Corporate Governance for Banks in Southeast Europe: Policy - IFC
Corporate Governance for Banks in Southeast Europe: Policy - IFC
Corporate Governance for Banks in Southeast Europe: Policy - IFC
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Effective systems of risk management, <strong>in</strong>ternal audit, and <strong>in</strong>ternal control are often taken <strong>for</strong> granted <strong>in</strong>developed bank<strong>in</strong>g markets. For example, the Bank of Montreal recently added 200 people to strengthenits risk function, and Toronto Dom<strong>in</strong>ion Bank added 500 new staff on its risk side. SEE banks on the otherhand may have difficulty f<strong>in</strong>d<strong>in</strong>g and af<strong>for</strong>d<strong>in</strong>g one highly competent risk professional. These figures put <strong>in</strong>toperspective the relative scale of SEE banks and their capacity to respond.On the other hand, it is worth not<strong>in</strong>g that a large number of risk professionals does not equate to good riskmanagement; even <strong>in</strong> developed markets where f<strong>in</strong>ancial and human resources are broadly available, firmshave been known to accommodate their risk control to meet short-term sales or profitability objectives. Forexample, be<strong>for</strong>e the crisis, positions <strong>for</strong> risk professionals <strong>in</strong> UBS were filled by <strong>in</strong>dividuals with sales (not riskmanagement) backgrounds <strong>in</strong> order to accommodate growth. 47 This confirms the common knowledge thatthere are important human elements to develop<strong>in</strong>g a sound risk management culture.Another practical challenge <strong>in</strong> SEE is the communication of risk up to the board. In SEE banks, <strong>in</strong>clud<strong>in</strong>g<strong>in</strong>ternational subsidiaries, communication from the risk control functions goes to management first; thechief executive officer and management are <strong>in</strong>evitably the first port of call <strong>for</strong> the <strong>in</strong>ternal auditor. Theaudit committee is likely to be secondary, especially <strong>in</strong> countries where the <strong>in</strong>ternal audit function is notwell-developed and where <strong>in</strong>ternal auditors are junior and do not have sufficient stature to go to the auditcommittee or balance their authority aga<strong>in</strong>st the management structure.It is important to note that the risks <strong>in</strong>volved <strong>in</strong> bank<strong>in</strong>g <strong>in</strong> SEE perta<strong>in</strong> ma<strong>in</strong>ly to operational risk and creditrisk and not to f<strong>in</strong>ancial <strong>in</strong>struments, asset-backed securities, sophisticated market trad<strong>in</strong>g risk, or specialpurposevehicles, as was the case <strong>in</strong> more developed bank<strong>in</strong>g countries dur<strong>in</strong>g the f<strong>in</strong>ancial crisis. Thedifferent nature of risk <strong>in</strong> the SEE region calls <strong>for</strong> an adapted approach to risk management.Recommendations:The control environment: Bank boards need to assure themselves that the bank’s control environmentis function<strong>in</strong>g properly. The control environment should comprise not only risk management, compliance,<strong>in</strong>ternal controls, and the <strong>in</strong>ternal audit, but also the external audit. The importance of the general counselfunction and legal function <strong>in</strong> manag<strong>in</strong>g risk should also be recognized. Each of these functions should haveadequate authority, stature, <strong>in</strong>dependence, resources, and access to the board. Larger banks should have asufficiently <strong>in</strong>dependent audit committee to ensure professional oversight of the control environment.Communication of risk to the board: The communication of risk needs attention. Even though <strong>in</strong>ternalaudit and chief risk officers (CROs) may have organization-chart report<strong>in</strong>g l<strong>in</strong>es to the board or to an auditcommittee, it is important to ensure that these l<strong>in</strong>es of communication function <strong>in</strong> practice and are secure.Further, risk and audit committees should not localize <strong>in</strong><strong>for</strong>mation on risks, which needs to be shared with thefull board.Board review of the control environment: SEE boards should approve their bank’s control policies andassess the extent to which the bank is manag<strong>in</strong>g its risk effectively. They should regularly review (at leastannually) policies and controls with senior management to determ<strong>in</strong>e areas need<strong>in</strong>g improvement andto identify and address significant risks. The board should ensure that the control functions are properlypositioned, staffed, and resourced and are carry<strong>in</strong>g out their responsibilities <strong>in</strong>dependently and effectively. Indo<strong>in</strong>g so, they should work directly with the <strong>in</strong>ternal auditor and the CRO.47 OECD, “The Current F<strong>in</strong>ancial Crisis: Causes and <strong>Policy</strong> Issues,” F<strong>in</strong>ancial Market Trends (2008), 10.http://www.oecd.org/dataoecd/47/26/41942872.pdf.<strong>Corporate</strong> <strong>Governance</strong> <strong>for</strong> <strong>Banks</strong> <strong>in</strong> <strong>Southeast</strong> <strong>Europe</strong> <strong>Policy</strong> Brief 35