What OSFI did (and did not) include in its updated risk management guidelines

Canada’s solvency regulator released the final version of its Guideline E-21: Operational Risk Management and Resilience today, calling for the new expectations in the guideline to be implemented in two phases over 2025 and 2026.

Although the Office of the Superintendent of Financial Institutions (OSFI) has restructured the guideline to include simple language and clear expectations, the basic principles in the document haven’t changed much from the initial draft of the updated guideline in 2021, save for some tweaks based on feedback during public consultation.

Specifically, the regulator addressed two areas of concern raised by stakeholders, including property and casualty insurers: 1) scenario analysis, and 2) change management practices.

Scenario analysis

First, P&C insurers and others asked OSFI to make it clear scenario analysis is still a valid part of operational risk management. OSFI clarified both scenario analysis and testing are valid ways to assess an organization’s operational risks.

“Scenario analysis is still relevant and focuses on identifying and assessing the impact, controls, and mitigating actions of operational risks at the business unit level and enterprise-wide,” OSFI said in a letter to federally regulated institutions Thursday.

“Scenario testing goes further to test whether critical operations can remain within tolerances for disruption on an end-to-end basis, across multiple business lines, in severe but plausible circumstances.”

During consultation, some industries asked for the frequency of scenario-testing to be risk-based, rather than annual. To which OSFI responded: “Scenario-testing should align with risk and criticality, but when significant changes in the risk environment arise, it should take place outside the regular cycle.”

Finally, OSFI acknowledged third parties may not always be available to participate in scenario-testing, as a previous draft of the guidance had suggested. OSFI responded by saying third party participation in scenario testing should be arranged “where possible.”

In other news: Quebec floods cause claims surge, 70,000 filed after torrential rainstorm

Change management

Financial institutions asked for the flexibility to scale regulated review of business’ change management activities to the type of change initiated. OSFI responded that “change management activities should apply to significant changes.”

But OSFI did not budge on the request to restrict the regulated review of change management activities to just the changes themselves and not to the process.

“We disagree,” OSFI said in its letter to stakeholders. “Poorly executed change can lead to disruption. We clarified that processes should govern the risks introduced by change and the change management practices themselves.”

OSFI’s had guidelines for operational risk management in place since 2016. The regulator began to review the guidelines in 2021, with a view to making sure insurers, banks and other financial institutions can deliver goods and services despite various crises common in today’s business world — e.g., business interruption, cyber threats, weak internal controls, labour shortages, and natural catastrophes such as floods, fires and earthquakes.

OSFI’s guidelines cover four sections: governance, operational risk management, business resilience, and planning for disruptions (ways in which risk management can improve resilience).

OSFI wants federally regulated insurers to fully adhere to the new expectations for operational resilience planning by Sept. 1, 2025. Insurers should be adhering to the full updated guideline by Sept. 1, 2026.

Feature photo courtesy of iStock.com/MicroStockHub