Law in Quebec

The guideline comes on the heels of a series of onerous “expectations” issued by the Office of the Superintendent of Financial Institutions (OSFI) over the past several years on corporate governance and regulatory compliance management (Guideline E-13). The introduction of a guideline on operational risk, defined by OSFI as the risk of loss “resulting from people, inadequate or failed internal processes and systems, or from external events,” comes as no surprise as it is in line with the federal regulator’s views on how financial institutions ought to be managed, said Paul Belanger, group leader of the financial services practice at Blake, Cassels & Graydon LLP in Toronto.

“It is completely reasonable for OSFI to have institutions focus on operational risk, and the way they are doing it is completely sensible,” said Belanger. “But it would be useful for everybody if the pace of change could slow a little bit so that we could take stock collectively and then decide what more is needed.”

The pace and scale of regulatory change is beginning to take its toll on staff who are responsible for planning, directing and controlling day-to-day operations of federally regulated financial institutions (FRFIs) — the so-called first line of defence, said Sandeep Dhiman, a partner at PwC Canada who leads the financial crimes and operational risk practice.

“OSFI has been on this journey of enhancing governance for financial institutions for about five years,” remarked Dhiman. “They started with corporate governance, and then moved on to specific functions. But there already is a bit of fatigue in the first line. They don’t see a distinction between operational risk or any other kind of compliance requirements because they are blurred. They are on the brink of their patience. So I don’t know if, culturally speaking, there is an appetite for another change. That will be real nub of the whole thing.”

The operational risk management guideline (Guideline E-21) was partly introduced to remedy a situation of OSFI’s own making. By its own admission, OSFI’s operational risk guidance was not comprehensive and was dispersed across various guidelines, “making it difficult for FRFIs to access all of the related guidance.” Moreover, the guidance was not consistent in its application to all types of FRFIs, compelling OSFI to disseminate supervisory expectations informally to some industry sectors.

Pressure to conform with international standards also played a role. Before the advent of Guideline E-21, OSFI aligned its expectations and directed FRFIs to the Basel Committee on Banking Supervision (BCBS) and the “Principles for the Sound Management of Operational Risk and the Role of Supervision.” Many FRFIs made significant progress implementing these international standards, but there was always the potential for “misalignment” without explicit guidance from OSFI because international standards and guidelines can vary across countries, particularly across industry sectors, said Dhiman. While OSFI’s guidelines do not deviate from international standards and guidelines, it “finally” provides its own expectations for sound operational risk management, added Dhiman.

The guideline, which promotes industry best practices, is anchored by four principles. According to OSFI, operational risk is inherent in all products, processes and systems. As a result, effective management of operational risk should be completely integrated with an FRFI’s overall risk management program – and should be appropriately documented. The operational risk management program should also serve to support the overall corporate governance structure of FRFIs. Financial institutions should therefore develop and use an operational risk appetite statement or in the case of small, less complex FRFIs with lower operational risk profiles use reporting and escalation thresholds for material operational risk events. Financial institutions should also adopt a robust accountability structure such as the “three lines of defence” approach.  The first line of defence is the business line while the second is responsible for objectively assessing and providing feedback to the first line as well as developing strategies to identify, monitor and control operational risk. The third line of defence is the internal audit function, which should test the FRFI’s overall operational risk management controls and the effectiveness of the first and second line of defence.

“What OSFI is trying to set up is a much more integrated operational risk function in banks,” said Dhiman. “Most institutions in Canada have operational risk type of function or capability for upwards of 10 years, (but) it’s not baked into their day-to-day decision-making. This guideline is really trying to make them embed it better into their risk management process.”

The guideline is principles-based, which implies that FRFIs should develop operational risk management processes that best fit their size and the complexity of their organization. All FRFIs are expected to adhere to the four operational risk management principles but OSFI points out in the guideline that its supervisory expectations will be tailored and that it will be more flexible towards smaller, less-complex institutions with “demonstrated” low operational risk profiles. That remains to be seen, said Belanger.

“This guideline is a one-size-fits-all, and it calls for a quite a lot of work for any organization but larger ones have the infrastructure to be able to do this,” said Belanger. “For a smaller institution, it is an enormous cost for them. OSFI does say they will administer these guidelines with a view to smaller institutions being able to do less. The question is whether they mean it.”

That is a concern that the Canadian Institute of Actuaries also raised during the public consultation process. The Institute notes that while the guideline has more limited requirements for smaller, less complex FRFIs, it is still concerned that smaller companies will be “challenged” to implement the operational risk management guideline without creating additional bureaucracy and incurring more costs.

Dhiman is concerned about the tight deadline as FRFIs are expected to implement the operational risk management framework by no later than June 2017. He points out that financial institutions are still wrestling with the implementation of the regulatory management guideline E-13, which was supposed to be implemented by May 2015, that is six months after they were published by OSFI in November 2014.

“One year is a tight deadline,” said Dhiman. “The banks should have started thinking about this when the guidance paper first came out (for public consultation). I think what is going to happen is that the banks are going to take it easy and say I already have this and they will try to stretch the existing programs a bit to make the case they already comply with this stuff. But then when OSFI challenges it, they will have to rethink and go back.”