Supervisory Framework Renewal – Briefing – Fall 2023

Speech -


We provided a briefing on our new Supervisory Framework to federally regulated financial institutions in early November 2023. This page provides a summary of that briefing.

The Supervisory Framework guides our supervision of regulated financial institutions and private pension plans. The framework recognizes the specific nature of the different industries we regulate.

The material here focuses mostly on financial institutions. We are going to hold an event for pension industry stakeholders in early 2024.

Why we are updating the framework

History of OSFI’s Supervisory Framework

Our Supervisory Framework has served us well since it was first introduced in 1999. Limited updates were made in 2010. The risk environment is changing rapidly, and we are modernizing our approach to ensure it remains fit for purpose.

Our approach to developing the new framework

We undertook the following initiatives to help inform the design of the new framework.

Benchmarking peer review

A benchmarking review was conducted by 5 international peer regulators. We also held bilateral discussions with other regulatory authorities.

Supervisory roundtables

Supervisory roundtable discussions were held among 9 foreign regulatory agencies to discuss technical areas and best practices.

While the international research informed our work, the design of the new framework reflects our prudential mandate and priorities as a regulator.

Internal focus groups

We ran focus groups in early 2022 to get feedback from a representative mix of OSFI supervision staff.

Our vision for the new framework

While our Supervisory Framework is changing, supervisory judgment will remain a core part of OSFI’s principles-based approach. With the modernization of our framework we are looking to:

  • Better capture the impact of systemic and macro-centric risks on entity risk profiles
  • Enable early correction action through greater differentiation in risk ratings, particularly within Stage 0
  • Build in flexibility in the framework to accommodate new risks
  • Leverage data and advanced analytics more extensively
  • Streamline and simplifying our supervisory processes

Framework scope

The new framework will apply to all federally regulated financial institutions and private pension plans.

The framework is designed to be flexible, and we will update it when needed.

The changes to the framework have no direct impact on intervention stage ratings and these will continue to be assigned on the same scale. These stage ratings will be an ‘anchor’ to our intervention activities as other elements of our framework change.

The recent expansion of OSFI’s mandate does not have an immediate impact on the new framework, but some updates are possible in the medium term.

Supervisory communication with regulated institutions is private and the confidentiality of supervisory information is protected by statute.

Notable changes

  • An expanded 8-point scale for risk ratings
  • More information for regulated institutions about drivers of their rating
  • Closer linkage to OSFI’s risk appetite
  • Introduction of new risk categories (business risk, financial resilience, operational resilience and risk governance)
  • Integration of climate risk considerations
  • Creation of additional capacity for risk-based supervisory work

A closer look at the new Framework

Three key elements of the new Framework

  1. The Tier rating reflects size and complexity, with consideration of potential contagion in the event of failure
  2. The Overall Risk Rating (ORR) reflects the risk of failure (level of overall risk to the financial viability) of a financial institution or the risk to security of member benefits for a pension plan. The ORR will be reflected on an 8-point scale, providing more information about risk position
  3. Greater emphasis is placed on achieving sound supervisory outcomes by providing more information to institutions to help them address any supervisory concerns

Supervisory intensity will be driven by the combination of the Tier rating and the Overall Risk Rating.


The purpose of tiering is to create a consistent risk-based approach to supervision in alignment with OSFI’s risk appetite.

Tier Definition
1 High Failure would materially impact stakeholders and/or financial stability
2 Medium-High Failure would materially impact stakeholders and/or financial stability
3 Medium Failure may result in moderate systemic consequences
4 Medium-Low Failure would result in little to no systemic consequences
5 Low Failure would have no systemic impact

Tier ratings are assigned based on size and complexity and consider factors such as interconnectedness and substitutability. The Tier rating will be communicated privately to institutions.

The Tier ratings will help us apply our risk appetite. There’s a direct link between the Tier rating and the number of categories that need to be rated.

Overall Risk Rating (ORR)

The ORR replaces the current Composite Risk Rating (CRR) and reflects our assessment of the overall level of risk to the financial viability of a financial institution. There are four risk categories contributing to the ORR:

  1. Business risk is the risk to viability arising from the business model
  2. Financial resilience is the ability for an institution to withstand financial stress given its financial risk profile, capital and liquidity
  3. Operational resilience reflects the ability of an institution to deliver its operations, including critical operations, through disruption. It is a prudential outcome of effective operational risk management
  4. Risk governance evaluates the institution’s ability to identify significant risks and manage their impact

These categories are reflected in an ORR scorecard. The scorecard will record our risk assessment of a financial institution and provide a consistent approach to rating risks.

All of the four risk categories have the ability to drive the ORR outcome since there are no fixed weights or formulas in the scorecard. Each rating speaks to the risk to viability associated with the issues that have been identified for that category.

We will communicate ratings for the four risk categories to larger institutions (in Tiers 1-4). This communication is private and the confidentiality of supervisory information is protected by statute

Key features of the ORR Scorecard

The new scorecard is dynamic. The risk categories that need to be rated depend on the industry and tier of the entity.

Our ratings focus on identified risks, or things that we want to see change at the regulated institution. Ratings will be updated when the institution achieves the supervisory outcomes we are looking for.

Our ratings are focused on enterprise level assessments. We are moving away from assigning ratings at the significant activity or business line level. This will increase our capacity for risk-based work.

Some of the issues that we identify will impact more than one rating category. This helps us ‘spotlight’ any concerns and supports outcome-focused communication.

The Overall Risk Rating cannot be better than the weakest category rating. That’s because each category rating speaks to the level of risk to overall viability related to the issues that have been identified for that category. In some situations, we will assign an Overall Risk Rating that is worse than the category ratings. This might be done when there are problems across multiple categories.

Climate risk is an important area of focus and we’ve developed the new framework to support this work. Climate risk considerations can impact all of the new rating categories. We therefore show climate as a transverse risk. Significant climate-rated risks will be reflected in our rating of the relevant category. When we communicate with institutions it will be clear when climate risk is an issue.

Rating scale

The ORR has an expanded 8-point rating scale that maps to existing intervention stage ratings. Stage 0 is broken down into four categories to support our ability to take early corrective action. All risk categories will be rated using the 8-point scale.

ORR Rating Scale
Rating Rating description Stage
1 Minimal - No significant issues identified 0
2 Low - Issues are unlikely to impact financial performance or critical operations 0
3 Moderate - Issues could impact financial performance or critical operations unless addressed 0
4 Watchlist - Issues expected to impact financial performance or critical operations unless addressed promptly 0
5 Early warning - Issues could impact viability, but this is not expected within two years 1
6 Material - Issues could impact viability within one to two years 2
7 Serious - Issues raise serious doubts about viability within one year 3
8 Non-viability imminent - Non-viability is imminent 4

Outcome-focused supervision

A key focus of the new framework is to give financial institutions and pension plans more information to help them address any supervisory concerns. As noted previously, our communication with regulated institutions is private and the confidentiality of supervisory information is protected by statute.

We will provide institutions in Tiers 1-4 with ratings for the four risk categories in addition to the Overall Risk Rating.

We’re also introducing a new category of ‘urgent’ findings in supervisory letters to identify particularly serious concerns and help institutions prioritize remediation activity.

Agility of the new Supervisory Framework

Agility is a key feature of the new framework. In a fast-moving risk environment, we need to be ready to respond quickly. Our new approach has been developed with this in mind.

  1. Risk ratings can be updated dynamically once an issue(s) is identified and documented; it is assessed to determine potential impact on viability.
  2. New risk rating determined based on the weakest rating in any category. Driven by actions OSFI is looking for the financial institution or pension plan to change.
  3. As a financial institution or pension plan grows, there is greater supervisory intensity.

Impact for regulated financial institutions

What is changing

  • Institutions will receive an ORR instead of a CRR; assessed on an 8-point rating scale.
  • In addition to the ORR, four risk category ratings will be provided to tier 1-4 institutions.
  • Introduction of “urgent findings” in supervisory letters

What is staying the same

  • Intervention stage ratings will continue on the existing scale. These stage ratings provide an ‘anchor’ to our intervention activities as other elements of the Framework change.
  • Institutions will continue to receive annual and interim supervisory letters.
  • The rating and recommendations shared by OSFI will still be prescribed supervisory information.
  • Information requests and interaction with OSFI’s lead supervisors will remain unchanged to support OSFI risk assessments.

Commitment to transparency

  • Our objective is to provide more information about our assessments to help address any supervisory concerns. We expect this will lead to a richer dialogue and better assessments.
  • The framework provides a structure for our risk assessment. As such, we do not conduct public consultation about changes to the framework. We are communicating with stakeholders to explain why and how the framework is changing, and how it will impact you.
  • As part of our commitment to continuous improvement we will carry out a post-implementation review as well as holistic reviews at least once every five years.

Key milestones and timeline

A summary of key milestones until the new Framework effective date are reflected below:

  • Sep 2023 – Commenced info sessions with largest institutions
  • Nov 2023 – Industry webinars
  • Feb 2024 - Publication of new Framework content on OSFI’s website
  • April 2024 – New Framework effective


  • If you have questions, please reach out to your OSFI Lead Supervisor
  • Maria Moutafis (Senior Director of Supervision Methods, Standards and Controls) can also be contacted at SFR‑RCS@osfi‑