New FSRA Guidance Emphasizes Operational Risk in Credit Unions and Caisses Populaires

4 minute read

March 2023

The Financial Services Regulatory Authority of Ontario (FSRA) recently released guidance for credit unions and caisses populaires (CU/CP) regarding operational risk and resilience. These guidelines cover the basics of operational risk management and establish the practices necessary to achieve resilience: namely, instituting a risk management framework, implementing business continuity plans, and incorporating cybersecurity into their wider risk programs. 

If operational risk is the danger that an organization might lose business or be penalized because of faulty processes or external circumstances, then operational resilience is the ability to withstand a risk event while continuing to deliver service. The FSRA’s guidance provides recommendations for CU/CPs to manage risk and enhance operational resilience by carrying out best practices, including: 

Establishing a risk management framework 

A risk management framework is a system for organizing regular risk assessments, risk monitoring and reporting practices, and risk mitigation plans. Effective risk management means visibility into your operational risk landscape, so continuous monitoring and control assessment are essential tools for identification and mitigation. By maintaining regular assessment cadences, you can identify threats to your operational resilience and the vulnerabilities that might be exploited to produce a risk event. Examples of risk frameworks include: 

  • National Institute of Standards and Technology (NIST) 
  • International Organization for Standardization (ISO) 
  • Control Objectives for Information and Related Technology (COBIT) 
  • Secure Controls Framework (SCF) 
  • Committee of Sponsoring Organizations (COSO) 

It’s also important to develop detailed risk mitigation plans, and to prioritize mitigation efforts according to risk criticality. For example, a vulnerability in your keycard system could be exploited, but its criticality depends on your workforce: if most of your employees work from home, then the physical office space is likely a lower-priority area than your cloud services and two-factor authentication policies. 

Implementing business continuity and disaster recovery plans 

Business continuity plans are the backbone of operational resilience: by knowing which vulnerabilities are most likely to result in a disruption and developing plans for maintaining service as a risk event unfolds, you can ensure that, even as your organization recovers, you don’t sustain a costly service disruption. 

Developing continuity plans means identifying core systems and functions then determining what would need to happen for the organization to function while that system was being serviced. For instance, if a local network failure could prevent your employees from accessing customer data, it may be a good idea to establish off-site backups so you can deliver service while your IT team addresses the outage. Operational resilience means knowing where disruptions are the most likely to occur and establishing detailed and prioritized backup plans.  

Incorporating cybersecurity into your risk management framework 

Cybersecurity is a rapidly expanding risk domain, with events increasing across industries and many teams playing catch-up with hackers. A cyber event can cost an organization money in the form of large fines, disrupt function for extended periods, and decrease business by eroding customer trust. To establish resilience in the face of cyber risk, your cybersecurity program must be integrated into your wider risk management framework.  

Running a cybersecurity program separate from other risk domains means limiting your visibility into your risk posture and straining to align with wider organizational objectives. By contrast, a program that’s integrated into the organization’s risk framework has a better view of risk and can run more efficiently as a result. You can align your cybersecurity program with other domains, including third-party risk, by identifying the overlap between controls across domains. For instance, if you have an internal control regarding two-factor authentication, you likely have controls in your third-party ecosystem requiring the same from your vendors. Integrating your cyber controls into a wider framework allows you to link those external controls to your internal ones, reducing redundancy and increasing visibility. Additionally, by automating key processes and ensuring no cybersecurity assessment goes unanswered, a cybersecurity management platform can shore up vulnerabilities and increase operational resilience without increasing your cyber workload. 

Regularly reviewing and updating your risk management framework 

Operational risk is always evolving, so your risk management framework should change to keep up. One benefit of ongoing monitoring and regular assessments is that both practices bring operational changes to your attention. If your operational risk was concentrated in one area when you began developing your program, changing industry conditions and risk mitigation efforts will likely shift the concentration over time. By monitoring your risk assessments and using them to analyze trends in operational risk, you can adjust your efforts to assure that the most critical risk is always your top priority. In an environment of frozen or shrinking budgets, it’s important not to invest your time and money in areas that won’t make an impact—every dollar spent on risk management should drive results. 

Communicating risk to the wider organization 

The FSRA also highlights the importance of effective communication for establishing operational resilience. After all, if your risk managers are the only people in the organization who understand your risk posture, then that leaves vulnerabilities open in other business units. By instituting risk training throughout the organization, you can ensure that everyone understands where your vulnerabilities lie and where a threat is most likely to arise. Additionally, awareness programs are a great way to supplement training and ensure that the wider organization is up to date on the latest changes to your risk landscape. Operational resilience cannot reside within a single business unit, so the whole organization must understand your risk posture and be trained to act accordingly. 

In conclusion, operational risk and resilience are critical considerations for credit unions and caisses populaires. The new FSRA guidelines help companies enhance their operational resilience so they can better fulfill their obligations to members, customers and stakeholders while protecting against potential losses. 

One way to establish compliance with these guidelines and achieve resilience quickly is to implement a cybersecurity program management solution. ProcessUnity Cybersecurity Performance Management (CPM) provides tools for automating key cyber processes and mitigating risk according to criticality. 

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit