In August 2015 the Office of the Superintendent of Financial Institutions (OSFI) released draft Guideline E-21 – Operational Risk Management for federally regulated financial institutions (FRFIs). It applies to all FRFIs, including insurance companies. However, similar to OSFI's comprehensive Corporate Governance Guideline finalised in January 2013 (for further details please see "OSFI clarifies expectations for implementation of Corporate Governance Guideline"), FRFIs under the guideline do not include branch operations of foreign banks and foreign insurance companies.

The guideline identifies the appropriate framework and processes that OSFI expects FRFIs to maintain in order to mitigate operational risk. Through the guideline, OSFI hopes to promote industry best practices consistently across all FRFIs. The guideline is OSFI's first direct statement on operational risk management, complementing its comprehensive list of corporate governance requirements contained in the Corporate Governance Guideline. The guideline is open for public comment until October 9 2015.

According to the guideline, 'operational risk' is the risk of loss resulting from people, inadequate or failed internal processes and systems or external events. Operational risk includes non-adherence to internal procedures, legal risk, fraud or unethical behaviour more broadly, but excludes strategic and reputational risk.

The guideline is organised around the recognition of four principles:

  • Operational risk management is integrated within the FRFI's overall risk management framework and appropriately documented.
  • Operational risk management supports the FRFI's overall corporate governance structure and includes an operational risk appetite statement.
  • A robust accountability structure (eg, the 'three lines of defence' approach) separates the components of operational risk management and provides for independent review and challenge.
  • Through appropriate operational risk management tools, the FRFI identifies and assesses its operational risk and can collect operational risk information for communication both internally and to supervisory authorities.

Operational risk management framework

OSFI expects every FRFI to have a robust framework with mechanisms in place to identify and manage operational risk as a fundamental element of the FRFI's risk management programme. Depending on the nature, size, complexity and risk profile of the FRFI, the operational risk management framework should:

  • describe the FRFI's approach to operational risk management and reference the relevant policies and procedures;
  • embody a model that includes a structured independent peer review process (see also the three lines of defence model discussed below);
  • articulate clear accountability and ownership for operational risk management among the three lines of defence;
  • identify risk assessment and reporting tools and their effective use;
  • describe the FRFI's approach to establishing and monitoring operational risk appetite and related limits of exposure;
  • address the governance structures in place to manage operational risk, including reporting lines and accountabilities (including ensuring that operational risk management has sufficient status within the FRFI to be effective);
  • ensure independence of key functions as part of an effective control environment;
  • apply to the FRFI on an enterprise-wide basis;
  • require that the FRFI's relevant policies be reviewed and revised regularly to take into account material changes (all to be subject to board and senior management oversight); and
  • be able to produce documentation, including risk management value, suitable for the intended audience.?

Operational risk appetite statement and corporate governance

The operational risk appetite statement developed by a FRFI should be a component of its enterprise-wide, board-approved risk appetite framework mandated by the Corporate Governance Guideline. It should set out the nature, types and approximate exposure levels of operational risk that the FRFI is willing or expected to assume. It should include limits/thresholds for acceptable levels of operational risk which, if exceeded, give rise to escalation to management or the board for necessary action. The FRFI's board and management should regularly review the operational risk appetite to confirm continuing appropriateness. The operational risk management governance structure, including, in particular, the roles of the board and senior management, should be aligned with the FRFI's overall corporate governance framework. The guideline enumerates a number of management responsibilities for ensuring the proper establishment, implementation, maintenance and oversight of the operational risk management and coordination of operational risks with credit, market and other risks of the FRFI.

Three lines of defence model

OSFI recognises that a FRFI's use of any particular operational risk management methodology will depend on its business model and risk profile. However, OSFI recommends that the operational risk management framework be organised in accordance with the three lines of defence model in an effort to achieve accountability. According to OSFI, this particular model provides a structured independent peer review process with clear accountability at each level. Each of the three lines is responsible for implementing its respective risk management procedures to monitor and report on operational risk.

First line The first line of defence, referred to as the 'business line', encompasses responsibility for planning, directing and controlling day-to-day operations of significant activities, and identifying and managing inherent operational risks in products, activities, processes and systems. The first line is responsible for adherence to the operational risk management framework by:

  • identifying and assessing operational risk;
  • establishing and assessing mitigating controls;
  • monitoring and reporting;
  • reporting on unmitigated residual risk;
  • promoting a risk management culture; and
  • ensuring appropriate escalation of material issues.

Second line The second line of defence comprises oversight activities designed to identify, measure, monitor and report operational risk independently on an enterprise basis. The second line designs and implements the FRFI's operational risk management framework. It may include personnel from other FRFI functions (eg, compliance and legal).

The second line effectively acts as an independent challenger to the first line's adherence to operational risk policies and ensures that the appropriate risk management tools are put into action. Second line reviews should be made by competent staff in a structured and timely process that can be communicated to the first line in a manner that encourages continuous improvement. The guideline emphasises that this role does not involve the facilitation, guidance or documentation of decisions.

Third line The third line of defence is generally seen to be the internal audit function (independent of both the first and second lines). It reviews the effectiveness of the first and second lines' practices from the perspective of the FRFI's overall operational risk management and corporate governance functions. While the third line performs much the same kind of review as the second line, it also evaluates the nature and scope of the FRFI's overall operational risk management framework in the context of the FRFI's size, complexity and risk profile.

As an alternative to internal audit, the third line's reviews may be performed by properly qualified external experts. Regardless, these individuals should not be involved in the development or operation of the framework; rather, their role is purely audit focused. It is the third line's responsibility to ensure that recommendations for improvements are appropriately escalated to the FRFI's management, and that an adequate and timely response is returned to address the relevant operational risks.

Identification and assessment of operational risk

OSFI recognises that each FRFI is in the best position to determine which tools are the most appropriate to identify and assess its operational risk, given its nature, size, complexity and risk profile. The guideline provides a description of the following important operational risk management tools that may be used to help the FRFI achieve a robust level of operational risk management:

  • an operational risk taxonomy;
  • risk and control assessments;
  • change management risk and control assessments;
  • internal operational risk event collection and analysis;
  • external operational risk event collection and analysis;
  • risk and performance indicators;
  • business process mapping;
  • scenario analysis and stress testing;
  • quantification/estimation of operational risk (as required by other OSFI guidance); and
  • comparative analysis.


It is OSFI's objective – and in the interest of every FRFI – to minimise operational risk exposure as much as possible. In order to achieve an effective operational risk management environment, the guideline promotes four principles:

  • integration of operational risk management within the FRFI's enterprise-wide risk management programme;
  • the maintenance of an overall risk appetite statement for operational risk;
  • a model of independent review; and
  • adoption of appropriate risk management tools.

According to OSFI, FRFIs have made significant improvements to their operational risk management practices in the last several years. Although this is OSFI's first directive on the subject, the guideline aligns with supervisory expectations already in place across most FRFIs. As a result, the guideline's implementation costs within the insurance industry, and the financial services industry more generally, are expected to be low. Assuming that the guideline is ultimately issued, OSFI expects all FRFIs to implement the guideline fully within a year of its effective date.

For further information on this topic please contact Carol Lyons or Jeremy Rankin at McMillan LLP by telephone (+1 416 865 7000) or email ( or The McMillan LLP website can be accessed at

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.