Supervisory ratings for financial institutions

On this page

    Tier Rating

    An institution’s Tier Rating is based on its size and complexity, as well as our view of the impact that its failure could have on the financial system. While we start with data, the assigned Tier Rating reflects our supervisory judgment.

    The Tier Rating guides the type of work that we carry out to identify risks, and it helps us apply our risk appetite.

    We assign the Tier Rating according to a 1 to 5 scale and update it when there is a material change in an institution’s profile. We use the same scale when assessing pension plans and this helps us apply our risk appetite consistently across our supervisory work. Table 1 outlines the definition of each Tier Rating.

    Table 1: Definition of Tier Rating
    Tier Definition
    1 High Large and/or complex institutions or pension plans with highest system impact
    2 Medium-High Large and/or complex institutions or pension plans with significant system impact
    3 Medium Mid-size institutions with moderate system impact | Large and/or complex pension plans
    4 Medium-Low Smaller and/or less complex institutions with low system impact | Mid-size and/or moderately complex pension plans
    5 Low Smallest, least complex institution with very low system impact | Small, least complex pension plans

    Institutions that are subsidiaries or affiliates of larger institutions may be assigned a Tier Rating of ‘Related Federally Regulated Financial Institution’ where the risk profiles of the institutions are closely linked.

    Tier Ratings are different from capital and liquidity categories for small and medium sized banks

    The Tier Rating is different from the criteria we use to segment small and medium-sized banks (SMSBs) into three categories to determine their capital and liquidity requirements. While there is often a correlation between the two assessments, this is not always the case.

    Overall Risk Rating categories

    An institution’s Overall Risk Rating (ORR) considers the following risk categories:

    • business risk
    • financial resilience
    • operational resilience
    • risk governance

    The Tier Rating determines the granularity of our risk assessment:

    • For small institutions (in Tier 5), we assign an ORR that considers these categories.
    • For larger institutions (in Tiers 1 to 4), we also assign ratings for each of these categories on the same 1 to 8 scale as the ORR.
    • Our internal assessment of the largest institutions (in Tiers 1 to 3) also includes a more detailed analysis of additional risks.

    Ratings are designed to respond quickly to the most serious risks

    Our rating approach focuses on identifying the most serious risks facing an institution. Experience shows that financial crises can develop rapidly, so we need to be ready to take prompt action to address problems.

    There are no weights in our framework. For institutions in Tiers 1 to 4, any category has the potential to drive the ORR. We rate each category according to the level of risk it poses to the viability of the institution. In this way, the rating combines an assessment of risk and importance.

    For institutions that receive individual rating categories, the category with the weakest rating becomes the starting point for the ORR. The ORR can’t be better than any of the rated categories. It can be worse, for example, where different issues lead to multiple categories being rated at the same level.

    We use category ratings to spotlight areas where change is needed

    Risks are often connected, and some issues will impact more than one category. For example, the supervisor may determine that risk culture is the root cause of an issue that impacts an institution’s operational resilience.

    In these situations, we use the category ratings to reflect risk implications and spotlight where change is needed.

    Business risk

    This category represents a forward-looking assessment of an institution’s business model sustainability.

    The supervisor considers the institution’s ability to achieve targets and generate capital in alignment with its risk appetite. We think about competitive pressures the institution faces and its ability to execute its strategic plan. Reputational risks are also reflected in this category.

    Our view of business risk includes the level of vulnerability to external factors. This sets the context for our assessment of the institution’s financial resilience.

    Business risk can provide an early indicator of increasing prudential risk. If an institution fails to address a damaged business model, a loss of confidence can follow resulting in financial stress.

    Our Corporate Governance guideline sets out expectations around corporate governance, including in relation to an institution’s business plan, strategy, and risk appetite.

    Financial resilience

    Our assessment of financial resilience reflects the institution’s ability to withstand financial stress. It considers its financial risk profile, capital, and liquidity.

    When assessing the financial risk profile, we look at risk levels and exposures as well as the effectiveness of risk oversight and controls.

    For insurance companies, we pay particular attention to the management of insurance risk. This includes liability valuation and provisioning, as well as underwriting, reinsurance, and other risk management practices. Our analysis of insurers also includes investment risk and asset and liability management.

    For deposit-taking institutions, typical considerations include credit risk and market risk in both the trading and banking book.

    We assess capital adequacy for financial resilience in severe but plausible stress scenarios. We consider capital management and the institution’s ability to identify, measure, and monitor risk. Our analysis is forward-looking and includes the institution’s contingency plan and access to capital.

    Finally, financial resilience includes consideration of liquidity adequacy, funding risk, and the strength of liquidity management. This is a particularly important consideration for deposit-taking institutions.

    Tables 2, 3, and 4 list some of the key guidelines that relate to financial resilience. You can find a complete list of guidelines here: Table of Guidelines.

    Table 2: Key guidelines for deposit taking institutions concerning financial resilience
    OSFI guideline Area of relevance
    Capital Adequacy Requirements (CAR) Capital requirements for deposit-taking institutions
    Leverage Requirements Guideline (LR) Leverage requirements for deposit-taking institutions
    Internal Capital Adequacy Assessment Process (ICAAP) (E-19) ICAAP expectations for deposit-taking institutions
    Liquidity Adequacy Requirements (LAR) Liquidity requirements for deposit-taking institutions
    Interest Rate Risk Management (B-12) Expectations for managing interest rate risk in the banking book
    Table 3: Key guidelines for insurers concerning financial resilience
    OSFI guideline Area of relevance
    Life Insurance Capital Adequacy Test (LICAT) Capital requirements for life insurers
    Minimum Capital Test (MCT) Capital requirements for property and casualty insurers
    Mortgage Insurer Capital Adequacy Test (MICAT) Capital requirements for mortgage insurers
    Own Risk and Solvency Assessment (ORSA) (E-19) Expectations for insurers Own Risk and Solvency Assessment
    Sound Reinsurance Practices and Procedures (B-3) Expectations for effective reinsurance practices and procedures for insurers
    Table 4: Key guidelines applicable for both deposit-taking institutions and insurers concerning financial resilience
    OSFI guideline Area of relevance
    Stress Testing (E-18) Stress testing expectations for deposit-taking institutions and insurers
    IFRS 9 Financial Instruments and Disclosures Expectations around the accounting and disclosure of financial assets and liabilities
    Residential Mortgage Underwriting Practices and Procedures (B-20) Expectations for prudent residential mortgage underwriting
    Derivatives Sound Practices (B-7) Expectations around derivative activities
    Model Risk Management (E-23/draft) Expectations around enterprise-wide model risk management

    Operational resilience

    The ability to deliver operations, including critical operations through disruption, is an outcome of effective operational risk management.

    When looking at operational resilience, the supervisor considers the ability of the institution to respond and adapt to potential disruptions. This category includes an assessment of technology, cyber, and operational risks. Operational risks include business continuity, third party, and data management.

    As with financial resilience, this category includes an assessment of risk levels and the effectiveness of risk oversight and controls.

    Table 5 lists some of the key guidelines that relate to operational resilience. You can find a complete list of guidelines here: Table of Guidelines.

    Table 5: Key guidelines concerning operational resilience
    OSFI guideline Area of relevance
    Operational Resilience and Operational Risk Management (E-21/draft) Expectations for operational resilience and operational risk management
    Integrity and Security Guideline Sets expectations for integrity and security
    Technology and Cyber Risk Management (B-13) Expectations for technology and cyber risk management
    Third-Party Risk Management (B-10) Expectations for third-party risk management

    Risk governance

    Effective risk governance is the ability to identify, assess, and manage risks appropriately. When assessing effectiveness, we consider culture, accountability structures, and the extent to which oversight functions provide independent and objective challenges.

    Our assessment of risk governance includes the frameworks used to identify, assess, and manage risks. Senior management is responsible for implementing board decisions and directing the operations of the institution.

    We look to the business and central functions of the institution to:

    • maintain an effective control environment,
    • manage risks arising from everyday operations, and
    • oversee the execution of the business strategy.

    Business management has a responsibility to identify, measure, monitor, manage, and report on risks.

    Enterprise-wide risk and compliance functions provide independent oversight and objective challenges over business management risk taking activities and compliance matters. This includes establishing frameworks and procedures to independently identify, measure, monitor, and report on risks.

    The internal audit function provides independent assurance to the board and senior management on the effectiveness of:

    • internal controls,
    • risk management, and
    • governance processes.

    Table 6 lists some of the key guidelines that relate to risk governance.

    Table 6: Key guidelines concerning risk governance
    OSFI guideline Area of relevance
    Corporate Governance Expectations for corporate governance
    Culture and Behaviour Risk (draft) Expectations for management of culture and behaviour risk
    Regulatory Compliance Management (E-13) Expectations for management of regulatory compliance risk

    Climate risk considerations are reflected in ORRs

    Climate change is an example of a new risk type that is evolving rapidly. It has the potential to significantly affect the safety of individual institutions and the system more broadly.

    Climate risk considerations are relevant to all rating categories. We consider the institution’s level of financial and operational resilience to climate change, including physical and transition risks. We also look at the impact on business strategy, as well as the effectiveness of governance and risk management.

    Where we identify a climate risk issue, it is reflected in the relevant rating category. The ORR can be driven by climate risks when these are significant in our assessment of the institution’s viability risk.

    Our Climate Risk Management guideline establishes expectations related to the management of climate-related risks.

    Overall Risk Rating scale

    ORRs map directly to OSFI’s existing Intervention Stage ratings as shown in Table 7. You can read more about our approach to intervention in our Guide to Intervention.

    Table 7: ORR scale for institutions
    ORR Description Stage
    1 Minimal 0
    2 Low 0
    3 Moderate 0
    4 Watchlist 0
    5 Early warning 1
    6 Material 2
    7 Serious 3
    8 Non-viability imminent 4

    We use ratings to signal a need for early corrective action

    Institutions are categorized as Stage 0 (or not staged) when no significant problems are identified. For the ORR, we split Stage 0 into four distinct rating categories to give financial institutions a better sense of how we view their risk profile. The expanded scale also helps us signal when an institution needs to take early action to address supervisory concerns.

    We assign an ORR 1 when no significant issues are identified. We don’t expect perfection at this level. Issues could come up, but there is confidence in the institution’s ability to manage them. As a result, there is a minimal level of risk to viability.

    An ORR 2 means that an institution has low risk. We’re looking for the institution to make some changes to address issues that are identified, but these are not expected to have a significant impact on financial performance or critical operations.

    An ORR 3 means that than an institution has a moderate risk. While there is no anticipated risk to viability, we have identified issues that could significantly impact financial performance or critical operations unless they are addressed by the institution.

    An ORR 4 is described as watchlist to make it clear that identified issues need prompt attention or the institution is likely to be subject to formal intervention (a Stage rating of 1 or higher).

    For higher ratings, we think about how quickly threats are developing

    An ORR 5 is assigned to institutions that are in Stage 1 and is an early warning of issues that could impact viability. At this rating level, the impact to viability is not expected to occur within two years based on available information.

    An ORR 6 corresponds to Stage 2. At this level, the institution poses material safety and soundness concerns. While the threat to viability is not immediate, it could occur within two years.

    An ORR 7 is assigned, and the institution is placed in Stage 3, when future viability is in serious doubt. The institution has severe safety and soundness concerns that could affect viability within one year.

    An ORR 8 is assigned to institutions in Stage 4. At this point, non-viability is assessed as imminent.

    We recognize that there can be significant uncertainty in assessing timelines for risks to viability. Our ratings are informed by evidence and analysis but ultimately reflect supervisory judgment. Ratings are updated when new information indicates that risks are changing.