Canada’s Office of the Superintendent of Financial Institutions (OSFI) has issued a draft guideline on Operational Risk Management, which you can read here. We invite Canadian organizations who have questions or concerns about these guidelines to get in touch with one of Iceberg’s GRC management consultants at firstname.lastname@example.org or 613-595-0808.
Here’s an letter from Mark Zelmer, OSFI’s Deputy Superintendent, about the draft guideline:
OSFI is issuing for comment draft Guideline E-21 (Operational Risk Management) to clarify its expectations for FRFIs’ operational risk management and to provide a comprehensive OSFI guideline in this area. The draft guideline contains four key principles for effective operational risk management:
- Operational risk management is fully integrated within the FRFI’s overall risk management program and appropriately documented.
- Operational risk management serves to support the overall corporate governance structure of the FRFI. As part of this, FRFIs develop and utilise an operational risk appetite statement.
- FRFIs ensure effective accountability for operational risk management. A ‘three lines of defence’ approach, or appropriately robust structure, serves to separate the key practices of operational risk management and provide adequate independent overview and challenge. How this is operationalized in practice in terms of the organisational structure of a FRFI will depend on its business model and risk profile.
- FRFIs ensure comprehensive identification and assessment of operational risk through the use of appropriate management tools. Maintaining a suite of operational risk management tools provides a mechanism for collecting and communicating relevant operational risk information, within the FRFI and to relevant supervisory authorities.
OSFI is inviting comments on the Guideline until October 9, 2015. Comments may be provided directly to OSFI or through industry associations via e-mail to: Noeleen Riordan, Senior Analyst, Capital Division (email@example.com). As per our usual practice, when we release the final guideline, OSFI will provide a summary of the comments received and an explanation of how they were treated.
Some highlights from the document:
- “Understanding operational risks leads to better decision making through the observation and analysis of past operational risk events and patterns of observed behaviour.”
- “A robust framework for operational risk management provides a mechanism for discussion and effective escalation of issues leading to better risk management in this area over time and increased institutional resilience.”
- “FRFIs are encouraged to continue to develop and improve the tools they use to manage their operational risk and to monitor and adopt best practices in this area as appropriate.”
- “An inconsistent taxonomy of operational risk terms may increase the likelihood of failing to identify and categorize risk, or allocate responsibility for the assessment, monitoring, and mitigation of risks.”
- “RCAs (risk and control assessments) generally are completed by the first line of defence across the enterprise, including the various control groups, and should reflect the current environment but also be forward-looking in nature.”