24 July 2024
Where do banks’ governance and risk culture stand after ten years of European supervision? Despite improvements, the ECB has concluded that there is still progress to be made. That’s why we are publishing a Guide on governance and risk culture outlining supervisory expectations and good practices.
Well-run banks are the cornerstone of a safe and sound banking system. This is why we have invested a lot in governance in the first decade of European banking supervision[1]. In these ten years, some banks have made notable strides. Overall, however, there is still room and need for improvement. Today, we are publishing a Guide on governance and risk culture, which replaces the SSM supervisory statement on governance and risk appetite of 2016. To help banks improve their governance and risk culture, the Guide includes good practices based on real-life examples. After all, our unique vantage point as European supervisor means we can look closely at the inner workings of banks across Europe.
Governance at the root of vulnerabilities in banks
Why is governance so important? In most cases, healthy banks are well run[2]. In contrast, failing banks are typically badly run. In supervision we see all too often that the root cause of banks’ vulnerabilities is their governance and risk culture. For instance, the banking turmoil in March 2023 involving Silicon Valley Bank and Credit Suisse[3] showed that if left unaddressed, qualitative shortcomings stemming from weak governance can later resurface in quantitative areas such as banks’ liquidity positions. Think about bad governance as an early warning indicator for trouble and, sometimes, full-on crisis.
So good governance and sound risk culture aren’t just nice to have. They are a key element that supervisors around the world strive for in their mission to keep banks safe and sound.[4] This is even more important in the current environment, in which banks are facing economic, competitive and geopolitical headwinds, while at the same time having to manage climate and nature-related risks.
Banks’ governance in the first decade of European supervision
In governance supervision, we don’t only look at the tangible elements of governance, such as the structure and composition of banks’ management bodies. We also look at the culture that drives the behaviour of people within formal governance structures. Risk culture includes factors such as the tone from the top, culture of effective challenge, incentives and accountability for risks.[5] To be clear: sound risk culture does not mean taking no risks at all. It means a culture where the risk perspective is well reflected in key strategic processes of the bank such as strategy, decision-making and remuneration.
When European banking supervision started ten years ago, some banks showed significant governance weaknesses. For instance, board meetings in some banks had become a box-ticking exercise, without sufficient discussion and challenge. Since then, the governance of banks under European supervision has improved. For instance, unlike ten years ago, now almost all banks perform an annual self-assessment of the organisation, functioning and collective suitability[6] of their boards and committees. Ten years ago, one-third of banks under European supervision did not have a risk appetite framework, which defines the risk that a bank is willing to take. Encouragingly, today all banks have one. When European supervision started, the level of banking knowledge within banks’ boards was a concern. Today, 89% of non-executive management body members have at least five years of experience in banking, finance or economics. All this is good news.
However, there is still room and need for improvement. Worryingly, there are some persistent structural weaknesses in the effectiveness of management bodies and in the quality of oversight. These weaknesses have different root causes that need to be addressed.
Good and bad practices
Depending on each institution, some root causes relate to the structure and composition of management bodies, while others relate to the way they function – and this includes behavioural aspects.
One root cause of weakness in board composition is limited diversity, which includes the geographical provenance, skills, education, experience and gender of members. For instance, 17% of banks do not have a management body member with more than five years of ICT experience.[7] Moreover, although almost all banks now have a formal diversity policy in place, there has not been enough progress on gender representation. Disappointingly, banking is still predominantly a man’s world: currently, only 19% of the members of banks’ management bodies in their management function and 35% in their supervisory function are women. This is not good enough, especially when we consider the Women on Boards Directive[8], which sets a clear target: the corporate board of a publicly listed bank can only be considered balanced when each gender makes up at least 33% of its composition. All EU Member States are expected to incorporate this EU directive into national law by the end of this year and listed banks will then have to meet this legal obligation by June 2026 at the latest[9].
Another root cause of ineffective management bodies is the too limited role of independent non-executive directors[10]. Why? Because independent directors are well placed to constructively challenge the board with a fresh perspective from someone who does not come from inside the bank. Our targeted review on management body effectiveness focusing on 38 banks showed that the proportion of independent non-executive directors has only slightly increased from 59% in 2020 to 62% today. Soberingly, in around one-third of supervised banks, less than half of the board is made up of independent non-executive directors.
Another root cause of ineffective management bodies is when executives are systematically present at the meetings of control functions and committees, which hampers the quality of debate and challenge. Today, we still observe this bad practice in 55% of banks in our targeted review. In contrast, as a good practice, we see that in some banks the management body agendas differentiate between “open” sessions (open to all members) and “closed” sessions (open only to non-executive members). This enables non-executive directors to have an independent debate and constructively challenge executives.
Banks must do better in terms of aligning their culture with prudent risk taking. For instance, we still see banks in which the compensation of the Chief Risk Officer is linked too much to commercial objectives. As a good practice, some banks encourage appropriate risk-taking behaviour through financial and non-financial incentives and establish a strong link between the risk appetite framework and remuneration. Other banks have implemented a “risk culture dashboard”, which is embedded into their governance frameworks, facilitating reporting and follow-up actions in relation to the bank’s risk culture.
Next steps
The good practices observed in some banks show that the key ingredients for sound governance and risk culture are already being applied. In so far as they are not, banks are in the driving seat when it comes to putting them into practice. To facilitate this, we will maintain our ongoing dialogue with banks to clarify our supervisory expectations. As part of the consultation process for the Guide, we will organise a stakeholder meeting on 26 September 2024.
Going forward, our supervisory teams will continue to keep a close eye on the progress made by each bank. If we see that critical findings are not remediated in a timely manner, we will use all the measures in our supervisory toolkit to ensure compliance. This includes imposing clear qualitative SREP requirements with time-bound milestones for remediation. And if requirements are not met in time, further supervisory escalation will follow.
We will continue our efforts to strengthen banks’ governance and risk culture on behalf of European citizens also in the decades to come. Because well-run banks mean safer banks.
[1] Governance has regularly been at the top of the list of SSM supervisory priorities, starting in 2015 with the thematic review on governance and risk appetite for all significant institutions, followed by a thematic review on governance for less significant institutions (2021) and a targeted analysis of management body effectiveness and diversity (2022-2024).
[2] “Well run” means a management body that steers the bank, providing oversight and constructive challenge on the bank’s strategy, as well as internal control functions that challenge business lines and make sure that the bank operates within a safe control environment.
[3] See Federal Reserve System (2023), “Review of the Federal Reserve’s Supervision and Regulation of Silicon Valley Bank”, April, and Basel Committee on Banking Supervision (2023), Report on the 2023 banking turmoil, October, pp. 1, 18-19.
[4] Effective governance is a key element underpinning several of the Basel Committee on Banking Supervision’s principles. See the BCBS Guidelines on corporate governance principles for banks and the BCP Core Principles for effective banking supervision. Moreover, it has also been highlighted by the International Monetary Fund (2023), Good Supervision: Lessons from the Field, September, pp. 4, 10, 27 and the independent expert group that the ECB tasked with reviewing our supervisory process: see Assessment of the European Central Bank’s Supervisory Review and Evaluation Process, Report by the Expert Group to the Chair of the Supervisory Board of the ECB, pp. 37, 39.
[5] We assess risk culture with a wide range of tools. This includes occasionally attending a number of board and committee meetings, interviewing board members or conducting risk-culture deep dives. Assessing behaviour and culture components has become an essential part of governance supervision in many jurisdictions around the world. See Elderson, F. (2023), “Treading softly yet boldly: how culture drives risk in banks and what supervisors can do about it”.
[6] Annex 1 of the joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU (EBA/GL/2021/06) provides a tool to help assess the collective competence of members of the management body.
[7] To ensure diversity of skills and collective suitability, for instance, we expect at least one non-executive member of the management body to have a minimum of five years of recent and specific knowledge and experience in the field of ICT and security risk management. See “New policy for more bank board expertise on ICT and security risks”, Supervision Newsletter, February 2024.
[8] At the end of 2022, the co-legislators formally adopted the Women on Boards Directive that EU Member States need to have transposed into national law by end-2024: Directive (EU) 2022/2381 of the European Parliament and of the Council of 23 November 2022 on improving the gender balance among directors of listed companies and related measures (OJ L 315, 7.12.2022, p. 44).
[9] According to the Women on Boards Directive banks will need to comply either with the 40% objective for non-executive directors only or 33% objective for both executive and non-executive directors. See European Commission (2022), “Gender Equality: The EU is breaking the glass ceiling thanks to new gender balance targets on company boards”, 22 November.
[10] According to the joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU (EBA/GL/2021/06), being “independent” means that a member of the management body in its supervisory function does not have any present or recent past relationships or links of any nature with the relevant institution or its management that could influence the member’s objective and balanced judgement and reduce the member’s ability to make decisions independently.