Richard Doornbosch: Good governance, better decisions, best results - introducing the new CBCS Corporate Governance Code in uncertain times

Speech by Mr Richard Doornbosch, President of the Centrale Bank van Curaçao en Sint Maarten, to the Curacao International Financial Services Association (CIFA), Willemstad, 3 February 2022.

The views expressed in this speech are those of the speaker and not the view of the BIS.


Introduction


Good afternoon, ladies and gentlemen,


First, I would like to thank the Board of the Curacao International Financial Services Association (CIFA) for the invitation. It is a great pleasure to see so many of you here today. The Centrale Bank van Curacao en Sint Maarten (the CBCS) is highly appreciative of the efforts CIFA has put forward in continuing to promote the international financial services sector of Curacao.

Until the end of January 2020, the World Health Organisation assessed the risk on a global level of the then novel Coronavirus to be moderated. Only a few weeks later the first case in Curacao was reported and on March 16, 2020, all international flights were suspended. Since that day we have been absorbed by the twists and turns of the pandemic. The Omicron-coronavirus being the latest twist.


While the Coronavirus might be the biggest source of uncertainty at the moment, it is certainly not the only risk that needs to be managed. And managing risks is at the core of the financial sector. It is the difference between being profitable or loss making. Flourish or perish.


It is therefore not surprising that the foundations of modern risk management can be found in finance when in the '70s Black and Scholes together with Robert Merton developed ways to price the value of options and other derivatives by using the implied probability distributions from market prices. These quantitative approaches to risk management led over time to sophisticated Value at Risk models but also to the collapse of Long-Term Capital Management (LTCM) in 1998 showing the importance of adequately accounting for rare and outlying scenarios. The financial crisis in 2008 showed (again) that risks should always be assessed in the context of good Corporate Governance as several malpractices were brought to light. Closer to home the devastating effect of a total lack of Corporate Governance can be seen when reading the recent court ruling in the Ennia case.


As the supervisor of the financial sector in the monetary union of Curaçao and Sint Maarten we see risk management as an integral part of Corporate Governance. Good governance leads to better decisions, lower risks, and therefore better results. In particular in the uncertain times we are living in today. Before introducing the new Corporate Governance Code (the Code) and how we see this as a core element of our new style of supervision, I will highlight five key trends that will have to be managed by financial institutions.

As we have been thinking about our own strategic agenda towards 2025 in recent months, we have considered these when setting priorities. After this I will discuss some key elements of our new Corporate Governance Code. Then what to expect from the CBCS. Finally, I will formulate some takeaways by way of conclusion.

Living in turbulent and uncertain times


Let's start with the main risks we see: the five 'C's': that is Covid-19, Climate, Crypto, Cyber and Criminal activity (or AML/CFT risks).


As for Covid-19, I would like to be short as I am sure you will have it on your radar screen all too often. The most important insight from recent events is that it is going to be part of our lives and business the coming years and it has shown the need to think through the implications for our financial and operational resilience. In particular we have seen companies think about ways to reduce their fixed costs – as income became more volatile due to Covid-19 – by outsourcing or more extensively using third party vendors. This might be an efficient strategy to deal with the higher uncertainty but must be managed carefully as not to create its own risks. When entering into an outsourcing agreement you have to be clear on the obligations of both parties and ensure no limitations apply to the access of data. It should not be hindered by confidentiality, secrecy, privacy, or protection. Proper due diligence is required as outsourcing activities must also at no time impede the CBCS from supervising the activities. The CBCS is in the process of drafting an outsourcing guideline which the institutions under its supervision will have to comply with. More general the Code stresses the need to be prepared for severe business disruptions.


Moving to the second 'C'. The enormous impact of the pandemic has recharged our awareness on the need to urgently address Climate change as this will potentially have an even bigger and longer lasting impact. Wildfires, droughts, flooding, and storms already today appear to occur with much more intensity and in a higher frequency compared to let's say 30 to 40 years ago. Parts of the world which in earlier days were considered relatively safe to the occurrence of a natural hazard are in present times prone to the devastating effects mother nature can have. The possible impact has on Sint Maarten been felt in 2017 with hurricanes Irma and Maria, but we have to get a better picture of what direct physical risks there are for Sint Maarten and Curacao.


The world is still on a path to miss the Paris agreement objective of limiting global warming to well below 2 degrees Celsius by a wide margin. The implication is that physical risks of climate change should be considered where the interests of the company are geographically located. Alternatively, and hopefully, when the world would finally act and reverse the trend of global emissions, transition risks will become more prominent for financial institutions to manage. The International Monetary Fund (IMF) estimates additional global cumulative investments of US$12 to US$20 trillion a year to achieve net zero emissions by 2050 making other technologies and activities obsolete.


Institutions are encouraged to set up a climate risk management program which involves strategies reducing the vulnerability associated with climate risk. The strategies could cover a wide range of potential actions, such as early-response systems, strategic diversification, financial instruments (e.g., climate risk insurance), infrastructure design and capacity building.


Large climate related investments also provide new opportunities for the Fund industry as sustainable investment funds are growing rapidly, more than doubling over the last four years to US$3.6 trillion in 2020. We see this trend - translating into a growing corporate social responsibility - as very relevant in Curacao and Sint Maarten. The Code therefore speaks about organizations to take responsibility for possible negative outcomes of its activities in the triple context in which it operates. Triple meaning considering the impact on environment, society and governance (of the economy) or ESG.


Let's turn to the third 'C'. The IMF financial stability report indicated that Crypto assets market capitalization tripled in May 2021 to an all-time high of US$2.5 trillion before falling by 40% in a month, underscoring the high volatility. Also, in Curacao we have seen more interest in crypto assets, whereby a local supermarket is accepting payments in bitcoins. If not yet, you may sooner or later also be confronted with parties wishing to settle financial transactions using crypto currencies, or clients interested in investing in crypto currencies. Institutions that wish to engage in such transactions should be vigilant of the risks involved with this interesting new development. Cryptocurrencies are highly volatile, intangible, exist on non-regulated markets, and are uninsured by any authority.


Another concern is the use of crypto assets for criminal and/or illegitimate purposes. Crypto investors may have legitimate reasons to invest, however those investors who find themselves in the unfortunate position of being a victim of financial crime must be mindful that they do not likely have the same legal options as traditional victims of fraud. When a cryptocurrency exchange is hacked and customers' holdings are stolen, for instance, there is frequently no standard practice for recovering the missing funds. Making the link once more. The Code indicates the value of well-documented new product approval policies to manage risk.

For many organizations information and their supporting systems are amongst their most valuable assets making Cyber security, the fourth 'C', top of mind for many directors. Information technology provides many benefits to these organizations, which they use to drive their stakeholders' value. However, information technology is developing in a rapid pace and has become more dynamic, which makes the role it plays in the support of the organization's goals increasingly important. Consequently, the need for a clear corporate strategy on cyber security increases. The number of cyberattacks worldwide – in particular in the financial sector – has shown a significant increase as the CBCS itself has learned the hard way early September of last year. Fortunately, our IT-Governance was in place guiding our incident response and recovery with assistance of topnotch outside expertise. As a result, a worst-case scenario has been prevented, however we took some valuable lessons and will be further strengthening our cyber defense. As for the sector we had already made this a high priority before the incident and the CBCS had drafted several provisions and guidelines in relation to IT-governance which institutions under our supervision are expected to adhere to and compliance with these regulations is monitored by the CBCS.


Finally, the risk of being used to hiding the proceeds from Criminal activity or AML/CFT risk, the fifth 'C', should still be high on the list of financial institutions' board rooms. As I am sure you are aware, all financial service providers should have proper policies and procedures in place which mitigate the risk of them being unwittingly used by criminals and become involved in money laundering activities, which will negatively affect their reputation and operations.


In this respect, the CBCS is currently in the process of updating the current Provisions and Guidelines on the Detection and Deterrence of Money Laundering and Terrorist Financing (P&Gs). The Corporate Governance Code emphasizes the need for the governing body to have clear and documented policies how these standards should be met. Financial institutions must perform a risk assessment which identifies, assesses, monitors, manages, and mitigates money laundering. Based on this risk assessment, financial institutions need to implement a Risk Based Approach (RBA), which entails that in situations where there are higher risks, the institution must apply enhanced measures to manage and mitigate those risks. Where risks are lower, simplified measures might suffice. Internal audit departments are required to perform annual independent testing of the financial institution's AML/CFT procedures.


Introducing a new Corporate Governance Code


Ladies and gentlemen,


Let's now turn to the second part of this speech going into more detail on our new Corporate Governance Code.


Let's start with some basics. The objective of good Corporate Governance is to ensure ethical, effective, and prudent management and strong oversight by the governing body, to promote responsible corporate citizenship, to safeguard stakeholder's interest in conformity with public interest on a sustainable basis and to have a sound risk culture at all levels. The CBCS evaluates as part of its supervisory responsibility, the functioning of these Corporate Governance arrangements. We have in fact identified this as a key element of our new style of supervision. Daniele Nouy, then Chair of the European Central Bank's Supervisory Board, called good governance "an asset for all seasons, it is always essential for stability". This is the reason we have included governance as a first determinant in our risk scoreboard.


Generally speaking, Corporate Governance arrangements determine the allocation of powers and responsibilities by which the business and affairs of a company are carried out. Corporate Governance involves structure on the one hand and people, behavior, and corporate culture on the other hand. The latter being not always easy to assess and measure. Yet, the CBCS as the supervisory authority must be in a position whereby it can perform this assessment.


In this respect, the CBCS has recently drafted a new code, the so-called Corporate Governance Code Financial Institutions & Service Providers, which I have also referred to in this speech as the Code. The Code addresses all aspects of governance, from the way Boards and Senior Management work and interact, to how the decision-making process shapes culture and risk management.


Let me go over the substantive elements in the Code.


(1) The structure of the organization should ensure that the supervisory function (in most cases the Supervisory Board) and Management have clearly defined roles and responsibilities with adequate checks and balances between the two and together guarantee an effective implementation of the strategy. This is the lengthiest part of the Code and includes the requirement for the Supervisory Board to have a majority of independent members including the Chairman. But also, the requirement for the Supervisory Board to at least once per year perform a self-assessment, whereby questions should be posed such as:


- Do Board members continually challenge themselves?
- Are the right subjects discussed and questions asked and is adequately given follow up to decisions and recommendations of the supervisory board?
- Does the Board have the skills and competence to address the strategy of the organization?


(2) The second substantive element regards the internal organization. The organizational structure should be clear with an adequate segregation of duties (e.g., control functions being independent from the business lines) and sufficient resources. The catch phrase for Management and Supervisory Board is "know your structure"! Important to mention is also the sensible demand for financial institutions to avoid setting up non-transparent structures. As those will often be used for a purpose connected with money laundering or other financial crimes.


Substantive elements (3) and (4) regards risk culture respectively risk management or internal control. Risks should be taken within a well-defined framework in line with risk strategy and appetite. Risks within new products and business areas, but also risks that may result from changes to products, processes, and systems, are to be duly identified, assessed, appropriately managed, and monitored. The Risk Management function and Compliance function should be involved in the establishment of the framework and the approval of such changes. This to ensure that all material risks are considered, and that the financial institution complies with all internal and external requirements.


The Code uses the so-called 'three lines of defense' model in identifying the functions responsible for addressing and managing risks. Its underlying premise is that, under the oversight and direction of Senior Management and the Supervisory Board, three separate groups (or lines of defense) within the organization are necessary for effective management of risk and control.


The Business lines, being the first line of defense, take risks and are responsible for their operational management directly and on a permanent basis. For that purpose, business lines should have appropriate processes and controls in place that aim to ensure that risks are identified, analyzed, measured, monitored, managed, reported, and kept within the limits of the risk appetite and that the business activities are in compliance with external and internal requirements.


The Risk Management function and Compliance function form the second line of defense. The Risk Management function facilitates the implementation of a sound risk management framework throughout the financial institution and has responsibility to further identify, monitor, analyze, measure, manage and report on risks. This body should also form a holistic view on all risks on an individual and consolidated basis. It challenges and assists in the implementation of risk management measures by the Business lines to ensure that the processes and controls in place at the first line of defense are properly designed and effective.

Some criteria to consider in this respect are: Are risk management's reports discussed in the Supervisory Board meetings? Does risk management regularly hold presentations, meetings or send emails about risk management policies and procedures to create awareness? Does the financial institution measure relevant risks exposures in terms of probability and impact? Are risk management processes and procedures reviewed annually? Do operational managers meet regularly to discuss potential operational risks that arise from their activities?


The Compliance function monitors compliance with legal and regulatory requirements and internal policies, provides advice on compliance to the governing body and other relevant staff, and establishes policies and processes to manage compliance risks and to ensure compliance.


The independent Internal Audit function (IAD), being the third line of defense, conducts risk-based and general audits and reviews the Corporate Governance arrangements, processes, and mechanisms to ascertain that they are sound and effective, implemented and consistently applied. The Internal Audit function is in charge also of the independent review of the first two lines of defense. The Internal Audit function should perform its tasks fully independently of the other lines of defense.


So, your management has to ensure that the three lines of defense are managed and staffed by personnel with appropriate knowledge and experience.


Depending on the size and complexity of the financial institution's operation, there may be situations where some oversight functions will be combined with each other, combined with operational duties (except for the IAD), are outsourced or simply do not exist as a function within the organization. The CBCS allows the outsourcing of oversight functions, however the appropriateness thereof will be assessed by the CBCS based on the outsourcing policy that is currently being written and that should be seen as under the umbrella of the Code.


(5) A fifth substantive principle is to establish a sound business continuity plan to limit losses in the event of severe business disruption. The lockdown early 2020 tested these plans and stressed the importance to think through different scenarios. A financial institution should put in place a plan to react to emergencies and continue critical business activities and recovery plans to bring back the ordinary business procedures as soon as possible.


The final two substantive provisions are (6) proportionality and (7) transparency. The proportionality principle is very relevant in the context of Curacao and Sint Maarten. Corporate Governance principles are for all seasons and organizations but are written with large corporations in mind. When implementing arrangements, financial institutions should take into account the size, nature, scale and complexity of their activities. It should be consistent with the individual risk profile and business model. In particular for smaller institutions the CBCS will in its supervision rely on its governance assessment. Better governance is lesser supervision.


Concluding the discussion on the Code, I would like to highlight that the Code emphasizes the importance of the governance body to lead and assume responsibility for corporate citizenship. This is a new and important element recognizing that the financial institution's strategy and conduct need to be consistent with environmental, social and governance principles of the highest standards. It relates amongst others to the workplace being healthy and safe, policies being in place to prevent, detect and respond to fraud and corruption, consumer rights being protected and having responsible rules on pollution and waste disposal. We will ask companies to disclose their efforts and encourage them to use internationally agreed standards to do so. The CBCS will also have to review its own activities and see where we need to step up our efforts.

What to expect from the CBCS?


The CBCS has sent the Code to the various representative organizations for consultation on its contents and has in the meantime received valuable feedback to consider. The reactions include among others a call to reduce the size of the Code and to clarify some of the definitions used, to make a distinction between the roles and responsibilities of the Supervisory and Management Board, to provide guidance on reporting requirements and the proportionality principle.


We are very pleased with the time and energy you and others have invested in giving us feedback on the Code. This underlines the importance you see in good Corporate Governance and getting this right. As a result, we have decided to build in an additional consultation round in the first half of this year on the basis of a new text taking into account your feedback and acknowledging the diversity in size and complexity of financial institutions in our jurisdiction. From very small institutions with only a handful of clients to institutions being a part of large international corporations that have to respond to multiple supervisors. We will also be investing in our own analytical capacity. We will for example review the fit & proper testing to better assess the experience, reputation, independence, time commitment, diversity, and potential conflict of interest of directors.

With the introduction of a new organizational structure as of January 1st of last year, the CBCS now has a separate department charged with the responsibility of supervising Corporate Governance arrangements within all institutions under the CBCS' supervision. It is the CBCS' intention to gauge a better understanding of current Corporate Governance practices in place by performing a stocktaking. The CBCS will draft a questionnaire through which relevant information will be gathered and an initial overview in respect to these arrangements can be formed. This overview will serve as a starting point for the CBCS to plan onsite examinations and perform these using specific Corporate Governance examination procedures to gain a further understanding of the company, among others through document review, conducting interviews and walk throughs.


Conclusion


Ladies and gentlemen, let me conclude. I would like to leave you with one key take away.


Corporate Governance is always an essential part of the effective and balanced decision making process within your institution. However, this is most certainly true in highly uncertain times. Good governance leads to an improved culture and better decision making. And better decisions will ensure risks are adequately identified and effectively mitigated. This will determine the best results possible.


Corporate governance could perhaps be compared with the basic hygiene rules that we all know too well. Wash your hands, keep six feet distance, and wear a mask whenever you are in closed spaces. Following these rules takes effort and discipline. You have to be deliberate about them and they take at times some of the fun away. But as they keep us from getting ill, we are happy to follow them.


It has been a pleasure to address some words on Corporate Governance towards you today and the CBCS looks forward to regular contacts with CIFA to continue the discussion.