Office of the Superintendent of Financial Institutions
The purpose of this implementation note is to provide guidelines and practices for Corporate Governance at institutionsFootnote 1 implementing the Standardized Approach (TSA) or the Advanced Measurement Approach (AMA) for operational risk. It expands on the minimum criteria set out in Chapter 8 of the Capital Adequacy Requirements ("CAR") Guideline.
Institutions that are implementing the Basic Indicator Approach (BIA), and are therefore not subject to OSFI's Operational Risk Assessment ProcessFootnote 2, are encouraged to adopt the key practices set out in this implementation note as appropriate.
This implementation note sets out principle-based requirements and expectations for TSA and AMA institutions.
As part of OSFI's Operational Risk Assessment ProcessFootnote 3, institutions are expected to meet the CAR requirements relevant to the operational risk approach being implemented, i.e., TSA or AMA. Further, on an ongoing basis, institutions will need to demonstrate to OSFI that their corporate governanceFootnote 4, and risk management and control practices related to operational risk are commensurate with the nature, scope, complexity and risk profile of the institution.
The guidance outlined in this document is consistent with OSFI's assessment of the effectiveness of an institution's corporate governance and risk management and control practices as described in OSFI's Supervisory Framework and Corporate Governance Guideline. OSFI will use its reliance-based supervisory approach for assessing the appropriateness and effectiveness of operational risk management and control practices at TSA and AMA institutions, and for assessing their ongoing adherence to minimum requirements.
An institution's operational risk management framework consists of those policies and practices that govern the identification, measurement/assessment, control and monitoring, and reporting of its operational risk.
An institution must ensure that appropriate controls are in place to ensure ongoing adherence to all applicable CAR requirements relative to TSA or AMA, as appropriate.
Senior Management should play an active role in the oversight and management of the operational risk management framework. Senior Management is accountable for the effective implementation of an operational risk management framework that is appropriate to the institution's risk profile.
Senior Management accountabilities include:
Having a clear understanding of the institution's operational risk profile, including the internal and external sources of operational risk to the institution,
Establishing an appropriate tolerance or appetite, which may include a range of qualitative and/or subjective statements, as appropriate, for the types and/or level of operational risk the institution may take on,
Having a clear understanding of the impact of applying the operational risk approach at the institution (i.e. TSA or AMA),
Establishing specific authority, resource, responsibility and reporting to ensure accountabilities for implementation and management of the operational risk management framework,
Overseeing that the operational risk management framework is appropriate to the circumstances of the institution, and is consistently applied across the institution as appropriate and remains effective over time,
Approving the policies, procedures, standards and supporting documentation relating to the operational risk management framework,
Reviewing reports on the status of the institution's operational risk exposures and management activities, including the status of significant operational risk events, and
Ensuring the operational risk management framework, and adherence to it, is subject to regular independent reviews.
Senior Management of AMA institutions is expected to follow certain additional requirements. Senior Management should:
Clearly understand the measurement systems and processes affecting the operational risk management framework and its impact on operational risk capital,
Be satisfied that the measurement systems and processes include the key elements, including the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems,
Satisfy itself and assure the Board that the operational risk management framework and measurement systems are conceptually sound and meet the use test, such that the system is closely integrated with the institution's day-to-day risk management processes, and
Be aware of emerging industry operational risk measurement and management practices.
Please refer to OSFI's Corporate Governance Guideline for OSFI's expectations of institution Boards of Directors in regards to the management of capital and liquidity.
TSA and AMA institutions are expected to have an operational risk management function (ORMF) that is responsible for the enterprise-level design and implementation of the bank's operational risk management framework. In this respect, a function is defined as a specific organizational unit made up of one or more persons dedicated to operational risk management. However, paragraph 39 of Chapter 8 of the CAR guideline recognizes that the size and complexity of TSA institutions may not warrant the existence of a specific organizational unit dedicated to operational risk managementFootnote 5. In larger and more complex institutions, the ORMF may be supported by additional independent organizational units having expertise related to specific operational risk exposures, such as outsourcing and business continuity.
The operational risk management responsibilities include:
Developing strategies to identify, assess/measure, monitor and control/mitigate operational risk,
Establishing and documenting firm-wide policies and procedures relating to the bank's operational risk management framework and management of operational risk exposures, as appropriate,
Ensuring that there is a means to systematically track relevant operational risk data, including material losses,
Designing and implementing a risk-reporting system for operational risk, and
Ensuring that adequate processes and procedures exist to provide appropriate oversight of the institution's operational risk management practices.
In order to ensure compliance, the institution should have a documented set of internal policies, controls and procedures concerning the operational risk management framework that includes policies for the treatment of non-compliance issues and exceptions. The operational risk management functions and business units must be subject to review testing and verification by internal audit (or an equally independent function) to assess the overall effectiveness of their internal controls for its adherence to the operational risk management framework.
In line with paragraph 48(a) of Chapter 8 of the CAR Guideline, an ORMF at AMA institutions must be functionally independent. An AMA ORMF should be able to demonstrate that it can provide independent and objective assessments to Senior Management on the institution's operational risk exposures and the effectiveness of operational risk management practices. Therefore, in addition to the above, AMA ORMFs responsibilities should include:
Designing and implementing the firm's operational risk measurement methodology,
Ensuring that the operational risk measurement processes are closely integrated into the risk management processes of the institution, and
Defining the roles of model development and validation, ensuring there is separation between the two roles.
Effective management of operational risk includes regular and timely reporting to Senior Management and business unit management. The nature and scope of reporting should be appropriate to the needs of the audience receiving the report. The frequency and content of internal operational risk reporting should be reflective of the nature, scope, and complexity of the risk profile of the institution. For example, Senior Management may require information such as trends, levels of exposure and key issues on a regular basis. Conversely, operational management will require detailed information more frequently to effectively manage day-to-day operational risk. Institutions should have practices for taking appropriate action based on the operational risk reporting.
The operational risk reporting should include the following fundamental information:
Operational risk capital charge, as appropriate,
Relevant operational risk data including material losses by business line, and
Results of relevant assessments of business environment factors, risk and control self- assessments or other internal control factors.
Internal Audit (or an equally independent function) is expected to assess the effectiveness of the institution's internal controls over the operational risk management processes and measurement systems intended to ensure adherence to TSA or AMA requirements. The scope and frequency of internal audit reviews should be commensurate with the operational risk within an activity.
Internal Audit activities should include, but not be limited to:
Assessing the effectiveness of the institution's internal controls, including the design elements of internal controls, intended to ensure adherence to TSA or AMA requirements,
Determining scope and frequency of Internal Audit activities in a manner consistent with its audit methodology and principles,
Assessing the adequacy of resources and skills required to perform this audit work, and
Conducting periodic assessments of the effectiveness of the institution's internal controls over the operational risk management processes on an institution-wide basis. These assessments must include both the activities of the business units and of the operational risk management function.
In addition to the above, Internal Audit at AMA institutions should include the following activities:
Banks and bank holding companies to which the Bank Act applies and federally regulated trust or loan companies to which the Trust and Loan Companies Act applies are collectively referred to as "institutions".
Return to footnote 1 referrer
OSFI Implementation Note, "Operational Risk Assessment Process for TSA and AMA Institutions", September 2005
Return to footnote 2 referrer
OSFI Implementation Note, "Operational Risk Assessment Process for TSA and AMA Institutions", December 2005
Return to footnote 3 referrer
Refer to OSFI's Corporate Governance Guideline for additional guidance in this area.
Return to footnote 4 referrer
Institutions should refer to section 8.3.1 of the CAR Guideline for clarification of OSFI's expectations in this regard.
Return to footnote 5 referrer
As per the CAR guideline, external audit reviews of an institution's operational risk assessment system are not mandated by OSFI.
Return to footnote 6 referrer