The Office of the Superintendent of Financial Institutions Canada (OSFI) has released the final version of its revised Corporate Governance Guideline (the Final Guideline). The release of the Final Guideline follows an extensive consultation process that began in August 2012 when OSFI released a draft revised Corporate Governance Guideline (the Draft Guideline) for public comment. The Draft Guideline proposed significant changes in the areas of board effectiveness, risk governance and the roles of the chief risk officer (CRO) and the audit committee. For a summary of the Draft Guideline, please refer to our earlier bulletin. This Bulletin provides an overview of differences between the Final Guideline and the Draft Guideline and offers some observations regarding the Final Guideline.
Overview of Key Changes From the Draft Guideline
OSFI received over 30 submissions following the release of the Draft Guideline and has made a number of changes in the Final Guideline in response to these comments. OSFI’s letter accompanying the Final Guideline includes an Annex summarizing key comments received from the public and an explanation of how these comments were dealt with in the Final Guideline. Some of the key changes are summarized below.
- In response to concerns that the Draft Guideline was not flexible enough for smaller institutions, the Final Guideline has been revised to clarify which elements can be applied in a more flexible manner depending on the institution’s circumstances (e.g., an institution does not necessarily need to have a dedicated CRO).
- Clarification regarding the application of the Final Guideline to subsidiaries.
- With respect to an institution’s oversight functions, the Final Guideline contains changes making it clear that the role of the Board is to approve the mandate, resources and budget of the oversight functions.
- In response to concerns about expectations described in the Draft Guideline regarding independent third party reviews, the Final Guideline takes a different approach. It provides that the Board should regularly conduct a self-assessment of the effectiveness of Board and Board Committee practices, occasionally with the assistance of independent external advisors. It also provides that the Board should regularly assess the effectiveness of the oversight functions and processes and occasionally, as part of its assessment, conduct a benchmarking analysis of those functions or processes with the assistance of independent external advisors.
- In response to concerns that the Risk Appetite Framework (RAF) may require assessment of an overly exhaustive set of risks, the Final Guideline makes it clear that the RAF should consider material risks rather than every risk.
- Changes regarding expectations with respect to the CRO.
- The requirement for all Audit Committee members to be independent has been deleted for consistency with applicable legislation. However, OSFI notes that it is an international best practice for all members of the Audit Committee to be independent and OSFI supports this standard.
- The requirement for all members of the Risk Committee to be independent has been deleted and has been replaced with the requirement that all committee members be non-executives of the institution, allowing the possibility for directors or officers of an affiliate to serve as members of an institution’s Risk Committee.
Some Observations Regarding the Final Guideline
OSFI’s expectations regarding corporate governance, as embodied in the Final Guideline, have undergone significant changes in the past few years. Institutions will need to take stock of their practices to ensure they meet the current standards. With this in mind, we offer the following observations regarding the Final Guideline.
- The Final Guideline does not apply to the branch operations of foreign banks and foreign insurance companies. Footnote 1 to the Final Guideline provides that “OSFI looks to the Chief Agent or Principal Officer of a branch to oversee the management of the branch, including matters of corporate governance”. Areas that would appear to be appropriate to apply in a branch include: the establishment and oversight by the Chief Agent or Principal Officer of oversight functions, including the proper resourcing of them, the assessment of the effectiveness of those functions and occasionally conducting a benchmarking analysis of those functions with the assistance of independent external advisors; the creation of a risk appetite framework; ongoing review of risk management policies to ensure they remain appropriate and effective; the appointment of a Chief Risk Officer; and the establishment of internal controls across the operations of the branch, including for accounting, compliance and all risk management areas.
- Boards are expected to take on a broader role in terms of what they approve, including, where appropriate, approving the appointment of members of senior management, including the heads of oversight functions.
- The broader approval role to be played by the Board may require the Board to engage in more granular activities, particularly when approving the mandate, resources and budget of the oversight functions.
- It is clear from the Final Guideline that Boards are expected to review the implementation and effectiveness of internal controls pertaining to virtually all policies, including those relating to accounting, compliance and risk management, all of which are to support the RAF.
- Board members should expect to engage in more frequent dialogue with the Chair and to meet regularly with the management of business units and the oversight functions with and without other members of Senior Management present.
- Heads of the oversight functions are expected to have unfettered access and a direct reporting line to the Board or the relevant Board committee.
- The Final Guideline states that the CRO’s compensation should not be linked to the performance of specific business lines. This implies that the CRO’s compensation can be linked to the broader performance of the institution.
- It is noteworthy that the Audit Committee, not Senior Management, should recommend to the shareholders the appointment, reappointment, removal and remuneration of the external auditor, and should also agree to the scope and terms of the audit engagement and approve the engagement letter.
- The Final Guideline notably expands the relationship between the Board, through its Audit Committee, and the external auditor. The Final Guideline states that the Audit Committee and the external auditor should discuss the overall results of the audit, the financial statements, the audit report, the quality of the financial statements and any related concerns including:
  - key areas of risk for material misstatement of the financial statements;
  - areas of significant auditor judgment;
  - whether the external auditor considers estimates/models to be “aggressive” or “conservative” within an acceptable range;
  - significant or unusual transactions;
  - difficult or contentious matters noted during the audit;
  - changes in the audit scope or strategy;
  - internal control deficiencies identified during the course of the audit;
  - areas of financial statement disclosures that could be improved; and
  - the role of other audit firms.
Implementation and Next Steps
As next steps, institutions are expected to conduct a self-assessment of compliance with the Final Guideline and establish a plan to address any deficiencies. This is a significant undertaking as there are approximately 100 actions to be taken pursuant to the Final Guideline. Institutions are to advise their Relationship Manager in writing of the results of the self-assessment and the related action plans by May 1, 2013. OSFI expects full implementation of the Final Guideline by January 31, 2014.