Key Changes in Final Corporate Governance Guideline
On January 28, 2013, OSFI released a new Corporate Governance Guideline to replace the Guideline that was originally released in 2003. A draft of the Guideline had been released for comment in August, 2012. In a cover letter, OSFI indicated that it expects institutions to conduct a self-assessment for compliance with the new Guideline and to develop a plan to address any gaps by May 1, 2013. OSFI also indicated that it expects full compliance with the Guideline by January 31, 2014.
The first thing to note about the Final Guideline is that in certain key areas, it is less prescriptive than the Draft. For example, in some places where the Draft required that the board take certain steps, the Final Guideline asks the board to take those steps “where appropriate”. This approach was adopted with respect to the over-arching requirement that the Board and Senior Management pursue best practices in governance. While still requiring that the board inform itself about best practices, the Final Guideline indicates that best practices should be adopted “where appropriate”. Other examples of this approach include the appointment of, and performance reviews and compensation for, the oversight function heads and succession planning for senior management and the oversight function heads. Rather than requiring that the board be involved in these processes, the Final Guideline requires board involvement “where appropriate”.
OSFI has also removed any requirement that the board “ensure” that something has been done. According to OSFI this has been replaced with an expectation that the board will seek appropriate assurances or conduct assessments of the assurances that it receives from management.
With respect to board effectiveness assessments, the requirement that the board periodically commission independent third-party effectiveness reviews has been replaced with a requirement that the board “occasionally” seek the assistance of independent external advisors in conducting its self-assessment. The same change was made with respect to the board’s assessment of the effectiveness of the oversight functions. In the latter case, the requirement for periodic independent reviews of effectiveness was substituted with an occasional benchmarking analysis done with the assistance of independent advisors.
With respect to risk management, the requirement that the board periodically “verify” the assurances provided to it by senior management has been substituted with a requirement that the board periodically “assess” these assurances. In addition, the requirement that the board periodically commission independent third-party reviews of the effectiveness of the risk management systems and practices has been removed. However, as a control function, the board must still assess its effectiveness, occasionally with the assistance of an independent advisor.
In the area of board skills and competency assessments, the specific reference to the board preparing a competency matrix has been removed, leaving the board more scope to determine how best to conduct this assessment. However, the Final Guideline now asks that the board integrate its assessment into its succession and renewal plans.
While the concept of director independence from management has been kept intact, the concept is no longer referred to as “demonstrable independence”. Presumably, this allows the board more scope in determining an appropriate level of independence in the particular circumstances of the institution.
The Final Guideline specifies that the board must approve the mandate, resources and budget of the oversight functions. However, boards are no longer required to “play an active role” in the activities of the oversight functions. Rather, the board is asked to approve, where appropriate, the appointment, performance review and compensation of the heads of the functions.
In the Final Guideline, OSFI has elaborated that a “direct reporting line” means direct access and reporting for functional, as opposed to administrative, purposes. However, while the Draft only referenced direct reporting lines for the CRO function, the Final Guideline specifically requires these reporting lines for all of the oversight functions.
To eliminate any confusion over what is meant by an “independent” oversight function, the Final Guideline indicates that independence means independent from operational management.
Risk Management Committee
The Final Guideline clarified that Risk Committee members need only be non-executives rather than independent. According to OSFI, this change will make it easier for institutions to find qualified individuals to serve on the risk committee. For example, the change will allow representatives from a parent to serve on the Risk Committee.
The Risk Committee’s role with respect to material changes to the institution’s strategy and corresponding risk appetite and limits has been enhanced. The Draft required only that the Risk Committee be made aware of these changes. The Final Guideline requires that the Committee provide input to the approval of material changes in strategy and corresponding changes to risk appetite and limits.
Chief Risk Officer
The Draft provided that the chief risk officer (CRO) could not be directly involved in revenue generation or in the management and financial performance of any business line or product. The Final Guideline provides that, in addition, the CRO’s compensation should not be linked to the performance of any specific line of business. In its cover letter, OSFI clarified that linking the CRO’s compensation to the broader performance of the institution is acceptable.
The Final Guideline no longer requires that members of the Audit Committee be independent, deferring to the current statutory requirement that the Committee be comprised of non-management directors, a majority of whom are unaffiliated. However, in its cover letter, OSFI noted that in its view it is international best practice for all members of the Audit Committee to be independent.
The Draft provided that the Audit Committee should approve external audit fees and the scope of the engagement. The Final Guideline provides further that it is the role of the Committee to recommend the appointment, reappointment, removal and remuneration of the auditor as well as to agree to the scope and terms of the engagement. The Final Guideline also adds some cautionary language around offers of fee reductions from external auditors and determining whether audit quality will suffer as a result of the fee reduction.
With respect to the work of the external auditor, the Final Guideline directs the Audit Committee to have additional discussions with the auditor around the review of models, any identified control deficiencies and possible areas for improved disclosure. While the Audit Committee is no longer required to “ensure” that the financial statements are presented fairly, the Committee should “probe, question and seek assurances” in that regard. The Final Guideline also adds a requirement that the Audit Committee report to the board on the effectiveness of the external auditor.
The Audit Committee is no longer required to ensure that the audit plans are appropriate. Rather, the Committee is expected to review and approve the plans to ensure that they are appropriate.
Assistance for Smaller Institutions
The Final Guideline provides some clearer direction for smaller institutions that are hoping to avoid adopting all of the measures recommended by the Guideline. The Final Guideline states in a footnote that smaller, less complex institutions need not have a separate Risk Committee provided that the board ensures that it has the collective skills, time and information to provide effective oversight.
In addition, these institutions need not have a dedicated CRO provided that there is another individual accountable to the board and senior management for the same functions described in the Guideline. The Final Guideline maintains the language respecting the need for dedicated oversight functions in smaller, less complex institutions if there are “compensating controls” and sufficient independent oversight.