If you take an interest in the conduct and regulation of banks, you encounter the word, “governance,” almost immediately.
The Australian Prudential Regulatory Authority (“APRA”) has a standard with that title.1 The Basel Committee on Banking Supervision (“BCBS”) has issued a series of documents on “corporate governance for banks.” The newest version (the “2014 Guidelines”)2 went out for comment in October of 2014. It is worth investigating what “governance” means and what is going on.
The word has been around for a long time. Shakespeare used it. By itself – which is to say, independent of context – “governance,” is an abstract version of the word, “government.” It is the act of governing, a means or method or style of governing; the way power is allocated and decisions get made in any particular arena.
Corporate governance is constitutional law for companies and in some respects a compendium of trivia. How many directors must there be? Can the board have committees? May it meet by phone? Who can call an extraordinary general meeting? The answers to such questions become important in a board fight or a takeover battle, but most of the time the whole subject has traditionally been left to the corporate secretary.
Governance became fashionable in the 1990s. Using the word was a signal that the subject under discussion was serious, and involved public policy issues. Some date this usage from 1992, when the highly influential Cadbury Report, commissioned in response to audit failures, was published.
Its official name was the “Report of the Committee on the Financial Aspects of Corporate Governance.”
The Cadbury Report defined corporate governance as “the system by which companies are directed and controlled.” Its main concern was restoring confidence in the published financial statements of British companies. It saw the underlying failures as including “competitive pressures…which made it difficult for auditors to stand up to demanding boards.” The report also discussed the role of non-executive directors in standing up to demanding executives, and the value of an audit committee.
The Organization for Economic Co-operation and Development (“OECD”) published “Principles of Corporate Governance” in June of 1999. It defined the matter as involving “a set of relationships between a company’s management, its board, its shareholders, and other stakeholders.” It explained its interest on the basis that the ”ultimate success of a corporation is the result of teamwork that embodies contributions from a range of different resource providers including investors, employees, creditors and suppliers.”
The BCBS published “Enhancing Corporate Governance for Banking Organizations,” in September of 1999, explicitly building on the foundation laid by the OECD. New versions of both documents have appeared every few years.
“Corporate governance” now clearly refers to the ways shareholders, boards and managements constrain each other, but also to the claims of other relevant parties. For example, the OECD has said from the start that the “corporate governance framework should be complemented by an effective, efficient insolvency framework”3 that protects creditors’ rights. The BCBS reminds boards to “take into account the legitimate interests of depositors, shareholders and other stakeholders.”
Academic interest in governance starts with what economists call “the agency problem” – the natural tendency of managers to look after their own interests at the expense of the owners who hired them. The problem is acute where the enterprise in question is a bank, because of the asymmetry of pay- offs. As lenders, banks have much more downside risk than upside opportunity and the consequences of poor risk decisions only emerge over time. Managers who are rewarded for current earnings – in fact managers who can earn any sort of bonus – have an incentive to take risks that shareholders might prefer to avoid. Because bank failure harms the entire community, ill-conceived incentives can harm a variety of stakeholders. The Global Financial Crisis spotlighted these issues, with the result that remuneration is now classified as part of bank governance.
Vigilant boards have traditionally been seen as the answer to the agency problem. In the case of banks, whose whole business is taking risk, there are too many mouse holes for the cat to watch. In response, a preferred organizational structure has emerged that internalizes the scrutiny boards once supplied. Referred to as the “Three-Lines-of-Defense model,” it mandates “an effective independent risk management function, under the direction of a Chief Risk Officer (CRO), with sufficient stature, independence, resources and access to the board,”5 and an internal audit function that “provides independent assurance to the board and supports board and senior management in promoting an effective governance process and the long-term soundness of the bank.”6 Like the risk management function, internal audit should have sufficient standing, skills and resources. Many governance regimes give the senior internal auditor a direct reporting line to the chairman of the board audit committee.
A whole range of prescriptive detail is taking root in the world of bank governance. Board audit and risk committees are now required in many jurisdictions. They are supposed to be separate, though that isn’t always mandatory. The chairman of the board may not chair either of these committees. This perhaps reflects the fact that many chairmen are executive and potentially lack objectivity. Many more examples could be supplied.
While the Three-Lines-of-Defense model is not yet required of banks, it is edging toward conform-or-explain status. Interestingly, supervisors are troubled not only when the risk management function is too weak, but also when it is too strong, and has taken over too much of the decision-making. Supervisors want the front line to “own the risk,” as the saying goes – with risk management in a position to challenge. Good governance must be replete with checks and balances.
Now, having the customer-facing bankers own the risk has a lot to recommend it, as do employing a chief risk officer with gravitas and appointing an independent-minded audit committee chairman. So do most of the tiny, creeping suggestions the official sector is making. But what’s interesting – and some will find troubling – is the way “governance” has come to include matters that once would have been seen as management’s responsibility, and within management’s discretion.
Consider, for example, the BCBS’s statement that “[a] bank’s risk governance framework should include policies, supported by appropriate control procedures and processes, designed to ensure that the bank’s risk identification, aggregation, mitigation and monitoring capabilities are commensurate with the bank’s size, complexity and risk profile.”7 To a reader unfamiliar with the governance conversation of the past decade, many sentences in the 2014 Guidelines would make more sense were the word, “management,” substituted for the word, “governance.” (To be fair, APRA has separate prudential standards, 220 and 510 respectively, for Risk Management and Governance.) A cynic might suggest that supervisors like “governance” because the word blurs the traditional distinction between oversight and management. I don’t hold that view, but it’s out there.
The concept of governance, as applied to banks, increasingly reminds me of a movie I once saw in which a meteorite brings to earth a small, sponge- like organism that swallows up everything it touches and quickly grows to threaten the planet. For example, compliance is now part of governance: “The compliance function is independent from management and provides separate reporting to the board on…how the bank is managing its compliance risk.”8
In my view, compliance is a board matter – and appropriately so – because (1) such large fines have been imposed for compliance failures, (2) inattention to the detail of regulatory reporting, AML and sanctions obligations provides early warning of broader sloppiness, and (3) compliance failures typically raise ethics concerns. But it distorts the concept of governance to apply it to everything that belongs on a board’s agenda.
There are two possible explanation of this expansion of the concept. One is that the Global Financial Crisis exposed numerous instances of boards completely failing to understand the risks their banks were taking. What supervisors are saying, when they describe in such detail what a risk management framework should include, is essentially, “Would you directors please pay attention?”
The other interpretation is that supervisors are terminally pessimistic about banking as a profession, see good judgment as an impossible dream and have come to believe there must be challenge built into virtually all decision- making. Taken far enough, this sentiment would represent a change in the business model of banking. I suspect the official sector itself doesn’t know which explanation is more correct.
As supra-national organizations, the BCBS and the OECD are necessarily agnostic about legal structure. Neither opines on the relative merits of the anglosphere’s “unitary board,” the German approach of having both a management board and an oversight board, or the practice in many less-developed countries of allowing certain minority shareholders to exercise disproportionate influence. It would be unfortunate should everyone elect to ignore structure. The fundamental governance question, after all, whether in business or in politics, is what arrangements produce good decisions.
My own view is that partnership is the ideal form in which to conduct a banking business. Shared liability enforces internal transparency and enables the exercise of collective judgment. The lack of liquidity in the partners’ ownership interests makes them focus on the long term. Partnerships lack permanent capital, however, and have great difficulty being large enough to operate on a global basis. No significant banking partnerships remain. But some of the most successful banking organizations work hard at duplicating the partnership ethos.
The BCBS makes it one of a board’s responsibilities to “establish the bank’s corporate culture and values.”9 This strikes me as an odd choice of words. A culture can be nurtured and even nudged, but I do not think it can be established. The quality of an organization’s culture is a joint product of history, structure and managerial intent.
As used by supervisors, the concept of governance has almost no boundaries, which makes it an awkward intellectual tool. Culture is inherently pervasive, which is one of its merits. I would argue that, properly understood, governance is part of culture, not the reverse. But it is good to get culture into the discussion. It leads to a better view of how banks operate.
People watching from outside, or at least some of them, see any corporation as a set of contracts, and governance as rules. The people working inside companies, and particularly banks, tend to see them as life forms, which have instincts and a metabolism and a place in the ecological order, same as human beings. From that perspective, “governance” means taming the beast. The cage you keep it in needs to be strong enough and spacious enough, but the interesting questions are about what diet and training regime will make it both obedient and healthy.
Tutoring banks and controlling what they eat is the way many supervisors define their jobs. They must be encouraged to remember that. They are comfortable talking about “governance” precisely because it is so all- encompassing a concept, and sounds like something administrators should be involved with. They must be encouraged to have more nuanced and more hopeful conversations, both with banks and with the public.