The Canadian Office of the Superintendent of Financial Institutions ("OSFI") has issued a final version of Guideline E-21 on Operational Risk Management (the "Guideline"). The Guideline applies to all Canadian federally regulated financial institutions ("FRFIs") and provides consolidated guidance on OSFI's expectations regarding the management of operational risk ("ORM"). The final version of the Guideline incorporates revisions resulting from comments received during the public consultation process, which began in August 2015.
For the purpose of the Guideline, operational risk is defined as the risk of loss resulting from people, inadequate or failed internal processes, or from external events. OSFI considers effective ORM essential to the safety and soundness of an institution and expects all FRFIs to have a framework for operational risk management. The Guideline promotes industry best practices and reflects international standards in operational risk management. It is principles-based so that the expectations can be scaled, in the course of supervisory oversight, to reflect the nature and complexity of each institution. The principles can be summarized as follows:
Principle 1: Operational Risk Management Framework
FRFIs should have an ORM framework setting out their approach for identifying and managing operational risk. The ORM framework for larger FRFIs may address: approaches to managing operational risk; accountability and ownership of operational risk; risk assessment tools; approaches to establishing and monitoring risk appetite; governance structures to manage risk; the application of the ORM framework institution-wide; and provisions for the regular review of ORM policies.
Principle 2: Operational Risk Appetite Statement
FRFIs should have a comprehensive operational risk appetite statement as part of the overall risk appetite framework. This statement should include a measurable component indicating the acceptable level of operational risk and thresholds for escalation to senior management. In formulating the operational risk appetite statement, an FRFI may consider: changes in the external environment; material changes in business volumes; the quality of the control environment; the effectiveness of mitigation strategies; the FRFI's operational risk event experience; and the frequency/volume/nature of risk appetite limit breaches.
Principle 3: Three Lines of Defence
Accountability for ORM should be delineated across a "three lines of defence" approach or another appropriately robust structure.
- The first line of defence is the business line, which should have ownership of the operational risk faced in its day-to-day activities through responsibilities such as: adherence to the ORM framework; identifying risk within the business line and establishing relevant controls; oversight/reporting on the business line's operational risk profile within the operational risk appetite; analyzing residual risks; promoting an ORM culture within the first line; and staff training.
- The second line of defence is responsible for the objective assessment of the quality and sufficiency of ORM activities. In larger FRFIs, the second line of defence should be a separate function from the first line of defence and be responsible for activities such as: objectively assessing and providing feedback to the first line of defence; developing strategies to identify/monitor/control operational risk; establishing institution-wide ORM policies/procedures/tools; ensuring adequate oversight of ORM; integrating ORM into overall risk management; monitoring/reporting on the FRFI's operational risk profile; promoting an ORM culture institution-wide; and ensuring timely and accurate escalation of material issues.
- The third line of defence is the internal audit function. This line of defence should be separate from the first and second lines of defence and engage in the objective review and testing of the FRFI's overall ORM controls as well as the effectiveness of the first and second lines of defence.
Principle 4: Identification and Assessment of Operational Risk
FRFIs should use appropriate ORM tools, on a global basis if appropriate, for collecting and communicating operational risk information. The objective is to generate risk management value proportionate to the risks faced. Examples of ORM tools provided in the Guideline are:
- Operational risk taxonomy involves creating a common classification of operational risk types to be used FRFI-wide in order to create consistency.
- Risk and control assessments (RCAs) are assessments of risks and alignment of those risks with controls.
- Change management RCAs assess the inherent risks and controls connected to significant changes.
- Internal operational risk event collection and analysis assesses exposure to operational risk by monitoring operational risk events over time, as well as the effectiveness of controls.
- External operational risk event collection and analysis considers operational risk events occurring at organizations other than the FRFI.
- Risk and performance indicators consist of risk metrics (including internal, external or environmental indicators) used to monitor the main drivers of operational risk.
- Material business process mapping manages risk for significant or FRFI-wide processes.
- Scenario analysis considers the potential sources of operational risk by assessing the expected and unexpected responses to an operational risk event.
- Quantification/estimation of operational risk exposure is used to estimate an FRFI's exposure to operational risk via the existing Internal Capital Adequacy Assessment Process and Own Risk and Solvency Assessment.
- Comparative analysis involves the first line of defence reviewing risk assessments and outputs of each operational risk management tool.
OSFI expects each FRFI to fully implement the Guideline by June 2017. In implementing the Guideline, OSFI has advised that FRFIs should be mindful of OSFI's view that the Guideline is not to be used as a static compliance checklist, but rather as a principles-based approach that gives FRFIs the flexibility to develop ORM processes that best fit their size and complexity. OSFI emphasizes the need for FRFIs to engage in continual assessment and improvement of their ORM processes.