OSFI clarifies expectations for implementation of revised corporate governance guideline 


February 2013

Insurance Bulletin

In late January, 2013, OSFI1 released its final version of the revised Corporate Governance guideline. The final version reflects OSFI's response to commentary received on the first version published in August, 2012. For a discussion on the version released in August, please see OSFI issues new draft corporate governance guideline.

OSFI received a significant amount of feedback on the August version. Some commentators were concerned that the guideline was tailored primarily to banks or publicly-traded insurance companies and yet Canadian financial institutions come in various shapes and sizes. The guideline did not appear to provide much latitude for implementation.

Apparently, it was never OSFI's intention to create the impression that all aspects of the guideline should apply to all institutions equally. At a speech given to the 2012 National Insurance Conference of Canada in Quebec City on October 1, 2012, the Superintendent of Financial Institutions, Julie Dickson, stated that:

"The draft Guideline is not a one-size-fits-all approach; OSFI recognizes that there are a number of permutations and combinations that exist, given ownership structure, size, complexity, risk profile, etc."

The final version of the revised guideline highlights this important recognition. For example, the following text boxes have been placed upfront (emphasis added):

OSFI recognizes that FRFIs2 may have different corporate governance practices depending on: their size; ownership structure; nature, scope and complexity of operations; corporate strategy; and risk profile.


OSFI expects Boards and Senior Management of FRFIs to be proactive, and to be aware of best practices related to corporate governance that are applicable to their institution. Where appropriate, FRFIs should adopt these best practices.

With this clarification, FRFIs have the flexibility and latitude to implement the guideline in a focused and thoughtful manner, taking into account the specific circumstances of the organization and applicable best practices, as well as the overall spirit of the revised guideline, namely, an emphasis on effective risk governance.

The fact that corporate governance systems will vary from organization to organization depending on such factors as ownership structure has been recognized in other contexts. In October 2011 the Canadian Coalition for Good Governance (CCGG) formulated a policy entitled "Governance Differences of Equity Controlled Corporations". The policy recognizes that the CCGG's original 2010 guideline entitled "Building High Performance Boards" did not reflect legitimate governance differences of controlled corporations. Although the CCGG's focus is on governance of publicly-traded companies (as opposed to OSFI-regulated entities such as banks and insurers that are not publicly-traded), the considerations addressed by the 2011 policy can apply similarly in the context of FRFI governance.

important to do's for FRFIs

The clutch points for implementation of the revised guideline are as follows:

May 1, 2013

FRFI's are to provide their OSFI relationship manager with a written self-assessment of their current compliance with the guideline and associated action plans for full implementation of the guideline's requirements

January 31, 2014

FRFI's to have fully implemented the guideline

OSFI has also indicated that they intend to conduct seminars on the guideline for directors of small and medium-sized FRFIs. OSFI will be contacting boards directly with further details.

Canadian institutions that are subject to the guideline need to perform a gap analysis to identify the aspects of their existing corporate governance systems that are not in sync with the revised guideline and formulate a strategy for compliance, taking into account the specific circumstances of the organization. This exercise should be a collaborative effort of management and the independent directors, and, where applicable, representatives of the shareholder, in order to build a plan for compliance and rationalize any variances to the guideline's requirements.

Companies that are wholly-owned, for example, will need to consider carefully how their corporate governance system can comply with the guideline in circumstances where their board's primary functions do not, for example, extend to such matters as formulation of strategic initiatives, and CEO compensation, because these matters are traditionally determined by the sole shareholder. Some of these tensions may be addressed by considering the corporate governance theory behind the particular governance requirement and its application to the FRFI.

Once a consensus has been formulated, the company's corporate governance documentation (for example, codes of conduct, handbooks, board and committee charters and workplans) will need to be revised to reflect changes required to comply with the guideline as well as to document the rationale where it is determined that an alternative approach will be followed.

Although OSFI did not capitulate on all of the requirements contained in the August version that had raised concerns, certain elements were relaxed, such as requirements for:

  • periodic independent third party reviews of board and committee effectiveness and oversight functions (changed to regular self-assessments occasionally with the assistance of independent external advisors);

  • a designated Chief Risk Officer (changed to a senior officer who has responsibility for the oversight of all relevant risks across the FRFI, recognizing this officer may have a dual role);

  • a separate risk committee (the guideline clarifies that the boards of smaller, less complex FRFIs may perform the function of the risk committee, but should have the requisite collective skills, time and information); and

  • hard reporting lines from the Chief Risk Officer role to the board and risk committee, as opposed to the CEO (changed to "unfettered access" but a direct reporting line "for functional purposes").

The following is a summary of the requirements of the corporate governance guideline, as finalized.

summary of revised corporate governance guideline

board of directors

The guideline enumerates the board's "essential duties" namely, approval of (i) enterprise-wide business objectives, strategy and plans and the organization's Risk Appetite Framework, (ii) significant strategic initiates or transactions; (iii) internal control framework; and (iv) the appointment, performance review and compensation of the CEO and where appropriate other senior officers.

The guideline also identifies functions that are the responsibility of management, but for which the board should provide high-level guidance. These are (i) significant policies; (ii) performance to board-approved strategy and the Risk Appetite Framework; (iii) compensation policy;3 (iv) implementation and effectiveness of internal controls; (v) organization structure; and (vi) compliance.

The board should establish processes to periodically assess the assurances provided by management, and the board should ensure that regulators are promptly notified of issues affecting the company.

The board's composition should represent a balance of competencies based on the FRFI's specific operations and circumstances. The inclusion of risk management expertise (in addition to other key competencies, such as financial and industry expertise) on the board and committees is a highlight in the revised guideline. The board should regularly conduct self-assessments of board and committee effectiveness, occasionally with the assistance of independent external advisors, as determined by the board. The board should have a skills and competency evaluation process that is reviewed annually. Directors should seek educational opportunities to understand the FRFI's risks in particular and risk governance practices generally.

The guideline emphasises that the board should be independent of senior management. A footnote clarifies that the notion of independence is to be construed in accordance with international standards and more broadly than the concept of non-affiliation contained in the relevant statutes. The board should have a director independence policy that takes into consideration the specific shareholder/ownership structure of the FRFI.

Given the emphasis on board independence from management, the guideline strongly advocates that the role of the board chair should be separated from the CEO. This separation is viewed as critical in maintaining the board's independence.

oversight functions and internal controls

The CEO is responsible to ensure that the FRFI's "oversight functions" (namely, financial, risk management, compliance, internal audit and actuarial) have the necessary resources and independence of operational management. The oversight functions should have unfettered access – and, functionally, a direct reporting line – to the board or a board committee. The board should review the mandates, resources and budget of the oversight functions and, where appropriate, should approve the appointment, performance review and compensation of the heads of those functions, for example, the Chief Financial Officer, Chief Risk Officer, Chief Compliance Officer, Chief Internal Auditor and the Chief Actuary.

It is OSFI's expectation that smaller, less complex FRFI's that do not establish specific oversight functions will ensure that other internal or external processes will be adopted in order to provide the requisite independent enterprise-wide oversight.

As part of its role to regularly assess the effectiveness of the oversight functions, the board should occasionally conduct a benchmarking analysis with the assistance of independent external advisors, as determined by the board.

The board should approve the FRFI's overall internal control framework and monitor its effectiveness. In this regard, the board may rely upon internal and external audit reports, actuarial reports and regulatory opinions as to the financial condition of the FRFI.

risk appetite framework, risk committee and chief risk officer

As part of its overall emphasis on risk governance, the guideline calls for a board-approved Risk Appetite Framework that guides the risk taking activities of the FRFI. The Risk Appetite Framework should be well understood throughout the organization and be embedded in the fabric of its culture. The guideline contains an Annex that provides OSFI's expectations regarding the contents of the Risk Appetite Framework.

OSFI acknowledges that risk management systems and practices will differ depending on the scope and size of the FRFI and the nature of its risk exposures. Senior management is responsible for overseeing the FRFI's risk management policies and practices and for providing assurances to the board. The board, in turn, should have a process to periodically assess senior management's assurances with respect to the effectiveness of the risk governance controls.

Depending on the nature, size, complexity and risk profile of the FRFI, the board should establish a risk committee to oversee risk management. The committee should have a clear mandate and all members should be "non-executive" (meaning they do not have management responsibilities within the FRFI). Committee members should be knowledgeable with respect to risk management and "where appropriate" should have technical expertise in risk disciplines. The risk committee should seek assurances from the Chief Risk Officer (or equivalent) that risk management activities are independent of operational management, are adequately resourced and have status within the organization. Governance systems of smaller, less complex FRFI's may, in place of establishing a separate risk committee, provide that the board of directors will fulfill the oversight of the risk management function, but the board should ensure that its composition enables it to discharge this oversight role effectively.

FRFI's should have a senior officer who has responsibility for oversight of relevant risks (a Chief Risk Officer, or equivalent) who has the requisite stature, authority and independence and unfettered access to the board or risk committee. The Chief Risk Officer (or equivalent) should not be responsible for revenue generation or management of financial performance and his/her compensation should not be linked to performance of specific business lines. The Chief Risk Officer (or equivalent) should provide an objective view to the board or risk committee that the FRFI is operating within the Risk Appetite Framework and should meet regularly with the board or risk committee, including sessions without the CEO and other senior managers present.

audit committee

The guideline clarifies OSFI's expectation that the audit committee and not senior management, should recommend to the shareholders the appointment, reappointment, removal and remuneration of the external auditor, as well as the scope and terms of the audit engagement and engagement letter. In addition, the audit committee should satisfy itself with the quality of the audit by taking into account the effect of any fee reductions and/or changes to materiality or audit scope. The audit committee should assess, among other things, auditor independence and establish criteria and approvals for non-audit services. The committee should assess whether the FRFI's accounting and actuarial practices are appropriate and within bounds of acceptable practise. Regular in camera meetings should take place with the auditor, internal auditor and the FRFI's actuary. The guideline enumerates other specific matters that the audit committee should consider and states that the committee should seek assurances from the auditor regarding its audit opinion and report to the board annually as to the effectiveness of the auditor.

role of corporate governance and OSFI's assessment of governance effectiveness

The guideline states that "Effective corporate governance is an essential element in the safe and sound functioning of financial institutions". Effective corporate governance helps promote an efficient and cost-effective supervisory system because it allows OSFI to use the work of the FRFI's own governance processes and practices to reduce the amount of supervisory resources needed for OSFI to fulfil its regulatory mandate. In return, OSFI encourages boards to communicate with OSFI regarding its reports and findings, as useful input into the board's own oversight. For example, the board should consider regulatory findings in its on-going evaluation of senior management and performance of oversight functions.

OSFI intends to pursue different approaches in order to assess the effectiveness of a FRFI's corporate governance processes. These include: discussions with the board, board committees, senior management and oversight functions, and review of board and committee documentation, in order to assess whether effective processes exist and are operating and whether the board has the ability to meet its responsibilities. Where separate oversight functions do not exist, OSFI will assess the FRFI's alternative processes in order to determine whether independent oversight is being provided.

The guideline ends by stating that FRFIs should notify OSFI of upcoming changes to board membership and/or senior management, as well as the existence of any circumstances that may adversely affect the suitability of board members/senior management.


Although a number of concerns were raised with respect to the comprehensiveness of the guideline, its focus on risk governance is timely. Risk based regulation of financial institutions is accepted regulatory practise and the principles contained in the guideline represent prudent risk management. All FRFIs should have processes and procedures to ensure that risks are anticipated, addressed and mitigated and OSFI has clarified that FRFIs may implement the requirements of the guideline in a manner that is best-suited to the organization (i.e. taking into account the FRFI's size, ownership structure, nature, scope and complexity of operations, corporate strategy and risk profile).

OSFI's approach arguably has the effect of shifting some of the burden of solvency supervision from the regulator to the institution itself by means of the corporate/risk governance structure. This intention is essentially stated in the guideline. Regulators cannot be forensic accountants who ferret out an institution's material weaknesses and problems by conducting their on-site assessments and other reviews. Ideally, through an effective risk governance structure, material weaknesses or problems will come to light as a result of the vigilant efforts of senior management, the oversight functions, the board and board committees, and be dealt with appropriately.

The revised guideline also reflects the continuing trend – in keeping with the approach taken by regulators in other parts of the world – to make the "independent" directors the ultimate gatekeepers. Although the guideline is not legislation, and despite the fact that certain requirements were softened in the final version, in effect it attempts to charge the independent directors (e.g. the risk committee) with ultimate responsibility for effective risk management, which is somewhat unrealistic. By definition, independent directors are not full time operational managers and the information they receive is limited to what is revealed to them by management and the opinions they receive from the professional disciplines engaged by the company such as the auditors, and, for insurers, the actuary and the peer reviewer. By statute, directors are entitled to rely on these reports and opinions. Taken to its limit, this approach could arguably shift the risk of financial fallout from compensation associations to directors and officers insurance carriers.

The fact that the guideline ostensibly creates an uneven playing field for Canadian companies vis à vis foreign branches was also met with some opposition and it could result in Canadian companies that are wholly-owned subsidiaries of foreign entities considering their options with respect to converting into a branch in an effort to avoid the burden of compliance with portions of the guideline that were viewed as excessive. However, since OSFI has clarified that governance practices will differ depending on the circumstances of the particular institution, FRFI's are able to tailor their governance structures – within the parameters of the guideline – and avoid implementing practices and requirements that are inapplicable or inappropriate to their organization. In keeping with the guideline, FRFIs will occasionally need to have an independent review of their chosen structure and, over time, presumably Canadian best practices will evolve.

by Carol Lyons

1 Office of the Superintendent Financial Institutions (OSFI). OSFI is the Canadian federal regulator for banks, trust companies, insurers and other similar financial institutions.  The revised guideline applies to all of these regulated institutions, except for foreign bank branches and branches of foreign insurers operating in Canada.

2 Federally Regulated Financial Institutions.

3 The compensation policies are to be consistent with the Financial Stability Board's Principles for Sound Compensation and related Implementation Standards

a cautionary note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2013