Corporate Governance for Banks in Southeast Europe: Policy - IFC
Corporate Governance for Banks in Southeast Europe: Policy - IFC
Corporate Governance for Banks in Southeast Europe: Policy - IFC
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
strategy. When the executive body or the management body considers it necessary, the CRO should also<br />
report directly to the management body or, where appropriate, to the audit committee (or equivalent).” 52<br />
Background Box 4: CROs <strong>in</strong> SEE <strong>Banks</strong><br />
In Albania, Croatia, Montenegro, and Serbia, there are no regulatory requirements <strong>for</strong> the appo<strong>in</strong>tment of a<br />
CRO, but responses to the survey undertaken <strong>in</strong> 2010–2011 <strong>in</strong>dicate that the presence of a chief risk officer is<br />
usually monitored as part of the supervisory process.<br />
In Bosnia, FYR Macedonia, and Romania, the appo<strong>in</strong>tment of a CRO is required. In Bulgaria, <strong>in</strong> compliance<br />
with the legal provisions of Article 73(3) LCI, the Bulgarian National Bank has issued b<strong>in</strong>d<strong>in</strong>g guidel<strong>in</strong>es <strong>for</strong> the<br />
appo<strong>in</strong>tment of CROs. It is <strong>in</strong>cluded as part of the onsite <strong>in</strong>spection per<strong>for</strong>med by supervisors.<br />
In Romania, bank<strong>in</strong>g regulation requires the establishment of an <strong>in</strong>dependent risk function overseen by a<br />
CRO. The legal and regulatory frameworks on risk governance as well as supervisory practice seem to foster a<br />
strong risk culture with<strong>in</strong> the banks. In compliance with Regulation 18/2009, banks reviewed have established<br />
a risk function that operates <strong>in</strong>dependently under the oversight of a chief risk officer. The <strong>in</strong>dependence of<br />
the risk function is underp<strong>in</strong>ned by direct report<strong>in</strong>g l<strong>in</strong>es of local chief risk officers to the heads of the group<br />
risk function.<br />
Source: EBRD, <strong>Corporate</strong> <strong>Governance</strong> Assessment of <strong>Banks</strong> (2010–2011).<br />
In SEE, smaller local banks might not have sufficient resources <strong>for</strong> a dedicated CRO. <strong>Banks</strong> may f<strong>in</strong>d it more<br />
practicable to assign these functions to another officer of the bank. The Committee of <strong>Europe</strong>an Bank<strong>in</strong>g<br />
Supervisors (now <strong>Europe</strong>an Bank<strong>in</strong>g Authority) suggests that “when the <strong>in</strong>stitution’s characteristics—<strong>in</strong><br />
particular its size, organization, and the nature of its activities—do not justify entrust<strong>in</strong>g such responsibility<br />
to a specially appo<strong>in</strong>ted person, the person responsible <strong>for</strong> <strong>in</strong>ternal control can be made responsible <strong>for</strong> risk<br />
management as well.” 53 However, best practice also suggests that the responsibilities of the CRO not be<br />
shared with other operational functions with<strong>in</strong> the bank, such as the chief f<strong>in</strong>ancial officer or other senior<br />
management, to avoid clear conflicts of <strong>in</strong>terest and to preserve the CRO’s <strong>in</strong>dependence.<br />
In subsidiaries of <strong>for</strong>eign banks, CROs and the risk management function are sometimes provided by the<br />
home office. This solution should be carefully assessed and be subject to the regulator’s approval. 54 Data on<br />
practices <strong>in</strong> SEE suggest that the great majority of SEE banks follow best practices <strong>in</strong> provid<strong>in</strong>g the CRO with<br />
direct access to the board (see Chart 4). Of greater concern may be that only 50 percent of regulators report<br />
regular contact with bank risk departments, when such contact is considered to be good practice. 55<br />
52 Committee of <strong>Europe</strong>an Bank<strong>in</strong>g Supervisors, High Level Pr<strong>in</strong>ciples <strong>for</strong> Risk Management (2010), paragraph 21, p. 4.<br />
Further, the <strong>Europe</strong>an Parliament’s Report on <strong>Corporate</strong> <strong>Governance</strong> <strong>in</strong> F<strong>in</strong>ancial Institutions (2011) takes the view that “chief risk officers should have<br />
the same status <strong>in</strong> a f<strong>in</strong>ancial <strong>in</strong>stitution as the chief f<strong>in</strong>ancial officer and should be able to report directly to the board,” paragraph 14, p. 14. In<br />
addition, the report underl<strong>in</strong>es that “the CRO should have direct access to the board of the company; <strong>in</strong> order to ensure his <strong>in</strong>dependence and<br />
objectivity is not compromised, his appo<strong>in</strong>tment and dismissal will be decided by the whole board,” paragraph 22, p. 5. In all of these cases it is clear<br />
that the CRO needs to be able to act with <strong>in</strong>dependence: paragraph 14, pp. 14–21. Further discussion of the importance of the <strong>in</strong>dependence of the<br />
CRO and the impact that lack of skills and <strong>in</strong>dependence had on the f<strong>in</strong>ancial crisis can be found <strong>in</strong> Section 3.1.1, pp. 18–19, and Section 3.2.2, p. 21,<br />
and <strong>in</strong> the example on p. 22.<br />
53 Committee of <strong>Europe</strong>an Bank<strong>in</strong>g Supervisors, High Level Pr<strong>in</strong>ciples <strong>for</strong> Risk Management (2010), paragraph 20, p. 4.<br />
54 2010 BIS Pr<strong>in</strong>ciples recommends that the board and management of a subsidiary rema<strong>in</strong> responsible <strong>for</strong> effective risk management processes at the<br />
subsidiary. Although parent companies should conduct strategic, groupwide risk management and prescribe corporate risk policies, subsidiary<br />
management and boards should have appropriate <strong>in</strong>put <strong>in</strong>to their local or regional adoption and to assessments of local risks.<br />
55 EBRD, <strong>Corporate</strong> <strong>Governance</strong> Assessment of <strong>Banks</strong> (2010–2011).<br />
<strong>Corporate</strong> <strong>Governance</strong> <strong>for</strong> <strong>Banks</strong> <strong>in</strong> <strong>Southeast</strong> <strong>Europe</strong> <strong>Policy</strong> Brief 37