February 21, 2024Calculating...

Scaling up risks: OSFI’s new supervisory approach to financial institutions

The Office of the Superintendent of Financial Institutions (OSFI) released its new framework for supervising federally regulated financial institutions (FRFIs) on February 8, 2024. The new framework, which will come into force in April 2024, is the most significant change to OSFI’s supervisory approach in 25 years.

What you need to know

  • Eight-point risk rating. The new framework will expand the previous four-point intervention risk rating scale to an eight-point Overall Risk Rating Scale, which maps to OSFI’s existing intervention stage ratings to provide an earlier indication of changes in OSFI’s risk assessment of particular FRFIs.
  • Tier risk rating system. OSFI will implement Tier Rating, which will be based on an FRFI’s size and complexity, as well as OSFI’s view of the impact that the FRFI’s failure could have on the financial system.
  • New risk assessment categories. New risk assessment categories (i.e., business risk, financial resilience, operational resilience and risk governance) will be introduced.
  • Risk rating drivers. The new framework will include more information for FRFIs about the drivers of their risk ratings.


OSFI’s new supervisory framework introduces changes to the current risk rating scale, introducing an eight-point Overall Risk Rating Scale and Tier Rating system. Within this framework, there are new risk assessment categories, with the ultimate goal of ensuring that institutions understand what drives their individual risk ratings and OSFI’s risk appetite.

A summary of the key changes is below.

Eight-point risk rating scale

The existing framework operates under a four-point “Intervention Risk Rating”:

  • Stage 0: Normal
  • Stage 1: Early warning
  • Stage 2: Risk to financial viability or solvency
  • Stage 3: Future financial viability in serious doubt
  • Stage 4: Non-viable/insolvency imminent

The new framework will expand this to an eight-point “Overall Risk Rating Scale” (ORR), which will map directly to OSFI’s existing intervention stage ratings.

Stage 0

OSFI will assign an ORR 1 when no significant issues are identified; an ORR 2 means that an FRFI has a low risk; an ORR 3 means that an FRFI has a moderate risk; and an ORR 4 is described as a watchlist to make it clear that identified issues need prompt attention or the FRFI is likely to be subject to formal intervention (i.e., a Stage 1 or higher rating).

An FRFI with an ORR between 1 and 4 will be in Stage 0. The rationale for splitting the existing Stage 0 into four distinct rating categories is to give FRFIs a better sense of how OSFI views their risk profile and provide signals for early corrective actions.

Stages 1 to 4

For higher ratings, OSFI will consider how quickly threats are developing.

An ORR 5 will be assigned to FRFIs that are in Stage 1 and is an early warning of issues that could impact viability. At this rating level, the impact to viability is not expected to occur within two years based on available information.

An ORR 6 will correspond to Stage 2. At this level, the FRFI poses material safety and soundness concerns. While the threat to viability is not immediate, it could occur within two years.

An ORR 7 will be assigned, and the FRFI will be placed in Stage 3, when future viability is in serious doubt (e.g., the FRFI has severe safety and soundness concerns that could affect viability within one year).

Finally, an ORR 8 will be assigned to FRFIs in Stage 4. At this point, non-viability is assessed as imminent.

Tier Rating

OSFI will also implement Tier Rating according to a 1-to-5 scale, which will be based on an FRFI’s size and complexity, as well as OSFI’s view of the impact that its failure could have on the financial system.

  • Large and/or complex FRFIs with the highest system impact will be defined as Tier 1 High.
  • Large and/or complex FRFIs with significant system impact are Tier 2 Medium-High.
  • Mid-size FRFIs with moderate system impact are Tier 3 Medium.
  • Small and/or less complex FRFIs with low system impact are Tier 4 Medium-Low.
  • Smallest, least complex FRFIs with very low system impact are Tier 5 Low.

Risk rating system: how Tier Rating, the ORR, and risk categories work together

The Tier Rating will determine the granularity of OSFI’s risk assessment. For small FRFIs (in Tier 5), OSFI will assign an ORR that considers the four new risk assessment categories (discussed below): business risk, financial resilience, operational resilience and risk governance.

For larger FRFIs (in Tiers 1 to 4), OSFI will also assign ratings for each of the four risk categories on the same 1-to-8 scale as the ORR. Each category will be rated according to the level of risk it poses to the viability of the FRFI. In addition, OSFI’s internal assessment of the largest FRFIs (in Tiers 1 to 3) will also include a more detailed analysis of additional risks.

For FRFIs that receive individual rating categories, any category has the potential to drive the ORR—the category with the weakest rating will become the starting point for the ORR. The ORR can’t be better than any of the rated categories; however, it can be worse (e.g., where different issues lead to multiple categories being rated at the same level).

New risk assessment categories

Business risk

This category represents a forward-looking assessment of an FRFI’s business model sustainability. Business risk can provide an early indicator of increasing prudential risk. If an FRFI fails to address a damaged business model, a loss of confidence can follow, resulting in financial stress.

Financial resilience

OSFI’s assessment of financial resilience reflects the FRFI’s ability to withstand financial stress and considers the FRFI’s financial risk profile, capital and liquidity. OSFI assesses capital adequacy for financial resilience in severe but plausible stress scenarios, and considers capital management and the FRFI’s ability to identify, measure and monitor risk. The analysis is forward-looking and includes the FRFI’s contingency plan and access to capital. Financial resilience also includes consideration of liquidity adequacy, funding risk and the strength of liquidity management. This is a particularly important consideration for deposit-taking institutions.

Operational resilience

Under this category, OSFI considers the ability of the FRFI to respond and adapt to potential disruptions. This category includes an assessment of technology, cyber, and operational risks. Operational risks include business continuity, third-party and data management.

Risk governance

OSFI defines effective risk governance as the ability to identify, assess and manage risks appropriately. When assessing effectiveness, OSFI considers culture, accountability structures and the extent to which oversight functions provide independent and objective challenges. OSFI’s assessment of risk governance includes the frameworks used to identify, assess and manage risks.

Climate risk considerations

In addition to the four risk categories above, OSFI also identifies climate change as an example of a new risk type that is rapidly evolving and has the potential to significantly affect the safety of individual FRFIs and the system more broadly. Accordingly, climate risk considerations are relevant to all rating categories.

OSFI considers an FRFI’s level of financial and operational resilience to climate change (including physical and transition risks) and the impact on business strategy, as well as the effectiveness of governance and risk management. The ORR, discussed above, can be driven by climate risks when these risks are significant in OSFI’s assessment of the FRFI’s viability risk.

How OSFI supervises FRFIs: risk rating drivers

There are four main elements to OSFI’s supervisory process: the work OSFI does to identify risks at FRFIs, how OSFI assesses risks and assigns ratings, OSFI’s response to risks and the monitoring of remediation activity, and how OSFI reports the results of their supervisory work.

Risk identification

OSFI factors in size, complexity and potential financial system impact in terms of the supervisory work it carries out. This is reflected in an FRFI’s Tier Rating (as discussed above). Risk identification begins with data analytics. OSFI analyzes risk trends in a broader context by scanning the environment for emerging risks and other relevant trends. This work draws on stress testing and advanced analytics. OSFI then leverages the data and analytics to generate insights and timely signals of changes in risk level. Metrics derived from regulatory returns and other sources provide a consistent starting point for supervisory judgment. OSFI expects advanced data analytics will continue to lead to new supervisory capabilities.

Risk assessment

The ORR reflects the level of risk to the viability of an FRFI with the 1-to-8 scale described above.

Risk response and remediation

OSFI is “outcomes-focused”. When OSFI has supervisory concerns, it will highlight these to FRFIs and explain the outcomes it wants to see.  

Supervisory reporting

OSFI engages in supervisory reporting by providing FRFIs with written reports, by sharing information with Canadian and foreign regulators in certain situations, and by working with their partners in Canada’s federal regulatory system.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2024 by Torys LLP.

All rights reserved.

Subscribe and stay informed

Stay in the know. Get the latest commentary, updates and insights for business from Torys.

Subscribe Now