additional information, see Subsequent Event at the end of the report.

28. Weakness—Board appointments and competencies. We found that the President and Chief Executive Officer’s compensation range—set by the Governor in Council and based on salary ranges established in 2012—had fallen behind the Senior Vice President’s compensation ranges, which were established by the Board of Directors based on market standards.

29. This weakness matters because this discrepancy could hinder the Corporation’s ability to attract qualified individuals to the President and Chief Executive Officer position, further putting at risk continuity in the oversight of the Corporation.

30. We also found that the Corporation did not publicly disclose executive compensation—in its annual report, for example. Compensation represents one of the Corporation’s largest operational expenditures. In addition, given the importance of appropriate compensation in attracting individuals with the proper qualifications, and the Corporation’s issue with the level of compensation of the President and Chief Executive Officer, disclosing executive compensation or salary structures would promote transparency, as it does elsewhere in government and in the financial services industry. It would also contribute to a better understanding by stakeholders at large of salary structures and inherent issues.

31. Recommendation. The Corporation should continue to engage with its responsible Minister and the Privy Council Office to address the issue related to the President and Chief Executive Officer’s compensation.

The Corporation’s response. Agreed. The Corporation is very concerned that the total compensation structure of the President and Chief Executive Officer position is significantly below market as confirmed by a chief executive officer compensation benchmarking study conducted on behalf of the Board of Directors by external compensation consultants in August 2017. The Corporation will continue to engage with our responsible Minister and the Privy Council Office to request a review of the total compensation structure of the President and Chief Executive Officer position with the objective of ensuring that the Corporation continues to have the ability to attract, engage, and retain qualified candidates for this position going forward. This is particularly important and pressing, given that the current President and Chief Executive Officer’s term expires in early 2019.

32. Recommendation. The Corporation should consider disclosing its compensation framework as well as total compensation for senior management—for example, in its annual report—in line with government and financial services industry practices.

The Corporation’s response. Agreed. The Corporation is continuously improving disclosure and transparency in external reporting. A review of compensation related to annual report content will be conducted relative to industry peers and best practices over the course of 2018.

33. Strategic planning and performance measurement and reporting. The Corporation had good strategic planning and performance measurement and reporting processes (Exhibit 3).

Risk management

A significant deficiency in the Corporation’s risk management practices was due to a number of weaknesses

Overall message

34. Overall, we found weaknesses in how the Corporation managed risk and in how the Corporation managed credit risk. Combined, these weaknesses amounted to a significant deficiency. The Corporation did not keep up with evolving industry practices in risk management. At the time of our audit, it did not have operational and strategic risk management frameworks in place, and it was developing and implementing credit risk management policies that were aligned with its risk appetite statement.

35. Some of the weaknesses in risk management were not new—we reported on the Corporation’s operational risk management practices in our 2009 special examination. These weaknesses will persist until the Corporation addresses them in its risk management transformation project, which is expected to be completed in 2019.

36. This finding matters because the Corporation’s business was to assume the risk of others, and it operated in an environment of changing risk. Keeping risk management practices in line with evolving industry practices would help manage these risks effectively. At the time of our audit, the Corporation had a risk management transformation project under way to update its practices.

37. Our analysis supporting this finding discusses the following topics:

• Risk management
• Credit risk management for financing and insurance

38. According to the Corporation’s risk management framework, it should consider the following risks:

• Strategic risks including external environment risks (such as the economy, political changes, and global developments) and those associated with the strategic direction of the Corporation.
• Operational risks including those in the areas of human resources (attraction, retention, development, and deployment); information management and technology; governance; legal and compliance; security; and the Corporation’s ability to innovate and transform.
• Financial risks including market risks (those associated with changing cash flows due to interest rates or foreign exchange rates), credit risks (those associated with the failure of an obligor to honour its financial commitments), and liquidity risk (the risk that the Corporation would be unable to meet its financial commitments).

39. Financial institutions establish a risk appetite statement as part of their risk management practices. This statement describes the amount and type of risk an organization accepts before it must implement risk mitigation measures to reduce risk. An organization’s overall tolerance for losses is broken down into limits and targets, which are assigned to the different business areas of the organization. Examples can include obligor, country, and industry limits for financing and insurance transactions. Once the limits and targets are established, the organization must regularly measure and monitor its position against them to ensure that its overall risk appetite is not exceeded and that corrective action is taken when appropriate. Exhibit 4 provides a simplified overview of the Corporation’s intended risk management approach.

40. In our 2009 audit, we noted that the Corporation had not yet developed an operational risk management policy.

41. Our recommendations in this area of examination appear at paragraphs 44, 45, 46, and 49.

42. Risk management. We found that Export Development Canada had a framework to describe how it should manage risk across the Corporation. However, in some cases, it did not have comprehensive policies that implemented the framework. Where it did have policies, it had not yet implemented all of them (Exhibit 5).

43. Weaknesses—Risk management. We found a number of weaknesses in the Corporation’s overall management of risk, including the lack of strategic and operational risk management frameworks. Although the Corporation had a significant project under way to renew its risk management framework and practices, we assessed the systems and practices in place at the time of our examination.

• Weakness—Risk management framework. The Corporation had an overall risk management framework in place, but did not have frameworks for strategic and operational risk management modules. In 2004, it identified the need to strengthen its operational risk management and reiterated this in its response to our 2009 special examination. However, it had still not implemented a comprehensive policy framework for operational risk management.

  This weakness matters because the lack of policy frameworks for strategic and operational risk management meant that the Corporation did not have a comprehensive approach to how those risks should be managed. This situation could expose it to unidentified and unmitigated risks.

• Weakness—Risk appetite statement. The Corporation had a risk appetite statement for its strategic, operational, and financial risks. However, it did not have targets and policies for strategic and operational risk that were aligned with the risk appetite statement. Such targets and policies would guide day-to-day decision making in these areas.

  This weakness matters because without these targets and policies, the Corporation could not ensure that its decision making was aligned with its risk appetite statement and risk tolerances.

• Weakness—Risk identification and assessment. Senior management identified risks and presented them to the Board for validation. However, the Corporation did not systematically gather risk information from its business units to identify risks and use them to inform the risk response plans.

  Also, while the Corporation had a number of policies and activities in place to address security threats and their targets, it lacked an inventory and classification of key assets such as information assets or critical systems.

  This weakness matters because without processes for identifying and assessing risks in all business units, unanticipated risks may occur or risk response plans may not adequately mitigate risks. Also, without an inventory of key assets, it was difficult to link threats to specific assets. This means that threats could go undetected and unmitigated, exposing the Corporation to reputational and financial losses.

• Weakness—Risk monitoring and reporting. We found that while the Corporation’s risk reporting included some operational risk management information, it was not comprehensive. For example, it did not include an assessment of the risk response plans’ effectiveness or of how risks were trending.

  This weakness matters because without complete operational risk information, the Corporation may be exposed to risks that were not identified or mitigated within its risk appetite statement.

44. Recommendation. The Corporation should complete its risk management transformation project as planned, including the following activities:

• developing and implementing policies to support its risk management framework in each of the three risk modules (strategic, operational, and financial);
• completing its risk appetite statement by developing the remaining supporting policies, training, and risk limits; and
• implementing risk identification and control assessment processes within all business units.

The Corporation’s response. Agreed. The Corporation notes that work on its enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015. Notwithstanding that a more comprehensive policy framework and approach to manage risk will be addressed by the Project, the Corporation has in place and has periodically updated policies addressing certain operational risks, including information technology, human resources, corporate security and compliance and ethics, among others.

45. Recommendation. The Corporation should ensure that risk reporting includes comprehensive information about operational risk management.

The Corporation’s response. Agreed. The Corporation had developed work plans to enhance risk reporting to include comprehensive information about operational risk management as part of the risk management transformation project (the Project), referred to in the response to the recommendation in paragraph 44. Completion of the Project will address the elements noted within the recommendation. Completion dates for the various work streams of the Project range from the first quarter of 2018 to the last quarter of 2019, as prioritized on a risk basis.

46. Recommendation. The Corporation should develop an inventory and classification of key assets (including information and critical systems) and monitor and mitigate threats against these assets.

The Corporation’s response. Agreed. Although the Corporation has an inventory of technology assets and physical assets, it does not have a comprehensive inventory and classification of information assets. The Corporation will develop and maintain an inventory and classification of all key assets by 30 September 2018 and will monitor and mitigate threats against these assets. The 2018 biannual Enterprise Threat Risk Assessment will use this inventory to complete its internal and external threat risk assessment by 31 December 2018.

47. Credit risk management for financing and insurance. Given the nature of its business, the Corporation is exposed to significant financial risk. We found that it had not yet fully implemented all of its renewed credit risk management systems and practices that were aligned with its updated risk appetite statement (Exhibit 6).

48. Weaknesses—Credit risk management for financing and insurance. We found a number of weaknesses in how the Corporation managed its credit risk for financing and insurance.

• Weakness—Credit risk appetite. As part of its updated financial risk management framework, the Corporation developed for the first time a risk appetite statement to guide its business lines in decision making. However, it had not updated its credit risk policies, procedures, and limits to fully align them with the risk appetite statement. The Corporation was operating under its existing financial risk management framework, which predated the risk appetite statement. It aimed to complete the updates to the credit risk policies and procedures by June 2018. Also, while the Corporation measured its exposure to credit risk at the business line level, we found that the limits for credit risk were not combined across all business lines.

  This weakness matters because credit risk policies, procedures, and limits that are aligned with the risk appetite statement must be in place for each business line to ensure that transactions do not exceed the expressed risk appetite. Also, not having limits for credit risk combined across business lines prevented the Corporation from comparing its combined risk exposure with its risk appetite statement.

• Weakness—Credit risk identification and measurement. Consistent with industry practice, the Corporation relied on financial and risk models in making credit decisions. These models are used to measure and manage risk by computing lender credit risk ratings, to determine values of loans, and to calculate potential gains and losses. Industry practice includes regular tests of models to ensure that they are reliable. The Corporation recently developed a Model Risk Management Policy for its models and established a team to manage its model risk. However, it did not have supporting guidelines and standards in place for this, and had not yet subjected its models to validation.

  Model validation was expected to take place over the course of several years, and a plan was being developed to prioritize high-impact models to be subjected to validation first.

  This weakness matters because models that have not been subjected to validation could produce unreliable information for decision making, which could expose the Corporation to unexpected losses.

49. Recommendation. The Corporation should complete its risk management transformation project as planned, with prompt consideration of the following items:

• aligning credit risk policies and procedures with its risk appetite statement;
• implementing the Model Risk Management Policy by completing guidelines and standards, and ensuring that models are subjected to validation according to plan, with higher-impact models being prioritized; and
• developing risk limits that combine risk exposures across all business lines.

The Corporation’s response. Agreed. The Corporation notes that work on our enterprise risk management project (the Project) is currently under way. The completion of the Project, which will more systematically address each of the elements noted within the recommendation, is and will continue to be a key priority for the Corporation, with regular reporting to the Board of Directors. The prioritization of elements to be addressed by the Project was informed by gaps previously identified by the Corporation as part of the establishment of an enterprise risk management framework and group led by the Chief Risk Officer, and by those raised during an in-depth review by the Office of the Superintendent of Financial Institutions of the Corporation’s risk management and governance practices, which took place in 2014 and 2015.

Regarding the element of the recommendation pertaining to model risk management, a Model Risk Management team is now established and reports directly to the Chief Risk Officer. To support the recently approved Model Risk Management Policy, all related guidelines and procedures are now complete. Also, an enterprise-wide model inventory and a plan to validate high-impact models are now substantially complete.

Organizational transformation

The Corporation was managing its organizational transformations well, but improvement was needed in oversight

Overall message

50. Overall, we found that Export Development Canada was doing well in managing its two major transformation initiatives—the transformation of its risk management framework and of its credit insurance systems. However, the Board and senior management did not have consolidated reporting of how the initiatives had an impact on the Corporation as a whole.

51. This finding matters because without consolidated reporting of the initiatives’ impacts, senior management and Board members may not understand the collective effects of these impacts and may not prioritize efforts and resources where needed.

52. Our analysis supporting this finding discusses the following topic:

• Management of organizational transformations

53. The Corporation is renewing its risk management framework and developing a new service delivery model for credit insurance. These are both significant initiatives.

54. Our recommendation in this area of examination appears at paragraph 58.

55. Management of organizational transformations. The Corporation had systems and practices in place to oversee and report on its transformation initiatives. However, it did not have consolidated reporting on these initiatives and their overall impact on the Corporation (Exhibit 7).

56. Weakness—Transformation program and project oversight. We found that management reported to the Board on the progress of its two transformation initiatives separately. This meant that neither the Corporation nor the Board had consolidated reporting of these initiatives and how they had an impact on the Corporation as a whole.

57. This weakness matters because without this reporting, it was difficult for senior management and Board members to understand the collective risks and impacts the initiatives were having on the Corporation. The Board could not oversee effective prioritization of initiatives, or that conflicts or resourcing issues (for example, where many initiatives affected one area at the same time) were identified and addressed in a timely manner.

58. Recommendation. The Corporation should implement reporting that enables it to understand and monitor the consolidated impacts of its transformation initiatives.

The Corporation’s response. Agreed. Although the overall impact of the corporate transformation projects has been reflected at the specific initiative level and is understood by the Board members, the Corporation will develop enhanced reporting to management and the Board, which will enable better understanding and monitoring of the consolidated impacts of significant transformation initiatives. This reporting will be implemented by the end of the first quarter of 2018.

Conclusion

59. In our opinion, based on the criteria established, there were significant deficiencies in the Corporation’s Board appointment process and in its risk management processes, but there was reasonable assurance that there were no significant deficiencies in the other systems and practices that we examined. We concluded that, except for these significant deficiencies, the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

Subsequent Event

60. The corporate governance section of this report discusses the significant deficiency that we found in the board appointments for Export Development Canada’s Board of Directors. In November 2017, 9 of the 12 Board members’ terms had expired, and the Chairperson’s position was vacant.

61. On 28 November 2017, the Minister of International Trade announced the appointment of a new Chairperson to the Board of Directors. This new appointment will contribute to the Corporation’s oversight.