Office of the Superintendent of Financial Institutions
This guideline communicates OSFI’s expectations with respect to corporate governance of federally regulated financial institutions (FRFIs). It applies to all FRFIs other than the branch operations of foreign banks and foreign insurance companies. [Footnote 1]
OSFI’s corporate governance expectations are principles-based and recognize that a FRFI’s corporate governance practices may depend on its size; ownership structure; nature, scope and complexity of operations; strategy; and risk profile.
This guideline complements:
Corporate governance is a set of relationships between a company’s management, its Board of Directors (Board), its shareholders, and other stakeholders. It also provides the structure through which the objectives of the company are set, and through which the means of attaining those objectives and monitoring performance are determined.
The quality of FRFI corporate governance practices is an important factor in maintaining the confidence of depositors and policyholders, as well as overall market confidence. This guideline, therefore, draws attention to specific areas of corporate governance that are especially important for financial institutions (e.g., risk governance), owing to the unique nature and circumstances of financial institutions and risks assumed relative to other corporations. [Footnote 3]
The Board is responsible for the FRFI’s business plan, strategy, and risk appetite and culture. The Board oversees the FRFI’s Senior Management and internal controls.
In addition to the roles and responsibilities of the Board outlined in federal legislation, the Board should discharge, at a minimum, the following essential duties in relation to the FRFI:
1. Approve and oversee:
Risk Management and Oversight
Board, Senior Management and Oversight Functions
The duties above are the primary responsibilities of the Board, and should be the main focus of the Board’s attention and activities. The Board is not responsible for the ongoing and detailed operationalization of its decisions; this is the responsibility of Senior Management.
2. Provide challenge, advice and guidance to the Senior Management of the FRFI, as appropriate, on:
Operational and Business Policies
Business Performance and Effectiveness of Risk Management
The duties above are the responsibility of Senior Management. The Board has the discretion to decide the extent and nature of its input, and to provide challenge, advice and guidance on these matters and others.
The Board should be satisfied that the decisions and actions of Senior Management are consistent with the Board-approved business plan, strategy and risk appetite of the FRFI, and that the corresponding internal controls are sound.
2. Senior Management is responsible for implementing the Board’s decisions and directing the operations of the FRFI.
Senior Management is composed of the Chief Executive Officer (CEO) and individuals who are directly accountable to the CEO. This can include the heads of the Oversight Functions, such as the Chief Financial Officer (CFO), Chief Risk Officer (CRO), Chief Compliance Officer (CCO), Chief Internal Auditor (CIA), and Chief Actuary (CA), as well as the heads of major business platforms or units.
Senior Management is responsible for implementing the Board’s decisions and directing the operations of the FRFI within the authority delegated to them by the Board, and in compliance with applicable laws and regulations.
In order to fulfil its responsibilities, the Board relies on Senior Management to provide sound advice on the organizational objectives, plans, strategy, structure and significant policies of the FRFI. Senior Management should set out information, options, potential trade-offs, and recommendations to the Board in a manner that enables the Board to focus on key issues and make informed decisions in a timely manner.
The Board should, in turn, understand the decisions, plans and policies being implemented by Senior Management and their potential impact on the FRFI.
The Oversight Functions provide objective assessments to the directors to allow them to fulfill their responsibilities. The Oversight Functions identify, measure, and report on the FRFI’s risks, assess the effectiveness of the FRFI’s risk management and internal controls, and determine whether the FRFI’s operations, results and risk exposures are consistent with the FRFI’s risk appetite.
The heads of the Oversight Functions should have sufficient stature and authority within the organization, and should be independent from operational management. The heads of the Oversight Functions should have unfettered access and a functional reporting line to the Board or the appropriate Board committee.
The Board, with the support of Senior Management, should regularly assess the effectiveness of the FRFI’s Oversight Functions.
A FRFI that is part of a larger corporate group (another FRFI or company in Canada, or another company abroad) may be subject to or may adopt certain policies of the parent. In this situation, the subsidiary Board should be satisfied that these policies are appropriate for the FRFI’s business plan, strategy and risk appetite, and comply with specific Canadian regulatory requirements.
If the parent is another FRFI, the parent Board should exercise adequate oversight of the activities of the subsidiary FRFI to be satisfied that the parent Board can meet its enterprise-wide oversight responsibilities applicable to FRFIs under this guideline.
3. An effective Board should be independent and provide objective oversight of, and thoughtful guidance, advice and constructive challenge to, Senior Management.
The hallmarks of an effective Board include demonstrated sound judgment, initiative, proactiveness, responsiveness and operational excellence. Board members should strive to facilitate open communication, collaboration and appropriate debate in the decision-making process.
The Board should regularly assess its practices, and those of the Board committees, and should pursue strategies to enhance its overall effectiveness.
The Board should be diverse and, collectively, bring a balance of expertise, skills, experience, competencies and perspectives, taking into consideration the FRFI’s strategy, risk profile, culture and overall operations. The contributions of individual directors will reflect their particular expertise, skills, experience and competencies.
Relevant financial industry and risk management expertise are key competencies for the Board. There should be appropriate representation of these skills at the Board and Board committee levels.
The Board should have a skills and competency evaluation process that is integrated with the overall Board succession or Board renewal plans, and that pays particular attention to the positions of the Chair of the Board and Chairs of the Board committees. Diversity should also be a factor in these plans.
The Board, collectively, should be independent from Senior Management and the operations of the FRFI. [Footnote 6] Achieving independence can involve various Board structures and processes. Regardless of the approach, in all situations, OSFI views the separation of the Chair and CEO as critical (see next section). It is important that the Board’s behaviour and decision-making processes are independent, objective and effective, taking into account the particular circumstances of the FRFI.
The Board’s ability to act independently of Senior Management can be demonstrated through practices such as regularly scheduled Board and Board committee meetings that include sessions without Senior Management present.
To promote independence of thinking, the Board should have a director independence policy that considers, among other factors, the specific shareholder/ownership structure of the FRFI and director tenure. The recruitment process for new directors and the development of a director profile (both responsibilities of the Board) should emphasize the independence of Board members from Senior Management.
Board and Board Committee Chairs
4. The role of the Board Chair should be separate from the CEO, as this is critical in maintaining the Board’s independence and its ability to execute its mandate effectively.
Effective Boards and Board committees require a Chair that is experienced, skillful and exhibits leadership that encourages open discussion and appropriate debate.
The Chair of the Board and the chairs of Board committees should have frequent dialogue with, and a strong level of influence among, other Board members and Senior Management, as well as access to all FRFI information and staff. Given the critical nature of the role, the Chair should also foster direct and on-going dialogue with regulators.
Board and Board committee chairs should be independent, non-executive [Footnote 7] directors.
5. Consistent with their specific roles and responsibilities and through their behaviours, actions and words, the Board and Senior Management should promote a risk culture that stresses integrity and effective risk management throughout the FRFI.
Risk taking is a necessary part of a FRFI’s business. Accordingly, business strategies incorporate decisions regarding the risks the FRFI is willing to undertake and how it will manage and mitigate those risks.
Risk governance is a distinct and crucial element of the FRFI’s corporate governance. Risks may arise from direct exposures taken by the FRFI, subsidiaries, affiliates or counterparties, or indirectly through activities that create risks to the FRFI’s reputation. FRFIs should be in a position to identify the significant risks they face, assess their potential impact and have policies and controls in place to manage them effectively.
6. The FRFI should have a Risk Appetite Framework that guides the risk-taking activities of the FRFI.
The FRFI should develop a Risk Appetite Framework that takes into account its risk profile. It should be enterprise-wide and tailored to the FRFI’s domestic and international business activities and operations. On an on-going basis, the FRFI should be satisfied that the Risk Appetite Framework remains appropriate relative to the risk profile of the FRFI, its long-term strategic plan and its operating environment.
The Risk Appetite Framework should set basic goals, benchmarks, parameters and limits (e.g., level of losses) as to the amount of risk the FRFI is willing to accept, taking into account various financial, operational and macroeconomic factors. It should consider the material risks to the FRFI, as well as the institution’s reputation vis-à-vis policyholders, depositors, investors and customers.
The Risk Appetite Framework should be forward-looking and consistent with the FRFI’s business model, overall philosophy, short-term and long-term strategy and corresponding risk mitigation. It is intended to provide boundaries on the on-going operations of the FRFI with respect to asset class and liability choices, activities and participation in markets that are not consistent with the stated risk appetite of the institution. [Footnote 8]
The establishment of controls and a process to ensure their effectiveness are critical elements of the Risk Appetite Framework, as they help to ensure that the FRFI stays within the risk boundaries set by the Board.
Risk management systems and practices will differ, depending on the scope and size of the FRFI and the nature of its risk exposures. To manage risks effectively, the Board and Senior Management must understand the risks attendant to the FRFI’s business model, including each business line and product, and how they relate to the FRFI’s strategy and Risk Appetite Framework.
Board Risk Committee
7. The Board should establish a Board Risk Committee [Footnote 9] to oversee risk management on an enterprise-wide basis.
Guided by the FRFI’s Risk Appetite Framework, the Risk Committee should have an understanding of the types of risks to which the FRFI may be exposed, and the techniques and systems used to identify, measure, monitor, report on and mitigate those risks.
The Risk Committee should have a clear mandate. All Committee members, including the Chair, should be non-executives of the FRFI.
As part of its duty to oversee risk management of the FRFI, the Risk Committee should seek assurances from the CRO (or equivalent) that the risk management function of the FRFI is independent from operational management, is adequately resourced, and has appropriate status and visibility throughout the organization.
The Risk Committee should receive timely and accurate reports on significant risks of the FRFI and exposures relative to the FRFI’s risk appetite (including approved risk limits). It should provide input on material changes to the FRFI’s strategy and corresponding risk appetite. As well, the Risk Committee should be satisfied with the manner in which material exceptions to risk policies and controls are identified, measured, monitored, and controlled, as well as how exceptions/breaches are addressed.
Chief Risk Officer
8. The FRFI should have a senior officer (CRO or equivalent [Footnote 10]) who is responsible for the oversight of all risks across the firm.
The CRO is the head of the FRFI’s risk management function. The CRO and the risk management function are responsible for identifying, measuring, monitoring and reporting on the risks of the FRFI on an enterprise-wide and disaggregated level, independently of the business lines or operational management.
The CRO should have sufficient stature and authority within the organization, and should be independent from operational management. The CRO should have unfettered access and a functional reporting line to the Board or the Risk Committee.
The CRO and risk management function should not be directly involved in revenue-generation or the management and financial performance of any business line or product of the FRFI. As well, the CRO’s compensation should not be linked to the performance (e.g., revenue generation) of specific business lines of the FRFI.
While the CRO and the risk management function should influence the FRFI’s risk-taking activities (e.g., to ensure that the FRFI’s strategy or business initiative is operating within the stated risk appetite of the FRFI), the on-going assessment of risk-taking activities by the CRO and risk management function should remain objective.
The CRO should provide regular reports to the Board, the Risk Committee and Senior Management in a manner and format that allows them to understand the risks being assumed by the FRFI. The CRO should provide an objective view to the Risk Committee or the Board, as appropriate, on whether the FRFI is operating within the Risk Appetite Framework. The CRO should meet with the Risk Committee or the Board on a regular basis, with and without the CEO or other members of Senior Management present.
The CRO and risk management function should have processes and controls in place to assess the accuracy of any risk information or analysis provided by business lines in order to provide objective reporting to the Board, the Risk Committee and Senior Management.
Federal legislation requires that each FRFI establish an Audit Committee comprised of non-employee directors, a majority of whom are not “affiliated” with the institution. [Footnote 11]
The statutory duties of the Audit Committee, as described in federal legislation, include reviewing the annual statements of the FRFI, evaluating and approving internal control procedures for the institution, and meeting with the Chief Internal Auditor and/or the Appointed Actuary [Footnote 12] to discuss the effectiveness of the institution’s internal controls and the adequacy of practices for reporting and determining financial reserves. [Footnote 13]
The Audit Committee should approve the FRFI’s audit plans (internal and external). Audit plans should be risk-based and address all the relevant activities over a measurable cycle. Where part or all of the internal audit function is outsourced, the Audit Committee should still be responsible for overseeing the performance of the FRFI’s internal audit function as a whole.
The Audit Committee, not Senior Management, should recommend to the shareholders the appointment and removal of the external auditor. It should also agree to the scope and terms of the audit engagement, and review and recommend for approval by the Board the engagement letter and remuneration of the external auditor. Annually, the Audit Committee should report to the Board on the effectiveness of the external auditor.
The Audit Committee should discuss with Senior Management and the external auditor the overall results of the audit, the annual and quarterly financial statements and related documents, the audit report, the quality of the financial statements and any related concerns raised by the external auditor.
The Audit Committee should be satisfied that the financial statements present fairly the financial position, the results of operations and the cash flows of the FRFI. The Audit Committee should meet with the external auditor, the CIA and other heads of the Oversight Functions, as appropriate, with and without the CEO or other members of Senior Management present.
Effective corporate governance is an essential element in the safe and sound functioning of FRFIs. The Board and Senior Management are designated as key Oversight Functions in OSFI’s Supervisory Framework.
Effective oversight of the business and affairs of an institution by its Board and Senior Management is essential to the maintenance of an efficient and cost-effective supervisory system. It helps protect depositors and policyholders, and allows OSFI to use the work of the FRFI’s internal processes and functions, thereby reducing the amount of supervisory resources needed for OSFI to meet its mandate.
In addition, in situations where a FRFI is experiencing problems, or where significant corrective action is necessary, the important role of the Board is heightened and OSFI requires significant Board involvement in seeking solutions and overseeing the implementation of corrective actions.
OSFI supervises FRFIs to assess their financial condition and monitor compliance with the applicable federal legislation. Supervision is carried out within a framework that is risk-focused. [Footnote 14] OSFI has developed a comprehensive set of assessment criteria, key among which is the quality of oversight and control provided by the Board and Senior Management.
OSFI conducts supervisory work and monitors the performance of FRFIs to assess safety and soundness, the quality of control and governance, and regulatory compliance. The Board and Senior Management are ultimately accountable for the safety and soundness of the FRFI, as well as its compliance with federal legislation. As such, OSFI’s reports and findings can provide useful input to the Board’s own oversight of the FRFI. Open communication between the Board and regulators helps promote the mutual trust and confidence essential to the efficiency of OSFI’s principles-based approach to supervision. Accordingly, OSFI expects to be promptly notified of substantive issues affecting the FRFI.
The Board should understand the regulatory environment within which the FRFI and its subsidiaries operate. It should be informed of the results of supervisory work by OSFI and other regulators, and should follow up with Senior Management accordingly.
The Board should consider regulatory findings in its on-going evaluation of Senior Management and oversight function performance, recognizing that primary responsibility for identifying weaknesses rests with the Board and Senior Management.
OSFI will undertake a number of approaches, including discussions with the Board, Board committees, Senior Management and Oversight Functions, as well as the review of Board and Board committee material, in order to assess the effectiveness of the FRFI’s corporate governance. OSFI will look to gain insight into the discussions and deliberations at the Board and Committee level, including those with and without Senior Management. This may include understanding the Board’s behaviour and assessing the objectivity, degree of challenge and independence in the decision making process.
Where separate Oversight Functions do not exist, OSFI will look to other functions, processes or controls to assess the independent oversight provided.
OSFI recognizes that FRFIs make independent decisions regarding the nomination of Board members or appointment of Senior Management in the course of conducting their day-to-day business.
As part of OSFI’s on-going supervisory process, however, FRFIs should notify OSFI, as early as possible in the process, of any potential changes to the membership of the Board and Senior Management, and any circumstances that may adversely affect the suitability of Board members and Senior Management.
The process and criteria used by the FRFI in the selection process for Board and/or Senior Management members should be transparent to OSFI. Information regarding the qualifications of candidates of the Board and Senior Management should be provided to OSFI.
A number of factors set financial institutions apart from other business firms, and have led them to be subject to generally higher levels of regulation, including:
These characteristics create unique challenges for the governance of financial institutions and underscore the importance of effective risk management systems and rigorous internal controls. They point to the need for knowledgeable, independent oversight exercised by or on behalf of the Board, along with the additional assurance of regulatory oversight, to provide assurance to markets on the reliability of reporting and disclosure. Also, as a consequence of being a regulated industry, the governance processes of financial institutions are subject to review and may be influenced by the views of OSFI and other regulatory bodies.
Finally, many financial institutions have complex organizational structures with a large number of entities (some of which may not be regulated) used to deliver different financial products and services. For these organizations, the relationship between the parent company and its subsidiaries merits special consideration and the effective governance of subsidiaries should be a high priority for the Board and Senior Management.
The Risk Appetite Framework should contain a risk appetite statement and risk limits, as well as an outline of the roles and responsibilities of those overseeing the implementation of the Risk Appetite Framework. The Risk Appetite Framework is an integral part of the FRFI’s overall enterprise-risk management framework.
The risk appetite statement reflects the aggregate level and type of risk that the FRFI is willing to accept in order to achieve its business objectives. Key features of the risk appetite statement are:
Risk limits are the allocation of the FRFI’s risk appetite statement to:
Risk limits are often expressed in quantitative terms, and are specific, measurable, frequency-based and reportable.
Once approved by the Board, the Risk Appetite Framework should be implemented by Senior Management throughout the organization as an integral part of the overall enterprise risk management framework of the FRFI. The Risk Appetite Framework should align with the organization’s strategy, its financial and capital plans, its business unit strategies and day-to-day operations, as well as its risk management policies (e.g., risk limits, risk selection/underwriting guidelines and criteria, etc.) and compensation programs.
Where the Risk Appetite Framework sets aggregate limits that will be shared among different units, the basis on which such limits will be shared should be clearly identified and communicated.
Effective control, monitoring and reporting systems and procedures should be developed to ensure on-going operational compliance with the Risk Appetite Framework, including the following:
The Board and Senior Management should receive regular reports on the effectiveness of, and compliance with, the Risk Appetite Framework. These reports should include a comparison of actual results versus stated Risk Appetite Framework measures. Where breaches are identified, action plans should exist and be communicated to the Board. The Risk Appetite Framework should be an integral part of the Board’s discussions and decision-making processes.
Footnote 1: Branches do not have a Board of Directors and, accordingly, this guideline does not apply to branch operations. OSFI looks to the Chief Agent or Principal Officer of a branch to oversee the management of the branch, including matters of corporate governance. The Chief Agent and/or Principal Officer of branches should refer to Guideline E-4A and Guideline E-4B, as appropriate.
Footnote 2: The terms “Senior Management” and “Operational Management” are used throughout this guideline, and are defined in OSFI’s Supervisory Framework. For the purpose of this guideline, however, the Oversight Functions include: Financial; Risk Management; Compliance; Internal Audit; and Actuarial.
Footnote 3: Refer to Annex A for a description of the special nature of financial institutions.
Footnote 4: Refer to Annex B for a description of the Risk Appetite Framework.
Footnote 5: Principles for Sound Compensation Practices, Financial Stability Board (FSB), 2009.
Footnote 6: The notion of “independent”, as it applies in this guideline, is much broader than the notion of “non-affiliated”, as defined in the federal financial institution statutes. It has been described and elaborated upon in various legal and international documents (e.g., securities law, international standards, and reports).
Footnote 7: A non-executive director is a member of the Board who does not have management responsibilities within the FRFI.
Footnote 8: Refer to Annex B for further details.
Footnote 9: For small, less complex FRFIs, in place of establishing a separate Risk Committee, the Board should be satisfied that it has the collective skills, time and information (i.e., appropriate reporting) to provide effective oversight of risk management on an enterprise-wide basis.
Footnote 10: For small, less complex FRFIs, the CRO role can be held by another executive of the FRFI (i.e., the executive has dual roles). Some FRFIs may not have a CRO position per se, but nonetheless can clearly identify an individual within the FRFI that is accountable to the Board and Senior Management for the same functions. In these cases, the dual role must not compromise the independence required of the CRO.
Footnote 11: As defined in the federal legislation and the Affiliated Persons Regulations associated with each financial institution’s governing statute.
Footnote 12: The role of the Appointed Actuary is outlined in OSFI’s Guideline E-15, Appointed Actuary: Legal Requirements, Qualifications and Peer Review.
Footnote 13: FRFIs should ensure that they are in compliance with the relevant securities requirements in respect of the Audit Committee in the relevant jurisdictions.
Footnote 14: Refer to OSFI’s Supervisory Framework.