Operational Risk Capital Data Management Expectations

To: Banks, Bank Holding Companies, Federally Regulated Trust and Loan Companies

OSFI is releasing the final version of two documents on the management of operational risk capital dataOperational Risk Capital data includes internal operational risk loss data and the components used to calculate the Business Indicator. for institutions required, or those applying, to use the Basel III Standardized Approach for Operational Risk ("SA") capital in Canada:

1. Data Maintenance Expectations for Institutions Using the Standardized Approach for Operational Risk Capital Data ("DME"); and
2. Assessment Tool - Operational Risk Capital Data ("AT")

The DME outlines data management principles that OSFI expects institutions using the SA to adhere to, which includes the Basel Committee on Banking Supervision's Principles for Effective Risk Data Aggregation and Risk Reporting ("RDARR") (PDF). The AT summarizes OSFI's detailed expectations based on Chapter 3 of the Capital Adequacy Requirements Guideline<a href="/en/node/1289">CAR Chapter 3 – Operational Risk</a>, RDARR principles, and the DME. Together, the DME and AT aim to ensure that institutions have effective management of current and historical operational risk capital data.

In addition, OSFI has reviewed the existing implementation notes and self-assessment templates for institutions using TSA/AMA in light of the new requirements for the Basel III SA. Many of the qualifying requirements for TSA/AMA (e.g., scenario analysis, external data, business environment and internal control factors etc.) are not part of the new SA, which uses internal operational loss data as a direct input as part of the capital charge calculation. Moreover, many of the operational risk management expectations found in the implementation notes have been updated and incorporated into other Basel standards as well as OSFI guidance (e.g., Guideline E-21: Operational Risk management; and the Corporate Governance Guideline).

As such, we are rescinding the existing governance<a href="/node/468">Implementation note on governance expectations (2006)</a> and data maintenance<a href="/node/501">Implementation note on data maintenance principles for operational risk (2006)</a> implementation notes for AMA/TSA institutions as well as the TSA & AMA Self-assessment TemplateTSA & AMA self-assessment template. The template is divided into two worksheets: Operational Risk Management ("ORM") Practices and AMA Methodology. upon implementation of the revised CAR guideline in 2023. These would be replaced by the final version of the DME and related AT.

Questions concerning the DME and AT may be addressed via email at datamaintenance-tenuedesdonnees@osfi-bsif.gc.ca.

Your Truly,

Elspeth Bowler
Managing Director, Operational Risk Division