Culture and Behaviour Risk Guideline

A. Overview

Culture can influence sound decision-making, prudent risk-taking and effective risk management, which can materially support or weaken the resilience of Federally Regulated Financial Institutions (FRFIs).

Given the contributions culture can have on the safety and soundness of financial institutions and confidence in the broader financial system, the Office of the Superintendent of Financial Institutions (OSFI) expects FRFIs to:

1. Define a desired culture and continuously develop and improve the culture to support their purpose, strategy, effective management of risks, and resilience; and,
2. Continuously evaluate and respond to behaviour risks that can affect the FRFI’s overall safety and soundness.

This guideline sets principles-based expectations for FRFIs to oversee their culture and assess the impact of behavioural patterns to effectively manage the associated risks.

A1. Definitions

‘Culture’ refers to the commonly held values, mindsets, beliefs and assumptions that guide both what is important and how people should behave in an organization. ‘Risk culture’ refers to a subset of culture that specifically refers to the commonly held values, attitudes and beliefs about risks and risk-taking within FRFIs. This guideline focusses on FRFI culture more broadly, which encompasses risk culture but is not limited to that scope.

‘Behavioural patterns’ are also known as ‘behavioural norms’ and refers to behaviours that are common or typical across a group of people.

‘Behaviour risks’ refers to behavioural patterns that are misaligned to the expected behaviours and the desired culture of the FRFI and/or increase financial and non-financial risks.

A2. Purpose and scope

This Guideline establishes OSFI’s expectations for FRFIs management of culture and behaviour risks to support FRFIs’ risk governance and resilience.

FRFIs should read this Guideline in conjunction with other OSFI guidance; in particular:

• OSFI Corporate Governance Guideline;
• OSFI Guideline E-21 (Operational Risk Management); and,
• OSFI Guideline E-13 (Regulatory Compliance Management).

A3. Outcomes and guideline structure

This guideline presents expected outcomes and principles for FRFIs in their sound management of culture and behaviour risks. This guideline has three sections, one for each outcome and its related principles.

Culture and behaviour risk outcomes:

1.0 Governance structures and oversight

1.1 Governance

Senior Management is responsible for the design, implementation and monitoring of FRFI culture.

Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations of FRFI Boards of Directors regarding business strategy, risk appetite and operational, business, risk and crisis management policies.

FRFIs should establish appropriate governance structures for overseeing culture and expected behaviours. Governance structures should include clear responsibilities for key roles and functions across all lines of defence in the management of culture and behaviour risks, supported by adequate human and financial resources.

Governance structures should be appropriate and proportional to the size, nature, scope, complexity of operations, strategy, and risk profile of the FRFI. This may include frameworks related to remuneration, ethics and conflict management, performance, talent management, risk and resilience, escalation and whistleblowing among others. Related governance structures, policies and processes should:

• Support the design and development of FRFI culture,
• Apply consistently across the FRFI; and,
• Remain current through regular review and updates, as appropriate.

1.2 Culture design and development

OSFI expects FRFIs to define the desired culture needed to achieve its strategy and to manage risks effectively. FRFIs should develop and implement a plan to embed the desired culture across the institution. Definition and development of the desired culture should include:

• Clear articulation of the desired culture, including expected behaviours and values;
• Alignment to its purpose, vision, strategy and enterprise risk management approach;
• Consideration of key talent and people management strategies;
• Consideration of policies, processes, practices and systems needed to support the desired culture;
• Implementation of frameworks, mandates and objectives that reinforce accountabilities; and,
• Proactive management of culture and behaviour risks through monitoring, assessment and reporting to support ongoing oversight and continuous improvement.

2.0 Shaping culture and behaviour

Many factors shape culture and behaviour, but at a minimum, OSFI expects FRFIs to use leadership, talent and performance management practices, and compensation and incentive plans to promote and/or reinforce their desired culture and expected behaviours.

2.1 Leadership

Leaders at all levels play an important role in shaping FRFI culture. Leaders actively shape the culture by what they say and do, and do not say and do. This includes:

• Senior leaders (including senior management and heads of oversight functions) setting a consistent ‘tone from the top’ that is aligned with the desired culture and expected behaviours of the FRFI;
• Leaders at all levels, including all people managers, modelling their own behaviours and decisions in accordance with the desired culture and expected behaviours of the FRFI; and,
• Leaders at all levels consistently holding people accountable to the desired culture and expected behaviours of the FRFI.

2.2 Talent and performance management

2.2.1 Culture and behaviour are considered in talent management

FRFI talent management strategies, processes and practices should consider the desired culture and expected behaviours of the FRFI. Current and future talent needs should be identified and addressed to achieve the FRFI’s strategic objectives and desired culture. In this context, talent management includes recruitment, hiring, onboarding, learning and development, retention and succession.

2.2.2 Expected behaviours are considered in performance management

FRFIs’ performance management strategies, processes and practices should consider the desired culture and expected behaviours of the FRFI. There should be clear, transparent, proportionate and consistently applied consequences for performance including behaviour. In this context, performance management includes goal setting, performance evaluation, promotion, discipline and termination.

2.3 Compensation, rewards and incentives

Behaviours are influenced by the design and application of compensation frameworks, reward programs and incentive plans, including the way in which compensation and incentives are distributed or adjusted.

2.3.1 Incentives and disincentives

FRFIs should design and implement compensation frameworks and incentive plans to encourage expected behaviours and discourage undesired behaviours at all levels, including Senior Management, material risk takers and staff.

Compensation frameworks, reward programs, and incentive plans may include, for example, financial and non-financial awards, performance score cards, informal and formal recognition among others.

2.3.2 Compensation and incentive practices and decisions

FRFIs should ensure that compensation, rewards and incentive practices and decisions, including adjustment decisions:

• Demonstrate the values, expected behaviours and desired culture of the FRFI;
• Promote sound decision making, prudent risk taking and effective risk management; and,
• Align with and support performance and talent management decisions and actions, including any disciplinary measures.

3.0 Managing behaviour risks

OSFI expects FRFIs to implement mechanisms and techniques to identify, assess and manage risks arising from behavioural patterns that do not align to the desired culture and expected behaviours. Examples of behaviour risks may include complacency, excessive risk taking, poor communication, or a lack of speaking up or raising concerns, among others.

3.1 Identify behavioural patterns

Identifying patterns of behaviours is an important way to observe how closely the actual culture of a FRFI is aligned to its desired culture. Some behavioural patterns will support and reinforce the desired culture, while other behavioural patterns may not.

FRFIs should use a range of qualitative and quantitative methods and techniques to identify behavioural patterns that commonly exist across the institution. Methods and techniques may include a combination of informal conversations with employees, surveys, interviews, focus groups, employee related data (for example, turnover and retention rates) and performance indicators, among many others.

Where behavioural patterns are found to reflect the expected behaviours and support the desired culture of the FRFI, these patterns should be encouraged and reinforced.

3.2 Assess for behaviour risks

Where behavioural patterns do not reflect the expected behaviours and support the desired culture of the FRFI, these patterns should be assessed to understand:

• Root causes;
• Potential impacts;
• Unintended consequences; and,
• Whether the behavioural patterns are widespread.

The results of the assessment of behavioural patterns should inform any actions taken to effectively manage behaviour risks. Behaviour risks are behavioural patterns that are misaligned to the expected behaviours and the desired culture of the FRFI or increase financial and non-financial risks.

FRFIs should employ a risk-based approach when assessing behaviour risks. Particular attention should, for example, be given to widespread behaviour risks and those that may pose a substantial risk to a specific area of the FRFI or impact their resilience. Reporting on behavioural risks should be consistent with reporting on other risks within the FRFI.

3.3 Respond to behaviour risks

FRFIs should determine what behavioural patterns and associated behaviour risks require a response. Responses could include ongoing monitoring of existing behavioural patterns, actions to modify existing behavioural patterns that pose a risk to the FRFI or reinforcing existing behavioural patterns that support the desired culture.

Decisions to monitor, modify or reinforce existing behavioural patterns should be supported by a rationale. FRFI decisions and actions to modify or reinforce behavioural patterns should also be appropriately tracked and evaluated.