OSFI-FCAC AI Risk Assessment Methodology
Scoring Framework
This framework is based on guidelines from OSFI (Office of the Superintendent of Financial Institutions) and FCAC (Financial Consumer Agency of Canada) for managing AI-related risk. It is applied to assess AI exposure and governance quality across Canada's six largest commercial banks.
Final_risk_estimate =
avg(Exposure₁, Exposure₂)−0.25 × (Control − 3)
· Exposure (1–5): Each risk category has two exposure sub-scores reflecting AI usage breadth, complexity, and external dependencies.
· Control (1–5): Governance/control sub-score. 3 = baseline. Above 3 reduces risk; below 3 increases it.
· Final score range: 1 (lowest risk) to 5 (highest risk).
· Control (1–5): Governance/control sub-score. 3 = baseline. Above 3 reduces risk; below 3 increases it.
· Final score range: 1 (lowest risk) to 5 (highest risk).
Risk Categories (0)
Loading…
Internal Risk (0)
External Risk (0)
Score Interpretation
≥4.0
High
Significant AI exposure with controls that may not fully mitigate risks. Requires immediate attention.
≥3.0
Relative High
Elevated AI risk exposure; governance framework needs strengthening.
≥2.0
Moderate
Moderate AI deployment with broadly adequate controls.
≥1.0
Relative Low
Limited AI usage with solid control framework in place.
<1.0
Low
Minimal AI deployment; robust controls effectively manage risk.
Data Sources
Annual Reports
Strategic direction, overall AI positioning
MD&A
AI risk disclosures, risk factor analysis
Earnings Call Transcripts
Management commentary on AI strategy
AI News Releases
Specific AI milestones, partnerships, and innovations
OSFI-FCAC Regulatory Docs
Risk assessment framework and classification standards
Industry Reports (DAIS, Evident)
Third-party AI talent & capability benchmarking