A Starling Insights Deeper Dive Report

Supervisors on Supervision

— Perspectives: Failures of Culture, Risk & Governance — The Credit Suisse Crisis —

Access the Full Report

This case is presented to illustrate how governance failures can persist, substantial post-Financial Crisis reforms notwithstanding. These reforms significantly strengthened capital and liquidity standards; however, the organisational mechanisms through which information travels, responsibility is exercised, and incentives operate, remained insufficiently specified and weakly operationalised. 

The record at Credit Suisse (CS) demonstrates the risk of operating formal risk frameworks without functioning feedback loops: early warnings were surfaced in multiple parts of the firm, but escalation was discretionary and time-indeterminate; accountability was widely shared in principle but thin in practice; remuneration signals were misaligned with risk and control outcomes. 

In such settings, supervisory dialogue risks becoming persuasive rather than corrective — particularly when powers are fragmented or consequences are not pre-committed. In a digital market, these delays convert governance weakness into confidence loss at speed.

Viewed through the lens brought to this study, the Credit Suisse example highlights challenges with regard to: 

• Measurement: the absence of a holistic, evidence-based view of risk culture;
• Incentives: pay and permissions that do not reflect loss experience or control effectiveness; 
• Authority: tools that exist but are not fully absorbed; 
• Posture: a credible, sceptical conversation with boards and senior management; and
• Tempo: time-bound escalation calibrated to how quickly information spreads). 

The purpose here is not to assign individual blame but to clarify culture risk governance mechanisms that warrant reconsideration in light of this example. Where supervision cannot make qualitative risk legible, cannot tie it to management decisions, and cannot act with timely predictability, our post-Crisis reforms remain vulnerable to failure.

Post-mortem studies of the near-collapse of Credit Suisse in March 2023, culminating in its emergency acquisition by UBS, are unanimous in concluding that events were fundamentally driven by internal failings within the bank, rather than external regulatory shortcomings. 

The report of the Swiss Financial Market Authority (FINMA) on the lessons learned from the CS Crisis¹ highlighted deficiencies in Credit Suisse's corporate governance in the years leading up to the crisis. The report pointed out that responsibilities were poorly defined, and management frequently failed to enforce accountability. 

The Federal Council concurred in its report, noting that “deficiencies in the corporate governance of financial institutions can have serious consequence” and that “the inaction of financial market executives (e.g. in remedying shortcomings in the organisation) can cause major damage to the financial institution itself, to the Swiss financial centre and to the national economy.”²

In particular from 2018 onwards, Credit Suisse was repeatedly at the centre of scandals and leaks. “There were clear signs of a sub-par corporate culture and inadequate risk management as well as a lack of assertiveness and sense of responsibility at management level. Striking examples of this include the case of Mozambique, the bank’s surveillance activities, or the Greensill and Archegos cases.”

The Parliamentary Investigation Committee also concluded that the near-collapse of CS and the resulting emergency merger, in its view, could be attributed to the self-inflicted crisis of CS rooted in a questionable risk culture combined with inadequate risk management, particularly in the investment banking sector, and governance issues at the leadership level. 

The interplay of these factors triggered an irreversible loss of market confidence in autumn 2022, ultimately culminating in the acute crisis of March 2023.³ The Federal Council concurred with the Committee’s view noting that the responsibility for the behaviour of CS, which led its demise, lay comprehensively and at all times with its own internal organs.⁴

Internal weaknesses eroded market confidence over time, triggering massive liquidity outflows and bringing the bank to the verge of insolvency. The loss of confidence — and the consequently existential threat to CS — extended to the firm’s Board of Directors and Executive Board, who are argued to have “defied numerous interventions by FINMA in the preceding years.”

FINMA’s analysis corroborates this, concluding that “CS’s problems manifested themselves in a range of business areas and as various risk types. In almost all cases, serious deficiencies in risk management played a role.”⁵

Credit Suisse’s governance structure was found to have been marred by unclear responsibilities, frequent leadership changes, and a failure to address organisational shortcomings in a sustainable manner. These weaknesses created instability, undermined oversight, and contributed to a series of scandals and strategic missteps. Notable were:

• Unclear Responsibilities and Enforcement Gaps. FINMA observed that “CS’s corporate governance was deficient in several respects: Responsibilities were not clearly defined and were often not enforced.” This lack of clarity granted business divisions excessive autonomy, enabling unchecked risks to proliferate.
• Leadership Instability and Loss of Expertise. Between 2020 and 2022, CS underwent multiple leadership changes, including two Chairs of the Board and two CEOs. This resulted in a “loss of know-how and temporary multiple roles, weakening governance.” The Federal Council report indirectly references this instability, noting the bank’s sluggish response to regulatory demands during the crisis.
• Failure to Remedy Organisational Shortcomings. Despite repeated interventions by FINMA, “Over the years, the governing bodies of CS were unable to remedy the repeatedly identified shortcomings in the bank’s organisation in a sustainable way.” 

These governance failures eroded accountability and allowed persistent issues to fester, as evidenced by the bank’s inability to stabilise during the liquidity crisis of 2023.

Credit Suisse’s risk culture was characterised by a weak “tone from the top,” moral hazards arising from remuneration practices, and insufficient transparency. This culture prioritised short-term gains over long-term stability, amplifying risks and contributing to repeated scandals. Notable were:

• Weak Tone from the Top and Moral Hazards. FINMA highlighted a “flawed management culture and the weak ‘tone from the top’ over a longer period of time led to a poor risk culture.” Remuneration practices further exacerbated this issue: “Even in years where the bank reported large losses, variable remuneration remained high. Negative results had little impact on remuneration.” 
• Lack of Transparency and Conflict Management. Risk culture deficiencies included “deficiencies in the area of conflicts of interests and a lack of transparency towards FINMA.” Efforts by FINMA to address low risk awareness were largely ineffective, as “The senior management bodies were unable to reinforce the risk culture throughout the bank in a significant and sustainable manner.”
• Incentives for Inappropriate Behaviour. High variable pay during loss-making years and inadequate penalties for misconduct “encouraged an inappropriate risk culture over the past decade.” This culture granted excessive autonomy to business divisions, fostering a high risk-appetite without sufficient controls.

This poor risk culture created an environment where risks were minimised or ignored, ultimately contributing to a digital ‘bank run’ in 2023 as clients lost faith in CS’s stability.

CS’s risk management was riddled with deficiencies, including ineffective controls, excessive risk appetite, and failures to implement FINMA-mandated improvements. These weaknesses left the bank vulnerable to liquidity and capital crises. Notable were:

• Excessive Risk Appetite and Weak Controls. According to FINMA, “The internal control system was not sufficiently sophisticated or effective to adequately identify and address the inherent risks arising from the risk appetite.”
• Implementation Failures. Despite FINMA’s repeated measures, “Over the years, CS was unable to implement the measures requested by FINMA to reinforce the internal control system and risk management in a timely, effective, and sustainable manner.” The Federal Council report referenced “weaknesses in organisation, capital, and liquidity.”
• Complex Structure and Recurring Weaknesses. The bank’s complex group structure hindered systematic risk management, leading to “recurring weaknesses” and an underestimation of outflows during the crisis.

These failings culminated in the liquidity crisis of 2023, during which CS “regularly underestimated the client outflows and overestimated the effects of its measures.”

Management errors, including incomplete strategic shifts, slow crisis responses, and a legacy of scandals, further eroded the bank’s capital and reputation over time. Notable were:

• Incomplete Strategic Implementation. Efforts to downsize the investment bank were “incomplete and insufficiently effective, and were unable to impress the market and clients.” 
• Crisis Response Errors. During the acute phase of the crisis, management rejected more far-reaching measures due to concerns over earnings and publicity: “The management rejected further-reaching measures and pointed out the negative publicity impact.” Recovery plans also underestimated market realities.
• Repeated Scandals: Scandals such as Mozambique, surveillance (“spygate”), Greensill, Archegos, Petrobras, PDVSA, FIFA, and Supply Chain Finance Funds highlighted repeated management errors. For example, the surveillance affair revealed “serious organisational shortcomings” at CS. FINMA noted that “Especially from 2018 onwards, confidence in the bank was dented by repeated scandals… which resulted in extensive measures, fines, losses and reputational damage.”

These cumulative errors and scandals led to significant fines, losses, and a “widespread loss of confidence,” culminating in rapid liquidity outflows in 2023. The lessons here are operational:

• First, supervisors require a structured evidence base for governance and culture — drawing on behavioural and operational indicators — to make qualitative risk assessable, comparable, and reviewable;
• Second, escalation must be time-bounded and foreseeable: predefined, graduated pathways that convert repeated deficiencies into concrete restrictions or changes in governance;
• Third, incentives should pass basic compatibility tests: remuneration and decision rights need to reflect control performance and realised risk, with effective malus and clawback; 
• Fourth, complexity is itself a governance constraint; where deficiencies persist, simplification should not be optional; and
• Fifth, supervisory posture matters: a documented, board-level conversation that is both credible and sceptical is integral to effectiveness and to legitimacy.

Complexity is itself a governance constraint.

None of this enlarges supervision beyond its remit; it renders that remit practicable and predictable.

The Credit Suisse case demonstrates how discretion without measurement becomes delay, and how delay under digital conditions becomes instability. Effective supervision remains an ethical public-good function. It should also be reliably operational, and this cannot be assured without adequate attention to culture risk governance, as the Credit Suisse case makes abundantly clear.

Eva Hüpkes was appointed Secretary General of the International Association of Deposit Insurers (IADI) in 2023. She was previously the Head of Regulatory and Supervisory Policies at the Financial Stability Board (FSB). She has worked on a broad range of financial sector issues. She contributed substantially to the G20’s post-Crisis financial and regulatory policy reforms, most notably the development of the global standards for crisis management and resolution.