ECB Publishes Draft Guide on Governance and Risk Culture
August 28, 2024, Covington Alert
A recent publication issued by the European Central Bank (“ECB”) represents the latest influential regulatory pronouncement on the high-priority supervisory areas of bank governance and risk culture. This article highlights some of the key insights which banks may wish to consider.
Since the global financial crisis, governance and risk culture within banks have consistently featured as supervisory focuses for the ECB, with the authority viewing deficiencies in these areas as early warning signals for, or (at the extreme) root causes of, difficulties ahead. Despite increased supervisory attention, the ECB has concluded that the progress made to date by banks in relation to governance and risk culture has “not generally been sufficient”.
Accordingly, on 24 July 2024, the ECB issued a consultation on its new draft guide on governance and risk culture (the “Guide”). The Guide sets out the ECB’s expectations regarding banks’ governance and risk culture, and is intended to significantly build on and replace the SSM Statement on Governance and Risk Appetite of 2016. This follows the ECB’s ‘risk culture deep dives’ of select banks, as well as a review of international work in this space[1].
Banks and other stakeholders have until 16 October 2024 to provide their views to the ECB on the Guide.
1. Application of the Guide
“Governance and risk culture are essential features of any well-functioning organisation, having an impact on its structure, culture, and people. Shaping the organisation of a bank and its management body, defining its values, norms, expected behaviours and collective mindset are key to ensuring the soundness of its business operations, strategic planning, and decision-making” (Guide, p.3).
The ECB has confirmed that it will intensify its supervisory activities in respect of banks within its remit, to ensure that sufficient actions are being taken to enhance governance standards. Any “non-remediated supervisory” findings may therefore be escalated – with the ECB citing its powers to require reinforcement of arrangements, processes, mechanisms and strategies under Article 16(2)(b) of the SSM Regulation.
While supervisory expectations will be applied proportionately, the ECB has emphasised that “good governance and risk culture are equally important for all banks, whatever their size” – indicating that elements of the Guide will be relevant for consideration by smaller institutions. National competent authorities will also be encouraged to align their assessments of governance of less significant institutions with the expectations and practices set out in the Guide.
Whilst the Guide (once finalised) will not be legally binding, the ECB may view any material and inexplicable divergences from its expectations to be non-compliant with applicable EU legal requirements[2]. Banks might usefully conduct a gap analysis of their governance, culture and risk arrangements against the supervisory expectations set out in the Guide[3], including the various best practice and ‘red flag’ examples. Any identified gaps should then be appropriately remediated or rationalised – with any such rationalisation properly documented and approved.
2. The Key Takeaways from the Guide
The Guide covers:
- why the ECB considers the assessment of governance structure and risk culture to be important, and how the ECB assesses these elements;
- how the ECB expects banks’ management bodies to operate to ensure good governance;
- the ECB’s expectations of banks’ internal control functions;
- the ECB’s expectations regarding banks’ risk appetite frameworks; and
- the ECB’s supervisory approach towards governance and risk issues.
Our key takeaways from the Guide are as follows:
- Defining governance: The ECB considers that the central components of a bank’s governance should include the allocation, and interaction, of the roles and responsibilities within the bank, and the implementation of a strong three lines of defence model. A bank must ensure that its internal governance framework is evidenced in practice.
Banks must be ready to evidence the suitability of their management body members and key function holders.
Management body members must be given timely access to quality data in order to carry out effective decision-making at all times (both ‘BAU’ and in crisis situations).
A bank’s governance arrangements should be continuously adapted to the evolving risks and challenges it faces – including geopolitical developments, legislative changes, digitalisation (e.g. AI), information and communication technology and security risks, and ESG risks.
- Defining risk culture: The ECB considers risk culture and governance to be intrinsically linked. The ECB believes that the way a bank defines its culture plays a key role in ensuring prudent risk-taking and risk management. This implies that the bank’s governance arrangements, culture and behaviours should be aligned with prudent risk-taking. Risk culture is the collective mindset and shared set of norms, attitudes and behaviours that permeates and shapes decisions taken throughout each level of an organisation. Banks should be aware of behavioural and cultural patterns (including group dynamics and collective mindsets) which may drive decision-making, leadership and communications styles – as the ECB considers these can often be indicative, or the root cause, of risk culture-related deficiencies.
The Guide describes risk culture as having four dimensions, as follows:
- leadership tone: management bodies should ensure that the bank’s corporate culture is adhered to internally, and consistently conveyed to all internal and external stakeholders;
- culture of effective communication, constructive challenge and diversity: the membership of management bodies should be such that they retain the knowledge, skills, and diversity of experience and background necessary to ensure their effectiveness. Management should also establish a culture in which personnel (at all levels) feel comfortable raising concerns and engaging in honest debate;
- accountability for risks: banks should assign clear responsibilities for the taking, monitoring, and mitigating of financial and non-financial risks; and
- incentives: banks’ incentive systems should reward behaviours that align with their risk profile and culture, to encourage adherence to this culture and discourage excessive risk-taking.
- The importance of risk culture for banks: The ECB expects banks to define their culture and underlying values, and to link these to their codes of conduct. Senior management should regularly communicate its aspired risk culture to all staff through multiple channels – including mission statements, values of the bank and lessons learned.
Culture should then be monitored, measured and assessed to ensure adherence across all levels of the bank. This includes senior management – the management body and senior managers are seen as setting the tone of each bank, and should therefore behave in line with the values of the bank. The ECB recommends that banks regularly discuss the bank’s culture at management body level, as well as its implementation across the bank. Effective tools should be in place for banks to mitigate their culture risk, i.e. the risk of a misalignment between the bank’s stated values and the actions of members of its management body and the behaviour of its employees. It is recommended that findings from the ongoing monitoring of how such culture is implemented are reported to, and discussed by, the management body and its relevant committees.
It is expected that banks identify and act upon root causes of undesired behaviours.
- Good governance and risk culture practices and red flags: The Guide sets out numerous observed ‘good practices’, along with an insightful list of non-exhaustive ‘red flags’ which the ECB considers indicative of potential governance and risk culture issues, extracted below.
- Risk Appetite Framework (“RAF”): The ECB considers a “well-developed” RAF to be one of the “cornerstone[s]” of good governance. Per the Guide, a bank’s risk appetite should be central in setting its strategic goals, and not the other way around – the RAF should therefore be integrated in a bank’s decision-making process, and aligned with other strategic processes, including the bank’s ILAAP, ICAAP, budget and remuneration processes.
The ECB is cognisant that a bank’s RAF may consist of multiple risk policies and processes. This, in the ECB’s view, highlights the importance of having in place a “coherent and consistent risk management procedural framework” that is tied together by a “summary statement” of the RAF.
The RAF should be treated as a ‘live’ document that is fed into and approved by the management body on a regular basis – taking into consideration any updates regarding the bank’s risk profile relative to its risk appetite. To support oversight and decision-making, banks are expected to develop appropriate internal monitoring of their risk appetite, via a ‘risk appetite dashboard’ which compares risk exposure and risk limits to appetite, in relation to both financial and non-financial risks.
- ECB’s supervisory approach: The ECB states that it will assess banks’ governance arrangements by using a range of supervisory tools (both on-site and off-site, e.g. the ongoing assessment of a bank’s governance documentation) and information sources, to ensure it has a holistic picture. The ECB also promises to ensure compliance by using “all measures in [its] supervisory toolkit” where it identifies deficiencies.
In practice, this means banks should prepare for increased and more regular supervisory activity in this area, from ad hoc information and meeting requests to on-site supervisory visits and deep dives on behaviour and culture. It may also imply greater information-sharing within ECB departments and across EU authorities generally.
Our team would be happy to address any questions you may have on the ECB’s proposed Guide.
[1] In a September 2023 speech, the ECB referenced, for example, the Australian Prudential Regulation Authority’s Bank Executive Accountability Regime, and draft Culture and Behaviour Risk Guidelines released by the Canadian Office of the Superintendent of Financial Institutions.
[2] In particular, the Capital Requirements Directive (2013/36/EU) and linked EBA guidelines (EBA/GL/2021/04, EBA/GL/2021/05, EBA/GL/2021/06).
[3] While the Guide is in draft form, we would not expect the final version to contain significant revisions.