Risk Advisory

ECB publish draft guidance on governance and risk culture

As the financial crisis and subsequent financial failings have shown, cohesive corporate governance and strong risk culture are at the heart of effective business practices and the top of the regulatory agenda.

To emphasise this, on 24 July 2024, the European Central Bank (ECB) issued their draft guidance on governance and risk culture. This guidance sets out expectations of supervised banks in the form of a practical tool, inviting feedback from the industry by 16th October 2024. 

Effective governance and positive risk culture build customer trust and strengthen banks' resilience. This article provides a summary of the guidance from the ECB and highlights important next steps for firms to consider.

The ECB guidance outlines four key areas:

  1. Governance and risk culture: importance for banks
  2. Functioning and effectiveness of the management bodies
  3. Internal control functions
  4. Risk Appetite Framework

Governance and risk culture: importance for banks

The guidance outlines the distinction between risk culture and governance, illustrating that governance encompasses the more formalised aspects of policies and committees, whereas risk culture is a more behaviour-led, less tangible concept, spanning all elements of an organisation. Both are key influences on decision-making by all individuals and can therefore drive positive and negative behaviours.

Four key influences on risk culture are outlined by the ECB, with the expectation that all banks consider each one of these in turn.

  • Tone from the Top and Leadership
  • Culture of Effective Communication, Challenge, and Diversity
  • Accountability for Risks
  • Incentives and Remuneration

The guidance provides examples of positive risk culture and governance practices for firms to leverage, as well as red flags for firms to avoid.

Functioning and effectiveness of the management bodies

The guidance highlights that it is the management bodies of banks that hold ultimate responsibility for the institution's governance. They must exhibit strong oversight and the ability to challenge management constructively.

Responsibilities and roles within the management body should be clearly defined, with an effective structure and use of committees. The size of the management body should support its oversight capabilities, and members should possess diverse skills and experience relevant to the institution’s activities and risks.

To enhance oversight, the ECB recommends having a sufficient number of independent members, particularly in supervisory roles, and managing potential conflicts of interest effectively. The chair of the management body should ideally be a non-executive, independent member to promote a culture of challenge and set the tone for the organisation.

Committees should be composed of knowledgeable and independent members, with clear mandates and effective interaction with the management body.

The banks’ management bodies should establish and periodically review practices for their operations, ensuring clear documentation and effective communication. Suitability policies for members should be transparent and based on defined criteria, with diversity policies promoting varied backgrounds and gender targets. Succession planning is also required to ensure smooth transitions and continuity.

Additional good practices are detailed in the guidance, in particular relating to specific committees within the bank and succession planning.

Internal control functions

The ECB summarises the three lines of defence model with good practices for each. Banks are expected to establish robust, independent internal control functions, across the three lines, with sufficient authority, resources, and stature. 

Particular emphasis is given to the significance of the relationship between the functions and the bank’s management body. For example, the functions must have direct access to the management body, and the management body should be involved in the appointment, remuneration, and performance assessment of internal control heads.

Risk Appetite Framework

The ECB reinforces the importance of a bank’s Risk Appetite Framework (RAF) as a cornerstone of effective governance, integrating it fully into decision-making processes and strategic planning. 

The RAF should be well-documented, involve the management body in its approval and regular review, and align with strategic processes such as ILAAP, ICAAP, and remuneration policies. The RAF should be sufficiently comprehensive, covering all financial and non-financial risks, with clear metrics and limits, including for emerging risks such as climate and geopolitical risks.

Risk appetite limits should be appropriately set and monitored, with escalation processes for breaches. The RAF should support risk culture by linking to variable remuneration and internal controls. Regular independent reviews and a structured deployment across business lines are essential, alongside a risk appetite dashboard for oversight and decision-making. 

Additional good practices include robust risk monitoring, early warning signals, and aligning risk appetite with business strategy and remuneration.

Conclusion

The ECB is currently welcoming comments from banks and other stakeholders on the draft guidance during the consultation period, which ends on 16 October 2024.

These draft guidelines provide a practical framework for firms to use to start reviewing their own internal organisational governance and risk culture, identifying any gaps to be addressed and moving towards best practices. Firms should use the ECB’s examples of good practices and the expectations outlined to implement positive changes, fostering a culture of compliance and continuous improvement.

How Grant Thornton can help

Grant Thornton are experts in internal organisational governance and risk culture. With deep knowledge of the ECB's guidance, we are well-positioned to help firms align with these new standards. 

Our team of experts and former regulators can assist in developing robust governance frameworks, enhancing risk management practices, and ensuring compliance with regulatory expectations. Partnering with Grant Thornton ensures that your firm is prepared to meet the evolving demands of the ECB's guidelines effectively.
