Earlier this month, Jamey Hubbs, Assistant Superintendent of the Office of the Superintendent of Financial Institutions (OSFI), spoke at Northwind’s 2016 Financial Services Invitational Forum in Cambridge, Ontario.
“OSFI is looking for the institutions we supervise to have strong and appropriate risk cultures, a stress testing regime that is an integrated part of that risk culture rather than a mechanical compliance exercise and a disclosure regime that will exert market discipline and hence reinforce internal risk culture with external vigilance,” he said.
Here are a few excerpts from his speech (you can read the entire text here):
“We look for evidence that the risk appetite is impacting decisions and behaviours within the organization. However, we also recognize that to have a comprehensive understanding of risk culture and behaviours within the institutions we supervise, periodic reviews are not sufficient. To have an accurate understanding will require more frequent work, and this is where OSFI’s lead supervisor teams come into play. Lead supervisors have the most frequent interactions with the institutions we supervise; therefore they are uniquely and well positioned to determine if the institution’s risk appetite impacts daily decisions and behaviours. Put simply, our lead supervisors are well placed to see if the ‘echo from the bottom’ matches the ‘tone from the top’.”
“More broadly, OSFI is reviewing performance management. We are looking to see if financial institutions consider the behaviours of individuals or departments against risk appetite when setting compensation levels and promotional opportunities.”
“Another area we look at is acquisitions. Here, our focus has been on the role of risk culture in the acquisition decision process. Is the acquiring institution including an examination of the risk culture of the potential acquisition as part of the due diligence process? If so, how is that done and what weight does this work carry in the final analysis? While we appreciate that no due diligence process is foolproof, by not examining the risk culture and behaviour of any potential acquisition the chances of a negative shock are increased.”
“A strong risk appetite framework, balanced with appropriate compensation practices, can go a long way to mitigating misconduct risk. As many of you are aware, OSFI established a corporate governance division in 2010. That division has led much of our work in this field and will continue to do so. OSFI wants to enhance our ability to assess how risk culture and other drivers of behaviour affect risk management across a range of institutions. This is an area that will receive continued focus over the next few years.”
Hubbs’ message resonates well with the driving idea behind RSA Archer’s newest release, built around the concept of “inspiring everyone to own risk”. As our colleague Steve Schlarman recently put it, risk management solutions need to “inspire the users to change the way they think about compliance and risk. Just as the GRC program needs to change the way the business unit managers and front line employees conduct their business, the technology underpinning that effort needs to fuel that shift in thinking.”
We’ve been having similar conversations with organizations over the past few months across all industries. You can get in touch with us at firstname.lastname@example.org to learn more.