- Original Supervisory Framework release date: August 1999
- Revision date: December 2010
The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada established in 1987 to contribute to public confidence in, and the safety and soundness of, the Canadian financial system. OSFI supervises and regulates federally registered banks and insurers, trust and loan companies, cooperative credit associations, and fraternal benefit societies, as well as private pension plans subject to federal oversight, and ensures that they are complying with their governing legislation.
When OSFI identifies issues that may impact the stability of the financial system, it reports them to the Financial Institutions Supervisory Committee.
OSFI supervises financial institutions in accordance with its Supervisory Framework, first introduced in 1999 and updated in 2010 in this document. Supervision of pension plans is guided by a similar but separate Framework.
THE SUPERVISORY FRAMEWORK
The Supervisory Framework describes the principles, concepts, and core process that OSFI uses to guide its supervision of federally regulated financial institutions (FRFIs). These principles, concepts, and core process apply to all FRFIs in Canada, irrespective of their size, and accommodate the unique aspects of the deposit-taking, life insurance, and property and casualty insurance sectors.
Supervision involves assessing the safety and soundness of FRFIs, providing feedback as appropriate, and using powers for timely intervention where necessary. Its primary goal is to safeguard depositors and policyholders from loss. As such, the focus of supervisory work is determining the impact of current and potential future events, both internal to a FRFI and from its external environment, on the risk profile of the FRFI.
Since OSFI’s Supervisory Framework was first introduced in 1999, significant developments in the financial services industry have changed the nature of the risks and risk management of financial institutions. For example, product sophistication has increased, globalization has caused risks to become more systemic, and financial institutions have experienced multiple and severe stresses to their solvency and liquidity. Meanwhile, international standards and requirements for supervising financial institutions have also been strengthened.
The updated Supervisory Framework described in this document reflects the enhancements OSFI has made to address these changes, and the experience gained from applying the 1999 Framework over the past ten years. In summary, these enhancements continue to make OSFI’s risk-based supervision as dynamic and forward-looking as possible and help ensure that OSFI can respond effectively to changes in the Canadian and international financial sectors, now and in the future.
The Supervisory Framework is designed to assist OSFI in meeting its statutory obligations set out in the Office of the Superintendent of Financial Institutions Act (OSFI Act) and other governing legislation regarding the supervision of FRFIs. These obligations are broad and overarching, and to meet them in practice requires detailed and consistent standards and criteria for supervising FRFIs.
OSFI has adopted the Basel Committee on Banking Supervision’s “Core Principles for Effective Banking Supervision”, and the International Association of Insurance Supervisors’ “Insurance core principles and methodology” as its sources for detailed supervisory standards and criteria. These methodologies specify international expectations for banking and insurance supervision. OSFI applies these methodologies within the context of its mandate and the nature of the financial services industry in Canada.
The supervision of Canadian financial institutions is conducted on a consolidated basis, which involves an assessment of all of a FRFI’s material entities (including all subsidiaries, branches and joint ventures), both in Canada and internationally. OSFI uses information available from other regulators as appropriate.
OSFI designates a relationship manager (RM) for each FRFI. The RM is responsible for maintaining an up-to-date risk assessment of the FRFI. Specialists and other staff within OSFI help support this work. The RM is the main point of contact for the FRFI.
The supervision of FRFIs is principles-based. It requires the application of sound judgment in identifying and assessing risks, and determining, from a wide variety of supervisory and regulatory options available, the most appropriate method to ensure that the risks that a FRFI faces are adequately managed.
SUPERVISORY INTENSITY AND INTERVENTION
The intensity of supervision will depend on the nature, size, complexity and risk profile of a FRFI, and the potential consequences of the FRFI’s failure. Where there are identified risks or areas of concern, the degree of intervention will be commensurate with the risk assessment, and in accordance with the Guide to Intervention for Federal Financial Institutions.
BOARD AND SENIOR MANAGEMENT ACCOUNTABILITY
A FRFI’s Board of Directors and Senior Management are responsible for the management of the FRFI and ultimately accountable for its safety and soundness and compliance with governing legislation. OSFI’s mandate to supervise includes apprising FRFIs of situations having material risk that it has identified during its work, and recommending or requiring corrective actions to be taken. OSFI also looks to the Board and Senior Management to be proactive in providing OSFI with timely notification of important issues affecting the FRFI.
While OSFI’s supervision will reduce the likelihood that FRFIs will fail, the OSFI Act explicitly recognizes that FRFIs operate in a competitive environment and need to take reasonable risks. As such, FRFIs can experience financial difficulties that could lead to their failure.
RELIANCE ON EXTERNAL AUDITORS
OSFI relies upon FRFIs’ external auditors for the fairness of the financial statements. OSFI’s assessment of a FRFI’s overall financial performance depends upon the FRFI’s audited financial statements.
USE OF THE WORK OF OTHERS
OSFI uses, where appropriate, the work of others to reduce the scope of its supervisory work and minimize duplication of effort. This enhances both OSFI’s efficiency and its effectiveness. For example, as supervisors do not perform audit work, they may use the detailed testing performed by a FRFI’s external auditor and Internal Audit function to help them assess the effectiveness of controls. Similarly, they may use the detailed analysis performed by a FRFI’s Risk Management function to help them assess the effectiveness of the FRFI’s models.
External sources of work that may be of use to OSFI are the FRFI’s external auditor and appointed actuary, as well as the FRFI’s oversight functions, which include the Financial, Compliance, Actuarial, Risk Management, Internal Audit, Senior Management and Board functions. Other useful external sources include rating agencies, industry groups, foreign regulators, consultants, and other domestic and international organizations.
Risk assessment—the fundamental work activity of supervision—is undertaken by following seven key principles.
PRINCIPLE #1 - FOCUS ON MATERIAL RISK
The risk assessment OSFI performs in its supervisory work is focused on identifying material risk to a FRFI, such that there is the potential for loss to depositors or policyholders.
PRINCIPLE #2 - FORWARD-LOOKING, EARLY INTERVENTION
Risk assessment is forward-looking. This view facilitates the early identification of issues or problems, and timely intervention where corrective actions need to be taken, so that there is a greater likelihood of the satisfactory resolution of issues.
PRINCIPLE #3 - SOUND PREDICTIVE JUDGMENT
Risk assessment relies upon sound, predictive judgment. To ensure adequate quality, OSFI management requires that these judgments have a clear, supported rationale.
PRINCIPLE #4 - UNDERSTANDING THE DRIVERS OF RISK
Risk assessment requires understanding the drivers of material risk to a FRFI. This is facilitated by sufficient knowledge of the FRFI’s business model (i.e., products and their design, activities, strategies and risk appetite), as well as the FRFI’s external environment. The understanding of how risks may develop and how severe they may become is important to the early identification of issues at a FRFI.
PRINCIPLE #5 - DIFFERENTIATE INHERENT RISKS AND RISK MANAGEMENT
Risk assessment requires differentiation between the risks inherent to the activities undertaken by the FRFI, and the FRFI’s management of those risks – at both the operational and oversight levels. This differentiation is crucial to establishing expectations for the management of the risks and to determining appropriate corrective action, when needed.
PRINCIPLE #6 - DYNAMIC ADJUSTMENT
Risk assessment is continuous and dynamic in order that changes in risk, arising from both the FRFI and its external environment, are identified early. OSFI’s core supervisory process is flexible, whereby identified changes in risk result in updated priorities for supervisory work.
PRINCIPLE #7 - ASSESSMENT OF THE WHOLE INSTITUTION
The application of the Supervisory Framework culminates in a consolidated assessment of risk to a FRFI. This holistic assessment combines an assessment of earnings and capital in relation to the overall net risk from the FRFI’s significant activities, as well as an assessment of the FRFI’s liquidity, to arrive at this composite view.
PRIMARY RISK ASSESSMENT CONCEPTS
The Supervisory Framework uses many concepts to enable a common approach to risk assessment across FRFIs and over time. The primary concepts are described below.
1. SIGNIFICANT ACTIVITIES
The fundamental risk assessment concept within the Supervisory Framework is that of a significant activity. A significant activity is a line of business, unit or process that is fundamental to the FRFI’s business model and its ability to meet its overall business objectives (i.e., if the activity is not well managed, there is a significant risk to the organization as a whole in terms of meeting its goals).
OSFI identifies significant activities using various sources including the FRFI’s organization charts, strategic business plan, capital allocations, and internal and external reporting. This facilitates a close alignment between OSFI’s assessment of the FRFI and the FRFI’s own organization and management of its risks, and enables OSFI to make use of the FRFI’s information and analysis in its risk assessment.
Judgment is used in selecting significant activities, which may be chosen for quantitative reasons (such as the activity’s percentage of total FRFI assets, revenue, premiums written, net income, allocated capital, or its potential for material losses), and/or qualitative reasons (such as its strategic importance, planned growth, risk, effect on brand value or reputation, or the criticality of an enterprise-wide process).
2. INHERENT RISK
In the Supervisory Framework, the key inherent risks are assessed for each significant activity of a FRFI. The definition of inherent risk is directly related to OSFI’s mandate to protect depositors and policyholders. Inherent risk is the probability of a material loss due to exposure to, and uncertainty arising from, current and potential future events. A material loss is a loss or combination of losses that could impair the adequacy of the capital of a FRFI such that there is the potential for loss to depositors or policyholders.
Inherent risk is intrinsic to a significant activity and is assessed without regard to the size of the activity relative to the size of the FRFI, and before considering the quality of the FRFI’s risk management. A thorough understanding of both the nature of the FRFI’s activities and the environment in which these activities operate is essential to identify and assess inherent risk.
OSFI uses the following six categories to assess inherent risk: credit risk; market risk; insurance risk; operational risk; regulatory compliance risk; and strategic risk. For each significant activity, the key inherent risks are identified and their levels are assessed as low, moderate, above average, or high. The categories and levels of inherent risk are described in more detail in Appendix A.
OSFI does not view reputational risk as a separate category of inherent risk. It is a consequence of each of the six inherent risk categories. Accordingly, it is an important consideration in the assessment of each inherent risk category.
Based on the key inherent risks identified for a significant activity and their levels, supervisors develop expectations for the quality of risk management. The higher the level of inherent risk, the more rigorous the day-to-day controls and oversight expected. State-of-the-art controls are expected where appropriate.
3. QUALITY OF RISK MANAGEMENT
OSFI assesses the quality of risk management (QRM) at two levels of control: operational management and the oversight functions. These are described below.
Operational management for a given significant activity is primarily responsible for the controls used to manage all of the activity’s inherent risks on a day-to-day basis. Operational management ensures that there is a clear understanding by FRFI line staff of the risks that the activity faces and must manage, and that policies, processes, and staff are sufficient and effective in managing these risks. When assessing operational management, OSFI’s primary concern is whether operational management is capable of identifying the potential for material loss that the activity may face, and has in place adequate controls.
In general, the extent to which OSFI needs to review the effectiveness of operational management of a significant activity depends on the effectiveness of the FRFI’s oversight functions (described below). In a FRFI with sufficient and effective oversight functions, it may often be possible for OSFI to assess the effectiveness of operational management for a given activity using the work of the oversight functions. However, this approach does not preclude the need for OSFI to periodically validate that key day-to-day controls are effective.
Oversight functions are responsible for providing independent, enterprise-wide oversight of operational management. There are seven oversight functions that may exist in a FRFI: Financial; Compliance; Actuarial; Risk Management; Internal Audit; Senior Management; and the Board (see Appendix B). The presence and nature of these functions are expected to vary based on the nature, size and complexity of a FRFI and its inherent risks. Where a FRFI lacks some of the oversight functions, they are not sufficiently independent, or they don’t have enterprise-wide responsibility, OSFI expects other functions, within or external to the FRFI, to provide the independent oversight needed.
For each significant activity, OSFI assesses operational management and each of the relevant oversight functions as strong, acceptable, needs improvement, or weak. The appropriate rating is determined by comparing the nature and levels of the FRFI’s controls or oversight to OSFI’s expectations developed when assessing the levels of the key inherent risks.
For each relevant oversight function present in a FRFI, OSFI also determines an overall rating (strong, acceptable, needs improvement, or weak) that reflects the quality of the function’s oversight across the entire FRFI (see Appendix B). OSFI has Assessment Criteria that guide the determination of the overall rating for each oversight function. The assessment includes a determination of the direction of the quality of oversight (improving, stable, or deteriorating).
4. NET RISK
NET RISK IS INHERENT RISK(S) AFTER MITIGATION BY QRM
For each significant activity, the level of net risk is determined based on judgment that considers all of the key inherent risk ratings and relevant QRM ratings for the activity. Net risk is rated low, moderate, above average, or high. Appendix C shows typical net risk ratings for combinations of inherent risk and QRM ratings. The net risk assessment includes a determination of the direction of net risk (decreasing, stable, or increasing).
OSFI expects a FRFI to maintain controls and oversight that are commensurate with the key inherent risks, so that levels of net risk are considered prudent by OSFI. Where levels of net risk are considered imprudent, a FRFI is expected to address the situation by either improving QRM or reducing inherent risk.
5. IMPORTANCE AND OVERALL NET RISK
The importance of the net risk of the significant activity is a judgment of its contribution to the overall risk profile of the FRFI. Importance is rated as low, medium, or high. The significant activities assigned higher importance ratings are the key drivers of the overall risk profile.
The net risks of the significant activities are combined, by considering their relative importance, to arrive at the Overall Net Risk of the FRFI. The Overall Net Risk is an assessment of the potential adverse impact that the significant activities of the FRFI collectively could have on the earnings performance and adequacy of the capital of the FRFI, and hence on the depositors or policyholders. Overall Net Risk is rated as low, moderate, above average, or high, and the direction is assessed as decreasing, stable, or increasing.
6. EARNINGS
Earnings are an important contributor to a FRFI’s long-term viability. Earnings are assessed based on their quality, quantity and consistency as a source of internally-generated capital. The assessment takes into consideration both historical trends and the future outlook, under both normal and stressed conditions. Earnings are assessed in relation to the FRFI’s Overall Net Risk.
Earnings are rated as strong, acceptable, needs improvement, or weak, and their direction is assessed as improving, stable, or deteriorating.
7. CAPITAL
Adequate capital is critical for the overall safety and soundness of FRFIs. Capital is assessed based on the appropriateness of its level and quality, both at present and prospectively, and under both normal and stressed conditions, given the FRFI’s Overall Net Risk. In the case of foreign branches, OSFI considers the adequacy of capital equivalency deposits and vested assets. The effectiveness of the FRFI’s capital management processes for maintaining adequate capital relative to the risks across all of its significant activities is also considered in the assessment. FRFIs with higher Overall Net Risk are expected to maintain a higher level and quality of capital and stronger capital management processes.
Capital is rated as strong, acceptable, needs improvement, or weak, and its direction is assessed as improving, stable, or deteriorating.
8. LIQUIDITY
Adequate balance sheet liquidity is critical for the overall safety and soundness of FRFIs. OSFI assesses liquidity at a FRFI by considering the level of its liquidity risk and the quality of its liquidity management. Liquidity risk arises from a FRFI’s potential inability to purchase or otherwise obtain the necessary funds to meet its on- and off-balance sheet obligations as they come due. The level of liquidity risk depends on the FRFI’s balance sheet composition, its funding sources, its liquidity strategy, and market conditions and events. FRFIs are required to maintain, both at present and prospectively, a level of liquidity risk and liquidity management processes that are prudent, under both normal and stressed conditions.
Liquidity is rated as strong, acceptable, needs improvement, or weak, and the direction is assessed as improving, stable, or deteriorating.
9. THE RISK MATRIX AND COMPOSITE RISK RATING
A Risk Matrix (see Appendix D) is used to record all of the assessments described above. The purpose of the Risk Matrix is to facilitate a holistic risk assessment of a FRFI. This assessment culminates in a Composite Risk Rating (CRR).
The CRR is an assessment of the FRFI’s risk profile, after considering the assessments of its earnings and capital in relation to the Overall Net Risk from its significant activities, and the assessment of its liquidity. The CRR is OSFI’s assessment of the safety and soundness of the FRFI with respect to its depositors and policyholders. The assessment is over a time horizon that is appropriate for the FRFI, given changes occurring internally and in its external environment. Composite Risk is rated low, moderate, above average or high. The assessment is supplemented by the Direction of Composite Risk, which is OSFI’s assessment of the most likely direction in which the CRR may move. The Direction of Composite Risk is rated as decreasing, stable, or increasing.
The CRR of a FRFI is used in determining its stage of intervention, which is described in the Guide to Intervention for Federal Financial Institutions. Appendix E shows the combinations of Composite Risk Ratings and intervention ratings usually assigned.
While the Risk Matrix is a convenient way to summarize OSFI’s conclusions of risk assessment, it is supported by detailed documentation of the analysis and rationale for the conclusions.
THE CORE SUPERVISORY PROCESS
OSFI uses a defined process to guide its FRFI-specific supervisory work: the first step is planning supervisory work; the second is executing supervisory work and updating the risk profile; and the third is reporting and intervention. This process is dynamic, iterative and continuous, as shown below:
Performing supervisory work in this fashion helps keep OSFI’s risk assessments current and future oriented, which is vital to its ongoing effectiveness.
1. PLANNING SUPERVISORY WORK
A supervisory strategy for each FRFI is prepared annually. The supervisory strategy identifies the supervisory work necessary to keep the FRFI’s risk profile current. The intensity of supervisory work depends on the nature, size, complexity and risk profile of the FRFI.
The supervisory strategy outlines the supervisory work planned for the next three years, with a fuller description of work for the upcoming year. The supervisory strategy is the basis for a more detailed annual plan, which indicates the expected work and resource allocations for the upcoming year.
Supervisory work for each significant activity is planned and prioritized after considering the net risk assessment of the activity (including the types and levels of inherent risk, the quality of risk management, and any potential significant changes in these), the need to update OSFI’s information on the activity (due to information decay), and the importance of the activity. Similarly, supervisory work for each relevant oversight function is planned and prioritized after considering the assessment of the quality of its oversight, and the need to update OSFI’s information on the function.
In addition to FRFI-specific planning, OSFI’s planning also includes a process to compare the work effort across FRFIs. This is done to ensure that assessments of risk for individual FRFIs are subject to a broader standard, and that supervisory resources are allocated effectively to higher-risk FRFIs and significant activities.
2. EXECUTING SUPERVISORY WORK AND UPDATING THE RISK PROFILE
There is a continuum of supervisory work that ranges from monitoring (FRFI-specific and external), to limited off-site reviews, to extensive on-site reviews, including testing or sampling where necessary.
Monitoring refers to the regular review of information on the FRFI and its industry and environment, to keep abreast of changes that are occurring or planned in the FRFI and externally, and to identify emerging issues.
FRFI-specific monitoring includes the analysis of the FRFI’s financial results, typically considering its performance by business line and vis-à-vis its peers, and any significant internal developments. It may also extend to gathering information on non-regulated entities which have a significant influence on the FRFI, such as a holding company or foreign parent company. FRFI-specific monitoring usually also includes discussions with the FRFI’s management, including oversight functions.
Given the dynamic environment in which FRFIs operate, OSFI also continuously scans the external environment and industry, gathering information as broadly as possible, to identify emerging issues. Issues include both FRFI-specific and system-wide concerns. OSFI periodically requires FRFIs to perform specific stress tests which OSFI uses to assess the potential impact of changes in the operating environment on individual FRFIs or industries. Environmental scanning and stress testing have increased in importance since the Supervisory Framework was first introduced in 1999; changes in the external environment are a main driver of rapid changes in FRFI risk profiles.
Reviews refer to more extensive supervisory work than monitoring. The nature and scope of information reviewed, and the location of the review (“off-site” at OSFI premises when the scope of the review is limited or “on-site” at the FRFI’s premises when the scope is more extensive), are based on the specific requirements identified in the planning process. When an on-site review is conducted, OSFI may request information from the FRFI in advance. Reviews include discussions with FRFI management, including oversight functions.
In addition to the core supervisory work of monitoring and reviews, OSFI frequently undertakes comparative or benchmarking reviews to identify standard and best industry practices.
As supervisory work is conducted, the RM updates the overall risk profile of the FRFI. The Risk Matrix and supporting documentation detail OSFI’s formal assessment of the FRFI’s business model and associated safety and soundness, both current and prospective. Key documents are subject to sign-off protocols within OSFI.
When there are shifts in the risk assessment of the FRFI, OSFI responds by adjusting work priorities set out in the supervisory strategy and annual plan, as necessary, to ensure that important matters emerging take precedence over items of lesser risk. Such flexibility is vital to OSFI’s ability to meet its legislated mandate.
3. REPORTING AND INTERVENTION
TO THE FRFI
In addition to ongoing discussions with FRFI management, OSFI communicates to FRFIs through various formal, written reports.
Annually, or as appropriate, the RM writes a Supervisory Letter to the FRFI. The Supervisory Letter is the primary written communication to the FRFI. It summarizes OSFI’s key findings and recommendations (and requirements, as necessary) based on the supervisory work that was conducted since the last Supervisory Letter was issued, and discloses or affirms the FRFI’s Composite Risk Rating.
Supervisory Letters to Canadian companies are addressed to the Chief Executive Officer (CEO) and copied to the Chair of the Audit Committee (and Risk Committee, where applicable). Supervisory Letters to Canadian branches of foreign companies are addressed to the Principal Officer or Chief Agent of the branch. Where there are significant issues with a Canadian branch or subsidiary of a foreign company, a copy of the Supervisory Letter is sent to the CEO and the Chair of the Audit Committee at the home office or parent company. In all cases, OSFI requests that a copy of the Supervisory Letter be provided to the external auditor, and to the appointed actuary where applicable.
During the year, OSFI may also issue an Interim Letter to the FRFI so as to provide the FRFI with timely feedback on issues arising from a specific body of supervisory work. The Interim Letter is sent to the appropriate senior manager within the FRFI, and a copy may also be provided to other individuals within the FRFI, if warranted.
With both types of letters, findings and recommendations are discussed with the FRFI before the letter is issued. A letter is generally issued within 45 calendar days of the completion of a review. The FRFI is typically asked to provide a response within 30 calendar days. OSFI analyzes the FRFI’s response for appropriateness, and follows up on the FRFI’s actions on a timely basis.
Both types of letters remind FRFIs that applicable Supervisory Information Regulations prohibit them from disclosing, directly or indirectly, prescribed supervisory information, including Supervisory Letters, except as provided for in the regulations.
TO OTHER CANADIAN AND FOREIGN REGULATORS
OSFI shares its letters with the Canada Deposit Insurance Corporation (CDIC) and provincial regulators with whom it has agency agreements. Reporting to these parties is in accordance with their respective agreements.
In accordance with the OSFI Act, OSFI is also permitted to share information pertaining to compliance with Part 1 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
In addition, OSFI shares information, as appropriate, with foreign regulators with which it has a home-host relationship and a Memorandum of Understanding. Such information-sharing may take place when OSFI hosts or attends supervisory colleges.
In all cases, the confidentiality of information is respected.
FINANCIAL INSTITUTIONS SUPERVISORY COMMITTEE (“FISC”) AND SENIOR ADVISORY COMMITTEE (“SAC”)
As part of its ongoing supervisory work, OSFI monitors FRFIs and also scans the financial system in which they operate. In doing so, OSFI is able to identify issues that may impact the stability of the financial system. Where OSFI identifies such issues, it reports them to FISC and/or SAC, as appropriate, for further discussion and the determination of any necessary actions.
Information received from FISC and SAC members according to their unique mandates also, in turn, informs OSFI’s environmental scanning and identification of broad issues that may impact specific FRFIs.
TO THE MINISTER OF FINANCE
OSFI reports annually to the Minister of Finance on the safety and soundness of FRFIs and their compliance with the governing legislation.
APPENDIX A – INHERENT RISK CATEGORIES AND RATINGS
CREDIT RISK
Credit risk arises from a counterparty’s potential inability or unwillingness to fully meet its on- and/or off-balance sheet contractual obligations. Exposure to this risk occurs any time funds are extended, committed, or invested through actual or implied contractual agreements.
Components of credit risk include: loan loss/principal risk, pre-settlement/replacement risk and settlement risk.
Counterparties include: issuers, debtors, borrowers, brokers, policyholders, reinsurers and guarantors.
MARKET RISK
Market risk arises from potential changes in market rates, prices or liquidity in various markets such as for interest rates, credit, foreign exchange, equities, and commodities. Exposure to this risk results from trading, investment, and other business activities which create on- and off-balance sheet positions.
Positions include: traded instruments, investments, net open (on- and off-) balance sheet positions, assets and liabilities, and can be either cash or derivative (linear or options-related).
INSURANCE RISK
Insurance risk arises from the potential for claims or payouts to be made to policyholders or beneficiaries. Exposure to this risk results from adverse events occurring under specified perils and conditions covered by the terms of an insurance policy. Typical insured perils include: accident, injury, liability, catastrophe, mortality, longevity, and morbidity.
Insurance risk includes uncertainties around:
- the ultimate amount of net cash flows from premiums, commissions, claims, payouts, and related settlement expenses,
- the timing of the receipt and payment of these cash flows, and
- policyholder behaviour (e.g., lapses).
Although the business of insurance contributes to the investment portfolio of an insurer, actual or imputed investment returns are not elements of insurance risk.
OPERATIONAL RISK
Operational risk arises from potential problems due to inadequate or failed internal processes, people and systems, or from external events. Operational risk includes legal risk, i.e., exposure to potentially unfavourable legal proceedings. Exposure to operational risk results from either normal day-to-day operations (such as deficiencies or breakdowns in respect of transaction processing, fraud, physical security, money laundering and terrorist financing, data/information security, information technology systems, modelling, outsourcing, etc.) or a specific, unanticipated event (such as Enron-like litigation, court interpretations of a contract liability, natural disasters, loss of a key person, etc.).
REGULATORY COMPLIANCE RISK
Regulatory compliance risk arises from a FRFI’s potential non-conformance with laws, rules, regulations, prescribed practices, or ethical standards in any jurisdiction in which it operates.
STRATEGIC RISK
Strategic risk arises from a FRFI’s potential inability to implement appropriate business plans and strategies, make decisions, allocate resources, or adapt to changes in its business environment.
INHERENT RISK RATINGS
A material loss is a loss or combination of losses that could impair the adequacy of the capital of a FRFI such that there is the potential for loss to depositors or policyholders.
Low inherent risk exists when there is a lower than average probability of a material loss due to exposure to, and uncertainty arising from, current and potential future events.
Moderate inherent risk exists when there is an average probability of a material loss due to exposure to, and uncertainty arising from, current and potential future events.
Above average inherent risk exists when there is an above average probability of a material loss due to exposure to, and uncertainty arising from, current and potential future events.
High inherent risk exists when there is a higher than above average probability of a material loss due to exposure to, and uncertainty arising from, current and potential future events.
APPENDIX B – QUALITY OF RISK MANAGEMENT CATEGORIES AND OVERALL RATINGS
Operational management is responsible for planning, directing and controlling the day-to-day operations of a significant activity of a FRFI.
Financial is an independent function responsible for ensuring the timely and accurate reporting and in-depth analysis of the operational results of a FRFI in order to support decision-making by Senior Management and the Board. Its responsibilities include:
- providing financial analysis of the FRFI’s and business line/unit performance and the major business cases to Senior Management and the Board, highlighting matters requiring their attention; and
- ensuring an effective financial reporting and management information system.
THE PRESENCE AND NATURE OF OVERSIGHT FUNCTIONS ARE EXPECTED TO VARY BASED ON THE NATURE, SIZE AND COMPLEXITY OF A FRFI AND ITS INHERENT RISKS.
Compliance (including the Chief Anti-Money Laundering Officer) is an independent function with the following responsibilities:
- setting the policies and procedures for adherence to regulatory requirements in all jurisdictions where the FRFI operates;
- monitoring the FRFI’s compliance with these policies and procedures; and
- reporting on compliance matters to Senior Management and the Board.
Actuarial is an independent function, applicable only to FRFIs with insurance business, with responsibilities beyond the legal requirements of the appointed actuary that could include the following:
- evaluating the design, pricing and valuation of the insurance products offered by the FRFI;
- assessing the reasonableness of provisions set for policy liabilities, and the appropriateness of the process followed;
- reviewing models used to determine exposures, and the adequacy of reinsurance programs to mitigate these exposures;
- analyzing stress testing results, and the process used, to establish the adequacy of capital and capital planning for the FRFI under adverse conditions; and
- reporting on the results of its work to Senior Management and the Board.
Risk Management is an independent function responsible for the identification, assessment, monitoring, and reporting of risks arising from the FRFI’s operations. Its responsibilities typically include:
- identifying enterprise-wide risks;
- developing systems or models for measuring risk;
- establishing policies and procedures to manage risks;
- developing risk metrics (e.g., stress tests) and associated tolerance limits;
- monitoring positions against approved risk tolerance limits and capital levels; and
- reporting results of risk monitoring to Senior Management and the Board.
Internal Audit is an independent function with responsibilities that include:
- assessing adherence to, and the effectiveness of, operational controls and oversight, including corporate governance processes; and
- reporting on the results of its work on a regular basis to Senior Management and directly to the Board.
Senior Management is responsible for directing and overseeing the effective management of the general operations of the FRFI. Its key responsibilities include:
- developing, for Board approval, the business model and associated objectives, strategies, plans, organizational structure and controls, and policies;
- developing and promoting (in conjunction with the Board) sound corporate governance practices, culture and ethics, which includes aligning employee compensation with the longer-term interests of the FRFI;
- executing and monitoring the achievement of Board-approved business objectives, strategies, and plans and the effectiveness of organizational structure and controls; and
- ensuring that the Board is kept well informed.
The Board is responsible for providing stewardship and oversight of management and operations of the entire FRFI. Its key responsibilities include:
- guiding, reviewing and approving the business model and associated objectives, strategies and plans;
- reviewing and approving corporate risk policy including overall risk appetite and tolerance;
- ensuring that Senior Management is qualified and competent;
- reviewing and approving organizational and procedural controls;
- ensuring that principal risks are identified and appropriately managed;
- ensuring that compensation for employees, Senior Management and the Board is aligned with the longer term interests of the FRFI;
- reviewing and approving policies for major activities; and
- providing for an independent assessment of management controls.
Strong: The characteristics (e.g., mandate, organization structure, resources, methodologies, practices) of the function exceed what is considered necessary, given the nature, scope, complexity, and risk profile of the FRFI. The function has consistently demonstrated highly effective performance. The function’s characteristics and performance are superior to sound industry practices.
Acceptable: The characteristics (e.g., mandate, organization structure, resources, methodologies, practices) of the function meet what is considered necessary, given the nature, scope, complexity, and risk profile of the FRFI. The function’s performance has been effective. The function’s characteristics and performance meet sound industry practices.
Needs Improvement: The characteristics (e.g., mandate, organization structure, resources, methodologies, practices) of the function generally meet what is considered necessary, given the nature, scope, complexity, and risk profile of the FRFI, but there are some significant areas that require improvement. The function’s performance has generally been effective, but there are some significant areas where effectiveness needs to be improved. The areas needing improvement are not serious enough to cause prudential concerns if addressed in a timely manner. The function’s characteristics and/or performance do not consistently meet sound industry practices.
Weak: The characteristics (e.g., mandate, organization structure, resources, methodologies, practices) of the function are not, in a material way, what is considered necessary, given the nature, scope, complexity, and risk profile of the FRFI. The function’s performance has demonstrated serious instances where effectiveness needs to be improved through immediate action. The function’s characteristics and/or performance often do not meet sound industry practices.
APPENDIX C – TYPICAL NET RISK RATINGS
The chart (not reproduced here) shows typical net risk ratings for combinations of inherent risk and QRM ratings. Its rows are the Aggregate Quality of Risk Management for a Significant Activity, its columns the Level of Inherent Risk for a Significant Activity, and each cell gives the resulting Net Risk Assessment.
APPENDIX D – RISK MATRIX
[Risk matrix not reproduced here. Recoverable column headings: Quality of Risk Management; Direction of Risk.]
APPENDIX E – ALIGNMENT BETWEEN COMPOSITE RISK RATINGS AND INTERVENTION RATINGS
The table (not reproduced here) aligns each Composite Risk Rating with an intervention rating. Intervention ratings shown in the table:
- 1 Early warning
- 2 Risk to financial viability or solvency
- 3 Future financial viability in serious doubt
- 4 Non-viable/insolvency imminent