There is increasing recognition by global financial regulators that organizational culture can have a material impact on risk management and, consequently, the resilience of financial institutions and the broader economy.1 Grounded in that proposition, the Office of the Superintendent of Financial Institutions (OSFI) recently issued a draft Culture and Behaviour Risk Guideline (the Guideline) for a three-month consultation period. Once adopted, it will apply to all federally regulated financial institutions (FRFIs) in Canada.
Risk culture in the financial sector
Culture, as defined in the Guideline, encompasses the shared values, mindsets, beliefs and assumptions that shape the way people think and act within the FRFI, and that guide both what is important and how they should behave in the FRFI.
In particular, the draft Guideline directly addresses the importance of risk culture within FRFIs and recognizes that it can influence the behaviours and actions of their members when it comes to identifying, assessing and responding to risks. In other words, risk culture can directly influence how individuals and organizations manage risk and, in the context of an FRFI, it can ultimately strengthen or weaken the resilience of the institution.
The Guideline seeks to bolster institutional resilience, maintain public confidence, and mitigate the material impact that organizational culture can have on risk management by requiring FRFIs to design governance processes that actively manage culture and continuously evaluate risk. The expectations defined in the Guideline state that governance processes are to be aligned with an FRFI’s respective size, nature, scope, complexity of operations, strategy, and risk profile.
The proportional implementation of principles and the top-down management approach mirror well-established corporate governance principles articulated by the Organisation for Economic Co-operation and Development (OECD) and Bank for International Settlements (BIS).2 Although not yet released, the OSFI is set to produce a corresponding self-assessment tool that may be leveraged by FRFIs to review the efficacy of their governance protocols and ensure compliance with the stated Guideline expectations.
Guiding principles and outcomes
The Guideline identifies fundamental outcomes alongside various general guiding principles, summarized below.
Governance structures and oversight
The first outcome outlined in the draft Guideline aims to ensure that culture and behaviour are managed effectively through clear accountabilities and oversight. To achieve this, each FRFI will have to ensure that it designs its desired culture and expected behaviours in line with its purpose and strategy, and that it establishes appropriate structures and frameworks to govern them.
This will require FRFIs to create effective governance structures that oversee culture and expected behaviours, as well as define the desired culture necessary to achieve their strategic objectives and manage risks. FRFIs will also have to develop and execute a plan to embed the desired culture throughout their organization.
Shaping culture and behaviour
The second outcome aims to proactively promote and reinforce the desired culture and expected behaviours. To achieve this, the Guideline emphasizes the importance of consistent promotion and reinforcement of the desired culture and expected behaviours by leaders at all levels through their actions, decisions and communications.
It also explicitly mentions the need to align talent and performance management strategies with the desired culture and expected behaviours.
Furthermore, the Guideline highlights the importance of compensation, incentives and rewards in promoting and reinforcing the desired culture and expected behaviours.
In this regard, the OSFI expects FRFIs to use leadership, talent and performance management practices, and compensation to promote and reinforce their desired culture and expected behaviours.
Managing behaviour risks
Another desired outcome is the identification and proactive management of risks associated with behavioural patterns.
In this regard, the Guideline states that FRFIs should proactively monitor and address risks related to culture and behaviour that may affect their resilience. The OSFI will expect FRFIs to use mechanisms and techniques to detect, evaluate and handle risks arising from behavioural patterns that are not in line with the desired culture and expected behaviours.
Practical implications for FRFIs
Because risk culture (that is, commonly held values, attitudes and beliefs about risks and risk-taking within FRFIs) can materially support or weaken the resilience of FRFIs, the OSFI expects that FRFIs will, notably, do the following:
- Clearly identify responsibilities for key roles and functions across all lines of defence in the management of culture and behaviour risks, and support them with adequate human and financial resources, which may include frameworks related to remuneration, ethics and conflict management, performance, talent management, risk and resilience, escalation and whistleblowing.
- Design an implementation and monitoring plan for the clearly defined organizational culture needed to manage risks effectively.
- Ensure leaders actively shape the culture by what they say and do, and by what they do not say or do. This includes:
  - senior leaders (including senior management and heads of oversight functions) setting a consistent “tone from the top” that is aligned with the desired culture; and
  - holding people accountable to the expected behaviours of the FRFI.
- Consider the FRFI’s strategic objectives and desired culture in the context of:
  - recruitment, hiring, onboarding, learning and development, and talent retention and succession; and
  - performance management practices, including goal setting, performance evaluation, promotion, discipline, and termination.
- Implement compensation frameworks and incentive plans to encourage expected behaviours and discourage undesired behaviours at all levels. Such frameworks may include financial and non-financial awards, performance score cards, as well as informal and formal recognition, among others.
- Use a range of qualitative and quantitative methods and techniques to identify and assess behavioural patterns that commonly exist across the institution. This may include a combination of informal conversations with employees, surveys, interviews, focus groups, employee-related data (for example, turnover and retention rates) and performance indicators, among many others.
- Determine what behavioural patterns and associated behaviour risks require a response. Responses may include ongoing monitoring of existing behavioural patterns, actions to modify existing behavioural patterns that pose a risk to the FRFI, or reinforcing existing behavioural patterns that support the desired culture.
Comments during the consultation period can be submitted to the federal government at [email protected] until May 31, 2023.
The authors would like to thank Jake Palace, articling student, for his contribution to this article.
1 The Financial Stability Board issued supervisory guidance in 2014 and the International Association of Insurance Supervisors issued an exploratory paper in 2021. Regulators in several jurisdictions have also issued information papers on the topic and have incorporated culture into their supervisory activities (such as De Nederlandsche Bank, Australian Prudential Regulation Authority and Monetary Authority of Singapore).