ECB's draft guide on governance and risk culture

Key messages from the July 2024 publication

In July 2024, the European Central Bank (ECB) released its draft guide on governance and risk culture (the Guide). This document outlines key supervisory expectations for assessing supervised entities within the current regulatory framework, in addition to existing requirements from the European Banking Authority’s guidelines on internal governance and those of respective National Competent Authorities. The Guide highlights observed best practices as well as potential red flags in governance, behavior, and culture.

The importance of broader governance principles has been underscored in recent ECB publications, including the May 2024 guidance on effective risk data aggregation and reporting.

The Guide links risk culture attributes with governance arrangements such as the Management Body and leadership responsibilities, effective communication and transparency, risk ownership and accountability, remuneration incentives, risk appetite, and the expectations across the three lines of defense. Entities are generally expected to define culture, values, and codes of conduct, as well as to monitor and periodically report these to the Management Body.

The Guide emphasizes the role of the Management Body in setting the tone from the top, highlighting its responsibilities, composition, suitability, independence, and the documentation of criteria in policies, including diversity.

Described as a cornerstone of a sound governance framework and a driver of a bank’s strategy, the design of the Risk Appetite Framework includes both financial and non-financial risks, with defined limits and qualitative and quantitative metrics. This framework should promote risk awareness and contribute to the overall risk culture.

The Guide also addresses the robustness of internal control mechanisms, which rely on a strong three lines of defense model. It clarifies the responsibilities of the first line of defense, emphasizing that business lines are accountable for the risks they take in operational arrangements, which may include front office, back office, and support functions (e.g., HR, Legal, IT). The independence of internal control functions is stressed, along with detailed responsibilities.

Next Steps for Banks

To align with the ECB Guide, banks could consider the following actions:

Review the robustness of existing governance arrangements, organizational structures, decision-making authorities, defined lines of responsibility, and internal control mechanisms.
Identify and evaluate cultural and behavioral patterns across the organization, from top-down and within different group dynamics, ensuring that risk-taking behaviors align with the overall risk culture.
Assess the alignment of the approved risk appetite with remuneration packages and incentives.
Evaluate the effectiveness of risk management practices, including clarity in roles and responsibilities for managing relevant risks.

For further guidance on navigating these expectations, please contact our local Risk Consulting team.