Since 2002, the Office of the Superintendent of Financial Institutions ("OSFI") has been providing the Federally Regulated Financial Institutions ("FRFIs") it supervises and regulates with what is known as the Composite Risk Rating ("CRR"). Developed by OSFI under its supervisory framework (the "Supervisory Framework"), CRR is a key measure of a FRFI's safety and soundness with respect to its depositors and policyholders which must be kept confidential pursuant to the Supervisory Information Regulations.1 The determination of the CRR is guided by a set of assessment criteria (the "Assessment Criteria") available on the OSFI website2.

On September 30, 2015, OSFI issued updated Financial Assessment Criteria (the "Updated Financial Assessment Criteria"). This update follows the introduction of new actuarial assessment criteria in April, 2014 - both developments were for the purpose of reflecting the revisions made to the Supervisory Framework in 2010.

Background: OSFI's Supervisory Framework

OSFI's Supervisory Framework is based on an understanding of its supervisory goal as being primarily "to safeguard depositors and policyholders from loss."3 More specifically, OSFI points to risk assessment as "the fundamental work activity of supervision."4 The Supervisory Framework sets out the approach, principles, concepts and core process used by OSFI to conduct risk assessment.

The CRR is the end-product of a chain of assessments that OSFI conducts on a FRFI. This chain of assessment begins with the identification of the FRFI's significant activities, defined as lines of business, units or processes that are fundamental to the FRFI's business model and its ability to meet its overall business objectives5. For each significant activity, OSFI determines the inherent risks, each being "the probability of a material loss due to exposure to, and uncertainty arising from, current and potential future events."6 OSFI expects the FRFI to manage the inherent risks of each significant activity at two levels: operational management (day-to-day controls), and oversight functions (enterprise wide oversight of operational management). The revised Supervisory Framework identifies seven oversight functions: financial, compliance, actuarial, risk management, internal audit, senior management and board of directors.

OSFI assesses the quality of a FRFI's operational management and oversight functions in relation to the inherent risks of each significant activity, and obtains the net risk of that activity. Because the significant activities are of varying importance to the FRFI, OSFI weighs each net risk based on the relative importance of the significant activity, and aggregates the weighted net risks of all significant activities to arrive at the overall net risk of the FRFI. OSFI treats the overall net risk as a measure of the potential adverse impact that the FRFI's significant activities as a whole could have on the three sources of the FRFI's financial support: earnings, capital adequacy, and balance sheet liquidity.7 If a FRFI has a higher overall net risk, OSFI requires that the FRFI have more effective generation of internal capital, higher level and quality of capital, and/or stronger capital management policies and processes, to ensure its safety and soundness. Therefore, as the final step of its risk assessment, OSFI examines the FRFI's earnings, capital and liquidity in relation to the FRFI's overall net risk. The result is the CRR, which represents the overall risk profile of the FRFI.

OSFI describes its assessment of the oversight functions using four rating categories: strong, acceptable, needs improvement, and  weak. In order to ensure "consistency and comparability"8 of such assessments, OSFI developed Assessment Criteria specific to each oversight function. The Assessment Criteria define the meaning of each rating category, identify the essential elements that OSFI looks for, and specify the criteria and examples for each essential element. The Assessment Criteria guide OSFI's reviews and also help the FRFI comprehend the ratings given to them.

Updated Financial Assessment Criteria

The title of the Updated Financial Assessment Criteria has been modified from "Financial Analysis" to "Financial". This name change is meaningful in that it reflects the expansion of the role of the financial oversight function (the "Financial Function") to include not only the in-depth analysis of the operational results of a FRFI's operating units, but also "the timely and accurate reporting … of the operational results."9 The objective of such analysis and reporting is "to support planning, strategy, performance measurement and decision-making by senior management and the board of directors."10 Nevertheless, OSFI makes it clear that its overall rating of a FRFI's Financial Function will be contextualized by the "nature, size, complexity, and risk profile of the FRFI."11 Such contextualization is consistent with OSFI's "principles-based" approach to supervision, as stated in the Supervisory Framework.

The overall rating of the Financial Function remains a two-part assessment of the quality of the function in terms of (1) the characteristics of the Financial function, and (2) the effectiveness of its performance in executing its mandate.12 In assessing the characteristics of the Financial Function, the Updated Financial Assessment Criteria retain most of those relating to the following "essential elements": mandate, organization structure, resources, senior management and board oversight, and policies, practices and methodology.

With respect to the mandate of the Financial Function, OSFI's evaluating criteria historically focused on the extent to which the Financial Function's mandate establishes clear objectives and enterprise-wide authority for its activities, independence from its business units, a right of access to information and a requirement to provide recommendations on opportunities, management information systems and changes to enhance decision making. OSFI will now also consider the extent to which the mandate establishes authority to oversee the operating units' financial practices and to follow up on management's response to the Financial Function's recommendations for enhancing the FRFI's financial management information system.13

Regarding the policies, practices and methodologies of the Financial Function, OSFI will now consider the extent to which they are consistent with the FRFI's strategic, capital and liquidity management policies, communicated to and adopted by the operating units and are adequate to facilitate an effective financial management system.

In addition to the criteria discussed above, OSFI has introduced new criteria relating to the Financial Function's reporting, internal audit oversight, and relationships with other oversight functions.14 With respect to reporting, OSFI will consider its adequacy, as measured by the nature, level and timeliness of the required reporting to senior management, the board of directors and operating units in appropriate circumstances, and by the amount of reporting on the effectiveness of the financial processes or the resolution of issues identified by the Financial Function. Internal audit oversight refers to the reviews of, and recommendations regarding, the Financial Function's effectiveness. Finally, OSFI is interested in assessing whether the Financial Function's role and responsibility are  integrated adequately with other oversight functions.

The performance of the Financial Function is assessed in terms of its effectiveness in providing oversight of operating unit analysis and reporting and independent analysis and reporting to senior management and the board.15 OSFI conducts its assessment by reference to certain indicators of effective performance. The Updated Financial Assessment Criteria provides seven new "examples of indicators" for a total of 12 examples. The examples illustrate a few common themes: being proactive in obtaining input from the operating units, conducting assessment and analysis, responding to identified issues, providing recommendations to senior management and the board, and updating its policies, practices and methodologies; regular collaboration with senior management and the board to develop a risk appetite framework that is consistent with the FRFI's strategic, financial and capital plans; and effective implementation of the Financial Function's policies, practices and methodologies to ensure that they are consistent with the FRFI's strategic, capital and liquidity management policies and integrated with the activities of the operating units.