- Type of Publication: Draft Guideline
- Category: Sound Business and Financial Practices
- Date: November 2017
- Audiences: Banks / BHC / T&L / CRA / Life / Frat / P&C / IHC
I. Purpose and Scope of the Guideline
This guideline communicates OSFI’s expectations with respect to corporate governance of federally regulated financial institutions (FRFIs). It applies to all FRFIs other than the branch operations of foreign banks and foreign insurance companies.
OSFI’s corporate governance expectations are principles-based and recognize that a FRFI’s corporate governance practices may depend on its size; ownership structure; nature, scope and complexity of operations; strategy; and risk profile.
This guideline complements:
- Relevant provisions of the Bank Act, the Insurance Companies Act, the Trust and Loan Companies Act, the Cooperative Credit Associations Act and associated regulations; and,
- OSFI’s Supervisory Framework and Assessment Criteria
Corporate Governance for Financial Institutions
Corporate governance is a set of relationships between a company’s management, its Board of Directors (Board), its shareholders, and other stakeholders. It also provides the structure through which the objectives of the company are set, and through which the means of attaining those objectives and monitoring performance are determined.
The quality of FRFI corporate governance practices is an important factor in maintaining the confidence of depositors and policyholders, as well as overall market confidence. This guideline, therefore, draws attention to specific areas of corporate governance that are especially important for financial institutions (e.g., risk governance), owing to the unique nature and circumstances of financial institutions and risks assumed relative to other corporations. See Annex A for a description of the special nature of financial institutions.
II. The Board of Directors
The Board is responsible for the FRFI’s business plan, strategy, risk appetite and culture, and oversees the FRFI’s Senior Management and internal controls.
The Role of the Board
In addition to the roles and responsibilities of the Board outlined in federal legislation, the Board should discharge, at a minimum, the following essential duties in relation to the FRFI:
1. Approve and oversee:
- Short-term and long-term business plan and strategy;
- Significant strategic initiatives (e.g., mergers and acquisitions);
Risk Management and Oversight
- Risk Appetite Framework;
- Internal Control Framework;
- Significant policies, plans and strategic initiatives related to the management of, or that materially impact, capital and liquidity (e.g., internal capital targets, share issuance);
- Codes of ethics and conduct;
Board, Senior Management and Oversight Functions
- Appointment, performance review, and compensation of the CEO and, where appropriate, other key members of Senior Management, including the heads of the Oversight Functions;
- Succession plans with respect to the Board, CEO and, where appropriate, other key members of Senior Management, including the heads of the Oversight Functions;
- Mandate, resources and budgets for the Oversight Functions;
- External audit plan, including audit fees and the scope of the audit engagement; and
- Internal audit plan.
The duties above are the primary responsibilities of the Board, and should be the main focus of the Board’s attention and activities.
2. Provide challenge, advice and guidance to the Senior Management of the FRFI, as appropriate, on:
Operational and Business Policies
- Significant operational, business and risk management policies of the FRFI, including those in respect of credit, market, operational, regulatory compliance and strategic risks, and their effectiveness; and
- Compensation policy for all human resources that is consistent with the Financial Stability Board (FSB) Principles for Sound Compensation and related Implementation Standards;
Business Performance and Effectiveness of Risk Management
- Performance of the FRFI relative to the Board-approved business plan and strategy;
- Effectiveness of the Risk Appetite Framework;
- Effectiveness of the Internal Control Framework;
- Effectiveness of the Oversight Functions; and
- Effectiveness of significant policies and plans related to management of capital and liquidity (e.g., ICAAP/ORSA report).
The duties above are the responsibility of Senior Management. The Board has the discretion to decide the extent and nature of its input, and to provide challenge, advice and guidance on these matters and others.
The Board should be satisfied that the decisions of Senior Management are consistent with the Board-approved business plan, strategy and risk appetite of the FRFI, and that the corresponding internal controls are sound.
The Board and Senior Management
2. Senior Management is responsible for implementing the Board’s decisions and directing the operations of the FRFI.
Senior Management is composed of the Chief Executive Officer (CEO) and individuals who are directly accountable to the CEO, such as the heads of major business platforms or units. In addition, Senior Management may also include the executives responsible for the Oversight Functions, such as the Chief Financial Officer (CFO), Chief Risk Officer (CRO), Chief Compliance Officer (CCO), Chief Internal Auditor, and Appointed Actuary.
Senior Management is responsible for directing the operations of the FRFI within the authority delegated to them by the Board, and in compliance with applicable laws and regulations.
In order to fulfil its responsibilities, the Board relies on Senior Management to provide sound advice on the organizational objectives, plans, strategy, structure and significant policies of the FRFI. Senior Management should set out information, options, potential trade-offs, and recommendations to the Board in a manner that enables the Board to focus on key issues and make informed decisions in a timely manner.
The Board should, in turn, understand the decisions, plans and policies being undertaken by Senior Management and their potential impact on the FRFI.
The Board and the Oversight Functions
The Oversight Functions provide independent and objective assessments to the directors to allow them to fulfill their responsibilities. The Oversight Functions identify, measure, and report on the FRFI’s risks, assess the effectiveness of the FRFI’s risk management and internal controls, and determine whether the FRFI’s operations, results and risk exposures are consistent with the FRFI’s risk appetite.
The heads of the Oversight Functions should have sufficient stature and authority within the organization, and should be independent from operational management. The heads of the Oversight Functions should have unfettered access and a direct reporting line to the Board or the appropriate Board committee.
The Board should regularly assess the effectiveness of the FRFI’s Oversight Functions.
Boards of Subsidiaries or with FRFI Subsidiaries
A FRFI that is part of a larger corporate group (another FRFI or company in Canada, or another company abroad) may be subject to or may adopt certain policies, practices or procedures of the parent that govern strategy, risk oversight and controls. In this situation, the subsidiary Board should be satisfied that these policies, practices, or procedures are appropriate for the FRFI’s business plan, strategy and risk appetite, and comply with specific Canadian regulatory requirements.
If the parent is another FRFI, the parent Board should exercise adequate oversight of the activities of the subsidiary FRFI to be satisfied that the parent Board can meet its enterprise-wide oversight responsibilities applicable to FRFIs under this guideline.
3. An effective Board should provide independent oversight of, and thoughtful guidance and constructive challenge to, Senior Management.
The hallmarks of an effective Board include demonstrated sound judgment, initiative, proactiveness, responsiveness and operational excellence. Board members should strive to facilitate open communication, collaboration and appropriate debate in the decision-making process.
The Board should regularly assess its practices, and those of the Board committees, and should pursue strategies to enhance its overall effectiveness.
The Board should, collectively, bring a balance of diversity, expertise, skills, experience, competencies and perspectives, taking into consideration the FRFI’s strategy, risk profile, culture and overall operations. The contributions of individual directors will reflect their particular expertise, skills, experience and competencies.
Relevant financial industry and risk management expertise are key competencies for the Board. There should be appropriate representation of these skills at both the Board and Board committee levels.
The Board should have a skills and competency evaluation process that is integrated with the overall Board succession or Board renewal plans, and that pays particular attention to the positions of the Chair of the Board and Chairs of the Board committees. Diversity should also be a factor in these plans.
The Board, collectively, should be independent from Senior Management of the FRFI. Achieving independence can involve various Board structures and processes. Regardless of the approach, in all situations, OSFI views the separation of the Chair and CEO as critical (see next section). It is important that the Board’s behaviour and decision-making processes are objective and effective, taking into account the particular circumstances of the FRFI.
The Board’s ability to act independently of Senior Management can be demonstrated through practices such as regularly scheduled Board and Board committee meetings that include sessions without Senior Management present.
The Board should have a director independence policy that considers the specific shareholder/ownership structure of the institution, as well as director tenure. The recruitment process for new directors and the development of a director profile (both responsibilities of the Board) should emphasize the independence of Board members from Senior Management.
Board and Board Committee Chairs
4. The role of the Board Chair should be separate from the CEO, as this is critical in maintaining the Board’s independence and its ability to execute its mandate effectively.
Effective Boards and Board committees require a Chair that is experienced, skillful and exhibits leadership that encourages open discussion and appropriate debate.
The Chair of the Board and the chairs of Board committees should have frequent dialogue with, and a strong level of influence among, other Board members and Senior Management, as well as access to all FRFI information and staff. Given the critical nature of the role, the Chair should also foster direct and on-going dialogue with regulators.
Board committee chairs should be independent, non-executive directors.
III. Risk Governance
5. The Board and Senior Management, consistent with their specific roles and responsibilities and through their behaviours, actions and words, promote a risk culture that stresses integrity and effective risk management throughout the FRFI.
Risk taking is a necessary part of a FRFI’s business. Accordingly, business strategies incorporate decisions regarding the risks the FRFI is willing to undertake and how it will manage and mitigate those risks.
Risk governance is a distinct and crucial element of the FRFI’s corporate governance. Risks may arise from direct exposures taken by the FRFI, subsidiaries, affiliates or counterparties, or indirectly through activities that create risks to the FRFI’s reputation. FRFIs should be in a position to identify the significant risks they face, assess their potential impact and have policies and controls in place to manage them effectively.
Risk Appetite Framework
6. The FRFI should have a Risk Appetite Framework that guides the risk-taking activities of the FRFI.
The FRFI should develop a Risk Appetite Framework that is enterprise-wide and tailored to its domestic and international business activities and operations. The Risk Appetite Framework, as approved by the Board, should be well-understood throughout the organization and embedded within the culture of the FRFI. All operational, financial and corporate policies, practices and procedures of the FRFI should be guided by the Risk Appetite Framework.
The Risk Appetite Framework should set basic goals, benchmarks, parameters and limits (e.g., level of losses) as to the amount of risk the FRFI is willing to accept, taking into account various financial, operational and macroeconomic factors. It should consider the material risks to the FRFI, as well as the institution’s reputation vis-à-vis policyholders, depositors, investors and customers.
The Risk Appetite Framework should be forward-looking and consistent with the FRFI’s business model, overall philosophy, short-term and long-term strategy and corresponding risk mitigation. It is intended to provide boundaries on the on-going operations of the FRFI with respect to asset class and liability choices, activities and participation in markets that are not consistent with the stated risk appetite of the institution. Refer to Annex B for further details.
The establishment of controls and a process to ensure their effectiveness are critical elements of the Risk Appetite Framework, as they help to ensure that the FRFI stays within the risk boundaries set by the Board.
Oversight of Risk
Risk management systems and practices will differ, depending on the scope and size of the FRFI and the nature of its risk exposures. To manage risks effectively, the Board and Senior Management must understand the risks attendant to the FRFI’s business model, including each business line and product, and how they relate to the FRFI’s strategy and Risk Appetite Framework.
Board Risk Committee
7. The Board should establish a Board Risk Committee to oversee risk management on an enterprise-wide basis.
Guided by the FRFI’s Risk Appetite Framework, the Risk Committee should have an understanding of the types of risks to which the FRFI may be exposed, and the techniques and systems used to identify, measure, monitor, report on and mitigate those risks.
The Risk Committee should have a clear mandate. All Committee members, including the Chair, should be non-executives of the FRFI. There should be reasonable representation of key competencies for the Risk Committee, notably relevant financial industry and risk management expertise.
As part of its duty to oversee risk management of the FRFI, the Risk Committee should seek assurances from the CRO (or equivalent) that the risk management function of the FRFI is independent from operational management, is adequately resourced, and has appropriate status and visibility throughout the organization.
The Risk Committee should receive timely and accurate reports on significant risks of the FRFI and exposures relative to the FRFI’s risk appetite (including approved risk limits). It should provide input to the approval of material changes to the FRFI’s strategy and corresponding risk appetite. As well, the Risk Committee should be satisfied with the manner in which material exceptions to risk policies and controls are identified, measured, monitored, and controlled, as well as how exceptions/breaches are addressed.
Chief Risk Officer
8. The FRFI should have a senior officer (CRO or equivalent) who is responsible for the oversight of all risks across the firm.
The CRO is the head of the FRFI’s risk management function. The CRO and the risk management function are responsible for identifying, measuring, monitoring and reporting on the risks of the FRFI on an enterprise-wide and disaggregated level, independently of the business lines or operational management.
The CRO should have sufficient stature and authority within the organization, and should be independent from operational management. The CRO should have unfettered access and a direct reporting line to the Board or the Risk Committee.
The CRO and risk management function should not be directly involved in revenue-generation or the management and financial performance of any business line or product of the FRFI. As well, the CRO’s compensation should not be linked to the performance (e.g., revenue generation) of specific business lines of the FRFI.
While the CRO and the risk management function should influence the FRFI’s risk-taking activities (e.g., to ensure that the FRFI’s strategy or business initiative is operating within the stated risk appetite of the FRFI), the on-going assessment of risk-taking activities by the CRO and risk management function should remain objective.
The CRO should provide regular reports to the Board, the Risk Committee and Senior Management in a manner and format that allows them to understand the risks being assumed by the FRFI. The CRO should provide an objective view to the Risk Committee or the Board, as appropriate, on whether the FRFI is operating within the Risk Appetite Framework. The CRO should meet with the Risk Committee or the Board on a regular basis, with and without the CEO or other members of Senior Management present.
The CRO and risk management function should have processes and controls in place to assess the accuracy of any risk information or analysis provided by business lines in order to provide objective reporting to the Board, the Risk Committee and Senior Management.
IV. The Role of the Audit Committee
Federal legislation requires that each FRFI establish an Audit Committee comprised of non-employee directors, a majority of whom are not “affiliated” with the institution. There should be reasonable representation of key competencies on the Audit Committee, notably relevant financial industry and risk management expertise.
The statutory duties of the Audit Committee, as described in federal legislation, include reviewing the annual statements of the FRFI, evaluating and approving internal control procedures for the institution, and meeting with the Chief Internal Auditor and/or the Appointed Actuary to discuss the effectiveness of the institution’s internal controls and the adequacy of practices for reporting and determining financial reserves.
The Audit Committee should review and approve the FRFI’s audit plans (internal and external). Audit plans should be risk-based and address all the relevant activities over a measurable cycle. The work of internal and external auditors should be co-ordinated. Where part or all of the internal audit function is outsourced, the Audit Committee should still be responsible for overseeing the performance of the FRFI’s internal audit function as a whole.
The Audit Committee, not Senior Management, should recommend to the shareholders the appointment, reappointment, removal and remuneration of the external auditor. It should also agree to the scope and terms of the audit engagement and approve the engagement letter.
The Audit Committee should discuss with Senior Management and the external auditor the overall results of the audit, the annual and quarterly financial statements and related documents, the audit report, the quality of the financial statements and any related concerns raised by the external auditor.
The Audit Committee should probe, question and seek assurances from the external auditor that the financial statements present fairly the financial position, the results of operations and the cash flows of the FRFI. Annually, the Audit Committee should report to the Board on the effectiveness of the external auditor.
V. Supervision of FRFIs
The Role of Corporate Governance in OSFI’s Supervisory Process
Effective corporate governance is an essential element in the safe and sound functioning of FRFIs. The Board and Senior Management are designated as key Oversight Functions in OSFI’s Supervisory Framework.
Effective oversight of the business and affairs of an institution by its Board and Senior Management is essential to the maintenance of an efficient and cost-effective supervisory system. It helps protect depositors and policyholders, and allows OSFI to use the work of the FRFI’s internal processes and functions, thereby reducing the amount of supervisory resources needed for OSFI to meet its mandate.
In addition, in situations where a FRFI is experiencing problems, or where significant corrective action is necessary, the important role of the Board is heightened and OSFI requires significant Board involvement in seeking solutions and overseeing the implementation of corrective actions.
OSFI’s Supervisory Assessment
OSFI supervises FRFIs to assess their financial condition and monitor compliance with the applicable federal legislation. Supervision is carried out within a framework that is risk-focused. OSFI has developed a comprehensive set of assessment criteria, key among which is the quality of oversight and control provided by the Board and Senior Management.
OSFI conducts supervisory work and monitors the performance of FRFIs to assess safety and soundness, the quality of control and governance processes, and regulatory compliance. The Board and Senior Management are ultimately accountable for the safety and soundness of the FRFI, as well as its compliance with federal legislation. As such, OSFI’s reports and findings can provide useful input to the Board’s own oversight of the FRFI. Open communication between the Board and regulators helps promote the mutual trust and confidence essential to the efficiency of OSFI’s principles-based approach to supervision.
The Board should understand the regulatory environment within which the FRFI and its subsidiaries operate. It should be informed of the results of supervisory work by OSFI and other regulators, and should follow up with Senior Management accordingly.
The Board should consider regulatory findings in its on-going evaluation of Senior Management and oversight function performance, recognizing that primary responsibility for identifying weaknesses rests with the Board and Senior Management.
OSFI will undertake a number of approaches, including discussions with the Board, Board committees, Senior Management and Oversight Functions, as well as the review of Board and Board committee material, in order to assess the effectiveness of the FRFI’s corporate governance processes. OSFI will seek evidence that processes exist, are operating effectively and that the Board is able to fulfil its roles and responsibilities. OSFI will look to gain insight into the discussions and deliberations at the Board and Committee level, including those with and without Senior Management. This may include understanding the Board’s behaviour and assessing the objectivity, degree of challenge and independence in the decision making process.
Where separate Oversight Functions do not exist, OSFI will look to other functions, processes or controls to assess the independent oversight provided.
Changes to the Board or Senior Management
OSFI recognizes that FRFIs make independent decisions regarding the nomination of Board members or appointment of Senior Management in the course of conducting their day-to-day business.
As part of OSFI’s on-going supervisory process, however, FRFIs should notify OSFI, as early as possible in the process, of any potential changes to the membership of the Board and Senior Management, and any circumstances that may adversely affect the suitability of Board members and Senior Management.
The process and criteria used by the FRFI in the selection process for Board and/or Senior Management members should be transparent to OSFI. Information regarding the expertise and character of candidates of the Board and Senior Management should be provided to OSFI.
Annex A – The Special Nature of Financial Institutions
A number of factors set financial institutions apart from other business firms, and have led them to be subject to generally higher levels of regulation, including:
- The effectiveness of the economy depends significantly on how well its financial services sector functions. Relative to non-financial businesses, the failure of a financial institution can have a greater impact on members of the public who may have placed a substantial portion of their life savings with the institution and who may be relying on that institution for day-to-day financial needs. There is also potential in some circumstances for system-wide impacts from failures or material impacts in selected markets, given the interconnectedness of the financial system. Safety and soundness concerns are, therefore, of particular importance for financial institutions.
- Financial institutions may have high ratios of debt-to-equity (leverage), making them more vulnerable to unexpected adverse events.
- Financial institutions can experience severe liquidity problems if their customers or counterparties lose confidence in their safety and soundness.
- Financial institutions may accept funds from the public and often deal in long-term financial commitments, which are predicated on a high degree of confidence in the long-term stability and soundness of the institutions making these commitments.
- The value of many financial institutions’ assets and liabilities can be volatile and may be difficult to price accurately. Similarly, financial institutions may issue and trade in complex financial instruments, which can be difficult to evaluate properly and can materially and rapidly affect the risk profile of an institution.
- Financial institutions can have large mismatches between the term of their assets and liabilities. This can result in material funding or investment risks.
These characteristics create unique challenges for the governance of financial institutions and underscore the importance of effective risk management systems and rigorous internal controls. They point to the need for knowledgeable, independent oversight exercised by or on behalf of the Board, along with the additional assurance of regulatory oversight, to provide assurance to markets on the reliability of reporting and disclosure. Also, as a consequence of being a regulated industry, the governance processes of financial institutions are subject to review and may be influenced by the views of OSFI and other regulatory bodies.
Finally, many financial institutions have complex organizational structures with a large number of entities (some of which may not be regulated) used to deliver different financial products and services. For these organizations, the relationship between the parent company and its subsidiaries merits special consideration and the effective governance of subsidiaries should be a high priority for the Board and Senior Management.
Annex B – Risk Appetite Framework
The Risk Appetite Framework should contain a risk appetite statement and risk limits, as well as an outline of the roles and responsibilities of those overseeing the implementation of the Risk Appetite Framework. The Risk Appetite Framework is an integral part of the FRFI’s overall enterprise-risk management framework.
Risk Appetite Statement
The risk appetite statement reflects the aggregate level and type of risk that the FRFI is willing to accept in order to achieve its business objectives. Key features of the risk appetite statement are:
- It should be linked to the FRFI’s short-term and long-term strategic, capital and financial plans, as well as compensation programs.
- It includes qualitative and quantitative measures that can be aggregated and disaggregated.
- Qualitative measures may include:
  - Significant risks the FRFI wants to take and why;
  - Significant risks the FRFI wants to avoid and why;
  - Attitude towards regulatory compliance; and
  - Underlying assumptions and risks.
- Quantitative measures may include:
  - Measures of loss or negative events (such as earnings, capital or liquidity, earnings per share at risk or volatility) that the FRFI is willing to accept.
- It should be forward-looking.
- It should consider normal and stressed scenarios.
- It should aim to be within the FRFI’s risk capacity (i.e., regulatory constraints).
Risk limits are the allocation of the FRFI’s risk appetite statement to:
- Specific risk categories (e.g., credit, market, insurance, liquidity, operational);
- The business unit or platform level (e.g., retail, capital markets);
- Lines of business or product level (e.g., concentration limits); and
- More granular levels, as appropriate.
Risk limits are often expressed in quantitative terms, and are specific, measurable, frequency-based and reportable.
Implementation of the Risk Appetite Framework
Once approved by the Board, the Risk Appetite Framework should be implemented by Senior Management throughout the organization as an integral part of the overall enterprise risk management framework of the FRFI. The Risk Appetite Framework should align with the organization’s strategy, its financial and capital plans, its business unit strategies and day-to-day operations, as well as its risk management policies (e.g., risk limits, risk selection/underwriting guidelines and criteria, etc.) and compensation programs.
Where the Risk Appetite Framework sets aggregate limits that will be shared among different units, the basis on which such limits will be shared should be clearly identified and communicated.
Effective control, monitoring and reporting systems and procedures should be developed to ensure on-going operational compliance with the Risk Appetite Framework, including the following:
- The CRO (or equivalent) should ensure that aggregate risk limits are consistent with the FRFI’s risk appetite statement.
- The CRO (or equivalent) should include in regular reports to the Board or Risk Committee, and Senior Management, an assessment against the risk appetite statement and risk limits.
- Internal Audit should routinely assess compliance with the Risk Appetite Framework on an enterprise-wide basis and in its review of units within the FRFI.
The Board and Senior Management should receive regular reports on the effectiveness of, and compliance with, the Risk Appetite Framework. These reports should include a comparison of actual results versus stated Risk Appetite Framework measures. Where breaches are identified, action plans should exist and be communicated to the Board. The Risk Appetite Framework should be an integral part of the Board’s discussions and decision-making processes.