Internal Audit Report on Risk Support Sector – Corporate Governance Division
Table of contents
Glossary and Abbreviations
- OSFI
- Office of the Superintendent of Financial Institutions
- CGD
- Corporate Governance Division
- RSS
- Risk Support Sector
- FRFI
- Federally Regulated Financial Institutions
- FSB
- Financial Stability Board
- TBS
- Treasury Board Secretariat
- OKPI
- Operational key Performance Indicator
1. Background
Context
The 2008 financial crisis exposed vulnerabilities in risk management and oversight practices of financial institutions. Post-crisis, new regulatory requirements and enhanced corporate governance supervision were introduced.
Corporate Governance Division (CGD), established in January 2010, is the latest division to be added to the Risk Support Sector (RSS). CGD’s mandate is to contribute to OSFI’s mandate by conducting on-site reviews, carrying out monitoring and early intervention activities at Federally Regulated Financial institutions (FRFIs), with respect to corporate governance, risk and strategic governance, enterprise-wide risk appetite frameworks, compensation practices, internal audit and risk culture. CGD reports to the Assistant Superintendent, RSS, who reports to the Superintendent.
To achieve its mandate, CGD performs the following activities:
- Performs supervisory reviews (institution specific and cross-system) and assesses FRFI corporate governance, risk and strategic governance, enterprise-wide risk appetite frameworks, internal audit, compensation practices and/or risk culture;
- Takes a leadership role in the oversight of corporate and risk governance practices, compensation, internal audit, and risk culture across the Supervision sector as it relates to internal guidance and external assessments at FRFIs, including such matters as independence of oversight functions;
- Identifies acceptable practices for corporate governance, risk and strategic governance, enterprise-wide risk appetite, internal audit, compensation practices, and risk culture, and in conjunction with Supervision, encourages their adoption by FRFIs;
- Contributes to, and supports OSFI’s related international initiatives including provide input to OSFI Executives;
- Works with the Regulation Sector to develop guidance, as appropriate, with respect to FRFI corporate governance, risk governance, risk appetite, compensation practices and risk culture; and
- Represents OSFI/Canada on the Financial Stability Board (FSB)’s Compensation Monitoring Contact Group.
In addition to OSFI’s Corporate Governance Guideline, CGD uses other applicable principles, such as the FSB’s Principles for Sound Compensation Practices, and Principles for Sound Compensation Practices Implementation Standards.
Objective
The objective of the audit was to assess whether CGD’s supervisory process was risk-based and effectively contributed to supervision’s risk assessment and intervention process.
Scope
The audit covered CGD’s activities for supporting supervision in risk assessing their institutions during the fiscal years 2015/16 and 2016/17.
Scope Exclusion:
OSFI’s Regulation Sector is currently leading a Board Requirements Review Project to examine and tailor OSFI’s expectations of boards to the size, complexity and risk profile of respective financial institutions. Any activity covered in this project was excluded from IA’s scope to avoid duplication of work.
Statement of Conformance
The audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Secretariat (TBS) Policy on Internal Audit and the Internal Auditing Standards of the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program
2. Results of the Engagement
Executive Summary
Corporate Governance Division (CGD) supports OSFI’s mandate with expertise in the areas of corporate governance, risk and strategic governance, enterprise-wide risk appetite frameworks, compensation practices, internal audit and risk culture. The CGD team demonstrated a sound understanding of the subject matter based on the files reviewed.
As CGD continues to take a leadership role in emerging corporate governance related matters, its contribution to OSFI’s mandate can be enhanced by strengthening the integration and collaboration of CGD’s efforts with respect to assisting supervision sectors in performing institution specific supervisory reviews, including participation in monitoring and early intervention activities.
3. Management Response
Management wishes to thank the audit team for their professional and transparent approach to the audit.
The Corporate Governance Division plays two important functions in supporting OSFI work on corporate governance: (1) it supports ‘top-down’ priorities designed to address new or evolving practices in corporate governance; and (2) it executes FRFI-specific review work as part of the supervisory plans in DTSS and ISS. And while these two areas of work are often complementary, ‘top-down’ work has tended to represent a greater proportion of CGD’s work plan than FRFI-specific work due to the evolving nature of FRFI risk governance expectations in recent years.
Executive management continues to support the Corporate Governance Division as a member of the Risk Support Sector. The Corporate Governance Division will continue to proactively identify FRFI specific work with DTSS and ISS through the annual planning process, and will continue to allocate time to support Lead Supervisors throughout the year.
4. Observations and Recommendations
Medium Priority Observation
1. Supervisory Collaboration
Executive management should consider whether CGD is adequately satisfying a key tenet of its mandate with respect to performing institution specific supervisory reviews and assisting supervision sectors in assessing FRFI corporate governance and risk management matters.
Effective corporate governance is an essential element in the safe and sound functioning of financial institutions. The quality of FRFI corporate governance practices is an important factor in maintaining the confidence of depositors and policyholders, as well as overall market confidence.
An objective of OSFI’s supervisory mandate, and more specifically its intervention process, is to enable OSFI to identify areas of concern at an early stage and intervene effectively to minimize FRFI risk. According to OSFI’s Guide to Intervention for Federally Regulated Deposit-Taking Institutions, conditions leading to OSFI categorizing an institution as Stage 1 can include capital and earnings concerns or “the institution has issues in its risk management or has control deficiencies that although not serious enough to present a threat to financial viability or solvency could deteriorate into more serious problems if not addressed.” Further Stages involve elevated concerns of the above conditions.
It is critical for supervision sectors to work closely with CGD to enable supervisors’ institutional knowledge to be complemented with CGD’s specialized skillset so that corporate governance risks can be identified and assessed in a timely manner.
Although executive directed projects have historically occupied the majority of CGD’s capacity, the low number of supervision requests can be traced to a perception that supervision sectors can manage assessments without CGD’s assistance due to the absence of technical quantitative measurements to assess corporate governance matters, and the belief that corporate governance skills are requisite skills that all supervisors possess.
Recommendation
Executive management should consider whether CGD is adequately satisfying a key tenet of its mandate, specifically with respect to performing institution specific supervisory reviews and assisting supervision sectors in assessing FRFI corporate governance and risk management matters.
If it is determined that FRFI risk assessment practices would benefit from increased subject matter expertise offered via CGD participation, it is then incumbent on executive management to identify means to foster increased interaction between supervision and CGD when performing institution specific supervisory reviews.
Executive management will look at the need for CGD to conduct reviews as part of the risk based planning cycle, and in particular, to provide subject matter expertise to staged FRFIs.
Management Action Plan
As part of an RSS exercise over the next few months, CGD will look to these and other opportunities as part of the broader RSS re-set. This exercise is expected to be completed in Q2, FY 2018-19.
Appendix 1
Observation Ratings
Observations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.
Observations are ranked according to the following:
High priority - should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively or a significant operational improvement opportunity.
Medium priority – a control weakness or operational improvement that should be addressed in the near term.
Low priority - non-critical observation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.
Individual ratings should not be considered in isolation and their effect on other objectives should be considered.