Risk management

The risk appetite is the amount and type of risk an organization takes to achieve its objectives. The Enterprise Risk Management (ERM) policy sets out the overall intent and expectations for effective ERM at the Bank of Canada.

Risk appetite

The risk appetite is the amount and type of risk an organization takes to achieve its objectives. As such, the Bank’s risk appetite is anchored by its mandate, mission and values.

The Bank’s mandate is to promote the economic and financial welfare of Canada. The Bank achieves its mandate by:

  • keeping inflation low, stable and predictable
  • fostering a safe and efficient financial system
  • serving as fiscal agent to the Government of Canada
  • supervising retail payment systems and
  • providing Canadians with bank notes they can use with confidence

The Bank’s vision is to be a leading central bank—dynamic, engaged and trusted—committed to a better Canada.

Our values define who we are and how we work together:

  • Think ahead
  • Include everyone
  • Inspire confidence

The Bank operates in a complex and dynamic environment. It manages a wide range of strategic, operational and financial risks that arise from external forces as well as from its own activities. Furthermore, the Bank makes decisions that anticipate the future in the context of uncertainty and, sometimes, public debate.

Accordingly, the Bank uses judgment to weigh and manage all the risks in line with its Risk Appetite:

The Bank takes risks to fulfill its mandate and maintain the confidence and trust of Canadians. In doing this, the Bank:

  • anticipates, understands, and manages the risks it faces
  • innovates and embraces critical thinking and diverse views
  • minimizes the impact of risks that could prevent it from meeting its mandate

Enterprise Risk Management Policy

The Enterprise Risk Management policy sets out the overall intent and expectations for effective ERM at the Bank of Canada and, together with related procedures and controls, serves the following core purposes:

Protecting the Bank

Everyone effectively manages risks to safeguard the Bank’s assets and integrity, and to prevent sustained negative impact on the confidence and trust of Canadians.

Effective Governance

A robust risk management governance structure provides clear, effective guidance on accountabilities, roles and responsibilities with respect to oversight and decision making at the Bank.

Risk-informed Decision-making

Timely and pertinent risk information is used for decision-making to achieve the Bank’s mandate and strategic objectives.

Measured approach to risk

The Policy promotes a risk-based approach across the Bank, aligned and proportional to the Bank’s needs.

Risk governance

ERM embeds risk considerations into governance. This allows the Bank to make risk-informed decisions in day-to-day operations to meet the vision, mandate and strategic goals laid out in its strategic plan.

The Governor, as Chief Executive Officer, has ultimate responsibility for risk management at the Bank, reporting to the Board of Directors. The Senior Deputy Governor and other members of the Executive Council oversee ERM implementation, and approve the risk appetite. The Executive Council approves risk policies, with advice from the Risk Oversight Committee (ROC)—a sub-committee of the Executive Council.

The Chief Risk Officer (CRO) is the executive owner of the ERM program. The CRO:

  • develops the ERM program and oversees its implementation and effectiveness
  • oversees that risks are managed according to the Bank’s risk appetite
  • provides risk advice to senior management and stakeholders
  • provides integrated risk reporting and intelligence to the Board of Directors, the Executive Council and Bank leadership
  • chairs the ROC

Risk management lines of defence

The Bank follows the Institute of Internal Auditors’ Three Lines of Defence model. This model is the industry standard for effective risk management and governance.

The first line of defence has primary responsibility for identifying and managing risk, including the operationalization of controls in keeping with associated policies, frameworks and risk appetites. This line consists of departmental leadership and staff.

The second line of defence sets the standards, provides advice and challenges the first line of defence. It also oversees risk management according to associated policies, frameworks and risk appetites. This line consists of the CRO, the Enterprise Risk Office, the Financial Risk Office and other operational units within the Bank that have risk mitigation among their core functions.

The third line of defence objectively assesses risk management, control and governance processes. It also advises on the design and implementation of these processes (while maintaining its independence). This line consists of the Bank’s Internal Audit function.

Principal risks

Bank risks are classified as strategic, operational and financial. This classification scheme is the basis for including risk information in enterprise-wide communications and decision-making processes. In assessing its risks, the Bank considers the potential impact on its reputation.

Strategic risks

Strategic risk is the risk of internal and external factors that may impede the central bank from achieving its mandate and strategic objectives. This could include, for example, demographic changes impacting our future workforce, widespread shifts in public opinion impacting our trust and credibility, or climate-related risks impacting our operations and the broader financial system.

The Bank manages strategic risks by continuously scanning the environment, maintaining extensive domestic and international networks, and conducting research to develop effective mitigation measures. The Bank’s stakeholder engagement and communications functions also play an important role.

Operational risks

Operational risk is the risk of negative impact resulting from inadequate or failed internal processes, people, systems, or from external events.

The Bank faces a range of potential operational risks that relate to, among other things, technology infrastructure, cyber security, or financial crime. It has comprehensive programs to manage and mitigate operational risks. The Bank has also made significant investments in initiatives to further enhance its operational resilience. These initiatives may involve collaborating with other central banks or the federal security and intelligence communities.

Like similar organizations, the Bank also manages operational risk with third parties to successfully deliver its activities and, ultimately, its mandate. The Bank’s Third-Party Risk Management Policy and Framework ensure consistent, sound practices to address risks at each stage of third-party relationships.

Financial risks

Financial risks relate to the potential for financial losses arising from credit, market and liquidity risks.

The Bank’s financial risks are low because its asset portfolio consists mainly of Government of Canada securities. In exceptional circumstances, however, such as a financial crisis, the Bank may take on a higher level of risk.

Senior management has established a system of internal controls for its financial assets and liabilities, including a framework for financial risk management. The Bank’s Financial Risk Office monitors and regularly reports on these risks.

The Bank discusses financial risks in detail in the notes to its financial statements. The financial statements do not reflect financial risks associated with the Bank’s role as a fiscal agent. These risks are borne by the government, subject to oversight according to the Funds Management Governance Framework of the Government of Canada and the Bank of Canada.
