Enhancing the Culture of Risk-Taking in Financial Firms - Gerry Cross, Director of Policy & Risk

20 March 2018 Speech

Central Bank of Ireland

Comments in response to the Inaugural Lecture in the Distinguished Visitor Public Lecture Series: “Corporate Governance of Risk-Taking in Systemically Important Financial Firms” by Professor Steven L. Schwarcz, Duke University School of Law

Introduction: a question of trust

Many thanks to Steven for this very interesting lecture. And to Blanaid for the invitation to provide a short response.

Steven’s topic this evening, the Corporate Governance of risk taking, is a topic of great consequence and one that is very important in the eyes of the Central Bank.

As Steven rightly says, risk taking by financial firms, and the failures of governance in that regard were at the heart of the global financial crisis. Ten years after the collapse of Lehman Brothers, the epicentre of the crisis, we have seen regulatory and other reforms of an unprecedented scale and nature. It is important that we reflect on what we as a community of regulators have put in place during that period and ask whether this has both addressed the weaknesses and failures that gave rise to the crisis, and has done so in the most effective and appropriate way.

The question of trust in financial services and the financial system remains one of the major open questions and ongoing challenges following on from the crisis. Financial services, which very often involve contracts and products of long duration, much consequence, significant complexity, and/or potentially material opacity, can only function well where there are strong levels of functioning trust in the system. This has been at significantly reduced levels for quite some time now.

A key factor in the efforts to restore trust in the financial system is the culture prevailing in financial firms. Culture determines myriad outcomes. But amongst these are both a firm's approach to risk taking and its approach to its customers and how it treats them. Both these aspects have been areas of significant failure in Ireland. The first crystallising in the context of the financial crisis and the latter most recently manifesting in the context of the tracker mortgage scandal.

The question of culture in financial services firms is high on the agenda of the Central Bank of Ireland. Specifically in the context of the tracker mortgage follow up we have undertaken to provide a report on culture in the major retail banks to the Minister of Finance by the summer. We will however be looking at the issue for financial firms more widely and it will remain a key topic of focus for some time to com. I will say a little more about this later.

Steven has very helpfully set out many of the regulatory changes that have been introduced in an effort to address the issue of risk taking in large financial firms. I think that this is very much the right starting point. As I mentioned, an awful lot has been done since the crisis. At times it is difficult to keep track of it all. But we need to if we are to work out whether the problem has been solved and, if not, why not.

Let me also recall some of the key changes that have been made in relation to the governance of risk taking since the crisis.

Post-crisis regulatory changes

Since the crisis significant regulatory change has been introduced. As has been identified by Steven, many of these will have a direct result on risk taking within financial institutions.

To mention just a few:

The enhancement of capital requirements, in terms of both quality and quantity, and the introduction of liquidity requirements both in terms of short term stress situations and longer term stable funding, amongst others, will result in a much enhanced internalisation by financial firms of the risks they pose to others and to the system as a whole.

The significant advances in resolution frameworks, in particular the introduction of bail-in as a fundamental tool of resolution, and of bail-inable debt, means that the incentive dynamics have been changed. The placing at clear risk of loss of non-preferred debt-holders means that their interest in effective governance of risk-taking, including the avoidance of high-stakes, roll-of-the-dice plays, should have a salutary role on risk appetite and risk governance within the institutions.

The fourth Capital Requirements Directive (CRDIV) sets out requirements that credit institutions’ remuneration packages must align with the long-term interests of the credit institution, including through retention, deferral, and performance and clawback arrangements. It also sets out detailed requirements for variable elements of remuneration, which includes a bonus cap on the remuneration of staff whose professional activities have a material impact on the risk profile of the institution.

In addition there have been significant enhancement of corporate governance requirements in general, including requirements relating to the governance of risk.

The corporate governance requirements in CRD IV, seek to address “excessive and imprudent risk-taking in the banking sector” by ensuring effective board oversight, promoting a sound risk culture, and enabling regulatory authorities to monitor internal governance arrangements. These requirements, which have been effective from 1 January 2014, address board diversity, risk management, and the responsibilities of the board. Some changes impact all firms and others only "significant" firms.

Key corporate governance requirements for all firms include: separation of the role of chair and CEO; members of the management body are to be of sufficiently good repute, and should possess sufficient knowledge, skills and experience not only to perform their duties but also to ensure independence of mind; the management body is required to possess adequate collective knowledge, skills and experience to understand the main risks arising from the activities across the firm as a whole.

Additional requirements for "significant" firms include:

  • Establishment of a separate independent risk committee composed of non-executive directors (NEDs) to advise the management body on the firm's overall current and future risk appetite and strategy and assist in a risk oversight role.
  • Establishment of an independent nomination committee composed of NEDs. When recruiting members to the management body, firms must consider a broad range of qualities and competences, including diversity.
  • A requirement that members not hold more than one of a specified combination of directorships (including directorships held outside of financial services) in any organisation at the same time – one executive directorship and two non-executive directorships or four non-executive directorships.

Irish Corporate Governance changes

The Corporate Governance Code for Credit Institutions and Insurance Undertakings was introduced in 2010 by the Central Bank to strengthen standards of corporate governance in light of the financial crisis. The Code sets out clear minimum corporate governance requirements for firms and their subsidiaries. The most recent update in 2013, which became effective in 2015, included: an expansion of the role of the board of directors to include monitoring capital adequacy, ensuring an effective organisational structure for the institution and setting a remuneration framework in line with the institution's risk strategies; a new officeholder entitled a "Chief Risk Officer"; and specific criteria to assess whether a director is independent.

A Fitness and Probity Regime was introduced by the Central Bank under the Central Bank Reform Act 2010. This Fitness and Probity Regime applies to persons in senior positions (referred to in the legislation as Controlled Functions (“CFs”) and Pre-Approval Controlled Functions (“PCFs”)) within regulated financial service providers (“RFSP”). The core function of the Fitness and Probity Regime is to ensure that persons in senior positions within RFSPs are competent and capable, honest, ethical and of integrity and also financially sound. The Fitness and Probity Regime also applies to RFSPs who are obliged to ensure that their senior personnel comply with the Fitness and Probity Regime.

Risk governance changes (including risk appetite)

The 2010 Corporate Governance Code for Credit Institutions and Insurance Undertakings introduced new requirements relating to the articulation, documentation and embedding of a risk appetite framework. In 2013 the Code was revised and strengthened, expanding the role of the Board. The 2013 revision of the Code states that the CRO shall be responsible for the facilitation of the setting of the risk appetite by the board.

The CRR and CRD IV further efforts to reduce excessive risk taking by firms and ultimately the accumulation of excessive risk in the financial system. Specifically in relation to risk management CRDIV requires that:

  • The management body be responsible for the firm’s overall risk strategy and for the adequacy of the firm’s risk management system, and must devote sufficient time to risk issues.
  • As already mentioned, significant firms are required to establish a separate risk committee,
  • Firms establish a risk management function that is independent from operational functions and has been granted sufficient authority, stature, resources and access to the management body.
  • In significant firms, the risk management function must be headed by an independent senior manager who has distinct responsibility for that function.

In June 2014 the Central Bank published a Discussion Paper on Risk Appetite to generate discussion and debate with stakeholders on risk appetite, its linkage with organisational strategy and its importance for financial institutions.

Looking forward

So, much has been done to address the question of excessive risk taking. With all that has been done, can we therefore be confident that we have addressed the problem of excessive risk-taking by large financial firms?

Well, I think that we can be confident that we have addressed many problems and many aspects of the problem. But have we finally solved the problem of the risk of excessive risk-taking in financial firms. Here I am afraid that I share some of Steven’s doubts. The rules now in place, whether going to the pricing of risk, the mitigation of risk, the management of risk, or the governance of risk, do and will have a very salutary effect on firms' risk taking. They do, to a significant degree, what Steven says should be being done: they cause firms to internalise the external costs - to the system and to their customers - of excessive risk taking.

However, while I think that they take us a long way down the right road, in the end I don’t think that, in themselves, they bring us to the end of the journey. And the reason for this shortfall, brings me back to the question I started with: that of culture.

Rules and requirements are necessary, they are essential, but they are not sufficient. To be fully effective they need to be embedded in the right culture. Rules and requirements embedded in a culture of compliance, supervision and enforcement can take us a long way. But given the complexity and potential opacity of so much of financial services activities something more is needed. And that is a strong culture of seeking right outcomes not just because they are required but because they are right. To paraphrase the Central Bank’s Deputy Governor for Prudential Regulation, Ed Sibley: financial firms’ need to be asking themselves not just the question is it legal?, but also, is it the correct thing to do? What we need to see in any firm is a prevailing culture which seeks the outcomes not just because that is what the rules say and there is a fear of being found out and suffering the consequences, but because it seeks for itself the right approach based on an internalisation of acceptable outcomes and customer interests.

Achieving this remains a real challenge – for firms themselves and for regulators. For regulators, by definition, our stock in trade is to a significant extent a toolset of rules, requirements and guidance backed by assertive supervision and effective enforcement. So a challenge is how to avoid the risk that the more rules you have the more firms adopt a “compliance” rather than an “outcomes” mindset and culture. That firms comply because they are required to rather than because they have internalised the outcomes sought.

This is one of the challenges that we are thinking about as we consider the possible introduction of a senior manager accountability framework for Irish firms. The UK introduced a senior manager responsibility scheme in 2016. Australia is in the process of introducing something similar. At the Central Bank, we are currently looking at the experience in those countries to consider whether there may be things for us to learn from them We are considering the benefits of such a senior manager accountability as well as the potential pitfalls and costs. We are looking at the different aspects of such a framework to assess which work well and the outcomes they can deliver.

And as we do so, one of the questions that we will be asking is how one strikes the balance between increasing the body of detailed rules for firms to comply with on the one hand, and enhancing the incentives and environment for firms to think for themselves about doing the right thing, both what it is and how to do it. Not because they are told to, but because that is what they expect of themselves.

Frameworks for setting out more clearly the responsibilities and accountability of individual senior managers and for avoiding gaps in those responsibilities may well provide a very helpful way of addressing some of these challenges.

In conclusion, my thanks and congratulations to Steven for his most stimulating lecture and my thanks to you all for your attention.


My thanks to Pamela Farrell for her contribution to this speech.