Summary report: Supervisory Framework post-implementation review

Publication type: Supervisory Framework

    Background

    In April 2024, we launched a renewed Supervisory Framework to strengthen how we oversee federally regulated financial institutions and pension plans. After one year of implementation, we conducted a review to gather feedback and ensure the Framework remains effective and well-aligned to the changing risk environment.

    This report summarizes the key activities and findings from that review.

    What we did

    We gathered feedback from over one hundred participants, including:

    • financial institutions
    • Financial Institutions Supervisory Committee (FISC) partners
    • audit advisory committees
    • industry associations
    • OSFI staff

    We also analyzed data and trends from the first year of the Framework's implementation. This feedback confirmed the Framework's strengths and identified opportunities for further refinements.

    What we found

    Overall, the updated Framework improved supervisory effectiveness and communication. Specifically, it supports:

    • better risk conversations: The new Overall Risk Rating (ORR) and clearer supervisory letters make our expectations easier to understand and enable more meaningful discussions about risk.
    • earlier intervention: The Framework enhances our ability to respond to emerging risks and take earlier actions.

    The review also identified two key areas for improvement:

    1. “Weakest link” risk rating approach

      The ORR considers four rating categories: business risk, financial resilience, operational resilience, and risk governance. Currently, the weakest rating among these categories becomes the starting point for the ORR, and the ORR cannot be better than that rating – this is known as the “weakest link” principle.

      For financial institutions specifically, this approach may sometimes overstate the overall risk to viability, especially when non-financial risks drive the ORR.

      The review highlighted the need for more flexibility in our risk rating approach to ensure that the ORR accurately reflects the materiality of risk.

    2. Clarity and transparency in methodology

      We also found that there is a need for clearer assessment and rating methods, including greater transparency in how we arrive at ratings and how we incorporate integrity and security risks.

    Next steps

    We are developing an action plan to implement refinements to the Framework. We will introduce these refinements in phases through to the end of the 2026-27 fiscal year.

    Key areas include:

    • Introducing flexibility in the application of the weakest link principle: While the weakest link will remain foundational to the determination of the ORR, our methodology will consider circumstances where the ORR can be better than the weakest link to ensure that it accurately reflects the risk to viability.

    • Refining and expanding rating definitions and indicators: We will refine and expand our rating methodology to better distinguish between risk rating levels 1 through 8. This will ensure more clarity on how supervisors arrive at conclusions, especially for non-financial risks.

      Definitions will clarify that the absence of supervisory findings does not imply the absence of risk. As a prudential supervisor, we consider not only the quality of an institution’s risk management and controls but also the risk inherent to its business activities.

    • Clarifying our risk tolerance: We will further explain how ORRs align with Intervention Stage Ratings (Stages 0 to 4). ORRs rated 1 to 4 correspond to Stage 0 (not staged) and are tolerable, with standard supervisory activities applying. For institutions above Stage 0, risk control practices fall outside our tolerance. This, in turn, determines the level of additional supervisory attention required.

    • Explicitly integrating integrity and security risks into our risk assessment: We will more explicitly incorporate integrity factors within our evaluation of risk governance and security considerations within our operational resilience assessment. This will ensure integrity and security risks are more clearly identified and reflected in our risk assessment.

    We will share more details at Industry Day on December 4, 2025, and continue to keep stakeholders informed as we implement these refinements.