OSFI’s response to draft guideline Culture and Behaviour Risk - Management Feedback

Clarify terminology and key concepts

Feedback: Remove references to behaviour risk as the term is confusing and expectations around it are too prescriptive.

Response: References to behaviour risk have been removed. The regulatory notice focuses on principles-based expectations for managing culture risks.

Feedback: Clarify that each institution has its own culture and that OSFI is not prescribing a specific culture.

Response: We clarified that institutions have unique cultures that should be defined, governed, and managed based on their size, nature, and complexity.

Feedback: Clarify the language in the guideline and define important concepts such as “leader” and “culture risk”.

Response: Language in the regulatory notice has been streamlined, and a key terms section with revised definitions has been added.

Connections to other guidelines

Feedback: We support the principles in the draft guideline; many are already industry common practice or covered in other guidelines. No new expectations on culture are needed.

Response: We welcome the feedback that many institutions are already applying these expectations in practice, but believe additional guidance is necessary to respond to the risk landscape. Culture can materially support or weaken institutions’ resilience, integrity, and soundness. The regulatory notice outlines specific expectations for culture and managing culture risks not outlined in other guidelines.

Implementation

Feedback: The finalization of the culture and behaviour risk guideline should be delayed in favour of other risks or given a long implementation period.

Response: The finalization of our guidance on culture considers our recently expanded mandate related to integrity and security, which came into effect on January 1, 2024. Our policy framework is evolving, and we will continue to evaluate the most appropriate policy response to culture expectations.