
How the ECB Guide on Risk Culture impacts European Banks

Building resilient governance and a forward-looking risk culture for Dutch financial institutions.

In the rapidly evolving regulatory landscape of financial governance and risk management, the European Central Bank (ECB) released its draft Guide on Governance and Risk Culture in July 2024, with the final version anticipated shortly. This ECB Guide is more than a checklist; it sets the bar for resilience amid unprecedented regulatory pressure and market volatility. This article outlines key expectations, emphasises the importance of swift regulatory compliance, and provides a clear roadmap of best practices for building a robust governance model and a resilient risk culture.

Why Governance & Risk Culture Matter Now

Effective governance is crucial for sound decision-making in banks, ensuring safety and stability in the financial system. Previous bank failures and the global financial crisis highlighted the need for banks to address the root causes of their governance issues. Deficiencies in internal governance and risk culture can act as early warning signals for potential financial difficulties, emphasising the necessity for robust governance and risk culture frameworks.

A central element of this framework is the Risk Appetite Framework (RAF), which sets out the level and types of risks a bank is willing to assume. The RAF should be fully integrated into the bank’s governance, guiding strategic decisions and supporting a sound risk culture throughout the organisation.

The ECB has increased its scrutiny and stated that financial institutions’ progress on risk culture has generally not been sufficient. Where the 2016 SSM Supervisory Statement primarily set out basic rules, the 2024 ECB Guideline establishes a foundation for profound, culture-driven governance that aligns with today’s risks and supervisory expectations. At the same time, the EBA and Dutch Central Bank (DNB) have also sharpened their focus, raising the bar for a robust risk culture. Banks face a clear challenge: how to evolve their governance model into a forward-looking, integrated strategy that goes beyond box-ticking. The ECB's guide calls for transformation, ensuring that risk management practices are fully integrated across the organisation.

A Practical Compass: The ECB Identified Four Pillars That Form the Foundation of Risk Culture

  • Tone from the top and leadership: Leaders model and reinforce a prudent risk appetite, cascading down the bank’s risk culture. This includes management body composition, functioning, responsibility for defining corporate culture, and consistent communication on risk and regulatory compliance.
  • Effective communication, challenge and diversity: Healthy governance fosters open challenge and early surfacing of risks. This pillar requires diversity of knowledge, skills, and experience within the management body to promote constructive challenge and a “speak-up” culture.
  • Accountability: Clear ownership across all lines makes everyone responsible for identifying, managing, and escalating risks. This involves assigning clear responsibilities for managing financial and non-financial risks, defining the role of control functions, and ensuring staff familiarity with ethical values and risk limits.
  • Incentives, including remuneration: Rewards and promotions align with long-term, risk-adjusted performance to curb excessive risk-taking. This pillar emphasises proper incentive setting with ex ante and ex post risk alignment in remuneration schemes, linking them to strategic objectives and the Risk Appetite Framework (RAF). Financial incentives should not be solely linked to short-term profitability.

Each pillar functions alongside the others; a weakness in any one undermines the entire framework.

Supervisory Activities

The ECB, DNB, and EBA all emphasise the importance of a strong risk culture and robust governance, with the EBA recently revisiting its guidelines on internal governance to highlight the need for transparent structures enabling effective oversight across all three lines of defence. The ECB’s supervisory framework is a holistic approach that actively assesses these areas, requiring banks to demonstrate and provide clear evidence that their risk culture and governance frameworks meet supervisory expectations. Importantly, these elements must be fully integrated into the banks’ overall risk management processes.

In addition, the DNB stresses that management must take full ownership of the risk culture, including the risk appetite statement and framework. This is not optional, and financial institutions that fail to comply may face increased regulatory scrutiny or sanctions. In the Netherlands, significant institutions are prudentially supervised by the ECB with strict governance and risk requirements, while the DNB oversees conduct and macroprudential aspects. Less significant institutions fall mainly under DNB supervision and must apply proportionate governance and risk culture measures appropriate to their size.

How to Start: Strategy Meets Culture

By adopting a dynamic, integrated risk culture framework closely aligned with commercial strategy, financial institutions can transform governance from a mere compliance exercise into a strategic asset that creates genuine business value.

To support this, Deloitte has developed its Risk Culture Assessment Framework (Figure 1). This framework provides a concrete tool to assess current maturity and guide strategic decisions. Deloitte’s approach reviews four main influences of culture through structured assessments, interviews, and cultural diagnostics. The framework incorporates human capital and risk management perspectives for a richer assessment of governance and risk culture, including dimensions such as diversity and inclusion (D&I). Using behavioural controls, it uncovers how risk behaviours are shaped across the organisation—both formally and informally.

By quantifying governance and risk culture, the Deloitte Risk Culture Framework provides a maturity score and identifies practical actions to align risk culture with strategic objectives, regulatory expectations, and long-term value creation.

Figure 1: Deloitte’s Risk Culture Framework

Final Thoughts

Dutch financial institutions face urgency to act on this ECB Guide. Failure to proactively elevate governance standards risks intensified supervisory measures, escalated regulatory scrutiny, and potential sanctions. Responding effectively requires a forward-looking governance strategy proportionate to the business and aligned with regulatory compliance. This demands more than mere compliance; it requires an integrated and holistic approach including behavioural and formal controls. The ECB’s Draft Guide on Governance and Risk Culture represents a shift in mindset. Dutch institutions must act now to elevate governance from a regulatory obligation to a strategic advantage. Start small, build smart, stay consistent.

Let’s Talk

Curious how Deloitte can support you in assessing the maturity of your risk culture? Or want to explore Deloitte’s transformation tools? Reach out to us for a conversation.
