Overall Risk Management Assessment Criteria


Role of Management

Provides independent oversight of the management of risk inherent in the provincially regulated financial institution’s (“PRFI”) activities, and is responsible for ensuring that effective processes are in place for:

  • Identifying current and emerging risks;
  • Developing risk assessment and measurement systems;
  • Establishing policies, practices and other control mechanisms to manage risks;
  • Developing risk tolerance limits for senior management and board approval;
  • Monitoring positions against approved risk tolerance limits; and
  • Reporting results of risk monitoring to senior management and the board.

Quality of Risk Management Oversight

The following statements describe the rating categories to assess the risk management function’s oversight to ensure the risks inherent in the PRFI’s activities are suitably mitigated.

An overall rating of the risk management function considers both its characteristics and the effectiveness of its performance in executing its mandate in the context of the nature, scope, complexity, and risk profile of the PRFI. Characteristics and examples of performance indicators that guide supervisory judgement in determining an appropriate overall rating are set out below.

Strong: The mandate, organization structure, resources, methodologies, and practices of the risk management function meet or exceed what is considered necessary given the nature, scope, complexity, and risk profile of the PRFI. Risk management has consistently demonstrated highly effective performance. Risk management characteristics and performance are superior to generally accepted risk management practices.

Acceptable: The mandate, organization structure, resources, methodologies, and practices of the risk management function meet what is considered necessary, given the nature, scope, complexity, and risk profile of the PRFI. Risk management performance has been effective. Risk management characteristics and performance meet generally accepted risk management practices.

Needs Improvement: The mandate, organization structure, resources, methodologies, and practices of the risk management function generally meet what is considered necessary given the nature, scope, complexity, and risk profile of the PRFI, but there are some significant areas that require improvement. Risk management performance has generally been effective but there are some significant areas where effectiveness needs to be improved. Areas of improvement are not serious enough to cause prudential concerns if addressed in a timely manner. Risk management characteristics and/or performance do not consistently meet generally accepted risk management practices.

Weak: The mandate, organization structure, resources, methodologies, and practices of the risk management function are not what is considered necessary in a material way given the nature, scope, complexity, and risk profile of the PRFI. Risk management performance has demonstrated serious instances where effectiveness needs to be improved through immediate action. Risk management characteristics and/or performance often do not meet generally accepted risk management practices.

Risk Management Criteria*

The following statements describe the characteristics to be used in assessing the quality of the risk management function’s oversight of the management of the PRFI’s activities and related risks, with due consideration to the PRFI’s safety and stability. The application and weighting of the individual criteria will depend on the nature, scope, complexity, and risk profile of the PRFI and will be assessed collectively, together with risk management performance, in rating its overall effectiveness.

Essential Elements and Criteria

1. Mandate

1.1 Extent to which the function’s mandate establishes:

a) Clear objectives and enterprise-wide authority for its activities;
b) Authority to carry out its responsibilities independently;
c) Right of access to the PRFI’s records, information and personnel;
d) Requirement to report regularly on the effectiveness of the PRFI’s risk management processes and on its aggregate exposures compared to approved limits; and
e) Authority to follow up on action taken by management in response to identified issues and related communications.

1.2 Extent to which the function’s mandate is communicated within the PRFI.

2. Organization Structure

2.1 Appropriateness of the stature and authority of the function head within the organization for the function to be effective in fulfilling its mandate.
2.2 Extent to which the function head has direct access to the CEO and the board (or appropriate committee, e.g., risk or audit committee).
2.3 Appropriateness of the function’s organizational structure.
2.4 Extent to which the function is independent of day-to-day management of risks.

3. Resources

3.1 Adequacy of the function’s processes to determine the required:

a) Level of resources necessary to carry out responsibilities;
b) Qualifications and competencies of staff; and
c) Continuing professional development programs to enhance staff competencies.

3.2 Adequacy of the function’s resources and appropriateness of its collective qualifications and competencies for executing its mandate.
3.3 Sufficiency of staff development programs.

4. Methodology and Practices

4.1 Adequacy of process to regularly review and update risk management policies, processes, and limits to consider changes in the industry and in the risk appetite of the PRFI.
4.2 Appropriateness of risk management policies, practices, and limits given the PRFI’s activities and related risks.
4.3 Extent to which risk management policies and practices are coordinated with strategic capital and liquidity management policies and practices.
4.4 Extent to which risk management policies, practices, and limits are documented, communicated, and integrated with the PRFI’s day-to-day business activities.
4.5 Adequacy of policies and practices to monitor positions against approved limits and for timely follow-up on material variances.
4.6 Adequacy of policies and practices to monitor trends and identify emerging risks, and to respond effectively to unexpected significant events.
4.7 Adequacy of policies and practices to model and measure the PRFI’s risks, including stress testing.

5. Reporting

5.1 Adequacy of policies and practices to report identified issues along with recommendations to business units’ management team.
5.2 Adequacy of policies and practices to monitor and follow up on the resolution of identified issues.

6. Senior Management and Board Oversight

6.1 Extent to which board (or a board committee) and senior management approval is required for the:

a) Appointment and/or removal of the function head;
b) Function’s mandate and resources (e.g., function’s overall budget); and
c) Policies, practices, and limits for managing significant risks and activities.

6.2 Adequacy of policies and practices to report regularly to the board (or a board committee) and senior management on the effectiveness of the PRFI’s risk management processes, aggregate exposures, and significant issues.
6.3 Adequacy of policies and practices to perform periodic independent reviews of the function, including communicating results to the board (or a board committee) and senior management.

Risk Management Performance

The quality of the risk management function’s performance is demonstrated by its effectiveness in overseeing the identification, monitoring, measurement, and reporting of risks, with due regard to the PRFI’s safety and stability.

The assessment will consider the effectiveness with which the risk management function anticipates, identifies, and measures risks in a dynamic operating environment and oversees management of those risks within the tolerance limits established by the board.

BCFSA will look to indicators of effective risk management performance to guide its judgement during its supervisory activities. These activities may include: discussions with directors and management, including the chief risk officer [1]; assessment of the risk management function’s oversight practices and how particular issues, such as breaches in approved limits, are dealt with; review of risk management reports and reports of independent assessments of the function; review of board or risk management committee minutes, etc.

Examples of indicators that could be used to guide supervisory judgement include the extent to which the risk management function:

  • Proactively updates its policies, practices, and limits in response to changes in the industry and in the institution’s strategy, business activities and risk limits;
  • Integrates its policies, practices, and limits with day-to-day business activities and with the PRFI’s strategic, capital, and liquidity management policies;
  • Models and measures inherent risks and actively participates in the development of new initiatives to ensure processes are in place to appropriately identify and mitigate risks before implementation;
  • Monitors risk positions against approved limits and ensures that material breaches are addressed on a timely basis;
  • Uses risk measurement and monitoring tools that are sensitive enough to provide early warning indicators of adverse trends and conditions; proactively analyzes these trends and conditions; and follows up to ensure that they are addressed on time;
  • Proactively and effectively addresses risk management issues identified as a result of internal or external events, or by other control functions; and
  • Provides regular, comprehensive reports to the board (or a board committee) and senior management on the effectiveness of the PRFI’s risk management processes and ensures that significant issues are escalated to senior management and the board on time.

[1] References to chief risk officer include any other positions responsible for risk management.

* Examples of documentation that BCFSA may review in formulating its assessment of the characteristics of the risk management function include: organizational charts, mandates, job descriptions, core competencies and personnel profiles, risk management policies, authorities and limits, systems documentation and testing, new product and initiative framework, and reports prepared for senior management and the board (or a board committee).