The Office of the Superintendent of Financial Institutions (Canada) (OSFI) has released for comment draft Guideline E-21 – Operational Risk Management.

The draft Guideline communicates OSFI's expectation that federally regulated financial institutions (FRFIs) establish and maintain an enterprise-wide framework of operational risk management controls. The draft Guideline addresses four principles, which are consistent with the framework set out in OSFI's Supervisory Framework and Corporate Governance Guideline and are designed to promote best practices and reflect international standards.

This is the first time OSFI has comprehensively set out its expectations in this area. Previously, aspects of operational risk were addressed in various guidelines and in guidance directed at applicants seeking to establish new financial institutions. In some cases, OSFI had also expressed its expectations to individual FRFIs.

The Guideline will apply to all FRFIs other than branches of foreign banks and foreign insurance companies. OSFI has indicated that full implementation of the Guideline by FRFIs will be expected no later than one year from the date that it becomes effective.

Comments on the draft Guideline are to be submitted by October 9, 2015.

Principle 1: Operational risk management is fully integrated within the FRFI's overall risk management program and appropriately documented.

OSFI expects that each FRFI will have in place a documented framework for operational risk management that sets forth mechanisms for identifying and managing operational risk and provides a mechanism for discussion and effective escalation of issues. The draft Guideline lists items that this framework should consider.

Principle 2: Operational risk management serves to support the overall corporate governance structure of the FRFI. As part of this, FRFIs develop and utilise an operational risk appetite statement.

OSFI expects FRFIs to develop and maintain a risk appetite statement for operational risk. The statement should articulate the nature, types and approximate exposure levels of operational risk that the FRFI is willing or expected to assume, including a measurable component (limit/threshold). This is an extension of the risk governance expectations set out in OSFI's Corporate Governance Guideline, which addresses the need for a Risk Appetite Framework that contains a risk appetite statement and risk limits.

The draft Guideline states that the governance structure around operational risk management (especially the role of the Board of Directors) should be aligned with the FRFI's broader corporate governance framework. Senior Management should ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, and other risks.

Principle 3: FRFIs ensure effective accountability for operational risk management. A 'three lines of defence' approach, or appropriately robust structure, serves to separate the key practices of operational risk management and provide adequate independent overview and challenge. How this is operationalized in practice in terms of the organisational structure of a FRFI will depend on its business model and risk profile.

OSFI has promoted the three lines of defence approach to risk management for some time. The draft Guideline discusses OSFI's expectations for each line of defence in relation to operational risk management.

  • The first line of defence - the business line - is responsible for planning, directing and controlling the day-to-day operations of a significant activity and for identifying and managing the inherent operational risks in products, activities, processes and systems for which it is accountable.
  • The second line of defence consists of oversight activities that independently identify, measure, monitor and report operational risk on an enterprise basis. The draft Guideline highlights the importance of "independent challenge", which is defined as the process of developing an independent view regarding the quality and sufficiency of the business unit's operational risk management activities. The draft Guideline states that OSFI recognizes that the nature, size, complexity and risk profile of different FRFIs will mean that the responsibilities of the second line of defence groups may overlap with those of the first line of defence. The draft Guideline also states that the size and degree of independence of the second line of defence will differ among FRFIs.
  • The third line of defence - the internal audit function - should be independent of the first and second lines of defence, and provide an independent review and testing of the FRFI's operational risk management controls, processes, systems and the effectiveness of the first and second line of defence functions.

Principle 4: FRFIs ensure comprehensive identification and assessment of operational risk through the use of appropriate management tools. Maintaining a suite of operational risk management tools provides a mechanism for collecting and communicating relevant operational risk information, within the FRFI and to relevant supervisory authorities.

The draft Guideline notes that FRFIs are best able to determine their organizational structure and processes as well as the extent of their use of operational risk management tools. The draft Guideline discusses the following elements, which are generally included in risk management tools:

  • operational risk taxonomy;
  • risk and control assessments;
  • change management risk and control assessments;
  • internal operational risk event collection and analysis;
  • external operational risk event collection and analysis;
  • risk and performance indicators;
  • business process mapping;
  • scenario analysis and stress testing;
  • quantification/estimation of operational risk exposure; and
  • comparative analysis.