19 September 2024

ECB's Draft Guide On Governance And Risk Culture

KPMG in Cyprus

Contributor

KPMG has been operating in Cyprus since 1948 and currently employs more than 800 professionals working from 6 offices across the island. It is a member of KPMG International Limited, a global organisation of independent professional services firms providing Audit, Tax and Advisory services. KPMG operates in 143 countries and territories and has approximately 273,000 people working in member firms around the world. Clients look to KPMG for a consistent standard of service based on high-order professional capabilities, industry insight, local knowledge and expertise.

In July 2024, the European Central Bank (ECB) released its draft guide on governance and risk culture (the Guide). This document outlines key supervisory expectations for assessing supervised entities within the current regulatory framework, in addition to existing requirements from the European Banking Authority's guidelines on internal governance and those of respective National Competent Authorities. The Guide highlights observed best practices as well as potential red flags in governance, behavior, and culture.

The importance of broader governance principles has been underscored in recent ECB publications, including the May 2024 guidance on effective risk data aggregation and reporting.

The Guide links risk culture attributes with governance arrangements such as the Management Body and leadership responsibilities, effective communication and transparency, risk ownership and accountability, remuneration incentives, risk appetite, and the expectations across the three lines of defense. Entities are generally expected to define culture, values, and codes of conduct, as well as to monitor and periodically report these to the Management Body.

The Guide emphasizes the role of the Management Body in setting the tone from the top, highlighting its responsibilities, composition, suitability, independence, and the documentation of criteria in policies, including diversity.

Described as a cornerstone of a sound governance framework and a driver of a bank's strategy, the design of the Risk Appetite Framework includes both financial and non-financial risks, with defined limits and qualitative and quantitative metrics. This framework should promote risk awareness and contribute to the overall risk culture.

The Guide also addresses the robustness of internal control mechanisms, which rely on a strong three lines of defense model. It clarifies the responsibilities of the first line of defense, emphasizing that business lines are accountable for the risks they take in operational arrangements, which may include front office, back office, and support functions (e.g., HR, Legal, IT). The independence of internal control functions is stressed, along with detailed responsibilities.

Next Steps for Banks

To align with the ECB Guide, banks could consider the following actions:

  • Review the robustness of existing governance arrangements, organizational structures, decision-making authorities, defined lines of responsibility, and internal control mechanisms.
  • Identify and evaluate cultural and behavioral patterns across the organization, both top-down and within different group dynamics, ensuring that risk-taking behaviors align with the overall risk culture.
  • Assess the alignment of the approved risk appetite with remuneration packages and incentives.
  • Evaluate the effectiveness of risk management practices, including clarity in roles and responsibilities for managing relevant risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
