Assessment tool - operational risk capital data

ASSESSMENT TOOL - OPERATIONAL RISK CAPITAL DATA (Footnote 1)
Columns: Criteria | Reference | Compliance Rating | Target Compliance Date | Risk Mgmt. Assessment of Effectiveness | Internal Audit Rating | Comments including Names of Supporting Documents
1. General Criteria on Loss Data Identification, Collection, and Treatment
1.01 The institution is using 10 years of high quality historical internal loss data for regulatory capital purposes.
Reference: CAR Ch. 3 (27) (a)
1.02 The institution has demonstrated that robust, documented procedures and processes for the identification, collection, and treatment of internal loss data are in place.
Reference: CAR Ch. 3 (27) (b)
1.03 The institution has documented its criteria and demonstrated that processes are in place for mapping historical internal loss data enterprise-wide to Basel Level 1 supervisory categories as defined in Annex 3-2 of OSFI’s Capital Adequacy Requirements ("CAR") Guideline (Footnote 2).
Reference: CAR Ch. 3 (27) (c) and Annex 3-2.
1.04 The internal loss data are comprehensive and capture all material activities and exposures from all appropriate sub-systems and geographic locations. The institution has demonstrated the ability to identify and track any part of the institution where loss data have not, or are not being, collected and included in the dataset.
Reference: CAR Ch. 3 (27) (d)
1.05 All operational losses related to the definition of operational risk as defined in section 3.1 of CAR Chapter 3 are included in the loss data collection.
Reference: CAR Ch. 3 (2)
1.06 For capital purposes, the institution has set a minimum threshold of $30,000 CAD (net losses after recovery) per loss event for internal loss data collection and for the calculation of average annual losses, and has demonstrated that processes are in place to identify and measure when this threshold has been reached.
Reference: CAR Ch. 3 (27) (e)
1.07 The institution has demonstrated that documented processes are in place to (i) calculate the percentage of the institution without high quality loss data, and (ii) identify when it is approaching, or has surpassed, the materiality threshold for loss data comprehensiveness, detailed in Chapter 3 of OSFI’s CAR Guideline.
Reference: CAR Ch. 3 (27) (d) & (40) (c)
1.08 The institution has demonstrated that effective documented processes are in place for the collection of information on the reference dates of operational risk events. The reference dates should include: date of occurrence, date of discovery, and date of accounting.
Reference: CAR Ch. 3 (27) (f)
1.09 The institution has demonstrated that it has in place effective documented processes for the collection of information on recoveries of gross loss amounts as well as descriptive information on the drivers or causes of the loss event. The level of detail should be commensurate with the size of the gross loss amount.
Reference: CAR Ch. 3 (27) (f)
1.10 The institution has demonstrated that processes are in place for the inclusion or exclusion of certain operational loss events (i.e. those related to credit and market risk) in accordance with Section 3.4.3 of CAR Chapter 3.
Reference: CAR Ch. 3 (27) (g), (27) (h)
1.11 The institution has demonstrated that effective processes are in place to independently review the comprehensiveness and accuracy of loss data. The institution has also demonstrated that effective processes are in place to independently review the processes for the identification, collection and treatment of internal loss data. At a minimum, this would include regular, effective and independent challenge by the institution’s second line of defense, and periodic independent review by the third line of defense.
Reference: CAR Ch. 3 (27) (i)
2. Specific Criteria on Loss Data Identification, Collection, and Treatment
2.01 The institution has documented policies and has demonstrated that procedures are in place for applying the gross loss definition, reference date, grouped losses, recovery, and net loss in the internal operational loss data sets and definitions align with those outlined in the CAR Chapter 3 Guideline.
Reference: CAR Ch. 3 (28) and (29)
2.02 The institution has demonstrated that documented and effective processes are in place for identifying and capturing the gross loss amounts, non-insurance recoveries, and insurance recoveries for all operational loss events.
Reference: CAR Ch. 3 (30)
2.03 Recoveries are used to reduce losses in the calculation of capital requirements only after the institution receives payment (e.g. receivables do not count as recoveries).
Reference: CAR Ch. 3 (30)
2.04 The institution has demonstrated that it has processes in place to ensure that the gross loss computation in the calculation of capital requirements includes the following items (as defined in the CAR):
  1. direct charges to the institution’s P&L accounts and write-downs due to the operational risk event;
  2. costs incurred as a consequence of the event including external expenses with a direct link to the operational risk event and costs of repair or replacement incurred to restore the position that was prevailing before the operational risk event;
  3. provisions or reserves accounted for in the P&L against the potential operational loss impact;
  4. pending losses; and
  5. timing losses.
Reference: CAR Ch. 3 (31)
2.05 The institution has demonstrated that it has processes in place to ensure that the gross loss computation in the calculation of capital requirements excludes the following items:
  1. costs of general maintenance contracts on property, plant or equipment;
  2. internal or external expenditures to enhance the business after the operational risk losses: upgrades, improvements, risk assessment initiatives and enhancements; and
  3. insurance premiums.
Reference: CAR Ch. 3 (32)
2.06 The institution has demonstrated that the institution’s loss dataset includes the date of accounting. The institution uses a date no later than the date of accounting for including losses related to legal events in the loss data set. For legal loss events, the date of accounting is the date when a legal reserve is established for the probable estimated loss in the P&L.
Reference: CAR Ch. 3 (33)
2.07 The institution has demonstrated that documented and effective processes are in place so that losses caused by a common operational risk event or by related operational risk events over time, but posted to the accounts over several years, are allocated to the corresponding years of the loss database, in line with their accounting treatment.
Reference: CAR Ch. 3 (34)
3. Exclusion of Losses from the Loss Component
3.01 The institution has demonstrated that documented controls and governance are in place to (i) identify the exclusion of certain operational loss events from the calculation of the Loss Component that meet the criteria in section 3.4.5 of CAR Chapter 3; and (ii) ensure appropriate approvals occur, including approval from OSFI.
Reference: CAR Ch. 3 (35) and (37)
3.02 The institution has demonstrated that documented and effective processes are in place for disclosing the total loss amount and number of exclusions in accordance with OSFI’s Pillar 3 requirements.
Reference: CAR Ch. 3 (36)
4. Inclusion of operational loss events related to mergers and acquisitions
4.01 The institution has demonstrated that documented policies and processes are in place for the inclusion of historical loss events from any merged or acquired businesses over the previous ten years. Loss data included from any mergers or acquired businesses meets OSFI’s expectations, including those in the CAR Guideline.
Reference: CAR Ch. 3 (40)
4.02 The institution has demonstrated that documented processes are in place for the estimation of historical loss data for each of the years (within the last ten years) where high-quality internal loss data are missing, in accordance with the methodology detailed in CAR Chapter 3 section 3.4.7.
Reference: CAR Ch. 3 (40) (a)
4.03 The institution has demonstrated that documented processes are in place for the estimation of operational risk loss amounts for merged entities or acquired businesses where the collection of actual loss data is not feasible immediately, in accordance with the methodology detailed in CAR Chapter 3 section 3.4.7.
Reference: CAR Ch. 3 (40) (b)
5. Quality of Operational Risk Capital Data (i.e., internal loss data and business indicator data)
5.1 Governance
5.1.01 The institution has documented agreed service level standards for both outsourced and in-house operational risk capital data-related processes, as well as policies covering data confidentiality, integrity and availability.
Reference: RDARR Principle 1
5.1.02 The institution’s data procedures and reporting practices are fully documented and subject to high standards of validation that are aligned and integrated with the other independent review activities within the institution’s risk management program.
Reference: RDARR Principle 1
5.1.03 Senior management have reviewed and approved the institution’s operational risk capital data collection and reporting procedures for both current and historic data.
Reference: RDARR Principle 1
5.1.03.1 Senior management are aware of and understand any limitations associated with the quality of the operational risk capital data used to support the calculation of operational risk capital using the Standardized Approach.
5.1.04 The institution’s due diligence process for mergers and acquisitions includes an assessment of the operational risk capital data collection capabilities and reporting practices of the acquired entity. This includes development of a plan to integrate and align the acquired operational risk capital data collection capabilities and reporting practices within its own framework, and a process to report as a single entity in a consistent manner.
Reference: RDARR Principle 1
5.2 Data architecture and IT infrastructure
5.2.01 The institution has established roles and responsibilities in relation to the ownership and quality of operational risk capital data and information for both the business and IT functions.
Reference: RDARR Principle 2
5.2.02 The operational risk capital data owners (business and IT functions as appropriate), in partnership with risk managers, have established a process to ensure there are adequate controls throughout the lifecycle of operational risk capital data, including for all aspects of the technology infrastructure, as appropriate.
Reference: RDARR Principle 2
5.2.03 The institution has established integrated loss data taxonomies and architecture aligned with Annex 3-2 (Level 1) of the CAR Guideline. Operational risk capital data architecture includes but is not limited to:
  1. Identification of all mapping rules and filter criteria;
  2. Consistent naming conventions for loss data;
  3. Usage of single identifiers and/or unified naming conventions for data; and
  4. Established metadata (i.e. types of data to be stored, data types, valid range of data values, etc.).
Reference: RDARR Principle 2
5.2.03.1 The institution has fully documented and demonstrated the effectiveness of the end-to-end data flows, including key controls for critical failure points, to support data management processes and oversight of the data required to support the calculation of operational risk capital using the Standardized Approach (SA). At a minimum this would include:
  1. identification of all systems, data flows, control points, processes and reports;
  2. identification of all manual processes; and
  3. identification of all data to be collected and managed to calculate the Internal Loss Multiplier and Business Indicator.
5.2.03.2 If an institution has multiple systems involved in the end-to-end flow, the institution has the ability to demonstrate the linkages and approaches used to complete and aggregate the operational risk capital data.
5.3 Accuracy and Integrity
5.3.01 The institution has established documented processes for collecting operational risk capital data. Where the institution relies on manual processes and/or desktop applications (e.g. spreadsheets, end-user databases) for collecting internal loss data, it has effective mitigants in place (e.g. end-user computing policies and procedures) and other effective controls that are consistently applied for maintaining such data.
Reference: RDARR Principle 3
5.3.01.1 There are adequate documented controls throughout the lifecycle of the data. Operational risk capital data are correctly entered, kept current and aligned with the data definitions.
Reference: RDARR Principle 3
5.3.02 Operational risk capital data are reconciled with sources, including accounting data where appropriate; the institution is able to explain all material differences.
Reference: RDARR Principle 3
5.3.03 The institution’s risk personnel have sufficient access to operational risk capital data to ensure they can appropriately aggregate, validate and reconcile the data to relevant reports.
Reference: RDARR Principle 3
5.3.04 Measurement and monitoring processes have been designed and implemented to ensure the accuracy and integrity of operational risk capital data.
Reference: RDARR Principle 3
5.3.04.1 The institution has established documented processes and metrics and thresholds to measure accuracy and integrity of both current and historic operational risk capital data. The institution can also demonstrate that processes are in place to identify when measures are near defined thresholds.
5.3.04.2 The institution has demonstrated that documented processes are in place for identifying when data limitations exist in both historic and current operational risk capital data.
5.3.05 The institution has demonstrated that it has established escalation channels and processes to develop action plans to rectify poor operational risk capital data quality.
Reference: RDARR Principle 3
5.4 Completeness
5.4.01 The institution has demonstrated that effective, documented processes are in place for measurement and monitoring completeness of all current and historic operational risk capital data including measurable metrics and thresholds to measure completeness.
Reference: RDARR Principle 4
5.4.02 The institution has demonstrated that escalation channels and effective processes are in place to develop action plans to rectify completeness issues.
Reference: RDARR Principle 4
5.5 Timeliness
5.5.01 The institution has demonstrated that it has identified and documented timeliness requirements for reporting operational risk capital data. For operational loss data, these requirements must reflect the nature of the loss event based on the characteristics and overall risk profile of the institution. Internal loss data are reported one quarter in arrears while Business Indicator data are reported based on the most current quarter.
Reference: RDARR Principle 5
5.5.02 The institution has demonstrated that its operational risk capital data aggregation capabilities are able to produce aggregate information on a timely basis to meet all internal loss reporting and capital reporting requirements.
Reference: RDARR Principle 5
5.6 Adaptability
5.6.01 The institution has demonstrated that it has sufficient capability to customize operational risk capital data, including internal loss data, to users’ needs (e.g. dashboards, key takeaways, anomalies), to drill down as needed, and to produce quick summary reports.
Reference: RDARR Principle 6
5.6.02 The institution has demonstrated that its operational risk capital data aggregation processes allow for the incorporation of new developments on the organization of the business and/or external factors that influence the institution’s risk profile.
Reference: RDARR Principle 6
5.7 Accuracy
5.7.01 Requirements and processes to reconcile reports to internal loss data and other authoritative sources are defined and can be demonstrated.
Reference: RDARR Principle 7
5.7.01.1 Reconciliation processes include explanations, reporting and action plans to deal with data errors or weaknesses in data integrity.
5.7.02 The institution has demonstrated that it has integrated procedures for identifying, reporting and explaining operational risk capital data errors or weaknesses in data integrity via exception reports and for measuring and reporting data accuracy and integrity.
Reference: RDARR Principle 7
5.7.02.1 The institution has demonstrated that it has established materiality thresholds for accuracy, including thresholds for escalation. Where applicable, action plans have been established to rectify breaches.
5.7.03 The institution has demonstrated that measurable accuracy requirements for operational risk capital data have been established and implemented.
Reference: RDARR Principle 7
5.8 Comprehensiveness
5.8.01 The institution has demonstrated that it has determined reporting requirements for operational risk capital data that best suit its own business models and risk profiles. Risk management reports for loss data include exposure information for all risk areas (e.g. event type, etc.) and all significant components of those areas.
Reference: RDARR Principle 8
5.9 Clarity and usefulness
5.9.01 The institution has demonstrated that senior management determine its own operational risk capital, including internal loss reporting requirements. The institution has also demonstrated that senior management receive relevant information that allows it to fulfil its management mandate relative to the institution and operational risk capital-related risks to which it is exposed.
Reference: RDARR Principle 9
5.9.02 The institution has demonstrated that it has an inventory and classification of operational risk capital data items that includes a reference to the concepts used to elaborate the reports.
Reference: RDARR Principle 9
5.9.03 The institution has demonstrated that it confirms periodically with recipients that operational risk capital information, including internal loss information, that is aggregated and reported is relevant and appropriate, in terms of both amount and quality, to the governance and decision-making process.
Reference: RDARR Principle 9
5.10 Frequency
5.10.01 The institution has demonstrated that it assesses periodically the purpose of each report associated with the reporting of operational risk capital, including internal loss information, and sets requirements for how quickly the reports need to be produced in both normal and stress/crisis situations.
Reference: RDARR Principle 10
5.10.02 The institution has demonstrated that it has tested its ability to produce accurate reports within established timeframes and can demonstrate that these timeframes are being adhered to.
Reference: RDARR Principle 10
5.10.03 The institution has demonstrated that in times of stress/crisis all relevant reports containing operational risk capital data, including internal loss information, would be available within a short period of time allowing management to react effectively to evolving risks.
Reference: RDARR Principle 10
5.11 Distribution
5.11.01 The institution has demonstrated that documented procedures are in place to allow for rapid collection and analysis of operational risk capital data and timely dissemination of reports, balanced with the need to ensure confidentiality as appropriate.
Reference: RDARR Principle 11
6. Operational Risk Capital Data Storage/Retention/Security
6.01 The institution has documented policies, and has demonstrated that procedures are in place, for the storage, security, retention and archiving of operational risk capital data. This includes, where applicable, the procedures for logical/physical deletion of data and destruction of data storage media and peripherals.
Reference: DME Section IV
6.02 The institution has documented policies, and has demonstrated that procedures are in place, for the maintenance of back-ups of relevant data files, data stores and databases in a manner that allows for operational risk capital data/information to be secure and readily available.
Reference: DME Section IV
6.03 The institution has demonstrated that it has processes in place to ensure the availability of electronic versions for all relevant operational risk capital data and that these data are in a format that provides flexibility to enable searching, aggregation and reporting, and can be made accessible in Canada.
Reference: DME Section IV
7. Specific Expectations for Business Indicator Data
7.01 The institution has demonstrated that processes are in place for the consistent mapping of its general ledger and/or relevant OSFI returns to the line items in the BI. This includes a process for ensuring that Fee and Commission Income is reported on a gross basis, and that Fee and Commission Expenses includes all relevant expenses, including those netted against income, on the institution’s financial statements.
Reference: DME Section VI
7.02 The institution has demonstrated that processes are in place for the reconciliation between the BI reported on the capital adequacy return ("BCAR") and Net Interest Income and Non-Interest Income (as defined in OSFI’s P3 Return). This reconciliation is done quarterly.
Reference: DME Section VI
7.03 The institution has demonstrated that it conducts periodic independent reviews of the processes involved in the calculation and reporting of the BI component. At a minimum, this would include regular, effective and independent challenge by the institution’s second line of defense, and periodic independent reviews by the third line of defense.
Reference: DME Section VI
7.04 The institution can demonstrate that it has processes in place for the exclusion of BI data for divested activities, including OSFI approval.
Reference: CAR Ch. 3 (38)
7.05 The institution has established processes for disclosing those divested activities excluded from the BI in accordance with OSFI’s Pillar 3 requirements.
Reference: CAR Ch. 3 (38)
7.06 The institution has demonstrated that processes are in place to reflect mergers or businesses that have been acquired over the previous three years in the BI, as detailed in section 3.4.7 of CAR Chapter 3.
Reference: CAR Ch. 3 (39)

Footnotes

Footnote 1

Includes both internal operational loss data and the components used to calculate the Business Indicator.

Footnote 2

The draft Chapter 3 of the CAR, posted for public consultation in March 2021, is linked here: Capital Adequacy Requirements (CAR) Chapter 3 – Operational Risk
