The Office of the Superintendent of Financial Institutions (OSFI) released a draft guideline on October 13, 2023, on the operational resilience and operational risk management requirements of federally regulated financial institutions (FRFIs) operating in Canada and foreign bank branches authorized to conduct business in Canada. The draft guideline is open to public consultation until February 5, 2024.
Key Requirements of the Guideline
Identifying the FRFI’s critical operations and mapping the internal and external dependencies (e.g., people, systems, processes, third parties, and facilities) required to support critical operations.
Establishing tolerances for disruption in respect of an FRFI’s critical operations.
Conducting scenario testing to gauge the ability of the FRFI to operate within its tolerances for disruption across a range of severe but plausible scenarios.
Establishing a culture that promotes and reinforces behaviors that support operational resilience and proactively managing culture and behavior risks that may influence resiliency.
The design and implementation of the FRFI’s operational resilience approach and operational risk management should be proportionate to the FRFI’s size, nature, scope, complexity of operations, strategy, risk profile, and interconnectedness to the financial system.
The Relationship Between Operational Risk Management and Operational Resilience
OSFI states that operational resilience (OpsRes) is built on the foundation of operational risk management (ORM). OSFI further asserts that OpsRes emphasizes the end-to-end performance of the FRFI’s critical operations across the organization, and as ORM matures it should also focus on the performance of operations end-to-end.
How Archer Can Help
The Guideline lists four outcomes FRFIs are expected to achieve related to operational resilience and managing operational risks:
The FRFI can deliver critical operations through disruption.
Operational risk management is integrated within the FRFI’s enterprise-wide risk management program and supports operational resilience.
Operational risks are managed within the FRFI’s risk appetite.
Operational resilience is underpinned by operational risk management subject areas, including business continuity management, disaster recovery, crisis management, change management, technology and cyber risk management, third-party risk management, and data risk management.
Archer can play an important part in helping organizations build these operational risk management and operational resilience capabilities. For example:
Archer Enterprise and Operational Risk Management enables organizations to:
Establish an enterprise-wide operational risk management framework.
Set a risk appetite for operational risks.
Ensure comprehensive identification and assessment of operational risk using appropriate operational risk management practices.
Conduct ongoing monitoring of operational risk to identify control weaknesses and potential breaches of limits/thresholds, provide timely reporting, and escalate significant issues.
Archer Resilience Management enables organizations to:
Identify their critical operations and map internal and external dependencies.
Establish tolerances for the disruption of critical operations.
Develop and regularly conduct scenario testing on critical operations to gauge their ability to operate within established tolerances for disruption across a range of severe but plausible operational risk events.
For more information or to speak to an Archer expert, you can contact us here.