Importance of Governance and Assurance Functions in Financial Institutions
(Keynote Address delivered by Shri M. K. Jain, Deputy Governor, Reserve Bank of India – March 10, 2022 – at CAFRAL

Importance of Governance and Assurance Functions in Financial Institutions
(Keynote Address delivered by Shri M. K. Jain, Deputy Governor, Reserve Bank of India – March 10, 2022 – at CAFRAL)

Introduction

Delegates from various financial institutions, guest speakers and colleagues from CAFRAL, a very good morning to all. At the outset, let me thank CAFRAL for hosting this learning program. The lingering COVID-19 pandemic and the potential economic disruptions due to the latest geo-political events in Europe have again brought to the fore the reality that the nature and frequency of risks faced by the financial system of today are quite unparallel and unpredictable. Also, the banking sector today is much different from what it was a decade ago and is constantly evolving.

While the Reserve Bank is deploying various tools at its disposal to maintain the stability of the financial system, individual financial institutions, more specifically the banks, need to be watchful of the economic impact of such risk events and take adequate measures to maintain their resilience. In this regard, it is important to recognise the inter-linkages between quality of governance and resilience of financial institutions. Even as high-quality governance enhances resilience, poor corporate governance is a source of risk to the financial institutions as well as to the financial system.

Corporate Governance

While good corporate governance is essential for all institutions, the governance structure and processes of the banks are expected to be even more robust. Banks and financial institutions are different from other business entities in many ways. Their business model is very different from other business entities, enjoy high leverage as they can raise substantial amount of uncollateralised deposits, and perform the function of liquidity and maturity transformation. Hence, the governance structures and practices in the banks should prioritise protection of the interests of their depositors.

Oversight and Assurance Functions

With the growth in size and complexity of the financial institutions, there is an increased focus on adequacy of the governance framework for identifying, addressing and managing risk. Towards this, the ‘three lines of defense’ have pivotal responsibilities: i) ‘the business functions’ which are the risk takers and owners of the risk, (first line of defense) have the responsibility of managing the risk generated by virtue of their day-to-day business activities; ii) the ‘risk management function’ and the ‘compliance function’ (second line of defense) have the responsibility of exercising oversight on the business functions to ensure that their activities are within the risk and compliance policies of the bank; and iii) the ‘internal audit function’ (third line of defense) has the responsibility of identifying gaps from prescribed requirements and reporting to the Board / Audit Committee of the Board. Collectively, these three functions have to provide assurance to the Board / senior management about the adequacy and effectiveness of the governance framework and that the Board approved policies and business strategies are adhered to by the financial entity in conduct of its business.

RBI Initiatives and Measures

Reserve Bank attaches a lot of importance to the strengthening of governance and internal control functions in the banks and financial institutions. Recent guidelines issued by the RBI are intended to provide greater clarity on supervisory expectations, avoid conflict of interest, provide sufficient authority, resources and independence to these functions, among others:

Compliance: In September 2020, RBI has issued revised guidelines for Compliance Function in Banks and role of Chief Compliance Officers (CCOs) to bring uniformity in approach followed by banks, as also to align the supervisory expectations on CCOs with global best practices.

Internal Audit: Earlier in January 2020, RBI has issued guidelines for strengthening governance arrangements with regard to Risk Based Internal Audit (RBIA) in banks, which inter alia included enhancing the authority, stature, and independence of the Internal Audit Function. Similar set of guidelines were issued for select NBFCs and UCBs in February 2021, which were later extended to select Housing Finance Companies (HFCs) as well.

Risk Management: Though RBI has issued guidelines on Risk management systems for banks way back in 1999, to bring uniformity in approach followed by banks, as also to align the risk management system with the best practices. Guidelines on the role of Chief Risk Officer (CRO) in banks were issued in April 2017. Similar guidelines for NBFCs and UCBs have been issued in May 2019 and June 2021 respectively. RBI has also undertaken sensitization sessions with CCOs, CROs and HIAs over the past year to communicate its expectations on oversight and assurance functions.

Governance in Commercial Banks: Through a discussion paper published in June 2020, Reserve Bank has proposed substantial improvements to the governance framework of banks. Major highlights of the discussion paper were:

i) Empower the Board of Directors to

  1. set the culture and values of the organisation;
  2. recognise and manage conflicts of interest;
  3. set the appetite for risk and manage risks within the appetite;
  4. improve the supervisory oversight of senior management;

ii) Empower the oversight and assurance functions through various interventions;

iii) Achieve clear division of responsibilities between the Board and the management; and

iv) Encourage the separation of ownership from management.

Based on the suggestions and feedback on the Discussion Paper, Reserve Bank issued instructions regarding the Chair and meetings of the Board, composition of certain Committees of the Board, age, tenure and remuneration of Directors, and appointment of the whole-time directors (WTDs) in April 2021. With respect to the other proposals contained in the discussion paper, a Master Direction on Governance will be issued by RBI.

Enhanced Supervisory Focus on Oversight and Assurance Framework – RBI’s Assessment and Findings

During recent years, assessment of oversight and assurance functions has been bestowed enhanced focus in view of their importance in addressing the root cause of problems. Some of the common weaknesses that have been observed in these functions are:

a) Compliance Function – Failure / delay in detection and reporting of non-compliances, persisting sub-par compliance, deficiencies in compliance testing with respect to inadequate coverage and limited transaction testing, persisting irregularities due to non-addressing of root-causes and not ensuring sustainability of compliance were observed. Further, compliance setup was not resourced adequately with required number and quality of staff in many cases.

b) Risk Management – Disconnect was observed between the Risk Appetite Framework as approved by the Board and actual Business Strategy and decision making, weak risk culture which was amplified by absence of guidance from the senior management, improper Risk Assessment, repeated exceptions to risk policies, conflict of interest especially in Related Party Transactions and absence or faulty Enterprise-wide Risk Management. Operational risk was seen to be high on account of people risk (high attrition rate, lack of succession planning, involvement of staff in fraudulent practices, etc.), elevated IT and technology risk (lack of adequate investment in technology, lack of technically qualified personnel, business disruptions and weak BCP/DR arrangements, etc.), and high Outsourcing risks (over dependence on vendors, lack of monitoring arrangements, gaps in contractual arrangements, etc.).

c) Internal Audit – Audit process unable to capture irregularities, non-coverage of certain areas under scope of audit, compliance and audit not collaborating with each other, lack of ownership and accountability, inadequate review of practices that require alignment to address interests of all stakeholders, non-compliance/delay in compliance with audit observations were some of the major concerns identified.

Supervisory Expectations on Governance and Assurance Functions

Some of our expectations from the supervised entities in this regard are:

i) Effective Engagement and support from the Top

Oversight and assurance functions have a key role in value creation for a financial institution, strengthening public confidence, preserving and enhancing its reputation, and maintaining the integrity of its business and management. The Board should engage with the oversight and assurance functions and assure them of direct and unfettered access. The “tone from the top” would set the pace for a sound organization culture that values honesty and integrity.

ii) Independence of Oversight and Assurance Functions

Appointment and removal of heads of oversight and assurance functions should have stringent barriers and they must be independent of executive management. Assurance functionaries should not be performing any of the tasks on which they are required to take a view independent of the risk takers.

iii) Close engagement and collaboration

Maintaining independence does not preclude constructive engagement with management and business functions. Indeed, to be effective, heads of oversight and assurance functions must work closely with other functionaries, and also collaborate amongst themselves.

iv) Sustainable Compliance

Several weaknesses and irregularities have been recurring despite the averments made by bank managements of having carried out remediation. My expectation from the banks is that they make serious efforts towards overall improvement and sustainability in their compliance.

v) Risk Governance

Risk appetite and risk tolerance levels must be clearly defined, keeping in view past and forward-looking assessment of likely internal and external risk environment and actual business decision making should align with these limits, as also with the capacities available with the institution. Senior management should communicate the risk management policies, risk appetite statement and risk management expectations to the business units for proper understanding and compliance.

vi) Quality of Board discussions and time given for important matters

The Board members should focus on strategic and important matters. The quality of deliberations, the level of challenge provided to executive management, and the time allocated to important agenda items is often found to be inadequate. Many times, large number of Agenda items are included, including table items, which do not allow for proper evaluation of the proposals. The Board also needs to work in a cohesive manner.

vii) Role of Board and Senior Management in Cybersecurity and Technology

RBI has mandated banks to have awareness training programmes for their Board of Directors and senior leadership team and to familiarise them with IT and relevant cybersecurity concepts. The Board must start looking at cyber risk as an enterprise-wide risk management issue, rather than a pure IT security issue, owing to its firm-wide implications. Adequate and required level of investments in technology should be ensured. In its role of oversight, the Board needs to oversee the overall cybersecurity management, including appropriate risk mitigation strategies, systems, processes, and controls. Whether the institution has the appropriate skills, resources, and approaches in place to minimise the cyber risk and mitigate any damages that may occur also needs to be seen.

viii) Dominance of Individuals

It is important to ensure that financial institutions are Board-driven and do not end up being dominated by individuals. Experience has shown that this leads to undesirable consequences.

ix) Oversight over Related Party Transactions and Connected Lending

While various regulations are in place to check improper RPTs, including their disclosures, etc., it is important that the Board and Audit Committee exercise close oversight over such matters and get satisfactory assurances.

Detecting Red Flags in Board Reports

A bank’s Board needs concise, accurate and timely reports to help it perform its fiduciary responsibilities. I would like to list out some illustrative areas that should invite questions from directors:

  • Is the bank’s strategic plan realistic for the bank’s circumstances?
  • Is the bank’s business risk taking in alignment with its approved Risk Appetite?
  • Is management meeting the goals established in the planning process? If no, why?
  • Do earnings result from the implementation of planned bank strategies, or from transactions generating short-term earnings, but longer term risk?
  • Are policies and procedures in place that safeguard against conflicts of interest, insider fraud and abuses?
  • Does the bank have sufficient capital to support its risk profile and business strategies?
  • Are financial reports and statements accurate, or reflect true financial condition of the bank?
  • Are the Strategies of the bank aligned with the future needs and requirements?
  • Is the bank spending on IT systems adequately to maintain robust IT infrastructure and make it scalable as per the growing needs and challenges?

Conclusion

Let me now conclude. An efficient and vibrant financial system is crucial to economic development and social wellbeing of the country. The governance framework surrounding the individual players in the financial system assumes a central role not only in terms of value creation for various stakeholders but also in ensuring the oversight of the Board on risk appetite and risk culture of individual institutions.

Effective internal defenses will help in building organizations that are strong, resilient, disciplined and enjoy the benefits of sustained growth and customer confidence. It will also pre-empt supervisory actions and attendant reputational risks that arise in case transgressions are detected.

I am quite hopeful that proceedings of this seminar will add value to all of you and I am also confidant that all of you will espouse a robust governance culture at the banks and financial institutions you are associated with. I once again thank CAFRAL for hosting this important seminar and for giving me the opportunity to address you.

Stay safe and thank you.


1 Keynote address delivered by Shri M. K. Jain, Deputy Governor, Reserve Bank of India – at CAFRAL on March 10, 2022. The inputs provided by Shri Rohit Jain Executive Director, Shri Rajnish Kumar General Manager, Ms Monica D Soni DGM and Shri B. Netaji DGM DOS are gratefully acknowledged.