OSFI’s guideline on Operational Risk Management is great news, but the devil is in the detail and its effective implementation can be challenging

Regulators globally are demanding banks embed a systematic approach to operational risk management across their organization.

This, coupled with ubiquitous and uncomfortable headline news on record regulatory fines, particularly related to financial crime/money laundering, has created a sense of urgency among the Board of Directors, Chief Risk and Compliance Officers to embed a robust operational risk management framework that is integrated with a financial institution’s compliance and reputational risk program.

On June 29, 2016, OSFI released a final version of the Operational Risk Management Guideline (Guideline E-21) following a public consultation process. The guideline outlines OSFI’s expectations for the management of operational risk in line with international best practices, and is applicable to all federally regulated financial institutions (FRFIs). It is principles-based and considers the lessons learned from the financial crisis, particularly in respect of the “three lines of defense structure” for effective governance of operational risk management.

All FRFIs should implement policies, procedures and practices aligned with the Guideline to manage operational risk effectively, and should seek continuous improvement in these areas as industry practice evolves. We further encourage Non-Bank Financial Institutions (NBFIs) to adopt the principles to proactively manage their operational risks for better strategic decision making and internal control.

Are Banks Ready and Able to Implement OSFI’s E-21 Guidelines?

It should, however, be pointed out that it is one thing to issue such comprehensive guidelines and another to implement them effectively.

The Basel Committee on Banking Supervision (BCBS, Basel) originally issued Sound Practices for the Management and Supervision of Operational Risk in February 2003. As operational risk practices in the banking industry evolved, BCBS issued another paper in June 2011, Principles for the Sound Management of Operational Risk, which included three key themes: Governance, Risk Management and Disclosure. In early 2014, the Committee conducted a review of the extent of implementation of its Principles. The study involved 60 systemically important banks (SIBs) in 20 jurisdictions, with a specific focus on the guidance related to the three lines of defence.

This study, 11 years after Basel’s operational risk management guideline was originally issued, revealed that “banks have made insufficient progress in implementing the Principles originally introduced in 2003 and revised in 2011” (Source: Review of the Principles for the Sound Management of Operational Risk, October 6, 2014).

It is noteworthy that the key findings of the study, among others, were that banks had inadequately implemented the three lines of defense and that there was a need to significantly improve operational risk management culture, board and senior management oversight, and operational risk appetite and tolerance statements, as well as a need for robust risk disclosures.

There Have Been Improvements, but the Bar Has Just Risen Higher

OSFI recognizes FRFIs’ operational risk management improvement efforts over the years, according to Deputy Superintendent Mark Zelmer:

“Federally regulated financial institutions have made significant improvements in their operational risk management practices over the last several years,” said Deputy Superintendent Mark Zelmer. “This guideline supports continual improvement in their operational risk management activities.”

However, with E-21, OSFI has now significantly raised the bar on its expectations for sustainably maintaining the safety and soundness of Canada’s banking ecosystem. We encourage FRFIs and NBFIs to appreciate the lessons learned from Basel’s study to ensure the effective implementation of the guideline, especially now in an era of heightened cyber fraud, financial crime and threats to traditional banking earnings models from far nimbler players.
