Good governance in a changing environment

Sound governance is of paramount importance in any organisation. It helps, for example, ensure sound and informed decision-making and provide the necessary checks and balances that counter excessive risk-taking.

Getting this right becomes even more pressing and critical in an environment that is complex, nuanced and constantly changing, and that can also be prone to unexpected developments.

This explains why, since the inception of the Single Supervisory Mechanism, governance and risk management have been at the top of the agenda for ECB Banking Supervision. Although banks have made some progress, they still need to make improvements to meet supervisory expectations.

The ECB has been engaged in a continuous dialogue with banks as well as in bilateral and collective interaction, such as the second banking supervision conference, which was held in March 2018 and was dedicated to governance. Conference participants agreed that sound governance is a strong asset for both banks and supervisors, and vital for the proper functioning of the European banking market.

As governance is multifaceted and affects various areas, ECB Banking Supervision has developed a comprehensive approach to assess the design and implementation of good governance within institutions. The approach is based on a wide range of supervisory tools, including the assessment of documentation, meetings with key function holders, fit and proper assessments and even occasional attendance by bank supervisors as observers at board meetings. The findings feed into the Supervisory Review and Evaluation Process.

Supervising governance

As a result of this supervisory engagement and work on governance, four areas have emerged where banks need to make improvements in the coming period: fit and proper assessments, boards’ independence, risk appetite frameworks, and risk reporting and data aggregation.

Fit and proper assessments

Fit and proper assessments are important for governance supervision. The board is ultimately responsible for the sound and prudent management of the bank, and must provide leadership and vision for the bank’s strategy, culture and values. The suitability of board members is extremely important for the effectiveness of the board itself and the governance of the bank as a whole.

European banking supervision considers five criteria within the fit and proper assessment:

  • reputation
  • experience
  • conflicts of interest and independence of mind
  • time commitment to perform the functions involved
  • collective suitability of the board

The ECB and the national supervisors have together built an all-encompassing framework to assess the suitability of board members. This framework builds on local strengths and recognises local needs. At the same time, it ensures that all directors are assessed in a consistent manner and comply with the same policies, both at the time of their appointment and during their mandate. European banking supervision has also considerably increased the transparency of fit and proper expectations. Most importantly, the ECB published the guide to fit and proper assessments in May 2017 and in May 2018 aligned it with the new joint European Securities and Markets Authority (ESMA) and European Banking Authority (EBA) guidelines on suitability (EBA/GL/2017/12) and on internal governance (EBA/GL/2017/11). Despite all these significant achievements, the governance rules applicable in Europe still differ from one country to another. As the ECB has to apply national law in this area, further harmonisation and supervisory convergence are needed to create a level playing field.

Board independence

Banks need to have a sufficient number of independent members on their boards. These members play a key role in providing the necessary checks and balances. However, formal independence (i.e. independence from the institution, as defined in paragraph 91 of EBA/GL/2017/12) is not enough in itself: all board members need to be independent thinkers too. In board discussions, the view of each board member must count. This is a prerequisite not only for sound collective decision-making, but also for fostering critical thinking and diversity, which are essential qualities in counterbalancing the risk of groupthink. Banks and their non-executive members must have an acute awareness and a sound understanding of the board’s oversight function.

The bank’s internal policies around board composition, recruitment, initial and ongoing suitability (including self-assessment) and succession planning should support the further development of the oversight role.

Risk appetite frameworks as a prerequisite of sound risk management

Sound governance and risk management frameworks also need to be supported by a mature risk appetite framework (RAF). The RAF represents the aggregate level and the different types of risk a bank is willing to take within the limits of its risk capacity. It is in the institution’s best interest to ensure that its RAF is well documented and comprehensive in terms of risk coverage, and implemented at consolidated as well as business line and entity levels.

Although the design of the RAF has significantly improved across banks, most still need to make stronger efforts to implement and embed their RAF in their decision-making processes. In particular, the board must challenge senior management to ensure that each strategic decision has been sufficiently assessed, taking into account the institution’s risk appetite.

Banks should use their RAF when building their budgetary process. Business targets must be consistent with the defined risk appetite. The RAF should also be used in connection with the remuneration framework. For instance, risk modifiers should ensure that severe limit breaches have a negative impact on variable remuneration.

Risk data aggregation

Adequate risk data aggregation capabilities that are in line with international best practices, as set out in the Basel Committee on Banking Supervision's standard 239, underpin the sound management of financial risks. So far, not many banks meet these standards. ECB Banking Supervision will continue to challenge institutions and monitor their progress to ensure that the relevant standards are met.

Governance expectations in a changing environment

The current financial environment is characterised by banks’ increased use of digitalisation as well as initiatives to streamline their organisations. These trends should not be detrimental to the effectiveness of the banks’ governance and risk management frameworks. In particular, banks must ensure that their three-lines-of-defence model is operational at all times to safeguard the quality of controls. The first line – the business line level – manages the risks that the bank assumes in conducting its activities. The second line is responsible for further identifying, monitoring and reporting risks, as well as challenging the first line on the way it manages risks. And the third line of defence, internal audit, provides independent assurance to the board that the overall governance framework is effective and policies are being properly applied.

Banks should work towards an appropriate and sustainable balance between risk and reward. For example, digitalisation, which creates many opportunities for banks, needs to be supported by a strong governance and risk management framework. Banks are expected to find the right balance between agility and innovation. They need to enhance their IT systems’ capabilities, including appropriate controls, while ensuring compliance with any new regulatory requirements such as the Payment Services Directive 2, the Markets in Financial Instruments Directive II, or the General Data Protection Regulation.

In this constantly evolving financial landscape, banks’ governance and risk management frameworks need to be sufficiently resilient, stable and robust to adapt to the current environment as well as to new emerging risks. The identification, measurement, monitoring and mitigation of emerging risks such as IT risk and cyber-risk are essential. It is up to boards and senior management, with the support of middle management, to be proactive and forward-looking in ensuring that their institutions adapt in a controlled manner and that their business models continue to be sustainable.
