Oversight Expectations for TSA & AMA Institutions
Guidance to be rescinded
As a result of OSFI's policy review, this guidance was identified as outdated, redundant, or no longer fit-for-purpose. It will be rescinded and removed from the website by April 1, 2025.
I. Introduction
The purpose of this implementation note is to provide guidelines and practices for Corporate Governance at institutions
Institutions that are implementing the Basic Indicator Approach (BIA), and are therefore not subject to OSFI's Operational Risk Assessment Process
This implementation note sets out principle-based requirements and expectations for TSA and AMA institutions.
II. Background
As part of OSFI's Operational Risk Assessment Process
The guidance outlined in this document is consistent with OSFI's assessment of the effectiveness of an institution's corporate governance and risk management and control practices as described in OSFI's Supervisory Framework and Corporate Governance Guideline. OSFI will use its reliance-based supervisory approach for assessing the appropriateness and effectiveness of operational risk management and control practices at TSA and AMA institutions, and for assessing their ongoing adherence to minimum requirements.
III. Guidelines & Practices
An institution's operational risk management framework consists of those policies and practices that govern the identification, measurement/assessment, control and monitoring, and reporting of its operational risk.
An institution must ensure that appropriate controls are in place to ensure ongoing adherence to all applicable CAR requirements relative to TSA or AMA, as appropriate.
1. Senior Management
Senior Management should play an active role in the oversight and management of the operational risk management framework. Senior Management is accountable for the effective implementation of an operational risk management framework that is appropriate to the institution's risk profile.
Senior Management accountabilities include:
- Having a clear understanding of the institution's operational risk profile, including the internal and external sources of operational risk to the institution,
- Establishing an appropriate tolerance or appetite, which may include a range of qualitative and/or subjective statements, as appropriate, for the types and/or level of operational risk the institution may take on,
- Having a clear understanding of the impact of applying the operational risk approach at the institution (i.e. TSA or AMA),
- Establishing specific authority, resource, responsibility and reporting to ensure accountabilities for implementation and management of the operational risk management framework,
- Overseeing that the operational risk management framework is appropriate to the circumstances of the institution, is consistently applied across the institution as appropriate, and remains effective over time,
- Approving the policies, procedures, standards and supporting documentation relating to the operational risk management framework,
- Reviewing reports on the status of the institution's operational risk exposures and management activities, including the status of significant operational risk events, and
- Ensuring the operational risk management framework, and adherence to it, is subject to regular independent reviews.
Senior Management of AMA institutions is expected to follow certain additional requirements. Senior Management should:
- Clearly understand the measurement systems and processes affecting the operational risk management framework and its impact on operational risk capital,
- Be satisfied that the measurement systems and processes include the key elements, including the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems,
- Satisfy itself and assure the Board that the operational risk management framework and measurement systems are conceptually sound and meet the use test, such that the system is closely integrated with the institution's day-to-day risk management processes, and
- Be aware of emerging industry operational risk measurement and management practices.
Please refer to OSFI's Corporate Governance Guideline for OSFI's expectations of institution Boards of Directors with regard to the management of capital and liquidity.
2. Operational Risk Management Function
TSA and AMA institutions are expected to have an operational risk management function (ORMF) that is responsible for the enterprise-level design and implementation of the bank's operational risk management framework. In this respect, a function is defined as a specific organizational unit made up of one or more persons dedicated to operational risk management. However, paragraph 39 of Chapter 8 of the CAR guideline recognizes that the size and complexity of TSA institutions may not warrant the existence of a specific organizational unit dedicated to operational risk management
The operational risk management responsibilities include:
- Developing strategies to identify, assess/measure, monitor and control/mitigate operational risk,
- Establishing and documenting firm-wide policies and procedures relating to the bank's operational risk management framework and management of operational risk exposures, as appropriate,
- Ensuring that there is a means to systematically track relevant operational risk data, including material losses,
- Designing and implementing a risk-reporting system for operational risk, and
- Ensuring that adequate processes and procedures exist to provide appropriate oversight of the institution's operational risk management practices.
In order to ensure compliance, the institution should have a documented set of internal policies, controls and procedures concerning the operational risk management framework, including policies for the treatment of non-compliance issues and exceptions. The operational risk management function and the business units must be subject to review, testing and verification by Internal Audit (or an equally independent function) to assess the overall effectiveness of their internal controls and their adherence to the operational risk management framework.
In line with paragraph 48(a) of Chapter 8 of the CAR Guideline, an ORMF at AMA institutions must be functionally independent. An AMA ORMF should be able to demonstrate that it can provide independent and objective assessments to Senior Management on the institution's operational risk exposures and the effectiveness of operational risk management practices. Therefore, in addition to the above, AMA ORMFs responsibilities should include:
- Designing and implementing the firm's operational risk measurement methodology,
- Ensuring that the operational risk measurement processes are closely integrated into the risk management processes of the institution, and
- Defining the roles of model development and validation, ensuring there is separation between the two roles.
3. Reporting
Effective management of operational risk includes regular and timely reporting to Senior Management and business unit management. The nature and scope of reporting should be appropriate to the needs of the audience receiving the report. The frequency and content of internal operational risk reporting should be reflective of the nature, scope, and complexity of the risk profile of the institution. For example, Senior Management may require information such as trends, levels of exposure and key issues on a regular basis. Conversely, operational management will require detailed information more frequently to effectively manage day-to-day operational risk. Institutions should have practices for taking appropriate action based on the operational risk reporting.
The operational risk reporting should include the following fundamental information:
- Operational risk capital charge, as appropriate,
- Relevant operational risk data including material losses by business line, and
- Results of relevant assessments of business environment factors, risk and control self-assessments or other internal control factors.
4. Internal Audit
As per the CAR guideline, external audit reviews of an institution's operational risk assessment system are not mandated by OSFI.
Internal Audit (or an equally independent function) is expected to assess the effectiveness of the institution's internal controls over the operational risk management processes and measurement systems intended to ensure adherence to TSA or AMA requirements. The scope and frequency of internal audit reviews should be commensurate with the operational risk within an activity.
Internal Audit activities should include, but not be limited to:
- Assessing the effectiveness of the institution's internal controls, including the design elements of internal controls, intended to ensure adherence to TSA or AMA requirements,
- Determining the scope and frequency of Internal Audit activities in a manner consistent with its audit methodology and principles,
- Assessing the adequacy of resources and skills required to perform this audit work, and
- Conducting periodic assessments of the effectiveness of the institution's internal controls over the operational risk management processes on an institution-wide basis. These assessments must include both the activities of the business units and of the operational risk management function.
In addition to the above, Internal Audit at AMA institutions should include the following activities:
- Assessing the effectiveness of the institution's internal controls over the operational risk models and risk measurement systems of the operational risk management framework, including data integrity and validation processes.