Following a public consultation process that began in August 2015, on June 29, 2016, the Office of the Superintendent of Financial Institutions ("OSFI") released the final version of Guideline E-21 - Operational Risk Management (the "Guideline"). As discussed in our previous bulletin, the draft guideline issued in August 2015 did not apply to Canadian branch operations of foreign banks and foreign insurance companies. The final Guideline now applies to all federally regulated financial institutions ("FRFIs"), including the branch operations of foreign banks and foreign insurance companies.
The Guideline outlines OSFI's expectations for operational risk management ("ORM") using a principles-based approach which takes into account the complex and diverse nature of the institutions it supervises with the goal of facilitating consistent ORM practices across these varied institutions.
OSFI recognizes that ORM standards and recommendations are currently dispersed across industries and institutions, which makes it difficult for FRFIs to access appropriate guidance. The Guideline is designed to consolidate existing OSFI guidance that falls under the rubric of operational risk.
OSFI defines operational risk as the risk of loss resulting from people, inadequate or failed internal processes and systems, or from external events. It includes legal risk but excludes strategic and reputational risk. According to OSFI, operational risk is an important feature of any FRFI's risk management program and warrants sound risk-based supervision and guidance by OSFI.
The final version of the Guideline is the product of an external consultation process, whereby OSFI sought, studied and addressed feedback from industry stakeholders. As set out in OSFI's letter accompanying the final Guideline, the feedback included suggestions and inquiries around a number of matters, including, for example, (a) adjusting the one-year implementation period to a 3-5 year implementation period, (b) articulating any anticipated correlation between the level of capital required and the robustness of an FRFI's ORM framework, and (c) whether ORM should be differentiated from overall enterprise risk management, as is done in the Guideline. No specific changes were made to accommodate these particular questions and OSFI's responses to each were as follows:
- implementation should not and will not require a 3-5 year period considering the growth and improvement of ORM practices by FRFIs over the past few years;
- the focus of the Guideline is general ORM practices and not capital requirements, but OSFI remains flexible to future discussions regarding the steps that might be taken with respect to linking demonstrated improvements in ORM and an FRFI's capital requirements for operational risk; and
- there is value in separating operational risk from overall risk management; operational risk can be an accompaniment to an FRFI's overall Risk Appetite Framework (as articulated by OSFI's Guideline on Corporate Governance (2013)).
Nevertheless, the Guideline does revise certain components of the draft issued in August 2015 based on industry feedback. These revisions include:
- more clearly distinguishing between principles-based expectations and emerging sound practices by focusing on ORM principles within the Guideline and moving the details of emerging sound practices (which are primarily for consideration by larger, more complex FRFIs) to Annex 1; and
- amending Principle 2 to make it clear that smaller, less complex FRFIs with lower operational risk profiles do not need to develop and utilise the operational risk appetite statement but may instead develop and utilise reporting/escalating thresholds for material operational risk events.
In keeping with the August 2015 version, the final version of the Guideline promotes four ORM principles:
- ORM should be completely integrated within an FRFI's overall risk management program, and appropriately documented;
- ORM should support the overall corporate governance structure of FRFIs through appropriate use of an operational risk appetite statement, or for small, less complex FRFIs with lower operational risk profiles, appropriate use of reporting/escalation thresholds for material operational risk events;
- a robust accountability structure should be adopted, such as the "three lines of defence" approach which separates the components of ORM and provides for independent review and challenge suitable to the organization's business model and risk profile; and
- appropriate management tools that allow FRFIs to collect and communicate relevant operational risk information internally and to supervisory authorities should be used.
OSFI expects FRFIs to adhere to its expectations found within the Guideline but also recognizes that each institution has differing risk profiles. The principles-based approach allows for flexibility of OSFI supervisory expectations to meet the needs of each institution. Furthermore, according to OSFI, the Guideline remains consistent with OSFI's Corporate Governance Guideline and international risk management standards.
The reason for OSFI's decision to make the Guideline apply to branch operations and not solely to FRFIs that are Canadian incorporated entities (i.e. that have boards of directors) does not appear to have been highlighted in the documentation released by OSFI that accompanied the final version of the Guideline. Presumably, when originally issued, the draft version did not apply to branches because it was meant to mirror OSFI's Corporate Governance Guideline, which also does not apply to branches because the board of directors is given ultimate responsibility for the matters dealt with by the Corporate Governance Guideline. Since branches do not have boards of directors (other than the one- or two-tier board(s) of the foreign entity that are governed by the local legislation of the foreign country), it is possible to rationalize that a good portion of the Corporate Governance Guideline should not apply to them, because the Corporate Governance Guideline deals largely with the roles of the board of directors and board committees and the specific offices that report to them. However, it was extremely difficult to rationalize the fact that ORM would not equally apply to a branch as to a Canadian incorporated entity. In that sense, now that the final Guideline applies to branches as well as corporate entities, the playing field has been somewhat leveled, as it relates to ORM.