Introduction

Delegates from various financial institutions, guest speakers and colleagues from CAFRAL, a very Good Morning to all. At the outset, let me thank CAFRAL for hosting this learning program. The lingering Covid-19 pandemic and the potential economic disruptions due to the latest geo-political events in Europe have again brought to the fore the reality that the nature and frequency of risks faced by the financial system of today are quite unparalleled and unpredictable. Also, the banking sector today is much different from what it was a decade ago and is constantly evolving.

While the Reserve Bank is deploying various tools at its disposal to maintain the stability of the financial system, individual financial institutions, more specifically banks, need to be watchful of the economic impact of risk events and take adequate measures to maintain their resilience. In this regard, it is important to recognise the inter-linkages between quality of governance and resilience of financial institutions. Even as high-quality governance enhances resilience, poor corporate governance is a source of risk to the financial institutions as well as to the financial system.

Corporate Governance

While good corporate governance is essential for all institutions, the governance structure and processes of banks are expected to be even more robust. Banks and financial institutions are different from other business entities in many ways. Their business model is very different from other business entities – they enjoy high leverage as they can raise substantial amount of uncollateralised deposits, and they perform the function of liquidity and maturity transformation. Hence, the governance structures and practices in banks should prioritise protection of the interests of their depositors.

Oversight and Assurance Functions

With the growth in size and complexity of the financial institutions, there is an increased focus on adequacy of the governance framework for identifying, addressing and managing risk. Towards this, the ‘three lines of defense’ have pivotal responsibilities: (i) ‘the business functions’ (first line of defense), which are the risk takers and owners of the risk, have the responsibility of managing the risk generated by virtue of their day-to-day business activities; (ii) the ‘risk management function’ and the ‘compliance function’ (second line of defense) have the responsibility of exercising oversight on the business functions to ensure that their activities are within the risk and compliance policies of the bank; and (iii) the ‘internal audit function’ (third line of defense) has the responsibility of identifying gaps from prescribed requirements and reporting to the board / audit committee. Collectively, these three functions have to provide assurance to the board / senior management about the adequacy and effectiveness of the governance framework and that the board approved policies and business strategies are adhered to by the financial entity in conduct of its business.

RBI Initiatives and Measures

Reserve Bank attaches a lot of importance to the strengthening of governance and internal control functions in banks and financial institutions. Recent guidelines issued by the RBI are intended to provide greater clarity on supervisory expectations, avoid conflict of interest, provide sufficient authority, resources and independence to these functions, among others:

Compliance: In September 2020, RBI issued revised guidelines for compliance function in banks and role of Chief Compliance Officers (CCOs) to bring uniformity in approaches followed by banks, so as to align the supervisory expectations from CCOs with global best practices.

Internal Audit: Earlier in January 2020, RBI issued guidelines for strengthening governance with regard to risk based internal audit (RBIA) in banks, which included, inter alia, enhancing the authority, stature, and independence of the internal audit function. Similar set of guidelines were issued for select Non-Banking Financial Companies (NBFCs) and Urban Cooperative Banks (UCBs) in February 2021, which were later extended to select Housing Finance Companies (HFCs) as well.

Risk Management: Though RBI issued guidelines on risk management systems for banks way back in 1999, to bring uniformity in approaches followed by banks, as also to align the risk management system with the global best practices. Guidelines on the role of Chief Risk Officer (CRO) in banks were issued in April 2017. Similar guidelines for NBFCs and UCBs were issued in May 2019 and June 2021 respectively. RBI has also undertaken sensitisation sessions with CCOs, CROs and HIAs over the past year to communicate its expectations on oversight and assurance functions.

Governance in Commercial Banks: Through a discussion paper published in June 2020, Reserve Bank proposed substantial improvements to the governance framework of banks. Major highlights of the discussion paper were:

i. Empower the Board of Directors to

1. set the culture and values of the organisation;

2. recognise and manage conflicts of interest;

3. set the appetite for risk and manage risks within the appetite;

4. improve the supervisory oversight of senior management;

ii. Strengthen the oversight and assurance functions through various interventions;

iii. Achieve clear division of responsibilities between board and management; and

iv. Encourage the separation of ownership from management.

Based on the suggestions and feedback received on the Discussion Paper, the Reserve Bank issued instructions regarding the Chair and meetings of the Board; composition of certain Committees of the Board; age, tenure and remuneration of Directors; and appointment of whole-time directors (WTDs) in April 2021. With respect to the other proposals contained in the discussion paper, a Master Direction on Governance will be issued by RBI.

Enhanced Supervisory Focus on Oversight and Assurance Framework – RBI’s Assessment and Findings

During recent years, assessment of oversight and assurance functions has been bestowed enhanced focus in view of their importance in addressing the root cause of problems. Some of the common weaknesses that have been observed in these functions are:

a) Compliance Function – Failure / delay in detection and reporting of non-compliances, persisting sub-par compliance, deficiencies in compliance testing with respect to inadequate coverage and limited transaction testing, persisting irregularities due to non-addressing of root causes and not ensuring sustainability of compliance were observed. Further, compliance setup was not resourced with adequate number and quality of staff in many cases.

b) Risk Management – Disconnect was observed between the risk appetite framework approved by boards and actual business strategy and decision making, weakening the risk culture which was amplified by absence of guidance from senior management, improper risk assessment, repeated exceptions to risk policies, conflict of interest especially in related party transactions, and absence or faulty enterprise risk management. Operational risk was seen to be high on account of people risk (high attrition rate, lack of succession planning, involvement of staff in fraudulent practices, etc.), elevated technology risk (lack of adequate investment in technology, lack of technically qualified personnel, business disruptions and weak business continuity plan (BCP) / disaster recovery (DR) arrangements, etc.), and high outsourcing risks (overdependence on vendors, lack of monitoring, gaps in contractual arrangements, etc.).

c) Internal Audit - Inability to capture irregularities, non-coverage of certain areas under the scope of audit, non-collaboration between compliance and audit, lack of ownership and accountability, inadequate review of practices that require alignment to address interests of all stakeholders, and non-compliance/delay in compliance with audit observations were some of the major concerns identified.

Supervisory Expectations on Governance and Assurance Functions

Some of our expectations from the supervised entities in this regard are:

(i) Effective Engagement and Support from the Top

Oversight and assurance functions have a key role in value creation for a financial institution, strengthening public confidence, preserving and enhancing its reputation, and maintaining the integrity of its business and management. The boards should engage with the oversight and assurance functions and assure them of direct and unfettered access. The “tone from the top” would set the pace for a sound organisation culture that values honesty and integrity.

(ii) Independence of Oversight and Assurance Functions

Appointment and removal of heads of oversight and assurance functions should have stringent barriers and they must be independent of executive management. Assurance functionaries should not be performing any of the tasks on which they are required to take a view independent of the risk takers.

(iii) Close Engagement and Collaboration

Maintaining independence does not preclude constructive engagement with management and business functions. Indeed, to be effective, heads of oversight and assurance functions must work closely with other functionaries and collaborate amongst themselves.

(iv) Sustainable Compliance

Several weaknesses and irregularities have been recurring despite the averments of remediation made by bank managements. Banks should make serious efforts towards overall improvement and sustainability in their compliance functions.

(v) Risk Governance

Risk appetite and risk tolerance levels must be clearly defined, keeping in view past and forward-looking assessment of likely internal and external risk environment and actual business decision making should align with these limits, as also with the capacities available with the institution. Senior management should communicate the risk management policies, risk appetite statement and risk management expectations to the business units for proper understanding and compliance.

(vi) Quality of Board Discussions and Time Given for Important Matters

The board members should focus on strategic and important matters. The quality of deliberations, level of challenge provided to executive management, and time allocated to important agenda items is often found to be inadequate. Many times, large number of agenda items are included, which do not allow for proper evaluation of proposals. The boards also need to work in a cohesive manner.

(vii) Role of Board and Senior Management in Cybersecurity and Technology

RBI has mandated banks to have awareness programmes for their Board of Directors and senior leadership team to familiarise them with IT and relevant cybersecurity concepts. The boards must start looking at cyber risk as an enterprise risk management issue, rather than a pure IT security issue, owing to its firm-wide implications. Adequate level of investments in technology should be ensured. In its oversight role, the boards need to oversee the overall cybersecurity management, including appropriate risk mitigation strategies, systems, processes, and controls. Whether the institution has the appropriate skills, resources, and approaches in place to minimise cyber risk and mitigate any damages that may occur also needs to be seen.

(viii) Dominance of Individuals

It is important to ensure that financial institutions are board-driven and do not end up being dominated by individuals. Experience has shown that this leads to undesirable consequences.

(ix) Oversight over Related Party Transactions (RPTs) and Connected Lending

While various regulations are in place to check improper RPTs, including their disclosures, etc, it is important that boards and audit committees exercise close oversight over such matters and get satisfactory assurances.

Detecting Red Flags in Board Reports

A bank’s board needs concise, accurate and timely reports to perform its fiduciary responsibilities. I would like to list out some illustrative areas that should invite questions from directors:

• Is the bank’s strategic plan realistic for the bank’s circumstances?

• Is the bank’s business risk taking in alignment with its approved risk appetite?

• Is management meeting the goals established in the planning process? If not, why?

• Do earnings result from the implementation of planned bank strategies, or from transactions generating short-term earnings, but posing longer term risk?

• Are policies and procedures in place that safeguard against conflicts of interest, insider fraud and abuses?

• Does the bank have sufficient capital to support its risk profile and business strategies?

• Are financial reports and statements accurate, or reflect true financial condition of the bank?

• Are the strategies of the bank aligned with its future needs and requirements?

• Is the bank spending adequately on IT systems to maintain robust infrastructure and make it scalable as per the growing needs and challenges?

Conclusion

Let me now conclude. An efficient and vibrant financial system is crucial for economic development and social well-being of the country. The governance framework surrounding the individual players in the financial system assumes a central role not only in terms of value creation for various stakeholders but also in ensuring the oversight of the Board on risk appetite and risk culture of individual institutions.

Effective internal defenses will help in building organisations that are strong, resilient and disciplined; and enjoy the benefits of sustained growth and customer confidence. It will also pre-empt supervisory actions and attendant reputational risks that arise in case transgressions are detected.

I am quite hopeful that proceedings of this seminar will add value to all of you and I am also confident that all of you will espouse a robust governance culture at the institutions you are associated with. I once again thank CAFRAL for hosting this important seminar and giving me the opportunity to address you.

Stay safe and thank you.

¹ Keynote address delivered by Shri M. K. Jain, Deputy Governor, Reserve Bank of India – at CAFRAL on March 10, 2022. The inputs provided by Shri Rohit Jain Executive Director, Shri Rajnish Kumar General Manager, Ms Monica D Soni DGM and Shri B. Netaji DGM DOS are gratefully acknowledged.