October 2024
Room for improvement
The European Central Bank (ECB) has long striven to improve the quality of banks’ internal governance and risk management. Historically this has been the element of the Supervisory Review and Evaluation Process (SREP) where banks have scored worst, with little sign of improvement in recent years. This has led to growing frustration among supervisors – and increasingly intrusive investigations.
In its Supervisory Priorities for 2024 the ECB therefore promised further action to tackle persistent deficiencies in the quality of banks’ management. To that end, on 24 July the ECB published its new draft Guide on Governance and Risk Culture (for consultation until 16 October). The new Guide, which draws on the results of a series of risk culture deep dives conducted last year, as well as wider thinking by the ECB and national central banks, updates the ECB’s 2016 Supervisory Statement on Governance and Risk Appetite.
Structure and behaviour
The Guide’s most significant innovation is the focus on behavioural aspects of risk culture: how employees act in practice when taking and managing risks. ECB Supervisory Board Vice-Chair Frank Elderson described informal behavioural norms as the ‘software’ of governance (complementing the ‘hardware’ of committee structures and formal policies) in a speech last September.
In the latest Guide the ECB sets out an expectation for bank leadership to articulate and encourage a healthy risk culture at all levels of the organisation. That should begin with bank leadership setting a clear ‘tone from the top’ on the importance of prudent risk management, as well as encouraging constructive challenge and welcoming diverse perspectives before decisions are taken.
This culture of prudence should be rooted in appropriate management structures. Boards and committees should be sufficiently large and diverse to accommodate a range of perspectives and expertise. In our view, banks should clearly allocate roles and responsibilities to allow for individual accountability. Risk management and other internal control functions must be independent of first-line business units and must be given sufficient resources and status within the organisation to be effective. Finally, risk management goals should be reflected in banks’ compensation and reward policies to create strong individual incentives for prudence. The Guide does not prescribe precisely how banks should meet these expectations, but it does list both good practices and ‘red flags’ for governance and risk culture that the ECB has observed in the course of its supervisory activities.
Putting it into practice
The ECB will finalise the new Guide around the end of this year. Alongside this, the ECB continues to scrutinise banks’ governance arrangements as part of its ongoing supervision. The ECB has extended its review of management body effectiveness (begun in 2023) into this year. This exercise has featured in-depth examinations of the workings of bank boards, including through supervisors attending board meetings.
KPMG professionals have also seen wider-ranging on-site inspections (OSIs) focusing on culture and governance. These have examined how internal controls are organised and how they function on a day-to-day basis, including through interviews with staff across all three lines of defence.
The publication of the new Guide makes clear that banks should expect this scrutiny to continue. Banks should therefore prepare for future examinations by reviewing their existing structures, policies and practices against the expectations in the Guide. As a first step they should check for any of the ‘red flags’ listed in the Guide and should address them in advance of any supervisory inspection.
As we have written before, documentation is key to demonstrating robust governance and a healthy risk culture. In our view, banks should ensure that roles and responsibilities of management and control functions are clearly assigned, and that the strategies and policies governing business decisions are clearly framed and documented. Comprehensive records of internal communications, meeting discussions and outcomes, as well as of channels for staff to raise concerns, are also essential evidence to show supervisors that internal rules are applied in practice and risks are prudently managed.
Cultural assets
Improving governance and culture, however, is more than just an exercise in regulatory compliance. Research has shown it has clear benefits for business. Managements where roles, responsibilities and policies are clearly articulated, and in which leaders are open to hearing a range of opinions and perspectives, will make better decisions. A clear sense of purpose boosts employee morale and engagement and aids the recruitment and retention of talent. The psychological safety to speak up about concerns or mistakes leads to earlier reporting of problems and fewer accidents or cases of misconduct, and supports continuous learning and improvement. Finally, a positive corporate culture can strengthen an organisation’s public reputation. Together these effects improve companies’ financial performance.
Effective governance and a healthy culture thus help firms build long-term value. So, it is in banks’ interests to invest in their quality of management. Good leadership and a good culture are good for business.