Risk Management

ASSESSMENT CRITERIA (Footnote 1)

ROLE OF RISK MANAGEMENT

The Risk Management function provides independent oversight of the management of risks inherent in the institution’s activities. The function is responsible for ensuring that effective processes are in place for:

  • Identifying current and emerging risks;

  • Developing risk assessment and measurement systems;

  • Establishing policies, practices and other control mechanisms to manage risks;

  • Developing risk limits for Senior Management and Board approval;

  • Monitoring positions against approved risk limits; and

  • Reporting results of risk monitoring to Senior Management and, as appropriate, the Board.

QUALITY OF RISK MANAGEMENT OVERSIGHT

The following statements describe the rating categories for the assessment of the Risk Management function.

An overall rating of the Risk Management function considers both the appropriateness of its characteristics and the effectiveness of its performance in executing its mandate, in the context of the nature, scope, complexity, and risk profile of the institution. Characteristics and examples of performance indicators that guide supervisory judgement in determining an appropriate overall rating are set out below.

Strong

The characteristics of the Risk Management function meet or exceed supervisory expectations of what is considered necessary, given the nature, scope, complexity, and risk profile of the institution. Risk Management has consistently demonstrated highly effective performance.

Acceptable

The characteristics of the Risk Management function meet supervisory expectations given the nature, scope, complexity, and risk profile of the institution. Risk Management performance has been effective. Risk Management characteristics and performance meet supervisory expectations.

Needs Improvement

The characteristics of the Risk Management function generally meet what is considered necessary, given the nature, scope, complexity, and risk profile of the institution, but there are some significant areas that require improvement and may affect effectiveness in the future or under adverse conditions. Risk Management performance has generally been effective, but there are some significant areas where effectiveness needs to be improved. The areas needing improvement are not serious enough to cause prudential concerns if addressed in a timely manner. The function’s characteristics and/or performance do not consistently meet supervisory expectations.

Weak

The characteristics of the Risk Management function are not, in a material way, what is considered necessary, given the nature, scope, complexity, and risk profile of the institution and may affect effectiveness in the future or under adverse conditions. Risk Management performance has demonstrated serious instances where effectiveness needs to be improved through immediate action. Risk Management characteristics and/or performance often do not meet supervisory expectations.

RISK MANAGEMENT CHARACTERISTICS (Footnote 2)

The following criteria describe the characteristics OSFI uses in assessing the quality of the Risk Management function’s oversight of the management of the institution’s activities and related risks, with due consideration to the institution’s safety and soundness. The application and weighting of the individual criteria will depend on the nature, scope, complexity, and risk profile of the institution and will be assessed collectively, together with Risk Management performance, in rating its overall effectiveness.

Essential Elements Criteria

1. Mandate

1.1 Extent to which the function’s mandate establishes:

  1. Clear objectives and enterprise-wide authority for its activities;

  2. Authority to oversee effectiveness and consistency of operating units’ risk practices;

  3. Authority to carry out its responsibilities independently;

  4. Right of access to the institution’s records, information and personnel;

  5. A requirement to report regularly on the effectiveness of the institution’s risk management processes and on its aggregate exposures compared to approved limits; and

  6. Authority to follow up on action taken by management in response to identified issues and related recommendations.

1.2 Extent to which the function’s mandate is communicated within the institution.

2. Organization Structure

2.1 Appropriateness of the stature and authority of the function head within the organization for the function to be effective in fulfilling its mandate.

2.2 Extent to which the function head has direct access to the CEO, Senior Management and the Board (or a Board committee).

2.3 Appropriateness of the function’s organizational structure based on the nature, size, complexity, and risk profile of the institution.

2.4 Extent to which the function is independent of day-to-day management of risks and is not involved in revenue-generating activities or the management or financial performance of a line of business or product line.

3. Resources

3.1 Adequacy of the function’s processes to determine the required:

  1. Level of resources necessary to carry out responsibilities and in response to changes in the institution’s business activities and strategies, as well as its operating environment;

  2. Qualifications and competencies of staff; and

  3. Continuing professional development programs to enhance staff competencies.

3.2 Adequacy of the function’s resources and appropriateness of its collective qualifications and competencies for carrying out its mandate.

3.3 Sufficiency of staff development programs.

4. Methodology and Practices

4.1 Adequacy of the processes to regularly review and update risk management policies, processes and limits to take into account changes in the industry and in the risk appetite of the institution.

4.2 Appropriateness of risk management policies, practices, and limits given the institution’s activities and related risks.

4.3 Extent to which risk management policies and practices are co-ordinated with strategic, capital and liquidity management policies and practices.

4.4 Extent to which risk management policies, practices and limits are documented, communicated and integrated with the institution’s day-to-day business activities.

4.5 Adequacy of policies and practices to monitor positions against approved limits and for timely follow-up on material variances.

4.6 Adequacy of policies and practices to monitor trends and identify emerging risks, and to respond effectively to unexpected significant events.

4.7 Adequacy of policies and practices to model and measure the institution’s risks.

5. Reporting

5.1 Adequacy of policies and practices to report identified issues along with recommendations to management of business units and, as appropriate, Senior Management and the Board.

5.2 Adequacy of policies and practices to monitor and follow up on the resolution of the identified issues.

6. Internal Audit Oversight

6.1 Extent to which Internal Audit’s program includes reviews of the Risk function and its key controls, Internal Audit has appropriate resources to carry out the reviews, and the scope and frequency of its reviews are sufficient to assess the effectiveness of the Risk function.

6.2 Adequacy of Internal Audit’s communication of its recommendations and follow-up with respect to the Risk function.

7. Senior Management Oversight

7.1 Adequacy of policies and practices for Senior Management to support the Board (or Board Committee) on the:

  1. Appointment and/or removal, performance review, compensation and succession plan of the function head;

  2. Function’s mandate, budget and resources (staffing and skill sets); and

  3. Function’s annual work plan including any material changes to that plan.

7.2 Adequacy of policies and practices to assess the effectiveness of the function, including communicating results to Senior Management and, as appropriate, the Board (or a Board committee).

7.3 Adequacy of policies and practices to report periodically to Senior Management on issues and recommendations with escalation to the Board, as appropriate.

7.4 Adequacy of the processes related to talent development and succession planning for function key roles.

7.5 Adequacy of the policies and practices to ensure that the Risk Appetite Framework remains appropriate relative to the risk profile of the institution, its strategic plan and its operating environment.

8. Board (and Board Committee) Oversight

8.1 Adequacy of policies and practices for the Board (or Board Committee) to approve:

  1. The appointment, performance review, compensation and succession plan of the head of the oversight function;

  2. The function’s mandate, budget and resources (staffing and skill sets); and

  3. The function’s annual work plan including any material changes to that plan.

8.2 Extent to which the Board (or Board Committee) receives periodic reporting on trends or pervasive risk impacting the organization.

8.3 Extent to which the Board (or Board Committee) demonstrates an ability to act independently of Senior Management through practices such as regularly scheduled Board (or Board Committee) meetings that include sessions without Senior Management present.

9. Relationship with Other Oversight Functions

9.1 Adequacy of the formal integration of the Risk function’s role and defined responsibility with other oversight functions as appropriate.

RISK MANAGEMENT PERFORMANCE

The quality of the Risk Management function’s performance is demonstrated by its effectiveness in overseeing the identification and management of risks, with due regard to the institution’s safety and soundness.

OSFI’s assessment will consider the effectiveness with which the Risk Management function anticipates, identifies and measures risks in a dynamic operating environment and oversees management of those risks within the limits established by the Board. OSFI will look to indicators of effective Risk Management performance to guide its judgement in the course of its supervisory activities. These activities may include:

  1. discussions with directors and management, including the Chief Risk Officer;

  2. assessment of the Risk Management function’s oversight practices and how particular issues, such as breaches in approved limits, are dealt with;

  3. review of risk management reports and reports of independent assessments of the function;

  4. review of Board or risk management committee minutes, etc.

Examples of indicators that OSFI may use to guide its supervisory judgement include the extent to which the Risk Management function:

  1. Proactively updates its policies, practices and limits in response to changes in the industry and in the institution’s strategy, business activities and risk limits;

  2. Integrates its policies, practices and limits with day-to-day business activities and with the institution’s strategic, capital and liquidity management policies;

  3. Models and measures inherent risks and actively participates in the development of new initiatives to ensure processes are in place to appropriately identify and mitigate risks prior to implementation;

  4. Monitors risk positions against approved limits and ensures that material breaches are addressed on a timely basis;

  5. Provides timely, accurate and relevant reporting which allows the Board to understand the institution’s exposures relative to the institution’s risk appetite and limits, and the processes in place to identify, measure and monitor risks, and which highlights exceptions to risk policies;

  6. Uses risk measurement and monitoring tools that are sensitive enough to provide early warning indicators of adverse trends and conditions; proactively analyzes these trends and conditions; and follows up to ensure that they are addressed on a timely basis;

  7. Proactively assesses and provides objective challenge to the institution’s risk-taking activities, policies and practices;

  8. Proactively and effectively addresses risk management issues identified as a result of internal or external events, or by other control functions; and

  9. Provides regular, comprehensive reports, independently of the business areas being reported upon, on the effectiveness of the institution’s risk management processes and ensures that significant issues are escalated to Senior Management and the Board on a timely basis.

Footnotes

Footnote 1

The Assessment Criteria should be read in conjunction with OSFI’s Supervisory Framework.

Footnote 2

Examples of documentation that OSFI may review in formulating its assessment of the characteristics of the Risk Management function include organizational charts, mandates, job descriptions, core competencies and personnel profiles; risk management policies, authorities and limits; systems documentation and testing; new product and initiative framework; and reports prepared for Senior Management and the Board (or a Board committee).
