On August 7 2012 the Office of the Superintendent of Financial Institutions (OSFI) issued a draft guideline entitled Corporate Governance of Federally Regulated Financial Institutions.(1) The draft guideline is intended to supplement and modernise the existing OSFI Corporate Governance Guideline,(2) purportedly bringing the corporate governance of federally regulated financial institutions (FRFIs) such as insurers into greater alignment with prevailing industry best practices and standards.

While the draft guideline remains consistent with the existing guideline in its general direction and guidance, it intensifies the focus and raises expectations for effective governance in several areas. This update summarises notable changes and trends under three broad categories:

  • risk management;
  • boards of directors; and
  • accounting controls.

The draft guideline has been released for comment only and is therefore subject to change.

From risk management to risk governance

The most obvious change introduced by the draft guideline, and one of particular relevance to the insurance industry, is the increased focus on risk. This is unsurprising given the continuing global emphasis on enterprise risk management and risk-based supervision as tools for safeguarding and regulating the soundness and solvency of financial institutions.

In the existing guideline, OSFI recognises the importance of managing risk and of implementing policies to deal with risk exposure, risk tolerance and risk control. It is less clear who should shoulder responsibility for enterprise risk management. Boards of directors are expected to have a general understanding of risk exposure and of "techniques used to measure and manage those risks". Boards are also expected to define the overall philosophy and tolerance for risk, set policies for risk management and receive regular reports from management. OSFI also expects audit committees to ensure that audit plans are risk based and that external auditors take into account the specific risk exposure of the FRFI.

Risk governance
The draft guideline represents a major departure from the existing guideline in terms of risk. Under the draft guideline, risk management is now a mere subset of risk governance, which entails a more systematic, defined and holistic approach to dealing with risk. FRFIs are now asked to develop a risk appetite framework (RAF) to guide risk exposure in pursuit of business objectives. Annex C to the new guideline details OSFI's expectations as to the contents of an RAF. Essentially, an RAF must contain statements of risk appetite (eg, market risks or hedging strategies) and risk tolerance (eg, credit limits or leverage ratios). It is to be approved by the board and implemented by management across all business units as part of an integrated enterprise risk-management strategy.

Risk committee and the chief risk officer
Another new addition set out in the draft guideline is the requirement to establish a risk committee, made up of independent directors. Its mandate is to oversee risk management on an enterprise-wide level. In addition, it is expected to supervise and review the performance of the chief risk officer (CRO), who is responsible for implementing processes and controls to assess, measure, monitor and report on risk. The CRO should be insulated from all business lines and revenue-generating activities, have unimpeded access to the board and have a direct reporting line to the risk committee.

In its turn, the risk committee must ensure that risk management activities remain independent from operations management and have adequate resources and visibility. In addition, it must work with the CRO to review internal risk reports.

OSFI emphasises the importance of taking an enterprise-wide view of risk at the board level, independent of senior management.

More active and independent boards

The draft guideline amplifies the responsibility and accountability expected of directors by mandating:

  • a higher degree of involvement in management oversight;
  • the independence of board processes; and
  • an increased focus on board committees and functions.

OSFI has clarified the essential responsibilities of the board, distinguishing between activities under the purview of management that should be reviewed by the board and primary board duties that require board approval. This demarcation is less clear in the existing guideline. The draft guideline clarifies that board approval applies to responsibilities such as setting business objectives, internal control frameworks and external audit plans. Board review, on the other hand, is warranted for management-led responsibilities such as operational policies, financial performance, and the implementation of internal controls. While the scope of board responsibilities has been clarified and made more comprehensive, OSFI's hallmarks of effective board performance remain essentially unchanged.

OSFI also urges boards to commission third-party reviews regularly in order to assess the effectiveness of all oversight functions.(3) While OSFI has expected FRFIs to establish independent and specific oversight functions for many years, it now calls for a higher degree of board scrutiny over their performance.

Board chair
For many FRFIs, the role of board chair in 2012 and beyond will be more comprehensive than it was during the previous decade. OSFI has increased the scope of the chair's responsibility and expects the chair to devote significantly more time and energy to his or her role than fellow directors. A primary expectation is that the chair will be actively involved in regular dialogue with fellow directors and senior management. He or she is also expected to be a key interface between the FRFI and regulators. While OSFI has long supported director engagement with senior management, it now expects the chair's reach to extend far deeper into the organisation, having access to "all FRFI information and staff". Finally, after previously expressing no preference on the matter of non-executive chair versus lead director, OSFI now indicates that it is critical that the role of chair be separated from that of chief executive officer (CEO).

Skills and competence
A corollary to intensified board responsibility is the increased expectation of skills and financial sector expertise among directors. OSFI now considers it essential for individuals with relevant financial and risk management experience to be represented on the board and across committees. Boards are urged to develop formal tools to evaluate skills, such as a competency matrix, which would be reviewed annually with an eye to appropriate board composition.

In both versions of the guideline, OSFI has taken the position that "demonstrable Board independence is at the core of effective FRFI governance". However, the degree of separation expected between board and management has intensified. As previously noted, OSFI now urges that the role of chair be separated from that of CEO. It also encourages regular private meetings of the board and committees with no managers present. In addition, the board is encouraged to implement a director independence policy to ensure adequate independence, taking into account the needs and structure of the particular FRFI. The draft guideline stresses that 'independence' should be construed much more broadly than the concept of 'unaffiliated', which is set out in the relevant statutes. Director independence should be determined in accordance with emerging international standards.

Accounting controls

While the existing guideline establishes a broad mandate for the audit committee to become involved with external audits, its authority is limited to discussing, reviewing and meeting with auditors. In contrast, the draft guideline states that the audit committee, rather than management, "should be responsible for approving external auditor fees and the scope of the audit engagement". The new guideline also codifies a new role within the FRFI: chief internal auditor.

The chief internal auditor, along with the chief financial officer and the appointed actuary, "should have direct reporting lines to the Audit Committee", rather than exclusively to management. These changes can be viewed as part of a broader trend for increasing the responsibility of independent board members and intensifying oversight on decisions formerly under the sole purview of senior managers.

OSFI also expects the audit committee to assess the appropriateness of accounting and actuarial practices. This responsibility implies a relatively advanced and specialised skill set for audit committee members.


In the draft guideline, OSFI chose to raise the bar further with respect to regulatory requirements for corporate governance. Although there are references in the draft guideline acknowledging that implementing some of the requirements may vary among organisations (eg, "depending on the nature, size, complexity and risk profile of the FRFI"), it still largely remains a broad brush, one-size-fits-all approach, with the emphasis on independent directors as gatekeepers.

In a speech to the Toronto Board of Trade which predated the draft guideline,(4) OSFI's superintendent acknowledged the arguments that increased board involvement in corporate governance could eventually result in board responsibility overload and a blurring of the lines of responsibility between the board and management. She indicated at that time that OSFI was currently "assessing all the things we ask boards to do". The link at the bottom of this update accesses a chart that summarises current OSFI guidance that specifically contains duties and responsibilities for boards of insurers. The existing regulatory onus on boards of insurers is not insignificant.

Aspects of the draft guideline arguably can be seen to blur the line between the board and management, and possibly even between the board and external advisers. Examples include the statement that FRFI boards as well as management "need to have a full understanding of the risks attendant to the FRFI's business model including each business line and product". It is difficult to imagine how independent directors of insurers can realistically be informed of the risks involved with each product offered by the insurer. Further, an "adequate number of" members of the risk committee (all independent directors) are to have "sufficient knowledge in the risk management of financial institutions", and, "where appropriate, the Committee should include individuals with technical knowledge in risk disciplines that are significant to the FRFI". As well, members of the audit committee (all independent directors) are required to have skills and expertise sufficient to enable them to assess whether the FRFI's accounting and actuarial practices are appropriate and within acceptable bounds. Finally, the draft guideline indicates that the audit committee is responsible for ensuring that the financial statements present fairly the financial position, results of operations and cash flows of the FRFI.

The draft guideline expects independent directors to fulfil their duties with a high degree of scepticism. Boards are directed to take measures to obtain independent verification of management assurances; this appears to be in addition to the requirement to commission formal periodic third-party reviews of oversight functions. Not that healthy scepticism in an outside director is ever a bad thing, but taking all of these observations together, the draft guideline could be seen as creating a new quasi-managerial role for independent directors of FRFIs. For certain FRFIs - such as insurers that are wholly owned subsidiaries where the shareholder controls the appointment and removal of directors as well as management, and sets the strategic direction for its subsidiary - many aspects of this kind of role do not fit. Where there is a sole or dominant shareholder, one of the most important functions of the independent directors, from a theoretical point of view, is to protect against shareholder abuse of the FRFI by policing the self-dealing provisions in the legislation, rather than spending most of their time second-guessing senior management.

Assuming that few changes are introduced to clarify the applicability of portions of the draft guideline to different FRFIs, it appears that the challenge for insurers will be to sift through the requirements in order to identify those that apply to them, and from there determine the aspects and levels of implementation that are best suited to their organisation. This determination should be based on a demonstrably defensible rationale. Perhaps this kind of compliance determination exercise may evolve into an approach that is similar to the comply-or-disclose approach adopted by securities regulators.

A summary of the directors' duties for insurers can be found at

For further information on this topic please contact Carol Lyons, Hartley Lefton, Calie Adamson or Tim Hughes at McMillan LLP by telephone (+1 416 865 7000) or fax (+1 416 865 7048).


(1) Office of the Superintendent of Financial Institutions, Draft Guideline, Corporate Governance of Federally Regulated Financial Institutions (OSFI, August 7 2012).

(2) Office of the Superintendent of Financial Institutions, Corporate Governance Guideline (OSFI, January 2003).

(3) OSFI conducts regular reviews of each of six oversight functions. These are risk management, internal audit, compliance, financial analysis, senior management and the board of directors. OSFI, Introduction to the Supervisory Framework Ratings Assessment Criteria (OSFI, July 2002).

(4) Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions to the Toronto Board of Trade, Toronto Ontario, April 5 2012

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.