The new 2024 European Central Bank (ECB) Single Supervisory Mechanism (SSM) draft guide on governance and risk culture significantly updates and builds upon the 2016 SSM supervisory statement on governance and risk appetite. Key themes in both documents emphasise the importance of robust internal governance, risk culture, and risk appetite frameworks (RAF) within financial institutions. However, the 2024 guide is 3 times in size and introduces several critical changes aimed at enhancing the effectiveness of supervisory practices based on lessons learned from the past decade.
The draft guide is important for Australian financial institutions for several reasons. Firstly, the ECB guidelines set global best practice standards that influence regulatory expectations internationally, including the Australian Prudential Regulation Authority (APRA). Also, many Australian banks have international exposure and aligning with ECB standards can help them meet global governance and risk culture benchmarks, reducing operational risks and regulatory friction.
Our risk and resilience team take a closer look into the evolution in governance and risk management expectations between the old and new supervisory statements. We explore the growing emphasis on robust internal governance, enhanced risk culture, and updated risk appetite frameworks.
1. Broadening the Scope of Risk Culture
As expected, the focus on risk culture is significantly expanded in the new 2024 guide, marking a shift towards a more comprehensive and practical approach. Unlike the 2016 statement, which recognised the importance of risk culture in broad terms, the new guidance emphasises embedding it deeply across all levels of the institution. This involves influencing not just formal policies but also everyday behaviours, decision-making, and governance structures.
The guide highlights that a strong risk culture must be an integral part of how an institution operates. Risk culture should shape leadership attitudes, staff conduct, and internal decision processes, ensuring that risks are acknowledged, evaluated, and addressed consistently across the institution. Supervisors are provided with more tangible tools to assess the effectiveness of these cultural practices, moving beyond superficial assessments.
A key addition to the 2024 guide is the introduction of measurable benchmarks and evaluation criteria. These metrics allow supervisors to track how effectively institutions are internalising and operationalising their risk culture. This approach emphasises that a sound risk culture is not just about having policies on paper but about translating those policies into everyday actions and decision-making.
Another important element is the expectation for senior management and the board to actively promote and model culture. The guide reinforces that leadership plays a critical role in setting the tone from the top, fostering an environment where risk management is seen as a shared responsibility across the organisation. In doing so, the guide makes clear that risk culture should evolve from a compliance-driven concept to a core part of how institutions govern themselves.
2. Internal Controls and Risk Culture
The 2024 SSM guide strengthens the connection between internal controls and risk culture, acknowledging advancements in compliance technology and increased regulatory pressure for proactive risk management. While the 2016 framework treated internal controls primarily as safeguards, the new guide emphasises that these controls must be fully aligned with the bank’s risk culture.
A key focus is on leveraging new technologies like AI-driven compliance systems to continuously monitor and identify behaviours that stray from the institution’s defined risk appetite. These systems enable real-time tracking and offer a more dynamic approach to compliance. Additionally, supervisors will now be looking for evidence that internal controls go beyond formal procedures.
Internal controls should actively support a risk-aware culture, with regular testing, auditing, and real-time feedback mechanisms to ensure that they are not just box-ticking exercises, but integral to the institution’s day-to-day operations. This shift highlights a more integrated approach, ensuring that risk management practices are deeply embedded within the institution’s culture, rather than being treated as separate, isolated processes.
3. Greater Focus on Governance Bodies
The 2024 SSM guide delves deeper into the composition, diversity, and effectiveness of governance bodies like management boards and committees, as a result of a decade of supervisory experience. It highlights the critical role of diversity in decision-making, emphasising that diverse perspectives help to counteract groupthink and foster well-rounded, robust governance practices. This focus marks a significant shift from the 2016 framework, where such diversity concerns were less prominent.
The guide also expands on the roles and responsibilities of internal control functions, providing more detail than the 2016 version. The aim is to ensure that these functions play a more active role in oversight and accountability.
Governance structures are now expected to have a much stronger influence on the institution’s risk appetite and overall governance decisions, ensuring that supervisory boards are not merely symbolic but have a real, strategic impact. This shift underscores the ECB’s drive for more effective and engaged governance frameworks, ensuring that banks are well-equipped to handle evolving risk landscapes and regulatory demands.
4. Risk Appetite Frameworks (RAF)
The 2024 SSM guide marks a shift toward a more detailed and prescriptive approach in setting risk appetite metrics compared to its 2016 version. Reflecting on the growing complexity of risks—particularly those related to climate change, digital transformation, and global market interconnections—institutions are now required to do more than just define broad risk appetite limits. They must perform granular, scenario-based analyses of their exposures. This includes specific thresholds for climate-related and cyber risks, which are integrated directly into their overall Risk Appetite Framework (RAF). This heightened focus ensures that institutions proactively measure and manage their vulnerabilities to these emerging threats.
In addition, the 2024 guide emphasises the need for dynamic RAFs. Unlike the 2016 approach, which was relatively static, banks now must continuously update their risk frameworks to adapt to the changing risk landscape. The guide also incorporates the latest European Banking Authority (EBA) standards, providing more detailed expectations for how risk appetite frameworks should be applied across all business units. Supervisors will now assess not only the existence of an RAF but also its real-time application across decision-making processes, ensuring that institutions remain agile and aligned with evolving risks.
This forward-looking guidance signals the ECB’s push for more resilient and proactive risk management, pushing institutions to adjust quickly to new challenges while maintaining strong governance.
5. New Emerging Risks – Climate, ESG, and Digitalisation
The 2024 SSM guide highlights risks that have grown more significantly since 2016, especially climate risks and environmental, social, and governance factors (ESG). Institutions now need to actively assess their exposure to climate-related threats, such as extreme weather or regulatory shifts toward greener policies. These risks are not just side concerns; they must be built directly into the institution’s Risk Appetite Framework, with clear metrics to measure how well the institutions can withstand climate-related financial disruptions.
In addition to climate risks, the guide stresses the growing importance of digital risks. With increased use of cloud computing and AI, institutions face new cybersecurity challenges.
The 2024 guide requires institutions to develop specific strategies to manage these risks, ensuring they are prepared to handle potential threats from cyberattacks and technological failures. By embedding these emerging risks into governance and risk management processes, the guide pushes institutions to be more resilient and forward-thinking in today’s rapidly changing environment.
6. Supervisory Tools and Approaches
The 2016 statement established a baseline for evaluating institution’s internal governance and risk appetite frameworks, but the 2024 guide introduces a more sophisticated and dynamic supervisory toolkit. The ECB now integrates thematic reviews, benchmarking, and ad-hoc evaluations, enabling a more holistic and real-time approach to supervision. The new guide also offers detailed examples of good practices gathered over the past decade, providing clearer pathways for institutions to enhance their governance structures.
Additionally, the 2024 guide imposes stricter expectations on documentation and transparency in risk management processes. institutions are now required to submit more frequent reports, including real-time risk assessments, as opposed to the less frequent, periodic reviews previously expected.
Enforcement actions will also be more swift and decisive when deficiencies in governance or risk management are identified. With access to a broader array of supervisory tools, supervisors can ensure compliance with the more rigorous standards set forth in the updated guidance. This shift demonstrates the ECB’s focus on pre-emptive action to address risks before they materialise.
7. Proportionality and Tailored Supervision
The 2024 guide introduces a refined proportionality principle, enhancing the flexibility of supervisory expectations by considering the size, complexity, and systemic importance of each institution. Unlike in the 2016 framework, where this principle was implicit, the updated guide makes proportionality central to its approach. This allows for a differentiated supervisory intensity, ensuring that smaller, less complex institutions are not overburdened with the same stringent requirements as larger, systemically important institutions.
This approach not only acknowledges the diversity of financial entities under the European Central Bank’s purview but also ensures that the regulatory framework is scalable. Smaller institutions with simpler business models benefit from reduced regulatory burden, allowing them to focus resources more effectively, while maintaining high oversight standards for larger institutions that pose greater systemic risks. By tailoring governance and risk management expectations to the specific profile of each institution, the ECB aims to create a fairer, more balanced supervision regime across the banking sector.
Next Steps
The 2024 SSM guide marks a critical evolution in the ECB’s approach to governance and risk management. While the 2016 statement laid the groundwork, the new guide takes a more detailed and proactive stance, reflecting years of supervisory insights and the increasing complexity of the financial ecosystem.
The expectations flowing from the new guide represents a significant step forward, and pose challenges for institutions.
Financial institutions will need to adapt to these enhanced expectations, particularly around governance diversity, risk culture, and real-time application of risk appetite frameworks, ensuring they can meet the challenges of modern banking supervision.
Institutions must not only adjust their governance frameworks but also ensure that cultural changes are genuinely internalised by staff. This requires continuous training, monitoring, and a shift in leadership approaches. As noted by ECB representatives, poor governance and risk culture have contributed to past banking failures, and the aim of these updates is to prevent such occurrences in the future.
Institutions must therefore engage in meaningful transformation efforts, particularly concerning culture, or face potential supervisory actions
Can We Help?
We understand financial services. Since 2001, we have assisted APRA regulated entities strengthen their risk management framework, capital management, reinsurance, recovery plans, cybersecurity and operational risk management.
We offer comprehensive support to enhance your risk management systems and processes. Services include interim Chief Risk Officer placements, on-demand Virtual Risk Officers, guidance in establishing formal risk frameworks, and independent reviews to assess framework maturity. Additionally, we conduct risk workshops, risk culture assessments, and provide specialised services in areas like business continuity, crisis management, cyber risk, and climate change risk.
Take risk management to the next level and contact us to discuss your risk and resilience needs.