Culture Risk Management

Document Properties

  • Type of Publication: Letter
  • Date: March 15, 2022
  • To: All Federally Regulated Financial Institutions and Federally Regulated Pension Plans

The Office of the Superintendent of Financial Institutions (OSFI) examines the culture practices of federally regulated financial institutions (FRFIs) and how the risks created, perpetuated, or magnified by a FRFI’s culture can affect their safety and soundness.

Building upon this work, OSFI plans to issue a principles-based, outcomes-focused culture risk management guideline for consultation in late 2022. This letter seeks comments on proposed outcomes of effective culture risk management that will form the basis of OSFI’s future guidance and supervisory expectations.

OSFI is also seeking comments on how culture risks can affect federally regulated pension plans (FRPPs) to inform its prudential approach. While this letter refers to FRFIs throughout, FRPPs often face similar risks and the themes raised in this letter may apply to FRPPs as well.

OSFI’s interest in culture risk management

Globally, financial regulators recognize that organizational culture can have a material impact on the health of financial institutions and the broader financial system (Footnote 1). Similarly, some financial institutions are starting to proactively disclose culture risk management information in their published annual reports.

Culture risks—or the widespread behaviours and mindsets that can threaten sound decision-making, prudent risk-taking, and effective risk management—can weaken an institution’s financial and operational resilience. When culture risks, such as complacency or groupthink, are not proactively identified, managed, and monitored, they can erode a FRFI’s ability to effectively manage its financial and non-financial risks and achieve its strategic business objectives. In turn, this can create the conditions that allow for incidents ranging from near misses to—in severe cases—the insolvency of a FRFI.

The evolving nature of OSFI’s work on culture risk management

OSFI is enhancing its assessment of culture risks beyond corporate governance effectiveness (Footnote 2) to form a more comprehensive view of the adequacy and effectiveness of FRFI culture risk management. This approach aligns with and supports OSFI's prudential mandate to contribute to public confidence in the Canadian financial system.

In recent years, OSFI has increased its culture risk supervisory activities, including conducting industry scans and incorporating culture risks in supervisory reviews. This work highlighted the need for OSFI to be transparent about its expectation that FRFIs proactively identify and manage culture risks.

Proposed outcomes of culture risk management guidance

As part of its future guidance, OSFI will expect FRFIs to establish and maintain a robust approach to manage and oversee culture risks. OSFI is proposing six prudential outcomes that FRFIs should achieve to support effective culture risk management. These outcomes will serve as the basis of this guidance and related supervisory expectations.

This diagram highlights six outcomes that contribute to sound decision-making, prudent risk-taking, and effective risk management of culture risks at a federally regulated financial institution (FRFI). The six outcomes include: leadership; compensation, people management & incentives; resilience; accountability and ownership; group dynamics and decision-making; and risk mindsets and behaviours. Central to ensuring the effectiveness of these outcomes and overall management of culture risks, FRFIs need a robust approach to identify, measure, assess, monitor, and report on culture risks.

Culture Risk Management & Oversight
There is a robust approach to identify, measure, assess, monitor, and report on culture risks.

  • Leadership: Leaders, at all levels, consistently promote and reinforce the desired culture through their words, actions and decisions.

  • Compensation, People Management & Incentives: The FRFI acquires, develops, retains, compensates, and incentivizes executives, material risk-takers and all other employees to promote and reinforce its desired culture, effective culture risk management, and achieve sound financial and non-financial outcomes.

  • Accountability & Ownership: Individuals have a clear understanding of their roles and responsibilities, have capacity and autonomy to fulfill them, take ownership of their decisions and actions, and are held accountable for them.

  • Risk Mindsets & Behaviours: Risk mindsets and behaviours within the FRFI align with and support the structures in place to ensure financial and non-financial risks are effectively managed.

  • Group Dynamics & Decision-Making: The work environment enables individuals to feel safe to speak up, openly communicate and work together to make sound decisions and achieve financial and non-financial outcomes.

  • Resilience: Individuals are vigilant towards known and unknown threats, notice and effectively respond to problems and opportunities, and continuously learn, improve, and adapt to changing conditions.

OSFI recognizes that each FRFI’s culture is unique and determined by the institution. These proposed outcomes are principles-based to acknowledge that how a FRFI manages its culture risks and achieves these outcomes will vary with its size, nature, scope, and complexity of operations. The annex articulates additional details on the proposed outcomes.

Discussion questions

OSFI is seeking comments on the following questions:

  1. What are your views on OSFI’s proposed culture risk management outcomes? Are there other outcomes OSFI should consider?
  2. Which of the outcomes outlined above is your organization currently overseeing as part of its culture risk management? How is your organization measuring and assessing culture risks in these areas?
  3. Is your organization proactively disclosing culture risk management information as part of its published annual reports? Why or why not? Do you foresee any challenges if OSFI were to expect FRFIs to enhance existing annual reporting requirements to include this information?
  4. Does a FRFI’s size, nature, complexity, risk profile or various sub-cultures (e.g., differences between geographies, business units or functions) give rise to specific culture risk management issues that OSFI should consider?
  5. How do culture risks influence the way FRPPs are managed and administered? What are the benefits of similar outcomes-focused guidance for FRPPs?

Stakeholders can submit comments to by May 31, 2022.


OSFI’s Culture Risk Management Outcomes
Culture Risk Management & Oversight
  • FRFI governance and oversight practices are in place to identify, measure, assess, monitor, and report on culture risks.
Leadership
  • Senior Management sets a consistent ‘tone from the top’ and reinforces it through their actions and decisions.
  • ‘Tone from the top’ is supported by middle management through their words, actions, and decisions.
  • All leaders observe the ‘echo from the bottom’, continually monitoring employee experiences and perceptions to assess and ensure alignment with the desired culture.
Compensation, Incentives & People Management
  • Remuneration and performance management practices for executives, material risk-takers and all other employees compensate and incentivize desired behaviours, while also dis-incentivizing undesirable behaviours.
  • Non-financial rewards and recognition reinforce desired behaviours.
  • Talent management strategies and practices align with the desired culture and ensure the FRFI has the necessary talent to achieve its strategy and purpose.
Accountability & Ownership
  • Roles and responsibilities are well defined and clearly understood.
  • Accountabilities are embraced and individuals take ownership for their behaviours and decisions.
  • There are clear and proportionate consequences for neglecting accountabilities or undesirable behaviours.
Risk Mindsets & Behaviours
  • The risk framework, including risk appetite and risk management, is embedded across the institution.
  • Risk information is promptly escalated through the appropriate channels, widely communicated, and proactively monitored.
  • Oversight functions’ independence and challenge role are valued and respected across the institution.
Group Dynamics & Decision-Making
  • Individuals feel safe to speak up, raise concerns, report issues, and provide feedback without fear of reprisal.
  • Within and across groups, individuals effectively communicate and collaborate with one another.
  • Decision-making is informed by the consideration of diverse viewpoints as well as constructive debate and challenge.
Resilience
  • Individuals proactively consider current and potential future circumstances that could result in threats or opportunities for the FRFI and take the appropriate action to address them.
  • How the FRFI looks to continually improve through learning from failures, near misses, and successes.
  • Agility, adaptability, and innovation are encouraged and practiced across the institution.


Footnote 1

The Financial Stability Board issued supervisory guidance in 2014 and the International Association of Insurance Supervisors issued an exploratory paper in 2021. Regulators in several jurisdictions have also issued information papers on the topic and have incorporated culture into their supervisory activities (e.g., De Nederlandsche Bank, Australian Prudential Regulation Authority, and Monetary Authority of Singapore).


Footnote 2

OSFI’s current expectations of FRFI culture are set out in its Corporate Governance Guideline. In particular, the Board of Directors (Board) plays an influential role in the FRFI’s culture through its roles and responsibilities. Further, OSFI expects the Board and Senior Management to promote a risk culture that stresses integrity and effective risk management throughout the FRFI.
