
Fixing the foundations: building risk culture and governance block-by-block

At a glance:

  • Shortcomings in European banks’ governance and risk culture are a longstanding concern for the ECB – the 2023 Supervisory Review and Evaluation Process (SREP) results demonstrated that many banks have a lot of work to do.
  • The ECB’s new draft Guide on risk culture and governance includes important new material, particularly around: risk culture, remuneration, preparing for requirements in CRD6 and coverage of emerging risks.
  • The guidelines signal the ECB’s conclusion that banks need to address the root cause of their governance issues. This means going a layer deeper to the behavioural and cultural drivers of governance and risk culture issues.
  • The guidelines also reinforce the ECB’s emphasis on the three lines of defence model as the basis for banks’ internal controls.
  • With new requirements in the EU’s upcoming Capital Requirements Directive (CRD6) for banks to draw up SMCR-style statements of roles and responsibilities, the guidelines set out in detail how the ECB expects banks’ management bodies and internal control functions to operate. Experience from the SMCR in the UK suggests that banks would be wise to get a head start on the January 2026 compliance deadline.
  • The ECB sets new expectations for banks’ remuneration frameworks to include KPIs related to: risk- and control-related objectives; assumption of responsibilities and accountability; and remediation of audit and supervisory findings.
  • Governance and culture shortcomings cannot be addressed overnight. With the ECB increasingly willing to use Periodic Penalty Payments to drive timely and more effective remediation, delaying improvements to governance and risk culture could ultimately become even more expensive for SSM banks.


The ECB has proposed a new Guide on governance and risk culture, to replace its 2016 supervisory statement on governance and risk appetite. Addressing banks’ governance shortcomings was one of the ECB’s primary motivations for reforming the SREP and strengthening qualitative measures. Previous SREP publications have revealed the scale of the issue, with the ECB imposing measures to mitigate deficiencies in internal governance and risk management on 74% of banks.

The draft Guide covers a lot of ground – it is three times longer than its predecessor – but much of its content will be familiar to banks and should be read in conjunction with its existing guidance on fit and proper assessments, climate and environmental risk management and risk data aggregation and reporting. Indeed, the ECB explicitly says that it is not looking to introduce new rules, but rather to build on existing requirements and industry practices that have emerged since 2016.

Even so, the Guide does include new material – particularly around risk culture, remuneration, preparing for requirements in CRD6 and coverage of emerging risks. The “good practices” and “red flags” across the document also create de facto new expectations on how banks should evidence that they are meeting requirements.

What’s new?

Risk culture

The granularity of the ECB’s guidance on risk culture is what distinguishes it most clearly from its predecessor. While hardly a new topic – indeed the governance module of the SREP already includes an assessment of banks’ risk culture – the ECB clearly sees the need to spell out its expectations in more detail, having cited severe deficiencies in risk culture as a primary driver of some banks’ deteriorating governance module scores in the 2023 SREP. The guidance may also be a useful reference for UK banks, with the PRA having emphasised the importance of a strong risk culture in its 2024 letters to UK deposit takers and international banks, but provided comparatively less detail on its expectations.

The ECB sets out four components of a sound risk culture:

  • tone from the top and leadership
  • a culture of effective communication, challenge and diversity
  • accountability for risks
  • incentives (including remuneration)

The four components are now closely aligned with the Financial Stability Board’s 2014 supervisory guidance on assessing risk culture, and use terminology consistent with CRD and existing EBA guidelines, so should already be familiar to banks (albeit with an important added emphasis on diversity). While the guidelines are comprehensive in their coverage, in our view the ECB downplays the importance of recruitment (and onboarding), which can have a critical role in establishing a sound risk culture or, equally, can propagate a poor one.


Remuneration

While much of the remuneration-related content in the ECB’s Guide repackages existing EBA guidelines on remuneration, the ECB has gone into more detail in a number of areas – particularly through the good practices outlined in the document and the “red flags” highlighted from a behavioural and cultural standpoint.

For example, the ECB expects banks to include in their performance assessment frameworks, among other things: risk- and control-related objectives; KPIs related to assumption of responsibilities and accountability; and KPIs related to remediation of audit and supervisory findings. The latter is particularly pertinent given the recent reforms to the SREP, reflecting the ECB’s concerns that supervisory findings are left unaddressed for too long, as well as the ECB’s recent focus on the effectiveness of internal audit functions. The ECB also seeks to strengthen the link between remuneration and banks’ Risk Appetite Framework (RAF), with KPIs aligned to key metrics in the RAF and risk-related ex-ante adjustments to remuneration carried out in setting the bonus pool. Going beyond the EBA guidelines, the ECB emphasises the importance of banks ensuring that non-financial incentives (e.g. promotions) do not encourage excessive risk-taking.

While many of the provisions and principles will be familiar to banks, the draft Guide arguably represents a tightening up of supervisory expectations. Going forward, supervisory teams will have a detailed array of good practices (and “red flags”) against which they can assess banks’ remuneration (and other non-financial incentives) arrangements.

Preparing for “fit and proper” requirements in CRD6

CRD6 introduces a new harmonised “fit and proper” framework. In order to enable supervisors to assess the individual and collective suitability of management body members, CRD6 requires firms to draw up individual statements setting out the roles, duties and reporting lines of all members of the management body, senior management and key function holders (such as heads of internal control functions). The transposition deadline for the Directive is 10 January 2026.

This is a significant task, and the ECB seeing the need to prime banks for compliance now indicates that it expects some banks will need to get a head start. The new requirements are similar to those imposed on UK banks by the SMCR regime. In our experience, implementing SMCR was a complex exercise. EU banks should not treat the allocation of responsibilities as a box-ticking exercise – defining and formalising responsibilities can have a material impact on the way senior stakeholders view their role and give rise to tricky discussions around accountability and remuneration.

Increased focus on emerging risks

A key difference between this guide and its predecessor is the increased emphasis on risks emerging from geopolitical developments, digitalisation (including AI and crypto-assets) and ESG. ECB supervisors have long highlighted the need for banks to be able to identify and manage novel and emerging risks and adapt to longer-term structural trends shaping financial services, although the increased focus on geopolitical risk management is a comparatively new development. A sound risk culture plays a big part in banks being able to do so – employees need to be incentivised to challenge the status quo and proactively look for new risks, rather than simply managing what is in front of them.

Having the right expertise in place in the management body and across all three lines of defence, and ensuring that this remains the case through training and well-formalised succession planning, is difficult. Demand for expertise (internally and externally) may outstrip supply.

In emerging risk areas in particular, banks should have in mind the ECB’s expectation that there is accountability for risks balanced across the three lines of defence. For example, if all of the internal expertise on a complex and new topic sits in the second line, ultimately the second line can become the “sole owner” of the risk with insufficient first line accountability.


Back to basics

At their heart, these guidelines signal the ECB’s objective that banks need to address the root cause of their governance issues. This means going a layer deeper to the behavioural and cultural drivers of governance and risk culture issues, which are in turn determined by the four components of a sound risk culture identified by the ECB. Addressing the more policy- and process-based “governance” red flags without addressing related “behavioural and cultural” red flags will not lead to the right outcomes. More generally, aligning with the good practices and dealing with the red flags in the Guide only get you so far – they are an important reference, but are not exhaustive.

The guidelines also reinforce the ECB’s emphasis on the three lines of defence model as the basis for banks’ internal controls. At a time when some banks are seeking to optimise costs and to adjust the balance of resources and responsibilities across the three lines of defence, the ECB has set out in clear terms how it views the role of each control function. Banks should expect robust challenge from their supervisors if they seek to optimise costs by combining internal control functions or significantly paring back resources in one or more of the lines of defence.

No time to waste

Banks should actively engage with the Guide, and consider performing a comprehensive gap assessment, even before it is finalised later in the year. Addressing governance issues, particularly where they are driven by deep-rooted behavioural and cultural issues, can’t happen overnight.

As mentioned above, governance issues are widespread among SSM banks. All banks supervised by the ECB have room for improvement – in the SREP scoring system of 1-4 (with 1 being the strongest), no bank scored a 1 or a 2+ on the governance module in the 2023 SREP. Most banks scored a 3 or worse – meaning that, in the ECB’s view, the governance risks identified pose a medium to high level of risk to the banks’ viability.

Qualitative issues will be a more prominent part of the reformed SREP. With supervisors empowered to use Periodic Penalty Payments (of up to 5% of average daily turnover for every day that the infringement continues) to drive timely and more effective remediation, delaying improvements to governance and risk culture could ultimately become even more expensive for SSM banks.
