Deputy Superintendent Angie Radiskovic keynote speech at the Canadian Institute’s 31st Flagship Conference on Regulatory Compliance for Financial Institutions

Speech - Toronto -

Check against delivery

Good morning.

It's a pleasure to be with you at the Canadian Institute's 31st Flagship Conference. I'd like to extend a warm welcome to all participants and to also thank the organizers for the invitation to speak here today.

The conference agenda covers a number of topics that are near and dear to my heart and are also timely and hugely relevant in today's uncertain world.

  • In preparing for today's remarks, I recalled that I had last spoken at this conference 6 years ago (the 25th flagship) on the topic of the "Evolution of Non-Financial Risks (NFR)". At that time, I headed up the newly named "NFR Group" which consisted of the Operational Risk Division (ORD), Compliance and a brand new Technology Risk Division (TRD). 2 things struck me when I found the 2019 poster – First, I looked a lot younger 6 years ago, and second, I had no idea back then that the "evolution" of NFR which I likely spoke about would pale in comparison to what was to come (a 1/100 year global pandemic, wars in Europe and the Middle East, and a fundamental breakdown in global trade), and if you did foresee it, certainly not all within a span of just 5 years!
  • We meet again now at a time of increasing change. The global risk environment is evolving rapidly—shaped of course by geopolitical shifts, trade uncertainties, technological disruption (AI!), and climate-related pressures. Undoubtedly, we are in a new era of persistent uncertainty, where resilience—both financial and operational—is not just a safeguard, but a strategic advantage.

In this environment, regulators and institutions alike must sharpen their focus—not only on what risks exist, but on how those risks interact, evolve, and compound one another. The pace and complexity of change demand a more dynamic approach to risk management—one that is forward-looking, data-informed, and grounded in sound judgment.

How OSFI's operating model and practices have evolved over this period

To meet the demands of this new era of persistent uncertainty, OSFI has evolved.

  • Earlier this year, we launched a new operating model that includes the creation of the Risk, Strategy and Policy (RSP) Sector. The RSP Sector is central to OSFI's continued advancement as a proactive and forward-looking regulator. It's where we align strategic thinking with regulatory & supervisory action. Our sector combines various functions related to data and analytics (DCM), strategy, corporate planning, and risk surveillance and assessments, as well as policy development and approvals, all working together to ensure OSFI anticipates, responds to and reports on risks with agility and precision. Our priorities include enhancing regulatory efficiency, modernizing guidance, and ensuring institutions – and the supervisors that assess them – are focusing on the right risks at the right time. RSP risk specialists focus on emerging risks, the evolution of current risks and their potential impacts to regulated constituents. In summary, we created this sector to become a more risk-aware, risk-focused and risk-responsive organization – not only for the risks we supervise and regulate against, but also when it comes to our own internal operations.
  • Of greater interest to this group is how OSFI has evolved in the area of NFR. Much of this work is housed within RSP and we work closely with other parts of OSFI, particularly with line supervisors. Within the NFR Group, TRD is now the largest team, having broadened its work from tech and cyber risk management assessments to developing and analysing incident reports submitted to us by Federally Regulated Financial Institutions (FRFIs). Corporate governance assessments shifted back to line supervisors, allowing us to expand our work into regulatory compliance and build out risk culture assessments – the Culture and Compliance Risk Division (CCRD). In recent years, ORD began to pay greater attention to the evolution of third-party risk management and continuity of critical operations which could be threatened by other risk events (for example, malicious cyber activity). As you know, the last 5 years have seen a corresponding and high level of activity in NFR guideline work – we created new guidelines and amended/modernized existing ones. Many of these you will be discussing today and tomorrow.
  • A foundational change was the renewal of OSFI's Supervisory Framework which we launched in April 2024. Now, one year later, we've conducted a review to gather feedback. Overall, the feedback we received was positive, key being that we're more granular in communicating our risk assessments—including on operational resilience—and this has led to better and more pointed risk conversations with Boards and senior managers. There is also room for improvement, including on refining and expanding rating definitions and indicators between risk levels. This will ensure greater clarity and transparency in how supervisors arrive at conclusions, especially for non-financial risks which are more qualitative in nature. I encourage you to register for our Industry Day on December 4th if you would like to learn more.
  • As this crowd well knows, Budget 2023 expanded OSFI's mandate requiring us to ensure that FRFIs have adequate policies and procedures in place to manage risks related to their integrity and security including from foreign interference. We formed a new sector, Integrity, National Security and Integrated Solutions, to collaborate with other parts of government, namely security and intelligence departments, on national security and foreign interference matters within the financial sector, including with FINTRAC. We issued the Integrity and Security Guideline in Jan/24. I&S assessments are greatly informed by the work of NFR, and so the teams work closely together to exchange information and to identify common areas of concern.
  • Finally, we've become more transparent with industry about what we consider to be the most material risks – writ large – that industry should focus on. We do this by issuing our Annual and Semi-Annual Risk Outlooks, also known as the ARO and the SARO, each Spring and Fall. In last month's SARO we reaffirmed four key risks: integrity and security (which had been climbing up steadily to the #1 spot), wholesale credit, funding and liquidity, and real estate secured lending. We also added two emerging concerns. First, tariff-related uncertainty and weaker macroeconomic performance on both sides of the border. And second, gradual increases in mortgage delinquencies, particularly in variable rate fixed payment mortgages.

Integrity/Non-financial risks work

Now that I've covered the risk environment and OSFI's operating model, I thought it might be useful to give you an overview of the Supervisory and Regulatory work we've done this past year, what themes arose from that work, and albeit preliminary, how our workplan for next year is shaping up.

Culture and compliance risk division

We conducted a number of standard Regulatory Compliance Management (RCM) reviews including cross-sector thematics with Supervision (20 FIs). Findings fall into what I would categorize as "low hanging fruit":

  • Gaps in Chief Compliance Officer (CCO) opinion and compliance testing programs related to scope of coverage and basis of conclusions
  • Inadequate controls to ensure that the regulatory compliance inventory remains current
  • Lack of clarity in Chief Risk Officer (CRO) accountabilities
  • The cross-sector review revealed a range of findings, from design of the RCM framework to independent review and governance

For next year, we're considering doing further work on CCO opinions, their coverage of monitoring and testing, and how transparently results are being reported especially to the Board. From a guidance perspective, we don't anticipate changes to E13 or to the Culture Regulatory Notice.

Technology risk division

As you well know, technology and cyber risks are growing in frequency and sophistication (particularly due to AI) and it is crucial that financial institutions manage these risks to remain resilient. OSFI takes this very seriously!

Our work this past year focused on Intelligence-led Cyber Resilience Testing assessments. The Intelligence-led Cyber Resilience Testing (I-CRT) framework is a supervisory tool that allows FRFIs to proactively identify and address issues with their cyber resilience. When a reportable cyber incident occurs, FRFIs are required to notify OSFI, as this reporting helps us identify systemic vulnerabilities and prevent future incidents.

We conducted several tech and cyber risk reviews against Guideline B-13 this year, as well as enhanced monitoring of disaster recovery plans (jointly with ORD). What we found:

  • On technology and cyber risk, while institutions are generally well protected from external threats, we identified weaknesses in identity and access management, network security, data loss prevention (links to some agenda items on data privacy), security awareness and disaster recovery.
  • Real-life testing of disaster recovery capabilities is often lacking, and gaps in change management practices have led to outages impacting customers.
  • We also noted a lack of visibility to senior management and the Board for key technology and cyber risks.

Next year, in addition to further work in I-CRT and tech & cyber reviews, we plan to look at disaster recovery, vulnerability management reviews, and cloud computing governance reviews. Guideline B-13 will remain unchanged next fiscal year.

Operational risk division

For ORD, our work this year was heavily focused on third party risk management. Aspects include criticality and inherent risk ratings, exit and contingency plans, and a third party due diligence cross-sector review. Reviews showed:

  • Third party exit and contingency plans lack details to be executable
  • Number and granularity of critical operations as determined by financial institutions vary significantly, with little correlation to an institution's size and complexity
  • The reliance on tabletop testing is insufficient to ensure critical operations can continue through a severe disruption.

Next year, ORD and TRD will partner up on a number of reviews related to business continuity, change management, and data protection. We also plan to do more work surrounding fraud and transaction processing risk management (as this impacts fraud losses).

In 2024, OSFI released final Guideline E-21: Operational Risk Management and Resilience.

This guideline:

  • enhances expectations for operational risk management.
  • sets new expectations for operational resilience, a vital component of our supervisory framework.
  • sets new expectations for business continuity risk management, crisis management, change management, and data risk management, all of which strengthen operational resilience.

Institutions are expected to implement E-21 by September/26. Some mid-sized financial institutions had not defined their critical operations in early Fall 2025 and may struggle to meet this deadline.

In 2023, we published the Third-Party Risk Management Guideline (B-10) and there will be no changes to B-10 next year.

In closing, I'd like to zoom out and give you a sense for how I anticipate our office will continue to evolve in the coming year or two.

Canada's financial system remains resilient. Our systemically important banks reported Common Equity Tier 1 (CET1) ratios averaging 13.7% in the most recent quarter which equates to $60 billion in excess capital beyond the regulatory minimum.

This financial resilience needs to be paired with adaptability – and by this, I mean OSFI's adaptability. As a regulator, we need to be smart, take well calibrated risks that support innovation, promote competitiveness and economic growth all the while maintaining the resilience in the system. We've started down the path on a number of initiatives. We have, for example, eliminated 52 documents or 600 pages of redundant, obsolete or trivial information from our guidance library and this reduction effort will continue. We're also undertaking to streamline application reviews for new entrants, enhance transparency of the application process, and reduce unnecessary regulatory friction to ensure that capable, well-governed organizations can enter the federal system in a more timely manner.

You will be hearing more, too, about how our risk priorities will become increasingly focused on credit risk, liquidity risk and corporate governance while deprioritising areas that pose less immediate risk to systemic stability.

Governance, board accountability and senior management suitability are foundational to the integrity of FRFIs and are undeniably prudential. We see this as a key risk because, as the financial landscape evolves, so too must governance standards and practices. Senior leaders and board members face growing pressures and increasingly challenging decisions. They must be well-equipped and held accountable, so we are exploring enhancing our current suitability and accountability regime through guidance. More to come on this in 2026, including through public consultation.

To conclude, resilience—operational, technological, and financial—is not optional. It is the cornerstone of a safe and sound financial institution and a stable financial system. Together, through strong risk management and collaboration, we can meet these challenges head-on.

Thank you again to the Canadian Institute for hosting this important event and I wish you all a productive conference.