This is not a guideline. It is intended to communicate basic principles associated with reputation risk management, highlight observations from OSFI’s work in this area, and indicate issues that OSFI may focus on during supervisory reviews.
In 2004, OSFI reviewed reputation risk management practices at selected federally regulated financial institutions (FRFIs). The reviews were intended to enhance OSFI’s understanding of reputation risk management practices and the control systems used by FRFIs. This included, for example, a review of reputation risk management policies and procedures and the roles played by boards, senior management and other oversight functions in ensuring the policies were communicated and adhered to. The reviews focused on reputation risk management practices in the areas of structured financial transactions, trading in mutual and segregated funds, due diligence with respect to funding of brokered mortgages and financial reinsurance. The results referenced below reflect OSFI’s findings in the areas reviewed at the selected FRFIs and are not necessarily reflective of all financial institutions.
While it is evident that many FRFIs have taken significant steps to enhance their reputation risk management practices, there are still areas that would benefit from further development. Recent corporate scandals have resulted in regulatory bodies and the public placing more focus on business practices, ethics and integrity. This is a key issue for an industry that relies on the confidence of consumers, creditors and the general marketplace.
For example, when a FRFI acts as an advisor, arranges or actively participates in financial transactions, it may assume insurance, market, credit, operational and/or other risks. Reputation risk often arises because of inadequate management of these other risks, whether they are associated with complex financial transactions or relatively routine operational activities. The manner in which these activities are executed can create reputation risks that are difficult to predict and quantify. Reputation risk can arise in virtually any area of a FRFI’s operations even when transactions technically comply with legal, accounting and regulatory requirements.
Considering the number of risks associated with financial activities, it is critical that FRFIs utilize effective practices to manage reputation risk on an ongoing basis. OSFI believes that boards and senior management are ultimately responsible for ensuring that each FRFI develops and implements risk management practices appropriate to the risks faced by the institution.
Individual FRFIs will adopt different approaches to reputation risk management taking into account the nature, scope, complexity, and risk profile of the institution. The supervisory process takes this into consideration.
Principles and Observations from the Review
FRFIs should identify reputation risk management as an important aspect of an effective risk management framework that is appropriate for each FRFI’s unique circumstances.
Consistent with this, OSFI noted during its reviews differing strategies to address reputation risk. In some cases, distinct reputation risk management and control frameworks are employed, while other FRFIs manage reputation risk as part of their overall management of financial and other risks such as regulatory, legal, fiduciary and operational risks. OSFI noted in some cases that insufficient consideration may be given to reputation risk, either within specific areas (e.g., business activities, products, locations, etc.) or on an enterprise-wide basis.
FRFIs are expected to tailor their reputation risk management practices in a way that they believe most effectively fits their particular circumstances and risk management challenges. All institutions must recognize that their reputation is a strategically important asset and should endeavour to strengthen their reputation risk management practices.
FRFIs should not treat the following as a checklist of activities. However, OSFI is of the view that these activities are important for effective reputation risk management. OSFI recognizes that individual institutions will adopt individual approaches to management of reputation risk, taking into account their circumstances.
Senior Management and Board Oversight:
Senior management and boards should be actively involved in setting the appropriate “tone” regarding the development and implementation of effective reputation risk management practices.
Demonstrations by the executive and board members of a strong personal commitment to the management of risks to the FRFI’s reputation are crucial to achieving and maintaining effective control throughout the organization. This includes appropriate attention by boards and senior management to events that occur within their institution, as well as appropriate consequences for material breaches of internal policies that put the FRFI’s reputation at risk. This also includes a strong commitment to a corporate code of ethics and conflict of interest policy.
During the reviews of selected FRFIs, OSFI surveyed elements related to board and senior management oversight, such as the frequency of review and approval of significant reputation risk management policies, awareness of these policies throughout the institution, and how actively engaged institutions are in the promotion of prudent reputation risk management practices. While senior management and boards were generally committed to implementing effective reputation risk management practices, there were instances where the level of board and senior management knowledge and involvement on an ongoing basis could be improved.
Depending on the specific circumstances of a FRFI (e.g., scope and complexity of operations), during future supervisory assessments OSFI may focus on issues such as whether senior management and the board of directors have communicated a strong commitment to protecting the institution’s reputation and whether they have assigned appropriate roles and responsibilities for reputation risk management practices.
Reputation Risk Policies:
FRFIs should have effective policies that establish a framework for managing reputation risk on an on-going basis. This could involve having stand-alone reputation risk management policies and procedures or could involve addressing reputation risk management elements within other risk management processes.
OSFI’s reviews of selected FRFIs indicated that the policies associated with their reputation risk management practices often address elements such as: the identification of risk factors, committee structures, transparency requirements (e.g., disclosure of reasons for, or intent of, the transaction), and transaction/product review and approval procedures. Generally, responsibility for reputation risk management should not rest solely with a FRFI’s control functions, but should be a factor that business units appropriately take account of during their operations.
Most of the selected FRFIs had implemented reputation risk policies related to the particular lines of business or products identified in the review. However, as the reviews were narrowly focused, FRFIs may want to examine their practices in all lines of business. In addition, a few FRFIs have been proactive in identifying or managing reputation risk on an enterprise-wide basis.
Depending on the specific circumstances of a FRFI, OSFI may focus its attention during upcoming supervisory assessments on issues such as whether: appropriate policies have been established, they adequately address all facets of effective reputation risk management practices and they are understood and adhered to.
Monitoring and Reporting:
FRFIs should have procedures in place for: monitoring the effectiveness of reputation risk management practices, regular reporting to senior management and the board and ensuring appropriate actions are taken when warranted.
As part of its reviews, OSFI assessed the adequacy of operational controls and independent oversight in areas such as: practices to identify and address the risk in activities that could give rise to reputational risk; assessment and reporting on compliance with reputation risk management policies; identification and review of early warning indicators; and effectiveness of follow-up in the event of non-compliance.
Some of the FRFIs that formed part of the review have very effective monitoring and reporting procedures in place. However, OSFI noted that others could improve their practices by making better use of monitoring tools and establishing measurement criteria. OSFI also noted that some FRFIs could improve the comprehensiveness and timeliness of reporting to senior management and the board of directors.
Depending on the specific circumstances of a FRFI, future supervisory assessments may focus on how reputation risk management practices are monitored on an ongoing basis, the quality and timeliness of reports, and the extent to which issues are analysed and addressed.
Reputation Risk Management Training Programs:
FRFIs should ensure that all employees are aware of, and capable of, identifying and managing the reputation risks within their areas of responsibility.
OSFI reviewed reputation risk training programs at selected FRFIs, paying particular attention to their comprehensiveness and appropriateness. Results showed significant variation in practices in this area. Some of the selected FRFIs utilize advanced training programs, while others had yet to implement comprehensive and ongoing training. It was also noted that, in some cases, training programs were weak in such areas as codes of conduct or conflict of interest.
Depending on the specific circumstances of a FRFI, future supervisory assessments may focus on the nature of the training provided to employees, who receives training and how often, and whether there is follow-up to ensure the training is relevant and effective.
FRFIs should ensure their practices for controlling reputation risk are periodically reviewed by internal audit (or through another independent assessment process), and that issues are addressed on a timely basis.
OSFI’s reviews of selected FRFIs focused on issues such as awareness of reputation risk issues, sufficiency of internal audit resources, staff knowledge and qualifications, reporting and follow-up on recommendations. Results in this area were generally acceptable; however, there were some instances where methodologies could be enhanced to better incorporate an assessment of reputation risk management practices into ongoing internal audit reviews.
Depending on the specific circumstances of a FRFI, specific areas where OSFI may focus its attention during upcoming supervisory assessments include whether internal audit (or some other independent assessment process) periodically reviews adherence with, and the adequacy of, reputation risk management practices.
Reputation risk management is an evolving area. At this time, OSFI does not intend to establish specific guidance for the control and management of reputation risk. However, recent events, as well as the results of OSFI’s work in this area, suggest that improving the effectiveness of reputation risk management practices should be a priority for all FRFIs. As part of the supervisory process, OSFI will continue to pay increasing attention to how FRFIs manage all aspects of reputation risk.