Keynote Speech by

Romy Bowers, Chief Risk Officer, CMHC – SCHL

Embracing change in a time of transformation: A CMHC Case Study

Canadian Institute’s
13th Crown Corporate Conference
Ottawa, ON
January 31, 2018

Check against delivery

Good afternoon. It’s a pleasure to be here with you for this final keynote in two days of conversations about governance and innovation.

It’s fitting that we wrap up this event with a discussion on risk. Because our experience at Canada Mortgage and Housing Corporation is that strong risk management drives both good governance and innovation.

There’s a well-known quote: “A ship in harbour is safe — but that’s not what ships are built for.” We too, as Crown corporations, were built to serve Canadians. Not to stay sheltered in a harbour.

In fact, in this climate, the real danger is staying in the harbour. The tsunami of change we’ve experienced over the past 10 years is powerful and far reaching.

We can’t simply hunker down and ride out the storm. The storm is the new normal — and we have to be out in front of it.

This means we have to plan for risk. We have to take managed risks to become more agile. We have to find innovative ways to fulfil our mandates and improve the lives of Canadians. Because if we don’t, the real risk is that that we become irrelevant. Or worse yet, that we unintentionally disrupt markets, destabilize the economy or weaken Canada’s social fabric.

That’s why understanding and effectively managing risk is a key priority at CMHC. It has been at the core of a major transformation in our organization, called CMHC in Motion. A transformation that reached our programs, our structure, our relationships with clients, our information and digital technologies and our staff.

Like all good risk managers, we’re observing and analyzing the impacts. And we’re learning a few lessons along the way. I’d like to share these with you in the hopes that they can add to the conversations you’re having at your own organization about risk and innovation.

About CMHC

Large-scale disruptions force us to make bold moves. That’s how the CMHC was created. In the wake of World War II, veterans returned home to Canada needing housing. CMHC was founded to address this massive need.

Eighty years later, addressing the housing needs of Canadians remains the mission of CMHC. But the context and the disruptions affecting housing need have changed. And they continue to change at record speed. Migrations of people within the country. An aging demographic. A more diverse Canada. Climate change. Digital technologies. The global financial crisis.

All of these factors have profoundly affected where and how Canadians live and what they need in a home.

Many of you here will be familiar with CMHC through our mortgage loan insurance products. These help qualified Canadians with down payments of less than 20 per cent to become home owners — an innovation at the time that helped Canadians access homeownership. Less well known to most Canadians are our securitization programs. This ensures that financial institutions have a reliable supply of mortgage funding.

Together, these programs are worth billions of dollars per year. They contribute to Canada’s financial stability by underpinning a healthy housing finance system. They also provide valuable revenue to the Government of Canada. CMHC contributes significantly to the Government’s financial position. Last year, for example, we paid a special dividend of $4 billion and we’ve started to pay further quarterly dividends when actual capital exceeds targets.

But because these programs are backed 100 per cent by the government, they also have the potential to expose taxpayers to risk.

The US housing crisis, which led to a global economic crisis, is a recent reminder of the magnitude of this risk.

You may also know about CMHC through the National Housing Strategy that the federal government announced in November. We’re leading this ambitious strategy — a historic investment in addressing the housing needs of Canada’s most vulnerable citizens. It will allocate $40 billion over ten years to:

  • reduce chronic homelessness by 50%
  • create 100,000 new housing units
  • repair 300,000 existing units
  • ensure another 385,000 households keep their affordable housing, and
  • protect 530,000 community housing units so families can spend less on housing and more on other essentials.

This strategy represents an unprecedented scale of federal leadership on housing here in Canada — and perhaps internationally. I’m confident that the government’s vote of confidence in CMHC to lead this strategy is directly linked to the steps we’ve taken over the past five years to transform and to strengthen our risk management. This work has put us in a solid position to deliver on the strategy. I’m going to make the case throughout my remarks for robust risk management… and I’ll start by talking about how it has fueled our transformation.

CMHC in Motion — the transformative power of risk

From the programs I just described, it’s clear that the stakes of CMHC’s work are high. It’s at the heart of Canada’s economic and social well-being. So we have to carefully assess the risk inherent in any change we make, any intervention we take.

In the past, this has meant that the CMHC has been very risk-adverse. It preferred to stay under the radar. Sheltered in the harbour.

But as CMHC began its transformation to become more agile, more ready to foresee and address change, it was clear that it could only do this by embracing risk.

I’ll show you a short video we created to show CMHC employees just how central risk management is to our transformation.

The last speaker in the video was our President and CEO Evan Siddall — our biggest champion of embracing risk. Evan comes from an investment banking background. He understands that to have an impact we have to take risks. And that risk must be managed responsibly. Especially when you are acting on behalf of Canadians. A wrong move could have significant consequences for our housing system and financial stability.

As Chief Risk Officer, I can’t stress enough how important it is to have a risk champion at the helm of an organization. It means I have had his support — and our Board of Directors’ support – to create a strong risk culture across the organization. And beyond that… to set a goal for CMHC to be recognized as a world-leader in housing risk management.

This goal is so fundamental to our work that it is embedded in our strategic statement. It makes risk an expected and valued part of our approach to work.

This is a huge achievement — especially given where we were five years ago.

So how did get from there to here?

We invested a great deal of resources and energy into creating the framework and activities to foster a risk culture. So let me take a few minutes to share some of these…

Our risk framework

First of all CMHC invested in building our in-house expertise. My position — Chief Risk Officer — was created. I was given resources to build a strong team to carry out our work.

Job one was to strengthen our risk management framework.

The framework includes a risk appetite statement. This defines the “sandbox” in which we work. It guides our business decisions and clarifies where we can take calculated risks to help us meet our goals.

Each year this is reviewed and approved by the Board of Directors. There is a board committee specifically to ensure the appropriate policies, procedures, controls and systems are in place to identify, assess and manage the key risks we face.

Our Risk Management Framework also includes a risk governance model. This outlines the accountability for risk across the organization. It ensures that every employee at every level plays a role in managing risk — along three lines of defence.

The first line of defence is the staff working on the ground, with our clients, carrying out our programs and services. These are the people placed to identify and report on risk as they see it in their day-to-day work.

The second line of defence is my team, working with the CFO and the Chief Compliance Officer. We monitor risk factors, set standards, challenge, advise and train staff.

The third line of defense is objective, independent assurance from internal audit.

The terminology of “three lines of defense” sounds very “risk management-y” and sort of geeky. But it’s a simple tool that helps organizations to differentiate risk taking from risk oversight.

It’s not meant to add another level of bureaucracy or hurdles. It’s really about introducing a system of checks and balances to govern organizations in a risk-based manner.

One specific example: My risk team — 2nd line of defense — worked with the Assisted Housing team responsible for funding projects that renovate and retrofit existing buildings that provide housing for Canadians in need– this team would be the first line of defense.

Using tools and guidelines developed by my team, the 1st line were able to identify a risk of giving funds to ineligible groups if the right controls weren’t in place. So, they developed controls they thought would be effective. Then, we looked at the controls, and the process to evaluate which groups were eligible and which should be prioritized. We made sure the controls were designed properly and were operating properly.


Text version

A flow chart showing the Risk Governance structure at CMHC as well as the three lines of defense.

First row: Board of Directors

Second row: Audit Committee, Risk management committee, Other Board committees

Third row: Senior management

Bottom row:

First line of defense — Identify and control: involves the business areas and support functions as well as the operations support teams within that group.

Second line of defense — Set standards and challenge: involves the chief risk officer, chief financial officer, and chief compliance officer.

Third line of defense — Independent Assurance: involves internal audit.

A risk management framework isn’t created once, then forgotten. Part of being an agile organization is continually revaluating and tweaking it.

For example, each year we report on a number of risk categories. This shows us where we need to focus and prioritize. This graph created at the end of last year, showed that our risks in terms of reputation, insurance and guarantees, credit, market and liquidity remained low.

So, with this information in hand, we know we can focus on categories of higher risk.

The fact that strategic risk is in the moderate zone tells us that we need to continue to optimize our ability as an organization to foresee and plan how to respond to changes in our environment.

The fact that operations risk was high, reaffirms our plans to continue shoring up our internal systems — namely IT systems — which have suffered from many years of underinvestment.

Identifying and addressing this risk led to and continues to inform a multi-year technology and business transformation initiative currently underway at CMHC. It’s a major push to improve client and employee experiences, create opportunities to innovate and transform our services. And in turn, it will allow us to better embrace agility and risk in our work.


Text version

Low acceptable — risk is low or appropriately managed, no action required.

Reputation risk

Insurance and guarantee risk

Credit risk

Market risk

Liquidity risk

Moderate cautionary — requires on-going management attention, action may be required

Strategic risk

High cautionary — requires close management attention

Operational risk

† Risk is low or appropriately managed, no action required.

+ Requires ongoing management attention, action may be required.

* Requires close management attention.

One of the things I’m most proud of — and what has been key to our growth in risk management — is our work to create a risk culture.

As you all know, changing culture in any organization is difficult. Cultivating a risk culture doesn’t just happen organically. We’ve had to be proactive, consistent and committed to keeping the risk conversation going.

We developed an employee awareness campaign, called Risk is Everyone’s Business, and offered training to empower employees.

Managers are tasked with discussing risk with their teams — both the actual risks in their everyday work, and making the connection with the broader conversation about risk as a strategic direction.

We address risk in blogs and articles in our internal e-bulletin and intranet.

My team and I have hosted live info sessions for staff and prepared online training modules for new staff as part of the onboarding process.

Perhaps the most important move was to embed risk in our corporate values. These are the touchstones for our work. They send a powerful message of what we expect from each other.

This slide shows three of our ten values:

“Be an owner” means owning responsibility for success and failures.

“Celebrate both wins and failures” acknowledges that failure can be an acceptable risk — and an integral part of innovation.

“Ask why” engages staff in innovation. It sends a message that constructive criticism and questioning is encouraged by all levels in the organization. Our President reinforces this value and often tells staff that the most costly words to any organization are: “We’ve always done it this way.”

The good news is that these awareness efforts are paying off.

We take regular, short surveys of staff on the topic of risk. When we started we simply wanted to gauge get an evolving portrait of their understanding and awareness of risk.

Over the years, we’ve added more questions about behaviours related to risk. We have also defined our aspiration in term of risk culture and communicated it with our employees. They feel more empowered: one of the highlights of 2017 was seeing that 84 percent of staff agree with our risk management culture.

In the five years since we began our major push to strengthen risk culture at CMHC, we’ve also seen great progress in the levels of awareness, understanding and behaviours. Most important, we’re seeing a consistent shift from risk averse to smart risk taking. And we hope to push the needle even further in 2018.

The value-add of risk management


Because our experience has shown us that a strong, proactive approach to risk management can be a power lever to meeting organizational goals in many areas.

It helps shows where you can afford to take risk and where you can have the most impact. It clarifies your planning and shows where you can provide leadership.

Let me share a few stories from our experience.

Stress testing

A few years ago, as part of our work on risk management, we began creating a number of stress tests to assess our solvency in the event of various cataclysmic events. As our President says, a failure of imagination is all that prevents us from coming to terms with the risk we carry.

So why we imagine nightmare situations. Worse-case scenarios beyond our control. Disasters like an earthquake in Vancouver, an oil price shock over a sustained period, or a five- or six-year period of global economic deflation. How would these scenarios affect housing markets and CMHC’s solvency?

Over the years we’ve continued to boost our investments in technology and personnel to enhance our stress testing processes. This testing shows us that it would take a very severe housing downturn and huge increase in unemployment rates, lasting several years, to erode our capital significantly.

This is all great news… and certainly helps us to assess the risk of our decisions. But last year, we recently took this exercise a step further. We decided to share the results and the methodology of our testing. This is considered a bold move in the financial industry — and we had to overcome plenty of internal opposition to the idea.

People feared that the results would not be well understood. They feared criticism of our stress testing approach. Pushing past this fear proved to be a success. We’ve learned from the experience. Clients have reached out to us to discuss our approach, and we’ve become better risk managers as a result.

I’d ask you to think about your own organizations. What’s the risk appetite for being more transparent in exchange for more credibility, leadership, or create opportunities for innovation? Is this widely understood and supported across the organization?


Another value-add of risk management: Efficiency and operational effectiveness.

Through our risk assessment, we realized that one of our risks was overly heavy processes and bureaucracy. This led to a decision to flatten the hierarchy of the organization and reduce focus on levels.

Again, reflect on your own organization: Have you used a risk-based approach to look at some of your processes? Are there lower risk projects or activities that don’t need as many layers of approvals? Are there higher risk projects that need more direct involvement from senior management, and more agile processes?

This brings me to another area where strong risk management has added great value for us a CMHC: our technology and business transformation.


Our Chief Information Officer is a big supporter of using risk management to enable IT decisions.

We worked together, using our risk framework to guide our decision to outsource major parts of our technology transformation, and to take an iterative approach, trying and testing a series of smaller IT projects. This has helped us to avoid some of the pitfalls seen in other, now infamous, large-scale government IT projects.

We knew there was definitely some risk in deciding to work with an outside company, Accenture. It meant relinquishing some of the control. But we scoped out these risks and we’ve been able to mitigate them. To the extent that our outsourcing arrangement has become a model for other government departments.

First, we took a long term view of the partnership. This gave both parties the incentive to invest in the relationship at all levels, starting at the most senior levels. Our CIO reports to our President, sits at our executive table and makes regular reports to the Board on the progress of this initiative. Our President has made it clear to everyone that he is 100 percent in support of the partnership and fully committed to its success.

We ensured each party plays a clear role. Each adds value and complements the other partner’s contribution. Accenture brings expertise that CMHC does not have. However at the end of the day, CMHC remains accountable. We own the risk and have to be in the driver’s seat for decision making.

Risks are documented and discussed openly. And when things do go wrong, if you have a robust risk culture, you can use mistakes as a learning opportunity. Our CIO has been honest and upfront with staff about some of the bumps in the road in our digital transformation. In doing so, he’s modelling our risk culture – learning from mistakes and adjusting course accordingly.

Employee engagement

Another value-add of our approach to risk has been increased employee engagement. Engagement continues to be an area of concern across government, as the public service’s annual employee survey shows.

But when you put employees in the first line of defense against risk, when you encourage them to ask why and to take risks, you are honouring their expertise. You are showing confidence in their unique first-hand understanding expertise of the programs and services they deliver.

We want employees to understand that there is no innovation without risk. They are fellow travellers — and effective risk management demands intentional innovation.

People need to know that they are accountable, but that it’s not the end of the world when calculated risks don’t result in the anticipated benefit. And there’s much to learn from experimentation.

It’s no coincidence that as our risk management culture has improved, so have our levels of employee engagement, enablement and morale.

Again, a question for you to consider in terms of your organization: Do your employees understand what the risks to your organization are? Do they understand their role in identifying and managing risk? Are they clear on what their sandbox is for taking calculated risks? What message are they getting about the repercussions when risks don’t pay off as planned?  And how does this relate to levels of staff engagement in your organization?


Ultimately a risk culture is a culture of transparency, continuous learning and personal accountability — a culture that is positioned to be agile and innovative.

Which brings me to the value-add of risk management that I want to mention — and I’ve already made this point throughout my remarks: innovation.

Innovative government is sometimes called an oxymoron. But the innovation agenda is challenging us all to find ways to make this a reality. And the only way it’s possible is by embracing risk.

We’re fostering innovation in the housing sector through our funding. Housing projects that go beyond the usual partnerships and funding models, for example. We need to be sure we’re modelling this same thinking internally.

To be sure we did this, we actually included innovation into our risk appetite. That was a big move in itself because usually risk appetite statements are negative – for example: ‘Don’t go over this limit.” Instead we included a positive statement: Foster innovation.

We continue to make sure staff are aware of the linkage between innovation and risk management, to see examples of it in their peers and managers, and understand how to apply in their everyday work.

A couple examples: At CMHC we’re involved in a cross-divisional initiative called the Future of Work. We’re looking at our relationship with work and how we work, and the conditions that need to be in place to make us a higher performing organization. It brings together five work streams that address HR policies, our workspaces, technology — and is being built based on feedback from a national tour that engaged staff in all our regions.

Again… an initiative not without risk. It calls on us to fundamentally rethink how we work with clients and with each other. But it reflects our core values and promotes an accountable culture and enabled employees. Ultimately, we think these changes will benefit employees and our business alike, letting us focus on what really matters.

Risk and innovation also come together in our strategy development process. During this process, we ask ourselves: What value does CMHC bring to Canadians? How must we change to meet the changing needs of our society? There’s a real commitment in this process to not content ourselves with maintaining the status quo. We have to be willing to explore non-traditional partners, building projects, funding and delivery models if the change is beneficial to Canadians. Always with the right tools to identity and mitigate risk as we go along.

Because this is what brings our mandate to life. This is what will make it possible for us to continue to play a role in creating:

… a housing system that can withstand financial crisis — in whatever form they take.

… safe places for women and children leaving abuse…

… stable housing for people living with HIV/AIDS or addictions…

… housing for an aging population that wants to stay engaged and involved.

… affordable, quality housing for new Canadians, for families on-reserve… in the North… and other remote areas of Canada.


I want to leave some time for questions, so I’ll finish with this familiar quote from astronaut Neil Armstrong: “There can be no great accomplishment without risk.”

The impacts of 21st century transformations will play out differently for your organizations. But there’s no doubt they will be monumental.

We, as leaders of Crown agencies, will need to continue to monitor these changes in order to fulfil our respective mandates and better serve Canadians each in our own way. We’ll have to get better and better at anticipating them, charting new courses and then readjusting these courses to remain relevant. We’ll be under more scrutiny and called on to be more transparent than ever.

But the exciting thing about all of this is that it gives us the opportunity to embrace risk. It’s a chance for you to think about how you can use risk management to better understand your changing context. And as a lever for effecting change in your organization. How can risk assessment help you imagine where you can best make a difference? How can your goals to become more transparent help you to actually diffuse risk, and build credibility? How can fostering a risk culture help you meet some of your goals to boost staff engagement and innovation?

Thank you. I’d be happy to take any questions.



Print(opens in a new window)