Office of the Superintendent of Financial Institutions
This document outlines OSFI's expectations for data maintenance for institutionsFootnote 2 that are using the Standardized Approach ("SA") for operational risk under Chapter 3 of the Capital Adequacy Requirements ("CAR") GuidelineFootnote 3. The term "data maintenance" includes various key elements of a data management process, including data collection, data processing, data aggregation, data reporting, data security and data storage/retention.
This document applies to institutions implementing the SA for operational risk.
While institutions using the Simplified Standardized Approach ("SSA") do not calculate the Business Indicator ("BI"), and are not required to collect operational loss data, for regulatory capital purposes, OSFI encourages these institutions to consider the principles and expectations in this document as they develop their operational risk data capabilities.
Operational risk management and capital measurement are highly dependent on an institution's ability to maintain a reliable, comprehensive operational risk dataset(s).
The SA for operational risk uses financial data in the calculation of BIFootnote 4 and internal operational loss data in the calculation of the Loss Component ("LC")Footnote 5. Capital requirements are based on the annual average values of the BI over three years (multiplied by a set of marginal coefficients) and the Internal Loss Multiplier ("ILM"), which is calculated using the BI and the LC.
The Basel Committee on Banking Supervision's
Principles for Effective Risk Data Aggregation and Risk Reporting ("RDARR") are a set of international standards for banks' risk data aggregation capabilities and internal risk reporting practices, which apply to a bank's risk management data and include data that is critical to enabling the bank to manage the risks it faces, such as operational risk.
OSFI expects institutions using the SA to adequately apply the RDARR principles to the maintenance of their data used in the calculation of operational risk capital (i.e., internal operational loss data and business indicator data):
In addition, OSFI expects that for data used in the calculation of operational risk capital institutions will have:
Documentation outlining the end-to-end systems and data flows, including key controls for critical failure points, to support the data management processes required to calculate operational risk capital;
Established policies and documented procedures for the storage, retention and archiving, including, where applicable, the procedures for logical/physical deletion of loss data and destruction of data storage media and peripherals;
Processes to maintain back-ups of relevant data files/stores and databases in a manner that can facilitate ready retrieval in the event of information calls on the institutions' compliance and ongoing supervisory assessments; and
Processes to ensure that the electronic versions of all relevant data are accessible in a format that provides flexibility to enable searching, aggregation and reporting.
Additional details on OSFI's expectations can be found in the Assessment Tool. These criteria should be used in assessing, both initially and on an ongoing basis, an institution's data used in the calculation of operational risk capital. OSFI will consider the institution's risk profile and complexity when assessing its compliance with these criteria.
Institutions using the SA must also meet the general and specific criteria on loss data identification, collection and treatment that are outlined in CAR Chapter 3.
Institutions using the SA are required to use financial data to calculate the BI component. To maintain reliable BI data, and ensure that the BI is calculated consistent with the requirements and definitions in CAR Chapter 3 (and the related capital adequacy return instructions), institutions should, at a minimum:
Document the process to provide for the consistent mapping of its general ledger and/or relevant OSFI returns to the components of the BIFootnote 6;
Establish a system or process that facilitates the reconciliation between the BI reported on the OSFI capital adequacy return and Net Interest Income and Non-Interest IncomeFootnote 7;
Ensure that the robustness of the BI mapping process is commensurate with its complexity; and
Conduct periodic independent reviews of the processes involved in the calculation and reporting of the BI component. At a minimum, this would include regular effective and independent challenge by the institution's second line of defense, and periodic independent review by the third line of defense.
Includes both internal operational loss data and the components used to calculate the Business Indicator.
Return to footnote 1
Banks and bank holding companies to which the
Bank Act applies and federally regulated trust companies and loan companies to which the
Trust and Loan Companies Act applies are collectively referred to as "institutions".
Return to footnote 2
The revised Chapter 3 of the CAR is linked here:
Capital Adequacy Requirements (CAR) Chapter 3 – Operational Risk.
Return to footnote 3
The BI consists of three components: the interest, leases, and dividend component; the services component; and the financial component, as defined in Chapter 3 of the CAR (section 3.4.1).
Return to footnote 4
The LC is equal to 15 times average annual operational risk losses incurred over the previous 10 years and affects the calculation of operational risk capital through the Internal Loss Multiplier (ILM). See Chapter 3 of the CAR (section 3.4.1) for more detail on the calculation of the ILM.
Return to footnote 5
This includes the process for ensuring that Fee and Commission Income is reported on a gross basis, and that Fee and Commission Expenses includes all relevant expenses, including those netted against income, on the institution's financial statements.
Return to footnote 6
Net Interest and Non-Interest Income is line 22 from OSFI's P3 return.
Return to footnote 7