OSFI’s Supervisory Ratings: Rating the Risk

March 31, 2003 | Last updated on October 1, 2024
5 min read

In 1999, the Office of the Superintendent of Financial Institutions (OSFI) – Canada’s federal regulator of financial institutions – released its “Supervisory Framework” outlining an innovative approach to supervision. The framework is risk-based and enhances OSFI’s ability to intervene on a timely basis where it considers an institution’s practices to be imprudent or unsafe.

The Office of the Superintendent of Financial Institutions’ (OSFI) supervisory process assesses the effectiveness of an institution’s corporate governance and oversight practices in mitigating risks and, where appropriate, uses the work of an institution’s risk management control functions (oversight functions) to focus OSFI’s resources on higher-risk areas within an institution. Institutions with effective risk management practices can enjoy less supervisory attention. Under the framework, OSFI has committed to providing institutions with their “composite risk” ratings and the ratings for the applicable oversight functions. Confidentiality of these ratings is protected by regulations.

In 2002, OSFI introduced “assessment criteria” to guide supervisory judgment in determining the ratings. The criteria were developed from a study of corporate governance material published here and abroad, a review of the oversight practices at some 40 different types and sizes of institutions regulated by OSFI, and extensive consultations with industry sectors through their respective associations. The criteria are not required standards. Rather, they are used to assist supervisors in formulating their assessments of an institution’s risk profile during monitoring and onsite activities. The assignment of supervisory ratings will be phased in over a three-year period.

Composite risk rating

OSFI began sharing the composite risk rating (CRR) with some institutions in 2002. The CRR is OSFI’s assessment of an institution’s safety and soundness. It is based on assessments of the risks inherent in an institution’s significant activities, the effectiveness of its risk management practices, and the extent to which earnings and capital provide a cushion for unexpected losses. There are four ratings for composite risk: “low”, “moderate”, “above average” and “high”.

The definition of low composite risk is: a strong, well-managed institution. The combination of its overall net risk and its capital and earnings makes the institution resilient to most adverse business and economic conditions without materially affecting its risk profile. Its performance has been consistently good, with most key indicators in excess of industry norms, allowing it ready access to additional capital. Any supervisory concerns have a minor effect on its risk profile and can be addressed in a routine manner.

The definition draws together the elements of the CRR, namely the “overall net risk”, capital and earnings. It also indicates that, for an institution’s composite risk to be rated low, it must be:

Financially strong and well managed;

Resilient to most adverse business and economic conditions;

Able to access capital readily; and

Free of significant supervisory concerns.

The other CRR categories show a gradual deterioration in these conditions, to the point where they would seriously threaten the institution’s viability if not promptly addressed.

Oversight function ratings

Over the next two years, OSFI will also share with institutions its ratings for the applicable oversight functions – board, senior management, risk management, internal audit, compliance, and financial analysis. These ratings will reflect OSFI’s assessment of the functions’ effectiveness in overseeing the management of risks across the institution.

OSFI recognizes that smaller institutions may not need all of the oversight functions usually found in larger institutions. The key here is to assess how well an institution oversees its activities. In the absence of effective oversight, OSFI will step up its supervisory activity and recommend or require that the institution implement an appropriate level of oversight.

An oversight function’s rating is based on an assessment of the function’s characteristics and performance. In other words, OSFI not only looks at “how” a function oversees operations, but “how well” it does so. The criteria OSFI will be using to assess a function’s characteristics are grouped by key features or “essential elements”, such as its mandate, organizational structure, resources, methodology and practices, etc. The criteria were designed to apply to all types and sizes of institutions, including Canadian branches of foreign institutions. However, board criteria will not be applicable to branches. Instead, OSFI looks to the chief agent to oversee the management of the branch, including matters of corporate governance. The effectiveness of this oversight will be assessed using the “senior management” criteria.

Here is an example of a criterion for assessing board practices: Criterion 4.2: “Adequacy of policies and practices to promote independent, effective, and timely decision making, including practices related to the role of unaffiliated directors.” The criterion uses the phrase “adequacy of” to allow supervisors to scale the application of the criterion to the needs of each institution.

Although a function’s characteristics may be predictive of the effectiveness of the oversight, what really matters is “how well” the function oversees operations. For example, while an institution may have a policy to prevent conflicts of interest, oversight breaks down when the policy is waived to allow management to enter into arrangements that conflict with its duty to manage in the best interests of the institution. These are the kinds of performance indicators OSFI will be using to assess the effectiveness of the oversight.

Supervisors will exercise judgment when applying the criteria and performance indicators to the unique circumstances of each institution to determine a function’s rating. These circumstances will also determine the relative importance supervisors will assign to the individual criteria and performance indicators in establishing the rating. Oversight functions will be rated “strong”, “acceptable”, “needs improvement” or “weak”.

The rating for “strong” board oversight is: The composition, role and responsibilities, and practices of the board meet or exceed what is considered necessary, given the nature, scope, complexity, and risk profile of the institution. The board has consistently demonstrated highly effective performance. Board characteristics and performance are superior to generally accepted corporate governance practices. The rating definition contains references to board characteristics and performance, as well as to the appropriateness of the characteristics for the size and complexity of the institution. It also indicates that for a board to be rated strong, it must:

Have characteristics that meet or exceed what is needed to effectively mitigate risk;

Consistently demonstrate highly effective performance; and

Have oversight practices that are superior to what OSFI would normally expect to find in institutions of similar size and complexity.

Implications

So what are the implications of the framework and supervisory ratings for federally regulated financial institutions? The framework and criteria are internal tools used by OSFI to assess supervised institutions. Sharing these tools with supervised institutions will increase the transparency of OSFI’s assessments and help institutions better understand the basis of the assessment and the significance of the assigned ratings.

Additional information on the framework and supervisory ratings is available by emailing john.fernandes@osfi-bsif.gc.ca or on OSFI’s website: http://www.osfibsif.gc.ca/ eng/publications/practices/index_superviso rypract.asp where an overview of the framework, the assessment criteria, an explanation of terms used in the c riteria, and frequently asked questions and answers that arose during OSFI’s industry consultations may be found.