This month, the Basel Committee on Banking Supervision released a report that makes interesting reading for risk and audit professionals, as well as board members and executives, in any industry or part of the world.
The report, Principles for Enhancing Corporate Governance, starts with six high-level principles. However, there is excellent value in reading further — many nuggets of wisdom can be found throughout the document.
Here are some that caught my eye, in the order they appear in the report.
"There have been a number of corporate governance failures and lapses, many of which came to light during the financial crisis that began in mid-2007.These included, for example, insufficient board oversight of senior management, inadequate risk management and unduly complex or opaque bank organisational structures and activities."
"A bank should have a risk management function (including a chief risk officer (CRO) or equivalent for large banks and internationally active banks), a compliance function and an internal audit function, each with sufficient authority, stature, independence, resources and access to the board"
"The sophistication of a bank's risk management, compliance and internal control infrastructures should keep pace with any changes to its risk profile (including its growth) and to the external risk landscape"
"From a banking industry perspective, corporate governance involves the allocation of authority and responsibilities, i.e. the manner in which the business and affairs of a bank are governed by its board and senior management, including how they:
Set the bank's strategy and objectives;
Determine the bank's risk tolerance/appetite;
Operate the bank's business on a day-to-day basis;
Protect the interests of depositors, meet shareholder obligations, and take into account the interests of other recognised stakeholders; and
Align corporate activities and behaviour with the expectation that the bank will operate in a safe and sound manner, with integrity and in compliance with applicable laws and regulations.”
"The board has ultimate responsibility for the bank's business, risk strategy and financial soundness, as well as for how the bank organises and governs itself.
"Accordingly, the board should:
Approve and monitor the overall business strategy of the bank, taking into account the bank's long-term financial interests, its exposure to risk, and its ability to manage risk effectively; and
Approve and oversee the implementation of the bank's:
Overall risk strategy, including its risk tolerance/appetite;
Policies for risk, risk management and compliance;
Internal controls system;
Corporate governance framework, principles and corporate values, including a code of conduct or comparable document; and
"A demonstrated corporate culture that supports and provides appropriate norms and incentives for professional and responsible behaviour is an essential foundation of good governance. In this regard, the board should take the lead in establishing the "tone at the top" and in setting professional standards and corporate values that promote integrity for itself, senior management and other employees."
"Under the direction of the board, senior management should ensure that the bank's activities are consistent with the business strategy, risk tolerance/appetite and policies approved by the board."
"Large banks and internationally active banks, and others depending on their risk profile and local governance requirements, should have an independent senior executive with distinct responsibility for the risk management function and the institution's comprehensive risk management framework across the entire organization" (CRO).
"Formal reporting lines may vary across banks, but regardless of these reporting lines, the independence of the CRO is paramount. While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the board and its risk committee without impediment. Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions. Interaction between the CRO and the board should occur regularly and be documented adequately. Non-executive board members should have the right to meet regularly — in the absence of senior management — with the CRO.
"The CRO should have sufficient stature, authority and seniority within the organisation. This will typically be reflected in the ability of the CRO to influence decisions that affect the bank's exposure to risk. Beyond periodic reporting, the CRO should thus have the ability to engage with the board and other senior management on key risk issues and to access such information as the CRO deems necessary to form his or her judgment. Such interactions should not compromise the CRO's independence.
"If the CRO is removed from his or her position for any reason, this should be done with the prior approval of the board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor."
"Sound corporate governance is evidenced, among other things, by a culture where senior management and staff are expected and encouraged to identify risk issues as opposed to relying on the internal audit or risk management functions to identify them. This expectation is conveyed not only through bank policies and procedures, but also through the "tone at the top" established by the board and senior management."
"Information should be communicated to the board and senior management in a timely, complete, understandable and accurate manner so that they are equipped to make informed decisions."
"The board should recognise and acknowledge that independent, competent and qualified internal and external auditors, as well as other internal control functions (including the compliance functions), are vital to the corporate governance process in order to achieve a number of important objectives. Senior management should also recognise the importance of the effectiveness of these functions to the long-term soundness of the bank."
"The board and senior management can enhance the ability of the internal audit function to identify problems with a bank's governance, risk management and internal control systems by:
Encouraging internal auditors to adhere to national and international professional standards, such as those established by the Institute of Internal Auditors;
Requiring that audit staff have skills that are commensurate with the business activities and risks of the firm;
Promoting the independence of the internal auditor, for example by ensuring that internal audit reports are provided to the board and the internal auditor has direct access to the board or the board's audit committee;
Recognising the importance of the audit and internal control processes and communicating their importance throughout the bank;
Requiring the timely and effective correction of identified internal audit issues by senior management; and
Engaging internal auditors to judge the effectiveness of the risk management function and the compliance function, including the quality of risk reporting to the board and senior management, as well as the effectiveness of other key control functions."
I believe adoption of these principles, and especially the detailed practices supporting them, will go a long way to improving governance at any organization, in any industry, in any part of the world.
What do you think? Do you agree?