Good governance for good decisions
Speech by Danièle Nouy, Chair of the Supervisory Board of the ECB, Second banking supervision conference, “Governance expectations for banks in a changing financial environment”, Frankfurt, 22 March 2018
There is ample research showing how bad people are at taking decisions. The human brain is evidently not very well suited to handling risk and uncertainty. It is prone to all sorts of biases, which are reflected in the decisions people take. And most of the time, they don’t even realise that they are biased.
I don’t have to tell you that for banks, bad decisions can have costly consequences. It is thus crucial that banks put in place systems that ensure sound decision-making. And this brings us to governance. Good governance provides the necessary checks and balances; it counters excessive risk-taking; and it ensures that decisions are taken in a sustainable manner. Good governance means good decisions, or at least, much better decisions.
Where do we stand on governance?
Since the start of European banking supervision in 2014, we have raised the bar for what counts as sound governance. And the crucial question is, of course: have the banks cleared that bar?
Well, banks have made progress, but they have not yet cleared the bar. So they definitely have to aim a bit higher. In doing so, they need to follow international best practices and the new guidelines issued by the European Banking Authority (EBA).
But before we continue, let me clarify something. To reflect the different governance structures that exist across the euro area, I will, in my remarks today, use the generic terms “board” and “senior management”, which refers to the people who carry out and manage the bank’s activities, in a manner consistent with the business strategy, risk appetite and other policies approved by the board. This is also in line with the Basel Committee on Banking Supervision’s “generic” approach.
Now, let’s first take a quick look at what banks have achieved and how they are responding to our tougher expectations. Banks now reflect more deeply on how they compose and organise their boards. They have, for instance, improved the quality of reports that are presented to their boards; and they have enhanced the design of their risk appetite frameworks. They have also started to follow our suggestions on fit and proper assessments.
All this is well and good, and it is certainly a step in the right direction. However, there are still a few areas where progress has been too slow. Let me give you some examples.
First, banks could be more aware of how important the board’s oversight function is. This should be reflected in the fit and proper assessments we receive for board members. Criteria such as experience and time commitment require scrutiny. Chairing a board, being a member of board committees and interacting with internal control functions are crucial tasks. Taking them on requires skill, knowledge and availability. How can banks ensure that board members fulfil all the criteria? Well, there is a wide range of tools that they can make use of: internal policies on board composition, recruitment, the assessment of initial and continued suitability, succession planning and self-assessment of the functioning of boards. Only when these policies are implemented, with the current and future needs of a bank in mind, will they help to make the most of the board’s oversight function.
When it comes to the composition of boards, we still see banks which have too many board members. And an overly large board makes for a less fruitful debate. We expect banks to make sure that the size of their boards does not impede their work. We also expect them to clearly structure their boards. Each committee must be accountable for its respective topics.
The second example concerns independence within the board. And here, the new EBA guidelines I just mentioned come into play.
They specify that banks need to have a sufficient number of independent members on their boards. And the same applies to the risk, nomination and remuneration committees of larger banks. We support this, of course. After all, independent board members play a key role in providing the checks and balances which are crucial for sound decision-making. It is true that the number of formally independent board members has increased over the past few years. But in some banks, the number is not yet adequate.
And formal independence itself is not enough either. Independent minds are needed if checks and balances are to be more than just an idea. Board members need to be independent thinkers. Only then will they be able to form their own opinions and exercise their own judgement. And only then will they together be able to make sound and objective decisions in the best interest of the bank. Independence of mind and collective ownership of decisions must go hand in hand. In discussions, the view of each board member must count. But when it comes to decisions, the board must take them as one and stand for them as one.
How do we, the supervisors, monitor this? In doing their job, board members should follow the philosopher Bertrand Russell, who said: “In all affairs it’s a healthy thing now and then to hang a question mark on the things you have long taken for granted”. To make it work in practice requires a culture of debate which values a diversity of views, of course. We assess independence of mind in our fit and proper assessments, for instance. And as part of the ongoing supervisory dialogue, we also assess whether a bank’s internal governance and risk culture are suited to making the most of such independence.
The third area where progress has been lacking involves the link between the board and the internal control functions. This link must be made stronger. Risk management, compliance and internal audit must inform the decisions that are taken at the top. The heads of these areas must report regularly and directly to the board of directors. If they don’t, risks might not be taken properly into account when decisions are taken. In addition, they must be able to meet with the board and its relevant committees without the bank’s senior management being present.
At the same time, the board must assess whether internal control functions are working efficiently and effectively. All too often, this is not done.
The fourth area is risk appetite frameworks, which should cover a wide range of risks, both financial and non-financial. Banks must integrate them closely into the entire organisation. They must link them to the overall strategy; they must extend them to all levels of the organisation; and they must align them with remuneration policies. Without this, risk appetite frameworks will remain mere blueprints that have no impact on actual risk-taking. So banks should move ahead here.
The fifth area is data quality. This is an issue which all banks face. Good data underpin sound decisions. This is particularly true when it comes to risks. Inadequate risk data create a blind spot, and it becomes next to impossible to take sound decisions. Banks need to make efforts to improve their data frameworks. The largest banks also need to comply with the principles on risk data aggregation and risk reporting issued by the Basel Committee on Banking Supervision. However, many banks are far from doing so.
These are the five areas where work still needs to be done. Banks need to implement the recommendations issued by the Joint Supervisory Teams. We acknowledge, of course, that in some cases it will take time to properly implement corrective measures related to governance. After all, they are structural in nature.
Governance – coping with a changing environment
Ladies and gentlemen, banks face a lot of challenges these days. They suffer from low profits; they have to deal with new technologies and the new competition these bring with them; and they need to adapt to stronger regulation and supervision.
In trying to deal with all these challenges, banks might easily be tempted to take what appear to be shortcuts. Low profits, for instance, might tempt banks to embark on a search for yield, in other words, taking excessive risks to reap higher returns. Such a shortcut can easily prove to be a dead end.
And this is why solid risk appetite frameworks matter so much. They help to ensure that each bank not only defines a risk strategy but also adheres to it. This in turn will help banks to steer clear of excessive risk-taking.
So, the current challenges put governance frameworks to the test. But more than that, they might also endanger the frameworks themselves. There is no doubt that banks must bring down costs. However, they must not save in the wrong places. They must not cut down on risk management, compliance and internal audit, for instance. These functions play a key role in identifying, measuring and mitigating new risks.
And this brings me to digitalisation, which certainly offers new opportunities for banks. It might also force them to rethink some of their internal governance and risk management arrangements. But to be fair, we are talking about a fairly new trend here, so the full impact is not yet clear.
In any case, boards must be able to challenge the senior management on IT issues. To that end, they need to ensure that they have the necessary expertise and devote enough time to debates on such issues.
In addition, banks need to make sure that their “three lines of defence” model is adapted to the digital world. And this might require some adjustments. As a first line of defence, banks must define additional controls to ensure that IT systems are always available and secure. As a second line, they need to define an IT risk strategy. This forms the basis from which they can challenge the first line of defence. It should, among other things, set out the desired IT risk appetite. As for the third line of defence, banks need to incorporate digitalisation into their audit plans and the related methods and processes. Banks need, for instance, to reflect on how to audit IT systems once they have been implemented.
All these changes and developments put governance frameworks to the test. Will they hold up in the face of mounting challenges? In short, will they be able to ensure that banks make sound decisions?
What lies ahead?
Well, this will become clear over time. One thing is certain, though, and that is that governance has become even more important. Banks thus need to improve their frameworks and adapt them to all the challenges and changes they are facing.
And what about supervisors? Well, we will continue being tough and intrusive. And we will use all the tools that we have developed in recent years. These include the Supervisory Review and Evaluation Process, or SREP, as well as on-site inspections, fit and proper assessments, thematic reviews and deep dives. All these tools will help us to monitor and improve governance in banks.
We will also take a close look at remuneration schemes to see whether they are conducive to the sound and prudent management of banks. We will assess whether these schemes are in line with European standards as defined by the EBA, for instance.
Risk management is one of our supervisory priorities for 2018. In that context, we will assess the internal models banks use to determine their risk-weighted assets. At the same time, we expect banks to improve their internal capital and liquidity adequacy assessment processes – ICAAP and ILAAP for short.
As always, the most important thing is that supervisors and banks talk to each other. This is the purpose of our supervisory dialogue with banks, which takes place in the context of the SREP as well as during on-site inspections, thematic reviews and deep dives.
We will step up our general efforts to communicate with the banks – on supervisory guidelines, policies and processes, for instance. To that end, we use advanced tools for sharing information, such as the STAR Portal for stress testing. And we support proactive communication between banks and supervisors. The aim is to give banks a better idea of what we expect from them.
We are also currently reviewing our authorisation application processes, including for fit and proper assessments. And in doing so, we try to take the viewpoint of the end user. This helps us to see how we could improve efficiency – by collecting all the necessary information in a timely manner, for instance. It also helps us to see how we could improve transparency – on the status of authorisation procedures, for instance. And it will help us to improve the feedback we provide to banks. They should not have the feeling that their submissions are dealt with in a black box.
Last but not least, conferences such as this one also foster dialogue between banks and supervisors. You will have noticed that in the room today we have supervisors from Europe and beyond, and we have banks with different governance structures. That means we have a lot of different perspectives. So let’s listen to the variety of voices we have here and seek out common solutions. That’s how good governance works.
Thank you for your attention.