In July 2024, the ECB issued a draft Guide on governance and risk culture. It complements the governance provisions and specific expectations of Directive 2013/36/EU (CRD IV) with a practical tool for financial institutions' governance and risk culture, supporting the overall objectives of CRD IV. Specifically, CRD IV requires institutions to have robust governance arrangements, including a clear organisational structure, effective risk management and appropriate internal control mechanisms. The draft Guide elaborates on these requirements by outlining the practices and principles that institutions should follow to ensure a sound risk culture and an effective governance framework, thereby fostering the overall stability and resilience of the financial system.
Banks’ governance has been on the ECB’s supervisory radar since the early days of the SSM and will remain a supervisory priority in 2025 and 2026, when the ECB will continue to exercise its supervision under Article 16(2)(b) of the SSM Regulation.
In particular, the draft Guide on governance and risk culture aims to provide further guidance on, and clarify the ECB's expectations regarding, the governance arrangements, processes and mechanisms that institutions should have in place to comply with the requirements set out in CRD IV. The draft Guide is designed to complement and build upon the SSM Statement on Governance and Risk Appetite of 2016 and the EBA Guidelines on Internal Governance, with the aim of ensuring robust governance and risk management practices across European financial institutions.
“Governance and risk culture are essential features of any well-functioning organisation, having an impact on its structure, culture, and people. Shaping the organisation of a bank and its management body, defining its values, norms, expected behaviors and collective mindset are key to ensuring the soundness of its business operations, strategic planning, and decision-making”, according to point 3 of the draft Guide, highlighting that effective governance clearly centers around the right cultural foundation.
Complementary guidance on governance
The draft Guide provides more detailed and specific expectations than the SSM Statement and the EBA Guidelines by offering practical advice, along with a list of “red flags” that can indicate potential issues, for example:
- Deficiencies in the whistleblowing process
- Governance arrangements, including the committee structure and escalation process, that do not facilitate debate
- Lack of a link between the variable remuneration framework and the risk appetite
Enhanced focus on risk culture
While the 2016 SSM Statement primarily focuses on governance and risk appetite, the new guidance goes deeper into aspects of risk culture, organisational behavior, and the roles and responsibilities of senior management and boards in fostering an effective risk environment, including its link to remuneration and accountability. “Risk culture relates to a bank’s governance and to behavioral and cultural patterns. Governance concerns the more formal aspects of risk culture, such as a bank’s organisational structure and the procedures, control frameworks and policies that are in place, while behavioral and cultural patterns can be found in decision-making, leadership and communication styles. There are different cultural drivers for these behavioral patterns, such as group dynamics and collective mindsets, identified at all levels of the bank, including management bodies, senior management, middle management and staff. These drivers can also be root causes of a bank’s risk culture-related deficiencies.”
The draft Guide highlights the role of risk culture in ensuring that risk management practices are embedded throughout the organisation. This is crucial for ensuring that the principles laid out in CRD IV and the EBA Guidelines are effectively implemented. The term "risk culture" encompasses the norms, attitudes and behaviors related to risk awareness, risk-taking and risk management within an organisation. It is shaped by the organisation’s leadership, values and communication, and is a crucial element of sound risk management. The draft Guide describes risk culture as having four dimensions:
- Leadership: the tone set by the board and senior management, demonstrating commitment to ethics, integrity, a culture of prudent risk-taking and compliance with established policies.
- Communication and challenge: a culture of effective communication, constructive challenge and quality of debate, supported by diversity of knowledge, skills and experience.
- Accountability: clear responsibilities and a clear definition of the role of the control functions across the three lines of defense.
- Incentives: proper setting of incentives, with ex ante and ex post risk alignment mechanisms in remuneration schemes, including non-financial incentive schemes.
The processes and procedures through which a company governs its operations and conduct can evidence its organisational and operational intent where governance and culture operate in step; where they produce bad outcomes, those responsible for establishing and maintaining them can be held accountable. Accordingly, risk culture should be monitored, measured and assessed to ensure adherence at all levels. The draft Guide sets out various observed good practices, along with a list of “red flags” that can indicate potential issues, for example:
- Insufficient challenge from internal control functions (e.g. no role for the risk management function or its head in challenging decisions)
- Insufficient independence of internal control functions from the management body in its management function
- Unbalanced application of the three lines of defense model, i.e. the first line of defense lacking a culture of accountability for risk and leaving this to the second and third lines of defense
The draft Guide also stresses the comprehensive nature of the risk appetite framework (RAF): “The ECB considers a well-developed RAF, articulated through the risk appetite statement, to be a cornerstone of a sound governance framework.”
Supervisory approach
The ECB states that it will assess banks’ governance arrangements using a range of supervisory tools (both on-site and off-site, e.g. the ongoing assessment of a bank’s governance documentation) and information sources, so as to form a holistic picture. The ECB also commits to ensuring compliance by using “all measures in [its] supervisory toolkit” where it identifies deficiencies. In practice, this means banks should prepare for more frequent and more intensive supervisory activity in this area.
Financial supervision is an evolving field, and regulations and guidelines are regularly updated to reflect new insights, emerging risks and evolving best practices. New guidance does not typically replace existing foundational documents but rather updates and enhances the overall regulatory framework.