The Composite Risk rating is the key rating under OSFI's Supervisory Framework. It represents our assessment of the safety and soundness of an institution with respect to its depositors or policyholders. The Assessment Criteria provide rating categories and criteria for assessing the Composite Risk rating and each of its components, i.e., Overall Net Risk, Earnings, Capital and Liquidity. OSFI also has Assessment Criteria that guide the determination of the overall rating for each of the institution's applicable Oversight Functions.
The ratings were initially developed as an internal process for standardizing OSFI's approach to the assessment of institutions, thereby improving the consistency and comparability of our assessments. The Assessment Criteria may be revised periodically as industry practices and supervisory expectations change over time.
The Assessment Criteria for supervisory ratings are not required standards. They are used to guide supervisory assessments. Ratings are based on actual findings and observations made during OSFI's reviews and through monitoring activities.
Each institution is provided with its Composite Risk rating and its intervention rating (for staged institutions only). Other supervisory ratings are not currently shared.
Confidentiality of the rating information is protected by the Supervisory Information Regulations. The regulations prohibit institutions from disclosing, directly or indirectly, prescribed supervisory information, except as specifically provided for in the regulations.
Composite Risk Rating
The Composite Risk rating is an assessment of the institution's overall risk profile. The following chart illustrates the structure of the Composite Risk Rating:
Once the Net Risk in significant activities has been assessed, the importance of each activity is taken into account to arrive at the level and direction of Overall Net Risk for the institution as a whole. The Overall Net Risk is, in effect, a weighted aggregation of the Net Risks in the institution's significant activities.
The adequacy of Earnings, and Capital, given an institution's Overall Net Risk, and the adequacy of its Liquidity, is assessed to arrive at the level and direction of the institution's Composite Risk.
The objective of assessing Earnings is to understand and assess the quality, quantity and volatility/sustainability of an institution's earnings and how they contribute to Capital.
Capital is a source of financial support that contributes to an institution's safety and soundness. It is a cushion to absorb unexpected losses and to provide a safety net for the institution. In assessing Capital, the objective is to assess capital adequacy and the effectiveness of capital management policies and processes, including ICAAP and ORSA, in the context of the risk profile of the institution.
OSFI assesses Liquidity by considering the levels of the institution's liquidity risk and the quality of its liquidity management.
Oversight Function Ratings
OSFI expects that the presence and nature of oversight by an institution over its activities will be commensurate with its nature, size, complexity and risk profile. As such, OSFI expects institutions to establish organizational structures and control practices that are appropriate to their unique circumstances.
The unique circumstances of an institution are key considerations in assessing the overall quality of the institution's Oversight Functions as well. This requires the use of judgment in applying criteria and performance indicators included in the Assessment Criteria, in the context of the institution. The particular circumstances of each institution will determine the relative importance of the individual criteria and performance indicators in arriving at an overall rating for a function.
Smaller institutions are not likely to have all the Oversight Functions because oversight responsibilities, in these institutions, are generally carried out by Senior Management. Where an institution lacks some or all of the Oversight Functions, OSFI looks to other functions, within or external to the institution, to handle these oversight responsibilities, for example, operations reviews by other branches, outsourcing arrangements, and Senior Management's activities. In the absence of effective oversight, OSFI will step up its supervision of the institution and recommend or require that the institution implement an appropriate level of oversight.