Operational Risk Management - osfi-bsif.gc.ca


Document Properties
Type of Publication: Guideline
Category: Sound Business and Financial Practices
Date: June 2016
Audience: All FRFIs
No: E-21

Alternative Formats: PDF, 385 KB
Accompanying Documents: Letter; Guideline Impact Analysis Statement
Related Documents: News Release; Corporate Governance Guideline; Operational Risk Self-Assessment Template; Operational Risk Assessment Process for TSA & AMA

Table of Contents
1. Purpose and Scope of the Guideline
2. Operational Risk Management Framework
3. Operational Risk Appetite Statement
4. Three Lines of Defence
5. Identification and Assessment of Operational Risk
Annex 1 – Emerging Practices
Annex 2 – List of Related Guidance

1. Purpose and Scope of the Guideline

This Guideline sets out OSFI's expectations for the management of operational risk and is applicable to all federally regulated financial institutions (FRFIs). OSFI recognizes that FRFIs may have different operational risk management practices depending on their:
- size;
- ownership structure;
- nature, scope and complexity of operations;
- corporate strategy and risk profile.

For the purposes of this Guideline, operational risk is defined as the risk of loss resulting from people, inadequate or failed internal processes and systems, or from external events. This includes legal risk but excludes strategic and reputational risk. The risk of loss resulting from people includes, for example, operational risk events relating specifically to internal or external fraud, non-adherence to internal procedures/values/objectives, or unethical behaviour more broadly. Risk exposure relating to external events that stems from coverage sold by insurers to third parties is excluded, while risk on an insurer's own operations is considered within scope.

OSFI recognises that within industry practice, external fraud may currently be categorised within business risk (rather than separately within operational risk). OSFI encourages institutions to consider including external fraud events in the definition of operational risk for risk management purposes.

2. Operational Risk Management Framework

Principle 1
Operational risk management should be fully integrated within a FRFI's overall risk management program and appropriately documented.

Operational risk is inherent in all products, activities, processes and systems. As such, the effective management of operational risk should be a fundamental element of a FRFI's risk management program. OSFI expects FRFIs to have a framework for operational risk management that sets forth mechanisms for identifying and managing operational risk [Footnote 1].

Understanding operational risks leads to better decision making through the observation and analysis of past operational risk events and the patterns of observed behaviour within the FRFI. In addition, a robust framework for operational risk management provides a mechanism for discussion and effective escalation of issues, leading to better risk management over time and increased institutional resilience. The comprehensive data collection which the framework supports allows for analysis of complex corporate-wide issues and facilitates tailored risk mitigation actions. Additional tools such as analysis of external events and scenario analysis can provide risk management value and discourage complacency in operational risk management.

3. Operational Risk Appetite Statement

Principle 2
Operational risk management should serve to support the overall corporate governance structure of the FRFI. As part of this, FRFIs should develop and utilise an operational risk appetite statement, or in the case of small, less complex FRFIs with lower operational risk profiles, use reporting/escalation thresholds for material operational risk events.

Larger, more complex FRFIs with significant levels of operational risk in their activities should develop and maintain a comprehensive risk appetite statement for operational risks, as part of the FRFI's overall Risk Appetite Framework (see OSFI's Corporate Governance Guideline, including its Annex B). The risk appetite statement for operational risk should articulate the nature and types of operational risk that the FRFI is willing or expected to assume.

The operational risk appetite statement should be succinct, clear, and include a measurable component (limits/thresholds). The purpose of having a measurable component is to indicate the level of operational risk that is considered acceptable within the FRFI. The limits/thresholds may also serve to indicate the level at which operational risk events, near misses, or cumulative patterns are considered necessary for escalation to Senior Management (in some cases, separate reporting thresholds may be established).

In formulating their risk appetite statement for operational risk, FRFIs may consider elements such as:
- changes in the external environment;
- material increases/decreases in business or activity volumes;
- the quality of the control environment;
- the effectiveness of risk management or mitigation strategies;
- the FRFI's operational risk event experience; and
- the frequency, volume or nature of risk appetite limit/threshold breaches.

The operational risk appetite statement, and/or the reporting threshold for material operational risk events, should be regularly reviewed to ensure it remains appropriate. Escalation and reporting processes for breaches, or potential breaches, should be in place.

4. Three Lines of Defence

Principle 3
FRFIs should ensure effective accountability for operational risk management. A "three lines of defence" approach, or an appropriately robust structure, should serve to delineate the key practices of operational risk management and provide adequate objective overview and challenge. How this is operationalized in practice in terms of the organisational structure of a FRFI will depend on its business model and risk profile.

Appropriate accountability for the management of operational risk is essential. A "three lines of defence" structure is one way to achieve such accountability. For illustrative purposes, the roles and responsibilities of each of the three lines are described below. In determining what is considered an appropriately robust structure, both FRFIs and OSFI will consider size, ownership structure, nature, scope and complexity of operations, corporate strategy and risk profile.

First Line of Defence
The business line – the first line of defence – has ownership of risk, whereby it acknowledges and manages the operational risk that it incurs in conducting its activities. The first line of defence is responsible for planning, directing and controlling the day-to-day operations of a significant activity/enterprise-wide process and for identifying and managing the inherent operational risks in products, activities, processes and systems for which it is accountable [Footnote 2].

Second Line of Defence
The second line of defence consists of the oversight activities that objectively identify, measure, monitor and report operational risk on an enterprise basis. These represent a collection of operational risk management activities and processes, including the design and implementation of the FRFI's framework for operational risk management. The second line of defence [Footnote 3] is best placed to provide specialized reviews related to the FRFI's operational risk management. In addition, it should be noted that other staff/corporate areas of the FRFI (e.g. compliance) may also be deemed part of the second line of defence.

A key function required of the second line of defence is to provide an objective assessment [Footnote 4] of the business lines' inputs to and outputs from the FRFI's risk management (including risk measurement/estimation), and to establish reporting tools to provide reasonable assurance that they are adequately complete and well-informed.

Third Line of Defence
The internal audit function is charged with the third line of defence. The third line of defence should be separate from both the first and second lines of defence, and provide an objective review and testing of the FRFI's operational risk management controls, processes and systems, and of the effectiveness of the first and second line of defence functions. The third line of defence is best placed to observe and review operational risk management more generally within the context of the FRFI's overall risk management and corporate governance functions. Objective review [Footnote 5] and testing coverage should be sufficient in scope to verify that the operational risk management framework has been implemented as intended and is functioning effectively.

5. Identification and Assessment of Operational Risk

Principle 4
FRFIs should ensure comprehensive identification and assessment of operational risk through the use of appropriate management tools.

Maintaining a suite of operational risk management tools provides a mechanism for collecting and communicating relevant operational risk information, both within the FRFI and to relevant supervisory authorities. OSFI recognises that the FRFI itself has the best perspective to determine its organizational structure, processes, and the extent of its use of tools [Footnote 6] to achieve a robust level of operational risk management. FRFIs are encouraged to continue to develop and improve the tools they use to manage their operational risk and to monitor and adopt best practices in this area, as appropriate (including prioritising enterprise-wide [Footnote 7] coverage).

The specific tools used to identify and assess/analyse operational risk will depend on a range of relevant factors, particularly the nature (including business model), size, complexity and risk profile of the FRFI. The objective of the use of operational risk management tools is to generate risk management value proportionate to the other risks faced by the individual institution. OSFI recognises that the use of well-implemented tools adds greater risk management value, and that FRFIs may have existing tools in place to collect and analyse information relevant for operational risk management. See Annex 1 item 6 for further best practices related to operational risk management tools. All tools may apply; however, the descriptions included should not be interpreted as a checklist to be used for compliance or audit purposes.

Annex 1 – Emerging Practices

The following sound practices are primarily for consideration by larger, more complex FRFIs. However, some of the practices are more widely applicable and may be helpful as concrete examples of industry practice.

The examples of emerging practices below are not exhaustive and do not represent a checklist or an end-point for supervisory or internal audit review. Discussions in these areas should focus on improvements in operational risk management, rather than focusing on compliance.

An operational risk management framework can provide a unique mechanism for specific data requests by senior management, leading to more comprehensive information gathering relating to complex organisational issues. For example, if senior members of a FRFI are observing a particular type of operational risk event in one area of the organisation, it can be useful to collect information on whether similar events or patterns are occurring in other areas (i.e. whether there are indications of broader corporate-wide issues). Decision making at the highest levels of an organisation benefits from more complete information. Operational risk management frameworks are designed to permit the collection of information in specific areas across business lines on an enterprise-wide basis. This can be particularly useful in areas such as external fraud across product lines, legal losses across the organisation, or system breaches/inadequacies (whether indicative of isolated instances of rogue behaviour or wider systemic problems). In larger organisations with well-established second lines of defence, the information collection and aggregation capabilities of these professional groups can lead to better problem identification and thus more comprehensive and longer-term solutions to corporate-wide organisational issues.

1. Within FRFIs, the documented framework for operational risk management may consider the following elements:
- A description of the FRFI's approach to managing operational risk, including reference to the relevant operational risk management policies and procedures;
- Clear accountability and ownership for operational risk management amongst the three lines of defence;
- The risk assessment and reporting tools used by the FRFI and how they are used within the institution;
- The FRFI's approach to establishing and monitoring risk appetite and related limits for operational risk;
- The governance structures used to manage operational risk, including reporting lines and accountabilities. This includes ensuring that operational risk management has sufficient status within the organisation to be effective;
- Application to the FRFI enterprise-wide;
- Requirements for relevant policies to be reviewed on a regular basis, and revised as appropriate;
- Efficient corresponding documentation, which should provide commensurate risk management value and be suitable for the intended user/audience.

2. Within FRFIs, the first line of defense may be responsible for developing capabilities in the following areas:
- adherence to the operational risk management framework and related policies;
- identification and assessment of the inherent operational risk within their respective business unit and assessing the materiality of risks to the respective business units;
- establishment of appropriate mitigating controls and assessing the design and effectiveness of these controls;
- oversight of and reports on the business lines' operational risk profiles and supporting operation within the established operational risk appetite statement [Footnote 8];
- analysis and reporting of the residual operational risk that is not mitigated by controls, including operational risk events, control deficiencies, human resources, process, and system inadequacies [Footnote 9];
- promotion of a strong operational risk management culture throughout the first line of defence;
- confirmation of timely and accurate escalation, within the FRFI, of material issues;
- staff training in their roles in operational risk management, if required.

Depending on the size and complexity of the financial institution, the first line of defense may be further divided between '1a' and '1b' [Footnote 10] roles.

3. OSFI recognizes that the nature, size, complexity and risk profile of different FRFIs will mean that the responsibilities of the second line of defence groups may overlap with those of the first line of defence. Further, the size and degree of independence of the second line of defence will differ among FRFIs. For example, for small FRFIs with low operational risk exposures, objective overview may be achieved through separation of duties. In larger FRFIs, however, the second line of defence will generally consist of a separate function, most often reporting into the risk management function. The second line of defence should have an appropriate level of sufficiently skilled resources and stature to effectively fulfill its responsibilities.

Within FRFIs, examples of responsibilities commonly associated with the second line of defence include:
- providing effective objective assessment, which should be evidenced and documented where material (e.g. by providing examples of the challenges and outcomes) so as to be subsequently observable to the first line of defence;
- confirming continued development of appropriate strategies to identify, assess, measure, monitor and control/mitigate operational risk;
- confirming continued establishment and documentation of appropriate FRFI-wide policies and procedures relating to the FRFI's operational risk management framework;
- confirming continued development, implementation and use of appropriate enterprise-wide operational risk management tools;
- confirming that adequate processes and procedures exist to provide appropriate oversight of the FRFI's operational risk management practices;
- confirming that operational risk measurement processes are appropriately integrated into the overall risk management of the FRFI;
- reviewing and contributing to the monitoring and reporting of the FRFI's operational risk profile (this may also include aggregating and reporting);
- promoting a strong operational risk management culture throughout the enterprise; and
- confirming timely and accurate escalation, within the FRFI, of material issues.

Similar to the first line, the second line of defence may also be further divided between '2a' and '2b' [Footnote 11] roles.

4. Objective Assessment is the process of developing an objective view regarding the quality and sufficiency of the business unit's operational risk management activities, including the identification and assessment of operational risks; identification and assessment of controls; assumptions; and risk decisions (e.g., acceptance, transfer, denial, action plan). This includes providing challenge when appropriate. Objective Assessment is:
- based on a structured and repeatable process that accommodates continuous improvement (while allowing for ad-hoc flexibility where appropriate);
- applied through the various operational risk management tools, reporting and other governance processes;
- performed by knowledgeable and competent staff;
- shared with the business in a constructive manner;
- performed on a timely basis;
- measured by outcomes (e.g., it has influenced a management decision/action);
- evidenced/documented.

Evidence of observable challenge may include both evidence of challenge integral to a process and evidence of challenge with supporting documentation at various stages of the process, as appropriate. Consistent with other areas of operational risk management, and risk management more generally, the level of documentation required should add risk management value and not be unduly distracting from overall risk management goals. Objective Assessment is more than facilitation, guidance, or documentation of decisions.

5. Within a FRFI's third line of defense for operational risk, objective review and testing activities generally involve testing for compliance with established policies and procedures, as well as evaluating whether the framework for operational risk management is appropriate given the size, complexity and risk profile. Objective review and testing generally consider the design and use of operational risk management tools in both the first and second lines of defence, the appropriateness of objective assessment applied by the second line of defence, and the monitoring, reporting and governance processes.

6. The following are examples of operational risk management tools that have been used within FRFIs and may be useful:
- Operational risk taxonomy;
- Risk and control assessments (RCAs);
- Change management risk and control assessments;
- Internal operational risk event collection and analysis;
- External operational risk event collection and analysis;
- Risk and performance indicators;
- Material business process mapping;
- Scenario analysis;
- Quantification/estimation of operational risk exposure;
- Comparative analysis.

Each risk management tool is described in more detail below.

(a) Operational Risk Taxonomy
A common taxonomy of sources of operational risk types aids with consistency of risk identification and assessment activities, and with articulation of the nature and type of operational risk to which the FRFI is potentially exposed. An inconsistent taxonomy of operational risk terms may increase the likelihood of not properly identifying, categorizing, and allocating responsibility for the assessment, monitoring, and mitigation of risks.

(b) Risk and Control Assessments (RCAs)
Risk and control assessments are one of the primary tools typically used to assess inherent operational risks and the design and effectiveness of mitigating controls within FRFIs. RCAs provide value through:
- including an assessment of business environment, inherent risks, controls, and residual risks, referencing the FRFI's operational risk taxonomy;
- encouraging proper alignment between the risk and its mitigating controls;
- being completed on a periodic basis (to support accurate and timely information); and
- having appropriate supporting activities and frequency of maintenance to remain current and relevant in the management of operational risk.

RCAs generally are completed by the first line of defence across the enterprise, including the various control groups, and should reflect the current environment but also be forward-looking in nature. Resulting action plans emerging from completion of an RCA should be tracked and monitored to facilitate required enhancements being appropriately implemented. In addition, the second line of defence should review and provide objective challenge to the risk and control assessments, and to the resulting action plans of the first line of defence.

(c) Change Management Risk and Control Assessments
Change management risk and control assessments establish a formalized process for assessing inherent operational risk and the appropriateness of mitigating controls when the FRFI undertakes significant changes. The operational risk assessments made as part of the change management process should generally be performed by the first line of defence. This risk assessment process may consider:
- inherent risks in the new product, service, or activity;
- changes to the FRFI's operational risk profile and risk appetite;
- the required set of controls, risk management processes, and risk mitigation strategies to be implemented;
- the residual risk (unmitigated risk); and
- changes to the relevant risk limit/threshold.

(d) Internal Operational Risk Event Collection and Analysis
Robust internal operational risk event collection and analysis includes having systems and processes in place that capture and analyse material internal operational risk events (e.g. those that exceed an appropriate internal threshold). An operational risk event, which is defined as an unintended outcome resulting from operational risk, includes actual and potential operational losses and gains, as well as near misses (i.e. where the FRFI did not experience an explicit loss or gain resulting from an operational risk event). Internal operational risk event collection and analysis provides meaningful information for assessing 1) a FRFI's exposure to operational risk, through aggregating and monitoring operational risk events over time, and 2) the overall effectiveness of the operational controls environment.

The capture of internal operational risk data should primarily be managed by the first line of defence, and appropriate controls (i.e. segregation of duties, verification) should be in place for maintaining data integrity at an acceptable level. For operational risk events determined to be material, FRFIs are expected to identify the root cause as well as any required remedial action so that similar events in the future either do not occur or are appropriately mitigated. Established reporting and analysis standards should also address minimum expectations over event analysis, including:
- whether the exposure is an actual, potential or near miss event;
- the underlying operational risk category exposure as defined within the risk taxonomy;
- deficiencies and control failures that can be mitigated;
- the corrective actions to be taken to address the deficiencies and control failures; and
- appropriate sign-offs and approvals.

For material operational risk events, appropriate root cause analysis is generally conducted by the first line of defence and appropriately escalated based on the potential or observed impact of the event. The second line of defence reviews and applies objective challenge to the analysis conducted by the first line of defence.

(e) External Operational Risk Event Collection and Analysis
External operational risk events are operational risk related events occurring at organisations other than the FRFI itself. External operational risk event collection and analysis activities may include subscribing to an external loss reporting database, monitoring the FRFI's own operational risk event experience over time relative to its peers, assessing overall exposures, and assessing the overall effectiveness of the operational controls environment.

(f) Risk and Performance Indicators
Risk and performance indicators are risk metrics used to monitor the main drivers of exposure associated with key operational risks; they can also provide insight into control weaknesses and help to determine a FRFI's residual risk. Risk and performance indicators, paired with escalation and monitoring triggers, act to identify risk trends, warn when risk levels approach or exceed thresholds or limits, and prompt actions and mitigation plans to be undertaken. These risk metrics could contain internal and external or environmental indicators relevant to decision making.

(g) Material Business Process Mapping
Business process mapping is a common tool used to identify and manage operational risks for significant or enterprise-wide processes. Business process mapping involves identifying the steps within the process, and assessing the inherent operational risks, risk interdependencies, and the effectiveness of controls, as well as the subsequent management actions required when control weaknesses are identified.

(h) Scenario Analysis
Scenario analysis is a process of identifying potential operational risk events and assessing their potential outcome and impact on the FRFI. Scenario analysis can be an effective tool to consider potential sources of operational risk and the need for enhanced risk management controls or mitigation solutions. In order to effectively use scenario analysis as part of a risk management program, the operational risk scenarios developed should consider both expected and unexpected organisational response relative to an operational risk event or event type. If scenario analysis is used as an input into the quantification/estimation of operational risk exposure, the second line of defence reviews whether the scenarios chosen are appropriate and consistent with the FRFI's scenario analysis program.

(i) Quantification/Estimation of Operational Risk Exposure
Quantification/estimation of exposure to operational risk is discussed through existing Internal Capital Adequacy Assessment Process (ICAAP [Footnote 12]) or Own Risk and Solvency Assessment (ORSA [Footnote 13]) exercises. Quantification/estimates may be compared to the required capital for operational risk under the relevant capital adequacy/minimum required capital guideline for additional value. Regardless of the operational risk quantification approach taken, key assumptions should be documented, and appropriate validation, vetting and verification activities should be performed.

(j) Comparative Analysis
Comparative analysis involves the first line of defence reviewing the risk assessments and outputs of each of the operational risk management tools, to confirm the overall assessment of operational risk. Comparative analysis can help to ensure that risk assessments are performed in a consistent manner and that lessons learned are appropriately shared within the organization. Comparative analysis can also identify areas where greater consistency within the tools used, on an enterprise-wide basis, may generate risk management value through supporting more consistent information collection, aggregation, and resulting analysis. Comparative analysis can also help identify operational risk management tools that may not be effective or well implemented.

Annex 2 – List of Related Guidance

Referenced directly within the guideline:
- Corporate Governance Guideline

Include or reference capital requirements for operational risk:
- Guideline A – Capital Adequacy Requirements
- Guideline A – Life Insurance Capital Adequacy Test
- Guideline A – Minimum Capital Test
- Guideline A – Mortgage Insurer Capital Adequacy Test
- Guideline E-19 – Own Risk and Solvency Assessment (ORSA)
- Guideline E-19 – Internal Capital Adequacy Assessment Process (ICAAP)

Relevant for operational risk scenario analysis:
- Guideline E-18 – Stress Testing

Include specific guidance relating to FRFI processes:
- Cyber Security Self-Assessment Guidance
- Guideline B-7 – Derivatives Sound Practices
- Guideline B-8 – Deterring & Detecting Money Laundering and Terrorist Financing
- Guideline B-10 – Outsourcing of Business Activities, Functions and Processes
- Guideline B-20 – Residential Mortgage Underwriting Practices and Procedures
- Guideline B-21 – Residential Mortgage Insurance Underwriting Practice and Procedures
- Guideline E-4 – Foreign Entities Operating in Canada on a Branch Basis
- Guideline E-5 – Retention/Destruction of Records
- Guideline E-13 – Regulatory Compliance Management (RCM)
- Guideline E-20 – CDOR Benchmark-Setting Submissions

Footnotes

Footnote 1: See Annex 1 item 1 for elements of operational risk frameworks which may be considered best practice for larger, more complex FRFIs, depending on their individual risk profile. As FRFIs evolve, in terms of size or other relevant factors, supervisory expectations may increase in this area.

Footnote 2: See Annex 1 item 2 for first line of defence responsibilities which may be considered best practice for larger, more complex FRFIs, depending on their individual risk profile.

Footnote 3: See Annex 1 item 3 for second line of defence responsibilities which may be considered best practice for larger, more complex FRFIs, depending on their individual risk profile.

Footnote 4: See Annex 1 item 4 for further elaboration on providing effective objective assessment.

Footnote 5: See Annex 1 item 5 for third line of defense responsibilities that may be considered best practice for larger, more complex FRFIs, depending on their individual risk profile.

Footnote 6: See Annex 1 item 6 for descriptions of operational risk management tools that may be considered best practice for larger, more complex FRFIs, depending on their individual risk profile.

Footnote 7: Enterprise-wide means throughout all business activities applicable to the FRFI and its subsidiaries world-wide.

Footnote 8: The second line of defence may also contribute to this role, particularly with respect to aggregating information on an enterprise-wide basis.

Footnote 9: The second line of defence may also contribute to this role, particularly with respect to aggregating information on an enterprise-wide basis.

Footnote 10: 1b – the business may choose to establish control groups that may have specific accountability for activities specific to operational risk, including:
- identifying, measuring, managing, monitoring and reporting operational risk arising from operating activities and initiatives in line with corporate standards;
- establishing an appropriate internal control structure to manage the operational risks in their specific area;
- escalating, in a timely manner, operational risks to senior management or risk management;
- developing and implementing, in a timely manner, corrective actions for operational risk issues that have been identified.

Footnote 11: 2b – the second line of defence may choose to establish a quality assurance program that challenges the quality and nature of the effective challenge provided by the second line of defence (2a).

Footnote 12: See OSFI ICAAP Guideline E-19.

Footnote 13: See OSFI ORSA Guideline E-19.

Modified Date: 2021-06-28


