On February 28, 2023, the Office of the Superintendent of Financial Institutions (OSFI) released its draft Culture and Behaviour Risk Guideline ("Draft Guideline") for a three-month consultation period. The Draft Guideline was informed by feedback to OSFI's Culture Risk Management Letter dated March 15, 2022, which signalled OSFI's plans to release a guideline on culture risk management, consistent with information papers and culture risk supervisory activities by international regulators (see Fasken bulletin: OSFI Seeks Input on Culture Risk Management). OSFI's view is that culture can either support or weaken the resilience of a Federally Regulated Financial Institutions (FRFI), which in turn could affect confidence in the broader financial system. Accordingly, the stated intent of the guideline is to set expectations that FRFIs have governance, processes and practices that define, assess, and manage culture and behaviour risks in a manner that is proportional to their business and risk profile.
OSFI plans to release an accompanying self-assessment tool that may be used by FRFIs to review the design and effectiveness of their practices, which should also help gaps or opportunities for improvement in compliance with the final culture risk management expectations.
In order to provide clarity and in response to feedback on the Culture Risk Management Letter, OSFI proposes the following definitions:
- Culture: commonly held values, mindsets, beliefs and assumptions that guide what is important and how people should behave in an organization;
- Behavioural Patterns: behaviours that are common or typical across a group of people; and
- Behavioural Risks: Behavioural Patterns that are misaligned to the expected behaviour and the desired culture of the FRFI and/or increase financial and non-financial risks.
Of note, OSFI is clear that the Draft Guideline is intentionally focussed on Culture broadly and is not limited to "risk culture", a subset of Culture that encompasses the common values, attitudes and beliefs about risk and risk-taking within FRFIs.
Expected Outcomes and Principles
The Draft Guideline sets out three expected culture and risk outcomes and a number of related principles, which are summarized below.
Outcome #1: Culture and behaviour are designed and governed through clear accountabilities and oversight
Principle #1: Desired culture and expected behaviours are designed to align with the purpose and strategy of the FRFI and governed through appropriate structures and frameworks.
OSFI will expect each FRFI to establish appropriate governance procedures and structures to oversee culture and expected behaviour. These governance procedures may include considerations related to remuneration, ethics and conflict management, performance, talent management, risk and resilience, escalation and whistleblowing among others.
Governance procedures and structures are to: (a) support the design and development of FRFI culture; (b) be applied consistently and embedded across the organization; and (c) be updated and reviewed on a regular basis for currency.
Definition and development of desired culture is expected to include:
- A clear articulation of the desired culture, including expected behaviours and values;
- Alignment to the FRFI's purpose, vision, strategy and enterprise risk management approach;
- Consideration of key talent and people management strategies;
- Consideration of policies, processes, practices and systems needed to support the desired culture;
- The implementation of frameworks, mandates and objectives that reinforce accountabilities; and,
- Proactive management of culture and behaviour risks through monitoring, assessment and reporting to support ongoing oversight and continuous improvement.
Outcome #2: Desired culture and expected behaviours are proactively promoted and reinforced
In order to achieve Outcome #2, OSFI will expect FRFIs to implement human resources tools, including leadership, talent and performance management practices, and compensation and incentive plans to promote and/or reinforce their desired culture and expected behaviours.
Principle 2: Leaders, at all levels, consistently promote and reinforce the desired culture and expected behaviours through their words, actions and decisions.
Senior leaders, including senior management and heads of oversight functions, will be expected to set a 'tone from the top' that is aligned with the desired culture expected behaviours. In addition, leaders at all levels will be expected to lead by example with respect to their behaviours and decisions. Leaders at all levels will also be expected to consistently hold people accountable to the desired FRFI culture and expected behaviours.
Principle 3: Talent and performance management strategies and practices promote and reinforce the desired culture and expected behaviours.
Talent management and performance management tools will be expected to be used to achieve the desired FRFI culture.
More specifically, the Draft Guideline provides that talent management strategies and practices should take into account desired FRFI culture and expected behaviours and that current and future talent needs are also to be identified and addressed in the manner required for the FRFI to achieve its strategic objectives and desired culture.
In addition, performance management strategies and practices (goal setting, performance evaluation, promotion, discipline and termination) are to take desired FRFI culture and expected behaviours of the FRFI into consideration.
Principle 4: Compensation, incentives and rewards promote and reinforce the desired culture and expected behaviours.
The compensation structure and incentive plans at FRFIs will be expected to be designed to encourage expected behaviours and discourage undesired behaviours at all levels, including Senior Management, material risk takers and staff. More specifically, OSFI will expect that FRFIs ensure that compensation, rewards and incentive practices and decisions, including adjustment decisions:
- Demonstrate the values, expected behaviours and desired culture of the FRFI;
- Promote sound decision making, prudent risk taking and effective risk management; and,
- Align with and support performance and talent management decisions and actions, including any disciplinary measures.
Outcome #3: Risks emerging from behavioural patterns are identified and proactively managed
Principle 5: FRFIs proactively monitor for, assess, and act to address risks related to culture and behaviour that may influence their resilience.
FRFIs will need to implement mechanisms to identify, assess and manage Behavioural Risk. Such mechanisms are to include qualitative and quantitative methods and techniques (such as informal conversations with employees, surveys, interviews, focus groups, employee related data and performance indicators) to identify behavioural patterns across the FRFI.
Behavioural patterns that reflect the expected behaviours and support the desired FRFI culture are to be encouraged and reinforced, whereas those that do not are to be assessed in order to understand:
- Root causes;
- Potential impacts;
- Unintended consequences; and
- Prevalence (e.g., whether the behavioural patterns are widespread),
with particular attention to be paid to widespread behaviour risks and those that may pose a substantial risk to a specific area of the FRFI or impact resilience. These risks are to be reported within the FRFI in a manner consistent with reporting on other risks within the FRFI.
FRFIs will need to determine which behavioural patterns and behaviour risks require a response (which could include ongoing monitoring of existing behavioural patterns, actions to modify existing behavioural patterns or reinforcing existing behavioural patterns that support the desired FRFI culture).
A Guideline Information Session is scheduled for Monday, March 6th, 2023 from 1:30-2:30 PM (ET) with sign up on this OSFI registration page.
In addition to consulting with their regulatory teams, FRFIs may want to consult with their HR and employment law advisors on the Draft Guidance when preparing feedback to OSFI. Feedback can be provided to email@example.com until May 31, 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.