Operational Risk and Resilience

Document Properties

  • Type of Publication: Industry Letter
  • Date: July 6, 2021
  • To: Federally Regulated Financial Institutions (FRFIs)

On December 15, 2020, the Office of the Superintendent of Financial Institutions (OSFI) concluded a consultation process on its discussion paper, Developing Financial Sector Resilience in a Digital World, which highlighted certain aspects of operational resilience. On May 10, 2021, OSFI subsequently published a summary of next steps in areas related to non-financial risk more broadly.

During that same period, the Basel Committee on Banking Supervision (BCBS) published guidance in March 2021 on operational risk and resilience. As a BCBS member, OSFI participated in work that led to the publication of revised Principles for the Sound Management of Operational Risk (PSMOR) and new Principles for Operational Resilience (POR). OSFI believes these principles are broad-based and relevant to risk management at all financial institutions, not just banks. The International Association of Insurance Supervisors has also underscored its commitment to the operational resilience of insurance companies. (Footnote 1)

The revisions to the PSMOR strengthen BCBS guidance on operational risk management in areas such as risk identification and assessment, change management, and information and communication technology. The POR introduce the concept of operational resilience, which relates to the ability of an entity to deliver critical operations through disruption.

OSFI views operational resilience as an important objective of operational risk management and, as a result, critical for the overall safety and soundness of a financial institution. Operational resilience encompasses a number of risk management practices and capabilities, including:

  • Articulating risk appetite and setting risk tolerances for operational risk;
  • Identifying and analyzing critical operations (Footnote 2), interconnections and interdependencies;
  • Using scenarios and testing to assess resilience capabilities; and
  • Preventing, responding, adapting, recovering and learning from operational disruptions.

While OSFI’s existing Guidelines and Advisories (Footnote 3) cover many of these areas, there are opportunities to strengthen its guidance expectations in order to enhance operational resilience at FRFIs, including both deposit-taking institutions and insurance companies. As part of implementing any guidance on operational risk and resilience for financial institutions, OSFI will consider whether certain elements of this guidance could also be relevant to federally regulated pension plans.

OSFI is now seeking FRFIs’ views on:

  • How to position OSFI’s perspective on operational risk and resilience within its principles-based guidance framework (including Guideline E-21); and
  • How to address connections to related risks—including, but not limited to, technology and cyber risks, third-party risk, model risk, culture, compliance and reputation risk—within OSFI’s approach to operational risk management and operational resilience.

Please submit comments to Resilience@osfi-bsif.gc.ca by September 10, 2021.

Footnotes

Footnote 1

Please see: the IAIS’ upcoming “Supervisory Guidance on Operational Risk and Resilience in the Insurance Sector” in the 2021‑22 IAIS Public Roadmap.


Footnote 2

For the purposes of the POR, critical operations include processes, services and their relevant supporting assets the disruption of which would be material to the continued operation of a financial institution or its role in the financial system.


Footnote 3

For example, the Corporate Governance Guideline, Guideline B-10 on Outsourcing, Guideline E-21 on Operational Risk Management, and OSFI’s Cyber Security Self-Assessment Tool.
