Rising to the challenge: the role of boards in effective bank governance
Speech by Elizabeth McCaul, Member of the Supervisory Board of the ECB, at Joint ECB/EUI Seminar “Diverse and effective boards in a changing and competitive landscape”
Florence, 17 April 2023
I am absolutely delighted to be participating in this exciting conference and am happy to see so many of you joining us here in Florence for this ECB/EUI seminar on “Diverse and effective boards in a changing and competitive landscape”. When we sent the invitations a couple of months ago, I think few of us could have predicted how much the landscape would change between then and now.
It is rather fitting that we are meeting here in Italy today, since, as in the saying “all roads lead to Rome”, my view of supervision comes down to the idea that all roads lead to governance. Indeed, throughout my career, I have seen that strong governance is the true north that guides a sound bank, and thus, a sound banking system.
Today’s seminar is a wonderful opportunity for dialogue between you, as non-executive directors, and us, as representatives of the supervisory community, on what constitutes effective bank governance, especially in the current environment. Indeed, if ever we needed a reminder of the importance of effective governance, management oversight and accountability, the past month has provided one in spades.
While we are looking forward to the results of the reviews that are being conducted by the US authorities, there are already some discernible themes emerging – in particular with regard to the failure of Silicon Valley Bank, or SVB – which are of the utmost relevance to our seminar on governance today, and the importance of which cannot be stressed enough. These are proper board oversight, having sufficient banking and risk management expertise in the board, and setting the right incentives in driving strategy while also recognising and mitigating risks. Of course, the fact that SVB did not have a Chief Risk Officer for most of 2022 was most certainly not sufficient.
In my remarks today, I will cover three main areas.
First is the obvious starting point: why we continue to place strong governance and comprehensive risk management at the heart of our supervisory priorities.
Second, I will explain our approach to addressing deficiencies in the functioning, oversight and composition of the boards of the banks that we supervise.
Finally, I will highlight our expectations in areas related to our supervisory priorities, such as capital planning and risk data aggregation, IT and cyber risk, and diversity.
Governance in times of change and uncertainty
Effective governance has been a priority of our supervision for several years, and will continue to be in the years to come. As part of our work on this priority, we are carrying out an update of our supervisory expectations on governance. Today’s seminar is an important opportunity to listen to the industry as we fine-tune those expectations, and marks one of many milestones along the way.
Particularly in the current climate, it is essential for banks to have strong and effective governance. A bank needs a board that can steer it through calm and stormy waters alike, setting the compass on the strategy for the bank, while ensuring a sustainable business model and monitoring risks in a forward-looking manner.
In today’s environment, backward-looking indicators of risk might be misleading. It is therefore more important than ever for boards to be vigilant. Boards need to take a proactive approach to identifying emerging risks and trends, assessing potential impacts on the bank, and taking appropriate actions to mitigate them.
Your role as non-executive directors is critical to setting the right tone within the boardroom in terms of openness, challenging the management, creating an inclusive atmosphere in which probing questions and rigorous analysis are welcomed, and promoting a strong risk culture by setting appropriate incentives.
We see you as our eyes and ears at the table. Fostering that culture of transparency and constructive challenging of ideas is essential for ensuring that the risk profile remains consistent with the risk appetite. Challenge is not something that is just for the sake of challenge. Around the board table we need the right level of expertise and intellectual discourse for such challenge to be effective. An isolated board which does not invite different perspectives into the boardroom, and which is dominated by a handful of individuals, risks instead inviting a very real enemy of effective debate: groupthink. Groupthink is slow to recognise changes in the weather; it cannot visualise the storm ahead to see the risks which strike at the heart of its business model. For banks to safely navigate these dangers, we need independent directors to be thinking about how they can facilitate boardroom discussions that fully reflect the diverse perspectives around the table.
Internal governance and risk management continue to be a cause of concern for us, despite the progress made in recent years. The results of the 2022 Supervisory Review and Evaluation Process (SREP) reflect those concerns, with 73% of institutions assigned a score of 3 for internal governance, indicating room for improvement across the board.
[Chart: Internal governance SREP scores]
One major concern is the effectiveness of management bodies in terms of their composition, collective suitability and oversight role. Almost half of the supervised banks were subject to at least one measure concerning their management body. Weak decision-making procedures and the absence of a healthy challenge culture hamper effective governance and strategic steering.
[Chart: Detailed breakdown of business model-related measures]
The root causes of this insufficient oversight are often deficiencies in the basic functioning and composition of boards and board committees. Culprits include low frequency of meetings, unclear mandates, insufficient reporting lines to independent control functions, and poor communication flows between the board and its committees or between the board and the heads of internal control functions. Furthermore, for around one-third of our supervised banks, formally independent non-executive directors make up less than half of the board, which can hamper the board’s capacity to challenge decisions. In some institutions, insufficient knowledge of banking, risk management or more specialised areas (like IT and climate and environmental risks) may also hinder non-executive directors in that regard. Banks that are not forward-thinking in terms of the composition and expertise of their boards will not be able to navigate the increasingly competitive and choppy waters ahead.
While we acknowledge that governance set-ups can differ between banks according to national traditions, there are some aspects which I consider to be non-negotiable. These are the independence, collective knowledge and sufficient time commitment of board members, as well as sufficient time dedicated to debate which allows the proper oversight and challenging capacity needed to correct the bank’s course.
Supervisory follow-up and effectiveness
Let me now explain how we follow up with our supervised banks to ensure that the deficiencies we have identified are being addressed effectively.
Earlier today, we published the observations and recommendations of the high-level SREP expert group on improving the effectiveness and efficiency of our supervision. I am very proud that our Chair Andrea Enria had the foresight to ask for an independent review by such renowned experts eight months ago, before the world turned its attention to the effectiveness of supervision. It is a great example of how to avoid groupthink by inviting expertise, challenge, openness and transparency to our own Supervisory Board table and I would like to compliment my fellow Board members for this openness. We are now carefully analysing the report to assess how we can follow up. While it is too early to give you a detailed assessment, I can tell you that I particularly welcome the recommendation to strengthen the use of qualitative measures to more intrusively address gaps in banks’ internal controls, governance and risk culture.
As I said on previous occasions, capital requirements may be among the sharpest swords that a supervisor has, but they are not always the most effective tool available to effect change in a bank’s governance structure and risk management framework. Clear qualitative measures with time-bound milestones for remediation are the most effective tools to use in the first instance. If such measures and timeframes are not met with serious and sufficient rigour on the part of a bank’s board, then escalation should occur – this could include enforcement requiring change, using tools such as limitations on business activity, demanding changes in the board and management, and monetary sanctions. While capital add-ons should not be the first port of call for supervisors seeking to strengthen governance and risk management, such measures certainly can and should also be deployed to achieve the desired results.
Indeed, the effectiveness of supervisory actions is key for banking supervision. As Chair Enria recently explained, it depends on our ability to effectively engage with the banks and request speedy and satisfactory remediation of the weaknesses.
To that end, we make use of the full range of tools at our disposal, depending on the severity of the deficiency, the expected remediation timeframe and the bank’s engagement. We encourage our supervisors to use the available measures, remediation tools and enforcement actions, including, if necessary, sanctions for severe or long-standing issues. We ensure consistency and clarity in our supervisory actions and help banks implement them. Ultimately, our goal is to see the banks under our supervision improve their governance, risk management and internal controls processes.
Let me now highlight a few specific areas which I think deserve particular attention and which will also feature in the two panels later today.
Supervisory priority: forward-looking risk assessments and risk data aggregation
The current risk environment underlines once again that board members should assess risks and capital in a forward-looking manner, relying not only on baseline but also on sufficiently adverse scenarios. The failure of SVB has shown that it is not sufficient to focus solely on regulatory and accounting figures. By doing so, some important realities may be missed about the actual economic values of assets, liabilities and risks.
Board members should challenge capital adequacy in a forward-looking manner. They need to be reasonably convinced that the forward capital trajectory indicates that the bank’s capital adequacy would remain sound under potential adverse scenarios. Only then should board members approve appropriately calibrated distribution plans.
In order to properly assess risks, banks need reliable data. They are a fundamental precondition for the strong governance structure and comprehensive risk management framework necessary to support adequate decision-making. However, risk data aggregation and reporting (RDAR) remains an area of persistent concern. Seven years after our thematic review, adequate RDAR capabilities are still the exception and full adherence to the BCBS 239 principles has yet to be achieved. In fact, RDAR was the worst-rated sub-category of internal governance in the 2022 SREP cycle and we see an increasing number of outstanding supervisory measures in this area, most of them triggered by on-site assessments. This begs a few questions that we should be asking: how can risk be assessed and mitigated if the board and management do not have reliable data to guide decisions on basic things such as exposures, key risk data or key information about internal control results? How can effective challenge be provided without sufficient data?
It is the responsibility of the board to promote the identification, assessment and management of data quality risks as part of the entity’s overall risk management framework. If it fails to do so, it is accountable for that failure. In addition, the management body should ensure that sufficient funding is set aside, in terms of volume and throughout the required timeframe, to fully implement projects dedicated to the improvement of the entity’s RDAR capabilities.
If banks continue to fail to make progress, we are ready to use all our supervisory tools to ensure that banks have effective RDAR capabilities to provide timely and accurate risk data for their capital planning, liquidity and compliance risk management.
Supervisory priority: digitalisation and IT/cyber risk
We are aware that fragmented IT landscapes continue to affect banks’ risk data aggregation capabilities, impairing their ability to produce accurate and comprehensive risk reports.
One area to highlight is the lack of IT expertise in banks’ boards. As part of our most recent stocktake, 14% of supervised banks reported that their board members had no knowledge at all about IT risk. While we recognise the fierce competition for IT talent across the industry, this is concerning in the context of the need to effectively manage banks’ digital transformation strategies. The rate of change in the IT landscape is ever-increasing. When we planned today’s meeting, we had no idea that ChatGPT, OpenAI’s chatbot, would have 100 million active users in January, just two months after its launch. How are boards evaluating the impact of this tool on the ways of working, or on the provision of inputs into strategy? How will boards be thinking about how to assess the risks of using such tools? We have also seen the effects of the digital world of social media in the collapse of SVB, where USD 42 billion in deposits left the bank in just five hours. This proves once again the need to evaluate the impact of the digital world on the liquidity base. There are clearly different skills needed at the board table to assess these types of risks, and we may need different supervisory measurements for such risks to liquidity and capital.
In more traditional terms, boards need to understand the IT strategy, its alignment with the business strategy and the related risks to be able to challenge management in that regard. This includes short-term risks, such as cyber risks, but also longer-term strategic risks which can ensue from a lack of investment in IT infrastructures or overreliance on service providers without a tested exit plan in place.
Sufficient IT expertise is important for the board to fulfil its role. We welcome the Digital Operational Resilience Act, which will come into force in 2025 and enshrine training requirements for the boards in EU law.
Some banks still see diversity as a “nice to have”. But diversity is fundamental to sound governance.
Diverse boards promote an inclusive culture and foster an independent and critical challenging capacity. Bringing together a broader range of perspectives, skills and experiences reduces the risk of biased decisions, groupthink and herd mentality.
We are pleased to see that significant institutions have made some progress in their diversity framework: while 20% did not have a diversity policy at the end of 2021, almost all have one now, following requests sent by Joint Supervisory Teams, in line with the European regulatory framework. Additionally, diversity policies are now more comprehensive, covering diversity aspects beyond gender, e.g. education, experience, geographical provenance and age.
However, gender representation remains an issue: at the end of 2022, 33% of all non-executive directors were female, while the share was only slightly higher for those who were newly appointed that year, standing at 34%. This raises serious concerns about how the number can improve in the near future.
It is banks’ responsibility to push for better numbers, but we as supervisors also have a role to play. The effectiveness of the management body and its diversity are part of our supervisory priorities, where we focus on banks’ diversity framework, succession planning and the oversight of board committees.
We use our entire supervisory toolkit in our evaluations, ranging from fit and proper assessments and how diversity is considered in new appointments to checking how diversity policies are implemented as part of our ongoing supervision. By connecting these supervisory processes, we intend to create a self-reinforcing cycle that helps create a culture of openness and effective challenge, fostered by diversity at the board table.
Let me conclude my remarks here and provide a brief overview of the remainder of today’s agenda.
First, my colleagues will outline the framework for governance supervision in the Single Supervisory Mechanism. Following that, we will engage in a deep dive on the topic of collective suitability and diversity in a panel discussion moderated by my esteemed colleague Anneli Tuominen. Then, in another engaging panel, we will explore strategies for enhancing the effectiveness and efficiency of board oversight in challenging times.
I am very much looking forward to these discussions, and I hope you all share my enthusiasm. There could not be a better moment to focus on the true north of strong governance.
Thank you all for your attention.
ECB Banking Supervision (2022), “ECB Banking Supervision: SSM supervisory priorities for 2023-2025”.
ECB Banking Supervision (2016), “SSM supervisory statement on governance and risk appetite”, June.
See also ECB Banking Supervision (2023), “Strong risk culture – sound banks”, Supervision Newsletter, 15 February.
ECB Banking Supervision (2023), “Element 2: Internal governance and risk management”, SREP 2022 aggregate results.
Press release “ECB welcomes expert group recommendations on European banking supervision”, 17 April 2023.
McCaul, E. (2022), “Is the water bluer on the other side of the pond?”, Revue bancaire et financière.
Enria, A. (2023), “A new stage for European banking supervision”, speech at the 22nd Handelsblatt Annual Conference on Banking Supervision, 28 March.
ECB Banking Supervision (2018), Report on the Thematic Review on effective risk data aggregation and risk reporting, May.