- Type of Publication: Draft Guideline
- Category: Sound Business and Financial Practices
- To: Banks/BHCs/T&L/CCA/CRA/Life/Frat/P&C/IHC
- Date: August 2015
- No: E-21
1. Purpose and Scope of the Guideline
1. This Guideline sets out OSFI’s expectations for the management of operational risk and is applicable to all federally-regulated financial institutions (FRFIs) other than the branch operations of foreign banks and foreign insurance companies.
OSFI recognizes that FRFIs may have different operational risk management practices depending on their size and ownership structure; the nature, scope and complexity of their operations; their corporate strategy; and their risk profile.
2. For the purposes of this Guideline, operational risk is defined as the risk of loss resulting from people, inadequate or failed internal processes and systems, or from external events. This includes legal risk but excludes strategic and reputational risk. The risk of loss resulting from people includes, for example, operational risk events relating specifically to internal or external fraud, non-adherence to internal procedures/values/objectives, or unethical behaviour more broadly. While the definition of external fraud should be interpreted broadly, the definition may not include, for example, external fraud specific to insurance risk. In addition, while the definition of external events should also be interpreted broadly, it does not include, for example, catastrophic risk exposure within the insurance industry. Operational risk related to outsourcing arrangements should be included.
2. Operational Risk Management Framework
Principle 1: Operational risk management is fully integrated within the FRFI’s overall risk management program and appropriately documented.
3. Operational risk is inherent in all products, activities, processes and systems, and the effective management of operational risk should be a fundamental element of a FRFI’s risk management program. OSFI expects that each FRFI will have a framework for operational risk management, which sets forth mechanisms for identifying and managing operational risk. Understanding operational risks leads to better decision making through the observation and analysis of past operational risk events and patterns of observed behaviour within the FRFI. In addition, a robust framework for operational risk management provides a mechanism for discussion and effective escalation of issues leading to better risk management in this area over time and increased institutional resilience.
4. In addition, the documented framework for operational risk management should address the following elements:
- The FRFI’s approach to managing operational risk, with reference to the relevant operational risk management policies and procedures;
- A “three lines of defence” model, which is in essence a structured independent peer review process. As discussed in Section 4, the first line of defence is the business owners of the risk; the second line of defence provides a specialised peer review, independent challenge and accountability function; and the third line of defence is a more traditional general audit function;
- Clear accountability and ownership for operational risk management amongst the three lines of defence;
- The risk assessment and reporting tools used by the FRFI and how they are used effectively within the institution;
- The FRFI’s approach to establishing and monitoring risk appetite and related limits for operational risk exposure;
- The governance structures used to manage operational risk, including reporting lines and accountabilities. This includes ensuring operational risk management has sufficient status within the organisation to be effective;
- The need for appropriate independence of key functions as part of an effective control environment;
- Application to the FRFI enterprise-wide;
- Requirements for relevant policies to be reviewed on a regular basis, including whenever a material change in the operational risk profile occurs, and revised as appropriate. Policies should include adequate Board and Senior Management oversight; and
- Corresponding documentation that is efficient, provides commensurate risk management value and is suitable for the intended user/audience.
5. For additional information on OSFI’s requirements and expectations regarding operational risk management, refer to Annex 1 of this guideline which outlines a list of related publications. In particular, for OSFI expectations relating to adequate documentation see Guideline E-13 Regulatory Compliance Management.
3. Operational Risk Appetite Statement and Corporate Governance
Principle 2: Operational risk management serves to support the overall corporate governance structure of the FRFI. As part of this, FRFIs develop and utilise an operational risk appetite statement.
6. FRFIs should develop and maintain a risk appetite statement for operational risk, which is a component of the FRFI’s overall Board-approved Risk Appetite Framework (see OSFI’s Corporate Governance Guideline). The risk appetite statement for operational risk should articulate the nature, types and approximate exposure levels of operational risk that the FRFI is willing or expected to assume. The operational risk appetite statement should be succinct, clear, and include a measurable component (limit/threshold). The purpose of requiring a measurable component is to give an indication of the level of operational risk which is considered acceptable within the FRFI. The limit/threshold should also serve to indicate the level at which operational risk events, or cumulative patterns of events, are considered to require escalation to Senior Management and/or the Board.
7. In formulating the risk appetite statement FRFIs may consider elements such as: changes in the external environment; material increases in business or activity volumes; the quality of the control environment; the effectiveness of risk management or mitigation strategies; the FRFI’s operational risk event experience; and the frequency, volume or nature of risk appetite limit/threshold breaches.
8. The Board of Directors and Senior Management should regularly review the appropriateness of the operational risk appetite to confirm it remains reasonable and appropriate. Escalation and reporting processes for breaches, or potential breaches, should be in place.
9. Given the importance of operational risk, the governance structure surrounding it – in particular the role of the Board of Directors – should be aligned, as appropriate, within a FRFI’s broader corporate governance framework.
10. As it relates to operational risk management, Senior Management responsibilities include the establishment, implementation, maintenance and oversight of:
- a framework for operational risk management and operational risk policies;
- a clear, effective and robust governance structure which is conducive to transparent and consistent lines of responsibilities;
- sufficient operational risk management resources;
- operational risk management capabilities, including establishing and maintaining robust challenge mechanisms and effective issue-resolution processes;
- an independent review of implementation of the operational risk management framework; and
- operational risk management training and development programs to increase staff awareness of operational risk.
11. Senior Management should ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the FRFI who are responsible for the procurement of external services such as insurance risk transfer and outsourcing arrangements (see OSFI Guideline B-10 Outsourcing of Business Activities, Functions and Processes).
4. Three Lines of Defence
Principle 3: FRFIs ensure effective accountability for operational risk management. A ‘three lines of defence’ approach, or appropriately robust structure, serves to separate the key practices of operational risk management and provide adequate independent overview and challenge. How this is operationalized in practice in terms of the organisational structure of a FRFI will depend on its business model and risk profile.
12. Appropriate accountability for the management of operational risk is essential. A “three lines of defence” structure is one way to achieve such accountability. For illustrative purposes, the roles and responsibilities of each of the three lines are described below. How these roles are operationalized within a FRFI will depend on its business model and risk profile.
First Line of Defence
13. The business line – the first line of defence – has ownership of risk whereby it acknowledges and manages the operational risk that it incurs in conducting its activities. The first line of defence is responsible for planning, directing and controlling the day-to-day operations of a significant activity and for identifying and managing the inherent operational risks in products, activities, processes and systems for which it is accountable. The first line of defence is responsible for developing capabilities in the following areas:
- adherence to the operational risk management framework and related policies;
- identifying and assessing the inherent operational risk within their respective business unit and assessing the materiality of risks to the respective business units;
- establishing appropriate mitigating controls and assessing the design and effectiveness of these controls;
- monitoring and reporting on the FRFI’s operational risk profile and ensuring adherence to the established operational risk appetite statement;
- reporting on the residual operational risk which is not mitigated by controls including operational risk events, control deficiencies, personnel and process inadequacies;
- promoting a strong operational risk management culture throughout the first line of defence; and
- confirming timely and accurate escalation, within the FRFI, of material issues.
Second Line of Defence
14. The second line of defence consists of oversight activities that independently identify, measure, monitor and report operational risk on an enterprise basis. These activities represent a collection of operational risk management activities and processes, including the design and implementation of the FRFI’s framework for operational risk management. The second line of defence is best placed to provide specialized reviews related to the FRFI’s operational risk management. In addition, it should be noted that other staff/corporate areas of the FRFI (e.g. compliance, legal) may also be deemed part of the second line of defence.
Responsibilities commonly associated with the second line of defence include items such as:
- providing effective independent challenge, which should be evidenced and documented (e.g. by providing examples of the challenges and outcomes) so as to be subsequently observable, to the first line of defence;
- confirming continued development of appropriate strategies to identify, assess, measure, monitor and control/mitigate operational risk;
- confirming continued establishment and documentation of appropriate FRFI-wide policies and procedures relating to the FRFI’s operational risk management framework;
- confirming continued development, implementation and use of appropriate enterprise operational risk management tools;
- confirming adequate processes and procedures exist to provide appropriate oversight of the FRFI’s operational risk management practices;
- confirming that operational risk measurement processes are appropriately integrated into the overall risk management of the FRFI;
- reviewing and contributing to the monitoring and reporting of the FRFI’s operational risk profile;
- promoting a strong operational risk management culture throughout the enterprise; and
- confirming timely and accurate escalation, within the FRFI, of material issues.
15. A key function required of the second line of defence is to challenge the business lines’ inputs to, and outputs from, the FRFI’s risk management and reporting tools (including risk measurement/estimation), to ensure they are adequately complete and well-informed.
16. Independent Challenge is the process of developing an independent view regarding the quality and sufficiency of the business unit’s operational risk management activities, including the identification and assessment of operational risks; identification and assessment of controls; assumptions; and risk decision (e.g., acceptance, transfer, denial, action plan).
17. Independent Challenge should be:
- based on a structured and repeatable process that accommodates continuous improvement (while allowing for ad-hoc flexibility where appropriate);
- applied through the various operational risk management tools, reporting and other governance processes;
- performed by knowledgeable and competent staff;
- shared with the business in a constructive manner;
- performed on a timely basis;
- measured by outcomes (e.g., it has influenced a management decision/action); and
- evidenced/documented.
Independent Challenge is not facilitation, guidance, or documentation of decisions.
18. OSFI recognizes that the nature, size, complexity and risk profile of different FRFIs will mean that the responsibilities of the second line of defence groups may overlap with those of the first line of defence. Further, the size and degree of independence of the second line of defence will differ among FRFIs. For example, for smaller FRFIs with low operational risk exposures, independence may be achieved through separation of duties. In larger FRFIs, however, the second line of defence will generally consist of an independent function with a reporting structure independent of the first line, most often reporting into the risk management function. The second line of defence should have an appropriate level of sufficiently skilled resources and stature to effectively fulfill its responsibilities.
Third Line of Defence
19. The internal audit function constitutes the third line of defence. The third line of defence should be independent of both the first and second lines of defence, and provide independent review and testing of the FRFI’s operational risk management controls, processes and systems, and of the effectiveness of the first and second line of defence functions. The third line of defence is best placed to observe and review operational risk management more generally within the context of the FRFI’s overall risk management and corporate governance functions.
20. Independent review and testing coverage should be sufficient in scope to verify that the operational risk management framework has been implemented as intended and is functioning effectively. Independent review and testing activities should generally involve testing for compliance with established policies and procedures, as well as evaluating whether the framework for operational risk management is appropriate given the size, complexity and risk profile. Independent review and testing should generally consider the design and use of operational risk management tools in both the first and second lines of defence, the appropriateness of independent challenge applied by the second line of defence, and the monitoring, reporting and governance processes.
21. Those performing these reviews should be competent and appropriately trained and generally not involved in the development, implementation and operation of the framework. Reviews are generally performed by the internal audit function of the FRFI but may also involve suitably qualified external parties. Where independent review activities are outsourced, Senior Management should consider the effectiveness of the underlying arrangements and the suitability of relying on an outsourced function. Whether performed internally or by external parties, third line of defence activities should be performed regularly, on a timely basis, and to a consistent standard. Further, processes should be in place to ensure that recommendations for improvement and any issues are appropriately escalated within the FRFI, and that management’s response accurately, promptly and adequately addresses the nature of the issues raised.
5. Identification and Assessment of Operational Risk
Principle 4: FRFIs ensure comprehensive identification and assessment of operational risk through the use of appropriate management tools. Maintaining a suite of operational risk management tools provides a mechanism for collecting and communicating relevant operational risk information, within the FRFI and to relevant supervisory authorities.
22. OSFI recognizes that the FRFI itself has the best perspective to determine its organizational structure, processes, and the extent of its use of tools to optimally achieve a robust level of operational risk management. Further, it is the FRFI that is ultimately responsible for the risk assumed. FRFIs are encouraged to continue to develop and improve the tools they use to manage their operational risk and to monitor and adopt best practices in this area as appropriate. The specific tools used to identify and assess operational risk will depend on a range of relevant factors, particularly the nature, size, complexity and risk profile of the FRFI.
23. Such operational risk management tools generally include elements such as:
- Operational risk taxonomy;
- Risk and control assessments;
- Change management risk and control assessments;
- Internal operational risk event collection and analysis;
- External operational risk event collection and analysis;
- Risk and performance indicators;
- Business process mapping;
- Scenario analysis and stress testing;
- Quantification/estimation of operational risk (as required via the Internal Capital Adequacy Assessment Process (ICAAP) or Own Risk and Solvency Assessment (ORSA)); and
- Comparative analysis.
Each risk management tool is described in more detail below.
Operational Risk Taxonomy
24. A common taxonomy of sources of operational risk types aids with consistency of risk identification and assessment activities, and articulation of the nature and type of operational risk to which the FRFI is potentially exposed. An inconsistent taxonomy of operational risk terms may increase the likelihood of failing to identify and categorize risk, or allocate responsibility for the assessment, monitoring, and mitigation of risks.
Risk and Control Assessments
25. Risk and control assessments (RCAs) are one of the primary tools typically used to assess inherent operational risks and the design and effectiveness of mitigating controls within FRFIs. Where utilized, RCAs should:
- cover the entire organisation, including all lines of business;
- include an assessment of business environment, inherent risks, controls, and residual risks, referencing the FRFI’s operational risk taxonomy;
- have proper alignment between the risk and its mitigating controls;
- be completed on a periodic basis; and
- remain comprehensive, going beyond changes in current risks and specific loss exposures.
26. RCAs generally are completed by the first line of defence across the enterprise, including the various control groups, and should reflect the current environment but also be forward-looking in nature. Resulting action plans emerging from completion of an RCA should be tracked and monitored to ensure required enhancements are appropriately implemented. In addition, the second line of defence should review and provide independent challenge to the risk and control assessments, and the resulting action plans of the first line of defence.
Change Management Risk and Control Assessments
27. Change management risk and control assessments establish a formalized process for assessing inherent operational risk and the appropriateness of mitigating controls when the FRFI undertakes significant changes. The operational risk assessments made as part of the change management process should generally be performed by the first line of defence. This risk assessment process typically considers elements such as:
- inherent risks in the new product, service, or activity;
- changes to the FRFI’s operational risk profile and risk appetite;
- the required set of controls, risk management processes, and risk mitigation strategies to be implemented;
- the residual risk (unmitigated risk); and
- changes to the relevant risk limit/threshold.
28. Following completion of the change, post-implementation reviews should be conducted for material changes to ensure the anticipated objectives and benefits were appropriately achieved. The second line of defence should review and apply independent challenge to the risk and control assessments, and resulting action plans.
Internal Operational Risk Event Collection and Analysis (Data Collection)
29. Robust internal operational risk event collection and analysis includes having systems and processes in place which capture and provide analysis of material internal operational risk events (e.g. those that exceed an appropriate internal threshold/limit). An operational risk event, which is defined as an unintended outcome resulting from operational risk, includes actual and potential operational losses and gains, as well as near misses (i.e. where the FRFI did not experience an explicit loss or gain resulting from an operational risk event).
30. Internal operational risk event collection and analysis provides meaningful information for assessing a FRFI’s exposure to operational risk through the aggregation and monitoring of operational risk events over time, as well as the overall effectiveness of the operational controls environment. The capture of internal operational risk data should primarily be managed by the first line of defence, and appropriate controls (e.g. segregation of duties, verification) should be in place to ensure the integrity of the data is maintained at an acceptable level.
31. For operational risk events determined to be material, analysis should be undertaken to identify the root cause as well as any required remedial action to ensure similar events in the future either do not occur or are appropriately mitigated. Established reporting and analysis standards should also address minimum expectations over event analysis, including:
- whether the exposure is an actual, potential or near miss event;
- the underlying operational risk category exposure as defined within the risk taxonomy;
- deficiencies and control failures that can be mitigated;
- the corrective actions to be taken to address the deficiencies and control failures; and
- appropriate sign-offs and approvals.
32. For material operational risk events, appropriate root cause analysis is generally conducted by the first line of defence and appropriately escalated based on the potential or observed impact of the event. The second line of defence reviews and applies independent challenge to the analysis conducted by the first line of defence.
External Operational Risk Event Collection and Analysis
33. External operational risk events are operational risk related events occurring at organisations other than the FRFI itself. External operational risk event collection and analysis activities may include subscribing to an external loss reporting database, monitoring the FRFI’s own operational risk event experience over time relative to its peers, assessing overall exposures, and the overall effectiveness of the operational controls environment.
Risk and Performance Indicators
34. Risk and performance indicators are risk metrics used to monitor the main drivers of exposure associated with key operational risks; they can also provide insight into control weaknesses and help to determine a FRFI’s residual risk. Risk and performance indicators, paired with escalation and monitoring triggers, act to identify risk trends, warn when risk levels approach or exceed thresholds or limits, and prompt actions and mitigation plans to be undertaken.
Business Process Mapping
35. Business process mapping is a common tool used to identify and manage operational risks for significant or enterprise-wide processes. Business process mapping involves identifying the steps within the process, and assessing the inherent operational risks, risk interdependencies, and the effectiveness of controls, as well as subsequent management actions required when control weaknesses are identified.
Scenario Analysis and Stress Testing
36. Scenario analysis is a process of identifying potential operational risk events and assessing their potential outcome and impact on the FRFI. Scenario analysis can be an effective tool to consider potential sources of operational risk and the need for enhanced risk management controls or mitigation solutions. In order to effectively use scenario analysis as part of a risk management program, the operational risk scenarios developed should consider both expected and unexpected behaviour relative to an operational risk event or event type. If scenario analysis is used as an input into the quantification/estimation of operational risk exposure, the second line of defence should review whether the scenarios chosen are appropriate and consistent with the FRFI’s scenario analysis program.
Quantification/Estimation of Operational Risk Exposure
37. All FRFIs are required to quantify/estimate their exposure to operational risk through existing ICAAP or ORSA exercises. This quantification/estimate may be compared to the required capital for operational risk under the relevant capital adequacy/minimum required capital guideline for additional value. Regardless of the operational risk quantification approach taken, key assumptions should be documented, and appropriate validation, vetting and verification activities should be performed.
Comparative Analysis
38. Comparative analysis involves the first line of defence reviewing the risk assessments and outputs of each of the operational risk management tools to confirm the overall assessment of operational risk. This comparative analysis can also help identify operational risk management tools that may not be effective. Comparative analysis can help to ensure that risk assessments are performed in a consistent manner and that lessons learned are appropriately shared within the organization.
Annex – List of Related Publications from OSFI
Corporate Governance Guideline
Cyber Security Self-Assessment Guidance
Guideline A Capital Adequacy Requirements
Guideline A Minimum Continuing Capital and Surplus Requirements
Guideline A Minimum Capital Test
Guideline B-3 Sound Reinsurance Practices and Procedures
Guideline B-7 Derivatives Sound Practices
Guideline B-8 Deterring & Detecting Money Laundering and Terrorist Financing
Guideline B-9 Earthquake Exposure Sound Practices
Guideline B-10 Outsourcing of Business Activities, Functions and Processes
Guideline B-12 Interest Rate Risk (IRR) Management
Guideline B-20 Residential Mortgage Underwriting Practices and Procedures
Guideline B-21 Residential Mortgage Insurance Underwriting Practice and Procedures
Guideline E-4A Role of the Canadian Chief Agent & Record Keeping Requirements
Guideline E-4B Role of the Principal Officer and Record Keeping Requirements
Guideline E-5 Retention/Destruction of Records
Guideline E-10 Use of Depositories by Insurance Companies
Guideline E-12 Inter-segment Notes for Life Insurance Companies
Guideline E-13 Regulatory Compliance Management (RCM)
Guideline E-14 Role of the Independent Actuary
Guideline E-15 Appointed Actuary: Legal Requirements, Qualifications and Peer Review
Guideline E-16 Participating Account Management and Disclosure to Participating Policyholders and Adjustable Policyholders
Guideline E-17 Background Checks on Directors and Senior Management of FREs
Guideline E-18 Stress Testing
Guideline E-19 Own Risk and Solvency Assessment (ORSA)
Guideline E-19 Internal Capital Adequacy Assessment Process (ICAAP)
Guideline E-20 CDOR Benchmark-Setting Submissions