Weekend Reading: The ECB's New Guide on Governance and Risk Culture — Evolution, Not Revolution
By: Erich Hoefer, Co-Founder & COO of Starling
Over the last 10 years, banking regulators worldwide have increasingly emphasized the critical importance of organizational culture in financial institutions. Bodies like the Financial Stability Board (FSB) and the Basel Committee on Banking Supervision (BCBS), as well as many national supervisors, have all insisted that a sound culture is essential for prudent risk-taking, effective governance, and ultimately, the safety and soundness of banks.
Yet, for all this talk, there's been a conspicuous lack of concrete guidance. Regulators have seemed reluctant to prescribe specific desired cultural practices, perhaps wary of 'one-size-fits-all' pitfalls. Banks, meanwhile, have sought clearer direction. After all, culture initiatives can be resource-intensive. Many institutions are understandably hesitant to invest heavily without a clearer regulatory roadmap. What data regarding culture will regulators find credible and compelling?
Without a clear answer to so basic a question, the industry has remained mired in a bit of a standoff, with both regulators and firms gesturing vaguely at the importance of culture, but neither side making bold moves. Now, it seems, the European Central Bank (ECB) is taking a step to break this impasse.
The ECB's 2024 Guide on Risk Culture
With the release of its draft "Guide on governance and risk culture," the ECB has offered some of the most explicit supervisory expectations we've seen to date on what good culture looks like and how banks should approach it.
The Guide represents a significant update to their 2016 supervisory statement on governance and risk appetite. Although it is offered for guidance only and does not carry the weight of a regulatory standard, the ECB has made it clear that, with respect to governance and culture, expectations for boards and management teams have changed.
Through the Guide and its other supervisory efforts, the ECB has sought to elevate "risk culture," and to cast it as a critical component of corporate governance and risk management.
At a stakeholder meeting during which the ECB sought industry feedback on the proposed changes, Frank Elderson, Vice-Chair of the ECB Supervisory Board, was pointed in making the case for culture as a matter of supervisory interest: "In supervision we see that qualitative shortcomings in governance and risk culture are all too often the root cause of banks' vulnerabilities that can later resurface also in quantitative areas such as banks' liquidity positions," Elderson said. "Various banking crises have shown that it is often in a bank's culture that the first whispers of trouble can be discerned."
The Guide provides a definition of "risk culture" that establishes important context.
"… [R]isk culture relates to a bank's governance and to behavioural and cultural patterns. Governance concerns the more formal aspects of risk culture, such as a bank's organisational structure and the procedures, control frameworks and policies that are in place, while behavioural and cultural patterns can be found in decision-making, leadership and communication styles. There are different cultural drivers for these behavioural patterns, such as group dynamics and collective mindsets, identified at all levels of the bank, including management bodies, senior management, middle management and staff."
As we discussed recently in another Weekend Reading, regulators globally have struggled to settle on what constitutes "risk culture" and what it tells us about the relationship between policies and process, on one hand, and behavior and culture on the other. "Do we expect risk culture to determine the efficacy of risk governance," we asked, "or are risk governance mechanisms meant to enforce the desired precepts of risk culture?" What comes first, the chicken or the egg?
Regular readers of Starling Insights will know that we view governance and culture as distinct but intertwined in a mutually supportive manner. Rather than one preceding the other, governance and culture operate in tandem — the double-helix of organizational DNA.
What is referred to as "governance," we describe as the formal structures by which an organization is managed, while the term "culture" captures the equally important but informal structures that direct operations and shape performance outcomes. Both governance and culture are rightly of equal supervisory interest, but they are distinct.
By lumping both of these structural features together under the umbrella term of "risk culture," the ECB appears to have recognized that both governance and culture are important, but it has provided little clarity as to how the two functions interact, or how we are to test for whether they are interacting in a mutually-supportive manner or operating at cross-purposes.
The Guide further outlines four key dimensions of risk culture on which banks should focus:
These themes aren't new. The Financial Stability Board (FSB) described these as useful indicators in 2014 and the European Banking Authority (EBA) repeated the list in its own guidelines on governance in 2021. In both cases, the FSB and EBA offered a brief summary with the caveat that these are only representative of the aspects of culture that are of supervisory concern.
In its current proposed update, however, the ECB goes much further. In addition to establishing the above "four dimensions of risk culture," the ECB has provided expectations for each and specified steps banks can take to implement them successfully. This latter guidance takes the form of specific process and cultural recommendations, and what the ECB describes as "best practices" observed among the banks it supervises.
Perhaps the most significant shift is in the expectations of boards. While the ECB's 2016 statement focused primarily on the board's role in oversight and challenging senior company officers, the new Guide expects boards to ensure the delivery of effective governance and risk management.
It's quite a step up. Specifically, the Guide states that the management body "defines, oversees and is accountable for the implementation of the governance arrangements that ensure effective and prudent management of the bank." It calls for boards to have "adequate collective knowledge, diversity of skills and experiences to be able to understand the institution's activities, including the main risks."
The Double-Helix of Organizational DNA
We welcome this initiative and applaud the ECB for recognizing the importance of culture, but there are a number of areas where we believe the ECB's approach may lead to confusion and unintended consequences. We detailed these concerns in Comments we submitted to the ECB this past week.
First, the ECB focuses almost exclusively on "risk culture," rather than organizational culture more generally. While there are some aspects of culture with more immediate impact on risk, to imply that only these culture considerations are of supervisory interest is to ignore the broader cultural context in which risk management and risk-taking occur. Further, by limiting its definition to the "Four Dimensions" mentioned, the ECB makes it more likely that this narrow focus will result in blind spots that impair root cause analyses.
Second, under the "risk culture" umbrella, the Guide conflates formal structures of governance (e.g., policies and processes) with informal structures (e.g., behavioral norms and patterns among "mindsets"). As outlined above, both the formal (governance) and informal (culture) structures at work in an organization warrant supervisory attention. The Guide, however, conflates process-change efforts with culture-change efforts in a way that will likely lead to 'tick-box' exercises rather than meaningful change.
And third, while the Guide acknowledges the importance of culture at all levels, it focuses primarily on processes and behaviors at the Board and C-suite level of the firm. While this view is certainly important, it betrays a traditional focus on 'Tone from the Top' and fails to provide guidance as to how firms can effectively assess and purposefully shape cultural factors throughout the organization.
Assessing Culture Risk Governance — The Starling Diagnostic Framework
We have offered our own views on what we call "Culture Risk Governance," and we have described how this diagnostic Framework can be used by management teams and supervisors to assess both the formal (governance) and informal (culture) operants that collectively determine performance outcomes. We described this approach in recent weeks here and here.
In our diagnostic Framework, the formal structures that management can directly manage, to include policies and processes, are best thought of as "inputs." The performance outcomes and the problems that keep management teams up at night are viewed as resulting "outputs." At work in between are people, presumptions, and practices — operational "throughputs." Effective Culture Risk Governance requires attention to all of these dimensions.
Inputs
Throughputs
Outputs
By attending to these 7 elements of Culture Risk Governance, we can better understand how formal and informal elements interact and test for efficacy before problems are made visible through Culture Risk Governance failures. This Framework enables firms to provide assurance to their supervisors that effective Culture Risk Governance is in place or, when remedial measures are needed, the Framework allows us to identify where interventions must focus.
The ECB should acknowledge that board members are already overwhelmed by data. If boards are to meet the dramatically expanded expectations placed upon them under the terms of the current Guide, then they will need to embrace new methods and metrics. The Framework we outline here and in our Comments to the ECB is aimed at establishing these new methods and metrics.
As we await the final version of the Guide, it's worth considering how current approaches to governance and risk culture measure up to evolving expectations. We're interested in our readers' thoughts on this: Do you agree with our take? Where do we go from here?
This piece first appeared in Starling Insights' newsletter on October 20, 2024. If you are interested in receiving our thrice-weekly newsletter, among many other benefits, please consider signing up as a Member of Starling Insights.