The Office of the Superintendent of Financial Institutions (OSFI) issued a draft guideline on Thursday calling on federally regulated financial services firms to manage their operational risks properly in the wake of a series of scandals within the global financial services sector, including the recent LIBOR and foreign-exchange trading scandals.
Specifically, the guideline defines operational risk as the risk of loss resulting from people, inadequate or failed internal processes and systems, or from external events. This includes legal risk but excludes strategic and reputational risk.
“Operational risk is inherent in all products, activities, processes and systems, and the effective management of operational risk should be a fundamental element of a [firm’s] risk management program,” OSFI’s draft guideline says. “Understanding operational risks leads to better decision making through the observation and analysis of past operational risk events and patterns of observed behaviour within the [firm]. In addition, a robust framework for operational risk management provides a mechanism for discussion and effective escalation of issues leading to better risk management in this area over time and increased institutional resilience.”
OSFI does not currently have comprehensive guidance on dealing with operational risk; the regulator notes that it can be difficult for firms to access all of the relevant guidance that is scattered throughout its various other guidelines. In addition, its existing guidance isn’t always consistent between different types of financial services firms.
To address these issues, OSFI is proposing a single guideline, focused solely on operational risk, that includes four key principles for effective risk management in this area.
Among other things, the guideline calls for firms to integrate operational risk management fully within their overall risk-management programs. Furthermore, the draft guideline says firms should develop and utilize an operational risk appetite statement and that they should ensure they have effective accountability mechanisms for this task.
“A ‘three lines of defence’ approach, or appropriately robust structure, serves to separate the key practices of operational risk management and provide adequate independent overview and challenge,” OSFI’s draft guideline says.
OSFI is seeking comments on the draft guideline by Oct. 9.