Audit of Supervision Small and Medium Sized Banks – Management Action Plans

Publication type
Audit
Date

Management response to the audit

We appreciate the Internal Audit review and accept the findings and recommendations.

The audit provides a constructive assessment of our supervisory practices. It also highlights opportunities to improve clarity, consistency, and formalization in ways that will strengthen our control environment and supervisory effectiveness.

We will address the recommendations in a timely and coordinated way, in partnership with the Supervision Institute and other internal stakeholders. We are building on progress already underway, including developing the Supervision Digital Information Access Management Procedure, rolling out new tools to support isolation pod access monitoring, enhancing sensitive supervisory information (SSI) guidance, developing a progressive supervision training program, updating monitoring and intervention guidance, and introducing a new functionality in Vu to improve centralized tracking of intervention measures. Together, these initiatives provide a strong foundation for our action plans and for the continued strengthening of supervisory practices.

Recommendation #1 (Medium Risk)

(i) Clarify roles and responsibilities related to the safeguarding of SSI; and (ii) Develop and communicate guidance to safeguard SSI within OSFI risk appetite.

Planned actions to support the recommendation

  • Milestone 1: Finalize and publish the Prescribed Supervisory Information (PSI) Procedure and eCourse.

  • Milestone 2: Review, communicate, and reinforce formal guidance on information access to digital supervisory information and the safeguarding of SSI.

    Guidance will establish responsibilities and accountabilities (including lead supervisor (LS) and central support roles) for control access management and monitoring for eSpace restricted docsets and Vu isolation pods.

  • Milestone 3: Deliver an information / Q&A session to supervision staff (including non-financial risk specialists and Integrity and Security Risk Division) and leaders on updated SSI requirements, including monitoring expectations, and escalation procedures.
  • Milestone 4: Strengthen awareness of, and compliance with, security requirements through targeted change management activities aligned with enterprise direction and CISO‑led initiatives.

Target milestone completion

  • Milestone 1: Q1 2026-27
  • Milestone 2: Q2 2026-27
  • Milestone 3: Q3 2026-27
  • Milestone 4: Q4 2026-27

Accountability

  • Milestone 1:
    • Katie Brown (SMSC / SI)
    • Carolyn Bourque (Supervision Learning and Development [SLD] / SI)
  • Milestone 2:
    • Katie Brown (Supervision Methods, Standards, and Controls [SMSC] / Supervision Institute [SI])
    • Dennis van Welie (Supervision Central Office [SCO] / Supervision Quality Assurance Division [SQAD])
  • Milestone 3:
    • Steve Bevington, Domestic Banking (DB)
  • Milestone 4:
    • Natasha Scott (Supervision Outreach and Integration [SOI] / SI

Target overall completion

Q4 2026-27

Recommendation #2 (Medium Risk)

Develop and implement controls to facilitate the oversight of adherence to SSI guidance.

Planned actions to support the recommendation

Milestone 1: Implement operational changes and controls in alignment with formal guidance on information access to digital supervisory information and the safeguarding of SSI, including effective and efficient monitoring processes.

Target milestone completion

Q3 2026‑27

Accountability

  • Katie Brown (SMSC / SI)
  • Dennis van Welie (SCO/SQAD)

Target overall completion

Q3 2026-27

Recommendation #3 (Medium Risk)

Conduct a comprehensive skills and knowledge gap analysis to map to existing training or devise a plan for additional training required.

Planned actions to support the recommendation

  • Milestone 1: Domestic Banking to participate in the supervision learning and development needs analysis that will inform the SI 2027-28 delivery plan.

    *Note that, in addition to its annual needs analysis, SI considers formal job descriptions as well as other sources (for example, risk outlooks, emerging risks, senior leadership requests, etc.) in the identification of skills and knowledge requirements.

  • Milestone 2: Develop a LS development roadmap to set clear expectations.
  • Milestone 3: Leverage quarterly monitoring roundtables to support knowledge in Domestic Banking to support the development of knowledge and skills regarding each of the Supervisory Framework’s pillars.

Target milestone completion

  • Milestone 1: Q1 2026-27
  • Milestone 2: Q4 2026-27
  • Milestone 3: Q4 2026-27

Accountability

  • Milestone 1:
    • Carolyn Bourque (SLD / SI)
    • Steve Bevington (DB)
  • Milestone 2:
    • Carolyn Bourque (SLD / SI)
  • Milestone 3:
    • Steve Bevington (DB)

Target overall completion

Q4 2026-27

Recommendation #4 (Medium Risk)

Partner with Supervision Institute to assess current documentation and communication expectations and update related guidance as needed, strengthen vertical review and quality control, and reinforce alignment across key monitoring outputs.

Planned actions to support the recommendation

  • Milestone 1: Management will reinforce expectations for properly documenting risk assessments in monitoring templates in accordance with the Monitoring Standard through Goal Commitment Documents, vertical review processes, and during our quarterly round tables.
  • Milestone 2: Implement revisions to methodology and tools to clarify expectations regarding the treatment of related institutions as part of the Supervisory Framework post-implementation review work.

Target milestone completion

  • Milestone 1: Q1 2026-27 and ongoing thereafter
  • Milestone 2: Q4 2026-27

Accountability

  • Milestone 1:
    • Steve Bevington (DB)
  • Milestone 2:
    • Katie Brown (SMSC / SI)

Target overall completion

Q4 2026-27

Recommendation #5 (Low Risk)

Complete intervention guide updates, activate new functions to centralize the tracking of intervention measures and de-stage conditions, and provide training to supervisors as needed.

Planned actions to support the recommendation

  • Milestone 1: Establish and implement an approach to centralize tracking of intervention measures and de-stage conditions.
  • Milestone 2: Complete intervention guide updates (including life and property and casualty).
  • Milestone 3: Deliver intervention training.

Target milestone completion

  • Milestone 1: Q3 2026-27
  • Milestone 2: Q4 2026-27
  • Milestone 3: Q2 2027-28

Accountability

  • Milestone 1:
    • Katie Brown (SMSC / SI)
  • Milestone 2:
    • Katie Brown (SMSC / SI)
  • Milestone 3:
    • Carolyn Bourque (SLD / SI)
    • Darren Gault (Crisis Response Unit)

Target overall completion

  • Q2 2027-28
Report a problem or mistake on this page
Please select all that apply:
Date modified: