Risk Awareness: Finding the Risks Before They Find You - Remarks by Assistant Superintendent Jamey Hubbs to the Northwind’s 2016 Financial Services Invitational Forum, Cambridge, Ontario, May 5, 2016


OSFI is looking for the institutions we supervise to have strong and appropriate risk cultures, a stress testing regime that is an integrated part of that risk culture rather than a mechanical compliance exercise and a disclosure regime that will exert market discipline and hence reinforce internal risk culture with external vigilance.


It has been customary for the Office of the Superintendent of Financial Institutions (OSFI) to speak at this gathering and I am pleased to have the opportunity to continue that tradition.

There are three topics I would like to touch on tonight. First, risk culture, behaviour and conduct, or perhaps more accurately, misconduct. I will then turn to stress testing and provide OSFI's take on this practice and its function as a key supervisory tool. I will then conclude by emphasizing the importance of public disclosures and speak to future developments in this area. These are important areas of focus for OSFI, so I want to provide an update on our current direction in these areas.

The link between these three topics is not obvious, but the common thread here is risk culture. OSFI is looking for the institutions we supervise to have strong and appropriate risk cultures, a stress testing regime that is an integrated part of that risk culture rather than a mechanical compliance exercise and a disclosure regime that will exert market discipline and hence reinforce internal risk culture with external vigilance.

Risk culture, behaviour and conduct

It is widely accepted that prudential regulators and supervisors must be concerned with the risk culture, behaviour and conduct of financial institutions. Over $235 billionFootnote 1 in fines related to misconduct have been levied since the financial crisis, which points to the prudential risk that this area represents. The fact that over half of the world's global systemically important banks (or G-SIBs) — among them the top ten G-SIBs — have had such misconduct-related fines levied against them, demonstrates that misconduct is not limited to just a fewbad apples.

For me, the key take away from this is that many of these fines are related to activities that took place after the financial crisis. There was a lot of post-crisis regulatory work done, both at the global and domestic level, in setting standards for capital, liquidity and leverage. But even with the heightened awareness and attention on financial institutions, financial institutions still behaved in a manner that exposes them to prudential and reputational risk; exposure that can damage an institution's reputation and relationships with its customers, ultimately affecting its bottom line.

Before I get into the areas of risk culture that are of particular interest to OSFI, let me start by saying much of our supervisory work is tied to the Risk Appetite Framework at each institution. In keeping with OSFI's principles-based approach, each institution has flexibility to determine its own risk appetite, as well as the associated limits, and they can put in place processes for monitoring and managing these, as well as the appropriate governance. We look for evidence that the risk appetite is impacting decisions and behaviours within the organization. However, we also recognize that to have a comprehensive understanding of risk culture and behaviours within the institutions we supervise, periodic reviews are not sufficient. To have an accurate understanding will require more frequent work, and this is where OSFI's lead supervisor teams come into play.

Lead supervisors have the most frequent interactions with the institutions we supervise; therefore they are uniquely and well positioned to determine if the institution's risk appetite impacts daily decisions and behaviours. Put simply, our lead supervisors are well placed to see if the "echo from the bottom" matches the "tone from the top".

So where do OSFI's risk culture interests lie? One of the key areas OSFI reviews to determine if incentives are aligned with the institution's risk appetite is the area of compensation. To be clear, our focus is not on the level of compensation, but rather, is the compensation program in place designed to incent bad behaviours? And are those behaviours aligned with the risk appetite framework of the institution? Further, we are looking for evidence that the compensation program is operating as designed. If there are behaviours outside or inconsistent with the risk appetite, do they impact compensation?

More broadly, OSFI is reviewing performance management. We are looking to see if financial institutions consider the behaviours of individuals or departments against risk appetite when setting compensation levels and promotional opportunities.

Another area we look at is acquisitions. Here, our focus has been on the role of risk culture in the acquisition decision process. Is the acquiring institution including an examination of the risk culture of the potential acquisition as part of the due diligence process? If so, how is that done and what weight does this work carry in the final analysis? While we appreciate that no due diligence process is fool proof, by not examining the risk culture and behaviour of any potential acquisition the chances of a negative shock are increased.

Retail risk governance is another area where we have done some work. Given the importance of the retail segment within Canadian banks' operations, we want to understand how risk levels are set and governed.

A strong risk appetite framework, balanced with appropriate compensation practices can go a long way to mitigating misconduct risk. As many of you are aware, OSFI established a corporate governance division in 2010. That division has led much of our work in this field and will continue to do so. OSFI wants to enhance our ability to assess how risk culture and other drivers of behaviour affect risk management across a range of institutions. This is an area that will receive continued focus over the next few years.

Stress testing

Let me now turn to stress testing, and the importance of integrating it into the risk management systems of an institution.

From historical experience, we know there will always be some form of emerging risk that financial institutions will face. Institutions with strong risk cultures value the recognition of emerging risks and risk-taking activities and see to it that these risks are assessed, escalated, and addressed in a timely manner. Stress tests are a means for an institution to measure and understand the risks they are facing. A good stress testing regime is a system that is integrated in the institution's risk culture rather than treated as a mechanical compliance exercise.

As a supervisory tool, stress testing has evolved significantly at the international level since the financial crisis. As an example, one can look to the Federal Reserve System in the U.S. and their development of the Comprehensive Capital Analysis and Review or CCAR to see the magnitude of change in this practice.

At OSFI, stress testing is a significant part of our supervisory regime, and in partnership with the Bank of Canada, we too have advanced stress testing practices. For example, in the 2015 Macro Stress TestFootnote 2, we included liquidity for the first time and it is our plan to continue to assess and improve our stress testing practises on an ongoing basis.

I do want to put into context how OSFI views stress testing as it differs somewhat from other jurisdictions. At OSFI, we view stress testing as the foundation for a focused conversation with institutions, not a pass/fail exercise. Furthermore, we view it as an input for our own internal discussions and decisions. Allow me to expand.

Stress testing can be useful on many fronts. We are a risk-based supervisor, and stress testing can provide insight into where risk resides, both at a system and institution-specific level. This insight is useful when setting capital, liquidity and leverage levels as well as prioritizing our supervisory efforts.

In addition, through stress testing OSFI gains a deeper understanding of how institutions identify risk, their ability to manage and aggregate risk data, their modelling capabilities, governance practices and how insights gained from stress testing are used by senior management or the board in the decision-making process.

At OSFI, we appreciate that stress testing focuses on tail risks and extreme events. Behaviours in these extreme scenarios can be hard to model and, in the case of Canada, recent history does not provide much guidance. Therefore we must take caution to not place too much reliance on stress test results. Or, as said by the British statistician George Box, "All models are wrong but some are useful."

OSFI's view of stress testing was expressed well by former Superintendent Julie Dickson when she presented at this forum in 2012.

I quote:

"The key benefit, then, is that the results provide a platform for supervisors to have critical discussions with banks, informed by stress test data. In other words, it is about the process, and the discussions we have with the banks that matter the most – the numbers that come out of the exercise are of secondary importance given all the assumptions that go into the exercise and the unavoidable uncertainty that characterizes analysis of such tail-risk events.

Stress tests are designed to improve banks' own internal processes on planning and risk management. Firms and regulators should spend as much time on why the results might be wrong – resulting from things that might not play out as they expect – as they do in taking comfort from the results. In short, the limitations of stress testing must be understood or a false sense of invincibility can arise."

End quote.

So what can you expect from OSFI in the area of stress testing going forward?

We plan to continue our practice of having a macro stress test every other year, and will work with industry to advance stress testing practices in the off years. As an example of advancing practices, we plan to conduct further analysis in areas such as the reasonableness of earnings projections under stress and will further review banks' stress testing methodologies and approaches. We welcome the creation of a Canadian Bankers Association (CBA) stress testing working group and look forward to engaging with them.

We will also continue the policy of not publishing stress testing results. Other jurisdictions do release stress testing results, however OSFI believes that stress testing is best used as a supervisory tool and the results remain private since stress testing should be embedded in the practices and culture of the institutions we supervise.

The importance of public disclosures

Let me now turn to the topic of public disclosures.

In a world of constant change and emerging risks, clear and meaningful disclosures provide an opportunity for institutions to describe to stakeholders what is changing, what are the risks, and how these risks are being managed.

In times of uncertainty, high quality disclosures can serve to ease the fears of the public and help to promote the safety and soundness of the Canadian financial system.

Disclosures can serve to highlight effective risk management. The purpose of risk disclosures is to allow stakeholders such as depositors, creditors and even the public at large to better understand the risk profile of an organization. When a risk governance structure, risk appetite statement and risk culture are properly designed and executed, the reporting of this information becomes a powerful tool to confirm to the public that the institution is accountable and transparent on all aspects of its risk-taking, and the activities it undertakes to mitigate such risks.

Market discipline is brought about through the disclosure of risks and risk activities. The theory behind market discipline is that public disclosures impose strong incentives on institutions to conduct their business in a safe, sound and efficient manner. This includes an incentive to maintain a strong capital base as a cushion against potential future losses arising from risk exposuresFootnote 3. Timely disclosures allow the public to understand and react to these results, especially if risk exposures begin to increase. In turn, market feedback will require management to explain its actions and think about whether further action is necessary to retain public confidence.

The public disclosure of risk culture, risk appetite and risk activities acts as a mechanism to hold an institution accountable for its actions. Good behaviour is rewarded, while bad behaviour is questioned.

Risk information that is publicly available

Today, public disclosures of risk governance, risk culture and risk appetite are required by the Financial Stability Board's Enhanced Disclosure Task Force (EDTF) recommendations. The Basel Committee on Banking Supervision has also incorporated similar risk management information into its Pillar 3 disclosure requirements.

Pillar 3 recognizes that market discipline has the potential to reinforce minimum capital standards (Pillar 1) and the supervisory review process (Pillar 2), and so promote safety and soundness in banks and financial systems.

Since 2008, OSFI has required deposit-taking institutions to apply Pillar 3 disclosures. These disclosures cover a wide range of capital and risk measures, such as the composition of capital, leverage ratio, liquidity coverage ratio, credit risk, market risk and operational risk, to name a few.

Last year, the Basel Committee on Banking Supervision (BCBS) completed the first phase of its review of Pillar 3 disclosure requirements and issued revised disclosure requirements for internationally active banks in support of its capital standards.

In January, OSFI issued a draft guideline for public consultation on the domestic implementation of these revised Pillar 3 disclosure requirements. We are currently taking into careful consideration the comments we received and expect to issue a final guideline this summer.

Disclosures on the horizon

Looking ahead, you can expect to see the BCBS introduce additional disclosures under its second phase of its Pillar 3 review to reflect frameworks under development, such as operational risk, Total Loss Absorbency Capacity (TLAC) and the revised market risk framework issued earlier this year.

Also coming down the road is the adoption of International Financial Reporting Standards, IFRS 9 more specifically, the new accounting standard for financial instruments. Financial institutions will need to consider how to provide meaningful information to their stakeholders on the transitional and ongoing impact arising from this new accounting standard. The Financial Stability Board's Enhanced Disclosure Task Force has published recommendations on financial disclosures for IFRS 9, with an emphasis on the expected credit loss aspect.


This has been a bit of a wide-ranging discussion, so I want to reiterate how these areas are related and what it is that OSFI is looking for from the institutions we supervise.

OSFI wants to see:

  • strong and appropriate risk cultures
  • stress testing regimes that are an integrated part of an institution's risk culture rather than a mechanical compliance exercise, and
  • disclosure regimes that will exert market discipline and reinforce internal risk culture with external vigilance

We believe that principles-based supervision is most successful when based on open and frank conversation and I look forward to discussing these topics with you and your organization in the future.

Thank you for your time and attention. I am happy to answer your questions.


Footnote 1

Source: http://graphics.thomsonreuters.com/15/bankfines/index.html

Return to footnote 1

Footnote 2

OSFI collaborates with the Bank of Canada to conduct an annual Macro Stress test. This stress test helps inform the Bank of Canada Financial System Review which is released two times each year.

Return to footnote 2

Footnote 3

BCBS Working Paper on Pillar 3 – Market Discipline, http://www.bis.org/publ/bcbs_wp7.pdf

Return to footnote 3