Risk management


The management of risks is embedded in the culture and daily practices of all Bank employees. It is also more formally laid out in the Bank’s Enterprise Risk Management (ERM) policy which promotes and enables risk-informed decisions in a manner consistent with the Bank’s vision, medium-term plan and appetite for risk.

The Bank of Canada is exposed to strategic, operational or financial risks that can arise from its own activities or from external forces. Through effective risk management, the Bank takes advantage of innovation and opportunities that arise from informed risks, and proactively avoids or responds to any dangerous exposure or performance challenges that may arise. The Enterprise Risk Management Policy is supported by the Enterprise Risk Management Framework in conjunction with the Bank’s Risk Appetite Statement.

The Bank of Canada’s risk

The Bank operates in a specialized and complex environment. It uses sound internal controls to manage a range of operational and financial risks from both external forces and its own activities. At the same time, its policy work is highly strategic and dynamic. This is because the central bank makes decisions about the future in the context of uncertainty and, sometimes, public debate. The Bank therefore regularly monitors known risks and scans the horizon for emerging risks in both policy and operational areas. It uses judgment to weigh all risks in light of their potential impact on its credibility, reputation and capacity to achieve long-term objectives, and it manages them accordingly.

The Bank achieves this by:

  • minimizing and managing the impact of risks that could affect the Bank’s ability to fulfill its mandate
  • taking informed risks to foster innovation, advance the Bank’s research and policy development, and improve operations and business practices

Risk management policy

This policy sets out the overall intent and expectations for effective ERM at the Bank of Canada.

The Bank manages its operations with due regard to risk through the implementation of robust, regularized and consistently applied enterprise risk management practices that conform to accepted standards of practice. The Bank’s ERM objectives are to:

  • Identify, assess and manage risks to departmental and Bank-wide objectives in a manner that balances the cost of risk treatments with the opportunities that come from informed risk taking
  • Integrate risk information into decision-making processes throughout the Bank, supporting priority setting and resource allocation at the operational and strategic levels
  • Escalate principal risks to the Bank to senior management and the Board, in support of meaningful risk oversight
  • Engage in open and transparent dialogue on risk within and across Bank departments

Risk governance

ERM embeds risk considerations into governance. This allows the Bank to make risk-informed decisions in day-to-day operations to meet the vision, mandate and strategic goals laid out in its medium-term plan.

The Governor, as Chief Executive Officer, has ultimate responsibility for risk management at the Bank, reporting to the Board of Directors. The Senior Deputy Governor and other members of the Executive Council oversee ERM implementation. They also review and approve any changes to the ERM policy, framework and risk appetite statement in consultation with the Board of Directors, the Senior Management Council and the Risk Oversight Committee (ROC)—a subcommittee of the Senior Management Council.

The CRO is the executive owner of the ERM program and chairs the ROC. The CRO:

  • is a member of the Senior Management Council
  • participates in enterprise-wide discussions on the Bank’s risks
  • helps develop the Bank’s risk profile
  • monitors risk-related activities and issues
  • prepares regular reports for the ROC, the Senior Management Council, the Executive Council and the Board of Directors

Risk management lines of defence

The Bank follows the Institute of Internal Auditors’ Three Lines of Defence model. This model is the industry standard for effective risk management and governance.

The first line of defence has primary responsibility for identifying and managing risk, including the operationalization of controls in keeping with associated policies, frameworks and risk appetites. This line consists of departmental leadership and staff.

The second line of defence sets the standards, provides advice and challenges the first line of defence. It also oversees risk management according to associated policies, frameworks and risk appetites. This line consists of the CRO, the Enterprise Risk Office, the Financial Risk Office and other operational units within the Bank that have risk mitigation among their core functions.

The third line of defence objectively assesses risk management, control and governance processes. It also advises on the design and implementation of these processes (while maintaining its independence). This line consists of the Bank’s Internal Audit function.

Principal risks

Bank risks are classified as strategic, operational, financial and environmental and climate-related. This classification scheme is the basis for including risk information in enterprise-wide communications and decision-making processes. In assessing its risks, the Bank considers the potential impact on its reputation.

Strategic risks

Strategic risks arise from external conditions, such as widespread shifts in public opinion or changes in economic or legal parameters. These risks threaten to disrupt the assumptions core to the Bank’s mandate or strategic goals.

The Bank manages strategic risks by continuously scanning the environment, maintaining extensive domestic and international networks and conducting research to develop effective mitigation measures. The Bank’s stakeholder engagement and communications functions also play an important role.

Operational risks

Operational risks stem from inadequate or failed internal processes or systems, underprepared people, or external events. The Bank pays close attention to operational risks that could affect the systems and tools that support its core functions.

The Bank operates in a complex security and threat landscape and faces operational risks that could affect its cyber security, business continuity or physical and personnel security. It has comprehensive programs to manage and mitigate operational risks. The Bank has also made significant investments in strategic initiatives to further enhance its resilience. These initiatives may involve collaborating with other central banks or the federal security and intelligence communities.

The Bank is also exposed to operational risks related to its human resources. The highly competitive labour market affects the Bank’s ability to attract and retain experts in specialized and emerging fields, such as the economy and financial system, cyber security and data science. The Bank regularly reviews and updates its human resources approaches to meet these challenges and monitors its workforce to ensure staffing and skills support its strategic objectives. Efforts to improve employee retention, develop leaders, promote employee wellness and enhance diversity and inclusion also help mitigate human resource risks.

The global economic and financial environment changes rapidly. This means that the Bank may not have access to, or be able to exploit, the data required to inform its policy and research or to support internal business decisions. An Enterprise Data and Analytics Strategy (EDAS) launched last year will start bringing benefits in 2021 and help manage these risks.

Like similar organizations, the Bank manages operational risk with third parties to successfully deliver its activities and, ultimately, its mandate. The Bank’s Third-Party Risk Management Policy and Framework, launched in 2020, ensure consistent, sound practices to address risks at each stage of third-party relationships.

Financial risks

Financial risks relate to the potential for financial losses arising from credit, market and liquidity risks.

The Bank’s financial risks are low because its asset portfolio consists mainly of Government of Canada securities. In exceptional circumstances, however, such as a financial crisis, the Bank may take on a higher level of risk.

Senior management has established a system of internal controls for its financial assets and liabilities, including a framework for financial risk management. The Bank’s Financial Risk Office monitors and regularly reports on these risks.

The Bank discusses financial risks in detail in the notes to its financial statements. The financial statements do not reflect financial risks associated with the Bank’s role as a fiscal agent. These risks are borne by the government, subject to oversight according to the Funds Management Governance Framework of the Government of Canada and the Bank of Canada.

Environmental and climate-related risk

This risk is a recent addition to the corporate risk taxonomy. Bank leaders consider environmental risks and opportunities an important part of the Bank’s risk self-assessment process. The potential impacts of climate change on key aspects of the Bank’s work—such as macroeconomic forecasting and monetary policy—as well as the risks associated with the Bank’s impact on the environment are now systematically assessed as part of the decision-making process.