ARTICLE
22 October 2024

OSFI Releases Final Guideline On Operational Risk And Resilience For Federal Financial Institutions

McCarthy Tétrault LLP


McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in New York City, US and London, UK.

The Office of the Superintendent of Financial Institutions ("OSFI"), Canada's principal bank and insurance solvency and prudential regulator, published the final version of Guideline E-21: Operational Risk Management and Resilience ("Guideline") on August 22, 2024. This article will explore the Guideline's key requirements, its changes from its most recent draft in 2023, and the implementation timeline.

1. Key Requirements of the Final OSFI Guideline E-21

The Guideline sets out OSFI's "expectations for financial institutions to prepare for and recover from adverse events." Financial institutions face various operational risks, such as internal control failures, pandemics, and technology failures. To mitigate these risks, the Guideline sets expectations for financial institutions to withstand, adapt to, and recover from disruptions while maintaining critical operations. OSFI established the following four key requirements for all federally regulated financial institutions, including foreign bank and insurance company branches, based on their size, strategy, risk profile, operational complexity, and interconnectedness with the financial system:

(a) Governance

The first key requirement is governance. This requires "[a]n effective operational risk management framework and approach to operational resilience" to be "properly governed, documented, and implemented." This involves, for example, ensuring ongoing scenario analyses are taking place, addressing any operational deficiencies in a timely manner, and ensuring that breaches of tolerances are escalated and addressed. Senior management is ultimately accountable for this, with the business/central functions being "accountable for managing operational risks and contributing to operational resilience." This should be overseen and challenged by the independent risk and compliance functions – as well as internal auditors (or similar functions) – to ensure sufficient governance.

(b) Operational Risk Management

The second key requirement is operational risk management. This requires "[a]n effective enterprise-wide operational risk management framework" to be in place. For example, there should be a defined risk appetite statement that is adhered to and regularly reviewed, and a risk taxonomy including "categories of risks related to people, inadequate internal processes and systems, and external events." To manage these risks, a variety of tools – such as risk and control assessments, key risk indicators, operational risk event data analysis, and scenario analysis – may be used. Moreover, operational risks should always be monitored and reported as they are found, to "identify control weaknesses and potential breaches of risk appetite and limits."

(c) Operational Resilience

The third key requirement, operational resilience, recognizes that, sometimes, disruptions will happen. To deal with these situations, the Guideline requires critical operations to be identified, assessed, and updated regularly. Internal and external dependencies must also be mapped to provide a holistic view of critical operations and identify vulnerabilities.

Operational resilience also requires "tolerances for disruption" to be established, which consider "the maximum level of disruption a financial institution can withstand across a range of severe but plausible scenarios." To do so, scenario testing should be used to "regularly assess the ability of critical operations" to continue despite severe-but-plausible disruptions within established tolerances for disruption such as power outages, pandemics, and cyber incidents. OSFI recommends a variety of testing methodologies, such as table-top exercises, simulations and live-systems testing, and expects scenario testing to mature over time. Third parties should be included in these tests where possible, and "[t]he frequency and intensity of testing should be proportional to the criticality of and risk to operations."

(d) Key Areas of Operational Risk Management that Strengthen Operational Resilience

Finally, the Guideline enumerates several key areas of operational risk management that contribute to strong operational resilience:

  • Business Continuity Risk Management: This involves "planning for, and recovering from, disruptions to operations." To that end, business impact analyses should be conducted, and business continuity plans should be developed and tested.
  • Disaster Recovery Risk Management: To prepare for "severe but plausible risk events related to loss of technology infrastructure" such as networks and data servers, a disaster recovery plan should be in place. Failover and backup plans should also be developed and tested.
  • Crisis Management: Both a crisis management team and plan should be established to respond to crises quickly and effectively. The crisis management plan should be regularly reviewed and tested, with exercises being undertaken following a crisis to implement lessons learned. A crisis management plan should include topics such as: (i) "protocols for escalation to senior management and the board," (ii) "criteria for invoking the plan," and (iii) "internal and external communication protocols for timely sharing of information with stakeholders."
  • Change Management: Significant business changes, such as entering a new market or offering new products, are often accompanied by new operational risks. Thus, financial institutions should ensure they have comprehensive change management processes. For example, they should adjust their operational risk appetite based on the business change, deploy tested contingency plans if a change fails, test any changes to systems/processes before introducing them, and assess post-implementation effectiveness. Effective change management processes should also consider general expectations for operational risk management, such as having a defined risk appetite statement and adequate control assessments.
  • Technology and Cyber Risk Management: Since technology plays such a significant role in the operations of financial institutions, the Guideline notes that "[s]ound technology and cyber risk management is fundamental to bolstering operational resilience" by ensuring risks resulting in operational disruptions can be effectively managed and mitigated. Financial institutions should reference Guideline B-13: Technology and Cyber Risk Management for OSFI's expectations related to technology and cyber risks.
  • Third-Party Risk Management: Critical third-party arrangements may become a threat to operational resilience, including by "disruption at the third party or the loss or corruption of critical data." Thus, the Guideline notes that "effective third-party risk management is an important contributor to operational resilience." Financial institutions should reference Guideline B-10: Third-Party Risk Management for OSFI's expectations related to third-party risk.
  • Data Risk Management: Finally, the Guideline emphasizes effective data risk management, especially in light of the impact that missing, inadequate, or breached data can have on the financial institution, financial system and broader economy. Data risk management programs should include, for example, clear roles and responsibilities for those that manage data, and processes for classifying, aggregating, and protecting data.

2. Changes From the Draft Guideline

While the Guideline maintains the core principles from its most recent draft in 2023, it has incorporated feedback from an extended public consultation that concluded in February 2024. Namely, the Guideline has been revised with simplified language for clarity, along with the following changes based on industry feedback:

(a) Scenario Testing and Analysis

The Guideline clarifies that the list of operational risk management tools (such as risk and control assessments and scenario analyses) is not exhaustive. To that end, OSFI has clarified that scenario analysis remains relevant in "identifying and assessing the impact, controls and mitigating actions of operational risk at the business unit level and enterprise wide," whereas scenario testing "goes further to test whether critical operations can remain within tolerances for disruption on an end-to-end basis, across multiple business lines, in severe but plausible circumstances."

Addressing feedback regarding an annual scenario testing cycle proposed in the draft guideline, the Guideline also clarifies that scenario testing is now aligned with risk and criticality and can occur outside the regular cycle if significant changes in the risk environment arise.

Finally, OSFI acknowledged industry feedback that third parties might not always be available for scenario testing and has clarified that third-party participation should be arranged "where possible."

(b) Change Management

The Guideline also clarifies that change management processes should apply to significant changes, providing a non-exhaustive list of significant changes that introduce operational risk to financial institutions. For example, offering new products or services, or entering a new market, come along with new risks that should be addressed.

OSFI has also emphasized that change management processes should "govern both the operational risks introduced by the change, as well as the effective management of the change itself." That way, financial institutions are best prepared to deal with significant changes.

(c) Guideline Structure and Terminology

Finally, the Guideline was reorganized – and certain terms were explained – to make it clearer and easier to understand. Namely, the Guideline was reorganized to present operational risk management before introducing the concept of operational resilience, and terms including "business and central functions" and "risk management and compliance" have been clarified and are explained in the Supervisory Framework.

3. Implementation Timeline

The Guideline is designed to have a phased implementation timeline, with the first two sections effective immediately and full compliance required by September 1, 2026. The full timeline is as follows:

  • August 22, 2024: section 1 (Governance) and section 2 (Operational Risk Management) were effective immediately from the date of the Guideline's publication.
  • September 1, 2025: Full adherence to section 4 (Key Areas of Operational Risk Management That Strengthen Operational Resilience) is expected by this date. OSFI expects financial institutions to remediate any gaps in compliance for these areas by this date.
  • September 1, 2026: Full adherence to the Guideline is expected by this date. OSFI expects financial institutions to have completed scenario testing for all critical operations by September 1, 2027.

OSFI has also announced plans to conduct selective supervisory work during the phased implementation period to assess certain financial institutions' progress in implementing their operational resilience programs and the effectiveness of their operational risk management practices.

4. How McCarthy Tétrault Can Help

Whether you are a new entrant to Canada's financial services market or a financial institution with a long track record in Canada, we are here to help. By leveraging our deep industry expertise and experience, we help our clients navigate Canada's complex, highly regulated financial institutions environment to achieve their business goals.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
