OSFI makes the connection between integrity and culture
Canada’s banking regulator is widening its oversight of non-financial risks within federally regulated financial institutions (FRFIs). With its Culture and Behaviour Risk Guideline released in May 2023 and its Integrity and Security Guideline released October 23, it’s clear that the regulator is shining a spotlight on conduct risk. This is a very good thing.
The regulator defines culture as the commonly held values, mindsets, beliefs and assumptions that guide both what is important and how people should behave in an organization. As for integrity, it includes actions, omissions, and decisions consistent with the letter and intent of ethical standards, regulations, and the law.
At Valital, we believe that culture risk management is a foundational element in an FRFI’s ability to manage reputation risk, which OSFI continues to identify as an ongoing area of development for FRFIs. Reputation risk is inextricably linked to a range of business risks and is a key dimension in culture risk management.
As the saying goes, “perception is reality.” How an organization is perceived by its employees, customers, the public and other external groups can have a material impact on the business itself as well as on its corporate culture. Institutions with positive reputations attract the best talent, engender trust and often face less regulatory scrutiny. Corporate scandals erode trust, making it necessary for FRFIs to place a high value on ethics, integrity, values and culture.
Inside-out culture risk management
OSFI believes tone from the top is critical to shaping the right culture. In its Integrity and Security Guideline, the regulator maintains that senior leaders should be of good character, demonstrating integrity through their words, actions and decisions.
Culture, according to OSFI, must be deliberately shaped, evaluated and maintained. Culture must reflect norms of ethical behaviours. As such, talent and performance management strategies and practices promote and reinforce the desired culture and expected behaviours. This plays out through recruitment, hiring, onboarding, learning and development, retention and succession.
The regulator recommends that FRFIs perform background checks on all employees and contractors prior to commencement of employment and renew them on a regular basis, with processes and criteria in place to trigger off-cycle checks.
Outside-in culture risk management
We would argue that an organization that has shaped its culture consistently with strong ethical norms will be vigilant about whom it accepts as customers and with whom it aligns itself in all aspects of its business. It’s more important than ever for FRFIs to have a better understanding of the individuals behind every entity they choose to work with. Watchlists, sanctions lists and criminal record checks, for example, are not enough to give FRFIs the fullest possible picture of the individuals behind those entities.
That’s why we believe that FRFIs need to systematically integrate open source intelligence into their formalized risk management processes to help pinpoint nuanced behaviour and misconduct that can make them rethink their business decisions. It is our belief that FRFIs must help all their people to identify themselves as risk managers through continuous education and access to tools and practices that help them to think first about culture and reputation risk before entering into business relationships with individuals who appear to pose no obvious financial risk to an organization.
The democratization of reputational risk resilience means that culture risk management should be the domain of everyone within the enterprise. When each person recognizes that they must play a role in ensuring that the values of their external business stakeholders align with their corporate values, they can begin to embrace accountabilities, taking ownership for their decisions and how those decisions can impact their institution's reputation.
Whether those relationships involve contractors, consultants, suppliers or vendors, culture risk management must now include being mindful of the kind of “company the FRFIs keep.”
Two sides of the same coin
Yes, reputation management requires both an “outside-in” and an “inside-out” approach when it comes to fostering a risk culture. Given that so much of our lives is lived online these days, it is becoming increasingly clear that how employees conduct themselves online can impact their institution’s reputation. Clearly, institutions cannot dictate their employees’ behaviour outside of work, but the truth remains that in many instances, employees represent their employer’s brand. A culture of risk management means that all employees understand that their actions can have brand-damaging effects. When employees fully understand and embrace this truth, they will recognize that they are accountable for their behaviours and decisions and for the potential consequences of those behaviours.
Finally, with respect to culture, social norms continue to evolve, and behaviour that used to be tolerated, maybe even accepted, in the past is often unacceptable today. Missteps on hot-button topics such as diversity and gender, immigration, the environment and a plethora of other topics can quickly lead to outrage and censure across social media and in the press. There must be a willingness within FRFIs to remain vigilant in ensuring that the attitudes and behaviours that are encouraged and accepted within their institutions are ones that minimize risk and reputation damage.
Culture and integrity cannot be separated from reputation. They are two sides of the same coin. Reputation risk can be caused by conduct risk inside and outside the organization. Ongoing education, an enterprise-wide view on ownership of risk and access to regulatory and compliance tools to help people mitigate conduct risk can help strengthen and buttress an organization’s risk culture.