Promoting effective risk governance: no time for complacency

Speech - Toronto


Good afternoon and thank you for inviting me to speak about the role and importance of effective risk governance.

In my last remarks at this forum, I discussed OSFI's recent evolution in prudential supervisory practices in response to the rapidly changing risk environment for regulated institutions.

Today, I want to focus on what the changes in the risk environment mean for our expectations of regulated institutions, particularly in the critical area of risk governance, given that the ultimate responsibility for overseeing sound and prudent management rests with their respective boards of directors.

And there's no time for complacency. As the risk environment we face continues to change and becomes more uncertain, boards truly are the institution's last line of defence.

At OSFI, we have been reflecting on the extent to which the risk governance principles developed since the Global Financial Crisis (GFC), such as those of the Financial Stability Board (FSB) and related standard setters, as well as the lessons highlighted in the Group of Thirty report "Towards Effective Governance of Financial Institutions", are still applicable in today's uncertain risk environment.

The GFC was a turning point for risk governance given the basic failings observed in risk management and board oversight. It resulted in, among other things, higher standards for transparency and accountability, a stronger emphasis on fostering a culture of ethics and integrity, and changes in regulatory oversight.

But more recent events, such as the collapse of Archegos Capital Management, the failure of several financial institutions in the spring of 2023, and geopolitical and technological developments that some would have considered unthinkable not long ago, have given us much to ponder.

At OSFI, we have always recognized the critical role played by the board of directors and the continued centrality of effective risk governance in achieving prudent outcomes.

Superintendent Routledge also spoke at this forum in early May about the important role that boards of directors play as insightful, watchful stewards over their institutions, especially when risks intensify.

To take the soccer analogy from my previous remarks on effective supervision one step further, if the soccer team is the financial institution and the referee is OSFI, then it follows that the manager or coach is the CEO, and the club president is the board of directors.

The sports fans in this room know that the best soccer clubs not only have a strong team and an excellent manager, but also an astute club president or chair who makes key management appointments, oversees the management team, and prepares for the future.

With that dynamic in mind, I'd like to spend the remainder of my time on three questions:

  1. What are the key changes in the risk environment post GFC?
  2. What are the enduring attributes of an effective board from a prudential perspective?
  3. And [therefore], where should boards focus their limited time and efforts?

Question 1: What are the key changes in the risk environment post-GFC?

Let me turn to the first question: what’s changed in the risk environment, post-GFC?

Despite the events of 2023, I believe financial institutions and their boards have become much better at overseeing the financial risks at play during the GFC, namely credit, market, and liquidity risks.

Enterprise risk management frameworks, underpinned by comprehensive risk appetite statements, have become indispensable tools in this regard, and the role of culture in influencing risk-taking behaviour is increasingly recognized and considered as part of board deliberations.

Culture and other non-financial risks, such as technology and cyber, are beginning to be better integrated into risk management frameworks, helping us to address the "next wave" of risks that have largely been associated with operational resilience.

But today we also see additional and overlapping forces at work.

Financial and non-financial risks are alive and well, but the underlying drivers of uncertainty are more pronounced, ranging from climate, population and demographic change to digitalization, populism, and geopolitical tensions, as former Bank of Canada Governor Stephen Poloz explains in his book The Next Age of Uncertainty.

Alongside these major shifts, the velocity of risk has reached unprecedented levels, while failing to meet "table stakes" compliance obligations has become increasingly consequential for regulated institutions.

This has forced us to rethink our objectives, including OSFI’s expanded mandate for integrity and security, as well as assumptions about the agility of risk management, the speed and scale of contagion across financial institutions, and the nature and extent of stakeholder engagement.

Taken together, these factors have created a highly uncertain risk environment that poses fundamentally different challenges for boards in fulfilling their responsibilities.

In addition to the “known unknowns” we’ve always faced, there are also “unknown unknowns” for which we must be prepared.

Let me pause for a moment to focus on the implications of rising uncertainty as distinct from rising risk.

"Risk", as addressed by the post-GFC reforms, was conceived as something measurable and predictable to which you could apply specific risk management responses, such as the establishment of risk limits and financial reserves.

“Uncertainty,” on the other hand, is about things that you cannot control or predict, but whose outcomes can still be adverse or even catastrophic.

From a risk governance perspective, responding to “uncertainty” requires a different mindset and more adaptive approaches, planning for a variety of possibilities, whether in terms of capital, liquidity, or operations, and being able to maintain sound performance over an extended period of stress that is itself unpredictable.

Rather than simply sitting comfortably atop regulatory targets, financial institutions must test and continually improve their resilience using scenario analysis and simulations, contingency playbooks, and tabletop exercises.

This points to a key element of our new supervisory framework; namely, a focus on resilience as opposed to financial or operational "strength".

We have seen recent evidence of this over the past two years, as even institutions with strong capital positions have failed to withstand financial pressures.

The reality of an uncertain future is that expectations of board effectiveness and oversight must be continually refreshed and challenged in light of our evolving experience, and of the board's ongoing responsibility to ensure that institutions remain resilient to the far less predictable.

Question 2: What are the enduring attributes of an effective board from a prudential perspective?

Given the constant change and increasing complexity of risk management, it is easy to forget the basics of sound risk governance.

This brings me to the second question: what are the enduring attributes of an effective board from a prudential perspective that will help prepare for the uncertainties that lie ahead?

One of the advantages we have as supervisors is the ability to look across the boards of the institutions we regulate.

So, let me run you through the "top ten" behaviours and tendencies that we see in effective boards of directors.

  • First, they understand what the board's responsibility is – strategy, risk management, and succession planning – and not the day-to-day operations. Like the meddling soccer club president, some directors come very close to (and even cross) this line.
  • Second, they ask the right questions, whether about strategy, emerging risks, or reputational issues. More importantly, like the soccer club president, they challenge management when the strategy or tactics aren't good enough by holding them clearly accountable.
  • Third, they proactively guard against complacency by identifying areas of weakness even when financial performance is strong. This is particularly important in Canada, where financial institution failures are rare and past performance can be a false assurance of future success.
  • Fourth, they don't rely exclusively on subject matter experts, including in key technical areas ranging from cyber risk to balance sheet management to regulatory compliance. By not depending on any single star player, effective boards have the collective expertise and knowledge to challenge the experts appropriately.
  • Fifth, they consciously negate the halo effect. Effective directors do not allow their positive impressions of or relationships with the CEO, the management team, or their fellow directors to influence their thinking on fundamentals related to risk control and accountability.
  • Sixth, effective boards create not only "safe spaces" (where directors trust each other), but also "brave spaces" to support thought leadership and effective challenge (where directors feel encouraged to speak up, even when it is uncomfortable to do so with peers).
  • Seventh, they foster a culture of continuous improvement and an agile mindset throughout the organization. They are proactive and seek to stay on top of emerging risks, such as the heightened reputational risk created by social media channels. Weak boards, by contrast, focus on meeting minimum expectations and addressing issues piecemeal.
  • Eighth, an effective board acts quickly when concerns are raised by control functions, auditors, and regulators. They are constructive rather than defensive when concerns or issues are raised, and they value the broader perspectives that "outsiders" bring to risk control.
  • Ninth, an effective board is honest and open with prudential regulators. They do not give rehearsed statements or tell us only what they think we want to hear. They are open and skeptical, and not a public relations function for their management team, including the CEO.
  • And tenth, they understand that board turnover should not be perfectly correlated with term expiration. They conduct regular self-assessments of their members and have a sense of urgency about addressing underperformance or skill gaps.

Truly great boards bring diverse perspectives and skills to the table to help navigate risk and uncertainty – considering different scenarios and preparing for the unpredictable and immeasurable.

This, in turn, helps to set the tone for management in preparing for an uncertain future.

Question 3: Where should boards focus their limited time and efforts?

As the demands on boards continue to grow, this brings me to the third question: where should boards focus their limited time and efforts? From my perspective, success requires a broader view of performance as a safeguard against complacency.

While expectations for risk governance and the board are high, boards are not a cure-all and shouldn't be expected to address all the institution's challenges on their own.

There are only so many ways that boards, whether in regular meetings or through committees, can obtain information, oversee strategy execution, and manage risk.

Like the president of a soccer club, the board's role is to put in place the right management team and oversight structures, including succession planning for senior management.

While maintaining the appropriate distance to allow management to execute, an effective board drives accountability throughout the organization, with a focus on senior management, to promote risk management and resilience, as well as prudent risk-taking.

So, I’d like to highlight three key areas for boards to focus on in this era of uncertainty: accountability, culture, and proportionality.

Accountability for risk owners

With respect to the need for accountability by risk owners, our new Supervisory Framework can help set the stage for the areas that we believe are critical to supporting strong risk governance: these include expectations for business and central functions, risk and compliance oversight functions, and internal audit.

For today, I'll focus on the business and central functions (or "front-line functions").

In this area, leadership and oversight are critical to achieving clear accountability in support of prudent risk-taking.

Leaders ensure that front-line staff understand risk appetite and limits in several areas – spanning both financial risks that directly drive financial performance (like underwriting loans or insurance policies) and non-financial risks (like information security, and compliance obligations such as anti-money laundering (AML)) that can affect integrity and security.

Without accountable business leadership, it is unlikely that the front line will truly "own", and therefore control, their risk, no matter how good the risk management oversight or internal audit.

Recently, regulators around the world have identified senior management responsibility and individual accountability as key drivers of effective risk management.

Too often, especially in larger institutions, we see diffuse or collective accountability and a lack of real ownership of risk outcomes. This is especially true for non-financial risks, including compliance.

It is critical that financial institutions address this issue head on.

Business leaders should own and deeply understand their risk and compliance obligations and be accountable for timely remediation, rather than relying on risk or compliance oversight functions to do their work for them when gaps emerge.

Nurturing culture risk management

Now, let me turn to culture.

Underpinning the success of risk owners and the oversight functions is the culture of the institution, for which the board has overarching responsibility.

Of course, culture and the risks associated with it are easy to talk about in the abstract, but with its many drivers, how can it be practically measured, assessed, and managed?

More to the point, how does the board drive accountability across all employees for a sound culture that is aligned with the institution's risk appetite?

Clearly, an important part of the culture equation is the question of incentives, and we firmly believe that compensation remains a powerful tool for encouraging the right risk behaviours and discouraging the wrong ones.

Following the GFC, the international regulatory community pursued an ambitious policy agenda on executive compensation. Some of the resulting policies, such as deferred compensation and clawbacks, are theoretically sound but have had limited practical success.

Some jurisdictions have sought to go further, adopting so-called senior managers regimes (such as the UK PRA's), but we have not yet done so. In Canada, we have so far taken a more principles-based approach to compensation reform, consistent with our broader approach to prudential regulation and to "fit and proper" requirements.

More recently, we have been encouraged to see financial institutions incorporate non-financial measures into executive scorecards to promote a healthy culture, reinforce positive behaviours, and emphasize sound risk management.

But are changes in compensation arrangements sufficient to meaningfully change behaviour, culture, and decision-making in support of sound risk-taking and risk management?

Perhaps not.

Perhaps more direct accountability and personal consequences are needed within existing governance structures.

Scaling for complexity

Finally, a comment on scaling expectations for size and complexity, or "proportionality".

We recognize that some institutions may find it difficult to respond to the risk environment and our related expectations.

For example, some institutions are so small that they cannot be expected to meet our expectations in the same way as larger institutions, and must focus on how to achieve the same outcomes with more limited resources.

Other institutions are so large that integration across many business units and geographies is a serious challenge. It is impossible for the board (and senior management) to be "everything, everywhere, all at once".

This can lead to the risk ownership issues I mentioned earlier, where we often see delayed action and obscured issues and incentives.

Ultimately, this tension between needs and capacity is a real challenge for boards, and one that we are constantly discussing with regulated institutions.

But the need for focus and clarity of thought, given the constraints under which boards operate, is also a crucible through which boards can forge the tools of their success.

Boards need to narrow down the key issues for management - what do they want to focus on, what can they do, and what assessments are they comfortable with?

They have the duty and privilege to set the overall priorities, and now more than ever, this is of critical importance.

We hope that our new Supervisory Framework can help in this regard.

By providing clarity on risks and desired outcomes, we can promote clarity on accountability for risk management outcomes and resilience. In turn, equipped with clear intended outcomes, boards will hopefully be empowered to ask the tough questions of their senior management and hold them accountable, to identify areas of weakness in the face of relentless change, and to act quickly to fill those gaps.

The full-time whistle: there is no time for complacency

In sum, there is no time for complacency when it comes to effective risk governance.

When I take a step back from the day-to-day of prudential supervision, one of the things I keep coming back to is the problem of moral hazard that lurks in the background of our financial system.

Boards have an incentive to set risk appetites that maximize profitability while being shielded by the concept of limited liability.

They do not have the incentives or the information to price in and manage the potential spillover effects of institutional failure. But as regulators, we must!

As regulators, we weigh up the potential negative externalities that arise from the financial institutions’ activities and intervene where appropriate, while still allowing institutions to compete and take reasonable risks.

But newer ways of framing externalities have also emerged from the private sector ("ESG"), likewise focused on longer-term sustainability. In an era of uncertainty, these underscore the need to reframe objectives in a way that reflects the board's own accountability when things go wrong.

This only underscores the need to recognize that true success is measured by resilience over a long season of grueling games, not a short penalty shootout.

The traditional mindset of focusing more narrowly on shareholder value is no longer sufficient and is increasingly subject to market discipline.

Boards and senior management teams must be equipped to tackle this new reality. They need to adapt and evolve as circumstances and stakeholders change, while maintaining the fundamentals of prudential oversight, including risk control and compliance management.

This evolution will require a careful redesign of incentive structures and accountability measures to align with a more comprehensive view of good performance.

The merits of a “senior managers regime” also deserve ongoing consideration.

Ultimately, we need to move from relatively static definitions of strength to a mindset of adaptability and resilience in the face of relentless uncertainty.

In this way, regulated institutions will contribute to a financial system that truly serves the long-term interests of depositors, policyholders, the broader economy, and Canadians.

We know that the season ahead will likely be a challenging one, but to quote the greatest soccer player in history [Pelé]: “The more difficult the victory, the greater the happiness in winning.”