Office of the Superintendent of Financial Institutions
OSFI is issuing the Operational Risk Management Guideline (Guideline E-21), which applies to all Federally Regulated Financial Institutions (FRFIs). As part of its program of risk-based supervision, OSFI evaluates FRFIs’ risk management frameworks. The evaluations are made pursuant to the approaches outlined in OSFI’s Supervisory Framework, which was revised in December 2010.
Guideline E-21 is intended to provide consolidated guidance for operational risk management, across all FRFIs. Elaboration of OSFI expectations, in a principle-based manner, and emerging sound practices, should aid in consistency of application across industries and institutions. The guideline is consistent with the OSFI Corporate Governance guideline (2013) and reflects international risk management standards.
Although institutions have generally improved their operational risk management functions in recent years, current OSFI operational risk guidance is not comprehensive and is dispersed across various guidelines making it difficult for FRFIs to access all of the related guidance. Further, current guidance is not consistent in its application to all types of FRFIs, which requires OSFI to communicate supervisory expectations more informally to some industry sectors.
Relying on international standards directly can be an efficient approach that highlights existing and widely accepted guidance. However, international operational risk guidance varies considerably, particularly between industry sectors. This variance does not appear to be justified on the basis of differences in operational risk exposure and management between sectors. In addition, the guidance is not available in a central location and does not reflect OSFI supervisory expectations in this area.
Under this option, Guideline E-21 would:
Issuing Guideline E-21 would contribute to the harmonization of OSFI’s published guidance for all FRFIs and provide additional guidance on key functions in operational risk management. Issuing Guideline E-21 would not impose significant incremental costs on the financial services industry because FRFIs have largely made significant improvements to their operational risk management practices over the last several years.
OSFI recognises that FRFIs may have different operational risk management practices depending on their: size; ownership structure; nature, scope and complexity of operations; corporate strategy; and risk profile. All FRFIs are expected to demonstrate effective and comprehensive adherence to the four high-level principles outlined in the guideline. At the same time, for example, OSFI supervisory expectations will have greater flexibility for smaller, less-complex institutions with demonstrated low operational risk profiles. In a number of cases, specific areas of flexibility are indicated directly within the guideline. In all cases, FRFIs are encouraged to discuss with their supervisors the applicability of best practices to their individual circumstances.
OSFI posted a draft version of the guideline for public consultation in August 2015. OSFI reviewed all submissions and, as a result, has made a number of revisions to the final version of the guideline. A summary of material comments received from industry stakeholders and an explanation of how they have been addressed is available in an annex attached to the cover letter that accompanies the final version of the guideline.
Option 3 addresses all of the objectives outlined above and is the most effective means to communicate OSFI’s expectations for operational risk management at FRFIs.
Since Guideline E-21 aligns with supervisory expectations already in place, full implementation of the Guideline by FRFIs is expected by June 2017.