On June 29, 2016, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of Guideline E-21 - Operational Risk Management. This follows a public consultation process on a draft of this guideline, which was released in August 2015 (you can refer to our commentary on the draft Guideline here).
Whereas the draft Guideline had proposed excluding Canadian branches of foreign banks and foreign insurance companies, the final Guideline applies to all federally regulated financial institutions (FRFIs). FRFIs are expected to adhere to the four high-level principles outlined in the final Guideline by June 2017.
The final Guideline sets out four operational risk management principles:
- Operational risk management should be fully integrated within a FRFI's overall risk management program and appropriately documented.
- Operational risk management should serve to support the overall corporate governance structure of the FRFI. As part of this, FRFIs should develop and utilize an operational risk appetite statement or, in the case of small, less complex FRFIs with lower operational risk profiles, use reporting/escalation thresholds for material operational risk events.
- FRFIs should ensure effective accountability for operational risk management. A "three lines of defence" approach, or appropriately robust structure, should serve to delineate the key practices of operational risk management and provide adequate objective overview and challenge. How this is operationalized in practice in terms of the organisational structure of a FRFI will depend on its business model and risk profile.
- FRFIs should ensure comprehensive identification and assessment of operational risk through the use of appropriate management tools. Maintaining a suite of operational risk management tools provides a mechanism for collecting and communicating relevant operational risk information, both within the FRFI, and to relevant supervisory authorities.
While these principles are largely consistent with the draft Guideline, the final Guideline incorporates several revisions resulting from comments received during the consultation process that will be of interest to smaller FRFIs:
- the final Guideline more clearly distinguishes between principles-based expectations, which apply to all FRFIs, and emerging sound practices, which are primarily for consideration by larger, more complex FRFIs;
- details regarding operational risk management tools have been moved to an Annex so that the main body of the final Guideline focuses on operational risk management principles; and
- in response to concerns relating to the expectation in the draft Guideline that FRFIs have an operational risk appetite statement, Principle 2 has been revised in the final Guideline to provide that smaller, less complex FRFIs do not need to have an operational risk appetite statement and can instead use reporting/escalation thresholds for material operational risk events.