Since the financial crisis in 2008, best practices for corporate governance have significantly evolved, and international regulators have placed a greater emphasis on corporate governance. In light of the global financial crisis and the increasingly heightened attention paid to the corporate governance of financial institutions, the Office of the Superintendent of Financial Institutions (OSFI) decided to update its Corporate Governance Guideline, which was originally published in 2003 (the Original Guideline), and created a corporate governance unit in 2010 to conduct a cross-sector review of governance at larger federally regulated financial institutions (FRFIs). This review provided OSFI with benchmarking information on current practices as well as information that helped it update the Original Guideline.
After publishing a draft of its revised Corporate Governance Guideline (the Draft Guideline) for comment in August 2012, OSFI released the final version (the Final Guideline) on January 28, 2013, which sets out its expectations regarding corporate governance of FRFIs. The Final Guideline, which represents the only revision to the Original Guideline, is meant to complement relevant portions of the respective FRFI statutes and regulations, as well as OSFI’s Supervisory Framework and Assessment Criteria; promote industry best practices in corporate governance; and address international standards as articulated by organizations such as the Financial Stability Board, the Organisation for Economic Co-operation and Development, the Basel Committee for Banking Supervision and the International Association of Insurance Supervisors.
OSFI expects FRFIs to conduct a self-assessment of compliance with the Final Guideline and to establish a plan to address any deficiencies by May 1, 2013. These self-assessments should be retained by the FRFI and made available to OSFI upon request. Full implementation of the Final Guideline by FRFIs is expected by no later than January 31, 2014. Once the Final Guideline is implemented, OSFI expects boards and senior management of FRFIs to be proactive and aware of corporate governance best practices that are applicable to their institution and, where appropriate, to adopt these best practices.
OSFI received over 30 submissions from various stakeholders following the release of the Draft Guideline in August 2012. In this article, we highlight the major changes between the Draft Guideline and the Final Guideline, and attach a summary of the Final Guideline (as appendix A).
Changes from the Draft Guideline
Independent third-party reviews. The Final Guideline removes the requirement of boards to periodically commission third-party reviews to assess the effectiveness of the board and board committee practices, oversight functions and processes and risk-management systems and practices. Instead, the Final Guideline softens this requirement by suggesting the conducting of regular self-assessments of the effectiveness of board and board committee practices and oversight functions and processes, occasionally with the assistance of independent external advisers. It leaves the board to establish the scope and frequency of such external input. In addition, the Final Guideline no longer specifies external assistance with respect to risk-management systems and processes.
Flexibility for smaller FRFIs. The Draft Guideline was revised to clarify which elements FRFIs can apply in a more flexible manner, depending on their circumstances. For example, the Final Guideline no longer requires that FRFIs have a designated chief risk officer (CRO) and clarifies that for smaller institutions, the CRO role can be performed by another executive of the FRFI (e.g., the executive would have a dual role). In addition, for smaller, less complex institutions, the full board or another board committee can serve as the Risk Committee. However, in place of establishing a separate Risk Committee, the board or other committee should ensure that it has the collective skills, time and information to provide effective oversight of risk management.
The concept of “independence.” The Final Guideline removes some inconsistent uses of the term “independent” and applies a more selective and consistent use for the term.
Application of the Guideline to subsidiaries. For clarity, Annex B in the Draft Guideline was deleted and replaced with a more succinct section in the main body of the Final Guideline relating to the application of the Final Guideline to subsidiaries.
Use of the word “ensure.” Commentators had noted that with respect to the board’s duties, the use of the word “ensure” throughout the Draft Guideline blurred the role of the board with that of senior management, since in oversight function, the board can never ensure actions or results. Therefore, the term “ensure” was deleted throughout the Final Guideline and replaced with terms such as “seek assurances from senior management” or “establish processes to periodically assess the assurances provided to it by senior management.”
Risk Committee and independence.The Draft Guideline was amended to clarify that all members of the Risk Committee should be “non-executives” of the FRFI (e.g., directors from affiliated companies are eligible) in order to be consistent with international standards.
Direct reporting lines. Commentators had suggested that references to “direct reporting lines” should be removed, since if the heads of the control functions were to “report” to the committees with only an “administrative” reporting line to the chief executive officer (CEO), their ability to function as effective members of the management team would be compromised. The Draft Guideline was therefore amended to clarify that the heads of the oversight functions “should have unfettered access and, for functional purposes, a direct reporting line to the Board or relevant Board committee (e.g., Audit, Risk).” This is consistent with international standards.
Summary of OSFI’s Corporate Governance Guideline
The Original Guideline was revised to (i) enhance the effectiveness of the board of directors; (ii) strengthen the risk governance of FRFIs (e.g., by requiring FRFIs to establish a “Risk Appetite Framework” to guide risk-taking activities); and (iii) to bolster the overall internal control framework of FRFIs (e.g., the role of the chief risk officer and Audit Committee).
The Role of the Board of Directors
OSFI creates a critical distinction between the responsibilities of the board of directors of a FRFI and the responsibilities of senior management. According to the Final Guideline, while the board is responsible for setting the direction and general oversight of the management and operations of an entire FRFI, senior management is accountable for implementing the board’s decisions and is responsible for directing and overseeing the operations of the FRFI.
Under section III of the Final Guideline, OSFI suggests that, at a minimum, the main focus of the board’s attention and activities should be to approve the FRFI’s (i) short-term and long-term enterprise-wide business objectives, strategy and plans, including the Risk Appetite Framework; (ii) significant strategic initiatives or transactions; (iii) internal control framework; (iv) appointment, performance review and compensation of the CEO and, where appropriate, other members of senior management; (v) succession plans with respect to the board, CEO and, where appropriate, other members of senior management; (vi) mandate, resources and budgets for the oversight functions; and (vii) external audit plan, including audit fees and scope of engagement.
Senior management, on the other hand, should be responsible for reviewing and discussing the FRFI’s (i) significant operational and business policies; (ii) business and financial performance in terms of the board-approved strategy and Risk-Appetite Framework; (iii) compensation policy for all human resources; (iv) implementation of internal controls; (v) organizational structure; and (vi) compliance with applicable laws, regulations and guidelines. However, the Final Guideline also notes that the board has a critical role in providing high-level guidance to senior management with respect to the matters listed above through review and discussion, and the board should seek assurances from senior management that decisions are consistent with the board-approved strategy and risk appetite.
The Final Guideline also specifies that while senior management should have regular interaction with regulators with respect to the overall operations of a FRFI, the board should also promptly notify regulators of any substantive issues affecting the FRFI.
Finally, the Final Guideline states that boards of parent companies should exercise adequate oversight of the activities of FRFI subsidiaries to ensure that the parent board can meet its responsibilities. To do this, the boards of parent companies should determine what board structures for such subsidiaries would best contribute to effective oversight of subsidiary operations.
The Final Guideline identifies a number of attributes of an effective board, including sound judgment when making decisions (taking into consideration the business objective and risk appetite of the FRFI); initiative (exercising responsibilities in a proactive manner with a readiness to probe and challenge); responsiveness to issues or deficiencies identified by senior management, regulators or the board itself; and operational excellence (permitting open debate and discussion and advance consideration of important matters). It also suggests that the board of a FRFI regularly conduct a self-assessment of the effectiveness of the board and board committee practices, occasionally with the assistance of independent external advisers. The Final Guideline states that the board has discretion in establishing the scope and frequency of such external input.
Skills and Competencies
According to the Final Guideline, an effective board should provide objective and thoughtful guidance to, and oversight of, senior management and should collectively bring a balance of expertise, skills, experience, perspectives and competencies. The Final Guideline suggests that there be reasonable representation at the board and board committee levels of individuals with financial industry and risk-management expertise, and that boards should have a skills and competency evaluation process in place that is reviewed annually and updated as appropriate.
The Final Guideline suggests that boards be independent from senior management (which can be demonstrated, for example, by having regularly scheduled board and board committee meetings that include sessions without senior management present). However, beyond the separation of the chair and CEO, OSFI does not view any single board structure as guaranteeing independence. Further, the board should document and approve an independent-director policy taking into account the specific ownership structure of the institution and, where appropriate, direct tenure. The notion of “independent,” as OSFI sees it, is much broader than the notion of “non-affiliated” as defined in the respective FRFI statutes.
In keeping with the idea that board independence should be maintained, the Final Guideline suggests that the role of the chair be separate from the role of CEO. The chair is expected to have frequent dialogue with, and a high level of influence among, other board members and senior management, in addition to direct and ongoing dialogue with regulators.
For the board to fulfill its duties and role of oversight of the FRFIs operations, OSFI expects FRFIs to establish oversight functions that are independent from operational management through an appropriate committee, such as an Audit Committee or Risk Committee. The heads of the oversight functions should have unfettered access and a direct reporting line to the board and its relevant committees. Boards should approve the mandate, resources and budgets of the oversight functions and, where appropriate, approve the appointment, performance review and compensation of the heads of these functions. More specifically, boards should review and discuss findings and reports produced by the oversight functions and follow up with concerns or findings that are raised by the oversight functions.
Given the different size and complexity of various FRFIs, the Final Guideline suggests that the size and sophistication of such oversight functions may vary among institutions. OSFI expects that boards and senior management of smaller, less complex FRFIs, instead of establishing specific oversight functions, will ensure that other internal or external functions or processes provide the required level of controls and independent enterprise-wide oversight.
In addition, the Final Guideline indicates that the board should regularly assess the effectiveness of the FRFI’s oversight functions and should occasionally, with the assistance of independent external advisers, conduct a benchmarking analysis of those functions or their processes. The board has discretion to establish the scope and frequency of such external input.
Risk Appetite Framework
Section IV of the Final Guideline states that FRFIs should have an enterprise-wide, board-approved Risk Appetite Framework (RAF) that guides the risk-taking activities of the FRFI and that is tailored to its domestic and international business activities. The RAF should be well-understood throughout the organization, and all operational, financial and corporate policies, practices and procedures of the FRFI should support the RAF. The RAF should set basic benchmarks, goals and limits of the amount of risk the FRFI is willing to accept. The RAF is intended to be forward looking and should consider the material risks to the FRFI, in addition to the FRFI’s reputation. Annex B of the Final Guideline sets out more details pertaining to OSFI’s expectations relating to RAFs.
Oversight of Risk
The Final Guideline contemplates that, depending on the size and nature of a FRFI’s risk exposures, risk-management systems will differ. In order to ensure that risk-management policies and procedures remain appropriate and effective, senior management should oversee regular reviews of such policies and procedures, and the board should seek assurances from senior management that these controls are operating effectively.
Board Risk Committee
Depending on the size and nature of a FRFI, boards should establish a dedicated Risk Committee to oversee risk management on an enterprise-wide basis. The Risk Committee should consist of members that are non-executives of the FRFI, and members of the committee should have sufficient knowledge in risk management of financial institutions. Through assurances from the CRO, the Risk Committee should ensure that risk-management activities are independent from operational management, are adequately resourced and have appropriate visibility throughout the organization. The Risk Committee should receive reports on significant risks of the FRFI and exposures relative to the FRFI’s risk appetite (including approved risk limits) and should provide input on the approval of material changes to a FRFI’s strategy and corresponding risk appetite.
Chief Risk Officer
FRFIs should have a senior officer who is responsible for identifying, measuring, monitoring and reporting on the risks of a FRFI on an enterprise-wide level, and who has unfettered access and a direct reporting line to the board or Risk Committee. This officer should provide regular reports to the board, the Risk Committee and senior management, including whether the FRFI is operating within the RAF. In addition, the board and Risk Committee should periodically seek assurances from the CRO as to the objectivity of any risk information or analysis provided by business lines. The Final Guideline also specifies that the CRO and risk-management function should not be directly involved in revenue-generation or in the management and financial performance of any business line or product of the FRFI, and that the CRO’s compensation should not be linked to the performance of specific business lines of the FRFI.
The Role of the Audit Committee
Under the respective FRFI statutes, FRFIs are required to establish an Audit Committee comprising non-employee directors, a majority of whom are “non-affiliated” with the institution. Duties of the Audit Committee include reviewing annual statements and evaluating and approving internal control procedures.
The Final Guideline stipulates that the Audit Committee, not senior management, should be responsible for recommending to shareholders the appointment, reappointment, removal and remuneration of the external auditor; the Audit Committee should agree to the scope and terms of the audit engagement and approve the engagement letter. The Audit Committee should also establish criteria for the types of non-audit services that the external auditor can and cannot provide to the FRFI and should be satisfied with the content of the auditor’s engagement letter before it is signed. The Audit Committee should also assess whether any change to the external auditor’s materiality level and/or proposed scope continues to ensure a quality audit. Annually, the Audit Committee should report to the board on the effectiveness of the external auditor.
OSFI also expects an Audit Committee to discuss the overall results of an audit and any related concerns raised by the external auditor with both senior management and the external auditor, including key areas of risk for material misstatement of financial statements, areas of significant auditor judgment (including accounting policies and estimates), significant unusual transactions, difficult or contentious matters noted during the audit, changes in the audit scope or strategy, internal control deficiencies identified during the course of the audit and areas of financial statement disclosures that could be improved.
OSFI Supervision of FRFIs
In section VI of the Final Guideline, OSFI outlines the importance of effective governance and discusses OSFI’s role in supervising and assessing the quality of oversight and control provided by a FRFI’s board and senior management. Specifically, OSFI notes that it will take a number of approaches to assess the effectiveness of a FRFI’s corporate governance processes, including discussions with boards, board committee, senior management and oversight functions, and it will seek evidence that processes exist and are operating effectively.