Risk Culture, Risk Governance, and Balanced Incentives
Recommendations for Strengthening Risk Management in Emerging Market Banks

First printing, August 2015

All rights reserved. May not be reproduced in whole or in part by any means without the written consent of the International Finance Corporation.

The conclusions and judgments contained in this report should not be attributed to, and do not necessarily represent the views of, IFC or its Board of Directors or the World Bank or its Executive Directors, or the countries they represent. IFC and the World Bank do not guarantee the accuracy of the data in this publication and accept no responsibility for any consequences of their use.

IFC, a member of the World Bank Group, creates opportunity for people to escape poverty and improve their lives. We foster sustainable economic growth in developing countries by supporting private sector development, mobilizing private capital, and providing advisory and risk mitigation services to businesses and governments.

Acknowledgements

This report was commissioned by IFC through its Global Risk Management Advisory Program within the Financial Institutions Group. The program’s objective is to strengthen financial institutions’ risk management capacity and frameworks, while helping MSMEs access sustainable and responsible financial services in emerging markets, by taking a comprehensive approach that covers all aspects of sound risk management, including risk governance, market risk, liquidity risk, credit risk, operational risk, asset liability management, and capital adequacy. The program aims to demonstrate that growth and resilience to financial crises require the implementation of better risk management systems and processes.

The report “Risk Culture, Risk Governance, and Balanced Incentives: Recommendations for Strengthening Risk Management in Emerging Market Banks” was developed under the overall guidance of Cameron Evans and Shundil Selim.
The team would like to acknowledge the contribution of IFC’s internal peer reviewers: Garth Bedford, Charles Travis Canfield, and Kiril Nejkov. IFC would particularly like to thank the team at Deloitte, which was commissioned by IFC to produce this report. The Deloitte team was led by Julie Nyang’aya and included Urvi Patel and Crispin Njeru. Deloitte is the brand under which tens of thousands of dedicated professionals in independent firms throughout the world collaborate to provide audit, consulting, financial advisory, risk management, tax and related services to select clients. These firms are members of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”).

IFC would especially like to acknowledge and thank the Government of Japan for their contribution and partnership in the Global Risk Management Advisory program and this report.

Table of Contents

Abbreviations (page ii)
1 Executive Summary (page 1)
2 Risk Culture in Banks (page 7)
2.1 Introduction (page 7)
2.2 Best Practices in Risk Culture (page 10)
2.3 Risk Culture Maturity Rating Scale (page 20)
2.4 Conclusion (page 21)
3 Risk Governance in Banks (page 22)
3.1 Introduction (page 22)
3.2 Best Practices in Risk Governance (page 24)
3.3 Risk Governance Maturity Rating Scale (page 42)
3.4 Conclusion (page 44)
4 Incentive Programs in Banks (page 45)
4.1 Introduction (page 45)
4.2 Best Practices in Balanced Incentive Programs at Banks (page 46)
4.3 Balanced Incentives Program Maturity Rating Scale (page 53)
4.4 Conclusion (page 55)
5 Conclusion (page 56)
6 Appendix 1: Implementing the Best Practices (page 58)
7 Working Definitions (page 63)
8 Annexes (page 65)
Annex 1: Illustrative Code of Conduct (page 65)
Annex 2: Illustrative Whistle-Blower Policy (page 70)
Annex 3: Illustrative Board Risk Committee Charter (page 72)
Annex 4: Illustrative Terms of Reference for a Chief Risk Officer (page 75)
Annex 5: Illustrative Risk Appetite Statement (page 76)
Annex 6: Illustrative Training Program for the Board of Directors (page 77)
Annex 7: Illustrative Training Program for Risk Champions (page 78)
Annex 8: Illustrative Board Risk Committee Evaluation Questionnaire (page 79)
9 References (page 81)

Abbreviations

BAC: Board Audit Committee
BARC: Board Audit Review Committee
BIRMC: Board Integrated Risk Management Committee
BRMC: Board Risk Management Committee
CAE: Chief Audit Executive
CBRC: China Banking Regulatory Commission
CCO: Chief Compliance Officer
CEO: Chief Executive Officer
CFO: Chief Finance Officer
CRO: Chief Risk Officer
EBITDA: Earnings Before Interest, Tax, Depreciation and Amortization
ERM: Enterprise Risk Management
ESMA: European Securities and Markets Authority
ESOP: Employee Share Ownership Plan
EU: European Union
FCA: Financial Conduct Authority
FSA: Financial Services Authority
FSB: Financial Stability Board
FSI: Financial Services Industry
GFSI: Global Financial Services Industry
ICAAP: Internal Capital Adequacy Assessment Process
ICT: Information and Communication Technology
IFC: International Finance Corporation
IIA: Institute of Internal Auditors
IIF: Institute of International Finance
IMF: International Monetary Fund
IRGC: International Risk Governance Council
IRM: Institute of Risk Management
ISO: International Standards Organization
IT: Information Technology
KPI: Key Performance Indicator
KRI: Key Risk Indicator
LIBOR: London Interbank Offered Rate
MSME: Micro, Small, and Medium Enterprises
PRA: Prudential Regulation Authority
RAF: Risk Appetite Framework
RAS: Risk Appetite Statement
RCSA: Risk and Control Self-Assessment
SME: Small and Medium Enterprises
USD: United States Dollar

1 Executive Summary

1.1 Background

The International Finance Corporation (IFC), as a member of the World Bank, believes that sound, inclusive, and sustainable financial markets are essential to building shared prosperity and ending extreme poverty. Access to finance is a key barrier to the growth of Small and Medium Enterprises (SMEs) and the establishment of micro-enterprises.
The access to finance gap in emerging markets is large—2 billion adults do not have access to savings or credit, while 200 million micro, small, and medium enterprises (MSMEs) do not have access to credit. Working through financial intermediaries enables IFC to encourage them to become more involved in sectors which are strategic priorities such as women-owned businesses, climate change, and agriculture and in underserved regions such as fragile and conflict-affected states as well as in housing, manufacturing, infrastructure, and social services. Our work with these clients has supported an estimated 100 million jobs. Through its Advisory Services, IFC has also scaled up the sustainable provision of financial services in developing countries by addressing systemic issues such as credit information and credit bureaus, improvements in risk management, corporate governance, and the introduction of environmental and social standards.

The global financial turmoil which set in half a decade ago, and whose impact continues to be felt through a sluggish global economy, has affirmed the importance of sound financial systems, and in particular the role which effective risk management plays in ensuring sustainable growth of an economy. The Euro and United States of America (US) subprime crises have demonstrated that even within a tightly regulated financial system, hard-earned growth can be easily eroded in the absence of certain aspects of good governance principles and management practices.
A key area of attention that has emerged from the diagnosis of the financial crisis is the critical importance of risk culture, risk governance, and balanced incentives within financial institutions as preconditions for maintaining an effective risk management framework. A lot of research and studies have been done on the impact of these three components with a focus on the failures in developed markets and on large banks. There has been little or no focus on the impact of similar issues in emerging markets. The IFC Global Risk Management advisory program aims to strengthen financial institutions’ risk management capacity and frameworks and has published this best practice handbook to expand the knowledge and research on practices on risk culture, risk governance, balanced incentives, and the impact these three components have on effective risk management.

A number of studies¹ have already been published on the impact of these three components, with a focus on the failures, practices, and trends in developed markets and on large banks, particularly in North America and Europe. This handbook, therefore, focuses on providing guidelines and references to assist banks in emerging markets and includes examples of current practices in these regions.

¹ Accenture, Global Risk Management Study, 2013, indicated having 61% responses from North America and Europe; KPMG’s Expectations of Risk Management Outpacing Capabilities: It’s Time for Action, 2013, had 50%; Ernst & Young, Remaking Financial Services: Risk management five years after the crisis: A survey of major financial institutions, 2013, had 56%; and Deloitte & Touche LLP, Global risk management survey, eighth edition: Setting a higher bar, 2013, had 58% respondents from developed markets.

1.2 About the Handbook

This handbook was developed through research and consolidation of guiding principles as published by various authoritative sources. These sources include the Basel Committee on Banking Supervision, International Monetary Fund (IMF), European Securities and Markets Authority (ESMA), Financial Services Authority (FSA) UK, which has since April 2013 been redesigned to create the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), the World Bank, the Institute of International Finance (IIF), the European Banking Authority (EBA), Financial Stability Board (FSB), professional services organizations’ publications, as well as bank regulators in various regions.

The above research has been complemented through the inclusion of case studies. Case study examples included in this handbook were obtained from discussions and questionnaires completed by local banks operating in emerging markets and from publicly available information. Indigenous banks from the six emerging market regions of East Asia and Pacific, East Europe and Central Asia, Latin America and the Caribbean, Middle East and North Africa, South Asia, and Sub-Saharan Africa were invited to participate in the research that guided the development of this handbook. The banks’ responses were voluntary. The handbook therefore includes case studies on particular risk management practices from representative banks in the regions that opted to participate. The participating institutions ranged from commercial banks offering retail and corporate banking services to SMEs (including microfinance institutions) to listed and large state-owned banks with extensive regional networks.

The approaches provided in this handbook are complementary to a bank’s existing risk management practices and framework and can provide a useful tool and guide for banks to further improve the effectiveness of their risk management activities. In risk management, there cannot be a “one size fits all” solution, and therefore the recommendations provided should be tailored to fit each bank’s size, complexity of business, and any other rules, regulations, and guidelines provided by the bank’s regulator.

1.3 Benefits of the Handbook

The handbook provides some answers to the following questions that have been in the forefront of the Financial Services Industry (FSI) and especially banks in their pursuit of effective risk management programs:

• What are the key characteristics of the “softer” qualitative factors of risk culture, risk governance and balanced incentives? What is their impact on effective risk management?
• Is there a way for a bank or a third party to benchmark or to assess these factors? Upon assessment, how can these factors be implemented?

The handbook has incorporated assessment tools and maturity rating scales which banks or third parties such as investors can use to benchmark a bank’s risk policies against best practices and to identify gaps within its existing risk management practices in the areas of risk culture, risk governance, and balanced incentives.

Lastly, the handbook contains an implementation guide included under Chapter 6, Appendix 1, which provides systematic guidance on how banks can achieve their desired risk culture, risk governance, and balanced incentives plans so as to support their risk management programs. The guide encompasses an approach on current assessment of a bank’s practices, implementation of desired practices, and continuous monitoring and improvement of the bank’s practices.

1.4 Sections of the Handbook

The handbook is divided into three chapters, which focus on best practices in risk culture, governance, and incentives and their impact on effective risk management. Each chapter discusses the best practices in each of these areas along with a maturity rating scale that can help organizations undertake a self-assessment against defined qualitative maturity assessment factors.

Risk culture is a good indicator of how widely a bank’s risk management policies and practices have been adopted.² It encompasses the general awareness, attitudes, and behaviors of the bank’s Board of Directors, senior management, and employees toward risk. In its journey toward effective risk management, a bank should first understand its existing risk culture and measure how well it supports the organization’s risk strategy and risk management approach. Various tools, such as the Risk Culture Framework, can help banks understand their existing risk culture.³ The Risk Culture Framework (see Figure 1) provides details of risk culture drivers and subcomponents. The framework consists of four drivers: risk competency, organization, relationships, and motivation.

[Figure 1: Risk culture framework. Four drivers surround Risk Culture at the centre: Risk Competence (how the management competence of the bank is built: learning, skills, recruitment and induction); Organization (how the risk environment is structured and what is valued: strategy and objectives, values and ethics, policies, procedures and processes); Relationships (how people in the bank interact with others: communication, leadership, challenge, senior management); Motivation (the reasons why people manage risk the way that they do: performance management, risk orientation, personal responsibility, accountability). Adapted from Deloitte, Cultivating a Risk Intelligent Culture (2012).]

To enhance the understanding of risk culture and its inter-relationship with risk governance and balanced incentives, banks should consider the following key culture influencers:⁴

² Deloitte, Cultivating a Risk Intelligent Culture: Understand, measure, strengthen, and report, 2012, p. 3.
³ Ibid., p. 2.
⁴ Ibid.

• Risk Competence: This encompasses the bank’s recruitment, learning, skills, and knowledge in relation to risk. A bank can build on its existing risk competence through:
a. Skills: The Board of Directors, senior management, and employees should have skills for risk identification, assessment, and identifying mitigating actions. Regular training can enhance the risk management skills of these individuals across the bank, particularly with regard to best practices, regulatory requirements and knowledge of the bank’s key policies, processes and standards.
b. Learning: The bank should propagate knowledge of risk management to all its employees, senior management, and Board of Directors. To cope with the changing risk dynamics, a bank should have formal learning programs where the Board of Directors, senior management, and employees are required to learn risk management practices. The Human Resources or related department should work with the risk management function to identify or design suitable programs that enhance the Board of Directors’, senior management’s, and bank employees’ risk management capabilities within the context of the bank. The learning programs should be continually reviewed for relevance.
c. Recruitment and Induction: The bank’s recruiting process should take into consideration a prospective Board member or employee’s predisposition toward risk, plus their current knowledge and past experience on risk management. The bank’s induction programs for Board members and employees should include training on risk management to ensure that new employees and Board members are properly oriented on the bank’s view toward risks.

• Organization: These are the processes, procedures, and governance systems that support risk management. It is how the bank’s operating environment is structured and what is valued.
a. Strategy and Objectives: The bank should have clearly stated objectives. As part of the process of determining these objectives, the bank should identify the risks it faces and define an acceptable risk profile in its risk appetite statement. This is an iterative process whereby there is continuous assessment and evaluation of the risks and their potential implications within the strategy, objective, planning and oversight activities.
b. Values and Ethics: It is important that all bank personnel (i.e., Board members, management and employees) do not expose the bank to imprudent risk taking by working outside of the bank’s defined ethical principles. The bank should outline its value systems and encourage commitment by all to ensure the application of defined ethical principles in all business activities when making decisions. This may be extended to the activities of partnerships and relationships beyond bank personnel, such as, for example, outsourced service providers.
c. Policies, Processes and Procedures: The bank’s policies, processes and procedures should have sufficient management controls to promote prudent risk taking by employees within the acceptable risk appetite parameters. The policies, processes, and procedures should support holistic risk management and highlight the roles and responsibilities of each employee in the risk management process.

• Relationships: These are the interactions between the different hierarchical levels within the bank in areas specifically covering ethics, management, leadership behavior and communication flows. Banks can strengthen relationships through enhanced communication and constructive challenge in the following areas:
a. Effective Communication: Good corporate governance requires that risks are understood, managed and, where appropriate, communicated.⁵ There should be structured communication channels to ensure effective risk reporting within the bank and, where necessary, with external parties. The bank’s employees should be encouraged to identify and report on existing and emerging risks through a clearly defined escalation process. Communication also helps inform the whole bank of the importance placed by top management on staff having the right risk culture.
b. Leadership: The Board of Directors and senior management should be the main drivers of embracing the right risk culture. Whereas the Board of Directors sets the tone for risk management practices, senior management should support sound infrastructure and processes for risk management and should provide the appropriate tools to employees for successful risk management. It is important that business unit managers understand their responsibilities and, through the examples they set, promote and influence lower level employees to embrace the right risk culture.
c. Challenge: The bank should encourage constructive challenge on risk-related discussions. There should be an enabling environment for such two-way discussions across all functions and between the various levels in the bank from the Board to executives, managers to employees, peer to peer, and the risk function to the business. This challenge should be seen as a valuable and constructive activity without fear of reprisal.

• Motivation: This is the analysis of why people manage risks the way they do, how risk is taken into account in performance management, risk appetite, incentives, and obligations. Banks should align motivation systems through:
a. Performance Management: The bank should align its performance management systems toward prudent risk taking by senior management and employees. The Key Performance Indicators (KPIs) of senior management should include risk management measures, which should have an appropriate weighting to ensure they influence the right behavior.
b. Risk Orientation: There should be a common risk language throughout the bank. The Board and senior management should ensure that all employees understand and live the bank’s risk appetite statement. The nature of risks an employee is likely to take helps gauge his or her risk orientation. The bank should also ensure that its incentive mechanisms promote prudent risk taking among its senior management and employees.
c. Accountability: The risk function in a bank should constantly inform business units of the importance of risk management. Business units and employees within those functions should be held liable for any imprudent risks taken by them. Employee risk taking should be premised on the bank’s risk appetite and be in line with the approach to risks managed by the bank. The Board as a whole, senior management, and each employee should be held accountable, individually and/or collectively, for imprudent risks taken.

⁵ OECD, Risk Management and Corporate Governance, 2014, p. 7.

The subcomponents of this model have been used to develop the best practices in risk culture, risk governance, and balanced incentives as included in this handbook.

Table 1: Relationships between risk culture, risk governance, and balanced incentives
(Columns: Risk Culture, Risk Governance, Incentive Program. Each “x” marks one of the three aspects to which the element applies.)

Risk Competence
  Skills: x x
  Learning: x x
  Recruitment and Induction: x x
Organization
  Strategy and objectives: x
  Values and ethics: x
  Policies, procedures and processes: x x
Relationships
  Challenge: x x
  Leadership: x x
  Communication: x x x
Motivation
  Performance management: x x x
  Risk orientation: x x x
  Accountability: x x x

Table 1 shows the interrelationships between the risk culture framework elements as described above and the aspects of risk culture, risk governance, and balanced incentives.

1.4.1 Chapter Two: Risk Culture in Banks

An effective risk culture implies that the Board, senior management, and employees understand the bank’s approach to risks and take personal responsibility to manage risks in everything they do and encourage others to follow their example. A bank should encourage the Board, senior management, and employees to make the right risk-related decisions and exhibit appropriate risk management behavior by aligning its management systems and behavioral norms.

Creating an effective risk culture requires Boards and senior management to focus on the bank’s written rules that clearly define risk management objectives and priorities and to take a hard, honest look at any informal rules, protocols, the way workflows are performed, how decisions are made, and the link to the bank’s compensation practices. Often, it is these informal rules, practices and procedures that are strong influences in guiding people’s behavior. In doing this, Board members and senior management are responsible for setting the right tone at the top and for cultivating a bank-wide awareness of risks that fosters risk intelligent behavior at all levels of the bank.

Risk intelligence is the ability of a bank and its employees to distinguish between two types of risks: the risks that should be managed to prevent loss or harm; and the risks that must be taken to gain competitive advantage. It provides a bank with the ability to translate risk insights into superior judgment and practical action to improve resilience to adversity as well as improve agility to seize opportunities.

A bank’s risk culture is not a stand-alone component in its efforts toward effective risk management, but is intertwined with its risk governance practices as well as its incentive programs. Chapters two and three of the handbook further discuss risk governance practices and balanced incentive programs, respectively.

1.4.2 Chapter Three: Risk Governance in Banks

Risk governance refers to the principles of good governance applied to the identification, management and communication of risk. It incorporates the principles of accountability, participation and transparency in establishing policies and structures to make and implement risk-related decisions.⁶

⁶ International Finance Corporation, International Finance Corporation Control Environment Toolkit: Risk Governance, Model Risk Management Committee Charter, 2013, Sec. 2.1.25 (internal document on file with IFC).

For a bank to reap the benefits of effective risk management, the Board and senior management must show commitment to their risk governance responsibilities, which in turn influence the risk culture of the bank. While every employee in the bank plays a role in risk management, the oversight role of risk management and establishing the framework for good governance lies squarely with the Board.

A sound risk governance framework promotes clarity and understanding of the bank’s risk appetite and the ways in which bank employees execute their responsibilities. Risk governance should cover all aspects of risk management, which includes setting the bank’s risk appetite, risk identification, risk assessment or measurement, prioritization, mitigation actions, and continuous monitoring. The Board and senior management should define and assign responsibility for these risk management functions to ensure that all the functions are carried out effectively and efficiently. Effective risk governance is key to embedding the right risk culture in a bank as it clarifies the roles and responsibilities of its employees.

Incentives also play an important role, as they help shape employees’ attitudes toward assuming risk. Due to this interrelationship, risk culture, risk governance and balanced incentives have an interdependent relationship in their role of ensuring effective risk management programs.

1.4.3 Chapter Four: Incentive Programs in Banks

Building value for a bank requires effective risk taking, whether it is taking prudent risks to gain a competitive advantage or mitigating risks to avoid potential losses. The global financial crisis brought to the forefront the important role incentives play in shaping senior management and employees’ actions. A bank should aim to match incentives paid (or promised) to senior executives and employees with the risk being taken and the effective management of it to promote the achievement of its long-term objectives. Banks around the globe, and especially those in emerging markets and whose products, operations and complexity are steadily increasing, should learn from the global financial crisis and incorporate risk performance into their incentive programs.

Effective incentive programs within a bank aim to strike a balance between the bank’s practices, banking laws and regulations, fluctuating market conditions, and public perceptions. The Board has the responsibility of ensuring that the bank’s incentive compensation programs will support the pursuit of the bank’s long-term objectives. The Board should have an active role in the determination of the incentive compensation programs, and the potential impact on behavior, for the Board members, senior management, and all other employees.

Chapter three of the handbook discusses incentive programs.

2 Risk Culture in Banks

At a Glance

Risk culture is based on particular beliefs and assumptions.
These can Recommended best practices be clustered according to specific cultural tenets, including risk, integrity, in Risk Culture governance and leadership, decision-making, empowerment, teamwork, responsibility and adaptability. These tools are expressed in everyday workplace Common Values practices through attitudes and behaviors, and when they are expressed by leaders, they serve as powerful (human) culture embedding mechanisms. Tone at the top 2.1 Introduction Common risk language There cannot be a “one size fits all” solution to risk management— however, the method an organization uses to manage risks should align Application of risk management principles with and support its strategy, business model, business practices and risk appetite and tolerance. This is especially true for banks, where significant Timely, transparent and honest risk communications risk-based decisions are made throughout the organization on a daily basis. This has given the concept of enterprise risk management (ERM) to Risk management responsibilities become more relevant, especially after the global financial crises. Challenging discussions on ERM is a process, effected by the bank’s Board of Directors, senior risk management management, and employees, applied in strategy setting and across the Risk reporting and bank, designed to identify potential events that may affect the bank and whistle-blowing manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of its objectives. The argument on the importance of culture to a bank’s enterprise-wide risk management processes and compliance standards would be supported by many. 
ERM ensures the following:7
• The Board and senior management consider the bank's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks;
• Enhanced risk response decisions, by providing the process to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance;
• Reduced operational losses or surprises, by enhancing the capability to identify potential events and establish responses, reducing surprises and the associated costs or losses;
• By identifying and managing multiple and cross-functional risks, the bank has effective responses to the interrelated impacts, and integrated responses to multiple risks;
• By considering a full range of potential events, senior management is positioned to identify and proactively realize opportunities; and
• Obtaining robust risk information allows senior management to effectively assess overall capital needs and enhance capital allocation.

7 Adapted from Committee of Sponsoring Organizations of the Treadway Commission, Executive Summary: Enterprise Risk Management—Integrated Framework, 2004, pp. 1–4.

Case Study 1: An example of negative culture impact [a]

The London Interbank Offered Rate (LIBOR) is an interest rate at which banks lend unsecured funds to each other; it is published daily by the British Bankers' Association (BBA). Each morning, global banks submit their borrowing costs to the Thomson Reuters data collection service; after removing the highest and lowest 25 percent of the submissions, the calculation agent averages the remaining submissions to determine LIBOR. LIBOR is considered the most important benchmark interest rate, as many banks use LIBOR to set the interest rates for lending to consumers and businesses. When LIBOR rises, the rates and payments on loans often increase.

Some European banks were recently under investigation for allegedly manipulating the LIBOR rate. The employees of the banks submitted rates that would benefit the banks instead of the rates the banks actually paid for the funds they borrowed. One particular European bank manipulated LIBOR downward to appear less risky. In another European bank, its senior management took the blame for creating a system in which its employees were awarded huge bonuses if they took part in the scheme. Their focus on short-term return on equity and their competitive position led to a decline in culture and values. This practice undermined investors' confidence in the financial markets and distorted the pricing of trillions of dollars of financial instruments. The banks that participated in the LIBOR scandal have been sued, with some paying huge amounts in settlement claims. There has also been a push to scrap the LIBOR rate in favor of a new rate based on real transaction data.

[a] Alessi, C., Sergie, M.A., Understanding the Libor Scandal, 5 December 2013 [viewed on 11 November 2014].

Identifying what factors make a bank's risk culture strong, and how these factors can be aligned with risk and compliance initiatives, can, however, be a challenge. Even more challenging is how banks can go about improving their risk culture and measuring progress over time.

To a large degree, a bank's culture may influence how it manages risk when under stress. The risk culture of some banks, as shown above, can be a negative force, while for other banks it can provide both stability and a competitive advantage.

2.1.1 Risk Culture

Culture is amorphous; it is both visible and invisible. Culture shapes the way people act on a daily basis, and influential people inside and outside of an organization can shape it, too. It is often visible through the choices and actions people make. At other times, it is not evident, as some of the cultural drivers and ethos operate "below the surface." Nevertheless, they too influence choices and actions.8 It is usually a mix of the formal and informal practices and processes that shapes banks' decisions.

The bank's Board of Directors and senior management must demonstrate behavior consistent with the desired risk culture. They set the tone at the top, which trickles down to the employees and shapes their behavior. In cases where top management does not show commitment in driving the risk agenda, risk management may remain mere talk, with inadequate people, systems and resources in the risk management functions, leading to an ineffective risk management program.

The Board of Directors and senior management should ensure early identification and escalation of business risks and promote activities toward ensuring that the employees understand the bank's risk culture. This is possible through clearly defining and assigning roles and responsibilities for risk management functions.

8 Deloitte, Culture in banking: Under the microscope, 2013, p. 4.

Illustrative responsibilities in risk management include:9

Responsibilities of the Chief Executive Officer (CEO)/Board:
• Determine the strategic approach to risk and set the risk appetite;
• Establish the structure for risk management;
• Understand the most significant risks; and
• Manage the bank in a crisis.

Responsibilities of the Chief Risk Officer (CRO):
• Develop the risk management policy and keep it up to date;
• Document the internal risk policies and structures;
• Coordinate the risk management (and internal control) activities; and
• Compile risk information and prepare reports for the Board.

Responsibilities of the risk management function:
• Assist the company in establishing specialist risk policies;
• Develop specialist contingency and recovery plans;
• Keep up to date with developments in the specialist area; and
• Support investigations of incidents and near misses.

Responsibilities of the Chief Audit Executive (CAE):
• Develop a risk-based internal audit program;
• Audit the risk processes across the organization;
• Receive and provide assurance on the management of risk; and
• Report on the efficiency and effectiveness of internal controls.

Responsibilities of the business unit manager:
• Build a risk aware culture within the unit;
• Agree risk management performance targets;
• Ensure implementation of risk improvement recommendations; and
• Identify and report changed circumstances/risks.

Responsibilities of individual employees:
• Understand, accept and implement risk management (RM) processes;
• Report inefficient, unnecessary or unworkable controls;
• Report loss events and near-miss incidents; and
• Cooperate with management on incident investigations.

9 Adapted from The Association of Insurance and Risk Managers, A structured approach to Enterprise Risk Management (ERM), 2010, p. 12.

Facts or supporting analyses, including a holistic risk impact assessment, should form the basis of decision making in a bank. The bank should see the risk function as a strategic business partner to the business units, facilitating the sharing of knowledge and good practices.

2.1.2 Risk Intelligent Culture

To embed an effective risk culture in the bank's practices, the bank should aspire to reach a risk intelligent culture status. This implies that everyone in the organization understands the bank's approach to risks, takes personal responsibility to manage risks in everything they do, and encourages others to follow their example. A bank's management systems and behavioral norms should encourage people to make the right risk related decisions and exhibit appropriate risk aware behavior.

In doing this, boards of directors and senior management are responsible not just for setting the right "tone at the top," but also for cultivating an enterprise-wide awareness of risks at all levels of the bank.

Experience shows that culture change invariably follows behavior change, especially in critical positions. To jump-start the journey to risk awareness, it is far more effective to pull levers that affect how employees act, such as rewards, roles and responsibilities, and training, than to rely on pronouncements and processes alone to drive the desired change in behavior.

Critical drivers of effective risk culture should be monitored and managed just as conscientiously as any other driver of enterprise value. Formal assessments through surveys and interviews can help Boards and senior management understand their bank's existing cultural norms and ways to influence them. The more a leader can become part of the bank's culture rather than holding himself or herself above it, the better he or she will be able to understand its strengths, identify potential weaknesses, and develop strategies to keep the bank on the right track. It is also critical to align the bank's unwritten rules with its formal, written ones through constant reinforcement of the "right" way to behave. During a recent study, Culture in Banking, bankers rated the leaders of the business units as bearing most responsibility for setting and changing the culture, followed by the Chief Executive Officer (CEO), the Board of Directors (the Board) and the CRO, in that order.10 This reflects a known finding in social psychology: humans tend to conform to the behavior they see around them. Even with the Board taking overall responsibility for risk management, culture behaviors exhibit themselves in day-to-day operations, hence the higher perceived responsibility for those undertaking day-to-day management activities in the bank. When the Board does not set the correct tone for managing risks, risk awareness within the bank may be limited, as there is little or no sharing of information, concerns, and risk impacts within the bank.

Culture, while not easy to master, is crucially important in taking risk management beyond the mechanical articulation of rules and regulations. In the end, culture is what makes risk aware behavior "the way we really do things around here." The bank should recognize that the pursuit of its objectives inevitably means exposure to risk, and therefore the Board should take responsibility for addressing risk with every decision it makes. The best practices provided in this handbook would ensure the following nine principles of a risk intelligent organization are applied in a bank with the right risk culture:11
• A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the bank;
• A common risk framework supported by appropriate standards is used throughout the bank to manage risks;
• Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the bank;
• A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities;
• Governing bodies (e.g., Board, Board Audit Committee, Board Risk Committee, etc.) have appropriate transparency and visibility into the bank's risk management practices to discharge their responsibilities;
• Senior management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program;
• Business units are responsible for the performance of their business and the management of the risks they take within the risk framework established by senior management;
• Certain functions (e.g., HR, finance, IT, tax, legal, etc.) have a pervasive impact on the business and provide support to the business units as it relates to the bank's risk program; and
• Certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of a bank's risk program to governing bodies and senior management.

10 Deloitte, Culture in banking: Under the microscope, 2013, p. 21.

2.2 Best Practices in Risk Culture

Financial Services Industry (FSI) stakeholders such as governments, regulators, industry bodies, shareholders, and bankers have done much soul-searching since the global financial crisis of 2007/2008 to understand what went wrong and how they can prevent the crisis from happening again. The scale of the crisis led to the questioning of the strength of financial institutions and the suitability of the regulatory and supervisory systems that deal with ever-evolving financial products in a global world. Of particular importance were the following factors that indicated the absence of the "right" risk culture:12
• Lack of understanding of the risks and insufficient training for employees;
• Lack of authority of the risk management function;
• Lack of expertise or experience of the employees in the risk management function; and
• Lack of real-time information on risks.

Creating the "right" culture has the potential to do more than merely fix problems. The right culture can provide banks with a competitive advantage that is difficult for rivals to emulate. Getting the culture right may not be the ultimate panacea for all the bank's challenges. However, an effective risk culture can serve as the glue that binds together elements such as governance, risk management, compliance, and high-level systems and controls, and makes the bank cohesive and stronger.

The following recommended best practices, when adopted by a bank, can act as enablers of a risk culture, which would improve the overall effectiveness of its risk management programs:
11 Deloitte, Cultivating a Risk Intelligent Culture: Understand, measure, 12 European Commission, Corporate governance in financial institutions strengthen, and report, 2012, p. 7. and remuneration policies, 2010, p. 7. Risk Culture, Risk Governance and Balanced Incentives 11 • A common purpose, values and ethics: The Board of The code of conduct (See Annex 1 for an illustrative Directors, senior management, and employees should Code of Conduct) creates a common culture as the bank’s clearly understand the purpose for the bank’s existence, employees know and understand the bank’s expectations values, and ethics. of them. It provides guidelines that employees follow when • The right tone at the top: The Board of Directors and faced with difficult business decisions and improves the senior management should take responsibility for risk reputation of the bank, as its stakeholders are aware of its management, and their actions should indicate their corporate values. The code provides protection to the bank support of the same. if a Board member, senior manager, or employee commits a criminal act in the bank’s name. The following are • Common understanding of risk management terms: There guidelines a bank should undertake to develop an effective should be a consistent way of defining and understanding code of conduct: risks across the bank. • The code should be simple, principles-based, concise, and • Universal application of risk management principles: The written in language that is easily understood by all the Board of Directors, senior management, and employees bank’s employees; should apply risk management principles consistently as • The code should not include any legal language; they make their day-to-day decisions. 
• The code should apply to all Board members, senior • Timely, transparent, and honest communications on risks: The bank should ensure that both internal and external management, and employees, regardless of one’s hierarchy stakeholders are informed of the key risks facing the within the bank; bank and the mitigating controls or strategies in place to • The code should be developed by a cross-functional address the risks identified. team so as to address all relevant areas, have buy-in • Risk management responsibility: Risk management is across the bank, and represent the bank’s institutional everyone’s business and should be seen this way across the values. The team should include representatives from bank. human resources, risk management, internal audit, communications, legal, and any other function that may • Expectations of challenging discussions around risk be deemed important; and management: Conversations around risks facing the bank • The code should be regularly revised to reflect any should be encouraged, as well as an environment that supports open, iterative discussion and debate of the risks. changes in the banking and regulatory environment in which the bank operates. • Risk reporting and whistle-blowing mechanism: The bank should have processes for risk reporting to the Board and Whereas different banks may have codes of conduct with other relevant key stakeholders. Mechanisms for whistle- varying sections, the following, at a minimum, should be blowing should be encouraged within the bank. 
included in a bank’s code of conduct: • An introductory letter from the Board and senior 2.2.1 Commonality of Purpose, Values, and Ethics in the Bank management that sets the tone at the top and defines the importance of the code and the need for compliance A bank’s Board of Directors, by each member of the Board, senior management and Checkpoint: senior management, and employee in the bank; employees have a duty and ü ü The bank has a • The bank’s mission statement, vision, values, and guiding responsibility to be accountable code of conduct principles that reflect the bank’s commitment to ethics, to their employers, customers, ü ü Sign off on the integrity, and quality; depositors, creditors, colleagues, code of conduct the banking profession itself, • An ethical decision framework to assist employees in regulators, and the public. making the right choices and thinking of the consequences of their actions, and seeking help when unsure; To facilitate commonality of purpose, values, and ethics as a • A listing of the available resources for obtaining guidance, means of enhancing the bank’s risk culture, the bank should means to report issues anonymously, how to contact an define and establish a code of conduct to act as a guide for ethics officer, and the reporting chain of command; application in specific situations. 12 Chapter 2: Risk Culture in Banks Case Study 2: Ensuring common values To ensure that all its employees across the markets it operates in have aligned their values and interests with its approach to business, one of the banks interviewed has developed a code of ethics (“Code”) which all employees are required to review and sign off on to confirm understanding. 
The Code, available on the bank’s intranet, has the following objectives: • To provide a collective statement of standards for personal and corporate behavior; • To foster employee behavior that aligns with the bank’s core values—Integrity, Accessibility, Mutual Respect and Continuous Learning; • To ensure adherence to principles of professional behavior; • To promote and maintain confidence in the banking profession; • To resist and highlight improper or unprofessional conduct; • To instill a sense of honesty, fairness, and decency in the conduct of banking business; • To harmonize the concepts of profitability and social responsibility; • To reinforce compliance with regulators’ requirements; • To enhance and sustain public confidence in the banking industry; • To safeguard the cornerstones of the banking profession; and • To respect the bank’s rules of professional conduct. The Code is a mandatory module for all staff orientation classes and is also accessible in the bank intranet to all staff. The bank in 2013 introduced a mandatory e-learning module which all bank staff are required to undertake on an annual basis to confirm and refresh their understanding of the Code. It is reviewed alongside the Human Resources (HR) policy manual annually (where applicable). The Code, which was developed seven years ago by the HR team in liaison with the Legal and Compliance team, has been approved at the senior management level and by the Board of Directors and has benefited the bank in many ways, i.e., it is instrumental in instilling discipline and thus enhancing internal controls performance of the bank. It encourages ownership, accountability, compliance, confidentiality and ethical behavior. 
—enforces the code of ethics by The bank’s Management Disciplinary Committee—which reports to the Board HR Committee­ adjudicating any infringements by an employee and, depending on the severity, recommends an appropriate sanction, which could be a caution, warning, suspension or termination. • A listing of any additional ethics and related resources, 2.2.2 Right Tone at the Top on Risk Management website and/or any supplementary policies and procedures The Board and senior and their location; and Checkpoint: management should set • Examples of what constitutes acceptable and the tone on risk culture. ü ü Sufficient, sustained, unacceptable behavior. If leadership makes risk and visible leadership on risk related issues management a priority and The code of conduct document should be availed to all demonstrates it in their members of the Board, senior management, and employees, ü ü Action and clear accountability toward actions, then this will filter and should encourage commitment to the application of managing risk through to the rest of the the defined ethical principles in all business activities when ü ü Regular communication bank. making decisions. This should be implemented through on risk management requiring all employees and Board members to read and commit to the code of conduct or policy through their sign-offs. Risk Culture, Risk Governance and Balanced Incentives 13 To support the right tone at the top: risks, market risks, operational risks, information and communication technology risks, reputational risks, • There should be consistent, coherent, sustained and compliance risks, and country and transfer risks. This visible leadership in terms of how the Board and senior would ensure relationships among the various risks in the management act and expect the employees to behave and different business units are uncovered. respond when dealing with risk. 
• Risk assessment guidelines to evaluate the potential • There should be regular and meaningful communication likelihood and impact to assist with the prioritization of from the Board and senior management on matters or risk treatment strategies. topics related to risk management, such as considering risks in decision making throughout the bank and • Risk awareness channels for employees, including regular creating an environment where there is constructive and scheduled training on risk management and induction challenge on risk discussions and decisions. for new employees and Board members. This creates a clear and complete picture of the risk management 2.2.3 Common Understanding of Risk Management processor program in the bank. Terms In addition to the above, the risk management policy should There should be a common have the following sections:13 Checkpoint: understanding of the risk management framework • Risk management and internal control objectives (governance); The Bank has: across the bank. In this • Statement of the attitude of the bank towards risk (risk ü ü An enterprise-wide risk regard, banks should strategy); management policy enact a policy document • Description of the risk aware culture or control environment; ü ü Common definitions and that establishes and categories of risk; and • Level and nature of risk that is acceptable (risk appetite); guides a consistent, ü ü Regular risk awareness integrated approach to the • Risk management bank and arrangements (risk training identification, assessment architecture); and management of risk on • Details of procedures for risk recognition and ranking an “enterprise-wide” basis. 
(risk assessment); • List of documentation for analyzing and reporting risk The risk management policy document should outline, among other things: (risk protocols); • Risk mitigation requirements and control mechanisms • The definition of common risk management terms, such (risk response); as “risk,” “risk management,” “risk appetite,” “risk management framework,” “risk impact,” “risk factor,” • Allocation of risk management roles and responsibilities; “risk prioritization” and “risk mitigation.” • Criteria for monitoring and benchmarking of risks; • Specific roles and responsibilities of individuals with • Allocation of appropriate resources to risk management; and regard to risk management within the bank. This includes • Risk activities and risk priorities for the coming year. roles of the Board, risk committees, senior management, management-level committees, business unit managers, risk 2.2.4 Universal Application of Risk Management management function, internal audit, and all employees. Principles • The process and key principles for determining the risk appetite, including reference to the documented risk appetite All business activities of the statement as approved by the Board and ongoing review. Checkpoint: bank from strategic planning to day-to-day operations • The bank’s risk management framework and structure, ü ü Meeting agendas include risk discussions should consider risk. Risk including the role of the Chief Risk Officer (CRO) and ü ü Risk objectives are management discussions risk division units. quantifiable should be a standing agenda • Risk categorization, which includes a common understanding of the various classifications of risks facing the bank such as strategic risks, credit risks, liquidity 13 The Association of Insurance and Risk Manager, A structured approach to Enterprise Risk Management (ERM), 2010, p. 10. 
14 Chapter 2: Risk Culture in Banks Case Study 3: Consideration of risk management principles In addition to defining a risk management framework that contains the definitions of key risk terms and their categorizations, a participating bank in this study further enhances the universal application of risk management principles through continuous discussion. Risk management is a standing agenda on the Board and Board subcommittee meetings as well as Management Operational Committee meetings. The bank further ensures that its officials consider the risk implications of their decisions through risk assessments as one of the key steps in approval of new products and/or initiatives and through regular Risk and Control Self Assessments (RCSAs) and Key Control Risk Assessments (KCSAs).The business units provide information in the RCSA and KCSA templates provided by the Risk Management Division. Any new risks identified are discussed at the monthly Management Operational Risk Committee and mitigating actions are identified. To further ensure that risk management principles are applied uniformly in the bank, risk management discussions are held at departmental meetings. With these practices, there has been a better and considerably active engagement between the business and risk functions thereby leading to a reduction of losses relative to business growth and day-to day operations. item at all Board and senior management meetings. Risk risks facing the bank. The bank’s governance processes should management discussions should also be entrenched in all provide for easily accessible and reliable communication business decision-making meetings held by various business channels that will ensure that internal stakeholders of the units. bank are encouraged to report new and emerging risks in their areas of operation and external stakeholders are Risks should be identified and measured in relation to the updated on the bank’s risk management efforts. 
bank’s risk assessment objectives. To ensure risk management principles are applied in all bank activities and decision- Effective communication enhances risk awareness in the bank making, the risk objectives must be specific and quantifiable across Board members, senior management, and employees at at various levels in the bank. all levels. The bank can disseminate its policies and procedures through various internal communication channels such as 2.2.5  Timely, Transparent, and Honest notice boards, periodic bulletins, and the intranet so that risk Communication on Risks awareness resonates across all levels of the bank. In a recent study undertaken by Ernst and Young,15 74 percent of the Communication is the continual, iterative process of respondents indicated that they are enhancing communications providing, sharing, and obtaining necessary information. and training programs to raise awareness of risk values and Internal communication is the means by which information expectations. is disseminated throughout the bank, flowing up, down, and across the entity. It enables employees to receive a clear message The bank should establish mechanisms to internally from the Board and senior management that risk management communicate information necessary to support the proper responsibilities must be taken seriously. External communication functioning of its risk management framework. 
has two important uses: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.14

Communication is an integral part of risk management and includes educating the bank’s Board, senior management, and employees on the bank’s risk management practices, collection of feedback, and constructive dialogue around the

These mechanisms should ensure that:16

• Important components of the risk management framework are communicated appropriately;
• Relevant information derived from risk management practices is available at appropriate levels and times; and
• Feedback channels are available for the internal stakeholders.

As the bank is required to communicate regularly with external stakeholders on its handling of various risks, the communication plan should involve:

• Engaging appropriate external stakeholders and ensuring an effective exchange of information;
• External reporting to ensure compliance with legal and regulatory requirements;
• Communicating with stakeholders in the event of a crisis.

Key questions that should be considered with regard to a bank’s communication and awareness channels include:

• Has the bank taken into account different views on risk from various stakeholders, and relevant supervisory requirements?
• Have the bank’s policies and procedures on risk-related activities been communicated in a timely manner to all employees?
• Is there a sense of the risk culture in the bank? Are risks and exceptions escalated through proper channels?

Good risk communication should have the following characteristics:

• Completeness: All the required information should be included in risk communication. This ensures that the recipients are able to make decisions as soon as they get the information.
• Conciseness: The risk communication should only include relevant information. The sender should focus on the message that he intends to pass across, and avoid unnecessary information that might confuse the recipient.
• Correctness: All risk communication should only include accurate facts to enable the recipients to gauge the importance of the required actions.
• Credibility: All communication should originate from people and/or offices in the bank with sufficient influence.
• Communication in the bank should flow upward, downward, and across the bank to enable the risk function to provide information to the various stakeholders and actively seek and act on the feedback provided.

To ensure effective communication, a bank could deploy the following tools:17

• Charts and narratives of business objectives linked to risk tolerance levels: These are simple explanations that show the bank’s current risk profile in relation to its objectives.
• Automated dashboards and detailed reports of key risk indicators: A dashboard is a simple pictorial snapshot of the bank’s major risks, the mitigation actions, and the risk owners. Dashboards are useful when updated regularly. The bank should therefore ensure that the dashboard has been cascaded from the Board to the senior management and operational management. Reports should be generated from the dashboard as and when required and appropriately distributed in a timely manner.
• Flowcharts and maps of processes with key controls: A flowchart is a pictorial representation of the bank’s business processes. It is developed from the operational manual and identifies the key internal controls that the management has put in place. As flowcharts are easy to understand, the bank employees can contribute to the improvement of the various controls or processes.
• Discussions and briefings on routine and special topics: The risk management function should ensure that the bank regularly updates its stakeholders on its current risk profile. Operational units should be involved in the identification of mitigation actions on emerging risks.
• Whistle-blower channels: These are anonymous modes of communication that are made available for stakeholders to report any risks or illegal activities noted. To encourage the use of the whistle-blower channels, the bank should communicate the anonymity safeguards to stakeholders. Investigations should be carried out on any reports received through such channels.

2.2.6 Risk Management Responsibility—Individually and Collectively

Checkpoint: Awareness of employees’ roles in risk management

All employees should take personal responsibility, individually and/or collectively, for the management of risk in the business and should proactively seek to involve others when appropriate.

14 Committee of Sponsoring Organizations of the Treadway Commission, Executive Summary: Internal Control—Integrated Framework, 2013, p. 5.
15 Ernst and Young, 2014 Risk management survey of major financial institutions, “Shifting focus: Risk culture at the forefront of banking,” 2014, p. 12.
16 Committee of Sponsoring Organizations of the Treadway Commission, Executive Summary: Internal Control—Integrated Framework, 2013, p. 7.
17 International Finance Corporation, Standards on risk governance in financial institutions, 2012, p. 14.

The risk management framework should codify roles and responsibilities of everyone in the bank with regard to risk management and provide clarity about responsibility. Although certain people will be charged with monitoring specific risks, everyone should ensure that risks are considered in all decisions within the realm of their duties and responsibilities.

Figure 2: Illustrative risk management responsibilities
Figure 2 shows a hierarchy of risk committees, each with its own charter: the Board of Directors at the top, then the Board Risk Committee, the Senior Management Risk Committee, the Operational/Business Units Risk Committees, and the Business Units as Risk Owners at the base. Oversight flows downward through the hierarchy and Risk Information Reporting flows upward. Adapted from Deloitte, Improving Bank Board Governance: The bank board member’s guide to risk management oversight.

To achieve this, the bank should establish risk committees (see Figure 2) at different levels of management.

A bank considering establishing a Board risk committee might consider the following key factors:18

The needs of stakeholders. Whether or not the bank will be required by the regulator(s) to have a risk committee, the needs of the bank and its stakeholders should be considered. The Board should also assess the quality and comprehensiveness of the current risk governance and oversight structure, the risk environment, and the future needs of the bank. The composition and activities of the risk committee and its relationship with other Board committees could reflect the Board’s assessment of these factors.

Alignment of risk governance with strategy. The Board should consider whether risk oversight and management are aligned with management’s strategy. Banks vary in their business models, risk appetite, and approaches to risk management. A key consideration is that the Board, management and business units be aligned in their approach to risk and strategy—to promote risk taking for reward in the context of sound risk governance.

Oversight of the risk management infrastructure. The Board should consider whether the risk committee is responsible for overseeing the risk management infrastructure—the people, processes, and resources of the risk management program—or whether the audit committee or entire Board will oversee it. The CRO should have a dual reporting relationship to the risk committee, or Board, and the CEO.

Scope of risk committee responsibilities. The Board may need to decide whether the risk committee will be responsible for overseeing all risks, or whether other committees, such as the audit committee or the compensation committee, will be responsible for some. For example, oversight of risks associated with financial reporting may remain under the audit committee, while those associated with executive compensation plans might remain with the compensation committee. But because functional risks (such as tax or human resources risk) are often connected to operational or strategic risks, it is important to consider how the interconnectivity of risks is addressed. In any event, the Board will need to determine which committees will oversee which risks.

Communication among committees. The Board should consider how the committees will keep one another—and the Board itself—informed about risks and risk-oversight practices. Efficiency and effectiveness call for clearly defined responsibilities, communication channels, and handoff points.

In addition to the Board being in charge of risk management oversight, establishing other related committees allows for a more coordinated, integrated and focused approach to risk management. It enables the Board to:19

18 Deloitte, Risk Committee Resource Guide for Boards, 2012, p. 3.
19 Deloitte, As risks rise, boards respond: A global view of risk committees, 2014, p. 17.
• Assert and articulate its risk-related roles and responsibilities more clearly and forcefully;
• Establish its oversight of strategic risks, as well as the scope of its oversight of operational, financial, compliance, and other risks;
• Task specific Board members and other individuals with overseeing risk and interacting with the senior management and the CRO;
• Recruit Board members with greater risk governance and risk management experience and expertise. Keep the Board more fully informed regarding risks, risk exposures, and the risk management infrastructure;
• Elevate risk as a management and an enterprise-wide concern in day-to-day operations; and
• Improve advice provided to senior management regarding risk, response plans, and major decisions, such as mergers, acquisitions, and entry into new markets or new lines of business.

The charter for the committees tasked with risk management will describe the roles and responsibilities of overseeing the risk management framework. The committees should ensure that risk management responsibility is segmented, involves all employees, and that they clearly understand their risk management roles and responsibilities. In developing the Board Risk Committee charter, the following information should be included:20

• The risk oversight responsibilities of the committee and how it fulfills them;
• Who is responsible for oversight of management’s risk committee; for example, whether it is the Board risk committee or the full Board (it is the full Board that is ultimately accountable and responsible for risk governance);
• Who is responsible for establishing the criteria for management’s reporting to the Board about risk (the actual criteria need not be set in the charter, because they are expected to change as the bank and risks evolve);
• The composition of the Board risk committee and the qualifications of risk committee members (the committee should include a risk management expert, and it should be made up of a majority of independent Board members);
• The Board’s or risk committee’s responsibilities regarding the bank’s risk appetite, risk tolerances, and utilization of the risk appetite;
• The Board’s or risk committee’s responsibility to oversee risk exposures and risk strategy for broadly defined risks, including, for example, credit, market, operational, compliance, legal, property, security, IT, and reputational risks;
• The risk committee’s responsibility to oversee the identification, assessment, and monitoring of risk on an ongoing bank-wide or line of business basis;
• The reporting relationships between the Board risk committee and the CRO and the management risk committee;
• The risk committee’s oversight of management’s implementation of the risk management strategy; and
• Terms of service of risk committee members and the chair, with incumbents subject to reappointment; term limits (which may preclude members or chairs from having their terms renewed) may not be desirable because they may cause the loss of individuals in valued roles.

An illustrative risk committee charter has been included in Annex 3 to demonstrate how the above elements can be incorporated within a bank’s governance documents.

20 Deloitte, Risk Committee Resource Guide for Boards, 2012, p. 7.

2.2.7 Expectations on Challenging Discussions around Risk Management

Checkpoint: People can comfortably discuss risk issues without fear of repercussions

All employees should have a working knowledge of the key risks facing the bank and more in-depth knowledge of the risks in their individual roles. To achieve this, the Board and senior management should create an enabling environment where employees freely engage in risk discussions in the execution of their duties.

All employees, at all levels, should be encouraged to discuss risk management with others, including authority figures. Potential risks noted during these conversations should be appropriately escalated to ensure that they are appropriately mitigated.

In a bank environment where employees are not free to discuss risk situations, major risks within the bank’s critical functions may not be identified and mitigated in a timely manner. Employees who do not have sufficient understanding of the risks associated with the bank are likely to expose the bank to imprudent risk taking.

Case Study 4: Risk management responsibilities

A listed commercial bank offering a full range of corporate and retail banking services that participated in this study has identified risk champions across the business to help embed the “right” risk culture across the bank and ensure individual and collective ownership over risk management and reporting. This ensures that the risk champions have constant interactions with the business units they represent. The information collected by the risk champions is then reported to the Board on a quarterly basis through the Risk Function.

Risk champions are identified within the business unit based on their performance. They must have substantive knowledge of the business unit to be able to effectively guide the business unit on coordinating and reporting on risk management issues through the Risk Management department. The champions undergo regular formal risk management training from the Risk Management department and external consultants as appropriate to guide them in their role as risk champions.

Through the risk champions, the bank has been able to benefit from a more coordinated and focused approach to risk management. The business units, with support from their risk champions and the risk management function, are involved in developing the mitigating actions in their respective business units, thus facilitating effective risk ownership in the Bank.

2.2.8 Risk Reporting and Whistle-Blowing Mechanisms

Checkpoint: Availability of whistle-blowing mechanisms such as reporting hotlines, ethics and integrity lines, an email address and/or a web portal for reporting issues anonymously

Banks should have formal processes and reports for risk reporting to the Board, senior management, and other relevant stakeholders. The risk management framework should define such processes, reports, and performance standards for employees in preparing and reporting risk information.

A bank’s failure to adequately provide for risk event reporting and whistle-blowing mechanisms could weaken its ability to identify and manage risks. Senior management’s failure to recognize and address issues raised may lead to a significant impact on the bank’s overall performance and reputation.

“If you don’t open up your information or mention anything that is negative, you are misleading yourself at the end of the day because you are not addressing properly the issues and you are wasting a very great opportunity to improve your culture. We want to be as transparent as possible to the outside stakeholders and then internally.” —Matias Rodrigues Incite, Vice Chairman, Banco Santander (a)

(a) KPMG, Expectations of Risk Management Outpacing Capabilities: It’s time for action, 2013, p. 20.

Communication remains a challenge, with 62 percent of the respondents in the 2013 Deloitte survey Culture in Banking under the Microscope21 indicating that they believe that upward communication of concerns to management, or lack thereof, was a significant cultural problem. Twenty-six percent of the bankers interviewed in the same survey agreed that they had mechanisms on whistle-blowing. In other instances, the survey found that whistle-blowing channels were seen to focus more on form rather than substance, with indications that organizations are just going through the motions, with insufficient consequences when poor behaviors are identified.

To support risk reporting and whistle-blowing mechanisms:

• The bank should have a formal process for reporting risk to the Board or a Board-mandated committee—for example, the Board Audit Committee or the Board Risk Committee, and other relevant key stakeholders such as the bank regulator.
• The bank should define a reporting matrix for escalating risk issues. Employees should have a clear understanding of the channels and processes, as well as rights and protections, for raising risk issues, whether directly or anonymously.
• The bank should have an appropriate risk management toolkit for data collection and tracking of risks. This will ensure constant availability of data for objective quantification of the risks, which would inform the bank’s approach to risk assessment.
• Whistle-blowing channels such as an anonymous reporting hotline, ethics and integrity lines, an anonymous email address and/or a web portal for reporting issues anonymously should be put in place and their usage monitored.
• Whistle-blower issues should be duly acknowledged and investigated by senior, independent management who have sufficient authority to investigate and manage the issue.

To ensure the protection of whistle-blowers, the bank should ensure the following:22

• Confidentiality of identity. An employee reporting a serious irregularity in good faith should be guaranteed that his or her identity will be treated in confidence.
• Mobility. The bank should facilitate the redeployment of the concerned employee, if he or she wishes, to another department or function in order to safeguard himself or herself from possible hostile reactions from his or her immediate department or function.
• Appraisal and promotion. Care should be taken during staff appraisal and promotion procedures to ensure that the whistle-blower suffers no adverse consequences.
• Penalties for those taking retaliatory action. The Board, senior management, and the immediate supervisors should not use their positions to prevent employees from reporting any serious irregularities. Any form of retaliation undertaken as a result of whistle-blowing should be sanctioned.
• Anonymity. As the above procedures reduce the need and justification for anonymity, an employee should be encouraged to identify himself or herself to the bank to enable the bank to apply the whistle-blower protective measures.

21 Deloitte, Culture in banking: Under the microscope, 2013, p. 11.
22 Adapted from the European Commission, Communication to the Commission: Communication from Vice President Šefčovič to the Commission on Guidelines on Whistleblowing, 2012, pp. 6–8.

2.3 Risk Culture Maturity Rating Scale

Table 2 presents criteria that can be used to assess a bank’s maturity against each of the risk culture best practices. This scale represents three levels of maturity: “Below Standard,” “Standard,” and “Above Standard.”

Table 2: Bank’s maturity against each of the risk culture best practices

Commonality of purpose, values, and ethics in the bank
Below Standard: There is no code of conduct that spells out the expected employee behaviors. Low ethical standards exist.
Standard: There is a code of conduct, but it is not strictly enforced. Ethical standards are established but not consistently applied or are more apparent in some business units than in others.
Above Standard: There is a code of conduct which is fully enforced. All employees are required to review the Code of Conduct and to sign off to acknowledge their understanding. There is regular assessment of the employees’ understanding of the Code of Conduct. High ethical standards exist and are apparent in all business units.

Right tone at the top
Below Standard: The Board has not set the tone for managing risks, and the culture of risk awareness does not exist in the bank. Risk appetite has not been defined, and/or risk metrics are not included in performance metrics. The Board does not assess the risk culture of the bank and attitudes toward risk throughout the bank.
Standard: The Board sets the tone for managing risks and demonstrates a culture of risk awareness at the top level, but it has not been embraced broadly. The Board has approved a risk appetite and the risk metrics are included in some employees’ performance metrics. The Board infrequently assesses the risk culture of the bank and attitudes toward risk through a top-down approach.
Above Standard: The Board sets the tone for managing risks and establishes a culture of risk awareness, which is widely adopted and understood throughout the bank, by ensuring the bank has an approved risk appetite and that risk metrics are included in performance metrics for all employees. The Board assesses the risk culture of the bank and attitudes toward risk throughout the bank through mechanisms, such as employee and vendor surveys, on an ongoing basis.

Common understanding of risk management terms
Below Standard: Risk has not been commonly defined throughout the bank. Risk is defined differently at different levels in the bank.
Standard: The bank has a common definition of risk, and it is communicated to the rest of the bank using a top-down approach.
Above Standard: The bank has a common definition of risk and a clearly articulated risk management strategy that addresses both value preservation and value creation and is used consistently throughout the bank.

Universal application of risk management principles
Below Standard: A few members of the senior management have limited consideration for risk as part of their core decision-making processes. There is limited participation and accountability of business units in overseeing the risk management program. There is a culture of unnecessary risk taking. Only some risks are considered in the decision-making process.
Standard: A few members of the senior management periodically request information from management when they consider the risk of action or inaction as part of their core decision-making processes. A few business units, e.g., finance, are primarily held responsible by management for overseeing the risk management program and provide updates to management. Only top management takes risks, as per the defined risk appetite of the bank. Top management considers a set of risks in the decision-making process.
Above Standard: Appropriate senior members of the management staff systematically consider the risk of action or inaction as part of their core decision-making processes. Appropriate business units gather, analyze, aggregate, communicate, and report to the Board and management on the enterprise-wide risk management process on an ongoing basis. All employees follow risk management practices in effectively weighing their actions in the decision-making process, and there is a culture of involving risk experts in the decision-making process. Risks are taken as per the risk appetite of the bank and people are held personally accountable for managing risks.

Quality of information and communication channels
Below Standard: Minimal or no communication occurs in the bank on matters relating to enterprise risk management. The Board and other governing bodies lack transparency and visibility into the enterprise’s risk management practices.
Standard: Communication on risk management occurs, but it is top-down. The Board and other governing bodies request and receive periodic updates on the bank’s risk management practices.
Above Standard: There is consistent and effective communication within the bank flowing upward, downward, and across the bank as well as with external parties supporting the enterprise-wide risk management practices. The Board and governing bodies authorize the formation of an executive-level risk committee, with a composition including representatives from all business units or departments, to have transparency and visibility into the enterprise-wide risk management practices.

Risk management responsibility
Below Standard: There is a lack of individual or collective management of risks in the bank. A limited number of risk events that have high impact and high vulnerability are inconsistently reported.
Standard: Discrete roles, responsibility, and delegation of authority have been defined for a limited set of risks as a part of the governance structure. Limited individual and collective risk management responsibilities are being practiced in some sections/business units.
Above Standard: Well-defined and delineated roles, responsibility, and delegation of authority promote collaboration and coordination for developing and sustaining a governance structure and executing on the bank’s risk management strategy. Individual and collective risk management responsibilities are practiced across all business units.

Discussion around risk management
Below Standard: People do not question decisions made by their superiors. Individuals yield to inappropriate pressure from others. There is inadequate challenge of excessive risk taking. There is reluctance to escalate risks appropriately.
Standard: People challenge others if they think they are not doing the right thing. Some people in the bank respond well to challenging discussions on risk management.
Above Standard: There is open and honest dialogue regarding risks. There is constructive response to challenges. People are confident when raising risk management concerns.

Risk reporting and whistle-blowing
Below Standard: Risks are minimally reported and monitored in the bank. The bank does not have a whistle-blowing mechanism. Only risk events that have high impact and high vulnerability are reported.
Standard: Key risks are reported and monitored through separate evaluations by top management in the bank. Attention is drawn to risk events other than those that have high impact and high vulnerability. The bank has a whistle-blowing mechanism in place, but investigations and sanctions are not consistently carried out and enforced.
Above Standard: All risks are reported and monitored holistically at the enterprise level. Attention is drawn and resources made available proactively to address risk events other than those that have high impact and high vulnerability. Whistle-blowing mechanisms are in place, and management sees this as a useful tool in its risk management process.

Adapted from the Global Financial Service Industry (GFSI) Risk Transformation Toolkit, Deloitte Development LLP, May 2013.

2.4 Conclusion

Banks must strive to create a culture of risk awareness within their operating environment, having appreciated its importance and significance to the bank’s ability to identify and manage risk effectively.

The right risk culture can provide banks with a competitive edge that is difficult for their rivals to emulate. It greatly influences the bank’s risk management efforts as well as the achievement of the bank’s vision, mission and objectives.

A bank’s risk culture is not a stand-alone component but is intertwined with and influenced by the bank’s risk governance practices as well as the incentives programs in place.

Risk governance is linked inextricably to the bank’s culture. For a bank to reap the benefits of effective risk management, the Board and senior management must show commitment to their risk governance responsibilities, which in turn influence the risk culture of a bank. In the next chapter, we explore the role risk governance plays in effective risk management, as well as some recommended best practices.

3 Risk Governance in Banks

At a Glance: Recommended best practices in Risk Governance: Risk governance structure; Risk management framework; Qualifications and experience; Training and capacity building programs; Board evaluation.

A bank that can understand risk holistically—that is, being aware of the full range of risks it confronts—can strategically use risk taking as a means to strengthen its competitive position and reduce adverse impacts from risk.

3.1 Introduction

A bank has many stakeholders that include the Board, senior management, employees, regulatory authorities, customers, suppliers, other banks and lenders, and the community in which it operates. Effective interaction with these stakeholders requires a bank to have good corporate governance practices. These practices include the processes, customs, policies, procedures, laws, rules, and regulations, which enable the stakeholders to interact in a transparent and sustainable manner.

Risk governance focuses on applying the principles of sound corporate governance to the identification, management and communication of risk. It incorporates the principles of accountability, participation and transparency in establishing policies and structures to make and implement risk-related decisions.23 A sound risk governance framework promotes clarity and understanding of the ways in which bank employees execute their responsibilities.
The bank should strive to manage the risks it faces holistically by adequately assessing and addressing risk from all perspectives and quarters; breaking through the organizational barriers that may obscure a view of the entirety of risks facing the bank; and systematically anticipating and preparing an integrated response to potentially significant risks. This also requires institutions to move away from the traditional “silo-based” approach to risk management.

Holistic risk management is a concept about managing all the risks simultaneously and is all about accountability—that is, people taking responsibility for their actions. Holistic risk management involves a methodology where the various risk types that can affect a bank are considered holistically, rather than independently.24

To ensure this, the bank’s risk governance should exhibit the following characteristics:25

• Risk management practices that encompass the entire business, creating connections between the so-called “silos” that often arise within large, mature, and/or diverse enterprises;
• Risk management strategies that address the full spectrum of risks, including industry-specific, operational, compliance, competitive, business continuity, and strategic, among others;
• Risk assessment processes that augment the conventional emphasis on probability by placing significant weight on vulnerability;
• Risk management approaches that do not solely consider single events, but also take into account risk scenarios and the interaction of multiple risks;
• Risk management practices that are infused into the corporate culture, so that strategy and decision-making evolve out of a risk-informed process, rather than considering risk after decisions are taken; and
• A risk management philosophy that focuses not solely on risk avoidance, but also on risk taking as a means to value creation.

23 Adapted from IFC, Risk Taking: A Corporate Governance Perspective, 2012, p. 11.
24 Adapted from “The Application of Holistic Risk Management in the Banking Industry,” by J. Chibayambuya & D.J. Theron, University of Johannesburg, p. 5.
25 Deloitte, The Risk Intelligent Enterprise: ERM done right, 2006, p. 2.

Good risk governance practices influence the effectiveness of risk management, seen as fundamental for a bank’s success in the global business environment, and a basic expectation of stakeholders, regulators, analysts, depositors, and customers. Improving risk governance in banks requires starting at the top of the management “pyramid,” where the Board and senior management establish the bank’s risk appetite, policies, and limits.

Effective risk governance and oversight begins with a solid mutual understanding of the extent and nature of the Board’s responsibilities as compared to those of senior management and other stakeholders. Whereas the Board is accountable for the oversight of risk governance, the senior management is responsible for implementing the policies and procedures through which risk governance is achieved within the bank. Board-level responsibilities include setting the expectations and standards, elevating risk as a priority, and initiating the communication and activities that constitute effective risk management.

Banks can achieve optimal risk governance practices through the establishment and implementation of a risk governance operating framework, as discussed below.

3.1.1 Risk Governance Operating Framework

A risk governance operating framework is a mechanism that the Board and senior management can use to translate the elements of the bank’s governance framework and policies into practices, procedures and job responsibilities. It can assist the Board and senior management to organize the risk governance responsibilities such that there are no inconsistencies, overlaps, and gaps among the governance mechanisms.

The risk governance operating framework has four main components:26

• Structure: A clear, comprehensive organizational structure defines reporting lines for decision-making, risk management, financial and regulatory reporting as well as crisis preparedness and response. It includes organizational design and reporting structure, committee structures and charters, and control and support function interdependencies.
• Oversight responsibilities: Oversight responsibilities define the Board’s responsibilities, committee and management responsibilities, accountability matrices, and management hiring and firing authorities. The Board carries out this responsibility across the bank in areas such as business and risk strategy, financial soundness, and compliance.
• Talent and culture: This component enables the behaviors and activities required for effective risk governance by establishing compensation and incentive policies, promotion policies, performance measurement management, training, and leadership and talent development programs. These factors should reflect the bank’s overall commitment to governance as well as principles of asset preservation and risk taking for rewards.
• Infrastructure: This comprises governance and risk oversight policies and procedures, reports, measures and metrics, management capabilities and the enabling information technology (IT) support.

The four major components of the framework have subcomponents (see Table 3) that describe the activities required to create an effective risk governance operating framework. These activities ensure that the bank defines and documents the processes, procedures, and reporting mechanisms required to operationalize the framework.

26 Deloitte, Developing an effective governance operating model: A guide for financial services boards and management teams, 2013, p. 6.

Table 3: Components of a risk governance operating framework (a)

Structure
Subcomponents: Board structure and charter; Board Committees structure and charters; Organizational structure and reporting lines; Controls and support functions’ roles.
Descriptions:
• Outlines Board and management committees’ structures, mandates, membership, and charters.
• Establishes the design of the risk management framework.
• Delineates organizational structure, reporting lines, and relationships.
• Highlights the roles and independence of control and support functions from business owners.

Oversight responsibilities
Subcomponents: Board oversight responsibilities; Committee authorities and responsibilities; Management accountability and authority; Reporting and escalation.
Descriptions:
• Delineates Board and senior management approved policies, supporting delegation of authority including reporting and escalation.
• Outlines the types of committees (both Board and senior management) and associated responsibilities.
• Specifies functional accountabilities for the day-to-day management of business practices across the bank.

Talent and culture
Subcomponents: Leadership development and talent programs; Business and operating principles; Core beliefs and risk culture; Performance management and incentives.
Descriptions:
• Aligns risk governance with operating and business principles.
• Articulates core beliefs and the foundation for risk culture.
• Highlights characteristics of risk culture.
• Outlines leadership succession, assessment, and development responsibilities.
• Aligns performance management approach, measures and responsibilities to compensation and incentive plans.

Infrastructure
Subcomponents: Policies and procedures; Reporting and communication; Technology.
Descriptions:
• Establishes design and content of manuals and associated procedures.
• Outlines type and frequency of internal reporting and communication.
• Aligns technology and tools to the communication systems required.

(a) Deloitte, Developing an effective governance operating model: A guide for financial services boards and management teams, 2013, p. 9.

3.2 Best Practices in Risk Governance

To improve a bank’s risk management program, a number of best practices are recommended. While the risk governance operating framework provides for the governance structure, it is notable that the qualitative components of the governance framework, such as the Board and senior management oversight role; commonality of values and ethics as codified in the code of conduct; performance management; incentives plans and communication channels, greatly influence the bank’s risk culture and are cross-cutting practices between establishing the right risk culture and effective risk governance. An effective risk governance operating framework would entail having:

• Risk governance structure: The bank should clearly define the roles and responsibilities of the Board, senior management, employees, internal and external auditors, and other stakeholders in its risk management program.
• Risk management framework: The bank should have a well-defined risk framework. This is a formal process for identifying, assessing, prioritizing, responding to and mitigating major business risks across all its business units.
• Qualifications and experience: The bank should ensure that the people charged with risk oversight have the required skills, expertise, and authority.
• Training and capacity building programs: The bank should continuously train its Board, senior management, and employees on risk management practices and emerging standards and requirements.
• Performance management: The bank should constantly evaluate how well its Board, senior management, and employees are working toward the achievement of the bank’s long-term objectives. The performance measures should include risk metrics.

3.2.1 Risk Governance Structure

Checkpoint: Board oversight role; Existence of the three lines of defense

A risk governance structure defines the roles of the stakeholders in risk management and the processes by which risk information is collected, aggregated, analyzed, and communicated to provide a sound basis for management decisions in the bank. The stakeholders include the Board, senior management, business units, risk management function, shareholders, internal and external auditors, creditors and debtors, regulatory bodies, and the general public. The bank should define an appropriate risk governance structure with input from the stakeholders that is consistent with the bank’s business operations and applicable regulatory requirements. The risk governance structure should then be approved by the Board.

The three lines of defense are expected to play complementary roles for sound risk management practices. However, the first line of defense can have a point of tension with the risk management and internal audit functions. The business units are remunerated for the business they generate for the bank and, in some cases, may view the activities of the subsequent lines of defense as a curtailment of their “main” objective. There is therefore a natural tension between value creation and value protection that may arise among the first line—i.e., business units whose primary objective is value creation, and the second and third lines whose primary objectives are related to value protection.

Effective risk governance should incorporate the three lines
of defense, which are the operating management and internal controls, the risk management and compliance function, and To ensure an effective risk governance structure, it is the internal audit. The three lines of defense then interact therefore important to enforce clear segregation of duties with the Board or its subcommittees, senior management, and independence in the reporting hierarchy for the three and external bodies such as the external auditors and the lines of defense. The second and third lines need to have supervisory authority to ensure effective enterprise-wide risk enough influence, expertise, and independence in the bank to management in the bank. sufficiently challenge the risk takers and provide independent opinion and communication lines to the Board. In addition Figure 3: Illustrative lines of defense Board of Directors or Board Risk Committee Senior management First Line of Defense Second Line of Defense Third Line of Defense Supervisory Authorities Risk Management External Auditors Internal Auditors Internal Controls Business Units Adapted from the European Confederation of Institutes of Internal Auditors / Federation of European Risk Management Associations Guidance on the 8th EU Company Law Directive, article 41. 26 Chapter 3: Risk Governance in Banks to this, the following elements would ensure an effective • Knowing which risks the bank is willing to take in the three lines of defense:27 pursuit of its objectives. This would be clearly stated in • Each risk has a clear link to the responsible owner in the the risk appetite, which defines the maximum allowable relevant line of defense; loss by the type of risk and overall risk for the bank. • Understanding the bank’s risk profile. This includes • Clear roles and accountabilities are assigned across the three lines and documented in the form of charters to the risks the bank faces, their potential impact, and the enable work activities. 
Where clear accountabilities are classifications of such risks. documented, there can be no wrong assumptions as to the • Keeping track of the compliance obligations of the bank, responsibility for risk, controls and assurance; including the ones based on regulatory requirements and • Each line has adequate skills to discharge its the ever-evolving industry expectations. The Board should responsibilities. This is usually straightforward in the ensure that it initiates efforts from its level, and that first line, but can be more complex in the second and such efforts are cascaded throughout the bank to ensure third lines. Many monitoring and assurance functions do relevant requirements are met. not contain deep knowledge of the business or industry, • Determine that the bank’s risk management infrastructure which provides a challenge in gaining the respect of the is consistent with the complexity of its business, the risks first line; it faces, and all applicable laws, regulations and industry • Senior management and the Board receive one combined requirements. report showing the status for individual risks; When defining the roles and responsibilities for risk • Clear communication protocols are established between oversight, the Board should be clear about which committees the three lines, risks, associated controls and assurance are charged with oversight for which specific risks. Further activities, defining the information to be exchanged and to the guidance provided in Chapter 2.2.6 of this handbook when; on factors to take into account when establishing a Board • Risk owners are responsible for collating all information risk committee, the Board may establish a Board risk from across the lines for their risks and have specific committee that should be charged with:28 points of contact in the other lines so as not to deal with • Overseeing the risk management infrastructure. 
The full multiple requests for information; Board may oversee the organization’s risk management • A person or function is assigned responsibility for infrastructure, or this oversight responsibility can be administering the model and overall coordination of delegated to the Board risk committee, rather than to the reports; and audit committee; • Addressing risk and strategy simultaneously. The Board • A single technology system is used for all data input, and from which reports are generated for individual risks. risk committee should address risk management and At any point in time, the status of individual risks and governance when strategies for growth and value creation associated controls assurance activities can be reviewed. are being created and management decisions are being made. The purpose of this responsibility is to promote Further details on the roles and responsibilities of each risk taking for reward in the context for practicing sound of these three lines of defense in ensuring effective risk risk governance; governance are provided in the following subsections. • Assisting with risk appetite and tolerance. The Board risk committee can assist , establish, communicate, and The Role of the Board of Directors and Board 3.2.1.1  monitor the risk culture, risk appetite, risk tolerances, Subcommittees and risk utilization of the bank at the enterprise and The Board has the ultimate responsibility for the bank’s risk business units; oversight. This includes: • Monitoring risks. The Board risk committee should assist in assessing and monitoring the bank’s compliance with the risk limit structure and effective remediation of 27 Ernst & Young, Maximizing value from your lines of defense: A prag- matic approach to establishing and optimizing your LOD model, 2013, pp. 6-7. 28 Deloitte, Risk Committee Resource Guide for Boards, 2012, pp. 11-12. Risk Culture, Risk Governance and Balanced Incentives 27 noncompliance on an ongoing and enterprise-wide basis. 
committee, the Board or its risk committee should hire, For the risk committee, this responsibility extends to all evaluate, and determine the compensation of the CRO. risks, or at least to all risks not monitored by the audit, The Board and the risk committee should consider how compensation, or other Board-level committees. In cases they might maintain ongoing communication with the of risks monitored by other Board committees, the Board CRO and the risk management function, including risk committee should be made aware of ongoing risks. separate sessions with the CRO. In addition to having the • Overseeing risk exposures. The Board risk committee CRO report directly to the Board or the risk committee, should consider the full range of risks and potential the risk committee can help ensure that the CRO has the interactions among risks, including risk concentrations, seniority, authority, and resources to oversee risk in the escalating and de-escalating risks, contingent risks, and enterprise. The Board can also support the CRO through inherent and residual risk; consistent communications and actions regarding the bank’s approach to risk and risk management; and • Advising the Board on risk strategy. The Board creates the • Consulting with external experts. The Board risk risk committee to serve as a repository of information and expertise on risk and to advise the Board on risk strategy. committee should consider having access to external Thus, the Board risk committee can help inform the expert advice regarding risk and risk governance and Board of risk exposures and advise the Board on future management in the form of meetings, presentations, risk strategy; verbal or written briefings, or assignments commissioned by it. The areas to cover could include the risk • Approving management risk committee charters. 
environment, regulatory developments, leading practices, Management may establish risk committees not only at or any other items the Board or committee specifies. In the enterprise level, but also in some cases at business some cases, the Board risk committee may seek external unit levels. The Board risk committee may consider Board education regarding risk management or regulatory and approve the charters of any such management risk matters. In other cases, the Board risk committee may committees; engage a consultant for a particular assessment or other • Overseeing the Chief Risk Officer (CRO). Like the Chief efforts best commissioned at the Board level. Audit Executive’s (CAE) relationship with the audit Case Study 5: Board level committees One of the banks interviewed indicated having established a Board Integrated Risk Management Committee (BIRMC) and a Board Audit Review Committee (BARC) through which the Board maintained oversight of risk management activities at the bank. Through these committees, the Board fulfils its responsibilities of approving a risk management strategy for the bank, articulating the bank’s risk appetite, establishing the risk governance structure, reviewing significant risk issues highlighted by its committees, reporting to stakeholders on risk management of the bank, and approving public disclosures. The mandate of the BIRMC includes ensuring that the bank has a comprehensive risk management framework; assessing the effectiveness of the bank’s risk management systems and monitoring risks through appropriate risk indicators and management information. The BIRMC ensures compliance with laws, regulations, regulatory guidelines, internal controls, and bank policies, and updates the Board on the bank’s risk exposure. 
The functions of the BARC include: making recommendations on matters in connection with the appointment, fee negotiation, resignation and dismissal of the external auditor of the Bank; discussing issues arising from the interim and final audits, and any matters the external auditor may so wish. The BARC also reviews the adequacy of the internal audit programs and results of the internal audit process and ensures that appropriate actions are taken on the recommendations of the internal audit department. As a champion of whistle-blowing, the BARC ensures that mechanisms are available for employees to report on possible improprieties in financial reporting, internal controls or any other matters and a fair and independent investigation of these reports. The committees meet on a quarterly basis and decisions made at these meetings are enforced via the Risk Management Division of the bank who also submit quarterly reports to the Board. 28 Chapter 3: Risk Governance in Banks 3.2.1.2 The Role of Senior Management The bank establishes internal controls, which are systems and procedures to ensure that its goals and objectives are Whereas the Board has the overall responsibility for risk achieved by ensuring that all the processes are correctly management practices, the senior management is tasked authorized, valued, classified, and recorded correctly and in with providing the correct infrastructure and processes for a timely manner. They are implemented to ensure the bank’s risk management and the appropriate tools to employees for policies are being followed and its objectives are achieved. effective execution. The business units are responsible for maintaining effective As part of senior management’s role in risk management, the internal controls and ensuring that risk and control responsibility for the day-to-day risk management function procedures are duly executed on a daily basis. 
The business should be assigned to an officer at a senior level, in most units identify, assess, control and mitigate risks, guide and cases a Chief Risk Officer (CRO) or equivalent, who should implement the internal policies, procedures, and processes, have sufficient seniority, authority, voice, and is independent while ensuring their activities are consistent with the bank’s from business line decisions and management.29 This is to goal and objectives. The business units should have a ensure that the CRO has the capacity/ability to influence key tiered structure to enables middle-level management design decision makers in the bank. Whereas the independence of and implement detailed procedures that would supervise the CRO from operational management is recommended, execution of the bank’s procedure by the employees. The there should be sufficient interaction between the CRO and business units serve as the first line of defense as controls are the operational management to ensure that the CRO and inbuilt in the bank’s systems and procedures. There should all risk managers have sufficient risk information from the be sufficient managerial control to ensure compliance and business.30 See Annex 4 for illustrative terms of reference of highlight any control breakdowns, inadequate processes, and a CRO. unexpected events.31 3.2.1.3 First Line of Defense: The Role of Business Units Second Line of Defense: The Role of the Risk 3.2.1.4  The first line of defense is composed of the business unit Management Function (operational) managers, as they own the processes of the The risk management function is responsible for the bank’s bank. As the first line of defense, operational managers risk management framework across the entire organization, own risks and therefore have the primary responsibility for ensuring that the bank’s risk meets the desired risk profile establishing controls to manage the identified risks. They as approved by the Board. 
The risk management function are also responsible for implementing corrective actions to is responsible for identifying, measuring, monitoring, address process and control deficiencies. recommending strategies to control or mitigate risks, and reporting on risk exposures. They are charged with owning and managing the risks that are in their departments. The risk management function should facilitate and monitor the implementation of an effective system of controls by The business units are charged with: operational management and guide the various operations • Identifying and assessing risks; of the business units in identifying the targeted and emerging • Implementing procedures and controls/limits consistent risks. The function should act as a reporting and monitoring with the bank’s risk appetite and policies; channel for risk-related information throughout the bank. • Responding to and mitigating risks; and As the second line of defense,32 the risk management • Monitoring risks and providing reports to the risk function: management function, senior management and the Board. • Is independent of business lines (i.e., is not involved in revenue generation) and reports to the CRO; 31 Institute of Internal Auditors, IIA Position Paper: The three lines of 29 Basel Committee on Banking Supervision, Principles for enhancing defense in effective risk management and control, 2013, p.3. corporate governance, 2010, p. 18. 32 Financial Stability Board, Thematic review on Risk Governance: Peer 30 Ibid. Review Report, 2013, pp. 32–33. 
Risk Culture, Risk Governance and Balanced Incentives 29 • Has authority to influence decisions that affect the firm’s compensation and budget is reviewed and approved by risk exposures; the risk committee; • Is responsible for establishing and periodically reviewing »» Is responsible for ensuring that the risk management the enterprise risk governance framework, which function is adequately resourced, taking into account incorporates the risk appetite framework (RAF), risk the complexity and risks of the firm as well as its RAF appetite statement (RAS), and risk limits: and strategic business plans; • Has access to relevant affiliates, subsidiaries, and concise »» Is actively involved in key decision-making and complete risk information on a consolidated basis; processes from a risk perspective (e.g., review of the risk-bearing affiliates and subsidiaries are captured by the business strategy / strategic planning, new product enterprise-wide risk management system and are a part of approvals, stress testing, recovery and resolution the overall risk governance framework; planning, mergers and acquisitions, funding and • Provides risk information to the Board and senior liquidity management planning) and can challenge management that is accurate and reliable and is management’s decisions and recommendations; and periodically reviewed by a third party (internal audit) to »» Is involved in the setting of risk-related performance ensure completeness and integrity; indicators for business units, senior management, and • Conducts stress tests (including reverse stress tests) employees. periodically and by demand. Stress test programs and The second line of defense should also incorporate a results (enterprise-wide stress tests, risk categories and stress compliance function, which ensures that the bank complies test metrics) are adequately reviewed and updated to the with institutional policies and procedures, standards Board or risk committee. 
Where stress limits are breached for market conduct, internal controls, laws, rules and or unexpected losses are incurred, proposed management regulations. As banks operate within an environment that actions are discussed by the Board or risk committee. is highly regulated by a number of complex laws, rules, and Results of stress tests are incorporated in the review regulations, a compliance function ensures that the bank is of budgets, in the RAF and Internal Capital Adequacy operating within the required legal and regulatory framework Assessment Process (ICAAP), and in the establishment of and thereby helping to reduce systemic vulnerabilities and contingency plans against stressed conditions. financial crimes. In addition to this, compliance has become a • Is headed by a CRO who has the organizational stature, Board level concern due to various factors: skill set, authority, and character needed to oversee and • Banks are being held to higher standards of evidence of monitor the bank’s risk management and to ensure that compliance; key management and Board members are apprised of the • The compliance function itself is now subject to bank’s risk profile and relevant risk issues on a timely and compliance; regular basis. The CRO should have a direct reporting line to the CEO and a distinct role from other executive • Whistle-blower channels may increase the chances of functions and business line responsibilities as well as a noncompliance being reported to the regulatory bodies; direct reporting line to the Board and/or risk committee. 
• Penalties for compliance failures have become more In addition to this, the CRO:33 severe, putting Boards and senior management at greater »» Meets periodically with the Board and risk committee personal risks; and without executive directors or senior management • Shareholders, lenders, rating agencies, customers, present; suppliers, the media, and the general public care about »» Is appointed and dismissed with input or approval compliance and are informed about it. from the risk committee or the Board, and such Compliance regulations (that include legislation, rules and appointments and dismissals are disclosed publicly; standards issued by legislators and supervisors, market »» Is independent of business lines and has the conventions, codes of practice promoted by industry appropriate stature in the firm, as his/her performance, associations, and codes of conduct applicable to the Board, senior management, and employees) that are country- specific, would cover matters such as observing the 33 Ibid., pp. 31–32. 30 Chapter 3: Risk Governance in Banks proper standard of market conduct, managing conflicts of effective comprehensive function, the bank should also interest, fair treatment of customers, prevention of money ensure the following:34 laundering, and/or dealing with designated terror groups or • The bank’s Board oversees the management of the bank’s individuals. In some countries, the regulators require that compliance risk. It should approve the compliance policy; the designated compliance officer report to them on specific • The bank’s senior management is responsible for the issues such as suspected cases of money laundering. effective management of the bank’s compliance risk. The compliance function should assist the senior The senior management should therefore establish an management in managing compliance risks by: keeping effective compliance function within the bank. 
The them informed of emerging compliance issues and any new senior management should also be responsible for developments; educating staff on compliance issues; and communicating the compliance policy and periodic establishing guidance to staff through policies, procedures reporting to the Board on the management of the bank’s and other documents such as guidelines. To guarantee an compliance risks; 34 Basel Committee on Banking Supervision, Compliance and the compliance function in banks, 2005 pp. 7–16. Case Study 6: Regulator guidelines on the risk management and compliance functions—East Africa One of the regulators in East Africa with over 44 banks under its jurisdiction recently issued updated risk management guidelines which require that banks and banking groups must have comprehensive risk management processes. A bank is required to have a comprehensive risk management function tailored to its needs and circumstances under which it operates and supervises the bank’s overall riskmanagement. The function should be independent from those who take or accept risks on behalf of the institution and should report directly to the Board Risk Management Committee. The risk management function is charged with: • Identifying current and emerging risks; • Developing risk assessment and measurement systems; • Establishing policies, practices and other control mechanisms to manage risks; • Developing risk tolerance limits for senior management and Board approval; • Monitoring positions against approved risk tolerance limits; and • Reporting results of risk monitoring to senior management and the Board. The regulator has also issued guidelines on compliance risk. Compliance risk is defined as the risk of legal or regulatory sanctions, financial loss, or loss to reputation an institution may suffer as a result of its failure to comply with all applicable laws, guidelines, code of conduct and standards of good practice. 
The guidelines require the establishment of a compliance function. This should be an independent function which facilitates efforts to comply with legal and regulatory requirements by tracking and documenting compliance. The function should be sufficiently resourced and its responsibilities should be clearly specified. Licensed institutions are required to organize their compliance function and set priorities for the management of their compliance risk in a way that is consistent with their own risk management strategy and structures. Some institutions may wish to organize their compliance function within their operational risk management function, as there is a close relationship between compliance risk and certain aspects of operational risk. Others may prefer to have separate compliance and operational risk functions, but establish mechanisms requiring close cooperation between the two functions on compliance matters. The function should report independently to the Board, or committee of the Board, that identifies, assesses, advises, monitors and reports on the institution’s compliance risk. A bank that is licensed by the regulator to operate should therefore include compliance risk as part of its risk management processes and risks of non-compliance identified, assessed, and managed as part of overall risk management. Risk Culture, Risk Governance and Balanced Incentives 31 Case Study 7: The role of the risk function To focus on the different risks facing the bank, one of the studied banks has established specialized units within the risk management department. The bank’s risk department is responsible for monitoring and reporting on credit, market, and operational risks. The department has the following units: • The credit risk management unit is divided to focus on the bank’s three target markets—large companies, SMEs and retail customers. It performs analyses of the credit files before submission to the appropriate credit committees. 
Its other major roles include development of assessment tools and risk management, and internal regulatory reporting on credit risk performance; • The market risk management unit’s roles include monitoring bank counterparties, active contribution to the Asset and Liability Management (ALM) risk perspective, and monitoring the activities of the bank’s exchange room. The assets and liabilities management unit assesses the bank’s liquidity and interest rate risks to ensure adequate cover of its exposure to banking risks in line with recommendations of the Basel Committee for Banking Supervision; and • The operational risk management unit’s roles include outlining the framework for dealing with operational risks, collection of incidences and losses, and calculation of capital requirements. The specialist units were established in the risk management department as part of the bank’s quest to provide innovative and convenient banking services for the benefit of its stakeholders. This has benefited the bank by minimizing losses, protecting its revenues and providing sustainable business through a more thorough and in-depth risk monitoring and reporting process. • The compliance function should be sufficiently Board Audit Committee, where this exists. The internal audit independent and have sufficient resources to carry out its function supports the risk management practices in the bank mandate effectively; by:35 • The activities of the compliance function should be subject • Reporting audit findings, significant issues, and the to periodic review by the internal audit function; and status of remedial action directly to the Board or audit • As the compliance function is an integral part of the committee on a regular basis; bank’s risk management program, if specific tasks are • Providing an overall opinion on the design and outsourced, the senior management should ensure effectiveness of the risk governance framework to the sufficient oversight of the outsourced tasks. 
3.2.1.5 Third Line of Defense: The Role of Internal Audit

In a risk governance structure, the internal audit function is charged with providing the senior management and the Board with assurance that internal controls are operating as intended, providing insights for improving the controls, processes, and procedures, and providing an objective view of the overall bank operations. The bank should establish and maintain an independent, adequately funded, and competent internal audit function, which acts according to international standards for the practice of internal auditing guided by associations such as the Institute of Internal Auditors (IIA).

The Chief Audit Executive (CAE) or equivalent should have a functional reporting line directly to the Board, through the audit committee on an annual basis;35

• Providing qualitative assessments of risks and controls as opposed to evaluating compliance with policies and procedures;
• Assessing whether business and risk management units are operating according to the RAF; providing feedback on how the firm’s risk governance framework and RAF compare to industry guidance and better practices as a means of influencing their evolution;
• Providing input to risk assessments and feedback on internal controls during the design and implementation processes; escalating issues and concerns identified in the course of audit work or through internal whistle-blowing, complaint, or other processes and situations where appropriate remedial action is not being implemented in a timely manner; and
• Being aware of industry trends and best practices.

35 Financial Stability Board, Thematic Review on Risk Governance: Peer Review Report, 2013, pp. 33–34.

Chapter 3: Risk Governance in Banks

The Board and/or audit committee should fully support the CAE and internal audit function by ensuring that the CAE:36

• Is organizationally independent from business lines and support functions and has unfettered access to the audit committee;
• Meets regularly with audit committee members outside of management’s presence;
• Is appointed and dismissed with the approval of the audit committee (or chair of that committee);
• Has his/her performance, compensation, and budget reviewed and approved by the audit committee;
• Has the organizational stature, talent, and character needed to provide a reliable independent assessment of the firm’s risk governance framework and internal controls and not be unduly influenced by the CEO and other members of management;
• Has the resources (people and systems) needed to effectively carry out the responsibilities of internal audit; and
• Provides regular reports to the Board or audit committee which summarize the results of internal audit’s work, including overall conclusions or ratings, key findings, material risk/issues, and follow-up of management’s resolution of identified issues.

There should be synergy and cooperation between the bank’s internal and external auditors to ensure a collaborative and productive relationship. External auditors could leverage on the internal auditor’s activities and results to ensure efficient overall audit coverage for the bank.

The CAE must ensure that the bank has a quality assurance and improvement program of the internal audit function as prescribed by the Practicing Standards of the Institute of Internal Auditors. The program should evaluate the internal audit function’s conformance with the standards of internal audit, and upholding of the principles of the IIA’s Code of Ethics, including integrity, objectivity, confidentiality, and competence of the employees in the internal audit function. A quality assurance and improvement program enables the bank to ensure that its internal audit function complies with IIA standards, is adequately resourced, and has an appropriate reporting structure. It also ensures that the internal audit function becomes a reliable source of information on the bank’s internal control environment and supports the overall objectives it was set up to achieve.

There should be both internal assessment and external assessment of the internal audit function. Internal assessment could be through ongoing monitoring of the performance of the internal audit function or through periodic self-assessments. External assessments should be undertaken at least once every 5 years.

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
—Institute of Internal Auditors

As a means of further enforcing good governance, the results of the quality assessment of the internal audit function should be communicated to the Board and senior management. This should include any opportunities for improvement of the function and the impact of any non-conformance with the standards of internal auditing.

36 Ibid., p. 33.

3.2.1.6 The Role of External Auditors

Traditionally, external auditors provide reasonable assurance to the bank’s stakeholders that the financial statements are free from material misstatements. They do this by expressing an opinion on the bank’s financial statements, focusing on whether proper books of account have been kept and maintained by the bank and whether the financial statements presented give a “true and fair view” of the financial affairs of the bank. The external auditor’s opinion also indicates whether the bank’s financial statements are in conformity with the accounting standards adopted by the bank, such as International Financial Reporting Standards (IFRS), in addition to adherence to the relevant Banking Act and the attendant regulations issued by the country’s bank regulator.

On the basis of the opinion on the financial statements, as provided by the external auditors, the audited financial statements are then relied upon by the bank’s stakeholders, who include the shareholders, investors, rating authorities, regulatory bodies such as the country’s tax authorities, banking regulators, and securities regulators (if listed or issuing publicly traded debt instruments), in addition to the general public.

To form an opinion on the financial statements, the external auditors must gather appropriate and sufficient audit evidence and undertake audit procedures to review the bank’s material account balances such as loans and advances and investments. They do this by gaining an understanding of the bank’s operations and evaluating the bank’s internal controls system to the extent that it addresses significant risks in the operations.

The external auditors also focus on adherence to risk management guidelines set by the bank regulator. They do this by reviewing the adequacy of the bank’s policies and procedures on risk management (credit, liquidity, market, and operational risks) when compared to best practice and the regulator’s guidelines. The external auditors test the extent of the implementation of the risk management guidelines while testing the bank’s transactions and system of internal controls.

Although limited by scope, the external auditor offers an extra line of defense by providing independent assurance on the operating effectiveness of the system of internal controls to the bank’s stakeholders. In addition to offering recommendations to the bank’s management for improving the bank’s processes, systems, and internal controls, external auditors address any other area(s) identified by the Board that present(s) a significant financial reporting risk to the bank.

3.2.1.7 The Role of Supervisory Authorities

Bank regulatory agencies issue specific regulations and guidelines governing the operations, activities, and acquisitions of banks, with regulation and supervision playing complementary roles. Supervisory roles involve the monitoring, inspecting, and examining of banks to assess their compliance with the relevant laws, regulations, and supervisory directives.

Supervisory authorities issue guidelines on matters such as appointment of Board members, required cash reserve ratios, and minimum disclosure requirements, and as such they help a bank in shaping its internal control environment and the risk governance structure. The supervisory authorities in different countries are taking a more proactive approach and are adopting the Basel Committee guidelines in prescribing rules and regulations for the banks under their jurisdiction. In addition, in some emerging market countries, regulatory authorities have prescribed minimum standards for internal controls, risk management structure, risk management programs, maximum risk exposures, internal audit and external audit programs.

3.2.2 Risk Management Framework

Checkpoint:
✓ Risk appetite statement
✓ A risk management toolkit
✓ ICAAP

A risk management framework is a formal process for identifying, assessing, and prioritizing major business risks across the bank. A risk management framework enhances the bank’s value as its management strikes a balance between growth and related risk, thereby deploying resources efficiently and effectively. It assists the bank in:

• Addressing the relevant risks the bank faces in areas such as its strategy, planning, operations, finance, and governance;
• Acknowledging the risk management needs of specific business units and across the bank;
• Considering the causes of and interaction among various risks and the potential impact of multiple concurrent threats or events;
• Creating a common language for defining risks and developing a risk culture;
• Viewing risk taking as a way to achieve the bank’s objectives rather than avoiding risks; and
• Employing risk-based methods in decision making, especially when deploying the bank’s resources.

3.2.2.1 Components of an Enterprise Risk Management Framework

The Enterprise Risk Management (ERM) framework components in Figure 4 (page 35), based on the COSO framework, are recommended for effective risk governance.

The different players in the three lines of defense described in the previous section (3.2.1.2 to 3.2.1.6) are responsible for particular components of the risk management framework.

Case Study 8: Recommendations by the Monetary Authority of Singapore on corporate governance

In East Asia, the Monetary Authority of Singapore has the following as part of the corporate governance guidelines for financial institutions: Independent directors should make up at least one third of the Board. There is a division of duties between the Chairman and the CEO. The Board should have a Nomination Committee that makes recommendations on:

• The review of Board succession plans for directors, in particular, the Chairman, and for the CEO;
• The development of a process for evaluation of the performance of the Board, its Board committees and directors;
• The review of training and professional development programs for the Board; and
• The appointment and re-appointment of directors (including alternate directors, if applicable).

The Board is responsible for the governance of risk and may establish a separate Board risk committee. The Board should ensure that the management maintains a sound system of risk management and internal controls to safeguard shareholders’ interests and the bank’s assets, and should determine the nature and extent of the significant risks which the Board is willing to take in achieving its strategic objectives. The Board should determine the bank’s levels of risk tolerance and risk policies, and oversee management in the design, implementation and monitoring of the risk management and internal control (including financial, operational, compliance and information technology control) systems. The bank’s risk management and internal control systems should be reviewed at least annually by the Board and a comment included in the bank’s annual report as to whether the CEO or Chief Finance Officer (CFO) assured the Board on the effectiveness of the bank’s risk management and internal control systems. The Board should also approve the appointment, remuneration, resignation, or dismissal of the CRO. The Board or the Board risk committee should have influence over the performance assessment and succession planning of the CRO.

The Board should establish an Audit Committee comprised of at least three directors with a majority of non-executive directors and an independent chairman. Its duties include:

• Reviewing the significant financial reporting issues and judgments so as to ensure the integrity of the financial statements of the company and any announcements relating to the company’s financial performance;
• Reviewing and reporting to the Board at least annually the adequacy and effectiveness of the bank’s internal controls, including financial, operational, compliance and information technology controls (such review can be carried out internally or with the assistance of any competent third parties);
• Reviewing the effectiveness of the bank’s internal audit function;
• Reviewing the scope and results of the external audit, and the independence and objectivity of the external auditors; and
• Making recommendations to the Board on the proposals to the shareholders on the appointment, re-appointment and removal of the external auditors, and approving the remuneration and terms of engagement of the external auditors.

The bank should establish an effective internal audit function that is adequately resourced and independent of the activities it audits. The head of the internal audit should report functionally to the Chairman of the Audit Committee and administratively to the CEO. The adequacy and effectiveness of the internal audit function should be reviewed, at least annually, by the Audit Committee.

The Board should also establish a Remuneration Committee, comprising at least three non-executive directors and an independent chairman. The Committee should review and recommend to the Board the remunerations for the Board and key management personnel (the key management personnel include the CEO and other persons having authority and responsibility for planning, directing, and controlling the activities of the bank). Lastly, the Committee should also seek the Board Risk Committee’s views to ensure that the remuneration practices do not create incentives for excessive or inappropriate risk-taking behavior. The remuneration should take account of the risk policies of the bank, be symmetric with risk outcomes, and be sensitive to the time horizon of risks. Annually, the bank should also name and disclose the remuneration of the directors, CEO, and at least five key management personnel. The disclosure should include the fixed salary, incentive pay, benefits in kind, stock options granted, share-based incentives and awards, and other long-term incentives.

Figure 4: Components of a risk management framework which supports risk governance. The figure shows the following components: Governance; Strategy; Risk Responses; Internal Environment; Risk Monitoring; Assurance; Information and Communication; Control Activities; Risk Ownership; Event Identification; Risk Assessments.

The components of the risk management framework and their responsibilities in this are described as follows:

• Internal environment: The internal environment encompasses the elements of the bank’s risk culture. It takes into account the risk management tone, and sets the basis for how risk is viewed and addressed by the bank’s employees. It includes the bank’s risk management philosophy and risk appetite, integrity and ethical values, and the environment in which it operates. The risk appetite component is discussed in detail in section 3.2.2.2.

Case Study 9: Three lines of defense to support the risk governance structure

To implement a robust risk management program, one of the interviewed banks has defined a governance structure based on the three lines of defense model. The bank has clearly defined roles for the Board, the internal audit and risk management functions, and the business units.

The Board is charged with risk oversight and determination of the bank’s risk appetite and reviews the risk appetite appropriate to the bank’s growth strategy. The Board has delegated its risk oversight responsibilities to committees that include the Board Audit Committee (BAC), Board Risk Management Committee (BRMC), Board Credit Committee (BCC), Information and Communication Technology (ITC) Committee, and the Assets and Liabilities Committee (ALCO). The BAC is responsible for ensuring that the Bank’s financial reporting is transparent by reviewing the effectiveness of the bank’s internal financial controls and risk management system, and monitoring the effectiveness of the internal audit function. The BAC also ensures the independence of the external audit function by appointing and assessing the performance of the external auditor. It is also responsible for ensuring compliance with laws and regulations affecting financial reporting. The BRMC is responsible for oversight of the bank’s risk management systems, practices, and procedures to ensure their effectiveness in risk identification and management as well as to ensure compliance with the bank’s internal policies and the guidelines laid out by the regulator. The ALCO establishes guidelines on the bank’s tolerance for risk and expectation from investment, sets and monitors specific financial targets and Key Performance Indicators (KPIs), monitors the bank’s capital, and ensures that management implements the assets and liability policy of the bank. The BCC’s duties include reviewing the bank’s credit portfolio KPIs that include concentrations and provisions, ensuring alignment with the bank’s credit strategy and risk appetite, and approving credit terms.

These committees complement each other. The BAC provides the critical independent quality assurance, the BCC manages credit risk, the ALCO committee manages market risk, and the Operational Risk Committee manages operational risk, compliance and legal risk, regulatory risk, and reputational risk. In addition to this, the ICT Committee manages IT risks facing the bank and the BRMC oversees all the risks managed by all other Board subcommittees as well as external or emerging risks.

The internal audit function is independent of all other business units and provides assurance of the adequacy and effectiveness of the bank’s risk management, control and governance processes. It is headed by the General Manager Internal Audit, who reports administratively to the Managing Director and functionally to the Board Audit Committee. To improve the independence of the internal audit function, its head has unfettered access to the Chairman of Audit Committee and the Chairman of the Board.

The risk management function is charged with providing guidance to the business units and independently reporting and monitoring the risk management systems. The General Manager, Risk and Compliance Division, in conjunction with the Managing Director, is responsible for setting a framework that ensures effective risk management, compliance and control for all risk types across the bank.

The business units take ownership of the risks with the heads of the business units responsible for identification and management of risk in their business units. This is undertaken through regular Risk and Control Self-Assessment exercises.

• Strategies: The Board and senior management should identify the bank’s long-term goals before it can identify potential events affecting their achievement. The ERM framework ensures that senior management has in place a process to set objectives and that the chosen objectives support and align with the bank’s mission and are consistent with its risk appetite.
• Event identification: Internal and external events affecting achievement of a bank’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
• Risk assessment: Risks are analyzed by considering likelihood and impact as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk response: The senior management selects risk responses—avoiding, accepting, reducing, or sharing risk—and develops a set of actions to align risks with the bank’s risk tolerances and risk appetite.
• Control activities: Policies and procedures are established and implemented to ensure that the risk responses are effectively carried out.
• Information and communication: The relevant risk information should be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities.
• Risk monitoring: The entirety of ERM is continuously monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Case Study 10: Risk management framework

In one of the banks interviewed, the Board has facilitated the operationalization of the bank’s Risk Management Framework as follows. Different Board committees such as the Board Risk Management Committee (BRMC), Board Audit Committee, and the Board Credit Committee in co-operation with Management Committees provide the written principles for overall risk management policies. They also provide the guidelines for the bank’s risk identification, measurement, monitoring, and reporting. The execution of the framework is a function of the bank’s Enterprise Risk Management Group, which identifies, evaluates, and hedges financial risks with assistance from the bank’s strategic business units. The bank has also appointed a Chief Risk Officer (CRO) who has a direct reporting line to BRMC and a dotted line to the CEO.

The establishment of a formal risk management framework has helped the bank to ensure that the risks inherent in the bank’s products, processes, activities, and new markets are identified early and the risk profiles are regularly reviewed. The bank’s risk management process considers various risks, including credit, operations, liquidity, legal, compliance, and strategic risks. The identification, assessment, prioritization and mitigation of identified risks are completed through periodic Risk and Control Self-Assessment (RCSA) and development of Key Risk Indicators (KRIs) to identify and monitor the risks. Workshops are held with all stakeholders such as the process owners, the Internal Control Department, Internal Audit, and senior management (through the Risk Management Committee) to assess the identified risks, proffer mitigations and then use heat maps based on frequency and impact to prioritize these. This process is further supported through:

• Use of approved processes and templates for documenting identified risks;
• Existence of a strategic framework for the assessment of risks associated with new ventures (markets and products);
• Periodic review of existing products;
• Existence of defined KRIs; and
• Periodic RCSA exercises.

The RCSA process is coordinated by the Operational Risk Management Department, which reports directly to the CRO and the Executive Risk Management Committee. The results of these exercises are also reported to the Board, through the BRMC, on a quarterly basis.

3.2.2.2 The Risk Appetite

Setting the bank’s risk appetite is a core component of a bank’s ERM framework. Risk appetite defines the level of enterprise-wide risk that the bank is willing to accept or the capacity to absorb; it should include thresholds for specific actions, such as acquisitions, new product development, or market expansion. While senior management can propose risk appetite levels, the Board must review and adopt the risk appetite or challenge it for further assessment. The evaluation should be based on the risk appetite alignment with the bank’s solvency requirements, business strategy and stakeholders’ expectations. The Board should define, approve and incorporate it in the bank’s strategic and tactical plans. An effective risk appetite statement should:37

• Include key background information and assumptions that informed the bank’s strategic and business plans at the time they were approved;
• Be linked to the bank’s short- and long-term strategic, capital and financial plans, as well as compensation programs;
• Establish the amount of risk the bank is prepared to accept in pursuit of its strategic objectives and business plan, taking into account the interests of its customers (e.g., depositors, policyholders) and the fiduciary duty to shareholders, as well as capital and other regulatory requirements;
• Determine for each material risk and overall the maximum level of risk that the bank is willing to operate within, based on its overall risk appetite, risk capacity, and risk profile;
• Include quantitative measures that can be translated into risk limits applicable to business units and at group level, which in turn can be aggregated and disaggregated to enable measurement of the risk profile against risk appetite and risk capacity;
• Include qualitative statements that articulate clearly the motivations for taking on or avoiding certain types of risk, including for reputational and other conduct risks across retail and corporate markets, and establish some form of boundaries or indicators (e.g., non-quantitative measures) to enable monitoring of these risks;
• Ensure that the strategy and risk limits of each business unit align with the enterprise-wide risk appetite statement as appropriate; and
• Be forward looking and, where applicable, subject to scenario and stress testing to ensure that the financial institution understands what events might push the bank outside its risk appetite and/or risk capacity.

Where possible, the risk appetite should be quantified either as a monetary figure or as a percentage of revenue, capital, or other financial measure (such as loan losses). However, less quantifiable risk areas, such as reputational risk, also need to be considered when setting risk appetite levels.

Figure 5 (page 38) is an illustration demonstrating the key steps in developing a Risk Appetite Statement.38

The following points on the Risk Appetite Framework (RAF), Risk Appetite Statement (RAS), and risk limits are important to note:39

• The RAF incorporates a RAS that is forward-looking as well as information on the types of risks that the bank is willing or not willing to undertake and under what circumstances. It contains an outline of the risk management roles and responsibilities of the people involved, the risk limits established to ensure that the framework is adhered to, and the escalation process where breaches occur;
• The RAS is linked to the bank’s strategic, capital, and financial plans and includes both qualitative and quantitative measures that can be aggregated and disaggregated such as measures of loss or negative events (e.g., earnings, capital, liquidity) that the Board and senior management are willing to accept in normal and stressed scenarios; and
• Risk limits are linked to the firm’s RAS and allocated by risk types, business units, business lines or product level. Risk limits are used by senior management to control the risk profile and are linked to compensation programs and assessment.
• The RAS should also have the following various components:40
»» The risk/return trade-off: The Board needs to show clearly the relationship between the risk that they take and the perceived return. For higher rates of return, the amounts of risks to be taken would be larger; however, this increases the possibility of the bank’s losing the resources committed to such products;
»» The interests of various stakeholders: The bank has various stakeholders, who include the depositors, regulatory authorities, and other lenders. The Board should ensure that the interests of each are considered and agree on prioritization of such interests;
»» Risk identification and measurement capabilities: The Board should ensure that there is a well-laid-out risk assessment process that identifies the various types of risk and the level associated with the various business strategies. It is desirable to have the risks quantified, but if this is not possible, clear and complete qualitative descriptions should be obtained;
»» Translating risk tolerance into metrics and guidelines: The Board should aim to ensure that the risk appetite is expressed in standard terms that everyone in the bank can understand and that each business unit has apportioned its risk appetite clearly. This ensures that the risk taking departments are well aware of the acceptable risks they can take and the sanctions one faces should they take any unacceptable risks.

37 Financial Stability Board, Principles for an effective Risk Appetite Framework, 2013, pp. 5–6.
38 Excerpted from the Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk And Reward, Appendix C: Developing a Risk Appetite Statement, published by National Association of Corporate Directors, 2009.
39 Financial Stability Board, Thematic Review on Risk Governance: Peer Review Report, 2013, p. 32.
40 International Finance Corporation, Standards on risk governance in financial institutions, 2012, p. 8.

Figure 5: Risk appetite statement

Determine implicit risk appetite:
• Catalogue current and historical risk-taking characteristics and current risk exposures.
• Perform additional analyses as needed, e.g., stress tests, to project expected risk levels based on current characteristics.
• Assess current limits by risk type as evidenced in policy documents and past limit breaches.
• Benchmark against external reference points, e.g., rating agencies, competitors, etc.
• Develop draft risk appetite for review by management and Board.

Review and revise risk appetite:
• Review and validate draft risk appetite with management and selected Board members.
• Consider the perspectives of different stakeholder groups.
• Integrate disparate perspectives converging to a common position.
• Develop revised risk appetite.

Finalize appetite:
• Finalize risk appetite definitions.
• Introduce initial set of tolerance levels and targets.

Please refer to Annex 5 for an illustrative Risk Appetite Statement for a financial services organization.41

It is important to have an approved RAS, because it:

• Clarifies senior management’s authority and boundaries for risk taking;
• Serves as a guide in strategy setting and in allocating resources, where it represents the acceptable balance of growth, risk and return;
• Helps in prioritizing or triggering mitigation actions for risks approaching or exceeding the risk appetite;
• Supports Board oversight and senior management actions to bring/keep the bank’s risk profile within its risk appetite or determine whether its risk appetite requires recalibration; and
• Helps make forward-looking and well-informed strategic decisions that can shape the bank’s ability to remain profitable while also managing risk prudently in the face of economic, market, and regulatory events.

41 Excerpted from the Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk And Reward, Appendix C: Developing a Risk Appetite Statement, published by National Association of Corporate Directors, 2009.

3.2.2.3 Internal Capital Adequacy Assessment Process

The Internal Capital Adequacy Assessment Process (ICAAP) is a set of sound, effective and complete strategies and processes that allow a bank to assess and maintain – on an ongoing basis – the levels, types, and distribution of its own funds that it considers adequate to cover the risks faced by the bank.

The risk appetite is a key component of a bank’s ICAAP, where the objective is to ensure that there is a link between risk and capital adequacy. ICAAP informs the Board of the ongoing assessment of the bank’s risks, how the bank intends to mitigate those risks, and the capital levels required, having considered all the mitigating factors. ICAAP is also an important focus of the regulators and may be used to review and assess the capital adequacy and quality of risk management framework of a bank.

ICAAP should have two major components that include an internal process to identify, measure, manage, and report risks that the bank is exposed to or could be exposed to in the future; and an internal process to plan and manage its internal funds so as to ensure sufficient capital adequacy. It should be reviewed by an objective and independent function such as the internal audit function or external consultants at least annually.

Within the bank’s risk management framework, ICAAP ensures that the Board and senior management:

• Adequately identify, measure, aggregate, and monitor the institution’s risks;
• Ensure that the bank holds adequate internal capital in relation to its risk profile;
• Use and continually improve the bank’s risk management systems; and
• Hold adequate capital commensurate with its current, forecast and stressed risk profile.

The ICAAP process should be in line with the bank’s strategic objectives and meet the following requirements:

• Consider all material risks;
• Incorporate prospective assessments;
• Use appropriate methodologies to measure and relate to capital;
• Be adequately formalized and documented;
• Specify the roles and responsibilities assigned to bank functions and business units;
• Be supported by a sufficient number of qualified personnel with the authority necessary to enforce compliance with strategies and plans; and
• Be an integral part of management activity.

The Board should establish and approve the general structure of the process, and ensure its prompt adaptation to significant changes in the strategic objectives and business plans by making full use of results of ICAAP for strategic decision-making purposes.

ICAAP would enable the bank to:

• Use “what if” analyses to assess its risk exposures under adverse conditions and determine whether the amount of internal capital needed to cover such exposure is in place, or any other actions needed to be taken to reduce the risk; and
• Verify the results and accuracy of the bank’s risk assessment models.

3.2.3 Qualifications and Experience

Checkpoint:
✓ Board qualifications
✓ CRO qualifications
✓ CAE qualifications
✓ Risk and audit staff skills and experience

Those responsible for risk management should have the appropriate qualifications, experience and skills in risk management, bank operations, legal and financial background as appropriate. A carefully crafted plan, which starts from recruitment and continues even after hiring, with the right induction and training plans enhances the Board’s qualification and experience. To ensure that the bank has the right mix of skills and experience, the bank should:

• Recruit Board members from a large pool of people to ensure that the Board will be composed of members who possess relevant expertise and will exercise objective judgment. The Board should ensure that at least one of its members has a strong background in risk management and/or internal audit. In addition to banking experience, selection of independent Board members should further enhance the Board’s performance. In addition to this, it may be of great benefit to the bank if one of the members of the Board Risk Committee is a “risk expert”42 and has any of the following qualifications:43
»» Experience as a CRO, CEO, chief finance officer (CFO), or chief compliance officer (CCO) who has successfully owned or managed a risk management program at a bank of comparable size, scope, operations, and complexity;
»» Experience successfully managing significant risks and a range of risks (for instance, beyond a single risk, such as credit or market risk) at a similar bank; and
»» Organizational and leadership skills required to work with committee members, the Board, and management to further the cause of sound risk management in the enterprise.
• To ensure that the Board gets the right caliber of the “risk expert” as defined above, the Board should consider the following questions in regard to a risk expert:44
»» Has this person served as a CEO, CRO, CFO, or CCO, or in another position with substantial risk-related responsibilities? How recent is his or her experience?
»» What was the industry, size, and scope of the organization(s), and which risks did he or she manage or oversee? How do the businesses and risks that the individual previously oversaw compare with those of the company?
»» What was the nature of regulatory requirements and expectations for risk management in the individual’s prior organization?
»» How hands-on and in-depth is his or her experience? In other words, did he or she just sign off on risk management or oversight reports, or was he or she truly involved?
»» What was the size of the risk organization and what role did the individual play in developing and overseeing the risk organization?
»» What were the results of risk management and governance activities during and after this person’s watch? What were his or her successes and failures, and how does he or she view them?
»» How risk averse or risk tolerant is this person in organizational settings?
»» Has this individual had the experience of identifying, analyzing, monitoring, and reporting on risk to a Board of Directors?
»» Is this individual a good fit with the Board, executive team, and major shareholders in terms of personality, team orientation, communication skills, and leadership style?
• Have a director’s orientation program whose objective is to familiarize new Board members with the bank’s risk management process and the Board’s roles and responsibilities.
• Ensure that the CRO, CCO, CAE and the members of risk management, compliance, and internal audit functions have relevant professional qualifications and experience, appropriate for the position in line with country-specific education systems and requirements. However, at a minimum, the CRO, CCO, and CAE and employees in the risk management, compliance, and internal audit functions should have extensive experience working in or with banks, particularly in business units such as operations, finance and/or legal departments.

“A director is identified as ‘independent’ if the Board of Directors will determine that such director meets the requirements established by the Board and is otherwise free of material relations with a company’s management, controllers, or others that might reasonably be expected to interfere with the independent exercise of his/her best judgment for the exclusive interest of the company.”
— International Finance Corporation, ‘Practical Guide to Corporate Governance,’ 2009, p. 227

42 “This risk expert role is somewhat analogous to the role of the financial expert required to be on the audit committee by the Sarbanes-Oxley Act of 2002” – Deloitte, Risk Committee Resource Guide for Boards, 2012, p. 9.
43 Deloitte, Risk Committee Resource Guide for Boards, 2012, p. 9.
44 Ibid.

3.2.4 Training and Capacity Building Programs

Checkpoint:
✓ Board training
✓ Employee training
✓ Training evaluation

Training is an investment in intellectual capital which generally results in enhanced employee knowledge and skills. It facilitates understanding of complex products and/or service offerings, thereby helping the bank to manage its risks. It involves the imparting of risk management skills and knowledge, concepts, and rules that aim to change the attitude and behavior of the bank employees toward risk.

The bank should consider if the following questions are answered adequately, with regard to its training program:

• Does the Board receive any training to understand and execute its responsibilities for risk oversight? How often is training conducted and updated?
• Are risk management procedures and protocols documented and communicated? Are there training programs focused on developing a risk awareness culture? How often are these conducted and updated? What is the participation quotient of employees in these?
• Are there perceived weaknesses in the current training programs? In which areas?
• What unexpected risks have impacted the bank recently, and why?

As risks in the economic, competitive, regulatory, legal, and technological environments are dynamic, risk governance
What is the training strategy to organize and must evolve in response. The bank’s leaders must therefore prepare for such events? undergo continuous training that may include conferences, At a minimum, training programs should include the selected readings, customized briefings, and courses designed following: for Board members and senior management in order to:45 • There should be annual training on creating awareness on • Stay abreast of leading practices as risks evolve and as the risk management to all employees of the bank. The CEO senior management updates its risk management methods; should champion this. • Understand new risks associated with new products and • The training should cover the concepts of risk how changes in regulations may increase or decrease risk; management, which include definition of risk, risk • Periodically benchmark risk governance practices of the management, emerging risks, risk assessment / bank with its peers, competitors, customers, and suppliers measurement, risk mitigation, and reporting processes, in order to understand evolving practices and evolving and the roles and responsibilities of the Board members, expectations of its stakeholders; senior management, and all employees. • Keep up to date on risk disclosure requirements in • There should be regular monitoring and reporting on the communication with external stakeholders; and training performed. • Offer orientation programs for new risk committee • There should be a mandatory induction program / members and a module in Board members’ orientations to sessions on risk management for all new employees and inform them about the risk committee. for new Board members. See Annexes 6 and 7 for sample training programs for the Board and risk champions, respectively. 45 Ibid., p. 16. Case Study 11: Risk management training One bank that was interviewed uses an e-learning platform to disseminate required learnings to the Bank’s employees. 
Courses on financial analysis, financial accounting, credit analysis, securities in banking and internal controls are included on this platform. Classes are also conducted through a mix of internal and external consultants and courses are a mix of mandatory and optional courses. For specialized trainings, some employees are selected for initial training so that they can transfer the knowledge acquired to other employees in their departments. The above training and capacity building programs provide knowledge to employees, giving them a comprehensive vision of risk management within the organization’s different sectors, from the theoretical aspects to implementation as a management tool. 42 Chapter 3: Risk Governance in Banks 3.2.5 Board Evaluation • During performance evaluation, the Board should consider the following process:47 Board evaluation is a Checkpoint: process by which the bank »» Select a coordinator and establish a timeline for the gauges how well its Board evaluation process; ü ü Regular assessment is achieving the targets set. »» In addition to risk committee members completing the of the Board’s performance through The main objective of the form as a self-evaluation, ask individuals who interact internal & external evaluation exercise is to with the risk committee members to provide feedback; reviewers; and improve the effectiveness of »» Ask each risk committee member to complete an ü ü Disclosure of risks the Board’s activities. evaluation by selecting the appropriate rating that facing the bank most closely reflects the risk committee’s performance The following practices ensure related to each practice; and that a bank’s Board evaluation meets its risk management objectives: »» Consolidate the results of such inquiry and evaluation into a summarized document for discussion and review • There should be regular assessment of the Board’s by the committee. 
performance on risk management oversight, Board composition, experiences, knowledge and skills which • In addition to self-assessment, commissioning an should inform better ways as to how the Board should independent external review of a bank’s risk governance effectively deliver on its mandate. policies, procedures, and performance can yield useful benchmarking information and shed light on leading risk • The areas of evaluation of the Board Risk Committee, in governance practices. particular, should include:46 • The Board should assess the adequacy of the disclosure »» The breadth and depth of the Board Risk Committee’s of the risks facing the bank in a clearly documented knowledge of risk and risk governance and disclosure policy. A disclosure of material circumstances, management (including ongoing education); an annual report, or other disclosures should document »» The independence of the risk committee members from the risks affecting the bank’s performance and meet the management; minimum requirements set out by regulatory bodies. »» The performance of the chair of the committee and his • The bank should have an integrated and detailed program or her relations with management and the CRO and for incorporating feedback from the performance review with the committee; initiatives and show improvement on implementation of such recommendations. »» The clarity of communications with management about risk, and the degree to which these 3.3 Risk Governance Maturity Rating Scale communications have been understood and acted upon; Table 4 lists criteria that can be used to assess a bank’s maturity against each one of the risk governance best »» The quality of Board, risk committee, and practices. 
The following key risk governance indicators management responses to potential or actual financial, can be used by banks to undertake a self-assessment and operational, regulatory, or other risk events; and benchmark their risk governance structures against the »» The effectiveness of the information received and recommended best practices. reporting about risk by management. 3.4 Conclusion The above is further illustrated in annex 8, in which an illustrative Board risk committee evaluation questionnaire The financial crisis spurred fundamental changes in risk has been included. governance practices at banks. In its report,48 the FSB noted that surveyed financial institutions were ahead of regulatory 47 Ibid., pp. 26-29. 48 Financial Stability Board, Thematic Review on Risk Governance, Peer 46 Ibid. Review Report, 2013, p. 17. Risk Culture, Risk Governance and Balanced Incentives 43 Table 4: Criteria that can be used to assess a bank’s maturity against each one of the risk governance best practices Component Below Standard Standard Above Standard Risk Lack of a defined governance The Board has documented and The Board-approved risk governance structures structure to oversee enterprise- approved governance structures and and guidelines are well understood throughout Governance wide risk management. Roles and guidelines and its committees have the bank, and risk management initiatives are Structure responsibilities of the Board, CRO and charters that explicitly include their risk continually sustained and strengthened by all senior management are not defined. management roles and responsibilities. key stakeholders who include the Board, senior A risk appetite statement is not These guidelines have not been management, and employees. established. communicated throughout the bank. 
A Board-approved risk appetite statement is The risk management functions Risk appetite is mentioned in leveraged across the bank to inform all business are not in existence or do not have connection with critical topics such as decisions and supports the enterprise-wide risk adequate resources and support to strategy discussions. management practices. play their role in risk governance as a There is an internal audit function The risk management function is integrated second line of defense. and/or a risk management function, as part of the second line of defense in the risk The bank does not have an internal but their recommendations are not governance structure. audit function, and even where there positively received and implemented. The internal audit function is integrated into the risk is one, it lacks independence and/ The individuals or groups tasked with governance framework as a third line of defense. or adequate resources to play its responsibilities for risk governance The individuals or groups tasked with role in providing assurance on risk report to the CEO or equivalent but responsibilities for risk governance have governance as a third line of defense. have no reporting line to the Risk appropriate independence and report directly to Individuals or groups tasked with Management Committee or Board. the Risk Management Committee or Board. responsibilities for risk governance lack the appropriate independence. Risk Lack of a defined risk management Though the bank has a risk management A risk management framework is understood framework that defines the bank’s framework which identifies risk across the bank and leveraged upon by all the Management risk management processes, management processes such as risk risk management stakeholders’ to drive the risk Framework functions such as risk identification, identification, measurement, and control management programs in the bank. 
assessment, measurement, control design and reporting, these practices The bank has a unified classification of risks, and design and reporting. have not been embedded in the risk those charged with risk oversight have a unified Due to lack of a risk framework, the culture of the bank and are not followed view of the risks facing the bank. bank’s risk appetite levels are not consistently in the day-to-day activities. A single risk management toolkit is used, and is clearly defined. Each business unit has its own accessible to all those charged with risk oversight Lack of a clearly defined taxonomy taxonomy of the risks it faces. There is in the bank to aid in the quantification of risks. for the explicit and implicit lack of a unified bank risk profile. risks covered by the bank’s risk Different risk management toolkits management program. are used by the bank in managing the Lack of tools and/or methodologies different risks, or each business unit has needed to adequately quantify risk(s). its own toolkit. Qualifications The Board, CRO, internal audit Some members of the Board have good A significant number of Board members have a functions and other persons charged backgrounds in finance, banking, and strong finance, audit, and/or risk background. & Experience with the responsibility for risk audit or risk management. The majority of the Board members and the governance do not have the requisite Employees in the Risk Management CRO and his team have excellent formal skills and experience. function and the Internal Audit function education and significant industry experience. have good formal education, credentials The Internal audit team has the requisite skills and training but skills gaps exist. to enable them to play the risk governance role as a third line of defense. 
Training and The Board and pertinent individuals The Board and risk management The Board and all functions receive regular and do not receive training to understand function receive occasional training to focused training to understand and execute Capacity and execute their required understand and execute their required their risk management responsibilities. Building responsibilities for risk management. roles and responsibilities for effective risk management. Board Risk management is not included in Risk management is included in Risk management is integrated with performance management systems. performance management systems for performance management systems and Evaluation There are minimal improvement management and not at lower levels continually adapted based on feedback and initiatives resulting from risk There is a high-level program for changing bank needs. management and/or internal audit improvement resulting from activities There is an integrated and detailed program activities, such as internal reviews, such as internal reviews, internal or for improvement resulting from activities internal or external assessments, user external assessments, user feedback, such as internal reviews, internal or external feedback, complaints, and other issues. complaints, and other issues, but this is assessments, user feedback, complaints, and only deployed superficially other issues. Adapted from the Global Financial Service Industry (GFSI) Risk Transformation Toolkit, Deloitte Development LLP, May 2013. 44 Chapter 3: Risk Governance in Banks and supervisory guidance. In general, surveyed institutions • In addition to changing the composition and improving that were most affected by the crisis have made the greatest the strength of the Board, there have been major advancements, perhaps necessitated by a need to regain developments in how banks analyze risks and the market confidence. 
Firms that were less troubled from the associated tools utilized such as RAFs, stress tests crisis, however, have increased the intensity of the measures and reverse stress testing. One of the key lessons that they had in place pre-crisis. Some of the most obvious from the crisis was that reputational risk was severely changes include: underestimated; hence, there is more focus on business • Consolidating and raising the profile of the risk conduct and the suitability of products, e.g., the type management function across banking groups through of products sold and who they are sold to. As the crisis the establishment of a group CRO, increasing the stature showed, consumer products such as residential mortgage and authority of the CRO, and increasing the CRO’s loans could become a source of financial instability. involvement in relevant internal committees; By implementing the recommended practices in this • Changing the reporting lines of the risk management handbook, a bank can attain effective risk governance where: function so that the CRO now reports directly to the CEO • Its Board and senior management incorporate a broad while also having a direct link to the risk committee; outlook on industry risks and integrate risk-aware • Intensifying the oversight of risk issues at the Board thinking into strategic decision-making. through creation of a stand-alone risk committee, • The Board executes its fiduciary responsibilities to supported by greater links with the risk management ensure that appropriate risk management controls and function and other risk-related Board committees, procedures are in place. particularly audit and compensation committees. Cross- • Capable processes, systems and trained people exist to membership of the audit committee and risk committee act on industry intelligence in a timely and coordinated is now quite common, with some firms involving (or at manner. 
least inviting) the chairman of the Board, even the full Board, onto the risk committee. The time commitment of • A consistent and holistic approach is used across the bank independent directors has increased considerably over the in managing different classes of risk in an effective and past several years; efficient manner. • Upgrading the skills requirements of independent In addition to the Board’s risk governance responsibility, directors on the risk committee and expecting these it is charged with oversight of the bank’s incentives and members to commit more time to these endeavors. The compensation programs. Incentives play a particularly composition of boards has changed considerably, with important role, as they help shape the employees’ attitudes many non-executive directors now having financial toward assuming risk. Incentive programs in banks and industry experience; the dominance of members from recommended best practices are discussed in the next industrial companies or major shareholders is much less chapter. than a decade ago; • Changing the attitude toward the ownership of risk across the firm, with the business line now being much more accountable for the risks created by their activities than previously; and 4 Incentive Programs in Banks At a Glance “The dictionary tells us incentives are things that incite an action. Firms need to ask what type of action they want to incite. Is it to get the best Recommended best practices deal for the customer, or the person or the firm selling the product?” in Incentive Program Board level responsiblity for —Martin Wheatley, Former Managing Director of the Financial Services the program Authority (FSA), United Kingdom (UK) Formal incentive program 4.1 Introduction Aligning incentives to Incentive programs linked to risk performance grew out of companies’ the bank’s risk horizon desires to reduce fixed compensation costs and focus on pay for performance. 
They were considered “pay at risk” because, unlike Transparent incentive reporting guaranteed compensation such as salary and benefits, incentive payouts depended on the achievement of tangible, predefined Creating awareness performance goals. Banks generally considered such incentive pay as a positive means of aligning pay and performance, encouraging senior management to make the right decisions, and driving the right results. However, this is thought to have lured some members of senior management to take significant financial risks to accrue significant rewards. 49 In a Deloitte Banking Industry Survey50 released in May 2013, bankers indicated that the main causes of the banking industry’s cultural problems were misaligned incentives and poor leadership. Employee incentive programs reinforced failures at the top. Better risk management and alignment of pay with meaningful, long- term performance address shortcomings in incentive programs seen as a contributor to the global financial crises. Banks should scrutinize their incentive programs to see how they factor in their business strategy, risk profile, and potential business risks. Incentive programs now advocate for and encourage ownership of risks by business units and specific employees. 51 49 S. O’Donnell, “Executive incentive practices: Post-TARP,” Bank Accounting & Finance, 2009, p. 18. 50 Deloitte, Culture in banking: Under the microscope, 2013, p. 2. 51 S. O’Donnell, “Executive incentive practices: Post-TARP,” Bank Accounting & Finance, 2009, p. 19. 46 Chapter 4: Incentive Programs in Banks 4.2 Best Practices in Balanced Incentive management, and employees are paid, and the relationship Programs at Banks between the payments and the bank’s performance. 
Due to the role • Creating awareness in the bank on the risk-based Checkpoint: imbalanced incentive program: The bank should create awareness of incentive its incentive compensation programs to accelerate buy-in ü ü Board oversight on development programs are and support from all employees. and operation of program perceived to ü ü Balance of risk and financial results 4.2.1 Board Level Responsibility have played ü ü Involvement of the risk in the global The Board has the ultimate responsibility of ensuring that management function in the financial crisis the bank’s incentive program for all employees and senior design of the program which started in management is appropriately balanced and does not jeopardize ü ü Shareholders’ approval of the the summer of the bank’s safety and soundness. The bank’s incentive program incentive program 2007, various should be aligned to its strategy, goals, and performance. A bodies such as Board that analyzes incentive compensation and the potential the FSB and the Basel Committee for Banking Supervision impact on risks should actively oversee the development and have published guidance for improving the linkages operation of a formal incentive program, incentive policies, between effective risk management programs in banks and systems, and the related control processes through an compensation. Other parties like the World Bank, IMF, IIF, established remuneration/compensation committee. UK FSA (which has since been split into PRA and FCA), regulatory authorities, and professional services organizations As part of its corporate governance responsibility, the have published papers and guidance materials to improve Board should consider the relationship between incentive bank incentive programs so that they more closely link compensation and risk, especially for the Board and senior long-term performance to compensation incentives. Below management. 
To carry out this role effectively, Board members is a summary of key recommendations from some of these of the compensation committee should have a comprehensive guidelines as well as market best practices which a bank can understanding of the bank’s risk profile and possess some follow in implementing or assessing its incentive program: level of expertise and experience in risk management and compensation practices in the financial services sector that is • Board-level responsibility for the incentive compensation appropriate for the nature, scope, and complexity of the bank’s programs: The Board has the overall responsibility activities. They should ensure that the design of the incentive for the design and operation of the bank’s incentive compensation programs balance risk and financial results in compensation programs. They may consider greater input a manner that prevents employees from exposing the bank and scrutiny from shareholders’ perspective, including to imprudent risks. Multiple levels of performance should be approval of some aspects. incorporated, such as overall bank performance, business unit, • Establishment of a formal risk-based incentive and individual performance, and also should ensure that the compensation program: The bank should establish bank’s risk management function is involved in the design and incentive programs that are formal and documented. The review of the incentive compensation program. compensation programs should be a mix of variable and non-variable aligned to performance measures which The above was further stressed in a recent position paper on encourage sound risk- taking. remuneration by the European Confederation of Directors’ • Aligning incentive payout to the bank’s risk horizon: Associations (ecoDa), stating, “It is important to stress that Incentive compensation payout schedules must be evaluating executive directors’ performance and fixing their sensitive to the time horizon of risks. 
remuneration is one of the Board’s main duties”.52 As part of the Board’s duties, it should focus on ensuring transparency • Performance measurement based on level of risk decision: in director and senior management remuneration. Incentive Risk metrics should be included in the Board and programs for other bank employees should borrow on the senior management’s KPIs. These targets should then be cascaded to all employees. • Transparent reporting on incentive payout: The bank 52 European Confederation of Directors’ Associations, ecoDa’s response to the European Commission’s Green Paper on corporate governance should disclose how the Board of Directors, senior in financial institutions and remuneration policies, 2011, p. 22. Risk Culture, Risk Governance and Balanced Incentives 47 same principles applied to senior management programs The effectiveness of the compensation committee in a bank as approved by the compensation committee. This can determines whether the incentive plans established encourage be delegated to an HR management committee as seen prudent risk taking. appropriate by the Board. Good practice may be best advanced through dialogue between boards, shareholders, and financial To facilitate a balanced incentive program, the Board should regulators on the basis of corporate governance codes—rather ensure the following are in place: than through regulation. Besides their decisive role in the determination of the remuneration of non-executive directors, • Formal establishment of a compensation or equivalent the bank’s shareholders should always have a say in the committee: The Board should establish a committee on remuneration policy of executives (through a “say on pay”). compensation to have an active role in directing and controlling the compensation policies and practices of the The bank’s shareholders should approve the incentive bank. The committee’s primary responsibility should be compensation program. 
The total cost of the incentive plans setting appropriate and supportable compensation programs paid out should be an agenda item in the shareholder’s aligned to the bank’s business mission and strategy and meeting and as part of the bank’s annual report. The other interests such as talent management. In its duties, the Dodd-Frank Act in the US enacted in 2010 laid out specific committee should consider the following issues: requirements on how shareholders’ “say on pay” should »» The total value of all cash and non-cash benefits be managed. In addition to including the CEO’s pay for provided to the Board and senior management, shareholders’ approval, the Act makes the following including, but not limited to, performance-based pay, inclusions on other employees of the institution:53 retirement benefits, and severance pay; • Disclosing the relationship between the compensation »» Compensation of the bank’s employees with costs of the senior management and the company’s comparable expertise in the banking industry; financial performance; and »» The bank’s financial condition and risk appetite; and • Disclosing the median annual total compensation of all »» Any fraudulent act or omission, breach of trust or employees (except the CEO), the annual total compensation fiduciary duty, or insider abuse with regard to the of the CEO, and the ratio of the median employee total bank’s operations and market conduct. compensation to the CEO’s total compensation. The compensation committee should meet with the senior Shareholders should therefore be encouraged to attend the management, the risk and HR functions, or compensation bank’s annual and/or extraordinary general meeting so that experts regarding compensation matters, as deemed they can provide input and/or voice their concerns, if any, on necessary. the incentive compensation payouts. 
• Independent and/or non-executive directors as members of the compensation committee: The bank should aim However, in systemically important financial institutions, at ensuring that the compensation committee comprises financial regulators could be an additional source of monitoring non-executive directors, the majority of whom should be for the Board and senior management remuneration policy, independent directors to guard against any potential conflicts specifically taking the interests of other stakeholders such as of interest. A compensation committee determines that the shareholders, customers, or other banks into consideration.”54 bank’s compensation and benefits packages are aligned with While important, regulation with respect to the incentive plans prudent risk taking and do not provide excessive benefits or and level of remuneration should not be excessively prescriptive lead to imprudent risk taking in the bank. and more “principles based;” otherwise there is a risk of potential unintended distortion of remuneration practices. • Regular review of the independence and performance of the compensation committee or its equivalent: There should be a regular assessment of the independence 53 United States Federal Law, Dodd-Frank Wall Street Reform and of committee members. The performance of the Consumer Protection Act, 2010, Subtitle E — Accountability and Executive Compensation. compensation committee should also be evaluated against the mandate set for the committee and the achievement of 54 European Confederation of Directors’ Associations, ecoDa’s response the objectives of the incentive compensation plans. to the European Commission’s Green Paper on corporate governance in financial institutions and remuneration policies, 2011, p. 23. 
48 Chapter 4: Incentive Programs in Banks

Case Study 12: Board level responsibility for compensation

In an effort to establish a robust and objective remuneration and incentives program, the Board at one of the banks referenced in this study has a Board Nomination and Remuneration Committee composed of three independent non-executive directors. The committee meets bi-annually and is responsible for:
• Evaluating the performance of the individual Board members and the CEO;
• Setting the remuneration policies and strategic objectives of the Board and the CEO;
• Setting policies on employee incentives such as bonuses; and
• Setting the policies for the Employee Share Ownership Plan (ESOP) and providing requisite guidance to the Plan’s Trustees.

• Establishment of a formal risk-based incentive compensation program: The Board has a critical role in operationalizing risk-based incentive programs through a formal risk-based incentive program framework. This is discussed in detail in section 4.2.2 below.

4.2.2 Establish a Formal Incentive Program

Checkpoint:
✓ Identification of risks facing the incentive program
✓ Involvement of risk function in designing incentive program
✓ Regular assessment of the incentive program
✓ Proper documentation of the incentive program

There is increased expectation that banks should ensure proper Board oversight, implement enhanced controls and policies, improve documentation, and revise their incentive plans to consider mitigation strategies. To achieve this, the bank should establish incentive programs that are formal, performance based, and documented with pre-defined objective goals.

The bank should have a formal incentive program, which provides for:

Identification of the full spectrum of risks facing the bank’s incentive scheme:55 Banks should have a systematic and documented approach to identify the full range of risks that could compromise the safety and soundness of the institution. As already noted, risks can only be managed effectively if the bank knows where and what they are. It is recommended that the compensation committee, with support from other functions as appropriate, compile a complete list of major risks associated with all of the bank’s incentive plans and identify the employees and business units responsible for controlling each risk.

Performance measures:56 As per the Basel Committee on Banking Supervision: “performance measures play an important role for the variable part of remuneration packages, as the value of remuneration depends on some kind of performance.” Ultimately, performance can be defined as the degree to which the employee has achieved his or her objectives. Because of that, performance measures are an essential tool for linking remuneration policies with both the bank’s strategy and the broader risk management framework. The Basel committee advocates that “both qualitative and quantitative performance measures should be considered. While performance measures are normally focused on financial metrics, it is also important that financial institutions include non-financial metrics in developing the risk-based remuneration hurdles. Performance measures also play a vital role in risk adjustment as they deliver the input for such a correction, regardless if they are applied ex ante or ex post. In the case of ex post application, performance measures can serve not only as claw-back57 or malus58 triggers, but are also embedded in the design of deferred remuneration plans. Incorporating risk considerations in performance measurement can be achieved both by using risk metrics to correct measures which are not risk adjusted measures and also by employing metrics which are adjusted for risk in the first place.” The clawback clauses operate by requiring the employee to return a specified amount of money to the bank, whereas the malus clauses operate by affecting the vested amounts (reduction of the amount due but not paid).

55 L. Hay, Trends and issues: Directors’ accountability for ensuring risk-based compensation programs, Pearl Meyer & Partners LLC, 2012, p. 1.
56 Basel Committee on Banking Supervision; Range of Methodologies for Risk and Performance Alignment of Remuneration, May 2011, p. 17.
57 A clawback provision is a contractual clause that gives the bank an inherent right to reclaim some or all of the incentive payouts given to an employee. This clause is usually invoked due to some special circumstances outlined in the contract (for example, material misstatements in the bank’s financial statements or a contribution to the damage of the bank’s reputation).
58 A malus provision is a contractual clause that gives the bank an inherent right to reduce the incentive payouts that have been vested but not yet paid to an employee. It allows the bank to revise the vested incentive payments if the performance over a multi-year period is below the KPIs set when the original incentive was granted.

Risk Culture, Risk Governance and Balanced Incentives 49

Risk adjustments:59 When creating remuneration plans, a financial institution should ensure that incentives to take risk are constrained by incentives to manage risk. The best way to achieve this outcome is to vary incentive-based remuneration according to risks taken (ex ante) and risks realized (ex post). There are two points at which this can be done:

• Ex ante – by adjusting remuneration for risk as it is accrued and awarded, to take into account potential adverse developments in the future. An ex ante adjustment is a “discount” on an incentive payout. The discount is designed to reflect the level of risk exposure being taken on by the bank at the time of underwriting that has not yet materialized; or
• Ex post – by adjusting accrued remuneration during (e.g., through a malus clause) or after (e.g., through a clawback clause) a deferral period, in the light of experience and observations of risk and performance outcomes. Ex post adjustments are designed to incorporate risk outcomes after a reasonable deferral period that allows risks to materialize.

Both methods rely on the bank having in place reliable processes to measure potential risk exposures and/or risk experience, which are capable of “arm’s length” verification.60

A key driver for risk-adjusted remuneration is that it is intended to influence employee and senior management behavior within the bank. For incentive programs to be effective, this process should ideally be supported by strong governance and a culture of prudent risk taking within any organization.61 The balance between base pay—for example, salaries—and incentive payouts might reduce the effectiveness of incentive plans when, for instance, the base pay is not sufficient to make the incentive payout genuinely discretionary or when the incentive payout is too small.62

Involvement of risk management, compliance, and internal audit functions in the design of incentive programs:63 While there is no “one-size-fits-all,” banks should consider for each role/function what type of risk adjustment features are most appropriate. The risk management, compliance, and internal audit functions should be involved in the design and monitoring of incentive compensation programs because of their skill and expertise, and should promote sound governance practices in the definition and implementation of the incentive programs.

At banks where risk management, compliance, and internal audit personnel are intensely involved in basic design decisions of the incentive compensation system, as well as in determining details of the risk-related elements of the incentive compensation, adoption of such incentive programs has tended to be faster. At banks where the risk, compliance, and internal audit functions play a peripheral or informal role, progress has tended to be slower, primarily because other personnel tend to have less experience and expertise in designing risk identification and measurement features.64

To ensure effective alignment of the programs, the risk management, compliance, and internal audit functions should be involved in the review as well as in the design and monitoring of short- and long-term incentives. Additionally, given their role as “gatekeepers,” their own incentive compensation programs should ensure objectivity and not be tied directly to the business units they monitor. As per the Commission of the European Communities’ recommendations on remuneration policies in the financial sector, “Employees engaged in control processes should be independent from the business units they oversee, have appropriate authority, and be compensated in accordance with the achievement of the objectives linked to their functions, independent of the performance of the business areas they control.”65 When incentive programs for employees and senior management in these roles are being defined by the remuneration committee, it should take into account the relevance or applicability of risk-adjusted pay matrices to drive the right behavior, given their mandate within the bank.

59 Basel Committee on Banking Supervision; Range of Methodologies for Risk and Performance Alignment of Remuneration, May 2011, p. 17.
60 Ibid., p. 18.
61 Ibid., p. 11.
62 Ibid., p. 18.
63 Board of Governors of the Federal Reserve System, Incentive Compensation Practices: A Report on the Horizontal Review of Practices at Large Banking Organizations, 2011, p. 21.
64 Ibid., p. 22.
65 Report Issued by the Commission of the European Communities, Brussels, 30.4.2009, C (2009) 3177, Commission recommendation on remuneration policies in the financial services sector, p. 8.
Regular evaluation and assessment of the incentive programs: To assess the effectiveness of the incentive programs, banks should regularly review whether the design and implementation of their incentive compensation programs encourage appropriate risk-taking decisions. They should correct deficiencies discovered and make improvements as suggested by the findings. The internal audit function plays a critical role in reviewing compliance with policies and procedures geared toward incentive compensation. An incentive program may be implemented as intended, but it may still fail to achieve the desired relationship between risk and incentive because features of its design and operation do not work out as expected. Detecting such scenarios requires that a bank monitor relationships among measures of short- and long-run financial performance, amounts of incentive compensation awards, measures of risk and risk outcomes, amounts of ultimate payments of deferred incentive compensation, and other factors relevant to incentive compensation decisions.66 This should ultimately be the responsibility of an established compensation committee.

Proper documentation: All programs, policies, monitoring procedures, and governance protocols should be complete and clearly documented. Banks should seek to document all incentive plans as well as monitoring and control procedures. Where discretion is applied, documentation of rationale and methodology should be included. Committee minutes should reflect discussions and considerations of risk relative to plan designs and payouts.67

4.2.3 Align Incentive Payouts to Prudent Risk Taking and Banks’ Risk Horizon

Checkpoint:
✓ Align incentive to risk
✓ Defer incentives
✓ Use a mix of cash and shares in incentive payouts

An employee’s incentive compensation should take into account the risks that the employee takes on behalf of the bank. Incentive compensation should take into consideration prospective risks as well as risk outcomes that are already realized. Incentive compensation should be adjusted for all types of risk that the bank has agreed to include in the incentive program. Two employees who generate the same short-run profit but take different amounts of risk on behalf of their company should not be treated the same by the incentive compensation program. In general, both quantitative measures and human judgment should play a role in determining risk adjustments. Risk adjustments should account for all types of risk, including difficult-to-measure risks such as liquidity risk, reputation risk, and cost of capital.68

To align incentive payouts to prudent risk taking:

• Incentive compensation payout schedules must be sensitive to the time horizon of risks. Profits and losses of different activities of a bank are realized over different periods. Variable incentive payments should be deferred accordingly. Payments should not be finalized over short periods where risks are realized over long periods. The Board should question payouts for income that cannot be realized or whose likelihood of realization remains uncertain at the time of payout. A bank should introduce forward-looking long-term incentive plans for senior management who occupy key strategic roles, based on performance achievements. Incentive policy should factor in the linkage between variable components and performance measures:69
»» Where the remuneration policy includes variable components of remuneration, banks should set limits on the variable component(s). The non-variable component of remuneration should be sufficient to allow the bank to withhold variable components of remuneration when performance criteria are not met;
»» Award of variable components of remuneration should be subject to predetermined and measurable performance criteria;
»» Performance criteria should promote the long-term sustainability of the bank and include non-financial criteria that are relevant to the bank’s long-term value creation, such as compliance with applicable rules and procedures, and standards of conduct and behavior;
»» Incentives should take into account the right mix of quantitative and qualitative measures that should be assessed for individual employees, based on their roles, to ensure that the incentives drive the right behavior and not financial metrics such as revenue generation only; and
»» Where a variable component of remuneration is awarded, a major part of the variable component should be deferred for a minimum period of time. The part of the variable component subject to deferment should be determined in relation to the relative weight of the variable component compared to the non-variable component of remuneration.
• Incentive compensation outcomes must be symmetrical with risk outcomes. The incentive plan within a bank should link the size of the bonus pool to its overall performance. Employees’ incentive pay-outs should be linked to the contribution of the individual and business to such performance.
• Measuring and evaluating performance or awards should be on a multi-year basis to allow for a greater portion of risks and risk outcomes to be observed within the performance assessment horizon. To be effective, multi-year assessments should give appropriate weight to poor outcomes due to past decisions. Otherwise, adverse outcomes may be effectively ignored due to an emphasis on current-year performance.
• There should be a provision for clawback or recovery of excess compensation paid in the event of scenarios such as material misstatement in financial reporting, ethical or criminal misconduct, or other agreed-upon conditions.
• There should be policies that restrict severance agreements (significant benefits in case of termination of employment) and rewards for failure. This should include a prohibition on paying severance agreements in the event of non-performance.70 Severance incentives should consider the following at a minimum:71
»» Contractual arrangements should include provisions that permit the bank to reclaim variable components of remuneration that were awarded on the basis of data which subsequently proved to be manifestly misstated;
»» Termination payments should not exceed a fixed amount or fixed number of years of annual remuneration, which should, in general, not be higher than two years of the non-variable component of remuneration or the equivalent thereof; and
»» Termination payments should not be paid if the termination is due to inadequate performance.
• The mix of cash, shares and other forms of compensation must be consistent with risk alignment. The mix will vary depending on the employee’s position and role. The bank should be able to explain the rationale for its mix. Incentive policies should factor in the following good practice guidelines with regard to shares and share options:72
»» Shares should not vest for at least three years after their award;
»» Share options or any other right to acquire shares or to be remunerated on the basis of share price movements should not be exercisable for at least three years after their award;
»» Vesting of shares, and the right to exercise share options or any other right to acquire shares or to be remunerated on the basis of share price movements, should be subject to predetermined and measurable performance criteria;
»» After vesting, executive directors should retain a number of shares until the end of their mandate, subject to the need to finance any costs related to acquisition of the shares;
»» The number of shares to be retained should be fixed, for example twice the value of total annual remuneration (the non-variable plus the variable components); and
»» Remuneration of non-executive or supervisory directors should not include share options.

The above is the responsibility of the compensation committee and can be delegated across the various business units as required.

Case Study 13: Performance measurement

To encourage the right risk behavior, one bank has established Key Performance Indicators (KPIs) to evaluate and reward the bank’s employees for prudent risk decisions. It rewards employees by use of incentives such as bonuses and equity. The bank has a formal process for identifying the risks it faces through its integrated risk management practices. The risk management function is involved in the design of the incentive program by providing and deciding which key risk indicators should be included in determining KPIs for different working staff groups. The incentive program features quantitative and qualitative performance rating systems. The quantitative performance rating system takes quantitative indicators such as profit and non-performing loan ratios into consideration, while the qualitative performance rating system features 360° staff performance rating: an employee’s supervisors, peers and staff at junior levels give ratings on an employee’s performance. Those who contravene the bank’s policies and rules are subject to the sanctions stipulated in the code of conduct, which include warnings, economic punishment such as fines, and administrative punishment. Deferral of incentive payouts is done on a case-by-case basis and is based on rules and policies formulated by the Remuneration and Appraisal Committee. The details of the incentive program are included in the bank’s internal policies and rules and are communicated to the employees through the bank’s intranet, emails, and print outs.

4.2.4 Transparent Incentive Compensation Reporting

Checkpoint:
✓ Incentive compensation disclosure
✓ The relationship between performance and incentive payout

The bank should ensure that disclosures relating to how compensation decisions are made, how performance criteria are established, and how performance results lead to incentive payouts help improve employee incentive reporting clarity. The main purpose of ensuring clarity in compensation reporting throughout the bank is to ensure that compensation issued to employees matches their performance and the business performance of the bank within a set duration.

As a best practice, banks should ensure transparency around incentive programs through:
• Clear, comprehensive, and timely information on the bank’s incentive programs to facilitate constructive engagement by all stakeholders.73
• Information regarding the relationship between the bank’s financial performance and the total incentives actually paid.74
• Disclosures in an independent remuneration policy statement or disclosures in annual financial statements that can be guided by regulatory requirements (where applicable), the nature, the size, as well as the specific scope of activities of the bank.

The following information can be considered for transparency and disclosure:75
• Information concerning the decision-making process used for determining the remuneration policy, including, if applicable, information about the composition and the mandate of a remuneration committee, the name of the external consultant whose services have been used for the determination of remuneration policy, and the role of the relevant stakeholders;
• Information on linkage between pay and performance;
• Information on the criteria used for performance measurement and the risk adjustment;
• Information on the performance criteria on which the entitlement to shares, options or variable components of remuneration is based; and
• The main parameters and rationale for any annual bonus program and any other non-cash benefits.

4.2.5 Creating Awareness of the Compensation Programs

Checkpoint:
✓ Staff emails
✓ The intranet
✓ Periodic in-house publications
✓ During staff training

The importance of the incentive program’s communication is frequently underestimated. All staff members should be made aware of the bank’s compensation program to help stimulate effective risk taking. Mechanisms for sharing information about the compensation program can be conducted through the institution’s formal communication channels, such as staff emails, intranet, and routine publications, and during regular training programs. The bank should ensure that staff members understand the incentive programs’ mechanics and the reasons for the program. If employees do not accept the program, it will have limited or potentially even counterproductive impact on their motivation and decisions about taking and managing risks.

66 Board of Governors of the Federal Reserve System, Incentive Compensation Practices: A Report on the Horizontal Review of Practices at Large Banking Organizations, 2011, p. 23.
67 Office of the Comptroller of the Currency, The role of a national bank director: The director’s book, 2010, p. 24.
68 Financial Stability Forum, FSF principles for sound compensation practices, 2009, p. 2.
69 Adapted from Report Issued by the Commission of the European Communities, Commission Recommendation complementing Recommendations 2004/913/EC and 2005/162/EC as regards the regime for the remuneration of directors of listed companies, p. 5.
70 Institute of International Finance & Oliver Wyman, Compensation Reform in Wholesale Banking 2010: Progress on implementing global standards, 2010, p. 43.
71 Adapted from Report Issued by the Commission of the European Communities, Commission Recommendation complementing Recommendations 2004/913/EC and 2005/162/EC as regards the regime for the remuneration of directors of listed companies, p. 5.
72 Ibid.
73 Financial Stability Forum, FSF principles for sound compensation practices, 2009, p. 3.
74 Institute of International Finance & Oliver Wyman, Compensation Reform in Wholesale Banking 2010: Progress on implementing global standards, 2010, p. 27.
75 Report issued by the Commission of the European Communities, Brussels, 30.4.2009, C (2009) 3177, Commission recommendation on remuneration policies in the financial services sector, p. 8.
Case Study 14: Transparency guidelines in India

There has been considerable effort to improve the incentive programs in the financial services industry since the global crisis. The Financial Stability Board issued 9 principles of sound compensation practices in 2009 to encourage the right practices across various regions and discourage imprudent risk taking as a result of incentive programs in place. In 2012, the Reserve Bank of India issued guidelines (a) on the compensation of bank employees to be implemented from the financial year 2012–2013. To encourage transparency in a bank’s incentive programs, the annual report should disclose the following information:
• Composition and mandate of the remuneration committee;
• Design and structures of the remuneration processes and key features and objectives of the remuneration policy;
• The risk management processes for risks facing the remuneration policy;
• How the bank links performance management with its levels of remuneration;
• The bank’s policy on deferral and vesting of variable remuneration and the criteria for adjusting the deferred remuneration before and after vesting;
• A description of the different forms of variable remuneration that are used and the rationale for using them;
• Number of meetings held by the remuneration committee during the year and payment to its members;
• Number of employees that have received a variable remuneration award during the financial year;
• Number and total amount of sign-on awards made during the financial year;
• Details of guaranteed bonus, if any, paid as joining / sign-on bonus;
• Details of severance pay, in addition to accrued benefits, if any;
• Total amount of outstanding deferred remuneration, split into cash, shares and share-linked instruments and other forms;
• Total amount of deferred remuneration paid out in the financial year;
• Breakdown of amount of remuneration awards for the financial year to show fixed and variable, deferred and non-deferred components;
• Total amount of outstanding deferred remuneration and retained remuneration exposed to ex post explicit and/or implicit adjustments; and
• Total amount of reductions during the financial year due to ex-post explicit adjustments.

(a) Reserve Bank of India – Guidelines on Compensation of Whole Time Directors/CEOs/Risk takers and Control function staff, etc., 2012 (http://rbidocs.rbi.org.in/rdocs/notification/PDFs/349CC130112.pdf)

Case Study 15: Creating awareness of the incentive programs

In order to create awareness of their incentive program, some banks ensure that human resource procedure manuals and salary administration policies are regularly updated and available to all the bank’s employees through the bank’s intranet portal. Supervisors are also trained on these policies and procedures so that they can impart such knowledge to the staff in their departments. Any feedback obtained through these sessions is channeled to the compensation team, which clarifies any doubts and concerns about the incentive programs. This ensures there is a process of continuous communication and improvement on the bank’s incentive programs.

4.3 Balanced Incentives Program Maturity Rating Scale

The maturity scale (Table 5) has been provided to help assess an organization’s maturity with regard to a balanced incentives plan to aid in effective risk management.

Table 5: Maturity scale

Component: Board level responsibility
Below Standard: The Board is not involved in the design of the bank’s incentive program, as this role is played by the Human Resource department. The bank does not have a compensation committee to oversee the compensation process.
Standard: The Board is involved in the design of the incentive programs for senior management and heads of business units but no other levels of employees. The bank has a compensation committee responsible for setting appropriate and supportable pay programs aligned with the bank’s business mission and strategy and other best interests. However, such committees are not effective enough to meet such obligations, and their decisions are sometimes overridden.
Above Standard: The Board is involved in the design of the incentive programs of all bank employees. The bank has an effective compensation committee mandated with the responsibility for setting appropriate and supportable pay programs that are aligned with the bank’s business mission and strategy and other best interests.

Component: Formal incentive program
Below Standard: The bank does not have a formal approved incentive program to reward risk taking. Risk management and internal control personnel are not involved in the design or review of incentive programs as part of a broader strategy to incorporate risk metrics in compensation calculations and a general strengthening of the risk governance functions of these two functions.
Standard: The bank has a formal incentive program which is sometimes overridden due to other business pressure, such as growth requirements versus the risk factors of the opportunity. Risk management and internal controls personnel have minimal involvement in the design and review of the bank’s incentive program, and their input does not always factor in the final incentive plans.
Above Standard: There is a formal incentive program which is followed across the Board. Compensation plans are aligned to long-term performance. The bank seeks the advice of its risk management and control design functions in the design and review of the incentive programs.

Component: Align incentive payout to risk horizons of the bank
Below Standard: The bank relies mostly on short-term incentive plans in the compensation of its employees. The growing significance of long-term incentive planning has not been taken into consideration. Risk management is not included in performance management systems.
Standard: The bank considers both short-term and long-term measures in its incentive planning. Compensation payments are closely linked to the bank’s future performance. Risk management is included in performance management systems for management, but not at lower levels.
Above Standard: The bank has an effective incentives plan with the right clawback policies on incentives compensation. The plan considers both short-term and long-term measures and the effects on the employee. Risk management is included in performance management systems such as “balanced scorecards.” Key Performance Indicators for management and lower levels are continually adapted based on feedback and changing bank needs.

Component: Transparent incentive compensation reporting
Below Standard: There is no clear, transparent communication of compensation programs.
Standard: There is communication regarding compensation programs, flowing downward in the bank.
Above Standard: Consistent communication occurs, flowing upward, downward, and across the bank, as well as disclosures with external parties.

Component: Creating awareness on the incentive program
Below Standard: Though there is an incentive program, employees are not fully aware of how it works and the inputs that are considered in determining total compensation.
Standard: Some of the employees, especially at the senior levels, understand the incentive compensation programs fairly well.
Above Standard: Employees throughout the bank are aware of how the incentive compensation programs are designed and how they influence their pay.

Adapted from the Global Financial Service Industry (GFSI) Risk Transformation Toolkit, Deloitte Development LLP, May 2013.

4.4 Conclusion

From the review of the responses provided during the study, most banks in the emerging markets are still in the nascent stages of developing balanced incentive programs. However, some regulators require some of the recommended best practices, such as the formation of a Board committee responsible for compensation in the bank. As there are no stringent disclosure requirements, most banks do not disclose the total compensation for members of their Board or the senior management team.

A bank’s risk profile is ultimately the result of the many decisions made each day as employees seek to accomplish the bank’s business objectives.

For optimal incentive programs, it is recommended that the bank’s Board should:
• Provide oversight in the development and operationalization of the incentive programs;
• Ensure alignment of these programs with the bank’s risk horizon;
• Ensure accurate measurement and incorporation of risk metrics in performance assessment;
• Promote transparent reporting; and
• Create awareness of the incentive programs, so as to eliminate ambiguity.

Effective incentive and compensation practices within a bank should be aimed at striking a balance between the bank’s practices and the existing banking regulations, fluctuating market conditions, and public perceptions. There should be greater attention paid to the impact of incentives on the risk profile and their effective use as a tool to drive the desired behavior and risk culture.

5 Conclusion

Research continues to show that effective risk management goes beyond establishing an Enterprise Risk Management (ERM) Framework as a “check the box” exercise to meet regulators’ requirements. The financial crisis which emerged in 2007–2008 indicates that though risk management processes were in place to identify, assess, and manage risk, shortcomings became evident where these processes were not systematically refreshed based on changing conditions.

Beyond having an ERM framework, banks must take into consideration the impact of soft qualitative factors in their operating environment, which influence their risk management programs. Within the emerging markets, where many banks may still be in the implementation stage of ERM frameworks, it is important to incorporate lessons learned in the developed markets and to integrate the soft qualitative factors that influence the effectiveness of their risk management programs.

Research continues to show that a weak risk culture, poor risk governance, and unbalanced incentive compensation contribute heavily to financial industry failures. As noted in a recent publication by the Financial Times, financial firms are increasing their risk appetite as they search for better returns. The Board and senior management should therefore put more emphasis on risk culture. The regulators have a role to play in promoting the correct risk cultures in their jurisdictions. However, regulators may place more emphasis on the quantitative issues of capital and liquidity, frequently at the expense of the no less important qualitative matter of risk culture.76

The recommended practices included in this handbook under risk culture, risk governance, and balanced incentives programs indicate that, due to the softer qualitative nature of these aspects, the practices to enhance these principles are interrelated, and improvement in one area should be combined with others to result in a cascading positive effect across the bank. These include:

• Board and senior management responsibility. Effective risk management requires the Board and senior management to take ultimate responsibility for the bank’s risk programs. Their roles include setting the right tone at the top, providing adequate resources for the risk management function, developing and determining the design of incentive programs, and facilitating performance evaluation of the Board, senior management, and the bank’s employees against predefined performance objectives.
• The right skills, knowledge, and capacity building. Those charged with risk management responsibilities must show exceptional knowledge of risk factors facing the bank and the financial services industry in general, to enable them to take a leading role in championing the bank’s risk management programs. The bank must also put in place a system which supports consideration of risk management in its hiring practices, induction and continuous training programs to enhance a risk-aware business environment.
• Communication plays an important role in risk management due to its role in providing transparency and reducing ambiguity of a bank’s practices. Effective risk culture requires timely, transparent, and honest communication on risks as a way of encouraging risk discussions, while effective risk governance requires that a bank set risk reporting channels to support communication of existing and emerging risks. The success of a bank’s incentive program is also influenced by the bank’s efforts in creating awareness of the program as a means of gaining support and buy-in from employees and other interested parties such as shareholders.

76 Rhodes, W., Risk culture must change to protect financial system, Financial Times, 7 August 2014. Available from . [22 August 2014].
• Incorporation of risk management in key performance indicators of employees’ performance evaluation and Effective adoption of the recommended practices included incentive programs for promotion, accrual, and payout in this handbook should make a significant contribution of the incentive. The extent to which risk culture is toward further enhancing the strength and effectiveness of a embedded in a bank is usually seen through the design bank’s risk management program. Such a bank will then take and implementation of its incentives programs. Incentives a new look at its risk management processes and allocation work as a powerful tool in influencing employees’ attitude of resources to ensure that risks are effectively identified, toward a risk-aware culture. assessed, and managed from strategic planning to day-to-day • Risk management—whose responsibility is it? A bank processes at all levels of the bank. should prioritize the establishment of a risk governance While it is not possible to completely avoid or predict structure which lays out the roles and responsibilities all risks, a bank that incorporates and considers the soft of the Board, senior management, risk and control qualitative factors of risk management plus the quantitative functions, risk champions, business units, and auditors. elements is bound to have a long-term competitive advantage The clarity on roles and responsibilities will enhance the in an economically and financially interconnected global risk culture and risk governance and effectively a bank’s environment. risk management program. 6 Appendix 1: Implementing the Best Practices This section outlines the various activities that a bank can on talent management through getting the right people into undertake as it implements the recommended best practices. 
the right positions to drive the right results, and emphasis on The bank should note, however, that the processes should the ethical and compliance standards that are important to be cyclic to continually improve its risk culture, risk the bank. governance, and balanced incentive practices. Cultural Refinement The following steps should be further customized to the A bank at this stage is getting more experienced and mature individual setting of the bank to ensure that they achieve the at its cultural development and trying to monitor cultural intended objectives of their implementation. performance versus expectations. The expectations can be set by various stakeholders, including employees, management, Achieving Optimal Risk Culture and the Board, investors and analysts. A bank trying to strengthen its risk culture should start with an assessment of the current state of its risk culture. Banks at this stage engage in adjustments of people, This is to understand its current condition and to establish strategies and communications in order to produce the a baseline from which progress and/or improvements in risk cultural outcomes that they desire. culture can be measured. The specific activities undertaken in each stage have been A bank should aim toward cultural improvement through outlined in Figure 6. meaningful changes to its current culture through a three- step process of cultural awareness, cultural change, and Achieving Optimal Risk Governance finally cultural refinement. The process of attaining optimal risk governance starts from the top with the Board and senior management. 
Whereas This can be achieved by undertaking the activities indicated many banks may be in different stages of strengthening their in the following stages: risk governance, the process below should be continuous to ensure that the bank is well aware of its complex operating Cultural Awareness environment, its ever-demanding stakeholders, and the In the cultural awareness stage, the bank should establish regulatory authorities. This includes: its risk management expectations and define the roles and • Developing a risk strategy; responsibilities around risk. At this stage, the bank should be • Defining risk appetite; communicating clearly and continuously to its employees on what its expectations are. • Identifying and assessing risks; • Aggregating and prioritizing risks; Cultural Change • Developing action plans; and At this stage, the bank should foster an environment that • Maintaining vigilance. both recognizes and rewards people for paying attention to risk, including knowing how to challenge the status quo Developing a Risk Strategy constructively. This is done by the Board and the senior management and The bank can develop motivational systems, both positive should be done during each strategic planning cycle. and negative, to reward the right kind of behavior or to The first activity is for the Board and senior management to penalize the wrong kind of behavior. There should be focus make explicit the assumptions on which the strategy is based, Risk Culture, Risk Governance and Balanced Incentives 59 Figure 6: Achieving optimal risk culture Stage 1 Stage 2 Stage 3 Cultural awareness Cultural change Cultural refinement Deliver communications from Create a culture of constructive Integrate risk management leadership using a common risk challenge. lessons learned into management vocabulary. communications, education and Embed risk performance training. Clarify risk management metrics into motivational responsiblillities and systems. 
Hold people accountable for accountabilities. their actions. Establish risk management Roll out risk management considerations in talent Refine risk performance metrics general education and management process. to reflect change in business customized training programs strategy, risk appetite, and based on role. Position individuals with desired tolerance. risk orientation in roles where Establish risk management in e ective risk management is Reposition individuals to reflect induction programs. critical. changes to business strategy and priorities, Refine recruitment methods to Reinforce behavioral, ethical include risk management and compliance standards. capabilities. Adapted from Deloitte, Cultivating a Risk Intelligent Culture (2012). and then to constructively challenge those assumptions to regulatory standards and not be seen as a simple checklist test their validity. Once the bank’s strategic options are on and “box-checking” exercise. the table, they should consider the potential interactions among risks that those options might entail, both with The information gathered in this process can be consolidated respect to individual strategic choices and with respect to into a report that describes the specific risks facing each different combinations of strategic choices. The Board and part of the bank and their significance and likely directional senior management will then be in a position to evaluate the change. This report can then be reviewed and challenged risks associated with each strategic option against the bank’s by the risk function and senior management, who can then risk appetite, short-listing the alternatives that fall within the aggregate risks across the bank and make adjustments to the risk appetite and discarding those that fall outside it. bank-wide risks that may not be apparent at a lower level. 
Risk Appetite Risk Aggregation and Prioritization This is the responsibility of the Board, working with senior This should be done at least quarterly by the business management, and should be reviewed at least annually. units, risk function, and senior management. The senior The risk appetite statement should be cascaded through the management should include this information in the various business units. management reports submitted to the Board. Risk Identification and Assessment A “master profile” of risks should be developed for the risks with the greatest consequences to the bank, and a risk Risk identification, quantification and assessment are dashboard should be created. Senior management should important because no effective risk management program periodically review the status of these risks based on the can succeed without an in-depth understanding of the reports from the business units and the risk management specific risks that face the bank. This should be done by function, and communicate as appropriate with the Board. the business units at least quarterly or as needed when new risks emerge with the risk function providing the required guidance. Risk identification should go beyond the minimum 60 Chapter 6: Appendices Developing Action Plans that match their risk culture and appetite. These policies and practices should reward appropriate risk taking to achieve an Mitigation actions should be put in place every time a new appropriate return and should never reward imprudent risk risk is identified, and such plans should be regularly reviewed taking that would affect the bank’s solvency or viability. by both the business units and the senior management for all the risks facing the bank, as risk management is an ongoing A holistic approach is recommended to create a good activity. incentive program. 
This approach calls for an integrated outlook toward a bank’s risk management activities which, The Board and senior management should be keen to when implemented, can turn current incentive plans that ensure that any exceeding of limits are promptly identified may be ad hoc or loosely managed into a formal, centrally and rectified and regular revision of the limits are done to coordinated incentive compensation program. respond to any market changes. Figure 7 illustrates an eight-step approach that can help Maintaining Constant Vigilance those charged with design and implementation of incentive The business units, risk management function, and senior compensation programs develop a truly proactive and management should effectively monitor and report on the comprehensive approach to incentive program risks. risks identified. This would be sufficiently covered by a robust ICAAP process. The first three steps, in which the compensation team conducts an “Incentive Program Risk Assessment,” Achieving Optimal Incentive Program represent the active process of determining, categorizing, To achieve a balanced incentive program for effective risk and prioritizing employee incentive program risks. Steps 4 management, banks should establish compensation policies through 8 represent the creation of an “Incentive Program Figure 7: Achieving a balanced incentive program 1 Context and Strategy 8 Communicate 2 Identify Major and Continuously Risks Improve 7 3 Monitor, Report Evaluate and and Evaluate Risks Prioritize Risks 6 4 Sell the Incentive Mitigate and Program to the Sta Control Risks 5 Selective Incentive Program Risk Culture, Risk Governance and Balanced Incentives 61 Risk Infrastructure” to help mitigate existing risks, never are. Depending on the bank’s risk tolerance, some implement controls to manage future employee incentive risks may be considered minor, others moderate, and still program risks, establish accountability for employee others unacceptably high. 
The compensation committee’s incentive risks and controls, and create a governance responsibility is to understand the bank’s overall risk structure to monitor risks on an ongoing basis. tolerance, apply the same standards to its list of incentive- related risks, and prioritize the need to mitigate each risk Steps 1-3: Conduct an Employee Incentive Program from most to least critical. Risk Assessment Steps 4–8: Continuously Build an Employee Step 1 - Understand the Context, Strategy and Objectives Incentive Risk Infrastructure through the behind the Bank’s Incentive Program Bank Defining the incentive program’s objectives is a fundamental Step 4 - Mitigate and Control Risks and important process that requires the participation of the Board and senior management. The objective of the incentive The functions responsible for various risk identified in program must be in line both with the strategic goals of the step 2 (identification of major risks and functions where bank and with its culture.77 The compensation committee or the risks reside) are required to make decisions in full those charged with the incentive program must understand consideration of the impact of the identified risks. Their the bank’s purpose behind the incentive program in order to first task should be to mitigate the most critical risks as manage effectively employee incentives. prioritized in step 3. Once the immediate mitigation controls are put in place, the compensation committee should decide With a thorough understanding of the bank’s underlying how to institutionalize those processes to mitigate risks strategy and how the incentives programs support that on an ongoing basis. 
This could involve anything from strategy, the team can evaluate which incentive-related risks updating the bank’s policies and procedures to improving may be worth taking, which risks might be less justified, and enabling technology to implementing additional controls how risks can be most effectively mitigated or avoided. and oversight over areas where risks are more likely to arise. The important thing is to treat incentive risk mitigation and Step 2 - Identify Major Incentive Risks and the Functions control as a process that needs to be continued into the near where the Risks Reside future – not as a simple one-time fix. Risks can only be controlled effectively if one knows Step 5 - Select the Incentive Mechanism where and what they are. We recommend that the bank’s compensation committee, with support from other functions Incentive programs include merit pay, incentive pay, such as the risk management, human resources and others as perquisites, benefits, profit sharing, ownership, employee appropriate, compile a complete list of major risks associated relationship marketing or a combination of these with all of the bank’s incentive programs and activities mechanisms. The incentive plans can be further distinguished and identify the people and departments responsible for between short-term and long-term programs as well as controlling each risk. This will provide valuable input for between individual and group-based incentives. further steps in the risk assessment and ongoing management process. Step 6 - Sell the Incentive Program to the Staff The bank should ensure that staff members understand Step 3 - Evaluate and Prioritize Incentive Risks the incentive programs’ mechanics and the reasons for A key principle of effective risk management is to distinguish the program. 
Information on a new or revised incentive between rewarded and unrewarded risks: Rewarded risks, program can be communicated through staff emails, such as those associated with new product development or newsletters or during meetings of functional areas. Failure new market entry, may be worth taking, but unrewarded to communicate effectively on compensation programs can risks such as non-compliance or operational failures lead to non-acceptance of the program, which may result in counterproductive impacts on employee motivation. 77 MicroSave, A Toolkit for Designing and Implementing Staff Incentive Schemes, 2005, p. 10. 62 Chapter 6: Appendices Step 7- Monitor, Report, and Evaluate Risks risk seriously, but also the need to educate the employees responsible for employee incentive program processes and This step starts with the review of an ongoing incentive controls about their specific roles in the risk management program, in which those charged with regular evaluation process. Each employee who undertakes any form of risk for of the compensation program regularly monitor risk levels, the bank should know how to execute the correct controls. update, and reprioritize the list of risks. Changes to internal Such employees should be kept up to date on any changes processes, incentive programs, and general business strategy to those processes and controls. It is also important to be on can all have implications for the risks facing the bank and the alert for opportunities to implement new and improved the way in which the department prioritizes and chooses to risk-management tools and strategies as appropriate. As part mitigate them. 
of the continuous improvement process, the compensation committee may need to undertake a new employee incentive Step 8 - Communicate and Continuously Improve program risk assessment (steps 1 through 3) from time to Communication and continuous improvement are the final time as the business environment and the bank’s situation two components of an effective employee incentive program change. management infrastructure. By “communication,” we mean not just the general need to build a culture that takes 7 Working Definitions Basel Committee on Banking Supervision – This is a forum Operating management – The team of persons tasked with for cooperation on banking supervisory matters. Its mandate heading the business units in a bank. is to strengthen the regulation, supervision and practices of banks worldwide with the purpose of enhancing financial Regulatory authority – This is a public body that is charged stability. with overseeing the activities of commercial banks and is commonly set up to enforce standards. It provides rules, Board of Directors – This is a group of people who are regulations, and guidelines to the banks that operate in appointed and/or elected by the shareholders and oversee its jurisdiction. In some emerging markets, regulatory the running of the bank. It can be either a one-tier Board authorities have prescribed minimum standards for internal or a two-tier Board, depending on the country. A one- controls, risk taxonomies, risk management structure, risk tier Board delegates its powers to the senior management, management programs, maximum risk exposures, internal whereas the two-tier Boards have a supervisory Board, which audit programs, and external audit programs. oversees the running of the bank, and a management Board, which has the responsibility of running the bank. 
For this Risk – The potential for loss or harm, or the diminished handbook, the Board refers to either the one-tier Board or opportunity for gain, caused by factors that can adversely the supervisory Board. affect the achievement of a bank’s objectives. Business unit – This is a segment of the bank which has a Risk appetite – The aggregate level and types of risk a bank specific function, say human resources, or a branch and is is willing to assume within its risk capacity to achieve its headed by manager. It may be also known as a department, strategic objectives and business plan. division, or functional area. Risk appetite framework – The overall approach, including Financial Stability Board – This international body was policies, processes, controls, and a system through which established to coordinate, at the international level, the a bank establishes, communicates, and monitors its risk work of national financial authorities and international appetite. standard-setting bodies and to develop and promote the implementation of effective regulatory, supervisory and other Risk culture – The general awareness, attitudes, and financial sector policies in the interest of financial stability. behaviors of the bank’s Board and employees toward risk. Incentives – Additional payments given to bank employees Risk governance – This is the assessment and management of on attainment of certain performance measures at the end of risks to align risk-taking activities with a bank’s capacity to a reporting period. absorb losses and its long-term viability. Key performance indicators – A set of quantifiable measures Risk intelligence – The ability of a bank to distinguish that a bank uses to gauge or compare performance in terms between two types of risks: the risks that should be avoided of meeting its strategic and operational goals. to survive by preventing loss or harm; and the risks that must be taken to thrive by gaining competitive advantage. 
Key risk indicators – A set of quantifiable measures that a Risk intelligence is the ability to translate these insights into bank can use to indicate how risky an activity is. It provides superior judgment and practical action to improve resilience an early warning to identify potential events that may harm to adversity and improve agility to seize opportunity. continuity of the activity. 64 Chapter 7: Working Definitions Risk management – The mechanism that creates stability Risk profile – A point-in-time assessment of the bank’s in the bank by enabling the identification, prioritization, net risk exposures (after taking into account its mitigating mitigation, and measurement of the implications of each actions) aggregated within and across each relevant risk decision. category based on forward-looking assumptions. Risk management framework – A structure that supports all Senior management – A team of persons charged with the processes that the bank undertakes during risk management. responsibility of the day-to-day running of the bank and having the authority to make specific decisions. This will Risk management principles – These are the justifications for usually include, but is not limited to, the chief executive carrying out risk management activities. Risk management: officer, chief operating officer, chief finance officer, and creates and protects the shareholders’ value; is an integral chief risk officer. They may also be referred to as the senior part of the bank’s processes; is part of decision making; management. explicitly addresses uncertainty; is systematic, structured, and timely; is based on the best available information; is Tone at the top – The atmosphere that is created in the tailored to fit the bank’s risk profile; takes into account workplace by the bank’s leadership, and that trickles down human and cultural factors; is transparent and inclusive; and to all employees. is dynamic, iterative, and responsive to change. 
8 Annexes Annex 1: Illustrative Code of Conduct working environment in which [bank name] can succeed over the long term? Is the commitment I am making one I “Living Our Values” can follow through with? The only way we will maximize [It is advised that the Code of Conduct begin with a trust and credibility is by answering “yes” to those questions leadership letter, which may consist of the answers to some and by working every day to build our trust and credibility. of the following questions: Why does your bank need a Code, and why now? What are some of the challenges that Respect for the Individual your employees face and how can this Code of Conduct be We all deserve to work in an environment where we are a helpful document for everyone at all levels? What kind of treated with dignity and respect. [Bank name] is committed example might this Code set for others? What are the major to creating such an environment because it brings out the full trends facing your bank that will impact and affect the Code potential in each of us, which, in turn, contributes directly to and its implementation? It is not necessary to address all of our business success. We cannot afford to let anyone’s talents the examples. Ideally the leadership letter should be brief and go to waste. to the point. Like the Code’s title—Living Our Values —this letter is meant to inspire.] [Bank name] is an equal employment / affirmative action employer and is committed to providing a workplace that Statement of Our Core Values is free of discrimination of all types from abusive, offensive Bank Vision or harassing behavior. Any employee who feels harassed or [Insert bank vision statement] discriminated against should report the incident to his or her manager or to the Human Resources department. 
Principles Create a Culture of Open and Honest [Insert bank principles] Communication Values At [bank name] everyone should feel comfortable to speak his or her mind, particularly with respect to ethics concerns. [Insert bank values statement] Managers have a responsibility to create an open and supportive environment where employees feel comfortable Mission raising such questions. We all benefit tremendously when [Insert bank mission statement] employees exercise their power to prevent mistakes or wrongdoing by asking the right questions at the right times. Build Trust and Credibility [Bank name] will investigate all reported instances of The success of our business is dependent on the trust questionable or unethical behavior. In every instance where and confidence we earn from our employees, customers, improper behavior is found to have occurred, the bank will and shareholders. We gain credibility by adhering to our take appropriate action. We will not tolerate retaliation commitments, displaying honesty and integrity and reaching against employees who raise genuine ethics concerns in good the bank’s goals solely through honorable conduct. It is easy faith. to say what we must do, but the proof is in our actions. Ultimately, we will be judged on what we do. For your information, [bank name]’s whistle-blower policy is as follows: When considering any action, it is wise to ask: Will this build trust and credibility for [bank name]? Will it help create a 66 Chapter 8: Annex 1 [This policy should be adopted as an addendum to the bank’s offer or solicit improper payments or gratuities in connection handbook.] with the purchase of goods or services for [bank name] or the sales of its products or services, nor will we engage or Employees are encouraged, in the first instance, to address assist in unlawful boycotts of particular customers. such issues with their managers or the HR manager, as most problems can be resolved swiftly. 
If for any reason that is not possible, or if an employee is not comfortable raising the issue with his or her manager or HR, [Bank name]’s [Title of Executive Officer] has an open-door policy.

Set Tone at the Top

Management has the added responsibility for demonstrating, through their actions, the importance of this Code. In any business, ethical behavior does not simply happen; it is the product of clear and direct communication of behavioral expectations, modeled from the top and demonstrated by example. Again, ultimately, our actions are what matters.

To make our Code work, managers must be responsible for promptly addressing ethical questions or concerns raised by employees and for taking the appropriate steps to deal with such issues. Managers should not consider employees’ ethics concerns as threats or challenges to their authority, but rather as another encouraged form of business communication. At [bank name], we want the ethics dialogue to become a natural part of daily work.

Uphold the Law

[Bank name]’s commitment to integrity begins with complying with laws, rules, and regulations where we do business. Further, each of us must have an understanding of the bank policies, laws, rules, and regulations that apply to our specific roles. If we are unsure of whether a contemplated action is permitted by law or [Bank name] policy, we should seek the advice of the resource expert. We are responsible for preventing violations of law and for speaking up if we see possible violations.

Because of the nature of our business, some legal requirements warrant specific mention here.

Competition

We are dedicated to ethical, fair and vigorous competition. We will sell [bank name] products and services based on their merit, superior quality, functionality and competitive pricing. We will make independent pricing and marketing decisions and will not improperly cooperate with or coordinate our activities with our competitors. We will not

Proprietary Information

It is important that we respect the property rights of others. We will not acquire or seek to acquire improper means of a competitor’s trade secrets or other proprietary or confidential information. We will not engage in unauthorized use, copying, distribution or alteration of software or other intellectual property.

Selective Disclosure

We will not selectively disclose (whether in one-on-one or small discussions, meetings, presentations, proposals or otherwise) any material non-public information with respect to [bank name], its securities, business operations, plans, financial condition, results of operations or any development plan. We should be particularly vigilant when making presentations or proposals to customers to ensure that our presentations do not contain material non-public information.

Health and Safety

[Bank name] is dedicated to maintaining a healthy environment. A safety manual has been designed to educate you on safety in the workplace. If you do not have a copy of this manual, please see your HR department.

Avoid Conflicts of Interest

Conflicts of Interest

We must avoid any relationship or activity that might impair, or appear to impair, our ability to make objective and fair decisions when performing our jobs. At times, we may be faced with situations where the business actions we take on behalf of [bank name] may conflict with our own personal or family interests because the course of action that is best for us personally may not also be the best course of action for [bank name]. We owe a duty to [bank name] to advance its legitimate interests when the opportunity to do so arises. We must never use [bank name] property or information for personal gain or personally take for ourselves any opportunity that is discovered through our position with [bank name].

Here are some other ways in which conflicts of interest could arise:
• Being employed (you or a close family member) by, or acting as a consultant to, a competitor or potential competitor, supplier, or contractor, regardless of the nature of the employment, while you are employed with [Bank name];
• Hiring or supervising family members or closely related persons;
• Serving as a Board member for an outside commercial bank or organization;
• Owning or having a substantial interest in a competitor, supplier, or contractor;
• Having a personal interest, financial interest, or potential gain in any [bank name] transaction;
• Placing bank business with a firm owned or controlled by a [bank name] employee or his or her family; and
• Accepting gifts, discounts, favors or services from a customer / potential customer, competitor or supplier, unless equally available to all [bank name] employees.

Determining whether a conflict of interest exists is not always easy to do. Employees with a conflict of interest question should seek advice from management. Before engaging in any activity, transaction, or relationship that might give rise to a conflict of interest, employees must seek review from their managers or the HR department.

Gifts, Gratuities, and Business Courtesies

[Bank name] is committed to competing solely on the merit of our products and services. We should avoid any actions that create a perception that favorable treatment of outside entities by [bank name] was sought, received or given in exchange for personal business courtesies. Business courtesies include gifts, gratuities, meals, refreshments, entertainment or other benefits from persons or companies with whom [bank name] does or may do business. We will neither give nor accept business courtesies that constitute, or could reasonably be perceived as constituting, unfair business inducements that would violate law, regulation, or policies of [bank name] or customers, or would cause embarrassment or reflect negatively on [bank name]’s reputation.

Accepting Business Courtesies

Most business courtesies offered to us in the course of our employment are offered because of our position at [bank name]. We should not feel any entitlement to accept and keep a business courtesy. Although we may not use our position at [bank name] to obtain business courtesies, and we must never ask for them, we may accept unsolicited business courtesies that promote successful working relationships and good will with the firms that [bank name] maintains or may establish a business relationship with.

Employees who award contracts or who can influence the allocation of business, who create specifications that result in the placement of business or who participate in negotiation of contracts, must be particularly careful to avoid actions that create the appearance of favoritism or that may adversely affect the Bank’s reputation for impartiality and fair dealing. The prudent course is to refuse a courtesy from a supplier when [bank name] is involved in choosing or reconfirming a supplier or under circumstances that would create an impression that offering courtesies is the way to obtain [bank name] business.

Meals, Refreshments, and Entertainment

We may accept occasional meals, refreshments, entertainment and similar business courtesies that are shared with the person who has offered to pay for the meal or entertainment, provided that:
• They are not inappropriately lavish or excessive;
• The courtesies are not frequent and do not reflect a pattern of frequent acceptance of courtesies from the same person or entity;
• The courtesy does not create the appearance of an attempt to influence business decisions, such as accepting courtesies or entertainment from a supplier whose contract is expiring in the near future; and
• The employee accepting the business courtesy would not feel uncomfortable discussing the courtesy with his or her manager or co-worker, or having the courtesy known by the public.

Gifts

Employees may accept unsolicited gifts, other than money, that conform to the reasonable ethical practices of the marketplace, including:
• Flowers, fruit baskets, and other modest presents that commemorate a special occasion; and
• Gifts of nominal value, such as calendars, pens, mugs, caps and t-shirts (or other novelty, advertising or promotional items) which should not exceed XX amount [nominal value prescribed by the bank].

Generally, employees may not accept compensation, honoraria, or money of any amount from entities with whom [bank name] does or may do business. Tangible gifts (including tickets to a sporting or entertainment event) that have a market value greater than [include monetary amount] may not be accepted unless approval is obtained from management.

Employees with questions about accepting business courtesies should talk to their managers or the HR department.

Offering Business Courtesies

Any employee who offers a business courtesy must ensure that it cannot reasonably be interpreted as an attempt to gain an unfair business advantage or otherwise reflect negatively upon [bank name]. An employee may never use personal funds or resources to do something that cannot be done with [bank name] resources. Accounting for business courtesies must be done in accordance with approved bank procedures.

Other than to our government customers, for whom special rules apply, we may provide non-monetary gifts (i.e., bank logo apparel or similar promotional items) to our customers. Further, management may approve other courtesies, including meals, refreshments or entertainment of reasonable value provided that:
• The practice does not violate any law or regulation or the standards of conduct of the recipient’s organization;
• The business courtesy is consistent with industry practice, is infrequent in nature and is not lavish; and
• The business courtesy is properly reflected on the books and records of [bank name].

Set Metrics and Report Results Accurately

Accurate Public Disclosures

We will make certain that all disclosures made in financial reports and public documents are full, fair, accurate, timely and understandable. This obligation applies to all employees, including all financial executives, with any responsibility for the preparation of such reports, including drafting, reviewing and signing or certifying the information contained therein. No business goal of any kind is ever an excuse for misrepresenting facts or falsifying records.

Employees should inform senior management and the HR department if they learn that information in any filing or public communication was untrue or misleading at the time it was made or if subsequent information would affect a similar future filing or public communication.

Bank’s Records

We create, retain and dispose of our bank records as part of our normal course of business in compliance with all [bank name] policies and guidelines, as well as with all regulatory and legal requirements.

All corporate records must be true, accurate and complete, and bank data must be promptly and accurately entered in our books in accordance with [bank name]’s and other applicable accounting principles.

We must not improperly influence, manipulate or mislead any unauthorized audit, nor interfere with any auditor engaged to perform an internal independent audit of [bank name] books, records, processes or internal controls.

Promote Substance over Form

At times, we are all faced with decisions we would rather not have to make and issues we would prefer to avoid. Sometimes, we hope that if we avoid confronting a problem, it will simply go away.

At [bank name], we must have the courage to tackle the tough decisions and make difficult choices, secure in the knowledge that [Bank name] is committed to doing the right thing. At times this will mean doing more than simply what the law requires. Merely because we can pursue a course of action does not mean we should do so.

Although [bank name]’s guiding principles cannot address every issue or provide answers to every dilemma, they can define the spirit in which we intend to do business and should guide us in our daily conduct.

Accountability

Each of us is responsible for knowing and adhering to the values and standards set forth in this Code and for raising questions if we are uncertain about bank policy. If we are concerned whether the standards are met, or if we are aware of violations of the Code, we must contact the HR department.

[Bank name] takes seriously the standards set forth in the Code, and violations are cause for disciplinary action, up to and including termination of employment.

Be Loyal

Confidential and Proprietary Information

Integral to [bank name]’s business success is our protection of confidential bank information, as well as non-public information entrusted to us by employees, customers and other business partners. Confidential and proprietary information includes such things as pricing and financial data, customers’ names/addresses or non-public information about other companies, including current or potential suppliers. We will not disclose confidential and non-public information without a valid business purpose and proper authorization.

Use of Bank Resources

Bank resources, including time, material, equipment and information, are provided for bank business use. Nonetheless, occasional personal use is permissible as long as it does not affect job performance or cause a disruption to the workplace.

Employees and those who represent [bank name] are trusted to behave responsibly and use good judgment to conserve bank resources. Managers are responsible for the resources assigned to their departments and are empowered to resolve issues concerning their proper use.

Generally, we will not use bank equipment such as computers, copiers and fax machines in the conduct of an outside business or in support of any religious, political or other outside daily activity, except for bank-requested support to non-profit organizations. We will not solicit contributions or distribute non-work-related materials during work hours.

In order to protect the interests of the [bank name] network and our fellow employees, [bank name] reserves the right to monitor or review all data and information contained on an employee’s bank-issued computer or electronic device, the use of the Internet or [bank name]’s intranet. We will not tolerate the use of bank resources to create, access, store, print, solicit or send any materials that are harassing, threatening, abusive, sexually explicit, or otherwise offensive or inappropriate.

Questions about the proper use of bank resources should be directed to your manager.

Media Inquiries

[Bank name] is a high-profile bank in our community, and from time to time, employees may be approached by reporters and other members of the media. In order to ensure that we speak with one voice and provide accurate information about the bank, we should direct all media inquiries to the [Public Relations Executive]. No one may issue a press release without first consulting the [Public Relations Executive].

Do the Right Thing

Several key questions can help identify situations that may be unethical, inappropriate or illegal. Ask yourself:
• Does what I am doing comply with the [bank name] guiding principles, Code of Conduct, and bank policies?
• Have I been asked to misrepresent information or deviate from normal procedure?
• Would I feel comfortable describing my decision at a staff meeting?
• How would it look if it made the headlines?
• Am I being loyal to my family, my bank and myself?
• What would I tell my child to do?
• Is this the right thing to do?

Information and Resources

Chief Executive Officer (or equivalent)
[Insert name and contact information]

Head of Human Resources (or equivalent)
[Insert name and contact information]

[Title of Other Contact Person]
[Insert name and contact information]

Annex 2: Illustrative Whistle-Blower Policy

[Bank name] Whistle-Blower Policy

General

The bank’s Code of Conduct requires all employees to observe high standards of business and personal ethics in the conduct of their duties and responsibilities. As employees and representatives of the bank, we must practice honesty and integrity in fulfilling our responsibilities and comply with all applicable laws and regulations.

Reporting Responsibility

It is the responsibility of all employees to comply with the bank’s Code of Conduct and to report violations or suspected violations in accordance with this Whistle-Blower Policy (Policy).

No Retaliation

No employee who in good faith reports a violation of the Code of Conduct shall suffer harassment, retaliation or adverse employment consequence. An employee who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment. This Whistle-Blower Policy is intended to encourage and enable employees and others to raise serious concerns within the bank prior to seeking resolution outside the bank.

Reporting Violations

The bank’s Code of Conduct addresses the bank’s open-door policy and encourages employees to share their questions, concerns, suggestions or complaints with someone who can address them properly. In most cases, an employee’s supervisor is in the best position to address an area of concern. However, if you are not comfortable speaking to your supervisor or you are not satisfied with your supervisor’s response, you are encouraged to speak with someone in the Human Resources Department or anyone in management whom you are comfortable in approaching. Supervisors and managers are required to report suspected violations of the Code of Conduct to the bank’s Compliance Officer, who has specific and exclusive responsibility to investigate all reported violations. For suspected fraud, or when you are not satisfied or are uncomfortable with following the bank’s open-door policy, individuals should contact the Bank’s Compliance Officer directly.

Compliance Officer

The Bank’s Compliance Officer (or designate) is responsible for investigating and resolving all reported complaints and allegations concerning violations of the Code and, at his/her discretion, shall advise the senior management and/or the audit committee. The Compliance Officer has direct access to the Board Audit Committee and is required to report to the Audit Committee at least annually on compliance activity.

Matters to Be Reported

Employees may report:
• Any immoral, illegal or unethical practices;
• Violations of the Bank’s Code of Conduct;
• Violations of the Bank’s accounting procedures or internal controls; and
• [Include the legislations that govern the Bank’s practices].

Acting in Good Faith

Anyone filing a complaint concerning a violation or suspected violation of the Code must be acting in good faith and have reasonable grounds for believing the information disclosed indicates a violation of the Code. Any allegations that prove not to be substantiated and which prove to have been made maliciously or knowingly to be false will be viewed as a serious disciplinary offense.

Confidentiality

Violations or suspected violations may be submitted on a confidential basis by the complainant or may be submitted anonymously. Reports of violations or suspected violations will be kept confidential to the extent possible, consistent with the need to conduct an adequate investigation.

Reporting

An employee can use the following channels:
• Through telephone [include numbers – it would help if toll-free lines are available];
• Through fax [include number];
• Through email [include email address];
• Through mail [include postal address and/or physical address]; and
• Through the Bank’s website, [include hyperlink to the Bank’s website or intranet].

These channels are available throughout the year, and the employee should provide as much information as is possible to enable investigation and resolution of the violation(s) reported.

Handling of Reported Violations

The Compliance Officer will notify the sender and acknowledge receipt of the reported violation or suspected violation within five business days. All reports will be promptly investigated, and appropriate corrective action will be taken if warranted by the investigation.

The possible outcomes of any reports will include any of the following:
• Disciplinary action (up to and including dismissal) and/or legal action against the wrongdoer, depending on the results of the investigation; or
• Disciplinary action (up to and including dismissal) against the employee if the claim is found to be malicious or otherwise in bad faith; or
• No action if the allegation proves unfounded.

Annex 3: Illustrative Board Risk Committee Charter [78]

I. Purpose and Authority

The risk committee is established by and among the Board of Directors to properly align with management as it embarks on a risk management program. The primary responsibility of the risk committee is to oversee and approve the company-wide risk management practices to assist the Board in:
• Overseeing that the executive team has identified and assessed all the risks that the organization faces and has established a risk management infrastructure capable of addressing those risks;
• Overseeing, in conjunction with other Board-level committees or the full Board, if applicable, risks, such as strategic, financial, credit, market, liquidity, security, property, IT, legal, regulatory, reputational, and other risks;
• Overseeing the division of risk-related responsibilities to each Board committee as clearly as possible and performing a gap analysis to determine that the oversight of any risks is not missed; and
• In conjunction with the full Board, approving the bank’s enterprise-wide risk management framework.

The risk committee may have the authority to conduct investigations into any matters within its scope of responsibility and obtain advice and assistance from outside legal, accounting, or other advisors, as necessary, to perform its duties and responsibilities.

In carrying out its duties and responsibilities, the risk committee shall also have the authority to meet with and seek any information it requires from employees, officers, directors, or external parties. In addition, the risk committee should make sure to meet with other Board committees to avoid overlap as well as potential gaps in overseeing the bank’s risks.

The risk committee will primarily fulfill its responsibilities by carrying out the activities enumerated in Section III of this charter.

II. Composition and Meetings

The risk committee will comprise three or more directors as determined by the Board. Each risk committee member will meet the applicable standards of independence, and the determination of independence will be made by the Board. Each member will have an understanding of risk management expertise commensurate with the bank’s size, complexity and capital structure.

At least one member will qualify as a “risk expert.” The risk committee will consider the experience of the designated member with risk management expertise, including, for example, background in risk management or oversight applicable to the size and complexity of the bank’s activities, attitude toward risk, and leadership capabilities.

The risk committee will provide its members with annual continuing education opportunities and customized training focusing on topics such as leading practices with regard to risk governance and oversight and risk management.

Committee members will be appointed by the Board at the annual organizational meeting of the Board. Unless a chairperson is elected by the full Board, the members of the committee may designate a chairperson by majority vote. Additionally, the risk committee, in conjunction with the full Board and with the nominating and corporate governance committee, may do well to consider and plan for succession of risk committee members.

The risk committee will report to the full Board of Directors. The risk committee will consider the appropriate reporting lines for the bank’s CRO and the company’s management-level risk committee—whether indirectly or directly—to the risk committee.

The committee will meet at least quarterly, or more frequently as circumstances dictate. The committee chairperson will approve the agenda for the committee’s meetings, and any member may suggest items for consideration. Briefing materials will be provided to the committee as far in advance of meetings as practicable. Each regularly scheduled meeting will begin or conclude with an executive session of the committee, absent members of management. As part of its responsibility to foster open communication, the committee will meet periodically with management, heads of business units, the CRO (if applicable) and even divisional CROs, the director of the internal audit function, and the independent auditor in separate executive sessions.

III. Responsibilities and Duties

To fulfill its responsibilities and duties, the risk committee will:

Enterprise responsibilities
• Help to set the tone and develop a culture of the bank vis-à-vis risk, promote open discussion regarding risk, integrate risk management into the bank’s goals and compensation structure, and create a corporate culture such that people at all levels manage risks rather than reflexively avoid or heedlessly take them;
• Provide input to management regarding the bank’s risk appetite and tolerance and, ultimately, approve risk appetite and the statement of risk appetite and tolerance messaged throughout the company and by line of business;
• Monitor the organization’s risk profile — its ongoing and potential exposure to risks of various types;
• Define risk review activities regarding the decisions (e.g., acquisitions), initiatives (e.g., new products), and transactions and exposures (e.g., by amount) and prioritize them prior to being sent to the Board’s attention;
• Review and confirm that all responsibilities outlined in the charter have been carried out;
• Monitor all enterprise risks; in doing so, the committee recognizes the responsibilities delegated to other committees by the Board and understands that the other committees may emphasize specific risk monitoring through their respective activities;
• Conduct an annual performance assessment relative to the risk committee’s purpose, duties, and responsibilities; consider a mix of self- and peer-evaluation, supplemented by evaluations facilitated by external experts;
• Oversee the risk program/interactions with management;
• Review and approve the risk management infrastructure and the critical risk management policies adopted by the bank;
• Periodically review and evaluate the bank’s policies and practices with respect to risk assessment and risk management and annually present to the full Board a report summarizing the committee’s review of the bank’s methods for identifying, managing, and reporting risks and risk management deficiencies;
• Continually, as well as at specific intervals, monitor risks and risk management capabilities within the bank, including communication about escalating risk and crisis preparedness and recovery plans;
• Continually obtain reasonable assurance from management that all known and emerging risks have been identified and mitigated or managed;
• Communicate formally and informally with the senior management team and risk management regarding risk governance and oversight;
• Discuss with management and the CRO the bank’s major risk exposures and review the steps management has taken to monitor and control such exposures, including the company’s risk assessment and risk management policies;
• Review and assess the effectiveness of the bank’s enterprise-wide risk assessment processes and recommend improvements, where appropriate; review and address, as appropriate, management’s corrective actions for deficiencies that arise with respect to the effectiveness of such programs; and
• In coordination with the audit committee, understand how the company’s internal audit work plan is aligned with the risks that have been identified and with risk governance (and risk management) information needs.

Chief Risk Officer
• Ensure that the bank’s CRO has sufficient stature, authority, and seniority within the bank and is independent from individual business units within the bank; and
• If the CRO reports to the risk committee, review the appointment, performance, and replacement of the CRO of the bank in consultation with the nomination and governance committee (if applicable) and the full Board.

Reporting
• Understand and approve management’s definition of the risk-related reports that the committee could receive regarding the full range of risks the bank faces, as well as their form and frequency;
• Respond to reports from management so that management understands the importance placed on such reports by the committee and how the committee views their content;
• Read and provide input to the Board and audit committee regarding risk disclosures in financial statements, proxy statements, and other public statements regarding risk;
• Keep risk on both the full Board’s and management’s agenda on a regular basis; and
• Coordinate (via meetings or overlap of membership), along with the full Board, relations and communications with regard to risk among the various committees, particularly between the audit and risk committees.

Charter review
• Review the charter at least annually and update it as needed to respond to new risk-oversight needs and any changes in regulatory or other requirements;
• Review and approve the management-level risk committee charter, if applicable;
• Perform any other activities consistent with this charter, the bank’s bylaws, and governing laws that the Board or risk committee determines are necessary or appropriate; and
• Submit the charter to the full Board for approval.

[78] Adapted from Deloitte, Risk Committee Resource Guide for Boards, 2012, pp. 18–21.

Annex 4: Illustrative Terms of Reference for a Chief Risk Officer

Brief Description

The Chief Risk Officer (CRO) implements the execution of Enterprise Risk Management (ERM) processes and infrastructure as a key facilitator to achieving the business objectives of the organization with regard to risk and compliance matters.

The CRO will be a member of the senior management of the bank and will be expected to work with the senior management to ensure that the bank’s overall business objectives are fully met.

Primary Responsibilities
• Assist the Board and senior management to establish and communicate the Bank’s risk management principles, objectives and direction to staff;
• Assist the Chief Executive Officer and the Risk Management Committee to develop and communicate risk management policies, risk appetite / tolerance level and risk limits on different corporate activities;
• Implement appropriate risk reporting to the CEO, Risk Management Committee, and full Board;
• Work with management in developing risk mitigation measures to address the bank’s key risks and to monitor their effectiveness;
• Establish policies and procedures, risk metrics, risk reports and improvements in risk readiness through communication, training, and risk-based performance management systems;
• Set the strategic risk management vision and deliver that strategy to the bank;
• Facilitate enterprise-wide risk assessments and monitor priority risks across the bank;
• Promote an environment that supports transparency and the bank’s key risk-return objectives;
• Implement appropriate systems, controls, and reporting to ensure risk can be managed effectively and in a cost-effective manner;
• As a key member of the senior management team, help develop strategy in a manner that integrates risk management and controls;
• Work with business units to establish, maintain and continuously improve risk management capabilities;
• Work with the Head of Internal Audit and the Chief Finance Officer to ensure alignment between the risk management process and internal audit and risk financing;
• Develop and champion the implementation of an IT strategy to support risk management; and
• Support the development of the risk management team, working as a mentor to direct reports.

Desired Skills and Experience
• University degree and/or relevant professional qualification;
• Minimum of 15 years’ relevant experience in a highly respected bank or financial services organization;
• An intimate knowledge of internal business processes, specifically in the financial services industry;
• A recognized risk leader who is dynamic, proactive and decisive, with the ability to adapt well to and initiate change in the bank, and seek ways to optimize risks as a competitive business advantage;
• Considerable risk management experience;
• Exceptional leadership skills at the executive level;
• High credibility and strong reputation with regulators in the markets he/she has operated in;
• Ability to review and critically analyze substantial amounts of information and bring to bear exceptional decision-making skills; and
• Excellent communication skills, both written and verbal.

Annex 5: Illustrative Risk Appetite Statement [79]

Criteria / Risk Culture

1. Earnings volatility
• Deliver annual target Earnings before Interest, Tax, Depreciation and Amortization (EBITDA) growth of 15% through YYYY.
• Maintain a target return volatility of <20% through YYYY (Group level).
• Where possible, based on liquidity considerations, retain exposure to real estate market volatility.

2. Target debt rating
• Maintain a large credit rating of AA (stable) or equivalent across external rating agencies.

3. Liquidity headroom
• Maintain a target leverage ratio of 55%, with headroom of $600 MM.
• Review earnings at risk monthly to ensure that potential breach of covenants remains <10% of distribution; take action in the form of financial products if required to mitigate market risk exposures with a focus on FX and commodities.

4. Diversification of levels
• Limit concentration of large exposures to $2 BN of capital in any one country; $200 MM against any one counterparty.
• Limit concentration of business unit revenues to 50% of total, and by brand to 5% of total.

5. Governance
• Ensure operational efficiency and safety standards are maintained within top quartile of industry peer group.
• Risk retention and coverage levels (property, liability, business interruption) set to limit potential for catastrophic losses at <1%.

6. Strategy growth
• All new business opportunities to be evaluated on a fully costed, risk-return basis in relation to other investment alternatives.
• Strategic options to be considered in light of subsequent portfolio diversification implications.

7. Regulation
• Zero tolerance for any international regulatory breaches.
• Exceed legal regulatory standards in key geographies.

8. Corporate reputation
• Maintain a score of >80% on the corporate reputation index (takes into account media, consumer, employee, and analyst views) relative to peer institutions.
• Ensure external communications adhere to the highest code of legal standards and transparency within all key markets.

[79] Adapted from the Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk And Reward, Appendix C: Developing a Risk Appetite Statement, published by National Association of Corporate Directors, 2009.

Annex 6: Illustrative Training Program for the Board of Directors

Training topic: Introduction to corporate governance
Learning objective: Aim is to provide a background on why corporate governance has grown in prominence and become a crucial corporate agenda.
Sample areas to be covered:
• Why corporate governance is essential for today’s Board; and
• Background and evolution of corporate governance.

Training topic: Overview of corporate governance
Learning objective: At the end of the session, the directors will be able to understand the concepts related to corporate governance.
Sample areas to be covered:
• Corporate governance defined;
• Key concepts;
• Typical corporate governance structure; and
• Key corporate governance actors.

Training topic: Principles of corporate governance
Learning objective: Objective will be to highlight various best practice and local good practice corporate governance principles such as those issued by key regulators of the financial services industry.
Sample areas to be covered:
• Principles of corporate governance;
• Corporate governance minimum guidelines in the [include region] market;
• Board composition and leadership;
• Board organization;
• Board charter;
• Code of ethics;
• Independence declarations; and
• Delegation of authority and decision-making.

Training topic: Role in risk management
Learning objective: This aims at sensitizing the Board on what is required so as to ensure that the Board has effective oversight on risk management within the organization.
Sample areas to be covered:
• Definition of risk and risk management;
• Key risks facing the bank and relevant laws and regulations;
• Understand the bank’s risk management framework, policies, processes, limits; and
• How the Board can provide leadership on the risk agenda and drive the Bank toward effective risk management.

Training topic: Oversight in action—roles and responsibilities
Learning objective: The objective is to sensitize the directors on the roles and responsibilities of the Board so as to effectively carry out their oversight role.
Sample areas to be covered: Specific roles of:
• Board Chair;
• Directors;
• Board committees (Audit, Credit, Remuneration);
• CEO;
• Company Secretary; and
• Senior management.

Training topic: Elevating Board effectiveness
Learning objective: The objective is to highlight how the Board can assure itself on its effectiveness.
Sample areas to be covered:
• Director induction;
• Continued Board education;
• Board and Board committees evaluation;
• Board succession planning; and
• Senior management development and succession planning.

Annex 7: Illustrative Training Program for Risk Champions

The following is a sample two-day workshop designed for employees who have been identified as risk champions within their business units or the operational managers within the bank. The workshop comprises two sections:

Theoretical Training: This would include the following topics which help the participants to grasp the importance of having risk management be part of each employee’s duties:
• Overview of enterprise risk management;
• Recent events that have shaped developments in risk management;
• Why Enterprise Risk Management?
• The process of risk management; and
• Roles and responsibilities in risk management.

Practical Training / Session Breakouts: These assist the participants of the workshop to have hands-on experience on risk issues affecting the bank and include focus groups and exercises that include the following:
• Risk identification;
• Risk measurement;
• Risk response; and
• Updating the bank’s risk register.

Sample Timetable

Session 1: Introduction to risk management
• Purpose of risk management;
• Risk management principles;
• The risk management process;
• Attributes of effective risk management; and
• The roles and responsibilities of various stakeholders in risk management.

Session 2: The risk management process – part A
• Establishing the context;
• Risk theory;
• Risk identification tools; and
• Risk description.
[Breakout session – risk identification in participants’ business units]

Session 3: The risk management process – part B
• Risk analysis and evaluation;
• Qualitative analysis and evaluation;
• Awareness of quantitative analysis and evaluation; and
• Risk appetite.

Session 4: The risk management process – part C
• Risk treatment;
• Risk treatment plans; and
• Risk reporting and assurance.
[Breakout session – risk assessment exercise]

Session 5: The risk management framework
• Overview of the risk management framework;
• Mandate and commitment;
• Monitoring and review;
• Continual improvement; and
• ICAAP.
[Breakout session – going through ICAAP]

Session 6: Good risk management
• How we know when we are doing risk management well;
• Being a successful risk manager; and
• Achieving a risk-aware culture through successful risk management.
[Breakout session – role of the risk appetite in achieving the bank’s goals] Risk Culture, Risk Governance and Balanced Incentives 79 Annex 8: Illustrative Board Risk Committee Evaluation Questionnaire80 For each of the following statements, select a number between 1 and 5, with 1 indicating that you strongly disagree and 5 indicating that you strongly agree with the statement. Select 0 if the statement is not applicable or you do not have enough knowledge or information to rank the bank’s risk committee on that particular statement. Compostion and quality 1 2 3 4 5 1. Qualified risk committee members are identified by sources independent of management (e.g., independent Board members assisted by an outside search firm). 2. Members of the risk committee meet all applicable independence requirements. 3. The designated risk expert meets the definition of “expert” as agreed to by the committee and the Board. 4. Risk committee members have the appropriate qualifications to meet the objectives of the risk committee’s charter, including appropriate risk background/qualifications. 5. The risk committee demonstrates integrity, credibility, trustworthiness, active participation, an ability to handle conflict constructively, strong interpersonal skills, and the willingness to address issues proactively. 6. The risk committee demonstrates appropriate banking knowledge and includes a diversity of experiences and backgrounds. 7. The risk committee participates in a continuing education program to enhance its members’ understanding of relevant risk management and banking issues. 8. The risk committee reviews its charter annually to determine whether its responsibilities are described adequately and recommends changes to the Board for approval. 9. New risk committee members participate in an orientation program to educate them on the company, their responsibilities, and the company’s risk management and oversight policies and practices. 10. 
The risk committee chairman is an effective leader. 11. The risk committee, in conjunction with the nominating committee (or its equivalent), creates a succession and rotation plan for risk committee members, including the risk committee chairman. Understanding the business and associated risks 1 2 3 4 5 12. The risk committee oversees or knows that the full Board or other committees are overseeing significant risks that may directly or indirectly affect the bank. Examples include: • Regulatory and legal requirements; • Concentrations (e.g., suppliers and customers); • Market and competitive trends; • Financing and liquidity needs; • Financial exposures; • Business continuity; • Bank reputation; • Financial strategy execution; • Financial management’s capabilities; • Management override of controls; • Fraud control; and • Other pressures such as “tone at the top.” 13. The risk committee discusses the bank’s risk appetite and specific risk tolerance levels in conjunction with strategic objectives, as presented by management, at least annually. 14. The risk committee considers, understands, and approves the process implemented by senior management to effectively identify, assess, monitor, and respond to the bank’s key risks. 15. The risk committee understands and approves senior management’s fraud risk assessment and has an understanding of identified fraud risks. 16. The risk committee considers the bank’s performance versus that of its peers in a manner that enhances comprehensive risk oversight by using reports provided directly by management to the risk committee or at the full Board meeting. 80 Adapted from Deloitte Development LLC, Risk Committee Resource Guide for Boards, 2012, pp. 27 – 29. 80 Chapter 8: Annex 8 Processes and procedures 1 2 3 4 5 17. The risk committee reports its proceedings and recommendations to the Board after each committee meeting. 18. 
The risk committee develops a calendar that dedicates the appropriate time and resources needed to execute its responsibilities. 19. Risk committee meetings are conducted effectively, with sufficient time spent on significant or emerging issues. 20. The level of communication between the risk committee and relevant parties is appropriate; the risk committee chairman encourages input on meeting agendas from committee and Board members and senior management, including the CEO, CFO, CRO, CAE, CCO, and business-unit leaders. 21. The risk committee sets clear expectations and provides feedback to the full Board concerning the competency of the bank’s CRO and the risk function. 22. The risk committee has input into the succession planning process for the CRO. 23. The agenda and related information (e.g., prior meeting minutes, reports) are circulated in advance of meetings to allow risk committee members sufficient time to study and understand the information. 24. Written materials provided to risk committee members are relevant and at the right level to provide the information the committee needs to make decisions. 25. Meetings are held with enough frequency to fulfill the risk committee’s duties at least quarterly, which should include periodic visits to bank locations with key members of management. 26. Regularly, risk committee meetings include separate private sessions with business unit leaders, the CRO, and the CAE. 27. The risk committee maintains adequate minutes of each meeting. 28. The risk committee meets periodically with the committee(s) responsible for reviewing the bank’s disclosure procedures (typically the audit committee) in order to discuss respective risk-related disclosures. 29. The risk committee coordinates with other Board committees (e.g., audit committee) to avoid gaps or redundancy in overseeing individual risks. 30. The risk committee respects the line between oversight and management of risks within the organization. 31. 
Risk committee members come to meetings well prepared. Monitoring activities 1 2 3 4 5 32. An annual performance evaluation of the risk committee is conducted, and any matters that require follow- up are resolved and presented to the full Board. 33. The bank provides the risk committee with sufficient funding to fulfill its objectives and engage external parties for matters requiring external expertise. Communication activities 1 2 3 4 5 34. The risk committee communicates regularly with regulators and others on risk- management-related matters. 9 References Accenture. 2013. Global Risk Management Study. Commission of the European Communities. 2005. Commission Recommendation complementing Alessi, C., Sergie, M.A., Understanding the Libor Scandal Recommendations 2004/913/EC and 2005/162/EC as 5 December 2013 [viewed on of listed companies. 11 November 2014] Committee of Sponsoring Organizations of the Treadway Ashby, S., Palermo, T., & Power, M. 2012. Risk culture Commission. 2004. Enterprise Risk Management - in financial organizations: An interim report. The Integrated Framework. London School of Economics and Political Science. Deloitte. 2006. The Risk Intelligent Enterprise: ERM done Bank for International Settlements. 2010. Principles for right. enhancing Corporate Governance. Deloitte. 2008. Less risk, greater rewards: Taking a risk Basel Committee on Banking Supervision. 2011. Range of intelligent approach to your employee rewards Methodologies for Risk and Performance Alignment program. of Remuneration. Deloitte. 2009. Altering Compensation Approaches to Basel Committee on Banking Supervision. 2010. Principles Reflect the Changing Financial Services Landscape. for Enhancing Corporate Governance. Deloitte. 2012. Cultivating a Risk Intelligent Culture: Board of Governors of the Federal Reserve System. 2011. Understand measure, strengthen, and report. Incentive Compensation Practices: A Report on the Horizontal Review of Practices at Large Banking Deloitte. 
2012. Risk Committee Resource Guide for Boards. Organizations. Deloitte. 2012. The Leadership premium: How companies Brodeur, A., Buehler, K., Pastalos-Fox, M., & Pergler, M. win the confidence of investors. 2009. The Role of the CRO: Risk Management Deloitte. 2013. Culture in banking: Under the microscope. Lessons from the Crisis. McKinsey & Company. Deloitte. 2013. Developing an effective governance operating Campbell, A., Cultural failures at JP Morgan, Barclays model: A guide for financial services boards and and HBOS. Available from . [22 August 2014] [viewed on 22 August Transformation Toolkit. 2014]. Deloitte. 2013. Global risk management survey, eighth Chibayambuya, J. and D.J. Theron. The Application of edition: Setting a higher bar. Holistic Risk Management in the Banking Industry. University of Johannesburg. Deloitte. 2014. As risks rise, boards respond: A global view of risk committees Commission of the European Communities. 2009. Commission recommendation on remuneration Ernst & Young. 2012. Progress in financial risk policies in the financial services sector. Brussels. C management: A survey of major financial institutions. (2009) 3177. 82 Chapter 9: References Ernst & Young. 2013. Remaking financial services, risk; Risk Institute of International Finance. 2010. Compensation management five years after the crisis: A survey of Reform in Wholesale Banking 2010: Progress in major financial institutions. Implementing Global Standards. Ernst & Young. 2013. Maximizing value from your lines of International Finance Corporation. 2013. Control defense: A pragmatic approach to establishing and Environment Toolkit: Risk Governance, Model Risk optimizing your LOD model. Management Committee Charter. Ernst and Young. 2014. 2014 Risk management survey of International Finance Corporation. 2012. Standards on risk major financial institutions. Shifting focus: Risk governance in financial institutions. culture at the forefront of banking. 
International Finance Corporation. 2012. Risk Taking: A European Commission, 2010. Corporate governance in Corporate Governance Perspective. financial institutions and remuneration policies. KPMG International. 2013. Expectations of Risk European Commission. 2012. Communication to the Management Outpacing Capabilities: It’s Time for Commission: Communication from Vice President Action. Šefovi to the Commission on Guidelines on Levy, C., Lamarre, E., & Twining, J. 2010. Taking Control Whistleblowing. of Organizational Risk Culture. McKinsey & European Confederation of Directors’ Associations. 2011. Company. ecoDa’s response to the European Commission’s MicroSave. 2005. A Toolkit for Designing and Implementing Green Paper on corporate governance in financial Staff Incentive Schemes. institutions and remuneration policies. National Association of Corporate Directors. 2009. Report Financial Services Authority. 2012. Guidance Consultation: of the NACD Blue Ribbon Commission on Risk Risks to customers from financial incentives. London. Governance: Balancing Risk and Reward. Financial Stability Board. 2013. Thematic Review on Risk O’Donnell, S. 2009. Executive Incentive Practices Post- Governance, Peer Review Report. TARP. Bank Accounting and Finance. Financial Stability Board. 2013. Principles for an effective OECD. 2014, Risk Management and Corporate Governance. Risk Appetite Framework. Office of the Comptroller of Currency. 2010. The role of a Financial Stability Forum. 2009. FSF principles for sound national bank director: The director’s book. compensation practices. Pearl Mayer & Partners LLC. 2012. Bank Executive & Goslin, T., & Terry, J. 2008. The Journal: Global Board Compensation: Compensation Solutions to Perspectives on challenges and opportunities. Reward Today’s Directors & Executives. London: PricewaterhouseCoopers. PricewaterhouseCoopers. 2009. Risk: Getting appetite right. L. Hay. 2012, Pearl Meyer & Partners LLC 2012. 
Trends PricewaterhouseCoopers, The Journal: Banking and and issues: Directors’ accountability for ensuring Capital Markets. risk-based compensation programs. Reserve Bank of India. 2012. Guidelines on Compensation of Institute of Internal Auditors. 2013. IIA Position Paper: The Whole Time Directors/CEOs/Risk takers and Control three lines of defense in effective risk management function staff, etc. and control. Rhodes, W. 2014. Risk culture must change to protect Institute of International Finance. 2009. Reform in the financial system, Financial Times, 7 August Financial Services Industry: Strengthening Practices 2014. Available from . [22 August 2014]. Risk Culture, Risk Governance and Balanced Incentives 83 The Application of Holistic Risk Management in the United States Federal Law. 2010. Dodd-Frank Wall Street Banking Industry,” by J Chibayambuya & DJ Reform and Consumer Protection Act. Theron, University of Johannesburg. Working Group on Corporate Governance - Group of 30. The Association of Insurance and Risk Manager. 2010. A 2012. Toward Effective Governance of Financial structured approach to Enterprise Risk Management Institutions. (ERM). The Incentive Research Foundation. 2012. Incentives, Motivation, and Workplace Performance: Research & Best Practices. 2121 Pennsylvania Avenue, N.W. Washington, D.C. 20433 ifc.org