Office of the Superintendent of Financial Institutions
This document outlines OSFI’s expectations for data maintenance for institutionsFootnote 2 that are using
the Standardized Approach (“SA”) for operational risk under Chapter 3 of the Capital Adequacy
Requirements (“CAR”) GuidelineFootnote 3. The term “data maintenance” includes
various key elements of a data management process, including data collection, data processing, data aggregation,
data reporting, data security and data storage/retention.
This document applies to institutions implementing the SA for operational risk.
While institutions using the Simplified Standardized Approach (“SSA”) do not calculate the Business
Indicator (“BI”), and are not required to collect operational loss data, for regulatory capital
purposes, OSFI encourages these institutions to consider the principles and expectations in this document as
they develop their operational risk data capabilities.
Operational risk management and capital measurement are highly dependent on an institution’s ability to
maintain a reliable, comprehensive operational risk dataset(s).
The SA for operational risk uses financial data in the calculation of BIFootnote 4 and internal
operational loss data in the calculation of the Loss Component (“LC”)Footnote 5. Capital
requirements are based on the annual average values of the BI over three years (multiplied by a set of marginal
coefficients) and the Internal Loss Multiplier (“ILM”), which is calculated using the BI and the LC.
The Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Data
Reporting (“RDARR”) are a set of international standards for banks’ risk
data aggregation capabilities and internal risk reporting practices, which apply to a bank’s risk
management data and include data that is critical to enabling the bank to manage the risks it faces, such as
OSFI expects institutions using the SA to adequately apply the RDARR principles to the maintenance of their data
used in the calculation of operational risk capital (i.e., internal operational loss data and business indicator
In addition, OSFI expects that for data used in the calculation of operational risk capital institutions will
Documentation outlining the end-to-end systems and data flows, including key controls for critical
failure points, to support the data management processes required to calculate operational risk capital;
Established policies and documented procedures for the storage, retention and archiving, including, where
applicable, the procedures for logical/physical deletion of loss data and destruction of data storage
media and peripherals;
Processes to maintain back-ups of relevant data files/stores and databases in a manner that can
facilitate ready retrieval in the event of information calls on the institutions’ compliance and
ongoing supervisory assessments; and
Processes to ensure that the electronic versions of all relevant data are accessible in a format that
provides flexibility to enable searching, aggregation and reporting.
Additional details on OSFI’s expectations can be found in the Assessment Tool. These criteria should be
used in assessing, both initially and on an ongoing basis, an institution’s data used in the calculation
of operational risk capital. OSFI will consider the institution’s risk profile and complexity when
assessing its compliance with these criteria.
Institutions using the SA must also meet the general and specific criteria on loss data identification,
collection and treatment that are outlined in CAR Chapter 3.
Institutions using the SA are required to use financial data to calculate the BI component. To maintain reliable
BI data, and ensure that the BI is calculated consistent with the requirements and definitions in CAR Chapter 3
(and the related capital adequacy return instructions), institutions should, at a minimum:
Document the process to provide for the consistent mapping of its general ledger and/or relevant OSFI
returns to the line items in the BIFootnote 6;
Establish a system or process that facilitates the reconciliation between the BI reported on the OSFI
capital adequacy return and Net Interest Income and Non-Interest IncomeFootnote 7;
Ensure that the robustness of the BI mapping process is commensurate with its complexity; and
Conduct periodic independent reviews of the processes involved in the calculation and reporting of the BI
component. At a minimum, this would include regular effective and independent challenge by the
institution’s second line of defense, and periodic independent review by the third line of
Includes both internal operational loss data and the components used to calculate the Business
Return to footnote 1
Banks and bank holding companies to which the Bank Act applies and federally
regulated trust companies and loan companies to which the Trust and Loan Companies
Act applies are collectively referred to as “institutions.”
Return to footnote 2
The draft Chapter 3 of the CAR, posted for public consultation in March 2021, is linked here: Capital Adequacy Requirements
(CAR) Chapter 3 – Operational Risk
Return to footnote 3
The BI consists of three components: the interest, leases, and dividend component; the services
component; and the financial component, as defined in Chapter 3 of the CAR (section 3.4.1)
Return to footnote 4
The LC is equal to 15 times average annual operational risk losses incurred over the previous 10
years and affects the calculation of operational risk capital through the Internal Loss
Multiplier (ILM). See Chapter 3 of the CAR (section 3.4.1) for more detail on the calculation of
Return to footnote 5
This includes the process for ensuring that Fee and Commission Income is reported on a gross
basis, and that Fee and Commission Expenses includes all relevant expenses, including those
netted against income, on the institution’s financial statements.
Return to footnote 6
Net Interest and Non-Interest Income is line 22 from OSFI’s P3 return.
Return to footnote 7