Good morning.
I would like to thank the Institute of Directors for inviting me to speak with you today[1].
We are living through a time of great uncertainty – uncertainty over the short term path of the COVID-19 pandemic and its longer term effects; uncertainty regarding the pace and extent of technology and related behavioural changes; uncertainty about the timing of the effects of climate change; and much more besides.
This uncertainty has implications for how we think about risk and probabilities, and importantly how we govern, lead and manage our organisations. I will explore these issues in my remarks today. I will outline how the approach to the fundamentals of governance and risk management needs to continue to improve.
I will start by summarising some of the Central Bank’s key regulatory and supervisory priorities for 2021.
The mission of the Central Bank is to serve the public good by safeguarding monetary and financial stability and by working to ensure that the financial system operates in the best interests of consumers and the wider economy. The Governor of the Central Bank recently outlined the Bank’s 2021 priorities[2]. Today, I will expand on some of the sub-set of specific financial regulation priorities for 2021, which are focused on the near and longer term challenges we see in the system.
Our priorities are informed by our overarching aim for the financial system to be resilient and trustworthy, for it to sustainably serve the needs of the economy and its customers and for firms and individuals within the system to adhere to a culture of fairness and high standards. In 2021, our financial regulation strategic priorities include:
In delivering the above, we remain focused on seeking to ensure that regulated firms: (i) have sustainable business models; (ii) sufficient financial resources including through times of plausible and severe stresses; (iii) are well governed, with appropriate cultures and effective risk management; and (iv) can recover if they get into difficulty and are resolvable without recourse to the taxpayer if they cannot.
Given the audience today, I want to focus in on governance and risk management. Before covering these areas in detail, I think it is worthwhile to reflect on the pandemic.
We are still experiencing a profound shock from the COVID-19 pandemic. It is, first and foremost, a cause of human tragedy. It has challenged our resilience in many ways and has had a devastating effect on many families and individuals. The health emergency has also had a profoundly negative effect on many businesses and household incomes, due to the associated economic disruption[4].
While the timing and nature of the current shock were largely unforeseen, the Central Bank has long recognised the inevitability of economic shocks and downturns. We have focused over the last decade on rebuilding and increasing the financial and operational resilience of the Irish financial system. Consumer and investor protection frameworks have also been significantly enhanced with this in mind.
Much of the Central Bank’s focus over the last year has been on mitigating the effects of the pandemic. The Central Bank’s intertwined responsibilities – consumer protection; monetary policy; prudential regulation; payments, and so on – have strong interconnections with each other. This positions us well to understand and mitigate the effects of the pandemic.
The economic challenges posed by COVID-19 have been met by exceptional policy support. This has included a range of fiscal, monetary, macro-prudential and micro-prudential policy actions (as well as actions taken by financial services firms) to support households, businesses and vulnerable borrowers.
Vaccine technology has advanced in recent years to such an extent that highly effective vaccines have been developed in a short time period and offer hope that the virus can be defeated. Moreover, technology has enabled many parts of the economy (including financial services) to continue operating with many workers (typically those with higher and more secure incomes) continuing to work remotely. The corollary of this is that the pandemic has disproportionally affected those that are least able to afford it[5].
As we continue to work through the challenges and uncertainty we all face, there is a need for us all to think afresh of how we govern and manage risk and how we work to meet not only the current challenges but also to recognise and face into emerging ones too. It is worth asking ourselves, is it possible that the COVID-19 pandemic is not just a seismic and tragic event, but a stark warning too? It is worth us reflecting on how we think about future events that have a near certainty of occurrence over time, but with some doubt about precise timing and impact. In other words, how well do we prepare for predictable surprises[6]?
Humans tend to be optimistic in nature. It is in some ways a necessary human condition. Business leaders need to have optimism about the future to drive their businesses forward. However, we should also recognise that there is power in negative thinking – testing our assumptions, considering what could go wrong and considering what we will do if things do go wrong. Many mistakes, big and small, would be prevented or the impact of them lessened if leaders better considered what could go wrong and what assumptions they were relying on. “We should all spend more time thinking about the prospect of failure and what we might do about it. It is a useful mental habit but it is neither easy nor enjoyable[7].”
Global pandemics have been on risk registers for a long time – in my own experience, at least a couple of decades. There have also been recent health emergencies in various parts of the World that signalled clear alarm bells for those who were listening[8]. High profile organisations and experts have been clear that a global pandemic was a certainty, but the timing, nature, type and gravity of one was open to doubt. Notwithstanding its inevitability over time, we were all ill-prepared for its occurrence in 2020.
There are lessons here for us to consider for other critically important issues, such as climate change and technological disruption.
Climate change effects and costs are with us today. There is broad scientific consensus that these effects and costs are going to grow exponentially and that the future costs of deferred and inadequate action today also continue to grow. And yet, at global, national, political, economic, business and individual levels our responses and planned actions are woefully inadequate.
The pandemic has accelerated and deepened our reliance on technology. Technological change is disrupting the landscape of financial services. The competitive landscape is changing, with new entrants, new business models, a race by incumbents to invest in developing the necessary capabilities, and in many cases the potential for a fundamental disruption in the value chain of traditional financial services firms and sectors[9]. All business models are vulnerable to this pace of technology change and there are few, if any, that will be able to survive without change for more than a few years. The cost of inaction, insufficient action or misdirected action today, will probably be terminal for businesses large and small over a short time horizon. And yet, as I will come to, we still see that significant improvements are required at board and executive levels in the understanding of technology and technology related risk.
These are complex issues, which will not be solved by simple solutions. But, I am certain that improvements in governance and risk management are pre-requisites to successfully rising to meet these challenges, so I will now turn to our work and expectations in these areas.
Governance and risk management
As I have already outlined, there is a strong case for fundamentally reconsidering how we think about risks. There is also a need to significantly improve how firms are being governed today. Some of the recurring issues pre-pandemic that have undermined effective internal governance and risk management in firms include:
- weaknesses in connecting strategy with risks and financial resources;
- deficiencies in board oversight of director and senior management appointments[10];
- a lack of effective challenge of the executive by the non-executive directors;
- weaknesses in the governance of firms’ risk appetite, including a lack of appropriate reporting to the board;
- inadequate resourcing of the risk management and compliance functions and poor quality governance of compliance activities and assurance work[11]; and
- weaknesses in understanding and approach to IT related risk management.
So, what is the Central Bank doing and what do we expect?
Accountability and decision making
Individual accountability has been a focus for the Central Bank since the global financial crisis. It has been a decade since the Fitness and Probity (F&P) Regime was introduced to ensure that individuals who hold certain positions in regulated firms are committed to high standards of competence, integrity and honesty. More recently, we have proposed[12] the introduction of an enhanced Individual Accountability Framework (IAF) for individuals, particularly senior individuals, working in regulated financial services firms in Ireland.
The four key components of this proposed framework are:
- Conduct Standards which will set out the behaviour the Central Bank expects of regulated financial services providers (RFSPs) and the individuals working within them;
- A Senior Executive Accountability Regime (SEAR) which will ensure clearer accountability by placing obligations on firms and senior individuals within them to set out clearly where responsibility and decision-making lies for their business;
- Enhancements to the current F&P Regime to strengthen the onus on firms to proactively assess individuals in controlled functions on an ongoing basis, and to surmount some current limitations of the F&P Regime; and
- A unified enforcement process, which would apply to all contraventions by firms or individuals of financial services legislation.
In evolving the individual accountability framework, we are of course keen to ensure that we do not unbalance the framework of collective decision-making and individual accountability by an increased focus on the individual aspects. In fact, we expect that enhancing individual accountability should result in better collective decisions due to a heightened awareness on the part of individuals of their own increased accountability for the discharge of their function, including with respect to their participation in collective decision-making. We expect that the new framework will reflect this in the obligations of individuals.
We are working closely with the Department of Finance to develop this framework, so that the necessary legislative proposals can be brought forward as soon as possible, after which we will be in a position to consult publicly on the proposals and will look forward to engaging further with you then.
Diversity & Inclusion
While some firms are starting to make progress, much more needs to be done to increase the diversity of experience, thought, background and attributes at senior levels, to reduce the likelihood of groupthink, reduce overconfidence, improve decision-making, increase the level of internal challenge, improve risk management, and reduce excessive resistance to external challenge.
This is becoming even more important as we strive to deal more effectively with the complex challenges we face today and respond to the evident unequal effects of the pandemic. It is in times of change and uncertainty when qualities such as resilience and innovative thinking are essential, and the value of diversity of background, thought and experience is all the more important.
The Central Bank will continue to require improvements in this area[13]; undertake detailed and thematic reviews[14]; and publish research and information on the issues and progress (or lack thereof) in improving diversity and inclusion in regulated firms[15].
Technology and innovation
Advances in technology are bringing rapid and deep changes to the financial services sector. These are impacting business models, decision-making, systems and processes, and products. They are having a material effect on the operation of financial markets, financial supervision and the economy.
Financial services firms are looking to innovation, such as increased automation; digitisation of processes; the use of algorithms; and machine learning to deliver cost reductions and efficiencies, and competitive advantage resulting from improved customer offerings. Big Data Analytics can allow for advanced risk assessment and pricing[16].
New payment methods and platforms bring challenges for the traditional role and dominance of banks in this area, while digital payment channels have lowered the barrier to entry for alternative providers.
Innovation has the capacity to bring many benefits for consumers, the economy and society in general. It is essential to the effective functioning of a competitive economy.
Customers require firms’ systems and data to be available, reliable and secure. This is also important for financial stability reasons. Digital transformation can, without proper oversight, increase vulnerabilities in firms’ IT operations, with increased risks around IT failures, outages and cyber-attacks. Firms must strive to minimise the frequency and impact of issues and have an ability to recover quickly from them. Resilient systems are a fundamental pre-requisite for successful innovation.
The importance of operational resilience has been further reinforced by the experience of the immediate shock from COVID-19 and the ongoing shift in consumer behaviour and reliance on remote working. Given the importance of operational continuity for the stability of the system and for consumers, businesses and the wider economy, we will continue to challenge how firms are ensuring that risk and control frameworks are operating effectively under the current working environment and are prepared for unforeseen operational disruptions.
It is important to emphasise that ultimate responsibility for a firm’s IT risk, strategy and governance rests with the Board, including the adequacy of digital and IT strategies to deliver and support business strategies and plans. Boards must firstly ensure they themselves have the skills and knowledge to meaningfully understand the risks their organisation faces and the responsibilities they bear. In order for the IT function to be able to operate within set risk tolerances, Boards are expected to allocate and periodically review appropriate IT budgets to safeguard the operational resilience of the IT framework. In this regard, the Central Bank expects Boards to approve, oversee and review the implementation of Business Continuity Policies and Disaster Recovery Plans. Furthermore, Boards are expected to obtain independent assurance on IT governance by approving and periodically reviewing the IT audit plans and by being informed in a timely manner of IT related incidents and their impact on their firm’s operations[17].
Proposed upstream legislation, such as the EU digital operational resilience act (in short DORA)[18] or the revised EU directive on security of network and information systems (NIS2)[19], will also seek to further strengthen the governance and oversight frameworks of IT risk.
Climate change
Finally, I want to turn to climate change and sustainability. Until recently, these would not necessarily have been seen as areas of legitimate interest of central banks and regulators. It is now clear that the macro-prudential policy, economic advice, financial stability, and consumer and investor protection implications of climate change put it firmly in the bailiwick of Central Banks and regulators.
As the President of the ECB, Christine Lagarde, has recently said[20], “Inaction has negative consequences, and the implications of not tackling climate change are already visible. Globally, the past six years are the warmest six on record, and 2020 was the warmest in Europe. The number of disasters caused by natural hazards is also rising, resulting in $210 billion of damages in 2020. An analysis of over 300 peer-reviewed studies of disasters found that almost 70% of the events analysed were made more likely, or more severe, by human-caused climate change.” In this context, the ECB is assessing how climate risks and environmental sustainability considerations are relevant in the pursuit of its mandate as part of its ongoing Strategy Review, to which the Central Bank is an active participant.
So, the question becomes not whether we should focus efforts on climate change, but how and what should we focus on. I believe we have a role in both mitigating the risks from the effects of climate change and taking actions that reduce these effects.
Boards and executives need to meaningfully act now to understand and address the challenges associated with climate change. In order to mitigate the risk and adequately position themselves to respond to these challenges, opportunities and regulatory expectations, firms will need to understand the impact of climate related risks on their business environment, their business models and investments. This requires lessons to be learnt from the pandemic, changing how we think about risks and probabilities over the longer term.
The Central Bank is a significant participant in financial markets itself, through its investment portfolio for example. Investment choices are increasingly informed by climate and sustainability related considerations[21].
As members of the Network for Greening the Financial System[22] and the wider European regulatory system[23] you can expect the Central Bank to become increasingly active and intrusive in its approach to the supervision of climate change risks. Action is required by us all now. You can expect us to be seeking evidence that:
- Boards are meaningfully considering climate change risk;
- climate change risks are being incorporated and embedded in organisational risk management frameworks and mitigation;
- climate risks are being considered as part of stress testing; and
- the EU taxonomy of sustainable activities[24] is being proactively applied.
I will conclude here.
Unprecedented is an overused word. It is perhaps fair to say we are living through times that are unprecedented in living memory. But it is important that we do not believe that there is nothing that we can learn from history – from precedents – whether recent or long past.
Moreover, we can also learn from our experience in the pandemic, about how our core assumptions can prove to be unreliable, and about how we think about future events that may seem improbable in a given year but have a near certainty of occurrence over time. Applying these lessons well will be important in how we emerge from the pandemic and how we meet the uncertain challenges ahead, whether these challenges arise from climate change, technology or some other source.
Finally, the pandemic also reminds us of the importance of the basics, the fundamentals of good hygiene, of compliance, of minding those around us, of basic risk management. Improvements in the fundamentals of better governance; better risk management; improving your understanding and testing your assumptions; and actively considering what could go wrong and preparing for it are critical to the financial system being resilient and trustworthy; and sustainably serving the needs of the economy and its customers.
I thank you for your attention and look forward to our discussion.
[1] With thanks to Lisa O’Mahony, Joern Dobberstein, Pamela Farrell and Tony Cahalan for their assistance in preparing these remarks
[12] In line with the Central Bank’s submission to the Law Reform Commission in 2017, and our recommendations to the Minister for Finance in 2018
[17] Our expectations are outlined in more detail in the Central Bank’s Guidelines on Information Technology and Cybersecurity Risks and on outsourcing through the publication of a 2018 outsourcing discussion paper. The Central Bank will shortly publish a public consultation on proposed cross-industry outsourcing guidance which will re-iterate our expectation of high standards with regard to the governance and oversight of outsourcing arrangements.
[21] In relation to the equities component of these investment assets, compliance with the UN-supported Principles for Responsible Investment (PRI) was a condition in allocating the mandate for this portfolio. In relation to the bond component of these investment assets, the Bank holds eleven green bonds and is aiming to increase its exposure to green bonds in its investment assets in 2021. In addition, Eurosystem central banks have agreed a common stance for climate change-related sustainable and responsible investment principles for euro-denominated non-monetary policy portfolios that they each manage under their own responsibility. The common stance prepares the ground for the measurement of greenhouse gas (GHG) emissions and other sustainable and responsible investment-related metrics of these portfolios. The Eurosystem aims to start making annual climate-related disclosures for these types of portfolios within the next two years, using the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD) as the initial framework. The Bank is fully aligned with this timeline and approach.
- Climate change mitigation
- Climate change adaptation
- The sustainable use and protection of water and marine resources
- The transition to a circular economy
- Pollution prevention and control
- The protection and restoration of biodiversity and ecosystems