The Financial Stability Board (FSB) recently released for consultation a paper entitled “Guidance on Supervisory Interaction with Financial Institutions on Risk Culture” (the “Risk Culture Guidance”). This is the latest in a series of publications relating to risk governance and management released by the FSB following the global financial crisis. The FSB has invited comments on the Risk Culture Guidance by January 31, 2014.
In its introduction, the Risk Culture Guidance discusses “outcomes-based supervision” and comments that supervision is meant to ensure compliance not only with the letter of the rules but also with their spirit. The Guidance states that an institution’s risk culture is at the crux of an outcomes-based approach to supervision.
The Risk Culture Guidance is a thoughtful and content-rich treatment of the subject and is an important extension of previous developments regarding risk management. The Guidance is consistent with OSFI’s approach to corporate governance and risk management and we think it is very likely that the principles discussed in the Guidance will inform OSFI’s approach to supervision and regulation, and may be addressed in future guidance published by OSFI. In light of the foregoing, and given the centrality of risk management in today’s regulatory environment, Canadian financial institutions should pay close attention to the Risk Culture Guidance.
Foundational Elements of a Sound Risk Culture
Risk culture has been defined as “…the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes.” The Risk Culture Guidance identifies three foundational elements relating to a sound risk culture:
- Risk Governance - this involves addressing the roles and responsibilities of the Board, the Chief Risk Officer (“CRO”) and the risk management function, and the independent assessment of the risk governance framework. In this regard, the importance of the separation of risk oversight functions from management and separate budgets, resources and reporting lines for risk oversight functions was also noted.
- Risk Appetite - this involves an effective risk appetite framework, an effective risk appetite statement, risk limits and defining the roles and responsibilities of the Board and senior management with respect to the risk appetite statement. This assumes institutions have the processes to create their strategy and plans and models and systems to measure and aggregate risks.
- Compensation - ensuring compensation is aligned with prudent risk taking and supervisory oversight and stakeholder engagements.
It is noteworthy that each of these elements is addressed in OSFI’s Corporate Governance Guideline, which was updated earlier this year. With respect to compensation, the Corporate Governance Guideline refers to the FSB’s Principles for Sound Compensation Practices and related Implementation Standards.
Indicators of a Sound Risk Culture
The Risk Culture Guidance discusses the indicators of a sound risk culture, which are summarized below.
Tone From the Top
The Risk Culture Guidance emphasizes the importance of the attitudes and behavior of the Board and senior management and their responsibility for setting the right tone regarding risk. Indicators of tone from the top discussed in the Risk Culture Guidance are:
- leading by example, including expecting integrity and a sound approach to risk and, in particular, encouraging open exchanges of views and challenge;
- assessing espoused values, including to ensure that the “tone at the middle” and throughout the organization is the same as the tone at the top;
- ensuring common understanding and awareness of risk, including that decision making throughout the organization is consistent with the institution’s risk appetite; and
- learning from risk culture failures.
A very noteworthy point is made that the Board and senior management should have mechanisms to manage talent development and succession planning to lessen the influence of dominant personalities and behaviour.
We note that the Risk Culture Guidance, more than most comparable publications, emphasizes the importance of middle management and staff in all of this, and the training of middle management and staff regarding risk management and culture.
The Risk Culture Guidance discusses the importance of employees understanding the institution's risk culture and its approach to risk and of accountability with respect to risk-taking. Indicators of accountability discussed in the Risk Culture Guidance are:
- ownership of risk;
- escalation processes (including whistleblowing) are established and employees are made aware of them systematically; and
- enforcement (i.e., consequences of excessive risk-taking regardless of whether positive revenue or net income was generated).
The Risk Culture Guidance states that an institution’s culture must encourage transparency and open dialogue between management and the Board, and between management and staff, at all levels and at all points in the business process. Key factors in this regard are openness to dissent and the stature of risk management within the institution. To this we would add an open dialogue with the risk management oversight functions, namely internal audit, risk management, compliance, finance and, in the case of insurers, actuarial.
The Risk Culture Guidance states that financial and non-financial incentives should support the institution’s core values and risk culture by rewarding behavior that promotes the institution’s long-term interests over short-term revenue generation. In this context, the Risk Culture Guidance addresses remuneration and performance (i.e., do remuneration and performance metrics support and drive the desired risk-taking behaviours, risk appetite and risk culture) and talent development and succession planning (e.g., does succession planning for key management positions include risk management experience). The example is made that the CRO can be considered as a candidate for CEO.
Recent Remarks by Deputy Superintendent Andrew Kriegler Relevant to Risk Culture
On the same date as the release of the Risk Culture Guidance, Deputy Superintendent Andrew Kriegler spoke to an Autorité des marchés financiers conference in Montreal. He introduced an interesting approach, referring to outside rules and inside rules. Outside rules have more emphasis on showing stakeholders the standards to which institutions are being managed while inside rules have more emphasis on an institution’s behaviour and attitudes and how it is managing itself. Basel III for risk based capital, liquidity and leverage are good examples of outside rules in his view. In contrast, he said that OSFI’s Corporate Governance Guideline is an example of inside rules.
Andrew Kriegler particularly discussed new work to be done on internal audit to raise expectations around it, based on reviews of institutions’ practices and current national and international best practices. He emphasized three principles from among the 20 that the Basel Committee on Banking Supervision set out in 2012 for supervisors to consider, namely:
- Is internal audit assessing the effectiveness of internal control, risk management and governance systems?
- Does internal audit have the knowledge, experience and resources to carry out its work?
- Does internal audit have sufficient standing and authority not only to carry out its responsibilities but also to have its evaluations and recommendations heeded?
He concluded by saying that OSFI will focus increasingly on behaviour and risk culture, not just on whether rules are being followed.
International Institute of Finance, “Reform in the financial services industry: Strengthening Practices for a More Stable System” (2009) at 31.