The proposed OSFI corporate governance guidelines have been criticized for blurring the line between the board and management and for adopting a ‘one size fits all’ approach. This is hardly surprising: the same criticism, along with cost, has been levelled at many governance regulations over the last twenty years as boards have become more active.
The OSFI guidelines have not changed in almost 10 years. In full disclosure, I was asked by OSFI to a) conduct a review and assessment of OSFI's 2003 Corporate Governance Guideline and the Board Assessment Criteria against other international financial regulatory practices and recent developments or recommendations, and b) provide suggestions for future revisions after taking into consideration current global governance developments, including those related to financial institutions.
I reviewed 57 codes in total for OSFI, carefully tracking developments globally since the financial crisis. There are four major changes (among others) since the 2003 guidelines as follows:
1. Boards of federally-regulated financial institutions (FRFIs) will need to have risk and relevant financial industry expertise represented on their board. This is entirely reasonable and codifies what good boards already do in their competency matrix approach that I recommended to the OSC in 2005. The notion that a board such as JPMorgan should have no independent directors with banking experience, for example, can have dire consequences when approving complex products and risks that directors do not understand for want of expertise. OSFI is not being overly prescriptive, only saying it desires “reasonable representation” of risk and financial industry expertise, leaving it to FRFIs to define and determine. It is not unreasonable to have risk and industry expertise on the board of a financial institution.
2. Second, independent third parties should be retained to assess the board, risk management and oversight functions. This does not mean the board is “managing,” but rather the board gets to see an objective view other than from management. Management is conflicted in assuring its own work and the board should not be beholden to this. The board should be free at any time to commission an independent review of any material risks or internal controls. This puts the heat on management, as a third party will be reviewing at some point. If management is doing its job, it should welcome this input. This proposal can be criticized for “offloading” oversight to outsiders, but with hundreds of FRFIs that carry deposits and insurance of Canadians, independent reviews from time to time are a fail-safe.
3. Third, the board may need to have a dedicated risk committee and reporting function (e.g., CRO), and should approve a risk appetite framework (RAF) with cascading tolerance limits and implementation. This puts the heat on boards to know and understand the risks of their institution, and on management to translate that into thresholds complied with throughout the organization. At pages 19-20 of the draft guideline, OSFI sets out guidance on what the RAF should contain, with areas and examples of best practices. It is not unreasonable for the board to approve risk when given examples of what this actually entails. The OSC 2005 guideline (NP 58-201) is now out of date because its treatment of risk is only a few lines: namely that the board should identify the principal risks and ensure implementation of appropriate systems to manage these risks – which is vague at best and wholly inadequate at worst.
4. Lastly, the CFO, head of internal audit and appointed actuary (for insurance companies) should have a direct reporting line to the audit committee, and the audit committee should approve the external audit fees and scope. Not only is this best practice internationally, but I would also add, as OSFI similarly goes on to write, that the audit committee should have private sessions with the internal audit, external audit and appointed actuary at every audit committee meeting. The audit committee should also approve the internal audit work plan, budget, independence, person and compensation.
Overall, the draft OSFI guidelines are proportionate, pragmatic and reflect leading practices (e.g., G30, Walker and OECD reports and Basel principles). Canada has a very well-regulated financial services sector that some say is the envy of the world. These new corporate governance guidelines will help ensure that this fiscal prudence and stewardship continues.