Governance and Risk Culture | DORA

On 24 July 2024, the European Central Bank (“ECB”) unveiled its ‘Draft Guide on Governance and Risk Culture’ (“Guidance”), replacing the June 2016 SSM Supervisory Statement. The Guidance highlights the significance of establishing a robust governance framework for effective risk management.

Fundamentally, the ethos is “Well-run banks mean safer banks”, as stated by Supervisory Board Vice-Chair Frank Elderson. In line with this principle, the ECB stressed in its press release that good governance is not merely a regulatory requirement but a foundational pillar that secures both the safety and soundness of banks. Governance has consistently been a primary focus of the Single Supervisory Mechanism's supervisory priorities. This began in 2015 with a thematic review on governance and risk appetite for all significant institutions. It was followed by a thematic review on governance for less significant institutions in 2021 and a targeted analysis of management body effectiveness and diversity from 2022 to 2024.

This underpins the stability of the EU's financial system, bolsters public trust in the banking sector and marks a crucial step in enhancing the stability and resilience of the banking sector across the European Union.

The consultation period for the Guidance runs until 16 October 2024; comments can be submitted using this template and forwarded to SSMPublicConsultation@ecb.europa.eu. [1]

Identifying the key components of the Guidance

1. Establishing Clear Accountability

The establishment of clear accountability within an organisation is one of the core foundations of the ECB's new Guidance. Responsibilities for risk management must be well-defined across all levels. This clarity in accountability aims to nurture a culture where individuals understand their specific duties and, most importantly, are aware of the impact of their actions on the organisation's risk profile.

2. Promoting Effective Communication and Challenge

The governance framework must also facilitate open communication and constructive challenge at all levels. This approach enables issues to be raised and addressed promptly, creating an environment where both feedback and concerns about risk management can be discussed without hindrance. The Guidance highlights that effective communication channels are vital for identifying potential risks early and ensuring that they are mitigated before they escalate.

3. Incorporating Risk Culture in Strategic Decisions

Notably, Elderson clarified that a “sound risk culture does not mean taking no risks at all.”[2] Integrating risk considerations into strategic decision-making processes is another pivotal aspect highlighted by the ECB within the new Guidance. The management body and senior management define values and set expectations for the bank’s risk culture. In particular, the management body should ensure that risk appetite and strategic goals are aligned, embedding risk culture into the very fabric of the organisation’s strategy.

4. Utilising Risk Dashboards and Metrics

Implementing an aggregated and consolidated risk appetite dashboard, comparing risk exposure and risk limits to the appetite for both financial and non-financial risks, is recommended in order to track risk-related metrics and promote transparency within the organisation.[3] Such dashboards provide a visual representation of the organisation’s risk profile, intended to enable management to monitor and respond to risk indicators in real time.

5. Building a Risk-Aware Workforce

Continuous training and awareness programs are essential for embedding a risk culture within an organisation. A risk-aware workforce is better equipped to both recognise and manage potential risks. Such programs should be ongoing, evolving with the changing risk landscape to keep employees informed and prepared.

Conclusion

The ECB’s Draft Guide on Governance and Risk Culture emphasises that fostering a robust risk culture requires a dual approach:

1. Implementing a comprehensive governance framework, and

2. Ensuring continuous staff training and awareness.

These measures are instrumental not only in maintaining high risk-management standards but also in complying with the laws incumbent on banks, such as the imminent Digital Operational Resilience Act (“DORA”).

News Update by J.J. Galea

For assistance or inquiries regarding Financial Services and Innovative Technologies, please contact Dr Ian Gauci and Dr Cherise Abela Grech.


[1]https://www.bankingsupervision.europa.eu/legalframework/publiccons/html/governance_and_risk_culture.en.html#:~:text=As%20part%20of%20the%20public,institutions%20and%20other%20interested%20parties.

[2] https://www.bankingsupervision.europa.eu/press/blog/2024/html/ssm.blog240724~a4e2c38688.en.html

[3] Guidance, p. 54

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.