Corporate Governance for Banks in Southeast Europe: Policy - IFC

More documents

Recommendations

Info

B. Risk management and internal controls 43,44B1. Risk management versus internal control 45Risk management and internal control are twoprocesses that work hand in hand. Risk managementis intended to 1) identify risks; 2) assess the bank’sexposure to risks; 3) monitor exposure and conductconsequential capital planning; 4) monitor and assessdecision making as it relates to risk, in particular,whether risk decisions are in line with board-approvedrisk tolerance and policy; and 5) report to seniormanagement and the board.Internal control, on the other hand, ensures thateach key risk has an associated policy and controlmechanism, and that each control policy andmechanism is being applied effectively. Internal controlsprovide a variety of assurances to management, suchas the reliability of information, compliance with law,compliance with governance systems, prevention ofexcessive managerial discretion or fraud, and so on. It isa key responsibility of the board to ensure that effectivesystems of risk management and control are in place. 46Risk Management and RiskManagement Culture“When sophisticated risk management comestoo late, I do not think there is much reasonto celebrate.”George Bobvos, Montenegro“Effective risk management is not abouteliminating risk-taking; risk-taking is afundamental driving force in business andentrepreneurship. The aim should be to ensurethat risks are understood and managed and,when appropriate, communicated.”Hans Christiansen, Denmark“One of the most important lessons that I thinkcomes out of the crisis from a governancepoint of view is a focus on the risk governancerole of a board.”A best-practice board will typically need to rely onan internal auditor to provide the board, via theCatherine Lawton, United Kingdomaudit committee, with assurances regarding thebank’s risk management and internal controls andcorporate governance processes. The internal auditor traditionally reports to management administrativelyand to the board functionally, with the head of internal audit reporting directly to the chairperson of theaudit committee or to an independent lead board member. Internal auditors should enjoy substantiveindependence from management and have direct access to the board.Supervisors and bankers may use the term internal control to refer to a variety of aspects of the controlenvironment, including risk management, internal audit, controls, and compliance. Irrespective of how thefunctions of the control environment are named, each one is necessary and should be performed effectively.In addition, a bank’s general counsel or legal function contributes significantly to the control of risk. Manyproblems in developed markets during the recent financial crisis resulted from legal risk failures.For banks in the SEE region, implementing effective and reliable risk management and internal controls is oneof the most important challenges. It is only through an effective control environment that the board can beconfident that the information and reports that it receives are reliable. It is also the only way the board canexpress itself with any certainty on the risks in the bank.43 2010 BIS Principles, Section III.C, p. 17.44 For additional specific guidance on risk management, see CEBS, High Level Principles for Risk Management (2010).http://www.eba.europa.eu/documents/Publications/Standards---Guidelines/2010/Risk-management/HighLevelprinciplesonriskmanagement.aspx.45 2010 BIS Principles, Section III.C, p. 17.46 See also BIS, Framework for Internal Control Systems in Banking Organizations (1998).34Policy BriefCorporate Governance for Banks in Southeast Europe
Effective systems of risk management, internal audit, and internal control are often taken for granted indeveloped banking markets. For example, the Bank of Montreal recently added 200 people to strengthenits risk function, and Toronto Dominion Bank added 500 new staff on its risk side. SEE banks on the otherhand may have difficulty finding and affording one highly competent risk professional. These figures put intoperspective the relative scale of SEE banks and their capacity to respond.On the other hand, it is worth noting that a large number of risk professionals does not equate to good riskmanagement; even in developed markets where financial and human resources are broadly available, firmshave been known to accommodate their risk control to meet short-term sales or profitability objectives. Forexample, before the crisis, positions for risk professionals in UBS were filled by individuals with sales (not riskmanagement) backgrounds in order to accommodate growth. 47 This confirms the common knowledge thatthere are important human elements to developing a sound risk management culture.Another practical challenge in SEE is the communication of risk up to the board. In SEE banks, includinginternational subsidiaries, communication from the risk control functions goes to management first; thechief executive officer and management are inevitably the first port of call for the internal auditor. Theaudit committee is likely to be secondary, especially in countries where the internal audit function is notwell-developed and where internal auditors are junior and do not have sufficient stature to go to the auditcommittee or balance their authority against the management structure.It is important to note that the risks involved in banking in SEE pertain mainly to operational risk and creditrisk and not to financial instruments, asset-backed securities, sophisticated market trading risk, or specialpurposevehicles, as was the case in more developed banking countries during the financial crisis. Thedifferent nature of risk in the SEE region calls for an adapted approach to risk management.Recommendations:The control environment: Bank boards need to assure themselves that the bank’s control environmentis functioning properly. The control environment should comprise not only risk management, compliance,internal controls, and the internal audit, but also the external audit. The importance of the general counselfunction and legal function in managing risk should also be recognized. Each of these functions should haveadequate authority, stature, independence, resources, and access to the board. Larger banks should have asufficiently independent audit committee to ensure professional oversight of the control environment.Communication of risk to the board: The communication of risk needs attention. Even though internalaudit and chief risk officers (CROs) may have organization-chart reporting lines to the board or to an auditcommittee, it is important to ensure that these lines of communication function in practice and are secure.Further, risk and audit committees should not localize information on risks, which needs to be shared with thefull board.Board review of the control environment: SEE boards should approve their bank’s control policies andassess the extent to which the bank is managing its risk effectively. They should regularly review (at leastannually) policies and controls with senior management to determine areas needing improvement andto identify and address significant risks. The board should ensure that the control functions are properlypositioned, staffed, and resourced and are carrying out their responsibilities independently and effectively. Indoing so, they should work directly with the internal auditor and the CRO.47 OECD, “The Current Financial Crisis: Causes and Policy Issues,” Financial Market Trends (2008), 10.http://www.oecd.org/dataoecd/47/26/41942872.pdf.Corporate Governance for Banks in Southeast Europe Policy Brief 35
Page 2: © Copyright 2012. All rights reser
Page 7 and 8: II. Overview of bank corporate gove
Page 12 and 13: A1. Responsibilities of the board 1
Page 14 and 15: A2. Qualifications 19Bank boards sh
Page 17: Tests for integrity are needed. How
Page 20: RomaniaIn Romania, Regulation No. 1
Page 23: A5. Role of the chair 29The chair o
Page 29 and 30: Briefing of the board: Audit commit
Page 38 and 39: Chart 4: CRO (or Equivalent) Presen
Page 40 and 41: C. Compensation 58Compensation poli
Page 42 and 43: The disclosure of compensation, whi
Page 44 and 45: Skepticism regarding disclosureBeyo
Page 46: decision concerning the appointment
Page 49 and 50: Recommendations:Disclosure and tran
Page 51 and 52: These limitations are due to the ve
Page 53 and 54: examinations permit a systematic ev
Page 55 and 56: Recommendation:Remedial action: Sup
Page 57 and 58: VI. Additional issuesA. State owner
Page 59 and 60: VII. AnnexesA. Southeast Europe Pol
Page 61 and 62: INTERNATIONAL EXPERTSPeter Dey, Cha
Page 63 and 64: B. Important sources of guidance on
Page 65 and 66: C. Synopsis: BCBS Enhancing corpora
Page 67 and 68: Complex or opaque corporate structu
Page 69 and 70: oard. The supervisory board is resp
Page 71 and 72: Bulgaria19.1% Others16.3% Unicredit
Page 73 and 74: Romania19% BCR (Erste)13.1% BRD (So
Page 75: For information requests and genera

Corporate Governance for Banks in Southeast Europe: Policy - IFC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?