Final Guideline E-21 – Operational Risk Management - Letter (2016)

Publication type
Sound Business and Financial Practices
Foreign Bank Branches,
Trust and Loan Companies,
Life Insurance and Fraternal Companies,
Property and Casualty Companies

To: Federally Regulated Financial Institutions (FRFIs)

The Office of the Superintendent of Financial Institutions (OSFI) is issuing the final version of its guideline on Operational Risk Management. The guideline reinforces OSFI’s expectations regarding the management of operational risk through a consolidated piece of guidance. The guideline applies to all federally regulated financial institutions and contains a principles-based approach to regulatory requirements that reflects the nature and complexity of the institutions OSFI supervises. This means that our principles-based guidance will be scaled to reflect these considerations in the course of supervisory oversight. In addition, the requirements of the guideline are consistent with those of OSFI’s Corporate Governance Guideline.

The final version of the guideline incorporates revisions resulting from comments received during the public consultation process, which began in August 2015. The attached Annex summarizes material comments received from industry stakeholders and provides an explanation of how they have been addressed. We thank all those who participated in the consultation process.

It is OSFI’s expectation that full implementation of the principles within the guideline will be achieved no later than June 2017.

Mark Zelmer
Deputy Superintendent


Operational Risk Management Guideline – Summary of Consultation Comments and OSFI Responses
Industry Comments OSFI Response

Proportionality / Principles Based Approach / Supervisory Expectations

Industry comment: Some commenters requested that the final version of the guideline should be less prescriptive and more principles based.

OSFI response: The Guideline has been revised to more clearly distinguish between principles based expectations and emerging sound practices. Emerging sound practices may be recommended by OSFI Supervisors based on the nature, size, complexity and risk profile of the institution.

Implementation / Timing

Industry comment: It was requested that the one year implementation period noted in the public consultation be adjusted to a 3-5 year implementation period.

Industry comment: A question was raised regarding how capital requirements will interact with the more general operational risk management expectations outlined in the guideline and whether increased resources for operational risk management should result in reduced required capital for operational risk.

OSFI response: Based on OSFI reviews, federally regulated financial institutions have made significant progress in their operational risk management practices over the past several years. OSFI views the one year implementation as reasonable given the principles based nature of the guideline and the progress that has already been achieved by federally regulated financial institutions.

OSFI response: The focus of this guideline is on general operational risk management expectations and not on capital requirements outlined in other guidelines. OSFI recognises that operational risk is an evolving discipline. Over time, as industry and OSFI gain experience with more formal operational risk management programs, OSFI would be willing to discuss what steps could be taken with respect to the link between demonstrated improvements in operational risk management and the capital requirements for operational risk.

Enterprise Risk Management Approach

Industry comment: Some commenters enquired as to whether operational risk needs to be differentiated from overall enterprise risk management.

OSFI response: In OSFI’s view, operational risk management spans a range of internal processes and there is value in separating operational risk from overall risk management. With specific reference to the Risk Appetite Statement, operational risk can be an accompaniment to the overall Risk Appetite framework.

Use of tools

Industry comment: It was noted that the draft guideline placed too much emphasis on details regarding tools to be used in managing operational risk.

OSFI response: The details regarding the operational risk management tools have been moved to an Annex so that the main part of the guideline focuses on operational risk management principles.

Risk Appetite Statement: quantification of operational risk

Industry comment: The view was expressed that the risk appetite statement section was not clear as to how expectations would be different for varying federally regulated financial institutions.

OSFI response: Principle 2 has been amended to clarify OSFI’s expectation that FRFIs develop and utilise an operational risk appetite statement, or in the case of small, less complex FRFIs with lower operational risk profiles, reporting/escalation thresholds for material operational risk events.