A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Eva Hüpkes

Secretary General

International Association of Deposit Insurers


Contributions to the Supervisors on Supervision Stocktake

How do inconsistent definitions and the lack of a common framework by which to discuss culture impact the practice of supervision, particularly as regards material but qualitative risks?

1.1.2a Many participants note a relationship between culture and governance, but that a lack of shared grammar, frameworks, tools, and training contributes to inconsistent expectations.

“A challenge may be the lack of any meaningful metric to evaluate governance and culture in a bank examination as this requires taking a holistic view of all aspects of the risk governance framework rather than looking at each facet in isolation.”

What is the relationship between culture and governance and how does ambiguity about that relationship contribute to uncertainty?

1.1.3b Other participants noted that culture and governance are interconnected and influence one another.

“In governance, we tend to focus heavily on the inputs — rules, structures, and processes — and then wait to evaluate the outputs, such as performance, compliance, or outcomes. But what’s often missing is a systemic framework to assess the throughputs, which is the culture that connects the two.

Culture is the lifeblood of an organization; it shapes how decisions are made, how risks are managed, and whether the values on paper are actually lived in practice. Without a mechanism to evaluate and influence this critical middle layer, we risk overlooking the very dynamics that determine whether governance structures succeed or fail in achieving their intended goals.”

Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?

1.2.1a Many participants see culture as a precursor to misconduct and consumer harm, making it of key interest to conduct regulators.

“The Financial Crisis of 2008 exposed deep seated flaws in the financial system and highlighted the importance of governance and ethics in finance. In the wake of the Crisis, a series of scandals ranging from mis-selling to market manipulation undermined trust in the financial system. In response, policy makers sought to promote higher standards of corporate governance, industry culture, ethics, and trust. Despite those reform efforts, incidences of misconduct and mismanagement of risk continue to plague the industry.”

What role do international standard-setters have to play in coordinating culture supervision?

1.3.3b Participants also emphasize that the goal may not be uniform standards so much as establishing coherent terms of reference and frameworks of analysis — a “shared grammar.”

“Robust minimum international standards have a role to play in fostering better corporate governance. But it is the implementation of those standards at the level of individual firms that determines their effectiveness. 

As in other areas of post-crisis reforms, this is where continued effort is needed. The task of changing culture in the financial industry is complex and challenging. 

The greater role of social media in generating and spreading information of actual or perceived governance failures demonstrates the need for an innovative and more holistic approach in regulation and supervision.”

How does a lack of effective tools and frameworks for culture risk supervision impact perceptions of supervisory legitimacy?

1.4.3a Participants described how the lack of a common evidentiary basis makes it difficult for supervisors to demonstrate effective culture risk governance and/or supervision.

“In 2017, the FSB conducted a peer review that examined the implementation of the OECD Principles of Corporate Governance of 1999 (revised in 2004). The peer review observed that, despite progress in enhancing risk governance frameworks, many authorities lacked the ability to assess the effectiveness of a firm’s risk governance — and more specifically its risk culture, to help ensure sound risk governance through changing environments — or they did not have corporate governance-specific enforcement powers to augment other existing powers. 

New approaches, e.g. culture audits informed by behavioural and data science, might provide greater insight into the human factors that shape risk taking individually and collectively.”

What role does culture play in governance failures that ultimately require supervisory attention?

2.1.1c Some participants emphasize that culture and governance are fundamental to performance outcomes such that reliance on formal controls and processes without addressing culture undermines risk management.

“Do you have a three lines of defense framework? Yes? Well, that’s a start, but is that enough? Are we done just by ticking the box? 

The real question is whether the framework is actually working as intended. And how do we know? Governance structures and processes might look robust on paper, but they can be easily undermined by an unhealthy culture. 

Culture operates beneath the surface — it is the attitudes, behaviors, and unwritten norms that influence how people actually act within the framework. If the culture is misaligned, it can render even the best-designed controls ineffective.

In many cases, governance failures do not stem from a lack of frameworks or processes but from a culture that corrodes their effectiveness. That is why understanding and addressing culture is not just an add-on; it is a precursor to ensuring governance systems succeed.”

2.1.1d Participants observe that culture can undermine incentive programs, employee engagement efforts, and other common management measures aimed at shaping behavior in desired directions, making it even more of a challenge for large, complex organizations.

“I’m not sure it’s just about compensation. While aligning pay with risk outcomes is important, it’s not the whole story. Culture plays a critical role in shaping how people respond to any incentive structure or management intervention. If the organizational culture rewards short-term wins over long-term sustainability or tolerates cutting corners — then even the most well-designed compensation frameworks can backfire.”

What are the consequences for failing to consider the influence of culture in assessments of governance effectiveness?

2.1.2a Many participants point to the banking sector turmoil of 2023, and various earlier misconduct scandals and prudential risk management lapses, as evidence that adequate culture risk supervision is lacking.

“The banking-sector failures in the first half of 2023 are dramatic examples of the consequences of lax governance and poor risk cultures. Banks’ boards and senior management failed to assess and manage risks adequately, and banks did not have effective internal controls and risk management systems in place.”

“[Events of the 2023 Turmoil] once again underlined the importance of effective supervision and the need for authorities to engage in credible and sceptical conversation with an institution’s board and senior management on the institution’s business strategy and effectiveness of its risk governance.”

How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?

2.2.1a Participants discuss how the relationship between governance and culture risk presents unique challenges for supervision.

“So why have regulatory reforms to date failed to prevent governance failures?

One possible explanation is that supervisors and regulators have been too focused on technical measures, such as capital requirements and risk management practices. Capital, liquidity, and related standards are essential to a stable financial system. Compliance and risk management processes are necessary but not sufficient.

Values and culture are keystones of governance as they drive behaviours of people throughout the organisation and the ultimate effectiveness of its governance arrangements. Governance is not a fixed set of guidelines and procedures. Rather it is about behaviours and ongoing processes by which decisions are made. A focus on right behaviours would mean a shift from the focus on structures and procedures to organisational culture and values that drive behaviours.

Supervisory approaches that focus primarily on compliance and do not give proper weight to culture and governance cannot keep pace with changes in finance. Supervisors need to broaden their perspectives to include strategy, people and culture and need to understand how desired cultures can best be supported and reinforced.”

How is supervision made more challenging by a reliance on judgment?

2.2.2b Other participants point out that reliance on insufficiently structured supervisory judgment can lead to inaction or delay.

“Supervisors must have sufficient discretion to act when necessary, and this requires a robust legal foundation — particularly as banks are likely to push back against such interventions. That said, discretion must be carefully balanced with objective criteria, like quantitative reference points or specific indicators, which act as triggers for deeper scrutiny when certain thresholds are reached.

I strongly advocate for a framework that includes both public and internal triggers to guide early intervention. Public triggers serve as transparent benchmarks. Internal triggers work to detect vulnerabilities early and prompt action before they become visible externally. These internal mechanisms are vital for protecting trust, allowing institutions to address issues discreetly and proactively. 

Acting behind the scenes and ahead of time helps prevent situations from escalating into public crises, avoiding the loss of confidence and reputational harm that often result from delayed or reactive responses.”

How can supervisory culture be made more proactive and effective in connection with evaluating culture-related risk matters?

2.2.3a Participants describe effective supervisory culture as both forward-looking and supportive of necessarily bold decision-making amidst unavoidable uncertainties.

“Risk management and business strategy are, and must remain, the responsibility of the banks themselves. However, supervisors must be prepared to step in decisively when failures occur. The real challenge lies in striking the right balance — holding banks accountable for their governance and decision-making while ensuring that supervisors have the authority and tools necessary to intervene effectively when the stability of the system is at risk.”

How should supervisory bodies approach enforcement in the context of culture risk governance and supervision?

2.3.1a Participants note that a lack of established culture risk governance frameworks and metrics makes enforcement and accountability more challenging.

“In the very early stages, it’s often as simple as saying: there’s an issue, now explain what happened. Just having senior management come before the regulator and account for themselves creates significant pressure on the leadership of the institution. From there, measures can become progressively more intrusive if the bank fails to comply — extraordinary audits, in-depth examinations, or additional onsite inspections. 

That said, you don’t want the process to be entirely automatic; there needs to be some discretion to account for the specifics of each situation. But if you allow too much discretion, you risk falling into forbearance, where nothing meaningful gets done. The balance lies in having enough flexibility to respond appropriately, without losing the resolve to act when it’s necessary.”

Why have supervisors found it challenging to identify and assess culture-related risks prior to a risk event?

2.3.2a Participants discuss different approaches and frameworks for supervising culture driven risks and highlight relevant tradeoffs.

“We often approach incentives through a narrow lens, focusing heavily on deterrence through negative incentives, but perhaps we need to think more broadly. Should supervision be limited to punishing and criticizing, or should it also involve recognizing and rewarding good behavior? 

The deeper question is whether we truly understand what a good culture looks like in banks and financial institutions. If we do, is there a way to highlight good practices and showcase examples of what works? This could help foster a more constructive dynamic between supervisors and the institutions they oversee, ultimately contributing to a healthier financial system.”

What emerging techniques and tools offer promise to improve culture measurement and risk assessments?

3.2.2d Participants describe other innovative applications of AI to challenges of culture risk governance and supervision.

“Novel digital technologies, such as machine learning and Artificial Intelligence (AI), are providing new opportunities both for authorities and firms. 

For authorities, the use of novel technologies can improve oversight, surveillance, and analytical capabilities. It also allows for greater and more rapid processing of supervisory and regulatory data, as well as improved analysis. 

For firms, the use of those technologies can help to enhance governance processes and risk management capabilities. Artificial intelligence capabilities are powerful and can help to detect problems and promote more informed and effective decision-making.”

What have we learned from past approaches to culture risk governance and supervision?

3.3.2a Participants noted both opportunities and challenges in connection with individual accountability regimes.

“When it comes to identifying who is specifically responsible for mismanagement, the answer is often unclear — a systemic issue driven by two factors. First, there’s the ‘accountability firewall,’ a breakdown in information flow that disconnects the top leadership from the ‘engine room’ of the bank, shielding senior executives from accountability. Second, collective decision-making fosters what’s known as the ‘Murder on the Orient Express Defense’: when everyone is to blame, no one is truly accountable. Together, these dynamics erode individual responsibility.”

3.3.2e Other participants caution against using capital or liquidity controls as a means to compensate for lack of sound culture risk governance.

“Work on corporate governance was one element of a multipronged effort undertaken by the Financial Stability Board (FSB) and standard-setting bodies to strengthen the overall safety and soundness of financial institutions in the wake of the Global Financial Crisis.

This effort led to the introduction of a range of new measures aimed at strengthening governance frameworks and practices at financial institutions. It covered board effectiveness and risk management, senior management accountabilities and responsibilities, risk culture, and financial and non-financial incentives:

  • The FSB Principles for Sound Compensation Practices, issued in 2009, provide guidance on how financial institutions should design and implement compensation policies that are both transparent and subject to appropriate governance and oversight and that align employees’ incentives with the long-term profitability of the firm.
  • Supplementary Guidance to the FSB Principles, issued in 2018, provides firms and supervisors with additional guidance and a framework for considering how tools, such as in-year bonus adjustments, malus or clawback, can be used to reduce misconduct risk and address misconduct incidents.
  • In 2013, the FSB published Principles for an Effective Risk Appetite Framework to provide guidance on how to develop and implement a risk appetite framework that specifies the level and types of risk that an institution is willing to accept in pursuit of its strategic objectives.
  • In 2014, the FSB provided guidance to supervisory authorities on how to assess and promote a sound risk culture within financial institutions that is aligned with the institution’s values and strategy and ensures that risk management is an integral key part of the institution’s operations.
  • In 2018, the FSB published a Toolkit for firms and supervisors to use in order to tackle the causes and consequences of misconduct.

So why have regulatory reforms to date failed to prevent governance failures? One possible explanation is that supervisors and regulators have been too focused on technical measures, such as capital requirements and risk management practices. Capital, liquidity, and related standards are essential to a stable financial system. Compliance and risk management processes are necessary but not sufficient.”