As a principles-based regulator, we endeavour to set high-level principles and allow flexibility in how financial institutions meet those expectations. This holds the promise of maximizing the effectiveness of prudential regulation (which is one of our goals), while minimizing the costs of complying with those expectations (which is good for financial institutions, and arguably for the economy as a whole).
Away from the Lamppost: Culture, Conduct and the Effectiveness of Prudential Regulation
It is nearly seven years since the failure of Lehman Brothers and its aftermath opened eyes around the world to weaknesses in the regulation and supervision of financial institutions. This led to a wave of global regulatory and supervisory initiatives.
In Canada, this wave is cresting.
For us at OSFI, this is the time to increase our focus on the effectiveness of the measures we have taken. To do this, we will be obliged to look not only at the direct evidence that financial institutions are meeting our expectations about risk management and oversight, but also at the indirect and unwritten indicators of how risk outcomes are really determined. This will take us into the important, but for OSFI largely uncharted, area of culture.
The role of culture in effective risk management
In our approach to prudential regulation, we like to emphasize that it is the boards and senior management of financial institutions, and only they, who are responsible for taking risks and managing those risks.
That said, one of our most important roles is to restrain risk-taking by financial institutions that would be excessive from the public’s point of view.
This is designed to prevent disruptions in the provision of financial services and to protect individuals and businesses who have entrusted their funds to financial institutions.
Given the nature of financial services, we can only accomplish this goal by being proactive, by acting well before a situation becomes dire. We cannot rely much, if at all, on backward-looking indicators of risk management. A book of business that is performing well in a benign economic environment can quickly start generating large losses when circumstances change. At that point, there is usually little that can be done to staunch the bleeding.
To that end, we have instituted new or reinforced guidance on risk management in the years following the financial crisis, as have many other countries. This includes a new requirement for boards of directors of financial institutions to establish a risk appetite statement and risk limits, and to set out the roles and responsibilities of management in implementing these.
We also expect financial institutions to design their compensation schemes to encourage responsible risk management and avoid rewarding excessive risk taking. And we expect financial institutions to support their risk limits and risk-based compensation schemes with up-to-date and accurate data about their own risk positions.
Having set those expectations, we start by looking for direct evidence that financial institutions are meeting them. We examine their risk limits. We read the fine print in their bonus schemes. And we read the risk reports that their management information systems generate.
This is valuable information, but it is only part of the picture. In any organization, written rules and procedures exist alongside unwritten rules, norms and expectations. These unwritten rules, which we can call an organization’s “culture”, for want of a better word, can reinforce the written rules. Or they can undermine, or at times even supplant, the written rules.
Boards and management have a strong interest in the very broad range of cultural issues that exist in their organization. They will want to understand and influence the customer service culture, the learning culture, and so on.
At OSFI, our interest in culture is more narrow. It focuses specifically on the institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management and how these reinforce, or undermine, responsible risk management.
What we are looking for is a culture that consistently supports risk awareness, and prudent behaviours and judgments about risk-taking. A culture that reinforces the risk governance framework. A culture that values the recognition of emerging risks and risk-taking activities that are beyond a financial institution’s risk appetite and sees that these are assessed, escalated and addressed in a timely manner.
Even with this relatively narrow focus, culture can be an elusive issue. Culture, by definition, cannot be observed directly. Moreover, the unwritten rules, norms and expectations can vary significantly across an organization of any size, so there can be many subcultures in any given financial institution.
As always, our first stop is to ask boards and management for their own assessment of the interaction between the institution’s culture and its risk management. Of course, we do not stop there, particularly when there is any other evidence that sound risk management does not have adequate traction at the bank.
Some of the indicators of a culture that supports responsible risk management include:
- the “tone from the top” about risk,
- the independence and stature of the risk and internal audit functions,
- the nature of communication between senior management and the board on risk issues, and
- how promotions are determined and the messages those promotions send about risk management throughout the organization.
While these issues are not entirely new ground at OSFI, we are very aware of just how challenging it is to observe what is only implicit. By keeping our focus on assessing the effectiveness of risk management, and by keeping our expectations principles-based, we will avoid turning culture into a compliance exercise and avoid placing ourselves as the arbiters of culture.
Effective boards and their culture
Let’s turn to another area where cultural issues can be very important: boards of directors and their roles.
Expectations for the boards of directors of Canadian financial institutions have been rising for many years. This is part of a much larger trend that extends well beyond financial services, well beyond risk management, and well beyond Canada.
It was not that long ago that a typical major bank in Canada had a board of well over thirty members, many of them corporate clients of the bank, few of them with knowledge of the inner workings of large financial institutions or the broader financial services industry. This approach to board membership was already seen as outmoded by the time that OSFI issued its first Corporate Governance Guideline in 2003.
We issued a revised Corporate Governance Guideline in 2013. This one heightened the focus on the board and its effectiveness. It codified the expectation that the board would approve the overall strategy and risk appetite, and would exercise oversight of senior management and internal controls.
OSFI has taken a principles-based approach to corporate governance guidance, leaving boards with the flexibility they need to organize their work as they see fit. We recognize that boards have responsibilities that go well beyond those set out in the corporate governance guideline. We also recognize that financial institutions vary in size, complexity, and the issues that they face, and that board members will vary in their approaches to oversight.
The question of “culture” is as important at the board level as it is within the institution itself. Every question that a board member poses to senior management both reflects and shapes the culture of that board. Moreover, those questions will transmit to senior management how the board sees its oversight responsibilities and how it wants to exercise them.
Let’s take as our example the information flow between senior management and their boards. Some board members, perhaps many board members, think that the material they receive for board and committee meetings is too voluminous, too detailed, and arrives too late.
There may, in fact, be a written policy somewhere in the institution that board materials should be concise, written at a high level, and sent well ahead of the meeting. But if the board does not assert itself with management about the volume and timeliness of board material then excessively detailed and late-arriving board material will become part of the culture. A culture where it is accepted that the board appreciates voluminous material, or that the board is inclined to let management manage them.
At times OSFI is seen as part of the problem in this regard, so let me be part of the solution. Yes, our expectations for boards have risen. Yes, those expectations are demanding. No, we have no explicit or implicit requirements about the volume or detail of the material that should go to boards. What we do expect is effective oversight. When boards believe that they are not receiving the information they need to ensure effective oversight, they need to task management to do things differently. Boards should not accept “regulatory requirements” as a reason for receiving inadequate board material.
Culture, Conduct and Prudential Regulation
To this point, I have been speaking about how the culture of a financial institution can support or impede sound risk management. In the Twitterverse, the discussion of culture in financial institutions is dominated by concerns about cultures that tolerate misconduct.
As you know, OSFI is a prudential regulator. Our focus is squarely on safety and soundness. Conduct -- that is, the way an institution interfaces with its clients, customers and counterparties -- is regulated by other bodies. So we could conceivably leave conduct, and misconduct, issues aside. But like so many things in prudential regulation, it’s not that simple.
Rather, there are a number of ways that misconduct can become a prudential issue.
The first is through direct financial losses. Major misconduct can lead to significant fines, penalties, legal settlements and restitution payments. One study has found that post-crisis misconduct costs and provisions at 15 large international banks (none of them Canadian) totalled the equivalent of over 300 billion Canadian dollars, and this was only up until 2013.
Repeated major misconduct can lead to financial losses indirectly as well, by impairing an institution’s reputation and so damaging its relationships with customers and clients.
For these reasons, we have come to see conduct as a prudential issue. More than a decade ago we issued guidance on what we then called “legislative compliance management.” This had its origin in our statutory responsibility to see that financial institutions were conforming with the provisions of the Bank Act, the Insurance Companies Act, and so on.
In 2014, we revised the guideline and reissued it under the title: Regulatory Compliance Management. In that guideline we note that financial institutions are exposed to prudential risks arising from potential non-conformance with the laws, rules, regulations and prescribed practices in every jurisdiction in which they operate.
And we set out our expectation that an effective and enterprise-wide regulatory compliance management framework should be included as part of a financial institution’s overall risk management program.
I want to raise some more subtle, but nonetheless important, ways in which repeated major misconduct can raise prudential issues.
One links back to our earlier discussion of the impact of culture on responsible risk management. Significant misconduct anywhere in a financial institution is almost certainly evidence of an important gap between the institution’s written rules or stated policies, and the way things really work. As I put it earlier, it is evidence of a culture that undermines, or even supplants, the written rules.
So if we saw repeated major misconduct in a particular institution, we would have to ask ourselves how many areas of that institution suffer from leadership that is unable, or unwilling, to create a culture that supports its stated objectives. And that would raise questions about the effectiveness of risk management throughout the institution.
For principles-based regulators like OSFI, there is yet another way in which conduct can become a prudential issue.
As a principles-based regulator, we endeavor to set high-level principles and allow flexibility in how financial institutions meet those expectations. This holds the promise of maximizing the effectiveness of prudential regulation (which is one of our goals), while minimizing the costs of complying with those expectations (which is good for financial institutions, and arguably for the economy as a whole).
In my view, we are fortunate that we have, in Canada, the preconditions that allow for effective principles-based prudential regulation. One of those preconditions is clear, honest, open and reliable two-way communication between us and the individual financial institutions. For principles-based prudential regulation to work well, we need to be able to rely on the information that we receive from institutions.
We do a lot of checking, to be sure. We are guided by the old Russian proverb, famously translated by Ronald Reagan as: “Trust, but verify.” Just as important as the verification is the trust. If we saw repeated major misconduct in the institutions that we supervise, we would have to ask ourselves if our “trust but verify” approach was really reliable.
We would be drawn toward, and perhaps ultimately obliged to implement, a rules-based approach characterized by detailed and inflexible requirements and independent verification of every item on the checklist.
And that would be a real loss for us, for the financial services industry, and, most importantly, for the public interest.
Fortunately, I see no reason to believe that there are such significant misconduct issues in Canadian financial services at present.
We keep close track of episodes of misconduct in the banks and insurers that we regulate, and they are typically proactive in bringing any issues to our attention.
Of course, the record is not spotless, much as we might like it to be.
But I am happy to report that we have seen nothing in recent years that even approaches a significant prudential issue.
Many speeches start with a joke: this one ends with one.
A man is walking down a dark alley where he comes across a second man. The second man is on his hands and knees, crawling around underneath the only lamppost in the alley. “Can I help you?” says the first man. “Please,” says the second man, “I lost my car keys.” The first man also gets down on his hands and knees and together the two men crawl around under the lamppost for several minutes, looking for the keys. Finally, the first man gives up and says to the second: “I don’t see your keys. Are you sure you dropped them here?” “Not at all,” says the second man, “I dropped them at the other end of the alley.” “So why are we looking here!?!” asks the first man. The second man replies, “Because the light is so much better here!”
Supervisors are used to looking where the light is shining: at organizational charts, at risk limits, at quantitative models, and so on. And we find a lot of interesting things when we do that. But to be effective, we also have to look at things that won’t be found under the lamppost, including how culture reinforces or impedes responsible risk management.