
As regulators continue to strengthen their focus on operational risk management, Operational Due Diligence (ODD) has become crucial for Canadian funds.

The Office of the Superintendent of Financial Institutions (OSFI) has developed comprehensive guidelines for managing third-party risks, significantly impacting how funds conduct their operational due diligence. This article examines the regulatory landscape governing ODD in Canada and explores key considerations for funds operating in the Canadian market.

OSFI's Third-Party Risk Management Framework

OSFI's Guideline B-10, the Third-Party Risk Management Guideline, sets out clear expectations for federally regulated financial institutions (FRFIs) regarding their relationships with third parties. Investment funds are not directly regulated by OSFI, but the guideline establishes industry standards and market best practice that influence ODD across the Canadian financial sector.

The guideline identifies six key outcomes that financial institutions should achieve through effective third-party risk management:

  1. Clear governance and accountability structures with comprehensive risk management strategies
  2. Identification and assessment of risks posed by third parties
  3. Management and mitigation of third-party risks within the risk appetite framework
  4. Monitoring and assessment of third-party performance with proactive risk management
  5. Ongoing identification and management of various third-party relationships
  6. Transparent, reliable, and secure technology and cyber operations conducted by third parties

Risk-Based Approach to ODD

Central to OSFI's framework is the concept of a risk-based approach to third-party management. Financial institutions are expected to assess their third-party arrangements regularly, with higher-risk and more critical arrangements subjected to more frequent and rigorous assessment.

For funds conducting ODD, this translates to several key considerations:

1. Criticality Assessment

Funds must determine the criticality of each third-party relationship by considering several key factors. This assessment helps establish appropriate oversight levels and shapes the due diligence process, ensuring resources are allocated proportionately to the significance of each relationship.

Key considerations:

  • The severity of loss or harm if the third party fails to meet expectations.
  • The substitutability of the third party, including portability of services.
  • The degree to which the third party supports critical operations.
  • The impact on business operations if the fund needed to transition to another service provider.

2. Risk Level Determination

When assessing risk levels, funds should consider a comprehensive set of factors that might impact the relationship. This multi-dimensional analysis enables funds to develop a nuanced understanding of exposure. It also creates tailored risk management strategies that address the specific challenges presented by each third-party arrangement.

Key considerations:

  • The probability of the third party failing to meet expectations.
  • The ability to assess controls at the third party and meet regulatory requirements.
  • The financial health of the third party and potential "step-in" risk.
  • The third party's use of subcontractors and supply chain complexity.
  • The degree of reliance on third parties with elevated concentration risk.
  • Information management, data, cyber security, and privacy practices.
  • Other relevant financial and non-financial risks.

3. Due Diligence Requirements

OSFI expects financial institutions to conduct thorough due diligence proportionate to the level of risk and criticality of each third-party arrangement.

This includes:

  • Initial due diligence prior to entering into arrangements.
  • Ongoing due diligence throughout the arrangement, including as part of the contract renewal process.
  • Periodic assessments proportionate to risk levels, or when material changes occur.

Funds should ensure their due diligence processes evaluate both qualitative and quantitative factors related to each third-party arrangement.

4. Managing Concentration Risk

Concentration risk emerges as a significant concern in the guidelines. Funds must assess concentration risk across multiple dimensions, including:

  • Geographic concentration.
  • Supplier concentration.
  • Subcontractor concentration.

This assessment should span across business functions, legal entities, and the entire organisation, with a view to understanding potential systemic concentration risks.

5. Subcontracting Risk Management

The guidelines emphasise that financial institutions remain responsible for risks arising from subcontracting arrangements undertaken by their third parties. These requirements acknowledge the complexity of modern supply chains and the need for transparency throughout all tiers of service provision. Funds are expected to maintain visibility beyond their immediate service providers.

For funds, this means:

  • Identifying and understanding third-party subcontracting practices.
  • Assessing the third party's own risk management programme.
  • Ensuring appropriate ongoing updates and reporting on subcontractor usage.
  • Establishing contractual provisions to control subcontracting risk where necessary.

6. Technology and Cyber Risk Considerations

Given the increasing reliance on technology services, the guidelines include specific expectations for managing technology and cyber risks in third-party arrangements:

Clear Roles and Responsibilities: Funds should establish clear roles and responsibilities between themselves and third parties for technology and cyber controls, with more granular descriptions where necessitated by risk level.

Compliance with Standards: Third parties with elevated levels of technology and cyber risk should comply with institutional standards or recognised industry standards for mitigating risk. This is especially relevant in areas such as access management and data security.

7. Cloud-Specific Requirements

For cloud services, funds should develop specific requirements to ensure appropriate governance and risk management. These cloud-specific controls recognise the unique characteristics of cloud environments and the need for specialised approaches to security, data protection, and operational resilience.

Funds should ensure:

  • Cloud adoption occurs in a planned and strategic manner.
  • Interoperability is optimised while remaining consistent with risk appetite.
  • Existing controls and standards are augmented, especially in data protection, key management, and container management.

8. Cloud Portability

Funds should consider portability when entering arrangements with cloud service providers, including:

  • Assessing the benefits and risks of portability.
  • Developing mitigants where portability is absent.
  • Considering multi-cloud strategies to build resilience and mitigate concentration risk.

9. Incident Management and Reporting

The guidelines emphasise the importance of incident management and reporting.

Funds should ensure their third parties have:

  • Clearly defined and documented processes for identifying, investigating, escalating, and remediating incidents.
  • Appropriate notification requirements to enable compliance with regulatory reporting obligations.
  • Processes for conducting root cause analysis and sharing results for significant incidents.

10. Contingency Planning and Exit Strategies

Funds must establish contingency and exit plans proportionate to the risk and criticality of third-party arrangements.

These should include:

  • Triggers for invoking contingency or exit plans.
  • Activities to maintain critical operations during disruptions.
  • Procedures for both stressed and non-stressed exits.
  • Sufficient detail to allow rapid execution.
  • Regular reviews and updates, particularly following material changes.

The OSFI Third-Party Risk Management Guideline provides a comprehensive framework that influences ODD practices for funds operating in Canada. By adopting a risk-based approach to third-party management, funds can align their ODD processes with regulatory expectations while effectively managing operational risks.

As the regulatory landscape continues to evolve, funds should stay informed about changes to guidelines and best practices, and regularly review and update their ODD processes accordingly. By doing so, they can meet regulatory expectations while enhancing their operational resilience and protecting stakeholder interests.


The Role of Thomas Murray’s Operational Due Diligence Solution

Thomas Murray’s Operational Due Diligence product, hosted on the Orbit Risk platform, is designed to tackle the challenges of modern ODD. Key features include:

  • Questionnaire platform: An advanced questionnaire tool with in-built communication and task tracking.
  • Managed Services: End-to-end support for due diligence questionnaires, reducing administrative burdens.
  • Ongoing Monitoring: AI-powered alerts tailored to investment portfolios.
  • Financial Statement Analysis: Automated data extraction and trend analysis.
  • Cyber Security Risk Ratings: Detection of vulnerabilities and exposures with configurable alerts.
  • Entity Summary Dashboards: Centralised operational profiles for informed decision-making.

These capabilities not only streamline workflows but also enhance risk management and reporting, enabling fund managers to focus on strategic priorities.

ODD is indispensable for asset allocators aiming to safeguard their assets and optimise performance. By leveraging technology to automate processes, enhance insights, and streamline workflows, firms can overcome resource constraints and stay ahead in an increasingly complex investment landscape.

As ODD evolves, solutions like Thomas Murray's Operational Due Diligence tool are setting new benchmarks for efficiency, accuracy, and strategic value.
