Exchanging perspectives for better bank governance

Keynote speech by Anneli Tuominen, Member of the Supervisory Board of the ECB, at the joint European Central Bank/European University Institute seminar “Governance and risk culture: going forward by looking back”

Florence, 24 April 2024

I am very happy to be speaking at today’s seminar on governance and risk culture.

Last year, here in Florence, we had some very useful discussions about the functioning and composition of bank boards and the challenges involved. Exchanging views in this way is important for us to understand your challenges and for you to understand our expectations, so that we can together further shape and improve governance and risk culture at Europe’s banks.

All banks need good governance and a sound risk culture to take the right decisions. We saw in the global financial crisis and in last year’s banking sector turmoil that deficiencies in internal governance and risk culture can often be early warning signs of turbulence ahead. Good governance, on the other hand, can help banks develop an active strategy to steer them through the challenges of a constantly evolving environment.

We will celebrate the tenth anniversary of the Single Supervisory Mechanism (SSM) later this year. In these ten years, governance has continually figured among the top priorities and both supervisors and banks have done a significant amount of work to improve in this area. And indeed, over the last few years, we have seen progress in banks’ awareness of governance-related topics and their implementation. Despite this, our targeted review showed that there are still long-term structural deficiencies in the functioning of management bodies.

One of the advantages of European banking supervision is that we can assess and compare practices in different banks and different business models. This benchmarking is particularly important when we are discussing governance and the collective suitability of management bodies across different banks. Today I would like to share what we want to see in terms of good governance and risk culture, and I am looking forward to hearing your views on this during our exchanges.

Suitability of individual members

Let me start with a familiar topic, the suitability criteria for members of the management body. While the management body as a whole is accountable for all areas of a bank’s business, individual members are expected to understand and contribute to the specific areas of the business for which they are responsible.

The bank and the supervisor each have a part to play in ensuring that individual members are and remain suitable for their specific roles. This is of crucial importance for the bank’s performance.

The bank needs to clearly allocate responsibilities and duties to a role and ensure that the person appointed is suitable. We, as supervisor, perform a prudential assessment and consider whether the person’s knowledge, skills, experience, reputation and independence of mind are sufficient, and whether they can dedicate enough time to the role. If need be, we can, for example, set conditions and obligations within the context of the suitability assessment. In some, fortunately rare, cases we have to conclude that the proposed appointee does not fulfil the criteria.

Once someone has been appointed as a member of the management body, the bank remains responsible for ensuring that they remain suitable for the role. Should new facts that may affect a person’s suitability emerge after the initial assessment, the bank must inform the supervisor. This might lead the bank to conduct a reassessment. On this basis, or on our own initiative, we may also decide to carry out a reassessment.

But we also go beyond these individual elements, looking at the interplay with suitability of the management body as a whole. We assess whether, collectively, the management body’s members have the right combination of characteristics and expertise to ensure the bank is properly managed.

Collective suitability

Collective suitability means that the management body must have adequate collective knowledge, skills and experience to be able to understand the bank’s activities. The composition of the management body needs to provide a sufficiently broad range of experience, which includes being well-versed in risk management and being able to understand, identify, monitor and mitigate the risks the bank faces.

As I mentioned in my introduction, we see progress in banks’ awareness regarding governance topics. We also see progress on board composition in terms of ensuring diversity. This contributes to collective suitability. At the same time, our targeted review showed that there are still some long-term structural deficiencies as regards the oversight role that management bodies play.^[1] These deficiencies relate to insufficient challenging capacity and concerns in the areas of collective suitability and diversity, and how they affect the supervisory function of the management body.

Let me elaborate on what I mean by “challenging capacity”.

We expect all members of the management body to actively participate in meetings and follow the discussions, ask questions and effectively challenge the management function. As one of your colleagues aptly put it during last year’s seminar, effective challenging means “asking the right question at the right moment with the right intent and the right tone”.

To challenge in this way requires an appropriate level of knowledge and experience. Naturally, we would not expect each member to have the same level of knowledge and expertise, but they should have at least basic knowledge in all areas and together cover all aspects. Especially in this complex and constantly evolving environment, this task should not be underestimated.

The first step is to ensure that, as a collective, the management body possesses all the necessary knowledge and experience at all times. It is also essential that this knowledge remains up to date. Let’s take one example, information and communications technology (ICT), and security risks stemming from the digitalisation of banking services. As described in our new policy on this topic, the management bodies should include at least one non-executive member with relevant and recent knowledge of, and expertise in, ICT and digital security risks.^[2] And it is good practice for all members of management bodies to undertake regular training, at least once a year, so they can properly understand and assess their bank’s main ICT and digital security risks. Given the complexity of this area, one could even question whether it can be covered on a part-time basis. I would be happy to hear your views on this.

In addition, if meetings – for instance meetings of the committees with a supervisory function – are well prepared, this can have a positive effect on challenging capacity. We have observed that, among other things, providing the agenda and complete documentation far enough in advance, with proper interaction both among committee members and between committees, helps to ensure high-quality discussions.

But merely having the right knowledge and expertise is not enough on its own. We also need to look at the risk culture, including the behaviour and personality of individuals and the chemistry within the management body.

Risk culture

Risk culture encompasses the collective mindset and the shared set of norms, attitudes and behaviours related to the awareness, management and control of risks at all levels in a bank. It shapes employees’ and managers’ day-to-day decisions and has an impact on their risk-taking behaviour.

The management body has an essential role in establishing a sound risk culture. When the management body works as a team and creates an environment where members feel empowered to speak up, this positive “tone from the top” will enhance collaboration and team spirit across the whole organisation. The role of the chair is key here. If it is too dominant, there could be a lack of debate, and views and opinions could go unchallenged.

On the other hand, management bodies that have a culture of encouraging constructive criticism tend to develop a broader range of views and opinions, based on different experiences, perceptions and values. This is crucial to avoid groupthink, remain informed about the various complex topics and reach good decisions in a rapidly changing environment.

Accountability and remuneration are two other elements that play an important role in establishing a good culture within a bank. Regarding accountability, the allocation of responsibilities for monitoring and managing risks must be clear if a bank is to have a sound risk culture. And in terms of remuneration, incentives must not be excessively linked to short-term profitability so that risk-taking behaviour is aligned with a bank’s long-term interests.

These are just some ways to improve governance and risk culture. I am mindful of the fact that changes in the culture of an organisation cannot be implemented overnight. Improving in this area is a journey that is far from over. It is a marathon that we need to run together. I look forward to discussing best practices and the main challenges you are facing throughout the day.

Supervisory approach

Thanks to the experience we have gained over the last few years, combined with our opportunities to compare and share good (and bad) practices at different banks, we will continue building on our supervisory expectations.

Personally, I think that we have contributed to improving the governance of our supervised banks. We needed to be forceful to achieve improvements in governance structures, which was not possible to the same extent before the start of the SSM.

As mentioned in our supervisory priorities for 2024-26, strong internal governance arrangements and effective strategic steering are instrumental in ensuring that banks’ business models are resilient and sustainable.^[3] This is why banks need to further improve in areas with long-standing deficiencies, as mentioned earlier. Your constructive feedback is very valuable in helping us to understand what your main challenges are.

To achieve these goals, our Joint Supervisory Teams and horizontal functions will continue to work with you to address the deficiencies. In addition, we will update and publish our guide on governance and risk culture in the coming months, and share examples of good practices, drawing on exchanges like those we will be having today.

In our targeted review, we saw that, alongside knowledge and experience, the culture of a management body and how its members interact were crucial to its effectiveness. We will continue our supervisory assessments in this area.

Conclusion

To conclude, good governance is key in keeping a bank healthy. I am not saying anything new by stressing that each individual member of a management body, and the management body as a collective, should have sufficient knowledge and experience to be able to monitor and constructively challenge proposed decisions and bring new insights.

As I have said, governance and risk culture are key elements if banks are to establish an environment in which management bodies are well suited to their tasks and can be challenged constructively. While this may be more difficult to assess than other elements, it is nevertheless crucial. The ongoing dialogue between the banks and the Joint Supervisory Teams, our on-site inspections and the targeted review have provided insights into how culture and behaviour can be improved, and I am confident we will see further positive developments.

We should also acknowledge the fact that the world around us has changed. Banks need to be resilient in the face of new risks. First, we do not necessarily fully know the full implications of climate change for the global economy. Second, we need to be prepared to face the consequences of the new geopolitical environment, be it the financial consequences or the heightened risk of serious and successful cyberattacks or hybrid influencing. The banks, and in particular their management bodies and internal control functions, need to have a good understanding of this new world. Having the relevant expertise and knowledge on such risks should therefore not be taken lightly.

I would like to conclude by thanking you, both for being here today and for the exchanges we will have. These discussions are crucial if we are to bring bank governance to the next level and thereby make the banking sector more resilient overall.