OSFI Focuses on Culture Risk Issues in New Regulatory Notice

Stikeman Elliott LLP

On November 21, 2024, the Office of the Superintendent of Financial Institutions (“OSFI”) released a regulatory notice on managing culture risk (the “Notice”). The Notice follows industry feedback on OSFI’s February 2023 draft Culture and Behaviour Risk Guideline (the “Draft Guideline”), from which the Notice departs in a number of respects noted below, primarily by being less detailed and less prescriptive. The Notice, which is effective immediately (upon release), includes an Appendix of questions intended to assist in guiding discussions of culture risk at the board, senior management and broader institutional levels.

Background

The Notice applies to all federally regulated financial institutions (FRFIs), including foreign bank branches and foreign insurance company branches to the extent it is consistent with applicable requirements and legal obligations related to their business in Canada. It sets expectations for the management of institutional culture, which “send[s] signals throughout an organization about what is, and is not, valued, important, and acceptable.” Because culture influences the integrity and soundness of institutional decision-making, the management of “culture risk” has become a key element of a FRFI’s risk management program, for which senior management of the FRFI is responsible. The Notice emphasizes the importance of embedding the “desired culture” at all levels of the organization.

Culture Risk Management: Key Elements

The Notice introduces the term “culture risk”, which did not appear in the Draft Guideline, defining it as “the misalignment between a financial institution’s stated desired culture and its actual culture”. The purpose of the Notice is to “[set] expectations for managing culture risk”, although, unlike the Draft Guideline, the language of the Notice is almost entirely non-prescriptive.

The Notice states that senior management is responsible for:

  • fostering the FRFI’s desired culture by ensuring that it is defined, promoted, embedded and managed in a way that supports the FRFI’s mission, strategy and overall risk management; and
  • managing culture risks by ensuring that the FRFI’s policies, processes, practices and people are aligned in support of the FRFI’s culture.

The Notice defines “senior management” as the CEO and those directly responsible to the CEO, as well as the heads of major business platforms or units and the heads of oversight functions. The specific attribution of responsibilities to senior management, rather than to the organization as a whole, is another point of distinction between the Notice and the Draft Guideline.

Fostering the desired culture

The Notice outlines the key elements of fostering a “desired culture”, including (among others):

  • effective leadership (modelling and reinforcing the desired culture);
  • talent management (encouraging behaviours consistent with the desired culture); and
  • compensation, recognition, incentives and accountability (consistently incentivizing respect for the desired culture).

These points correspond to similar statements in the Draft Guideline, although the Notice does not describe them as prescriptive “expectations”.

Managing culture risks

Proactive management of culture risks can include the following steps, according to the Notice:

  • developing risk identification and assessment measures;
  • analyzing risks in terms of causes and consequences;
  • establishing continuous assessment and oversight processes; and
  • continuous evaluation to learn and improve.

Organizationally, achieving this requires:

  • defining clear roles and responsibilities;
  • sufficient staffing and financial resources; and
  • developing strategies and structures to create, maintain and evaluate the desired organizational culture.

These points are similar to those that are described as “behaviour risks” in the Draft Guideline, although they are not expressed as prescriptive expectations in the Notice.

Additional Guidance in the Appendix

The Notice includes an Appendix outlining the questions a FRFI should ask as it develops its culture risk management program in keeping with both the Notice and the OSFI Corporate Governance Guideline. The questions relate to the role of the board, the role of management (leadership and people management) and culture risk management (identification of risks and integration of risk management into the organization’s broader activities).
