Risk management

The risk appetite is the amount and type of risk an organization takes to achieve its objectives. The Enterprise Risk Management (ERM) policy sets out the overall intent and expectations for effective ERM at the Bank of Canada.

Risk appetite

The risk appetite is the amount and type of risk an organization takes to achieve its objectives. As such, the Bank’s risk appetite is anchored by its mandate, mission and values.

The Bank’s mandate is to promote the economic and financial welfare of Canada. The Bank achieves its mandate by:

  • keeping inflation low, stable and predictable
  • fostering a safe and efficient financial system
  • serving as fiscal agent to the Government of Canada
  • supervising retail payment systems and
  • providing Canadians with bank notes they can use with confidence

The Bank’s vision is to be a leading central bank—dynamic, engaged and trusted—committed to a better Canada.

Our values define who we are and how we work together:

  • Think ahead
  • Include everyone
  • Inspire confidence

The Bank operates in a complex and dynamic environment. It manages a wide range of strategic, operational, financial, environmental, and climate-related risks that arise from external forces as well as from its own activities. Furthermore, the Bank makes decisions that anticipates the future in the context of uncertainty and, sometimes, public debate.

Accordingly, the Bank uses judgment to weigh and manage all the risks in line with its Risk Appetite:

The Bank takes risks to fulfill its mandate and maintain the confidence and trust of Canadians. In doing this, the Bank:

  • anticipates, understands, and manages the risks it faces
  • innovates and embraces critical thinking and diverse views
  • minimizes the impact of risks that could prevent it from meeting its mandate

Enterprise Risk Management Policy

The Enterprise Risk Management policy sets out the overall intent and expectations for effective ERM at the Bank of Canada and together with related procedures and controls, serve the following core purposes:

Protecting the Bank

Everyone effectively manages risks to safeguard the Bank’s assets and integrity, and to prevent sustained negative impact in the confidence and trust of Canadians.

Effective Governance

A robust risk management governance structure provides clear, effective guidance on accountabilities, roles and responsibilities with respect to oversight and decision making at the Bank.

Risk-informed Decision-making

Timely and pertinent risk information is used for decision-making to achieve the Bank’s mandate and strategic objectives.

Measured approach to risk

The Policy promotes a risk–based approach across the Bank, aligned and proportional to the Bank’s needs.

Risk governance

ERM embeds risk considerations into governance. This allows the Bank to make risk-informed decisions in day-to-day operations to meet the vision, mandate and strategic goals laid out in its strategic plan.

The Governor, as Chief Executive Officer, has ultimate responsibility for risk management at the Bank, reporting to the Board of Directors. The Senior Deputy Governor and other members of the Executive Council oversee ERM implementation, and approve the risk appetite. The Senior Management Council approves risk policies, with advice from the Risk Oversight Committee (ROC)—a subcommittee of the Senior Management Council.

The CRO is the executive owner of the ERM program. The CRO:

  • develops the ERM program and oversees its implementation and effectiveness
  • oversees that risks are managed according to the Bank’s risk appetite
  • provides risk advice to senior management and stakeholders
  • provides integrated risk reporting and intelligence to the Board of Directors, the Senior Management Council and Bank leadership
  • chairs the ROC and is a member of the Senior Management Council

Risk management lines of defence

The Bank follows the Institute of Internal Auditors’ Three Lines of Defence model. This model is the industry standard for effective risk management and governance.

The first line of defence has primary responsibility for identifying and managing risk, including the operationalization of controls in keeping with associated policies, frameworks and risk appetites. This line consists of departmental leadership and staff.

The second line of defence sets the standards, provides advice and challenges the first line of defence. It also oversees risk management according to associated policies, frameworks and risk appetites. This line consists of the CRO, the Enterprise Risk Office, the Financial Risk Office and other operational units within the Bank that have risk mitigation among their core functions.

The third line of defence objectively assesses risk management, control and governance processes. It also advises on the design and implementation of these processes (while maintaining its independence). This line consists of the Bank’s Internal Audit function.

Principal risks

Bank risks are classified as strategic, operational, financial and environmental and climate-related. This classification scheme is the basis for including risk information in enterprise-wide communications and decision-making processes. In assessing its risks, the Bank considers the potential impact on its reputation.

Strategic risks

Strategic risks arise from external conditions, such as widespread shifts in public opinion or changes in economic or legal parameters. These risks threaten to disrupt the assumptions core to the Bank’s mandate or strategic goals.

The Bank manages strategic risks by continuously scanning the environment, maintaining extensive domestic and international networks and conducting research to develop effective mitigation measures. The Bank’s stakeholder engagement and communications functions also play an important role.

Operational risks

Operational risks stem from inadequate or failed internal processes or systems, underprepared people, or external events. The Bank pays close attention to operational risks that could affect the systems and tools that support its core functions.

The Bank operates in a complex security and threat landscape and faces operational risks that could affect its cyber security, business continuity or physical and personnel security. It has comprehensive programs to manage and mitigate operational risks. The Bank has also made significant investments in strategic initiatives to further enhance its resilience. These initiatives may involve collaborating with other central banks or the federal security and intelligence communities.

The Bank is also exposed to operational risks related to its human resources. The highly competitive labour market affects the Bank’s ability to attract and retain experts in specialized and emerging fields, such as the economy and financial system, cyber security and data science. The Bank regularly reviews and updates its human resources approaches to meet these challenges and monitors its workforce to ensure staffing and skills support its strategic objectives. Efforts to improve employee retention, develop leaders, promote employee wellness and enhance diversity and inclusion also help mitigate human resource risks.

Like similar organizations, the Bank manages operational risk with third parties to successfully deliver its activities and, ultimately, its mandate. The Bank’s Third-Party Risk Management Policy and Framework ensure consistent, sound practices to address risks at each stage of third-party relationships.

Financial risks

Financial risks relate to the potential for financial losses arising from credit, market and liquidity risks.

The Bank’s financial risks are low because its asset portfolio consists mainly of Government of Canada securities. In exceptional circumstances, however, such as a financial crisis, the Bank may take on a higher level of risk.

Senior management has established a system of internal controls for its financial assets and liabilities, including a framework for financial risk management. The Bank’s Financial Risk Office monitors and regularly reports on these risks.

The Bank discusses financial risks in detail in the notes to its financial statements. The financial statements do not reflect financial risks associated with the Bank’s role as a fiscal agent. These risks are borne by the government, subject to oversight according to the Funds Management Governance Framework of the Government of Canada and the Bank of Canada.

Environmental and climate-related risk

This risk is a recent addition to the corporate risk taxonomy. Bank leaders consider environmental risks and opportunities an important part of the Bank’s risk self-assessment process. The potential impacts of climate change on key aspects of the Bank’s work—such as macroeconomic forecasting and monetary policy—as well as the risks associated with the Bank’s impact on the environment are now systematically assessed as part of the decision-making process.