Regulatory notice - Culture Risk Management

Information
Publication type: Regulatory notice
Date
Sector: Banks, Foreign Bank Branches, Life Insurance and Fraternal Companies, Property and Casualty Companies, Trust and Loan Companies

Purpose and scope

This Regulatory Notice sets expectations for managing culture risk. It applies to all federally regulated financial institutions including foreign bank branches and foreign insurance company branches to the extent it is consistent with applicable requirements and legal obligations related to their business in Canada. (Footnote 1)

Financial institutions have unique cultures informed by their mission, strategy, size, operations, and risk profile.

Background

Culture influences behavioural norms, which send signals throughout an organization about what is, and is not, valued, important, and acceptable. Culture supports or undermines sound decision-making, prudent risk-taking, and effective risk management. This, in turn, can materially support or weaken a financial institution’s safety, soundness, integrity and security.

Key terms

‘Culture’ refers to the commonly held values, mindsets, beliefs, and assumptions that guide what is important and how people should behave. (Footnote 2)

‘Culture risk’ refers to the misalignment between a financial institution’s stated desired culture and its actual culture that may prevent it from achieving its objectives.

‘Senior management’ refers to the chief executive officer (CEO) and those directly accountable to the CEO, as well as the heads of major business platforms or units and heads of oversight functions.

‘Leaders’ refers to individuals with people management responsibility or those who influence others through their words, actions, and decisions.

Governance

Senior management is responsible for culture risk management (Footnote 3) by:

  • defining, promoting, embedding, and managing the desired culture needed to achieve its mission and strategy and manage risk effectively.
  • aligning policies, processes, practices, and people to support the desired culture.

Fostering desired culture

Culture is deliberately shaped, evaluated, and maintained through:

  • effective leadership.
  • talent and performance management.
  • compensation, rewards and recognition, and incentives.
  • accountability practices.

Senior management sets the tone from the top for the desired culture; they and all leaders:

  • model and reinforce the desired culture through their words, actions, and decisions.
  • hold themselves and others accountable to the desired culture and behaviour consistent with it.

Effective people management promotes and reinforces the desired culture by:

  • encouraging behaviours consistent with it and discouraging inconsistent behaviours.
  • applying a consistent approach to managing talent and performance, compensation, rewards and recognition, incentives, and accountability practices.

Managing culture risks

Culture risks are proactively managed by:

  • developing measures to identify and assess culture risk.
  • assessing their root causes, impacts, potential consequences, and effects on other risks.
  • using monitoring and reporting processes to enable continuous assessment and effective oversight.
  • evaluating the effectiveness of culture risk management to learn and improve.

Culture risk management is integrated within the enterprise-wide risk management program that includes:

  • defining clear roles and responsibilities.
  • assigning adequate people and financial resources.
  • developing strategies, structures, and frameworks for how culture is shaped, evaluated, and maintained related to areas such as effective leadership, talent and performance management, compensation, rewards and recognition, incentives, and accountability practices.

Appendix: Preliminary Industry Considerations

The following preliminary considerations are provided to industry to guide the development and maintenance of their culture risk management program. The questions posed elaborate on culture expectations as laid out in both the Culture Risk Management Regulatory Notice and the Corporate Governance Guideline.

Board

The board is responsible for the institution’s culture and should promote a risk culture that stresses integrity and effective risk management.

Does the Board:

  • formally designate responsibility for overseeing the institution’s culture?
  • satisfy itself that the decisions and actions of senior management are aligned with the desired culture?
  • validate that the institution’s desired culture supports the institution’s mission, strategy, and risk management approach?
  • hold senior management accountable through performance management and compensation decisions for embedding the desired culture?
  • receive information to enable oversight of the institution’s culture and management of culture risk?
  • maintain line of sight into culture risk issues and corresponding remediation activities to ensure issues are addressed?
  • reinforce the institution's desired culture through their words, actions and decisions?

Governance

Senior management is responsible for culture risk management.

Does senior management:

  • formally define, articulate, and communicate the desired culture to enable a shared understanding of acceptable and unacceptable behaviours?
  • clearly demonstrate and communicate the alignment between the institution’s desired culture and its mission, strategy, and risk management approach?
  • identify and address culture risks that may impede embedding of desired culture?
  • ensure the desired culture is reinforced through appropriate policies, processes, practices, and people resources?

Senior management sets the tone from the top for the desired culture.

Do leaders at all levels reinforce desired culture by:

  • modeling their words, actions, and decisions to ensure a shared understanding of the desired culture?
  • demonstrating alignment between desired culture and day-to-day operations and decisions?
  • taking personal responsibility for their words, actions, and decisions?
  • holding others accountable through talent and performance management and compensation decisions when they exhibit undesirable behaviours?

Effective people management promotes and reinforces the desired culture.

Do talent and performance management promote and reinforce the desired culture through:

  • inclusion within recruiting and hiring practices and decisions?
  • identifying and taking action to address current and future talent needs necessary to achieve strategic objectives and desired culture?
  • inclusion within onboarding processes and practices?
  • inclusion within learning and development activities?
  • proactive development and management of succession planning, retention and talent pipeline strategies, processes, and practices?
  • inclusion within processes, practices, and decisions related to goal setting, performance evaluations, promotions, discipline, and termination?
  • administration of an approach to making adjustments that is consistent, clear, and proportionate to the situation?

Do compensation, rewards and recognition, and incentives promote and reinforce desired culture through:

  • inclusion of culture related metrics and measures for individuals at all levels (including senior management and material risk takers)?
  • consistent application of downward adjustments when individuals exhibit undesired behaviours?
  • alignment with performance management decisions?
  • administration of an approach to making adjustments that is consistent, clear, and proportionate to the situation?
  • validation of how well the design and application of compensation, rewards and recognition, and incentives mitigate culture risk?

Managing Culture Risks

Culture risks are proactively managed.

Does the financial institution:

  • use qualitative and quantitative measures to support timely identification of culture risks?
  • use root cause analyses to identify and address systemic drivers of culture risk?
  • identify potential impacts that culture risk has on other financial and non-financial risks?
  • conduct assessments to identify and assess the extent to which culture risks are widespread across the organization?
  • take actions to address culture risks informed by assessment data and prioritized based on risk?
  • enable effective oversight through timely reporting of culture risk information to appropriate stakeholders?
  • take proactive action to address culture risk trends before breaches occur?
  • take timely action to address tolerance breaches?
  • communicate relevant culture risk information across business areas and the enterprise to ensure a shared understanding?

Culture risk management is integrated within the enterprise-wide risk management program.

Is culture risk management integrated through:

  • formally articulated and continuously reinforced roles and responsibilities for culture risk management?
  • empowering individuals to fulfill their responsibilities through processes, practices, and structures?
  • supporting oversight of culture risk with adequate people and financial resources?
  • incorporation of culture risk management within the enterprise-wide risk management program in a manner that allows for a holistic view of culture risk across the institution?
  • consideration of culture risk in business decisions and operations?
  • developing strategies, structures, and frameworks to ensure desired culture is supported?