Office of the Superintendent of Financial Institutions
This guideline outlines OSFI’s expectations with respect to an institution’s internal capital adequacy assessment process as described in Part 3 of the Basel II Framework.
Footnote 1 It applies to banks, bank holding companies and to federally regulated trust and loan companies, collectively referred to as institutions.
Capital Adequacy Requirements (CAR) guideline establishes minimum standards for calculating minimum or target regulatory capital requirements.
OSFI’s supervisory review process evaluates the inherent risk within each significant activity undertaken by an institution and then evaluates the quality of the risk management applied to mitigate these risks. OSFI’s assessment of an institution’s ICAAP supplements its independent assessment of inherent risk and risk management, and can result in fine-tuning of these assessments.
Capital requirements specified in the CAR guideline are regulatory minimums that assume an institution has a portfolio of risk exposures that is highly granular and widely diversified. Because minimum regulatory capital requirements contain restrictive or simplifying assumptions, an institution should not rely only on compliance with regulatory minimums when conducting its own assessment of the adequacy of its capital.
A thorough and comprehensive ICAAP is a vital component of a strong risk management program. The ICAAP should produce a level of capital adequate to support the nature and level of an institution’s risk. Each federally-regulated deposit-taking institution is responsible for developing and implementing its own ICAAP for the purpose of setting internal capital targets and developing strategies for achieving those internal targets that are consistent with its business plans, risk profile and operating environment.
From OSFI’s perspective, ICAAPs provide additional information that can aid in assessing inherent risk and may point to the need for additional supervisory work as part of the normal course Supervisory Review Process. While OSFI makes use of information gleaned from an institution’s ICAAP to assess the quality of risk management, OSFI does not approve an institution’s ICAAP.
OSFI expects federally regulated deposit-taking institutions, including Canadian subsidiaries of foreign banks, to put into place an ICAAP that covers the consolidated operations from the top level regulated entity in Canada. The consolidated approach means that a formal ICAAP is not required at every legal entity below the Canadian parent institution.
Although an ICAAP should cover the consolidated operations from the top level regulated entity in Canada, OSFI expects an institution’s capital planning to consider the risks of its foreign operations and also the availability of capital and assets in Canada to protect Canadian depositors.
Canadian subsidiaries of foreign banks may borrow from consolidated group methodologies for assessing risk. However, a foreign bank subsidiary’s ICAAP should reflect its own circumstances, and group-wide data and methodologies should be appropriately modified to yield internal capital targets and a capital plan that is relevant to the foreign bank subsidiary.
A rigorous ICAAP has six main components:
While these fundamental features of ICAAP are broadly prescribed, there is no single ‘correct’ approach, and one approach does not fit all institutions. An institution’s ICAAP should be as simple or complex as needed, and should reflect how the institution is managed and organized in practice. It should not be established solely to fulfill a regulatory requirement.
The extent of formalization and sophistication of ICAAPs will differ, depending on the institution’s complexity, range of business activities, risk profile, and operating environment.
Senior management is responsible for overseeing the design and implementation of the institution’s ICAAP. In order to perform an effective assessment of its capital adequacy, an institution should have in place a sound risk management process. Management should understand the nature and level of risk taken by the institution and how this risk relates to adequate levels of capital. Management should also ensure that the formality and sophistication of the risk management processes are appropriate for the risk profile and business plan of the institution.
As part of the strategic planning process, an institution should perform an analysis of its current and future capital requirements in relation to its strategic objectives. The strategic plan should clearly describe the institution’s capital needs in relation to, among other things, anticipated balance sheet growth and acquisitions, the Risk Appetite FrameworkFootnote 2 and access to external capital resources.
Please refer to OSFI’s
Corporate Governance guideline for OSFI’s expectations of institution Boards of Directors in regards to the management of capital and liquidity.
Capital planning is a crucial element in an institution’s ability to achieve its desired strategic objectives. A sound capital assessment process should include the following elements:
Most institutions consider several factors in relating capital to the level of risk, for example:
Institutions with more complex and diverse risk profiles will also use risk modeling techniques and integrated scenario analyses to estimate the risks that they may incorporate into their overall assessment of capital adequacy. Quantifiable estimates of risk used in this assessment should also have a business use (i.e., should not be made solely for use in ICAAP) and should be subject to validation. As economic capital (EC) models were designed as a relative measure of risk to be used for performance measurement and pricing, the assumptions underlying these models typically hold under normal conditions and not under the stressed conditions considered in ICAAP. Although EC models provide useful inputs to ICAAP, EC is not a substitute for ICAAP.
In evaluating the adequacy of capital relative to risk and in making decisions on the appropriate level and structure of capital, smaller, less complex institutions may continue to rely heavily on well documented, qualitative considerations. Qualitative considerations may include implicit or explicit regulatory and market expectations, peer group analysis, and the results of forward- looking stress tests and sensitivity analyses of the components of risks that should be covered by capital. For risks that can not be directly quantified (e.g., reputational risk), all institutions may use well documented, qualitative considerations.
An effective capital planning process requires an institution to assess both the risks to which it is exposed and the risk management processes in place to manage and mitigate those risks; evaluate its capital adequacy relative to its risks; and consider the potential impact on earnings and capital from potential economic downturns. The institution should identify the time horizon over which it is assessing capital adequacy. It should evaluate whether long-run capital targets are consistent with short-run goals, based on current and planned changes in risk profile and the recognition that accommodating additional capital needs can require significant lead time. Capital planning should factor in the potential difficulties of raising additional capital during downturns or other times of stress.
The ICAAP should address all material risks faced by the institution as they relate to the adequacy of capital, including all risks explicitly captured in minimum regulatory capital requirements as well as risks that are not fully captured under minimum regulatory capital requirements. The techniques used in assessing material risks should be commensurate with the scope and complexity of the institution’s risk taking activities.
Institutions should have methodologies that enable them to assess the credit risk involved in individual exposures and at the portfolio level. The credit review assessment of capital adequacy should cover four areas:
The sophistication of the methodologies used to quantify credit risk should be appropriate to the scope and complexity of the institution’s credit risk taking activities. Less complex credit risk taking activities may incorporate a variety of methodologies but should at minimum take into consideration:
Institutions should refer to OSFI’s
Large Exposure LimitsFootnote 4 guideline and the
Large Exposure Limits guidance note as well as the supporting Basel Committee document
Principles for the Management of Credit Risk for further guidance on expectations for managing exposures to single borrowers or connected entities.
The impact of risk concentrations should be reflected in an institution’s ICAAP. Typical situations in which risk concentrations can arise include exposures to:
Risk concentrations can also arise through a combination of exposures across these broad categories. An institution should have an understanding of its firm-wide credit risk concentrations resulting from similar exposures across its different business lines.
An institution may also incur a concentration to a particular asset type indirectly through investments backed by such assets (e.g., collateralised debt obligations – CDOs), as well as through collateral or guarantees used to mitigate credit risk. Institutions that place more reliance on collateral values than on an evaluation of a borrower’s or counterparty’s capacity to perform may see themselves exposed to unexpected market risk in addition to wrong way risk
Footnote 5, particularly where the value of the collateral declines.
An institution should have in place adequate, systematic procedures for identifying high correlation between the creditworthiness of a protection provider or collateral and the obligors of the underlying exposures due to their performance being dependent on common factors beyond systemic risk (i.e. “wrong way risk”).
Institutions should exercise caution when including risk diversification benefits in ICAAP. Assumptions on diversification are often based on expert judgement and are difficult to validate. Institutions should be conservative in their assessment of diversification benefits, in particular between different classes of risk, and should consider whether such benefits exist under stressed conditions.
Where securitization activities (e.g., securitization of own-assets for risk transfer and/or funding; provision of backstop credit facilities to third-party conduits) are material, an institution’s ICAAP needs to consider the risks arising from originating, structuring, distributing and/or investing in such assets, including risks that are fully captured in minimum regulatory capital requirements. These may include, for example, reputational risk and the provision of non- contractual or implicit support to securitization vehicles. Asset performance may cause assets to return to the balance sheet through amortization and repurchase. Disruptions in market demand for asset-backed paper may leave assets in securitization pipelines on the balance sheet or force the originator to support its own paper. These have adverse implications for capital and liquidity that should be part of the institution’s capital and liquidity planning.
An institution should develop prudent contingency plans specifying how it would respond to capital pressures that arise when access to securitization markets is reduced. The contingency plans should also address how the institution would address valuation challenges for potentially illiquid positions held for sale or for trading. The risk measures, stress testing results and contingency plans should be incorporated into the banks risk management processes and its ICAAP and should result in an appropriate level of capital under Pillar 2 in excess of the minimum requirements commensurate with the risk appetite statement.
Institutions should also refer to Chapter 7 of the
CAR guideline for further guidance on sound practices for managing risk associated with securitization transactions.
Institutions that engage in cross border lending are subject to increased risk including country risk, concentration risk, foreign currency risk (market risk) as well as regulatory, legal, compliance and operational risks, all of which should be reflected in the ICAAP. Laws and regulators’ actions in foreign jurisdictions could make it much more difficult to realize on assets and security in the event of a default. Where regulatory, legal and compliance risks associated with concentrations in cross border lending are not considered elsewhere in an institution’s risk assessment process; additional capital may be required for this type of lending in an institution's ICAAP.
Similar rigour should be applied to the management of operational risk as is done for the management of other significant banking risks. The failure to properly manage operational risk can result in a misstatement of the institution’s risk/return profile and expose the institution to significant losses.
Institutions should refer to OSFI’s guideline B-21
Operational Risk Management and to the Basel Committee’s paper
Principles for the Sound Management of Operational Risk released in June 2011 which describes a set of principles for managing operational risk.
Institutions should have methodologies that enable them to assess and actively manage all material market risks, wherever they arise throughout the institution (i.e., position, trading desk, business line or firm-level).
For more sophisticated institutions, the assessment of internal capital adequacy for market risk, at a minimum, should be based on both value-at-risk (VaR) or similar modelling and stress testing, including an assessment of concentration risk and the assessment of illiquidity under stressful market scenarios.
An institution’s VaR model should be adequate to identify and measure risks arising from all its trading activities and should be integrated into the overall internal capital assessment as well as subject to rigorous ongoing validation. A VaR model’s estimates should be sensitive to changes in the trading book risk profile.
The ICAAP should include all material interest rate risk positions of the institution and consider all relevant repricing and maturity data. The system should have well-documented assumptions and techniques. An institution should be able to support its assumptions about the behavioural characteristics of non-maturity deposits and other assets and liabilities, especially those exposures characterized by embedded optionality. Given uncertainty in such assumptions, stress testing and scenario analysis should be used in the analysis of interest rate risks.
In general, an increase in uncertainty related to modeling and business complexity should result in more capital being held.
Institutions should refer to OSFI’s guideline B-12,
Interest Rate Risk Management and the supporting Basel Committee document
Principles for the Management and Supervision of Interest Rate Risk for further considerations relevant to the measurement of interest rate risk.
Liquidity is vital to the ongoing viability of any banking organization. An institution’s capital position can have an effect on its ability to obtain liquidity, especially in a crisis. Whereas, institutions are not expected to separately capitalize their liquidity risk, the stress scenarios for target capital planning and liquidity risk management should be complementary. Institutions should refer to OSFI’s guideline B-6,
Liquidity Principles, and the supporting Basel Committee document
Principles for Sound Liquidity Risk Management and Supervision.
Although risks such as strategic and reputation risk are not easily measurable, institutions are expected to develop techniques for managing all aspects of these risks. Reputation risk is a key issue for an industry that relies on the confidence of consumers, creditors and the general marketplace. For example, when an institution acts as an advisor, arranges or actively participates in financial transactions, it may assume insurance, market, credit, and operational risks. Reputation risk often arises because of inadequate management of these other risks, whether they are associated with direct or indirect involvement in the sale or origination of complex financial transactions or relatively routine operational activities.
Reputational risk can lead to the provision of implicit support, which may give rise to credit, liquidity, market and legal risk – all of which can have a negative impact on an institution’s earnings, liquidity and capital position. An institution should identify potential sources of reputational risk to which it is exposed. This includes the institution’s business lines, liabilities, affiliated operations, off-balance sheet vehicles and markets in which it operates. The risks that arise should be incorporated into the institution’s risk management process and appropriately addressed in its ICAAP and liquidity contingency plans.
Institutions should refer to the industry notice
OSFI’s Review of Reputation Risk Practices: Principles, Observations and Next Steps for a further discussion of reputation risk.
Stress testing is a risk management technique used to evaluate the potential effects on an institution’s financial condition, of a set of specified changes in risk factors, corresponding to exceptional but plausible eventsFootnote 7. An institution’s capital planning process should incorporate rigorous, forward-looking stress testing that identifies possible events or changes in market conditions that could adversely impact the institutions. In their ICAAPs, institutions should examine future capital resources and capital requirements under adverse scenarios. The results of forward-looking stress testing should be considered when evaluating the adequacy of an institution’s capital.
For further guidance on stress testing expectations, institutions should refer to guideline E-18,
The institution should establish an adequate system for monitoring and reporting risk exposures and assessing how changes to the institution’s risk profile affects the need for capital. The institution’s senior management should receive regular reports on the institution’s risk profile and capital needs. These reports should allow senior management to:
The institution’s internal control structure is essential to the capital assessment process. Effective control of the capital assessment process includes an independent review and, where appropriate, the involvement of internal and external audits. Senior management has a responsibility to ensure that the institution establishes a system for assessing the various risks, develops a system to relate risk to the institution’s capital level, and establishes a method for monitoring compliance with internal policies.
The institution should conduct periodic reviews of its risk management process to ensure its integrity, accuracy, and reasonableness. Areas that should be reviewed include:
OSFI assesses capital adequacy at two levels. An institution must have sufficient capital to meet its target regulatory requirements (regulatory capital), as well as sufficient capital to support its risk profile, (i.e., its Inherent Risks and
Overall Net Risk (ONR)) as determined through the OSFI
Supervisory Framework.Footnote 8
OSFI’s risk assessment process begins with an evaluation of the inherent risk within each significant activity of a financial institution. OSFI then examines the quality of risk management applied to mitigate these risks. Considering this information, OSFI arrives at an assessment of both the level of net risk of the significant activity and the direction of the net risk, i.e., whether it is decreasing, stable or increasing. Then, taking into account the materiality of each of the significant activities of a company, OSFI arrives at an overall net risk rating and its direction.
OSFI then develops a composite risk rating (and direction) for the financial institution, taking into account both our assessment of the overall net risk (which includes an assessment of the adequacy of risk management processes) and our assessment of financial factors, such as capital and earnings. Capital can be assessed as “strong”, “acceptable”, “needs improvement” or “weak”.
The depth and frequency of supervisory review of an institution’s ICAAP will be proportional to the nature, scale and complexity of its activities, and the risks posed to OSFI’s supervisory objectives with respect to the safety and soundness of the institution.
The dialogue between, on the one hand, OSFI’s assessment of inherent risk and ONR, and the institutions’ ICAAP on the other, will embrace the following four elements:
OSFI expects that capital assessment will not become a formula-driven process of add-ons. Expert judgement will continue to be necessary to operationalize the assessment and quantification of risk and integrate those results into the overall assessment of capital. Initially, this assessment will likely include measures of outliers for risk concentrations and outliers for interest rate risk in the banking book.
Once capital rating criteria are more fully developed and experience is gained from a reasonable period of implementation, the supervisory assessment of the internal target capital for some institutions could indicate that the industry-wide target is conservative for that institution or not conservative enough. This would lead to discussions with the institution about a more appropriate level of capital within the target capital framework.
International Convergence of Capital Measurement and Capital Standards: a Revised Framework, issued by the Basel Committee on Banking Supervision, June 2006
Return to footnote 1 referrer
Refer to OSFI’s
Corporate Governance guideline for additional guidance in this area.
Return to footnote 2 referrer
Not all risks can be directly quantified and capitalized. Material risks, including those that are difficult to quantify in an ICAAP framework, should be mitigated by internal controls and contingency plans.
Return to footnote 3 referrer
Guideline B-2- Large Exposure Limits (2019) applies to domestic systemically important banks (“D-SIBs”). Until OSFI provides further guidance, all other federally regulated deposit-taking institutions (excluding subsidiaries of D-SIBs that are incorporated or continued under the
Bank Act and the
Trust and Loan Companies Act remain subject to the
original version of Guideline B-2.
Return to footnote 4 referrer
Wrong way risk is defined in
Chapter 4 of the CAR guideline.
Return to footnote 5 referrer
See also the Basel Committee’s December 2009 consultative paper,
International framework for liquidity risk measurement, standards and monitoring. This document is expected to result in additional liquidity guidance which should also be considered.
Return to footnote 6 referrer
Stress Testing by Large Financial Institutions: Current Practice and Aggregation Issues, Committee on the Global Financial System, April 2000
Return to footnote 7 referrer
Other documents relevant to OSFI’s Supervisory Framework can be accessed at
Return to footnote 8 referrer