18 November 2020

SSM: Good governance in times of crisis

The coronavirus (COVID-19) pandemic represents the biggest test for banks since the 2008 financial crisis. Against this backdrop, it is crucial that banks make the right decisions so that they are able to weather the pandemic shock which is pushing the global economy into recession.

 Good governance and effective internal controls play an important role in fostering responsible decision-making. These areas have been a key focus of supervisory attention since the very start of European banking supervision, as they make banks more resilient, especially in crisis situations like the present one.

While the current economic context is uncertain and can change rapidly, certain overarching governance principles are as relevant as ever: banks need checks and balances at all levels, a clear organisational structure with well-defined lines of responsibility and effective risk management and controls. It goes without saying that some governance arrangements may need to be adjusted to address the unique issues stemming from the crisis.

In the course of its supervisory tasks, the ECB has identified a number of good and bad practices, building on its existing expectations in three key areas: internal governance arrangements, internal control functions and risk data aggregation.

Banks need to have clear internal governance arrangements in place, especially during times of instability. To cope with the COVID-19 crisis, banks have either built on their existing committee structures or established new crisis committees. One good practice that banks have adopted is to diversify the composition of committees by including representatives from different areas of expertise, including operational continuity, information technology and infectious diseases, in addition to the usual stakeholders (like business lines, risk management and compliance).

Another good practice relates to the role of the management body, which has a major impact on how banks respond to a crisis. The management body in its management function is expected to take crisis-related decisions on a sound and well-informed basis. Most advanced banks have managed not only to focus on the material aspects of the crisis but also to reprioritise projects, make good use of teleworking and digital opportunities and adjust their strategy, when needed, within a reasonable time frame.

As an area for improvement, the management body in its supervisory function should be more involved so that it can provide stronger oversight of strategic decisions proposed by executive directors. Some non-executive directors still lack oversight on important topics, such as credit risk management, capital planning, and conduct risks emerging from the crisis.

Effective internal controls play a crucial role in ensuring that banks can properly monitor, manage and mitigate their risks, both in normal times and in times of crisis. This can be achieved through strong control functions and a sound risk appetite framework.

Control function	Examples of good practices
Risk management	Incorporating credit support measures in risk management, including adjustments to the internal model framework; conducting additional quality checks of credit underwriting standards.
Compliance	Implementing additional controls to prevent fraud and misconduct.
Internal audit	Adjusting audit plans to allow for an increased focus on credit risk, IT and cyber risks, conduct risk, and capital and liquidity management.

A risk appetite framework sets out the different types of risk a bank is willing to take on and establishes risk limits. It enables banks to compare their risk profile to their risk appetite and helps them to monitor their risks and take any corrective action. During the crisis, some banks appear to have adjusted risk limits solely to avoid breaching certain thresholds. We consider this to be a bad practice, as it hampers banks’ ability to monitor risks effectively and, in particular, to identify any potential deterioration in their risk profile.

The COVID-19 crisis is also having an impact on the work plans of banks’ internal control functions. While some functions have been able to reprioritise their work to focus on the areas most affected by the pandemic, others have not. This is a cause for concern, as the latter less agile functions may not be able to set the right priorities or identify areas requiring attention.

Last but not least, sound risk data aggregation and reporting underpin effective risk management. Relevant, accurate and timely data play a key role in supporting decision-making and building reliable and credible scenarios for planning purposes. This requires banks to have robust data governance and IT infrastructures in place.

These topics have been on the supervisory agenda for a number of years and ECB Banking Supervision has repeatedly called on the sector to strengthen its capabilities. Yet, the pandemic has shown that many banks still face challenges in this area, both internally and when addressing supervisory requests. This could hamper well-informed decision-making and thus undermine the response to the crisis.

To conclude, good governance is a key asset – and even more so in times of crisis, when uncertainty is high. It requires good communication, both within the bank and with external stakeholders, as well as proper accountability for risks and sufficient transparency at all levels.

ECB Banking Supervision has already engaged with banks on a number of topics related to the crisis. As part of its ongoing Supervisory Review and Evaluation Process (SREP), it is finalising ad hoc recommendations that will identify areas where banks need to make progress, especially in the light of the persistent uncertainty and the evolution of the pandemic.

Area Red flags in supervisory assessments Internal governance

Insufficient strategic steering and/or reprioritisation of projects; insufficient constructive challenge of executive directors by the management body in its supervisory function.

Control framework

Insufficient challenge of business lines by the risk management function; limited capability of the internal control functions to adapt their annual planning to reflect the crisis.

Risk data aggregation

Data aggregation issues caused by lack of integrated IT systems and manual data collection; slow development and implementation of crisis scenarios and forecasts.

© ECB - European Central Bank