OSFI Issues Final Operational Risk Management Guideline
The Office of the Superintendent of Financial Institutions (“OSFI”) issued the final version of Guideline E-21 – Operational Risk Management (the “Guideline”) on June 29, 2016. Operational risk is defined by OSFI as “the risk of loss resulting from people, inadequate or failed internal processes and systems, or from external events.” This Guideline applies to all federally regulated financial institutions and is expected to be implemented no later than June 2017.
The Guideline was issued following a consultation process which began in August 2015. In connection with this consultation process, OSFI considered three approaches to evaluating and supervising operational risk management: first, maintaining the status quo (where the relevant guidance was located in various separate guidelines); second, relying on international operational risk guidance (such as the Basel Principles for the Sound Management of Operational Risk); or third, issuing a new consolidated operational risk guideline. The issuance of the Guideline represents OSFI’s endorsement of the third approach, which was preferred to the first option (where guidance was located in various guidelines thus making it difficult to access and leading to inconsistent approaches) and the second option (as international guidance in respect of operational risk varies considerably, particularly with respect to different industry sectors and does not reflect OSFI supervisory expectations). OSFI also recognized that “operational risk is an evolving discipline” and that “there is value in separating operational risk from overall risk management”.
The Guideline uses a principles-based approach to the evaluation and management of operational risk, supporting feedback received during the consultation process that favoured a less prescriptive and more principles-based approach. OSFI recognizes that different financial institutions may have different operational risk management practices depending on their size; ownership structure; nature, scope and complexity of operations; corporate strategy and risk profile. The principles are to be applied with regard to the nature, size, complexity and risk profile of the relevant institution.
In particular, the Guideline sets out the following four principles:
- Principle 1 (Operational Risk Management Framework): Operational risk management should be fully integrated within an institution’s overall risk management program and appropriately documented.
- Principle 2 (Operational Risk Appetite Statement): Operational risk management should serve to support the overall corporate governance structure of the institution. As part of this, institutions should develop and use an operational risk appetite statement. Small, less complex institutions with lower operational risk profiles may use reporting/escalation thresholds for material operational risk events.
- Principle 3 (Three Lines of Defence): Institutions should ensure effective accountability for operational risk management. A “three lines of defence” approach, or appropriately robust structure, should serve to delineate the key practices of operational risk management and provide adequate objective overview and challenge. The first line of defence is the business line responsible for managing the inherent operational risks in its products, activities, processes and systems. The second line of defence is the objective oversight activities that identify, measure, monitor and report operational risk on an enterprise basis. The third line of defence is the internal audit function. How the three lines of defence approach is operationalized in practice and reflected in the organizational structure of an institution will depend on its business model and risk profile.
- Principle 4 (Identification and Assessment of Operational Risk): Institutions should ensure comprehensive identification and assessment of operational risk through the use of appropriate management tools. Maintaining a suite of operational risk management tools provides a mechanism for collecting and communicating relevant operational risk information, both within the institution, and to relevant supervisory authorities.
In addition to these four principles, the Guideline includes in Annex 1 guidance on “emerging sound practices” primarily for larger, more complex institutions. These include possible frameworks for determining responsibilities between the separate lines of defence, with a focus on improvements in operational risk management, rather than on compliance. The Guideline, Annex 1 also sets out examples of prescriptive tools that may be used to manage operational risk (such as operational risk taxonomies, risk and control assessments, change management risk and control assessments, material business process mappings and various types of risk analysis). The Guideline, Annex 2 sets out a reference chart of OSFI guidance referred to in the Guideline.
OSFI is primarily focused on the risk management of the institutions it regulates and wishes to ensure they meet evolving international risk management standards and OSFI’s expectations. The Guideline provides consolidated operational risk management guidance to institutions to help them understand and meet OSFI’s principle-based expectations. As the Guideline aligns with OSFI’s current supervisory expectations, OSFI expects full implementation of the Guideline by the institutions it regulates by June 2017.