Address by Ed Sibley, Director of Credit Institutions to the Institute of Banking

17 November 2016

Introduction

Good morning ladies and gentlemen.

Firstly, I would like to thank the Institute of Banking for the opportunity to speak to you today to discuss the important subjects of governance and culture.

Today, I will outline: why the Central Bank considers governance and culture to be so important; our supervisory approach; reflections on what we see from our work; and what we expect regarding the features of sound governance, including considering the need for diversity and an inclusive culture.

As you know, it is the responsibility of board members and senior management to devise and implement a strategy that drives a bank to deliver sustainable performance over the long term. This is no easy task. Good governance is at the very heart of being successful and is consequently not some nebulous, intangible thing.

What is governance and why is it important

So, what exactly do I mean when I talk about governance. The Basel Committee on Banking Supervision in its 2015 Guidelines on corporate governance principles for banksⁱ states:

Corporate governance determines the allocation of authority and responsibilities by which the business and affairs of a bank are carried out by its board and senior management, including how they:

• set the bank’s strategy and objectives;
• select and oversee personnel;
• operate the bank’s business on a day-to-day basis;
• protect the interests of depositors, meet shareholder obligations, and take into account the interests of other recognised stakeholders;
• align corporate culture, corporate activities and behaviour with the expectation that the bank will operate in a safe and sound manner, with integrity and in compliance with applicable laws and regulations; and
• establish control functions.

This is a very comprehensive definition, although admittedly not particularly succinct. In other words, governance impacts and drives all aspects of a bank’s strategy, operations, risk profile, culture and permeates all levels of its organisation. It is no wonder that it is of such interest to supervisors and regulators and I will touch on several of these aspects with you today.

Banks, and indeed other financial services firms including credit unions, ultimately fail due to capital shortfalls or having insufficient liquidity to meet their obligations as they fall due, or a combination of both. These are very tangible, quantifiable reasons. But if we ask ourselves why these quantitative failings have crystallised, invariably we will find material governance failings. This has been very clearly illustrated most recently in Rush Credit Union, where governance and control failings persisted despite Central Bank actions, and even more catastrophically across the banking system leading up to the 2008 crash and beyond.

So, sound governance is critical for the avoidance of failure. However, we should not only consider it as a damage limitation tool. It is much more than this and should also be seen as a mechanism to maximise the chances of success. Banks face a myriad of complex issues that they must cope with to be successful in the long term. The level of uncertainty that we face (as evidenced by political events in the last few months), the pace of technological change, diverse competitive pressures, regulatory change, changing expectations of both customers and staff, dealing effectively with the remaining legacy issues of past mistakes, and so on, provide major challenges for us all.

Consequently, no bank can expect to develop a fixed, future-proof strategy, built on a set of granular assumptions that will hold true over an extended period. As Danièle Nouy, the Chair of the Single Supervisory Mechanism (SSM), has stated 'banks that adapt will thrive, those that don't will fail' ⁱⁱ. Effective governance is critical in ensuring that banks can adapt and react quickly, and adjust both strategies and tactics to meet these and other challenges. Critically, good governance ensures that the risks that banks have to take are and continue to be well understood, managed and factored into decision-making.

Supervisory approach

For all these reasons and more, governance continues to be high on the list of supervisory priorities for the Central Bank. This also holds true for the Single Supervisory Mechanism, of which we are one of the nineteen participating Member States, and which has ultimate responsibility for banking supervision across the Eurozone.

Governance is an area in which supervisors can and must offer robust and effective challenge to boards and senior management. Given its pervasiveness, it is an area in which we can focus our limited resources to maximum effect. In doing so, we strive to deliver outcomes that safeguard financial stability and protect consumers.

Governance and risk management is one of the four key elements of the SSM’s Supervisory and Review Process, commonly referred to as SREP, which is the cornerstone of our supervision. It is conducted on an annual basis for the largest banks (the 'significant institutions' (SIs) under the SSM's methodology). Our work is anchored on the SSM supervisory manual, our local requirements, including the Corporate Governance Codes, the relevant regulations, and European Banking Authority (EBA) guidelines. While examined as an area of focus in its own right, the effectiveness of governance arrangements is also considered across the entire range of risks we assess - from credit through to IT, and so on.

Through the SREPs, onsite inspection's, and thematic reviews we assess the effectiveness of governance arrangements. Indeed, the SSM conducted a Thematic Review on Governance in 2015 across the 120 or so largest banks operating in the Eurozone. It published the findings in June 2016ⁱⁱⁱ. The report assesses industry practices in the areas of internal governance and risk appetite frameworks, highlighting both good practices and shortcomings, with notable weaknesses identified around independent challenge by boards and weak risk appetite frameworks.

What we see

On that note, let me now share some insights into what we see from our supervision of governance across the banks operating in Ireland. As many of you will be aware, for the last two years, our day-to-day supervision now benefits from in-depth independent inspection's, performed by subject matter experts in our dedicated inspection's division. This enhancement to our supervisory toolkit has helped us to drill down further into practices within individual banks and the wider sector. It has allowed us to see both good and poor practices and the impacts these have, not only for our largest banks (SI’s) but also for the smaller ones (LSI’s). We also benefit from seeing good and poor practices across nineteen SSM countries.

On the positive side, we continue to see considerable improvements in the governance structures within banks operating in Ireland. This has been driven both by the industry and significant enhancements in the regulatory framework and our supervisory approach. For example, boards have been significantly strengthened in terms of size and composition, and all new directors are now assessed through the Fit and Proper application process and have clear line of sight of their duties and accountabilities.

Board committees such as risk and audit committees are more structured, their responsibilities are better documented and their output is more transparent for supervisors to assess. Control functions have been strengthened. Our interaction with bank boards and senior management has improved. This represents a good cultural shift from the past and demonstrates some of the progress made in recent years.

But we are far from finished. We continue to see governance weaknesses across the institutions we supervise. As touched on earlier, this was clearly the case in Rush Credit Union, where governance and control arrangements fell materially short of the minimum standards, seriously endangering members' funds over an extended period, and ultimately leading to the financial position of the credit union being completely compromised. In this circumstance, regretfully the Central Bank had to take such severe action to protect consumers.

While this was an extreme case in the Credit Union sector, this does not mean that it does not provide important lessons for all regulated firms, including banks. Governance failings heighten the risk of consumer detriment and the risks to the financial soundness of all institutions.

It is therefore the supervisors’ role to challenge and assess governance arrangements. It is inevitable that we will find issues and raise concerns in doing this work. The material increase in the intensity of our onsite inspection's, together with the enhancement in the regulatory framework means it is inevitable that we will unearth more issues. Having said that, it is disappointing that we continue to identify so many serious issues in both governance arrangements themselves and also in critical business areas where we would expect robust governance and culture to be more effective.

In this context, let me now share some related weaknesses we are encountering on a too frequent basis across the banking sector.

1) Firstly, we continue to see very serious failings in the governance of outsourcing across the banks. To be frank, I find this is astonishing. It is obvious that the ultimate responsibility for the proper management of risks associated with outsourcing arrangements and the outsourced activities resides with boards and senior management of banks - not the outsource provider. However, in practice, arrangements are too frequently being badly managed as a result of weak outsourcing frameworks, lack of oversight, poor risk information, and a lack of engagement and challenge from boards on the robustness of these arrangements.

Outsourcing is not new, although it continues to increase in prominence as banks seek to reduce costs, and focus more on their core business expertise and value generating activities. We expect strong governance frameworks over outsourcing arrangements, starting with adherence with the EBA guidelines on outsourcing at the very minimum. These guidelines effectively date back to 2006. Banks have had 10 years to ensure they comply with them. However, we continue to see examples of where they do not, resulting in serious risks being run, a lack of ability to manage and drive value from the outsourcing arrangements and ultimately requiring us to take enforcement action in a number of cases.

2) Secondly, I want to raise the issue of the effectiveness of board challenge. I noted earlier that, in general, it is much improved. Board members, and in particular independent non-executive directors, who are hugely important to the effectiveness of governance arrangements, have a very difficult and complex role. They are dependent on the information provided to them, but that does not mean that they have to accept it.

We continue to see issues with the quality, or lack thereof, of internal reporting to boards and senior management. The quality varies greatly between different risk functions and across different banks, and is impacting on the ability of boards to fully understand the risks of their institutions. Similarly, the level of granularity in board reporting often masks emerging risks.

This is not an academic issue. As a direct consequence, we see, for example, strategies not being appropriately challenged; loan pricing assumptions not being understood, and consequently fundamental flaws in loan pricing models going unchecked; and risk appetites and frameworks not being embedded or reflecting the underlying risks being run in the banks resulting in inadequate monitoring, reporting, understanding and challenging of the risk banks are running.

3) Thirdly, we continue to identify issues across the three lines of defence, with the most serious in the interaction between the first and second lines, which is where I will focus my attention today.

As you know, the first line of defence, which is the revenue generating business line, is the owner of the risk, whereby it recognises and manages the risk that it incurs in conducting its activities. The second line of defence comprises the risk management and compliance functions which are responsible for further identifying, measuring, monitoring and reporting risk, independently from the first line. As such, it defines preventive and detective internal control requirements, and ensures that such requirements are embedded in the policies and procedures of the first line. The internal audit function is in charge of the third line of defence and has responsibility for providing assurance to the board that the overall governance and control framework is effective^iv.

Unfortunately, we are seeing inconsistencies in practices across the sector. We continue to see issues whereby the responsibilities of the different lines of defence are poorly defined, particularly between the first and second lines. In some instances, we have seen little evidence of robust challenge from the second line. We also see internal audit issues not being closed effectively or in a timely manner.

4) Finally, to build on the point I made earlier, we are continuing to see too many issues in, for example, the management of key risks, including credit, IT, capital modelling and even regulatory reporting. While some are quite granular in nature, they often raise concerns regarding the effectiveness and robustness of governance and culture within the banks, and their ability to meet minimum regulatory requirements and expectations.

Culture

This brings me to culture. What is culture and what does good culture look like? The Financial Stability Board defines culture as an "institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, or the institution’s risk culture." ^v Or to put in another way, an organisation's culture is formed by the assumptions, values, expectations and beliefs, which drive behaviours and how staff act.

Culture is shaped by the tone from the top; accountability; effective communication and challenge and incentives, both monetary and non-monetary - "the best predictor of what people will do is what they are incentivised to do" ^vi. Thus, if staff are incentivised (and I am talking about incentives in their broadest form) to take a short term view, or not to challenge questionable behaviours or actions, or to take short cuts, or not to report concerns, or even worse, to act unethically and not in the long term interests of the company or its customers, that is what they most likely will do.

Governance obviously has a strong role to play here too. Indeed, referring back to the Basel standards I used earlier, governance determines the alignment of "corporate culture, corporate activities and behaviour with the expectation that the bank will operate in a safe and sound manner, with integrity".

But it works both ways. The culture within an institution is a key factor in determining its safety and soundness, as it is key to the effectiveness of its governance arrangements. It drives the values and beliefs which govern how individuals treat others, perform their tasks, take decisions, assess risk, and perhaps most importantly, do the right thing to ensure they operate in a safe and sound manner. It is the foundation upon which a strong governance framework is built and is critical to a firms’ long term prosperity. The Group of Thirty (G30) recently published a report that called out banks’ limited progress with regards to culture and emphasised that banks that take half-hearted actions to try to deal with issues of culture and behaviour will not succeed^vii.

So, if we accept its importance, why do we continue to see such failings that can be linked to cultural issues, both internationally and locally, including for example - Wells Fargo, the Libor scandal, Payment Protection Insurance, and in Ireland, mortgage customers incorrectly losing their tracker mortgages, to name but a few of the bigger issues. These have cost the industry, and individual firms, billions of euros in fines and redress, and significant reputational damage. In each of these examples, there were multiple opportunities to catch the problems earlier. Unfortunately, we also continue to see these issues appear in smaller, but still important ways, where the level of internal challenge is subdued, where speaking up does not appear to be encouraged, where engagement with the regulator is less than transparent and where the outlook is too short-term.

Boards, senior management, front line managers, risk and compliance officers, and so on need to continually ask themselves what is the culture of my organisation, how are staff incentivised to behave, how does my organisation treat people that raise problems, issues and concerns?

Regulators and supervisors have certainly enhanced their approach to governance and internal control since the crisis. An unexpected benefit from our joining of the SSM, is we are now learning how to enhance our approach to examining behaviour and culture, learning in particular from the work of our colleagues in the Netherlands^viii. This is not aimed at dealing with symptoms only, or at providing quick fixes, but it targets sustained change. We have started inspection's on this topic in Ireland now for the first time, through which we hope to answer, for example:

• What influence, positive or negative, do individual actions and group dynamics have on the financial performance, integrity and reputation of an institution?
• Which facilitating or restraining role does the institution’s prevailing culture play?
• Which measures are necessary to mitigate the risks related to human behaviour as much as possible?

But we are still learning. We would never try to prescribe what the culture of a regulated entity should be. Andrew Bailey, CEO of the UK Financial Conduct Authority stated earlier this year that culture “is not something that has a tangible form.…rather, it is the product of many things which regulators can influence, but much more directly which firms themselves can shape” ^ix. Responsibility for driving the right culture resides, first and foremost, with a bank’s board.

I would encourage all institutions to act more proactively on their cultural foundations. Let’s consider challenging ‘the what’ first. In their paper on Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, the G30 outlined that “Banks should specify their cultural aspirations through a robust set of principles, and fashion mechanisms that deliver high standards of values and associated conduct consistent with the firm’s purpose and broader role in society" ^x. To simplify, banks need to be clear on what they want their culture to be. Only then can they consider ‘how’ this can be implemented, improved, or sustained.

The G30 paper also outlines that “Banks should work to fully embed the desired culture through ongoing monitoring and perseverance, drawn from four key areas: senior accountability and governance, performance management and incentives, staff development and promotion, and an effective three lines of defence”.

In the UK, a Banking Standards Board was established in 2015 to help raise standards of behaviour, competence and culture across the UK banks. This is an industry initiative to drive self-improvement in the banks. It is a private sector body funded by membership subscriptions and open to all banks and building societies operating in the UK. It is neither a regulator nor a trade association; it has no statutory powers, and it will not speak or lobby for the industry. The UK Prudential Regulatory Authority has acknowledged some of the work of this body in its recent policy statement on regulatory references^xi.

This is a welcome initiative of banks collaborating to proactively improve and not relying on the regulator to push them, but it is only a start. In Ireland, more needs to be done, individually within the banks and collectively by those bodies that represent them.

Diversity and inclusion

Diversity of thought and background play an important role in the decision-making and culture of an organisation. The boards and senior management of banks operating in Ireland do not reflect the diversity of the country today. In the largest banks, less than a quarter of board members are female and comparisons are almost certainly worse for any other measure of diversity. I do not have statistics for the layers immediately below the boards, but my experience is that it is much the same, if not worse.

This is not a unique circumstance in Ireland. The Empowering Productivity Report, which was sponsored by the UK Treasury and the Bank of England, concludes that UK Financial Services had an average of 23% female representation on boards, but only 14% on Executive Committees^xii.

This matters for three really important reasons:

1. Undoubtedly one of the factors that led to the financial crisis in Ireland was the collective group think in the board rooms of the banks (and elsewhere)[xiii].
2. Secondly, the lack of diversity will clearly impact on the culture of organisations, which is important for the reasons I have outlined.
3. Thirdly, as I will get to, greater diversity in businesses is positively correlated with the performance of a business. It is in the Central Bank's interests for both financial stability and consumer protection reasons for banks operating in Ireland to perform strongly and sustainably.

There are increasing numbers of studies that show that diversity does matter from a business perspective. Correlation and causation are sometimes difficult to determine, but the correlation between greater diversity and business performance is certainly clear. Studies suggest that when companies embrace gender and ethnic diversity at the leadership level, they are more successful. McKinsey’s research in this area suggests that companies in the top quartile for gender or racial and ethnic diversity are more likely to have financial returns above their national industry medians. Companies in the bottom quartile in these dimensions are statistically less likely to achieve above-average returns.

Based on their studies, McKinsey believes more diverse companies “are better able to win top talent and improve their customer orientation, employee satisfaction, and decision making, and all that leads to a virtuous cycle of increasing returns... diversity is a competitive differentiator shifting market share toward more diverse companies”^xiv.

Research has shown that companies with a significant proportion of women in senior management positions perform better in part because of some leadership behaviours that women exhibit more consistently than their male colleagues. In particular (and I am conscious that I am generalising here), women are found to excel at people development, participative decision making, presenting a compelling vision and acting as role models – all drivers of financial performance. Research on board membership has also shown that female directors enhance board independence.

We have reviewed a sample of diversity policies, which banks are now required to have, and in the main they are striking for their lack of ambition. They may just about tick the box from a compliance perspective, but are highly unlikely to drive the necessary change. Much more is needed to be done, and our supervisory efforts in this regard are going to increase.

What we expect

So what do we expect? I am very comfortable admitting that we expect a lot, for the fundamental reason which I outlined earlier, that the governance and culture of a bank is of such critical importance. There is no shortage of regulatory requirements, standards and guidance relating to governance, from EU legislation, our own Corporate Governance Codes, EBA guidelines, and so on. All these expect strong and effective boards, robust governance arrangements, well defined lines of responsibility, effective risk management processes, control mechanisms and remuneration policies, and so on. In short, that governance should be appropriate to the nature, scale and complexity of institutions.

So an obvious first and minimum expectation from us is adherence to both the EU and national requirements. Notwithstanding the progress that has been made, it is disappointing that, as I described earlier, this expectation is not being consistently met. Consequently, we continue to have to use all of our supervisory tools, including enforcement, to improve governance standards. Many of you in this room also have an important role to play in ensuring that these minimum standards are met.

I would also expect that the majority of banks operating in Ireland aspire to do more than the very minimum - that is certainly what I am consistently told. So, I would also urge you to:

• Consider the effectiveness of the board, and the governance and control arrangements that are in place, including how the three lines of defence are working - listening hard to the information received from risk, compliance, audit, and our own work and asking yourselves why are issues arising, are the root causes being addressed in a timely manner, and how do we get ahead of regulatory expectations;
• Critically evaluate the culture of your organisation, what culture you want, how staff are incentivised to behave, and be brutally honest with yourselves as to whether the culture you want is the culture you have and how would you know if it is not;
• Meaningfully address diversity and inclusion in the boardroom, at the executive level and the pipeline of talent needed to run the organisation in the long-term, and in doing so avoid the pitfalls of group think and experience the benefits that can be gained.

Conclusion

In conclusion, it is difficult to overestimate the importance of the effective governance and culture of a bank. Ultimately, it is highly likely to be the difference between the success and failure of the bank, including ensuring the fair treatment of its customers. While progress has been made, there is much more to be done to ensure that governance, culture and ultimately the behaviour of banks continues to improve and meet the requirements of stakeholders. It is clear to me that there is still a way to go before it can be said that banks operating in Ireland are among the best in these areas.

--------------------------------------------------------------------------------

ⁱBasel Committee on Banking Supervision, Guidelines, Corporate governance principles for banks, July 2015

ⁱⁱThe shifting ground of banking – A supervisor’s perspective, Speech by Danièle Nouy, Chair of the Supervisory Board of the ECB, at the European Financial Round Table, Frankfurt am Main, 19 October 2016

ⁱⁱⁱSSM supervisory statement on governance and risk appetite, June 2016

^ivSpeech by Danièle Nouy, Chair of the Supervisory Board of the Single Supervisory Mechanism, at the European Confederation of Institutes of Internal Auditing (ECIIA) conference, Paris, 22 September 2015

^vGuidance on Supervisory Interaction with Financial Institutions on Risk Culture – 7 April 2014 - Financial Stability Board

^viMichael D Watkins, Harvard Business Review, May 2013

^viiSpeech by Julie Dickson, Member of the Supervisory Board of the European Central Bank, at the conference "Looking forward: effective supervision of behaviour and culture at financial institutions" in the Tropenmuseum and organised by De Nederlandsche Bank, Amsterdam, 24 September 2015

^viiiDe Nederlandsche Bank, Behaviour and Culture in the Dutch financial sector

^ixCulture in financial services – a regulator’s perspective, Speech given by Andrew Bailey, Deputy Governor, Prudential Regulation and Chief Executive Officer, Prudential Regulation Authority, City Week 2016 Conference 9 May 2016

^xGroup of thirty (G30), Banking Conduct and Culture: A Call for Sustained and Comprehensive Reform, 2015

^xiPRA Policy Statement | PS27/16 Strengthening accountability in banking and insurance: PRA requirements on regulatory references (part II) September 2016

^xiiJayne-Anne Gadhia, CEO, Virgin Money, Empowering Productivity - Harnessing the Talents of Women in Financial Services, March 2016

^xiiiAddress to the Chairpersons’ Forum Institute of Public Administration by Matthew Elderfield, Head of Financial Regulation, Central Bank of Ireland, 8 November 2010

^xivVivian Hunt, Dennis Layton, and Sara Prince, McKinsey & Company, January 2015