Office of the Superintendent of Financial Institutions
This document elaborates on some of the requirements for the internal
ratings-based (IRB) approach contained in Chapter 6 of OSFI’s Capital
Adequacy Requirement (CAR) Guideline. It outlines key principles for IRB institutions. Adherence to these principles will be an important consideration in OSFI’s initial approval of institutions (Footnote 1) for IRB and ongoing use of the IRB approach.
Institutions planning to use the IRB approach will need to demonstrate to
OSFI that their corporate governance (Footnote 2), internal controls, and
use of risk ratings are sufficiently advanced and sophisticated to be
commensurate with the nature, scope, complexity and risk profile of the
institution. In addition, the minimum requirements outlined in Chapter 6
of the CAR Guideline require institutions to ensure that their overall
credit risk management practices are consistent with the evolving sound
practice guidelines issued by the Basel Committee on Banking Supervision
and relevant national supervisors (i.e., OSFI).
The practices outlined in this document are consistent with OSFI’s
assessment of the effectiveness of an institution’s corporate governance
and risk management and control practices as described in OSFI’s Supervisory
Framework, and Corporate
Governance Guideline. OSFI will use its
reliance-based supervisory approach for assessing the appropriateness and
effectiveness of risk management and control practices at IRB
institutions, and for assessing their ongoing adherence to minimum
Governance activities include setting business strategy and objectives,
determining risk appetite, setting capital management strategy,
establishing culture and values, developing internal policies, and
monitoring performance. These activities need to be included in an
effective corporate governance framework that observes principles of
strong Senior Management oversight, effective credit risk
management and models oversight, appropriate controls to ensure adherence
to all applicable IRB minimum requirements, and effective reviews by
Internal Audit or an equally independent function.
An institution’s Senior Management should ensure that rigor and discipline are incorporated into the institution’s risk management policies, operational controls and reporting processes with respect to credit risk. Senior Management should approve all material aspects of the institution’s risk rating and estimation processes.
The use of an IRB institution’s internal loss estimates for regulatory capital purposes will mean that it will be critically important for Senior Management and Credit Risk Management to be proactive, thorough, and timely in carrying out their respective responsibilities relative to IRB minimum requirements.
Senior Management needs to ensure that Credit Risk Management is well positioned to carry out the Basel framework oversight, both at initial approval and post-approval. Credit Risk Management is expected to incorporate the IRB minimum requirements in mandates and accountabilities, risk management processes, and model review activities, where appropriate. Senior Management, Internal Audit, and other control functions should assess the effectiveness of the institution’s internal controls, including those related to rating systems, and whether the institution’s operations to satisfy IRB minimum requirements and results are reliably reported. Senior Management will need to ensure that Credit Risk Management and Internal Audit have adequate resources and skills to carry out the new Basel framework-related work.
In order to qualify for and maintain IRB status, an institution should
Senior Management has gained the appropriate level of understanding of the new Basel framework and, in particular, IRB concepts, the institution’s risk rating system, and associated management reports. Mechanisms to gain the appropriate level of understanding of IRB concepts include awareness sessions and meetings/discussions between Senior Management, Risk Management and Internal Audit. These mechanisms allow Senior Management to review the scope of the work to be carried out by Credit Risk Management and Internal Audit for IRB purposes.
Senior Management is aware of the impact of the Basel
framework on the institution’s existing processes of quantification,
assessment, monitoring and control/mitigation of credit risk.
Senior Management fully understands the critically
important role that the use of rating systems plays in meeting the IRB
minimum requirements, including the requirement that they receive, on an
ongoing basis, periodic reports on whether internal rating systems are
application and approval of policy changes or exceptions should be in
The institution’s risk management policies include accountabilities for
the development, implementation and ongoing maintenance of and adherence
to practices to meet IRB requirements.
Senior Management receives appropriate representations in
order to fulfil their responsibilities relating to IRB approval.
In addition, Senior Management should ensure that:
the various components of the IRB framework fit together seamlessly and
are being appropriately operationalized;
incentives to make the system rigorous extend across line, Risk
Management and other oversight/control groups; and
rating systems provide accurate and consistent internal loss estimates
across a range of economic conditions.
Senior Management should take an active role, articulating its
expectations for the technical and operational aspects of the rating
system and the controls governing this process. Consequently, Senior
Management should possess or develop a sound understanding of the design
and operation of the rating system, and understand how the institution’s
credit policies, underwriting standards, lending practices, and collection
and recovery practices affect internal loss estimates. In addition to
overseeing the control processes, Senior Management should regularly
interact with risk managers and those responsible for validating the
performance of the rating system to discuss the performance of the rating
process, areas needing improvement, and the status of efforts to improve
previously identified deficiencies.
Senior Management should satisfy itself that the institution meets the use
test, such that internal ratings are engrained into the risk management
culture and practices of the institution. Internal ratings and estimates
of default and loss should be an integral part of credit approval, risk
management, internal capital allocation and corporate governance functions
of institutions using the IRB approach.
A well-designed rating system plays an important role in institution decision-making and monitoring processes for a number of important activities, including containing the risk profile within the Risk Appetite Framework (Footnote 3), reserving, portfolio management, performance management, economic capital modelling and management, and regulatory capital management. The use of internal ratings and estimates purely for purposes of regulatory capital reporting, and not for decision-making and monitoring, is not acceptable to OSFI both at initial approval and on an ongoing basis.
For a more fulsome discussion of the ‘use’ test, please refer to the OSFI
Implementation Note, The Use of Ratings and Estimates of Default and
Loss at IRB Institutions.
Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations of institution Boards of Directors with regard to the management of capital and liquidity.
Management reporting to Senior Management should be timely
The depth and frequency of information provided to Senior Management should be commensurate with their oversight responsibilities, the significance and type of information being reported, and the condition of the institution. Information provided should be sufficiently detailed to assess the continuing appropriateness of the institution’s rating approach, the adequacy of the controls around the rating system, and the status of adherence to minimum IRB requirements.
As outlined in the IRB minimum requirements in Chapter 6 of the CAR Guideline, an institution’s credit risk control units, or some other function that is equally independent from origination, are expected to report regularly (at least annually) to Senior Management on the effectiveness of the institution’s rating system.
Risk Management’s reports to Senior Management should include key information and analyses derived from an institution’s rating system for both retail and non-retail exposures, as outlined in the IRB minimum requirements. Such reporting should be at the appropriate level of summary detail for Senior Management. The following fundamental information should be included in the reports:
Reports should also incorporate results of ongoing activities related to
testing the effectiveness of ratings systems, such as:
Results of Internal Audit reviews related to rating systems and processes
should be provided to Senior Management in a timely manner.
Material findings should be escalated promptly, as appropriate.
The institution should have a system of robust credit risk control
mechanisms that govern the implementation, use and maintenance of risk
ratings systems and credit risk management practices.
Institutions should have independent credit risk control units, for
non-retail and retail exposures, that are responsible for the design or
selection, implementation and performance of their internal rating
systems. The unit(s) should be functionally independent from the personnel
and management functions responsible for originating exposures.
Standards for credit risk management should be established and be
appropriate for each credit risk portfolio. These standards should also be
aligned on an enterprise-wide basis, providing consistency and the overall
objective of soundness of risk management and measurement.
All credit risk exposures should be rated within the institution’s rating
Chapter 6 of the CAR Guideline states that for corporate, sovereign and bank exposures, each borrower, including each separate legal entity and all recognized guarantors, should be assigned a borrower rating and that each exposure should be associated with a facility rating, as part of the loan approval process.
As part of the IRB approval process, and on an ongoing basis, institutions
will be required to satisfy OSFI that:
Processes have been operationalized to capture and track the rating
information throughout the credit origination, approval, and management
processes. This tracking should be evident in credit applications,
collateral management systems, rating models, and the institution’s
management information systems.
Rating systems are able to aggregate connected borrowers for non-retail
exposures. The institution’s definition of what constitutes a connected
exposure should be clearly detailed in policies, providing clear
examples of what constitutes a connection, or not.
Implementation and practices in use at the institution are in line with
the institution’s rating system policies and practices that adhere to
IRB minimum requirements.
Institutions should be able to demonstrate the integrity of rating
assignments with clear accountabilities assigned to ensure independence.
The rating assignments and periodic rating reviews should be completed or
approved by a party that does not directly stand to benefit from the
extension of credit.
Institutions can achieve objective risk ratings through use of an
independent rating approval process, i.e., one in which the parties
responsible for approving ratings and transactions are separate from the
transaction originators. Institutions with a less independent rating
process should compensate by strengthening other control and oversight
mechanisms. A significant factor in the evaluation of the integrity of the
rating assignments will be an assessment of the degree of independence and
the strength of the compensating controls.
Responsibility for recommending and approving ratings varies by
institution and, quite often, by portfolio. At some institutions, ratings
are assigned and approved by relationship managers and/or deal teams. Most
institutions have independent credit officers assign and/or approve
ratings. Institutions that delegate rating responsibility to relationship
managers or deal teams need to ensure that rigorous controls exist to
prevent bias from affecting the rating assignment process. Roles and
responsibilities of rating assignors should be clearly documented, in line
with the objectives in the institution’s rating assignment practices.
Institution policies should articulate who bears ultimate responsibility
for rating accuracy and rating system performance. Individuals involved in
rating assignment, parameter estimation, and rating system oversight
should be held accountable for complying with rating system policies and
ensuring that aspects of the rating system within their control are
unbiased and as appropriate as possible. For accountability to be
effective, it should be both observable and reinforced. These individuals
should have the tools and resources necessary to carry out their
With regard to the integrity of rating processes, documented policies and
procedures should address the following questions:
Who (i.e., oversight functions, line roles, such as the relationship
manager or portfolio manager, etc.) will propose or recommend both
borrower and facility ratings, initially and for the purposes of
Who has authority to confirm or approve risk ratings (typically an
independent function such as Risk Management)?
Who is responsible for the verification of rating inputs?
Who has the authority to approve exceptions and under what
Who has the authority to update rating changes in the system and how and
when will these be effected?
What are the processes to ensure that initial rating assignments and any
subsequent rating changes are captured in the institution’s data
What are the controls to verify that processes are being followed?
What are the processes to ensure the findings and recommendations
resulting from Internal Audit’s periodic reviews of the rating process
are promptly addressed?
Third parties should be able to observe and understand rating systems’
goals, characteristics and components.
Transparency refers to the ability of third parties, such as auditors or
bank supervisors, to observe and understand a rating system’s goals and
the distinguishing characteristics of individual rating grades. The rating
definitions should be clear and detailed enough to allow third parties to
understand the assignment of ratings, to replicate rating assignments, and
to evaluate the appropriateness of the grade/pool assignment.
IRB institutions should have transparency in both the overall rating
system and the individual ratings. Absent this principle, the roles,
responsibilities and accountabilities of individuals and groups in the
business units or oversight functions would be vague, and a comprehensive
validation of the rating system’s performance would be difficult.
Transparency requires documentation that captures the following key areas:
When an institution uses a model to assign risk ratings or develop risk
estimates, the model itself may not be transparent without a great deal of
effort to document how the model functions. Consequently, in preparation
for IRB qualification, and on an ongoing basis, institutions will be
required to satisfy OSFI that:
Policies clearly define what constitutes a “model”.
The institution has a mechanism to maintain an up-to-date inventory of
The accountabilities of groups responsible for the use, development,
validation, and vetting (Footnote 5) of models, which may include line or other
business units, Credit Risk Management or Internal Audit, are clearly
There is a clear distinction between those individuals responsible for
model development and those responsible for model validation and
vetting. In general, OSFI believes that model development should be in a
separate and distinct group from model validation and vetting. However,
OSFI recognises that, in some limited circumstances, the same group may
perform these activities. Where this occurs, the onus will be on Risk
Management to demonstrate how this arrangement provides an effective
challenge to model development.
Internal Audit has opined on the effectiveness of the model vetting and
validation process, including the comprehensiveness of the work and the
expertise of those responsible for model vetting and validation.
For a more fulsome discussion of the validation of rating systems, please
refer to the OSFI Implementation Note, Validating Risk Rating Systems
at IRB Institutions.
OSFI expects Internal Audit, or an equally independent function, to review
the effectiveness of the institution’s internal controls that are intended
to ensure adherence to all applicable IRB minimum requirements, including
the design elements of internal controls.
Chapter 6 of the CAR Guideline states that Internal Audit, or an equally independent function, should review, at least annually, an institution’s rating system and its operations. Areas of review include adherence to all applicable IRB minimum requirements. Internal Audit should document its findings.
Internal Audit should confirm that an institution’s system of controls
over rating systems and their internal estimates are effective. As part of
its review of control mechanisms, Internal Audit will evaluate the depth,
scope, and quality of credit risk control’s work and will conduct
sufficient testing to ensure that their conclusions are well founded. The
level of testing will depend on whether Internal Audit is the primary or
secondary independent reviewer of that work and the extent of independence
of the other reviewer.
Internal Audit is expected to play a critical role in reporting to Senior Management with respect to the effectiveness of an institution’s internal controls designed to ensure adherence to all IRB minimum requirements. This report will contribute to Senior Management’s ability to fulfil their responsibilities with respect to IRB requirements. Results of Internal Audit reviews related to rating systems and processes should be provided to Senior Management in a timely manner. Material findings should be escalated promptly, as appropriate.
In preparation for IRB approval, Internal Audit activities should include,
but not be limited to:
a review of processes with respect to the initial mapping exercise of
the IRB minimum requirements to the audit programs;
a review of the detailed two- or three-year audit plan that would
indicate the activities that would be reviewed annually and the
activities that would be covered on some pre-determined cycle in order
to assess the adherence to IRB minimum requirements;
a review of the audit scope and assessment of the design and
effectiveness of the internal controls intended to ensure adherence to
all IRB minimum requirements;
a review of reports related to the credit risk control units charged
with the responsibility for the design, selection, implementation and
validation of the institution’s rating systems. Internal Audit work
should include a review of the effectiveness of the internal controls to
ensure independence of credit risk control units;
an assessment of the adequacy of resources and skills required to
perform the new Basel framework audit work; and
details of any Internal Audit work that would be outsourced to another,
equally independent, function or external audit.
Institutions are required to submit their application packages (including
their self-assessment as at October 31, 2005) to OSFI for IRB approval
purposes by February 1, 2006. By March 31, 2006, an institution’s Internal
Audit group will be required to provide an assessment, in the form of
negative assurance, based on work conducted to that point in time, of the
institution’s progress towards readiness to adhere to all IRB minimum
requirements. This assessment from Internal Audit should be based on a
review of management’s IRB self-assessment, which is part of the formal
application process, and on observations and other audit procedures
performed to date.
An updated assessment, in the form of an opinion from Internal Audit as to
the effectiveness of the internal controls and whether the controls are
designed appropriately to ensure adherence to all applicable IRB minimum
requirements, will also be required by October 31, 2007. For a more
fulsome discussion of the requirements relating to IRB approval, please
refer to the OSFI Implementation Note, 2007/2008 Approval of IRB
Approaches for Institutions.
OSFI anticipates that Internal Audit will begin reviewing the design elements and effectiveness of internal controls to meet all applicable IRB minimum requirements as and when these are implemented at the institution. Many of these systems (e.g., loan classification systems) may be in place long before the implementation date of the Basel framework, and Internal Audit should begin incorporating the review of these, as part of their regular audits, at an early date.
Footnote 1: Banks and bank holding companies to which the Bank Act applies
and federally regulated trust and loan companies to which the Trust
and Loan Companies Act applies are collectively referred to as
Footnote 2: Refer to OSFI’s Corporate Governance Guideline for additional guidance in this area.
Footnote 4: “PD” – probability of default; “EAD” – exposure at default; “LGD” – loss given default.
Footnote 5: The terms “validation” and “vetting” are often used interchangeably.
However, for the purposes of this document, validation is distinguished
from vetting. Vetting is a discrete activity, occurring only at some
pre-defined event or timing (e.g., initial model approval). By contrast,
validation is a continuous activity (e.g., ongoing model performance