OSFI to improve quality of risk registers: internal audit report

The Office of the Superintendent of Financial Institutions (OSFI) has a comprehensive enterprise risk management (ERM) program in place, but there’s still room for improvement, according to an Internal Audit report.
Internal Audit conducted the review to determine whether OSFI’s risk management, control processes and governance are adequate to ensure risks are appropriately identified and managed.
“While OSFI, through its ‘ERM Policy’ and related ‘Framework’ and its ‘Corporate Planning Framework’ and guidance, has in place and is applying all components of a comprehensive risk management framework, improvements should be undertaken to strengthen its effectiveness,” the report says.
Specifically, a focused management effort is required in the following, according to the audit:
•Adopting a structured comprehensive Internal Control Framework to ensure consistency in assessing controls and in the interim document controls for key risks;
•Improving the quality and consistency of the risk registers, a key management tool in ERM, to allow for a common understanding and aggregation of risks OSFI wide; and
•Ensuring risk exposures are more transparent by separating risk tolerance, to more easily facilitate risk decisions.
Auditors also cited examples of strengths of OSFI’s risk management program. These included:
•Its Long-Term Priority and In-The-Loop communications, keep staff abreast of risks that matter;
•Its Emerging Risk Committee and the Research Division identifies and assesses emerging risks and their potential impact to financial institutions and to OSFI’s supervisory and regulatory work and resources; and
•Its Corporate Planning Strengths Weaknesses Opportunities Threats (SWOT) and Blue-Sky exercises, as well as continuous monitoring of external, emerging and internal risk, demonstrates a strong commitment to risk management.