On November 21, 2024, the Office of the Superintendent of Financial Institutions Canada (OSFI) published a Regulatory Notice regarding Culture Risk Management applicable to all federally regulated financial institutions (FRFIs), including foreign bank branches and foreign insurance company branches (Regulatory Notice).
The Regulatory Notice defines “culture risk” as the misalignment between a financial institution’s stated desired culture and its actual culture that may prevent it from achieving its objectives.
OSFI states that culture may support or undermine sound decision-making, prudent risk-taking and effective risk management, which may, in turn, materially support or weaken a financial institution’s safety, soundness, integrity and security. Culture is also discussed in OSFI’s Integrity and Security Guideline dated January 31, 2024 (Integrity and Security Guideline), in the context of integrity, as well as OSFI’s Corporate Governance Guideline dated September 30, 2018.
The Regulatory Notice sets out the following expected outcomes in respect of governance, fostering desired culture and culture risk management:
- Senior management is responsible for culture risk management: it defines, promotes, embeds and manages the desired culture needed to achieve the institution’s mission and strategy and to manage risk effectively, and it aligns policies, processes, practices and people to support that desired culture.
- Culture should be deliberately shaped, evaluated and maintained through effective leadership, performance management, compensation and accountability practices.
- Senior management sets the tone from the top for the desired culture – all leaders should model and reinforce the desired culture through words, actions and decisions, and individuals should be held accountable to ensure that behaviour consistent with the desired culture is promoted.
- The desired culture is promoted and reinforced by encouraging behaviours consistent with the desired culture and discouraging inconsistent behaviours, and by applying a consistent approach to talent/performance management, compensation and other practices.
- Culture risks should be managed proactively. Culture risks, as well as their root causes, impacts and effects on other risks, should be identified and assessed. Culture risks should also be monitored continuously and reporting processes should be in place to ensure effective oversight.
- Culture risk management is integrated within the financial institution’s enterprise-wide risk management program.
The Regulatory Notice also sets out preliminary industry considerations to assist with the development and maintenance of a financial institution’s culture risk management program.
Culture risk management was a topic of great discussion at OSFI’s Quarterly Release Industry Day held December 5, 2024. OSFI responded to more than 10 questions received from participants during the information session, ranging from how OSFI would regulate culture risk and OSFI’s expectations in respect of implementation of the Regulatory Notice to the implication of culture risk on the overall risk rating of the FRFI and OSFI’s expectations relating to compensation and key performance indicators.
The Integrity and Security Guideline states that there is “no ideal culture” and most can agree that culture is a relatively amorphous concept, making culture risk more difficult to measure than other types of risk. Accordingly, financial institutions are encouraged to focus on the outcomes that OSFI highlights in the Regulatory Notice: ensuring that culture promotes sound decision-making, prudent risk-taking and effective risk management. The Regulatory Notice is a further indication of OSFI’s commitment to focusing on non-financial risks, reasoning that such risks have an indirect material impact on the overall stability of a financial institution.
For more information on this topic, please reach out to the authors, Marisa Coggin or Derek Levinsky, or any member of the Corporate Regulatory Insurance team.