A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Peter Routledge

Superintendent of Financial Institutions (Canada)

Picture of Peter Routledge
View Full Report

Contributions to the Supervisors on Supervision Stocktake

What does culture mean in the supervisory context?

1.1.1d Others observe that conflating values and culture may be problematic, as it may conflate supervision with the making of moral judgments.

“Boards — by definition, that includes the CEO and senior leadership — must consider what cultural values are essential to their business model, their clients, and their ability to create shareholder value. They must define those values explicitly, and then ensure the institution is aligned to them. 

Which values? That’s up to them. Not us. We are not here to legislate values. 

When we articulate our expectations around integrity and security, the test we impose on ourselves is this: take the Milton Friedman article from the 1980s, which argues that the manager’s only imperative is to maximize shareholder value. If a board adopted that view as its guiding value set, would our guidance reject it? 

It shouldn’t. Our guideline should say: fine — but how will you measure adherence to that? And how will you steer your organization to live those values? 

It’s up to the board and senior management to define how they maximize shareholder value. It’s not our job to define it. 

Our job is to ensure they are doing so in a disciplined and transparent way — especially if they are a systemically important bank. If they fail, the country’s economic future is at risk. Our job is to ensure the financial system is stable — that funding is available in good times and bad, and that banks don’t disappear at the worst possible moment. That’s our role. We do not define the culture that delivers that. Boards do. 

Accountability starts with the board. The board represents shareholder interests. That’s the board’s job: to articulate values, and to ensure they are lived. Management executes the board’s vision and strategy. It’s the board’s responsibility to define a culture that will achieve that — not the regulator’s. The risk for supervisors is that we take our own values — those we hold dear — and impose them on institutions. That’s not just overreach — it’s illegitimate. We have no right to do that. Our job is to protect creditors, and more broadly, financial system stability. Full stop.”

What is the relationship between culture and governance and how does ambiguity about that relationship contribute to uncertainty?

1.1.3a Participants shared differing perspectives on which comes first, culture or governance.

“In any organization, unwritten rules, norms, and expectations exist alongside written rules and procedures. These unwritten rules, or what we call an organization’s culture, refer to the commonly held values, mindsets, beliefs, and assumptions that guide both what is important to an organization and how its people should behave. 

Culture can reinforce established rules and risk management disciplines, or it can lessen the effectiveness of them. Culture can be a competitive advantage, or a weakness. It can affect every aspect of an institution from its compensation practices to its control framework.”

Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?

If culture is important to supervision, then what factors make it challenging to assess?

1.2.2a Participants have pointed out that culture risk is typically only explored post-hoc, during root cause analysis, rather than proactively, before adverse outcomes arise.

“We have to be on the front foot about it. 

But culture is amorphous, qualitative. It’s hard for outsiders to spot dysfunction. We’re still sharpening our sense of smell. And frankly, we’re still figuring it out. In some cases, we’ve learned the hard way.

We’ve had cases where we didn’t do as well as we should have in assessing how values and principles — unique to a specific institution — actually flowed through the organization. When we’ve missed something, it’s usually because we missed something in governance.”

How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?

2.2.1a Participants discuss how the relationship between governance and culture risk presents unique challenges for supervision.

“All institutions have cultures. Culture comes from history and leadership. Sometimes you need to reinforce it. Sometimes you need to change it to achieve different outcomes. 

Culture risk, as we see it, has two parts. First, the board or senior management might define the wrong culture — one that doesn’t align with the institution’s goals. They misdirect the organization. Second, they might define a good culture, but fail to pursue it properly. They let it drift. They fail to embed it. 

So boards, in our view, need to find ways to assure that culture is aligned and sustained. We don’t supervise for outcomes — we supervise for process. Are you overtly thinking about culture? Have you reflected on how your values support your mission? Have you reviewed this more than once in the last decade? Are you checking annually — maybe even quarterly — how well the organization is living those values? 

If boards are doing that, and taking steps to measure it, regulators shouldn’t give them grief. The risk again is, if we push beyond that — we become overreaching. We diminish our supervisory legitimacy.”

How can supervisory culture be made more proactive and effective in connection with evaluating culture-related risk matters?

2.2.3b Participants described how establishing effective risk governance structures within supervisory agencies is important to supporting reliable supervisory judgment.

“Coming out of the first half of 2023, the sense I had was that the pendulum had swung quite far in the direction of resilience. Now, perhaps, we need to think about it swinging back. 

As we’ve pushed for greater resilience, one of the clearest lessons has been just how well aligned shareholders are with creditors. Our job, in supervision, is to protect depositors, policyholders, and creditors. Coming out of the Financial Crisis, we often assumed there was a conflict between shareholder and creditor interests. What we’ve learned is that these interests are actually quite well aligned — except in the most extreme, near-failure situations. 

That realization is changing how we engage with boards. Boards act on behalf of shareholders, and increasingly we see that their goals are aligned with ours. That means we have to listen more closely to what they’re telling us. And while that’s true for management as well, boards have a unique position: they’re focused on long-term shareholder value — and that’s perfectly aligned with protecting creditors. 

The burden is on supervisors to recognize where the pendulum is and where it’s heading — and to act early, before our regulated institutions do. We need to propose sensible ways to reduce burden, without putting the system at risk. Give firms more degrees of freedom — to compete, to take risk — within a resilient framework. 

That’s the mindset we’re trying to adopt: to be proactive, to lead, to stay on the front foot. It’s counterintuitive — certainly counter-cultural, given the last 15 years — but that’s how you earn credibility. Regardless of where you sit, it’s your independent pursuit of your mandate that carries the day — not transient political winds. But that credibility isn’t automatic. We have to earn it.”

Why have supervisors found it challenging to identify and assess culture-related risks prior to a risk event?

2.3.2a Participants discuss different approaches and frameworks for supervising culture driven risks and highlight relevant tradeoffs.

“Any culture guideline should be short and grounded in high-level principles. What values drive your business model? What values support your customers, your employees, your shareholders? Are they articulated? Are they practiced? If the board and management are doing that — living those values — then we’ve got nothing to say. That’s their call. Not ours.

What we care about is that they are overtly thinking about culture. Because culture eats strategy for breakfast. It’s what drives long-term resilience. There’s a leap of faith involved. I believe that if institutions do this well, they’ll be more resilient. But that link isn’t deterministic. 

Still, it’s enough for us to say: culture matters. So we stay on our side of the line. If we start dictating which values matter most, we lose diversity of behavior — and ultimately, resilience.”

2.3.2b Other participants described the importance of collaborative engagement with the management team of the firms they oversee.

“Historically, OSFI has been built around the idea of principles-based regulation. We set out broad principles — like ensuring the banking system can absorb trade-related shocks to the Canadian economy. That’s our broad objective. And I think most regulated institutions would agree that’s a good principle. The debate, the tension, comes in how to meet it.

That debate is healthy. Maybe I think capital needs to be at 12.5%; you think 10% is sufficient. Great, let’s talk about it. We’ll show our stress tests; you’ll show your assumptions. That’s constructive. 

But, as regulators, we need to recognize that after the shock of the Global Financial Crisis, we went too far — we wanted 100% insurance. That’s aggressive, and not the right mindset for a financial sector that promotes growth and risk-taking. You don’t get 100% protection in a functioning market. 

So what’s acceptable? That’s where we have to find equilibrium. We want firms to be able to take risk and deliver returns for shareholders. At the same time, we need to be able to say that the system is resilient to shocks — and that it would take a multi-sigma event to jeopardize that. 

Our system allows for that flexibility. Some of my international counterparts can’t even get in the room with their supervised firms — because of concerns about capture or anti-competitive optics. But in Canada, we have a tradition: when the system is at risk, we set aside personal interests and focus on the collective good. That habit served us very well in 2023, and again early this year. That kind of engagement requires constant dialogue.”

What steps can supervisors take to ensure that the exercise of their judgment regarding matters of culture risk governance isn’t arbitrary, and that it improves over time?

2.4.1a Participants described the importance of having mechanisms to preserve judgment, whereby earlier anticipatory assessments are tested against what actually unfolded thereafter.

“Well, fewer firms went to the wall in 2023 than in 2008. So I’d argue that the cumulative work since the Crisis has had an effect. Boards are taking culture more seriously. 

If you provide a credible evidence base that shows you’re taking culture seriously, that goes a long way with us. We exercise judgment. We look across institutions. We know we won’t be perfect, but we build a sense of relative strength. 

Still, there’s the ex-post challenge. Something goes wrong. A firm violates its own stated cultural values. They did all the surveys, the training, and still went down a bad path. Failed to comply with laws. Took a reputational and financial hit.

At that point, we know we misjudged the effectiveness of the culture, or its actual adherence. And that requires a supervisory response. The board will have failed its shareholders.

We have to get better at identifying deficiencies and acting on them early. But you can’t control for everything. No matter how balanced or reasonable your cultural guideline is, you’re still going to see failures. The goal is to ensure they’re rare and non-systemic. 

When they do happen, you ask: did we get the regulatory approach wrong? Or did we get our supervision of this particular firm wrong? Most often, it’s the latter. It’s not acceptable, but it is correctable. You learn from it, you adapt. The big mistake is thinking, ‘We have to prevent this from ever happening again.’ That leads to overregulation. You start defining what a ‘good culture’ is. You exceed your mandate. You lose your license. That’s worse than the failure you were trying to prevent. Here’s what we’ve learned over the past two years: 

First: don’t rely on the informal. Apply the codebook. Follow your formal framework — equally and consistently. No favors because ‘you’re a good banker.’ 

Second: even if you do everything right, failures may still happen. Learn from them. Make tactical adjustments. But don’t abandon your core principle: culture belongs to the board. Our job is to ensure they take that seriously and act consistently. 

Don’t try to reduce failure probability to zero. That temptation is strong. I’ve succumbed to it, and I suspect others have, too. But you can’t go there. It’s the road to ruin.”

What emerging techniques and tools offer promise to improve culture measurement and risk assessments?

3.2.2c Participants point to the value that would be achieved were we able to conduct reliable horizontal peer reviews and benchmarking exercises in the realm of culture risk supervision.

“If we detect something, we want to be able to say: ‘On this performance dimension, you’re a negative outlier.’ That’s powerful — especially to a board. CEOs might get defensive, but boards care. They know information asymmetries are real. They want that feedback.”

How can supervisory bodies move to embed culture risk into supervision and governance frameworks?

3.4.1a Participants describe current efforts to incorporate culture risk into supervision and highlight the questions that such efforts raise.

“We should be talking about governance with firms in a way that asks — quarterly and annually: is your culture consistent with your stated values? And what do we think needs to change about you leading the firm to ensure that alignment? As regulators, we should ensure that discipline is happening. But it’s the board’s responsibility to handle the substance.

We should ask: have you explicitly articulated your institution’s core cultural values? Have you documented them? How do they relate to creating shareholder value? Are you actually monitoring whether those values are lived throughout the organization? What’s your review process? Do you assess compliance annually? Do you examine how your values contribute to performance? 

Now, there’s an element of faith in this. We have to believe that if we focus on the discipline of governance, and make sure culture is being examined regularly, the desired outcomes will follow. 

That’s not a guaranteed link — but I’d rather take that leap of faith than try to define culture for every institution. That’s a slippery slope. Suddenly we become the cultural overlords — defining corporate culture across the financial system. That’s not our mandate. 

Shareholder value and financial stability are tightly aligned. Our job is to focus on the discipline of process, not to pass judgment on outcomes. As a board, are you ensuring your values are being carried through the organization? If you are — and if it’s credible and reasonable to us — you don’t have a problem. And if, despite that, something goes wrong, we’ll deal with it. But we’re not going to over-engineer our involvement just to prevent a black swan event. That’s not our role.

Let me give a related example: CEO or Board Chair succession. Don’t tell us who you’re appointing — we don’t need to know. But show us that you ran a principled process. Did you define the role’s requirements? Did you consider a slate of candidates? Did you engage stakeholders — shareholders and employees? If that process is there, we’re satisfied. 

And it’s the same with culture. We don’t dictate outcomes — we ensure there’s a credible, disciplined process in place.”

3.4.1b Participants also described the role of the supervisor in making culture risk governance tangible for supervised firms through training, tools, and targeted frameworks.

“Good prudential supervision is important for effective operations of a financial system. That is why OSFI is presently taking steps to modernize our Supervisory Framework to better capture the impact of systemic and macro-centric risks on the risk profile of our [federally regulated financial institutions (FRFIs)]. 

We want to build in flexibility to accommodate new and unforeseen risks, the interplay between financial and non-financial risks, as well as non-traditional business models. Finally, we want to further leverage data and advanced analytics to promote a more risk-based approach to supervision and to inform our future data strategy. Our supervisory approach will aim to build capability and is best suited for the changes in the risk environment. 

Incorporating the need for proactive and ongoing management of FRFI culture and behaviour risks in assessing the effectiveness of corporate governance is an ideal path to supervision. Identifying risks arising from behavioural patterns is important for a FRFI’s board and senior management because it demonstrates how closely the actual culture of a FRFI is aligned to its desired culture. 

OSFI sees the ideal state of the financial environment as one that incorporates a cultural perspective, with strong corporate governance and culture risk management. Through our efforts, the expected outcomes include culture and behaviour that are designed and governed through clear accountabilities and oversight and that the desired culture and expected behaviours are proactively promoted and reinforced. 

This will also help to assure that risks emerging from behavioural patterns are identified and proactively managed. These important areas will not only strengthen the resilience of FRFIs but increase the confidence in the broader financial system. This approach can support sound decision-making, prudent risk-taking, and effective risk management.”

How do supervisors need to adapt in order to accelerate progress in culture supervision?

3.4.2a Participants highlight the importance of effectively embedding challenge in their engagements with firms related to culture.

“It’s hard to step into a room with a Chair or CEO and challenge them. These are impressive people who’ve risen to the top. There’s a dangerous tendency toward deference. And when we’ve made mistakes, it’s because we weren’t as awake to that tendency as we should’ve been. That’s where the tension lies — when you walk into a CEO’s office and question governance or culture. That’s a potent conversation.”

What would a global initiative to transform culture risk governance and supervision in the financial sector look like?

4.4.1c Other participants express concerns that while coordination may be helpful, that pursuing a uniform approach across jurisdictions may exceed supervisory mandates.

[Responding to whether there is a need for a public-private initiative] “I haven’t found my way to that yet. It would be arrogant of me to say ‘no,’ especially since we have done that in other areas — non-financial risk, integrity and security. So I wouldn’t rule it out. 

But I haven’t seen the need. The most positive impact we can have is to hold boards and senior managers to core principles, and give them comparative feedback on how they’re adhering to those principles relative to peers, without violating confidentiality. 

But going further — into frameworks and metrics — makes me nervous. That’s where we risk crossing the line and starting to define what the ‘right’ values are. And that, to me, is a red line. As soon as OSFI starts defining values for boards, we’ve overshot our mandate. We’ll lose credibility — and our license to supervise. So unless I’m proven otherwise, I’d say: no. The risks of overreach are high. The upside is uncertain. I’m not willing to take that risk.”