ECB issues Supervisory Statement on Governance and Risk Appetite

The European Central Bank has published a supervisory statement setting out its findings from a thematic review of governance and risk appetite arrangements in significant banking institutions in the euro zone. 

The thematic review was structured in two parts. The first part focused on the assessment of the organisation and composition of the boards, the quality of debate and the documentation supporting the decision-making process. The second part was aimed at assessing the risk appetite framework (RAF) in terms of policies, design and governance as well as its deployment within entities and business lines. 

The ECB is seeking to foster consistently high standards and as such the assessment followed a two-layer approach in that it assessed not only compliance with national and European legislation but also consistency with best international practices. 

Functioning and effectiveness of boards 

The findings from the review were also split into two parts. The first set of findings articulated developing supervisory expectations regarding the functioning and effectiveness of boards and included:
    • Board composition: The composition of the board is seen as one of the main drivers of its effectiveness. The ECB sought to assess the overall composition of each board to determine whether the board's members were collectively in a position to perform its functions adequately. The objective was to assess the "collective suitability" of the board in the sense of collective knowledge, expertise and diversity and not to assess individual members. Four main areas were considered:
        • The size and structure of the board can affect the quality of debate and hence its effectiveness. The review found that an overly large board could hamper interactive discussions. Conversely, small boards sometimes faced issues of diversity in the composition of their committees. In addition, a lack of clarity in the definition of the scope, structure and composition of a board's committees could limit the comprehensiveness of the topics discussed on the board.

        • Level of board independence: The thematic review discovered that the level of independence on the board as a whole could be further strengthened in several firms. Indeed, the assessment confirmed that having independent members on the board enhanced its capacity to challenge senior management. Conversely, insufficient independence on the board as a whole or in its committees (especially the audit and risk committees) tended to limit its oversight capacity.

        • Board expertise: The collective knowledge of boards has often been assessed as an area for improvement. The review found that some areas of expertise, such as IT and accounting, could be further strengthened. In this respect, induction arrangements and ongoing training are not always sufficient to ensure risk awareness and thus enable the necessary quality of debate. Finally, for larger and international institutions, the national diversity on the board has been assessed as insufficient in a few cases.

        • Succession planning: Some firms had failed to define succession planning, or there was room for improvement. This jeopardises the continuity of activity on the board, especially if some board members have particular areas of expertise as part of the collective knowledge of the board and/or a number of board members leave within a short period of time.
    • The assessment of the functioning and effectiveness of boards was split into five areas of consideration:
        • Quality of debate: The thematic review concluded that the quality of debate on the board, and hence its capacity to provide an independent challenge to the management body in its executive functions, could be further enhanced in a majority of firms. The possible root causes varied from one institution to another, but often related to the board's practices and organisation, the quality of documentation and interactions among board members.

        • A board's practices and organisation play a vital role in the quality of debate but the review found that the time available for debate was sometimes too limited, either because meetings were not held frequently enough or were too short in duration; the documentation was not sent to board members sufficiently far in advance; board members were not sufficiently proactive in defining agendas; or because there were information asymmetries among board members.

        • Oversight role: The thematic review found that excessive concentration of power, domination of the debate by an individual or a group of members, and information asymmetries among board members reduced the quality of debate and thus impaired the oversight role of the board in several institutions. The capacity of non-executive board members to challenge executive members was also identified as an area for attention in a majority of firms.

        • Documentation: The main areas for improvement identified were the need to make documentation clearer and more concise; the impact of data aggregation issues on the quality of risk reports; and insufficient detail in the minutes of board committee meetings.

        • Board oversight of control functions: The thematic review recommended that oversight by boards of control functions (risk, compliance, and internal audit) should be further strengthened, in terms of both the regular reporting by these functions to the board and the involvement of the board in the assessment of their effectiveness. More generally, the thematic review concluded that risk perspective should be further enhanced in board discussions in most of the firms surveyed.

Risk appetite framework

The second part of the review covered supervisory expectations regarding the risk appetite framework. 

A well-developed RAF articulated through the risk appetite statement is considered to be a cornerstone of a sound governance framework, together with a strong risk culture and well-defined responsibilities for risk management and control functions. The report highlighted three main findings for the design of a risk appetite framework:
    • Formalisation: The formalisation of an RAF is a prerequisite for its effective implementation. The thematic review identified heterogeneity in the maturity of the RAFs in the significant institutions assessed. Several firms interviewed (mainly smaller institutions) had only recently established a formalised and integrated RAF. At the time of the thematic review, around 30 percent of the RAFs had been developed within the last 18 months and 12 percent were still under development. The maturity of the RAF also has an impact on its effective implementation.
    • Scope: The thematic review identified that the scope of the RAFs was not always comprehensive, with some material risk areas missing, such as non-financial risks or profitability and business risk. Risk appetite metrics were not always adjusted properly to the institution's business model and risk profile.
    • Calibration and monitoring of limits has been identified as one area for improvement, with a particular focus on: risk appetite limits not being set at an appropriate level to manage risk-taking effectively; limits not including enough material concentration areas (per single name, sector and/or country); the escalation process in the event of a limit breach not being defined or displaying weaknesses; and data aggregation issues hampering an effective reporting of limit breaches.

The ECB single supervisory mechanism regards the establishment of an effective RAF as a strategic tool to reinforce a strong risk culture in financial institutions, which in turn is critical for sound risk management. The implementation of the framework had two areas of further work:
    • The thematic review concluded that, for most of the banks, the RAF needs to be integrated and embedded more closely into the other structural processes of the institution, such as strategy, budget process, capital and liquidity planning, recovery plan and remuneration framework.
    • The review found that the quality of the governance and deployment of the RAF depended on its level of maturity. In some more recent, less mature RAFs, the governance often needs to be better formalised. Even in more mature RAFs, however, the involvement of essential stakeholders such as the board and the internal audit function should be further strengthened. Last, but not least, for all the institutions, the establishment of the RAF at the level of entities and business lines could still be improved.

Compliance tips and next steps

The ECB's findings are a blueprint for the euro zone regulatory expectations in terms of board governance, risk management and the deployment of the RAF. The findings can also be used more widely as a benchmark for all firms, particularly the approach to internal control functions. Governance requirements included the need for the board to have full and direct access to heads of internal control functions, and this access should not be intermediated through executive management. The heads of the internal control functions should also report regularly to the board or its relevant committees. 

The ECB noted that some firms have implemented a semi-annual report from the chief compliance officer to the risk committee concerning the main developments and risk areas related to compliance. In many institutions, the chief risk officer reported quarterly to the risk committee. In the largest institutions, this frequency was found to be "even higher", the report found.

The ECB's expectations about the positioning of the risk and control functions have been made clear. For example, each institution should have a chief risk officer (CRO) or a senior risk officer with exclusive responsibility for the risk management function and for monitoring the risk management framework across the entire organisation. Although the CRO reporting line differs from one institution to another, the CRO should report to the board and/or the CEO and should have direct access to the board or its risk committee without impediment. 

Similarly, the chief compliance officer (CCO), as part of the second line of defence, is expected to have sufficient authority, stature, independence, resources and access to the board. The CCO should report directly to the board. 

The internal audit function, as part of the third line of defence, should be fully independent of business lines and of the second line of defence. In practice, the internal audit function should have a direct reporting line to the board or to the audit committee (or its equivalent). In addition, it should promptly inform senior managers about its findings so that timely corrective action can be taken.

Specifically for euro zone banks, the thematic review has identified follow-up supervisory actions for 2016, as well as areas for forthcoming on-site inspections and aspects to focus on as part of the supervisory review and evaluation process. Banks will also be assessed on how well they have implemented the actions included in the individual follow-up letters sent to banks, and deep-dive investigations will be performed on a sample of firms on specific governance areas, such as the oversight role of the board on risk and control functions and the RAF implementation.

Governance will remain at the top of the ECB's single supervisory mechanism priorities as it seeks to foster both consistency of approach and the highest standards. In the follow-up to the thematic review, the single supervisory mechanism will also continue to build on its policy recommendations to promote good practices and to play an active role in the definition of international standards.


  • Susannah Hammond is senior regulatory intelligence expert in the Enterprise Risk Management division of Thomson Reuters Regulatory Intelligence; the views expressed are her own