Operational risk management systems need to be strengthened to ensure the long-term sustainability of financial institutions. According to an analysis published by Morningstar DBRS, stronger governance rules and enhanced regulatory oversight are essential to maintain the stability of Canada’s financial ecosystem.
Entitled “Operational Risk: Key Risk to the Canadian Financial System in a Rapidly Evolving Environment,” the commentary was released on March 27. One of the key contributors is Patrick Douville, vice president, global insurance and pension ratings.
The report highlights the increasing complexity of the financial system, driven by numerous factors. “Operational risk can be broadly defined as the risk of financial loss and reputational damage resulting from human error or malfeasance, inadequate or failed internal processes and systems, or external events,” the authors write.
The threats facing financial institutions include rapid technological change and cybersecurity issues, fraud and money laundering, natural disasters, climate-related risks, and foreign interference in domestic affairs.
While operational risk management has been tightened significantly since the 2008 financial crisis, the fast pace of change, along with the complexity and interdependence of various factors, continues to challenge implementation.
The authors also point to rare and unpredictable events, such as the collapse of the asset-backed commercial paper market in 2008, as examples of situations where data alone is not sufficient for sound decision-making. In such cases, decisions are based more on assumptions and subjective assessments. This reinforces the need for a more disciplined approach to risk management, particularly as the consequences of failure today may be more severe than in the past.
Balancing rigour and flexibility
Operational risk management (ORM) systems must be both rigorous and adaptable in order to identify, assess, and monitor emerging risks. This enables senior management and boards of directors to act swiftly and mitigate the frequency and severity of external disruptions.
For Morningstar DBRS, which evaluates financial strength across sectors, ORM systems must be calibrated to match the size, complexity, and risk profile of each organization’s operations.
The authors also note that Canada’s Office of the Superintendent of Financial Institutions (OSFI) recently updated its risk outlook for the Canadian financial system. The regulator emphasized its concerns regarding cybersecurity and the integrity of the financial ecosystem.
Since June 2023, OSFI has expanded its supervisory mandate to include integrity and security within the scope of non-financial and operational risks. Several guidelines have since been updated, including those on the capital adequacy of life insurers. “These guidelines focus on various areas of risk management that contribute to operational resilience such as third-party risk, cyber security, regulatory compliance, and corporate governance,” the authors explain.
Updating internal procedures
Federally regulated financial institutions are required to update their internal processes to close gaps between their risk systems and regulatory expectations, reduce the likelihood of failure, and support operational efficiency. “OSFI remains concerned with financial institutions’ operational resilience and heightened risks related to nonfinancial and operational risks,” Morningstar DBRS notes.
In response, the agency revised its internal credit risk assessment processes for banks in June 2024, followed by updates for insurance companies in September 2024. Morningstar DBRS has also begun factoring in certain operational and non-financial risks as part of its environmental, social, and governance (ESG) evaluations.
These factors have already influenced recent credit ratings, such as TD Bank’s AA (high) rating with a negative trend, and the BBB rating assigned to Laurentian Bank of Canada, which carries a stable outlook.