OSFI's expectation is clear: culture risk should be an integral part of the enterprise risk management (ERM) framework
As 2024 wound down, the Office of the Superintendent of Financial Institutions (OSFI) issued a regulatory notice on culture risk management.1
What does that mean for your financial services organization now?
OSFI defines culture risk as all behavioural patterns that do not reflect the expected behaviours or support the desired organizational culture and may prevent an institution from achieving its objectives. This recent OSFI notice lays out clear expectations for how federally regulated financial institutions (FRFIs) should manage culture risk, underscoring the importance of aligning corporate culture with strategic objectives and effective risk management.
The notice spans three fundamental areas:
Governance: The board is responsible for the institution’s culture and should promote a risk culture that stresses integrity and effective risk management. Senior management is responsible for defining, promoting, embedding and managing the desired organizational culture to achieve the institution's mission and strategy and effectively manage risk. This includes aligning policies, processes, practices and people to support the desired culture.
Fostering desired culture: Institutions are expected to deliberately shape, evaluate and maintain their culture through effective leadership, talent and performance management, compensation, rewards and recognition, incentives and accountability practices. Senior management sets the tone from the top for the desired culture by modelling and reinforcing it through their words, actions and decisions, while holding themselves and others accountable to behaviours consistent with that culture.
Managing culture risks: Proactive management of culture risks involves developing measures to identify and assess these risks in the context of the organizational culture, understanding their root causes and potential impacts, as well as integrating culture risk management in the enterprise-wide risk management program.
Organizations that recognize the strategic asset behind these expectations and are willing to invest beyond regulatory compliance alone can build a competitive advantage by decreasing risk management costs and establishing sustainable business growth.
Unlock your potential: Take full control of your organizational culture
Organizational culture is about how people collectively behave in an organization: for example, how people collaborate, how decisions are made or how value is created. Employee behaviours can foster an environment that is conducive to the emergence of non-financial risks by increasing the prevalence of the causes that lead to risk events. That’s why culture must be managed as a distinct source of risk that can impact your organization.
At EY Canada, we advocate for financial institutions to embed a culture risk management approach within a deeply integrated organizational culture management program, in line with the enterprise risk management (ERM) framework requirements. To initiate this process, we recommend taking the following steps2:
1. Understand your current-state organizational culture to get a sense of where you’re starting from. You need both top-down and bottom-up perspectives to identify behaviours and traits to stop, start and continue for value creation and protection. Identify the systemic levers that are enabling your desired culture and those that are impeding it. Be sure to include viewpoints from people at all levels of the organization in this initial, information-gathering stage.
2. Define your desired organizational culture and identify the associated risks. While expected behaviours can help achieve specific goals, they may also be the underlying cause of non-financial risks. Effectively shaping your desired culture necessitates an informed understanding of the “risk versus reward” dynamic. Overall, the desired culture should foster engagement of all to better unleash your employees’ potential.
3. Monitor organizational culture continuously to maintain alignment with the institution’s goals. Staying on track requires financial institutions to set and monitor key behavioural indicators (KBIs) as well as key performance indicators (KPIs). This cannot be an add-on or afterthought. Rather, it’s part and parcel of defining the desired organizational culture. Through data analytics, financial institutions gain critical insight to make changes and improvements along the way.
4. Revise your governance model to support a broad-based, cross-functional approach to managing organizational culture, incorporating the risk dimension. Your governance framework should facilitate integration by dismantling internal silos and promoting collaboration across corporate functions and the business. Culture risk management itself should bring together representatives from the business, HR, legal, compliance and risk functions with clearly defined roles and responsibilities.
5. Consolidate existing risk and compliance culture programs under the culture risk management umbrella to create synergies and broadly cover culture risks. The frameworks, policies and processes supporting your current conduct, risk and compliance culture programs will serve as the foundation for a culture risk program that addresses a wider array of risks associated with your organizational culture.
6. Align your operating model and environment to foster the desired organizational culture and mitigate the risks related to it. For culture to take hold, organizational levers and influencers must encourage expected behaviours. Make sure areas like talent and performance management, compensation, accountability practices and more reinforce the culture you’re trying to create and support the mitigation of the risks you’re working to address. That lends gravitas to this shift.