Supervisory Framework

Overview

The Supervisory Framework guides our oversight of federally regulated financial institutions and private pension plans. Our primary goal is to protect depositors, policyholders, financial institution creditors, and pension plan beneficiaries. In doing so we contribute to public confidence in the Canadian financial system.

Supervision is judgment-based. We use the framework to support our:

  • assessments of risks
  • responses to the risks that we identify

The framework applies to financial institutions and pension plans. It is differentiated where necessary to reflect the specific characteristics of deposit-taking institutions, insurance companies, and pension plans.

Aligned with international principles

We’ve adopted the following methodologies and we apply them in the context of our mandate:

The foundations of our supervisory approach

While our supervision reduces risk, it doesn’t eliminate it

We recognize that management, boards of directors, and pension plan administrators are ultimately responsible for risk decisions and that financial institutions can fail, and pension plans can experience financial difficulties resulting in the loss of benefits.

We are principles-based

We communicate our expectations and avoid being prescriptive, where possible. Our expectations are set out in guidelines and other policy documents.

Through our supervisory work, we assess alignment with our expectations and take corrective action when necessary. Supervisors use their judgment to understand the effectiveness of risk oversight and controls.

We need to be open with the institutions and pension plans we regulate

Open and transparent communication with regulated institutions and pension plans helps us to achieve our objectives. When necessary, we’re ready to have difficult conversations with institutions and pension plans to achieve sound outcomes.

We protect the confidentiality of information and follow all applicable legal requirements. This, in turn, supports our ability to engage with regulated institutions and pension plans to promote our goals.

We’re good stewards for regulatory oversight

We’re accountable to the public and act with independence and integrity.

In a fast-changing environment, we plan for uncertainty. This means we approach our work with curiosity and are always looking for ways to improve and innovate.

Key principles of supervision

The following key principles help guide us as we follow our mandate.

Our work is risk-based

As supervisors, we make risk-based decisions all the time. We consider size, complexity, and potential impacts to the financial system. We intensify our supervision when we identify risks that could impact safety and soundness or pension-related rights and benefits.

We form views about risk through many activities, including by analyzing data and other information. We rely on the work of external auditors. Where appropriate, we also use the work of oversight functions to avoid duplication of effort.

We rely on sound judgment and diversity of thought

We use professional judgment supported by evidence in our work.

Diversity of thought brings new perspectives that may uncover hidden risks and lead to better outcomes.

We’re forward-looking and ready to act

Our risk assessments are forward-looking, and we take prompt action to address areas of concern. The framework helps us respond quickly to changes in risks.

We often need to make decisions with imperfect information. Our bias towards action means that we accept the risk of engaging too early. This is better than being slow to act. Our quick action helps contribute to public confidence in the Canadian financial system.

How we supervise financial institutions

Our supervisory process

Risk identification

Factoring in size, complexity, and potential system impact

We’re guided by our risk appetite in terms of the supervisory work that we carry out. We recognize that it is not cost-effective or realistic for us to intervene on all risks facing institutions. We have a high appetite for early corrective action to address risks that could jeopardize the public’s confidence in the Canadian financial system.

The type of supervisory work that we do to identify risks considers an institution’s size, complexity, and potential impact on the financial system. This is reflected in an institution’s Tier Rating.

Risk identification starts with data analytics. For larger institutions, our work also includes more frequent supervisory reviews and discussions with management teams and boards of directors.

Analyzing risk trends in a broader context

The risks facing financial institutions are more volatile, complex, and interconnected than ever before. These broader risks set the context for our supervision of individual institutions.

We scan the environment for emerging risks and other relevant trends. This work draws on stress testing and advanced analytics. By thinking about broader trends, we are better positioned to respond quickly to risks that emerge.

We share our view of the most significant risks facing the financial system in our published risk outlooks. We use these publications to explain the high level supervisory and regulatory actions we take in response to risks.

Leveraging data and analytics

Good data is essential to effective supervision. We use data analytics to generate insights and timely signals of changes in risk level. Metrics derived from regulatory returns and other sources provide a consistent starting point for supervisory judgment. We expect advanced data analytics will continue to lead to new supervisory capabilities.

Risk assessment

An institution’s risk rating reflects our view of risk to viability

The Overall Risk Rating (ORR) reflects the level of risk to the viability of a financial institution and has a 1 to 8 scale (ORR scalefor financial institutions).

Our ratings reflect issues that we want an institution to address. We follow a structured approach in assessing risk and use our judgment to assign ratings, supported by data and other evidence.

We monitor risk ratings on an ongoing basis and update them when necessary.

An institution’s ORR and its Tier drive the intensity of our supervisory activity.

Our assessment highlights the main sources of risk for an institution

An institution’s ORR considers these categories:

  • business risk
  • financial resilience
  • operational resilience
  • risk governance

You can read more about each category in the section on financial institution’s ORR categories.

We do not expect perfection for the strongest ratings

We assign an ORR of 1 when no significant issues are identified. Issues could come up, but we have confidence in the institution’s ability to manage them. As a result, there is a minimal level of risk to viability.

Institutions identify some risks through their own oversight and governance processes. Greater transparency around this process helps us to develop and maintain confidence in the institution’s risk oversight.

Issues identified by the institutions themselves can lead to rating changes where they represent an elevated risk to viability. Rating changes are also more likely when we have concerns about the institution’s action plan to address the issues.

Building in flexibility to our approach

We developed a flexible approach to respond to new risks as well as the interplay between financial and non-financial risks.

As an example, we expect that digital innovation will lead to new business models in the financial system. Business risk will be a prominent part of the supervisory risk assessment for these institutions.

We evaluate branch operations in accordance with statutory regimes

Foreign entities operating in Canada on a branch basis are supervised in accordance with the statutory regimes set out in the Bank Act and the Insurance Companies Act. A branch is not a separate legal entity, but rather an extension or presence of the foreign entity in Canada.

We are not the solvency regulator of the foreign entity as a whole. The home country regulator of the foreign entity is the primary regulator.

Our supervisory role for a branch is limited to the business in Canada of the foreign entity. We assess compliance with legal requirements as well as alignment with supervisory and regulatory expectations. Where these requirements and expectations are not met by the foreign entity, we could apply additional supervisory measures to the foreign entity in respect of its branch.

Our guideline Foreign Entities Operating in Canada on a Branch Basis communicates our expectations for foreign entities operating in Canada on a branch basis.

Risk response and remediation

We are outcomes focused

When we have supervisory concerns, we highlight these to institutions and explain the outcomes we want to see. Generally, the institution is responsible for managing the way it achieves the outcomes. We update our rating assessments when we’re satisfied that supervisory concerns are addressed.

Transparency is a cornerstone of effective supervisory relationships

We provide institutions with information to help them address any supervisory concerns.

Our expanded rating scale gives institutions greater clarity about their risk position and supports our ability to take early corrective action. In addition to the ORR, larger institutions (in Tiers 1 to 4) also receive ratings for business risk, financial resilience, operational resilience, and risk governance.

Supervisory information is sensitive with legal prohibitions on inappropriate disclosure.

We escalate our intervention when outcomes are not achieved

We expect institutions to provide a detailed action plan in response to supervisory concerns. We track the progress of remediation activity and are ready to escalate intervention activity when the institution does not achieve satisfactory outcomes. Our approach to intervention is explained in our Guide to Intervention.

Supervisory reporting

We provide regulated institutions with written reports

We communicate with institutions through formal letters in addition to our ongoing discussions with management teams. Our letters highlight key themes and outline any specific concerns.

We communicate supervisory ratings privately and notify the institution by letter whenever any of these ratings changes.

Supervisory letters also remind institutions about the legal prohibitions on inappropriate disclosure of supervisory information.

We share information with Canadian and foreign regulators in certain situations

We share letters and other supervisory information with certain provincial regulators where agreements are in place. Information sharing also takes place when we host or attend supervisory collegesSupervisory colleges are multilateral working groups of financial sector regulators that are formed for the purpose of enhancing effective consolidated supervision on an ongoing basis..

Supervisory colleges are multilateral working groups of financial sector regulators that are formed for the purpose of enhancing effective consolidated supervision on an ongoing basis.

We also share information with foreign regulators where there is a memorandum of understanding.

In all cases, we take measures to protect the confidentiality of information.

Working with our partners in Canada’s federal regulatory system

We use various formal and informal processes to ensure we effectively execute our mandate.

For example, the Financial Institutions Supervisory Committee is a committee whose members include OSFI, the Department of Finance, the Bank of Canada, the Canada Deposit Insurance Corporation, and the Financial Consumer Agency of Canada. It meets at least quarterly to share information on matters relating to supervising federally regulated financial institutions.

We also work with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), which is responsible for ensuring compliance with Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Supervisory ratings for financial institutions

Tier Rating

An institution’s Tier Rating is based on its size and complexity, as well as our view of the impact that its failure could have on the financial system. While we start with data, the assigned Tier Rating reflects our supervisory judgment.

The Tier Rating guides the type of work that we carry out to identify risks, and it helps us apply our risk appetite.

We assign the Tier Rating according to a 1 to 5 scale and update it when there is a material change in an institution’s profile. We use the same scale when assessing pension plans and this helps us apply our risk appetite consistently across our supervisory work. Table 1 outlines the definition of each Tier Rating.

Table 1: Definition of Tier Rating
Tier Definition
1 High Large and/or complex institutions or pension plans with highest system impact
2 Medium-High Large and/or complex institutions or pension plans with significant system impact
3 Medium Mid-size institutions with moderate system impact | Large and/or complex pension plans
4 Medium-Low Smaller and/or less complex institutions with low system impact | Mid-size and/or moderately complex pension plans
5 Low Smallest, least complex institution with very low system impact | Small, least complex pension plans

Institutions that are subsidiaries or affiliates of larger institutions may be assigned a Tier Rating of ‘Related Federally Regulated Financial Institution’ where the risk profiles of the institutions are closely linked.

Tier Ratings are different from capital and liquidity categories for small and medium sized banks

The Tier Rating is different from the criteria we use to segment small and medium-sized banks (SMSBs) into three categories to determine their capital and liquidity requirements. While there is often a correlation between the two assessments, this is not always the case.

Overall Risk Rating categories

An institution’s Overall Risk Rating (ORR) considers the following rating categories:

  • business risk
  • financial resilience
  • operational resilience
  • risk governance

The Tier Rating determines the granularity of our risk assessment:

  • For small institutions (in Tier 5), we assign an ORR that considers these categories.
  • For larger institutions (in Tiers 1 to 4), we also assign ratings for each of these categories on the same 1 to 8 scale as the ORR.
  • Our internal assessment of the largest institutions (in Tiers 1 to 3) also includes a more detailed analysis of additional risks.

Ratings are designed to respond quickly to the most serious risks

Our rating approach focuses on identifying the most serious risks facing an institution. Experience shows that financial crises can develop rapidly, so we need to be ready to take prompt action to address problems.

There are no weights in our framework. For institutions in Tiers 1 to 4, any category has the potential to drive the ORR. We rate each category according to the level of risk it poses to the viability of the institution. In this way, the rating combines an assessment of risk and importance.

For institutions that receive individual rating categories, the category with the weakest rating becomes the starting point for the ORR. The ORR can’t be better than any of the rated categories. It can be worse, for example, where different issues lead to multiple categories being rated at the same level.

We use category ratings to spotlight areas where change is needed

Risks are often connected, and some issues will impact more than one category. For example, the supervisor may determine that risk culture is the root cause of an issue that impacts an institution’s operational resilience.

In these situations, we use the category ratings to reflect risk implications and spotlight where change is needed.

Business risk

This category represents a forward-looking assessment of an institution’s business model sustainability.

The supervisor considers the institution’s ability to achieve targets and generate capital in alignment with its risk appetite. We think about competitive pressures the institution faces and its ability to execute its strategic plan. Reputational risks are also reflected in this category.

Our view of business risk includes the level of vulnerability to external factors. This sets the context for our assessment of the institution’s financial resilience.

Business risk can provide an early indicator of increasing prudential risk. If an institution fails to address a damaged business model, a loss of confidence can follow resulting in financial stress.

Our Corporate Governance guideline sets out expectations around corporate governance, including in relation to an institution’s business plan, strategy, and risk appetite.

Financial resilience

Our assessment of financial resilience reflects the institution’s ability to withstand financial stress. It considers its financial risk profile, capital, and liquidity.

When assessing the financial risk profile, we look at risk levels and exposures as well as the effectiveness of risk oversight and controls.

For insurance companies, we pay particular attention to the management of insurance risk. This includes liability valuation and provisioning, as well as underwriting, reinsurance, and other risk management practices. Our analysis of insurers also includes investment risk and asset and liability management.

For deposit-taking institutions, typical considerations include credit risk and market risk in both the trading and banking book.

We assess capital adequacy for financial resilience in severe but plausible stress scenarios. We consider capital management and the institution’s ability to identify, measure, and monitor risk. Our analysis is forward-looking and includes the institution’s contingency plan and access to capital.

Finally, financial resilience includes consideration of liquidity adequacy, funding risk, and the strength of liquidity management. This is a particularly important consideration for deposit-taking institutions.

Tables 2, 3, and 4 list some of the key guidelines that relate to financial resilience. You can find a complete list of guidelines here: Table of Guidelines.

Table 2: Key guidelines for deposit taking institutions concerning financial resilience
OSFI guideline Area of relevance
Capital Adequacy Requirements (CAR) Capital requirements for deposit-taking institutions
Leverage Requirements Guideline (LR) Leverage requirements for deposit-taking institutions
Internal Capital Adequacy Assessment Process (ICAAP) (E-19) ICAAP expectations for deposit-taking institutions
Liquidity Adequacy Requirements (LAR) Liquidity requirements for deposit-taking institutions
Interest Rate Risk Management (B-12) Expectations for managing interest rate risk in the banking book
Table 3: Key guidelines for insurers concerning financial resilience
OSFI guideline Area of relevance
Life Insurance Capital Adequacy Test (LICAT) Capital requirements for life insurers
Minimum Capital Test (MCT) Capital requirements for property and casualty insurers
Mortgage Insurer Capital Adequacy Test (MICAT) Capital requirements for mortgage insurers
Own Risk and Solvency Assessment (ORSA) (E-19) Expectations for insurers Own Risk and Solvency Assessment
Sound Reinsurance Practices and Procedures (B-3) Expectations for effective reinsurance practices and procedures for insurers
Table 4: Key guidelines applicable for both deposit-taking institutions and insurers concerning financial resilience
OSFI guideline Area of relevance
Stress Testing (E-18) Stress testing expectations for deposit-taking institutions and insurers
IFRS 9 Financial Instruments and Disclosures Expectations around the accounting and disclosure of financial assets and liabilities
Residential Mortgage Underwriting Practices and Procedures (B-20) Expectations for prudent residential mortgage underwriting
Derivatives Sound Practices (B-7) Expectations around derivative activities
Model Risk Management (E-23/draft) Expectations around enterprise-wide model risk management

Operational resilience

The ability to deliver operations, including critical operations through disruption, is an outcome of effective operational risk management.

When looking at operational resilience, the supervisor considers the ability of the institution to respond and adapt to potential disruptions. This category includes an assessment of technology, cyber, and operational risks. Operational risks include business continuity, third party, and data management.

As with financial resilience, this category includes an assessment of risk levels and the effectiveness of risk oversight and controls.

Table 5 lists some of the key guidelines that relate to operational resilience. You can find a complete list of guidelines here: Table of guidelines.

Table 5: Key guidelines concerning operational resilience
OSFI guideline Area of relevance
Operational Resilience and Operational Risk Management (E-21) Expectations for operational resilience and operational risk management
Integrity and Security Guideline Sets expectations for integrity and security
Technology and Cyber Risk Management (B-13) Expectations for technology and cyber risk management
Third-Party Risk Management (B-10) Expectations for third-party risk management

Risk governance

Effective risk governance is the ability to identify, assess, and manage risks appropriately. When assessing effectiveness, we consider culture, accountability structures, and the extent to which oversight functions provide independent and objective challenges.

Our assessment of risk governance includes the frameworks used to identify, assess, and manage risks. Senior management is responsible for implementing board decisions and directing the operations of the institution.

We look to the business and central functions of the institution to:

  • maintain an effective control environment,
  • manage risks arising from everyday operations, and
  • oversee the execution of the business strategy.

Business management has a responsibility to identify, measure, monitor, manage, and report on risks.

Enterprise-wide risk and compliance functions provide independent oversight and objective challenges over business management risk taking activities and compliance matters. This includes establishing frameworks and procedures to independently identify, measure, monitor, and report on risks.

The internal audit function provides independent assurance to the board and senior management on the effectiveness of:

  • internal controls,
  • risk management, and
  • governance processes.

Table 6 lists some of the key guidelines that relate to risk governance.

Table 6: Key guidelines concerning risk governance
OSFI guideline Area of relevance
Corporate Governance Expectations for corporate governance
Culture Risk Management Expectations for management of culture risk
Regulatory Compliance Management (E-13) Expectations for management of regulatory compliance risk

Climate risk considerations are reflected in ORRs

Climate change is an example of a new risk type that is evolving rapidly. It has the potential to significantly affect the safety of individual institutions and the system more broadly.

Climate risk considerations are relevant to all rating categories. We consider the institution’s level of financial and operational resilience to climate change, including physical and transition risks. We also look at the impact on business strategy, as well as the effectiveness of governance and risk management.

Where we identify a climate risk issue, it is reflected in the relevant rating category. The ORR can be driven by climate risks when these are significant in our assessment of the institution’s viability risk.

Our Climate Risk Management guideline establishes expectations related to the management of climate-related risks.

Overall Risk Rating scale

ORRs map directly to OSFI’s existing Intervention Stage ratings as shown in Table 7. You can read more about our approach to intervention in our Guide to Intervention.

Table 7: ORR scale for institutions
ORR Description Stage
1 Minimal 0
2 Low 0
3 Moderate 0
4 Watchlist 0
5 Early warning 1
6 Material 2
7 Serious 3
8 Non-viability imminent 4

We use ratings to signal a need for early corrective action

Institutions are categorized as Stage 0 (or not staged) when no significant problems are identified. For the ORR, we split Stage 0 into four distinct rating categories to give financial institutions a better sense of how we view their risk profile. The expanded scale also helps us signal when an institution needs to take early action to address supervisory concerns.

We assign an ORR 1 when no significant issues are identified. We don’t expect perfection at this level. Issues could come up, but there is confidence in the institution’s ability to manage them. As a result, there is a minimal level of risk to viability.

An ORR 2 means that an institution has low risk. We’re looking for the institution to make some changes to address issues that are identified, but these are not expected to have a significant impact on financial performance or critical operations.

An ORR 3 means that than an institution has a moderate risk. While there is no anticipated risk to viability, we have identified issues that could significantly impact financial performance or critical operations unless they are addressed by the institution.

An ORR 4 is described as watchlist to make it clear that identified issues need prompt attention or the institution is likely to be subject to formal intervention (a Stage rating of 1 or higher).

For higher ratings, we think about how quickly threats are developing

An ORR 5 is assigned to institutions that are in Stage 1 and is an early warning of issues that could impact viability. At this rating level, the impact to viability is not expected to occur within two years based on available information.

An ORR 6 corresponds to Stage 2. At this level, the institution poses material safety and soundness concerns. While the threat to viability is not immediate, it could occur within two years.

An ORR 7 is assigned, and the institution is placed in Stage 3, when future viability is in serious doubt. The institution has severe safety and soundness concerns that could affect viability within one year.

An ORR 8 is assigned to institutions in Stage 4. At this point, non-viability is assessed as imminent.

We recognize that there can be significant uncertainty in assessing timelines for risks to viability. Our ratings are informed by evidence and analysis but ultimately reflect supervisory judgment. Ratings are updated when new information indicates that risks are changing.

How we supervise pension plans

We supervise federally regulated pension plans to determine whether they are meeting minimum funding requirements and are complying with other legislative requirements. We act promptly when a pension plan is not meeting these requirements.

Our supervision accepts that pension plan administrators need to take reasonable risks. Pension plans that meet the minimum funding requirements are permitted to operate with a solvency or going concern deficit. We promote good risk management practices and sound governance.

We use our Supervisory Framework to support our:

  • assessments of risks
  • responses to the risks that we identify

The framework applies to financial institutions as well as pension plans. It is differentiated where necessary to reflect the specific characteristics of deposit-taking institutions, insurance companies, and pension plans.

You can read more here about the foundations of our supervisory approach and ou key principles of supervision.

Our supervisory process

In the following sections we describe the main elements in our supervisory process:

Risk identification

Factoring in size and complexity

We’re guided by our risk appetite in terms of the supervisory work that we carry out to identify risk. The type of regular supervisory work that we do to identify risks considers a pension plan’s size and complexity, and this is reflected in the pension plan’s Tier Rating.

The Tier Rating helps us apply our risk appetite. It is also linked to supervisory proportionality, since larger and more complex pension plans normally require more sophisticated risk management and governance, and this is reflected in the work we carry out to identify risk at those pension plans.

Risk identification starts with data analytics

We use a series of indicators to detect risks based on information submitted by pension plans in regulatory filings and other sources. These indicators are applied to all pension plans and are a cornerstone of our risk-based approach. We focus our attention on pension plans that are identified as having higher risks.

Analyzing risk trends in a broader context

As part of our monitoring work, we look out for broader economic risks. These include the industry outlook for the employer(s) and market movements that could impact the solvency and funding of pension plans.

Reviewing actuarial reports

We require pension plans with defined benefit provisions to submit an actuarial report annually, or once every three years if the solvency ratio is 1.20 or better. We review filed actuarial reports to assess whether going concern and solvency valuations are aligned with actuarial standards and supervisory expectations. We bring any issues to the attention of the pension plan actuary and the pension plan administrator.

Estimated solvency ratio

Our monitoring of pension plans with defined benefit provisions includes an exercise to estimate the solvency ratio. The objective of this exercise is to identify pension plans that might have experienced a significant deterioration in their solvency position since the latest actuarial report and, if appropriate, take supervisory actions.

Supervisory reviews

We undertake in-depth supervisory reviews in certain situations to support risk identification. This type of work allows us to assess the effectiveness of risk management and controls in more detail. We use supervisory judgment in planning this work, including its scope and depth.

Risk assessment

A pension plan’s risk rating reflects our view of risk to rights and benefits

The Overall Risk Rating (ORR) reflects the level of risk to the security of rights and benefits for pension plan members, retirees, and beneficiaries. It has a 1 to 8 scale (ORR scale for pension plans).

We follow a structured approach in assessing risk and use our judgment to assign ratings, supported by data and other evidence. Our ratings reflect issues that we want a pension plan administrator or employer(s) to address.

We monitor risk ratings on an ongoing basis and update them when necessary.

A pension plan’s ORR and its Tier drive the intensity of our supervisory activity.

Our assessment highlights the main sources of risk for a particular pension plan

A pension plan’s ORR considers the following rating categories:

  • business risk
  • financial resilience
  • operational resilience
  • risk governance

You can read more about each category in the section on pension plan's ORR categories.

We do not expect perfection for the strongest ratings

We assign an ORR of 1 when no significant issues are identified. Issues could come up, but we have confidence in the pension plan administrator’s ability to manage them. As a result, there is a minimal level of risk to pension-related rights and benefits.

Pension plan administrators can identify some risks through their own oversight and governance processes. Greater transparency around this process helps us develop and maintain confidence in risk oversight.

Issues identified by pension plan administrators can lead to rating changes where they represent an elevated risk. Rating changes are also more likely when we have concerns about the action plan to address the issue.

Risk response and remediation

We expect pension plan administrators to take prompt corrective action to address supervisory concerns and risk issues, including meeting minimum funding and other statutory requirements.

We are outcomes focused

When we have supervisory concerns relating to practices, controls, and oversight, we highlight these to the pension plan administrator and explain the outcomes we want to see. Generally, the administrator is responsible for managing the way it achieves the outcomes.

We update our rating assessments when we’re satisfied that supervisory concerns are addressed.

Transparency is a cornerstone of effective supervisory relationships

We provide pension plan administrators with information to help them address any supervisory concerns. When necessary, we communicate through formal letters in addition to ongoing discussions. Our letters outline any specific concerns.

We escalate our intervention when outcomes are not achieved

We are ready to escalate intervention activity when the pension plan administrator does not achieve satisfactory outcomes.

Our approach to intervention is explained in our Guide to Intervention for Federally Regulated Private Pension Plans. The objective is to intervene as early as possible to minimize problems before they escalate and to reduce the risk of loss to pension plan members, retirees, and other beneficiaries.

Supervisory ratings for pension plans

Tier Rating

A pension plan’s Tier is based on its size and complexity, with consideration to potential system impact. While we start with data, the assigned Tier Rating reflects our supervisory judgment.

The Tier Rating guides the type of work that we carry out to identify risks.

We assign the Tier Rating using the same 1 to 5 scale that we use for financial institutions. This helps us apply our risk appetite consistently across our supervisory work. Table 8 outlines the definition of each Tier Rating.

Table 8: Definition of Tier Rating
Tier Definition
1 High Large and/or complex institutions or pension plans with highest system impact
2 Medium-High Large and/or complex institutions or pension plans with significant system impact
3 Medium Mid-size institutions with moderate system impact | Large and/or complex pension plans
4 Medium-Low Smaller and/or less complex institutions with low system impact | Mid-size and/or moderately complex pension plans
5 Low Smallest, least complex institution with very low system impact | Small, least complex pension plans

Overall Risk Rating categories

A pension plan’s Overall Risk Rating (ORR) considers the following categories:

  • business risk
  • financial resilience
  • operational resilience
  • risk governance

You can find more information about the legislation, regulations and directives that apply to pension plans here: Pension Plans.

The Tier Rating determines the granularity of our risk assessment:

  • For pension plans in Tier 5 we assign an ORR that considers the four rating categories.
  • For larger and/or more complex pension plans, we also assign ratings for each of the four rating categories on the same 1 to 8 scale as the ORR.

Ratings are designed to respond quickly to the most serious risks

Our rating approach focuses on identifying the most serious risks facing a pension plan.

There are no weights in our framework, and for larger and/or more complex pension plans, any category has the potential to drive the ORR. We rate each category according to the level of risk it poses to the security of rights and benefits. In this way, the rating combines an assessment of risk and importance.

The category with the weakest rating becomes the starting point for the ORR. The ORR can’t be better than any of the rated categories. It can be worse, for example, where different issues have led to multiple categories being rated at the same level.

We use category ratings to spotlight areas where change is needed

Risks are often connected, and some issues will impact more than one rating category. For example, the supervisor may determine that risk governance is the root cause of an issue that impacts a pension plan’s financial resilience.

In these situations, we use the category ratings to reflect risk implications and spotlight where change is needed.

Business risk

The business risk rating is a forward-looking assessment and includes the employer’s ability to fund the pension plan. For example, it includes indications about the financial strength of the employer(s), and strategic decisions that could affect the pension plan’s funding. We also consider the impact of the pension plan design on funding requirements.

The main driver of the business risk rating is the financial strength of the employer(s). Our focus for this category is on the ability of the employer(s) to meet current and future funding requirements.

Financial resilience

The financial resilience rating assesses how the pension plan would be affected by financial stress. We do this by looking at the financial position of the pension plan and the performance of its assets.

The solvency position of the pension plan is an important part of the financial resilience rating because it is an indication of the risk to rights and benefits. For example, if a pension plan was to terminate underfunded, the ability of the pension plan administrator to pay members’ full benefits would depend on whether the employer(s) can fund any shortfall.

We consider risks related to the investment of plan assets, including factors such as the asset mix, returns, liquidity, liability profile, and use of leverage. In the case of defined contribution plans, we consider the appropriateness of investment choices provided to members.

Operational resilience

The operational resilience rating assesses the ability of a pension plan administrator to deliver the promised pension benefits or respect rights through disruption.

The rating considers how rights and benefits could be at risk due to the operations of the pension plan. Oversight of third-party service providers, data management, and technological considerations all factor into this rating.

Risk governance

The risk governance rating reflects the ability of a pension plan administrator to identify significant risks to rights and benefits and to assess and manage their potential impact. We also assess the impact of any identified issues relating to non-compliance with the Pension Benefits Standards Act, 1985 or the Pooled Registered Pension Plans Act.

Our assessment of risk governance includes the frameworks used to identify, assess, and manage risks. This category reflects the overall effectiveness of risk governance for a pension plan.

Overall Risk Rating scale

ORRs map directly to OSFI’s existing Intervention Stage ratings as shown in Table 9. You can read more about our approach to intervention in our Guide to Intervention for Federally Regulated Private Pension Plans.

Table 9: ORR scale for pension plans
ORR Description Stage
1 Minimal 0
2 Low 0
3 Moderate 0
4 Watchlist 0
5 Early warning 1
6 Material 2
7 Serious 3
8 Permanent insolvency 4

We use ratings to signal a need for early corrective action

We categorize pension plans as Stage 0 (or not staged) when no significant problems are identified. For the ORR, we split Stage 0 into four distinct rating categories to provide more granularity to our assessment of the pension plan’s risk profile. The expanded scale also helps us identify when a pension plan needs to take early action to address supervisory concerns.

We assign an ORR 1 when no significant issues are identified. We do not expect perfection at this level. Issues could come up, but there is confidence in the pension plan administrator’s ability to manage them. As a result, there is a minimal level of risk to rights and benefits.

An ORR 2 means that a pension plan has low risk. Issues have been identified, but these are not expected to have a significant impact on the pension plan.

An ORR 3 means that a pension plan has a moderate risk. While there is no anticipated risk to rights or benefits, we have identified issues that could significantly impact the pension plan unless they are addressed.

An ORR 4 is described as watchlist to make it clear that identified issues need prompt attention or the pension plan is likely to be staged.

For higher ratings, we think about how quickly threats are developing

An ORR 5 is assigned to pension plans that are in Stage 1 and is an early warning of issues that could impact rights and benefits.

An ORR 6 corresponds to Stage 2, and at this level the issues pose a threat to the security of rights and benefits. These could deteriorate into a serious situation if not addressed promptly.

An ORR 7 is assigned when there is serious doubt about the ability to deliver benefits or meet rights. The pension plan is placed in Stage 3 and plan termination is a strong possibility.

An ORR 8 is assigned to pension plans in Stage 4. At this point, the pension plan has terminated in an underfunded position and is in the process of wind-up. Benefits will likely be reduced.