Internal governance: Addressing weaknesses
New Guidelines make this the perfect time for banks to renew their focus on internal governance.
The arrival of new EBA Guidelines on internal governance will only reinforce supervisors' growing focus on this wide-ranging topic. Banks should ensure that they understand where supervisors see the greatest `expectation gaps', that they are prioritising their responses effectively, and that they are taking the right steps to achieve lasting improvements in internal governance.
We often discuss internal governance in our quarterly ECB newsletter, but rarely as a topic in its own right. After all, most banks view strong internal governance as a permanent priority, not a one-off target. It is also a very broad topic, incorporating themes as varied as management bodies, control frameworks, risk management and organisational culture.
Nonetheless, internal governance remains a key area of focus for European banking supervisors. That is hardly a surprise, given the fundamental role it plays in maintaining the stability and reliability of individual institutions and - by extension - the entire banking system.
Furthermore, 30th June 2018 sees the entry into force of new EBA Guidelines on internal governance - the most comprehensive guidance on the topic since 2011.
In our view, the introduction of the new guidelines will only highlight the difference between supervisory expectations for banks' internal governance and the reality `on the ground'. The size of this gap is illustrated by the latest SREP results, which appear to show that no SSM banks have achieved the optimal score of 1 in the area of Governance and Risk Management. Danièle Nouy's speech of April 2018, “Risk appetite frameworks: good progress but still room for improvement”, also makes it clear that supervisors urgently want the expectation gap to close.
The ECB's Annual Report for 2017 gives a more detailed insight into the areas that banks should prioritise. It shows that many on-site inspections made severe findings in areas such as organisational structure, the role and responsibility of management bodies, internal audit and the compliance function. To take two examples in greater detail:
- Deficiencies in the operation of the management body. Problems highlighted by the ECB include roles and responsibilities, the delegation of powers, and the need for effective Board oversight and accountability. We have seen it challenging for boards to strike a balance between the ability to provide `strategic steering' and the need for a detailed understanding of the activities for which they are responsible. Areas for banks to focus on include effective monitoring of risk and compliance functions, the quality and clarity of risk data, and the management of outsourced activities.
- Deficiencies in internal control frameworks. Banks need to ensure that all three `lines of defence' are working effectively. In particular, it is vital that core internal control functions such as risk, compliance and internal audit are sufficiently independent from business units and from each other. Each function needs well defined responsibilities, clear reporting lines and adequate staffing and support for the bank's IT framework.
Against this background, the arrival of the EBA's new Guidelines means that now is the perfect time for banks to renew their efforts to address internal governance weaknesses.
But that begs a number of questions. How can boards best take ownership of such a large and complex set of challenges? After all, some feel it is impractical to objectively judge an evolving, risk-sensitive target like internal governance against a rigid set of standards.
It also remains to be seen how supervisors will implement the new rules. How much flexibility will they apply? Will they allow banks to harness new technology to the goal of improving internal governance?
In our view, effective prioritisation is essential to `working smarter' and closing as many expectations gaps as possible. We believe banks should focus on:
- Prioritising the SREP's supervisory findings. Danièle Nouy has said that supervisors “will continue being tough and intrusive”, so remediating any outstanding issues is a must.
- Developing a strong risk appetite framework. The clear message from supervisors is that a strong risk appetite framework is the first step towards improving internal governance.
- Using technology to strengthen all three lines of defence. Using digitalisation to strengthen controls - and defending against digital risks - is increasingly important to internal governance.
- Focusing on data quality. High quality data is a pre-requisite for effective control, and the basis of all sound decision making.
Looking further ahead, we also see a number of areas that banks should prioritise in order to `future proof' the quality of their internal governance. In particular:
- Creating a strong culture of governance in areas such as codes of conduct, accountability and whistleblowing will help to guard against future risks;
- Ensuring that remuneration schemes are conducive to sound management will help to prevent behaviour that could be harmful to good governance; and
- Assessing how digitisation may affect governance, and how new technologies can be harnessed, will be essential to managing the effects of this rapidly evolving area.
In conclusion, internal governance may not be a new topic, but it is only climbing higher on supervisors' lists of priorities. With attention on deficiencies growing, banks need to ensure they are prioritising the right actions, eliminating the most serious expectation gaps and building a sustainable framework for effective governance.