ECB's Draft Guide on Governance and Risk Culture - Focus on Culture and Conduct Deep Dive
- James Ross
- Aug 7, 2024
- 8 min read
The ECB draft guide emphasises the critical role of robust governance and a strong risk culture in ensuring the safety and soundness of banks and the stability of the EU's financial system. The guide sets out the ECB's supervisory expectations in these areas, covering aspects such as the management body's composition, functioning, and effectiveness; the roles and responsibilities of internal control functions; and establishing and implementing a comprehensive Risk Appetite Framework (RAF).

Key Takeaways
Effective Governance: The management body should be suitably qualified, dedicate sufficient time to fulfilling its responsibilities, and clearly define its roles and those of key function holders.
Sound Risk Culture: Banks should foster a strong risk culture that permeates the organisation, promoting responsible risk-taking and sound decision-making.
Robust Internal Controls: Independent and well-resourced internal control functions (risk management, compliance, internal audit) are crucial for effective risk management and compliance.
Comprehensive Risk Appetite Framework: A well-developed RAF, integrated into the bank's strategic decision-making, is essential for guiding risk awareness and ensuring prudent risk-taking.
Holistic Supervisory Approach: The ECB employs a holistic approach to assess governance and risk culture, utilising various supervisory tools and sources of information.
Firm Implications
Enhance Governance: Continuously improve internal governance practices, ensuring they are comprehensive and proportionate to the risks involved.
Cultivate Risk Culture: Foster a strong organisational risk culture, promoting responsible behaviour and sound decision-making.
Align with Supervisory Expectations: Review the ECB guide and ensure that governance and risk culture practices align with supervisory expectations.
Ensure Proportionality: Tailor governance and risk management measures to the nature, scale, and complexity of the bank's activities and risks.
Commit to Continuous Improvement: Proactively enhance governance and risk culture practices, anticipating ongoing scrutiny from the ECB.
Consider National Specificities: Comply with EU and national regulations while considering the specific context of the bank's operations.
Chapter 2 Summary
Chapter 2 of the ECB guide focuses on the role of the management body and key function holders in promoting sound governance and risk culture. It outlines the ECB's expectations regarding collective suitability, time commitment, and responsibilities for these individuals.
Key Points:
Collective Suitability: The management body should collectively possess diverse skills, knowledge, and experience to oversee the bank's activities and manage its risks effectively.
Time Commitment: Members should dedicate sufficient time to effectively fulfilling their responsibilities, including attending meetings, reviewing materials, and making decisions.
Responsibilities: The management body should be responsible for setting the bank's overall strategy, overseeing risk management, ensuring compliance, and promoting a sound risk culture.
Key Function Holders: Key function holders are crucial in implementing the bank's strategy and managing risks. The ECB expects them to possess the necessary skills, knowledge, and experience for their roles.
Firm Implications:
Management Body Composition: Banks should carefully assess the collective suitability of their management body, ensuring it has the right mix of skills and experience to oversee the bank's operations effectively.
Time Commitment and Engagement: Management body members should dedicate sufficient time to their responsibilities and actively engage in decision-making processes.
Clear Responsibilities: Banks should clearly define the responsibilities of the management body and key function holders, ensuring accountability and effective oversight.
Fit and Proper Assessments: Banks should conduct thorough fit and proper assessments for management body members and key function holders to ensure their suitability for their roles.
Succession Planning: Banks should have robust succession plans to ensure continuity in leadership and risk management expertise.
Chapter 3 Summary
Chapter 3 of the ECB guide focuses on the functioning and effectiveness of bank management bodies. It highlights the importance of a clear distinction between the management and supervisory functions of the body. The supervisory function oversees and challenges the management function, ensures effective internal governance, and addresses deficiencies.
Key Points:
Management body responsibilities: The management body has overall responsibility for the institution, including defining and overseeing governance arrangements, steering strategy, and ensuring a robust risk management system.
Structure of the management body: Clear roles and responsibilities, leadership structure, and committees (risk, audit, nomination, remuneration) are essential for effective oversight.
Management body composition: The size of the management body should be appropriate, and its members should possess collective suitability and diversity to understand the institution's activities and risks.
Independence and conflicts of interest: The management body should include a sufficient number of formally independent members and have a framework for managing potential conflicts of interest.
Chair of the management body: The chair plays a key role in fostering a culture of challenge and debate and should generally be a non-executive and independent member.
Committee composition: Committees should comprise members with relevant knowledge and sufficient independent members.
Management body and committee documentation: Clear and concise documentation is essential for effective discussions and decision-making. Agendas and materials should be shared in advance, and records of deliberations and decisions should be maintained.
Policies: The bank should have suitability, diversity, and succession planning policies.
Firm Implications:
Clear Roles and Responsibilities: Clearly define the roles and responsibilities of the management body, its committees, and key function holders to ensure accountability and effective oversight.
Management Body Composition: Ensure the management body is appropriately sized and composed of individuals with diverse skills, experience, and backgrounds to facilitate informed decision-making and challenge.
Independence: Maintain a sufficient number of formally independent members on the management body and its committees to promote objective assessments and effective oversight.
Conflicts of Interest: Implement a robust framework for managing potential conflicts of interest among management body members and key function holders.
Chair Selection: To foster a culture of challenge and debate, consider appointing a non-executive and independent member to chair the management body.
Committee Composition: Ensure committees have the right mix of expertise and independence to fulfil their oversight responsibilities.
Documentation and Communication: Provide clear and concise documentation to support informed discussions and decision-making. Ensure effective communication and information flow between the management body and its committees.
Policies and Procedures: Develop and maintain comprehensive policies regarding suitability, diversity, and succession planning and ensure effective implementation.
Chapter 4 Summary
Chapter 4 of the ECB guide focuses on the crucial role of internal control functions in banks, including risk management, compliance, and internal audit. These functions are vital in establishing a sound risk culture, ensuring compliance with regulations, and providing independent oversight. The chapter emphasises the necessity of independence, stature, resources, and clear responsibilities for these functions to operate effectively.
Specificities of Each Internal Control Function:
Risk management: This function is responsible for identifying, assessing, monitoring, and reporting all risks, both financial and non-financial. It is vital in setting risk strategy, risk appetite, and risk limits. The CRO (Chief Risk Officer) leads this function, providing comprehensive risk information and advising the management body.
Compliance: This function ensures compliance with applicable laws, regulations, and internal policies. It also assesses the impact of regulatory changes and remediates non-compliance cases. The CCO (Chief Compliance Officer) leads this function, ensuring a structured compliance monitoring program and a well-documented compliance policy.
Internal audit: This function independently reviews the first and second lines of defence, assessing the effectiveness of risk management, governance, and internal controls. It reports deficiencies to the management body and plays a crucial role in monitoring the implementation of supervisory measures.
Firm Implications:
Independence and Stature: Ensure internal control functions have sufficient independence, authority, and resources to fulfil their duties. Provide them with unhindered access to the management body and relevant committees.
Clear Roles and Responsibilities: Define and document each internal control function's roles, tasks, and responsibilities, ensuring clear accountability and avoiding conflicts of interest.
Qualified Staff: Maintain an adequate number of qualified staff in internal control functions, ensuring they possess the necessary knowledge and skills to assess financial and non-financial risks.
Risk Management: Establish a central risk management function with a holistic view of all risks and an active role in setting risk strategy and appetite. Ensure the CRO has the authority to challenge decisions and escalate concerns.
Compliance Monitoring: Implement a structured compliance monitoring program and a well-documented compliance policy. Ensure compliance with both group-wide and local regulations.
Internal Audit: Conduct regular internal audits following a risk-based approach. Ensure the internal audit function has the necessary resources and expertise to cover all relevant activities and risks.
Performance Assessment and Remuneration: Involve the management body and specialised committees in the performance assessment, remuneration, and appointment of heads of internal control functions.
Outsourcing: If outsourcing any internal control functions, ensure compliance with EBA guidelines and the bank's outsourcing policy.
Chapter 5 Summary
Chapter 5 of the ECB guide focuses on the importance of a well-developed Risk Appetite Framework (RAF) within a bank's governance framework. The RAF is a cornerstone alongside a strong risk culture and well-defined responsibilities for risk management and control functions. The chapter emphasises the need for the RAF to be integrated into decision-making processes, including strategic planning, the internal liquidity adequacy assessment process (ILAAP), the internal capital adequacy assessment process (ICAAP), budgeting, and remuneration.
Key Points:
RAF Design: Banks should formalise a summary risk appetite statement to ensure consistency in risk management, with the management body actively involved in setting and approving the RAF.
Scope: The RAF should comprehensively include financial and non-financial risks, with corresponding metrics reflecting the bank's business model and complexity.
Limits: Risk appetite limits should be set appropriately, with a clear breach escalation process.
Implementation: The RAF should guide risk awareness and prudent risk-taking, contributing to a sound risk culture. It should be stable over time and drive the bank's strategy.
Governance and Deployment: The three lines of defence and the management body should actively define, monitor, and deploy the RAF across the organisation.
Monitoring and Review: Regular monitoring and review of the RAF are essential, including the use of risk appetite dashboards and independent reviews by the internal audit function.
Firm Implications:
Formalise RAF: Develop a comprehensive RAF that includes financial and non-financial risks, with clearly defined metrics and limits aligned with the bank's risk appetite.
Integrate RAF into Decision-Making: Incorporate the RAF into strategic planning, budgeting, and remuneration processes to ensure risk considerations are embedded in all decision-making.
Monitor and Review: Implement regular monitoring and review processes to assess the RAF's effectiveness and alignment with the bank's risk profile. Use risk appetite dashboards to track risk exposure and limit breaches.
Clear Roles and Responsibilities: Establish clear roles and responsibilities for all stakeholders involved in the RAF, including the management body, senior management, internal control functions, and business lines.
Independent Review: Ensure the internal audit function conducts an independent review of the RAF regularly to assess its effectiveness and identify any areas for improvement.
Escalation Process: Develop and implement a clear escalation process for breaches of risk appetite limits, ensuring timely reporting and corrective action.
Communication and Training: Communicate the RAF and its implications to all staff members to promote risk awareness and a sound risk culture.
Chapter 6 Summary: Supervisory Approach
The ECB adopts a comprehensive approach to assessing governance and risk culture in banks, utilising various supervisory tools and sources of information. These include off-site supervision and on-site inspections, fit and proper assessments of management body members and key function holders, and reviews of governance documentation.
Key Points:
Holistic Approach: ECB Banking Supervision uses a holistic approach, combining information from various supervisory tools and sources to construct a comprehensive picture of a bank's governance and risk culture.
Ongoing Supervision: This includes assessing management and key function holders through fit and proper assessments, reviewing governance documentation, and conducting interviews and meetings, including observing management body meetings.
On-Site Inspections: These provide a complementary tool to assess governance and risk culture deficiencies identified during ongoing supervision.
Deep Dives: Specific in-depth assessments of individual banks are conducted based on their idiosyncratic risks.
Escalation Process: In cases of non-compliance, supervisory powers can be activated, administrative penalties imposed, and fit and proper reassessments triggered if necessary.
Thematic Reviews and Targeted Analyses: These provide a peer perspective, benchmarking, and examples of observed good practices.
Firm Implications:
Comprehensive Governance and Risk Culture: Banks should maintain robust governance arrangements and a strong risk culture that permeates the entire organisation.
Transparency and Documentation: Maintain clear and comprehensive governance documentation, including policies, procedures, and meeting minutes, to facilitate supervisory review.
Preparedness for Supervisory Interaction: Be prepared for ongoing supervisory interactions, including fit and proper assessments, interviews, and observations of management body meetings.
Remediation of Deficiencies: Address any identified deficiencies in governance and risk culture promptly and effectively, including those highlighted in supervisory findings.
Compliance with Regulations: Ensure compliance with all applicable prudential requirements and supervisory measures to avoid escalation and potential penalties.
Stay Updated on Supervisory Practices: Stay informed about evolving supervisory expectations and good practices to adapt and improve governance and risk culture proactively.