Parliamentary Commission on Banking Standards
Written evidence from Stilpon Nestor

I. Introduction and Synthesis

I was initially asked to provide some thoughts to the Committee on four points related to the corporate governance of banks:

1. The impact of the regulatory framework on governance;

2. The challenge of risk governance for boards;

3. Getting the board profile right; and

4. The importance of board evaluation.

Following the panel discussion with the subcommittee on 27 November 2012, the secretary of the Committee asked me to address four supplementary questions on behalf of the Chairman. The first three of these questions are taken up as items VI-VIII in the present submission. Supplementary question 4 is already addressed in current section V.

I believe that the most important systemic governance issue that policy makers need to address has to do with increasing regulatory complexity and supervisory expectations on the role of the board as a compliance agent. Ever more detailed regulation of banking risk has a significant downside when it comes to governance: it imposes a uniform point of view on risk across the sector and dampens challenge. Boards are unlikely to be able to see risks other than the ones regulators want them to see. When it comes to risk governance, boards should focus on what they are most equipped to do: setting risk appetite, regularly monitoring the risk profile of the bank and assessing the adequacy of the risk function. In order to meet these challenges and broader societal expectations, banking boards need to be smaller and work harder, although I do not necessarily believe that such requirements should be imposed through mandatory regulation. Non-executive directors (NEDs) need to spend more time with their banks and be paid for it. Every few years, an external governance assessment needs to be performed by a competent and independent third party, regulated by the FSA. This assessment should have a broader scope than externally facilitated self-evaluations. I perceive no need for a separate corporate governance code for listed banks but there might be some added value to a comply-or-explain approach to bank governance, especially for large non-listed banks. The appointment of full-time NEDs might be envisaged in certain cases but, overall, it seems ill-suited to the ownership and control profile of UK banks.

II. The Impact of Ever-More Detailed Regulation on Governance

1. The regulatory framework for banks in the UK and the rest of the EU is based on Basel 2. From a governance perspective the Basel 2 approach has one key systemic flaw: Instead of building a framework within which each financial institution may develop its own methodology for assessing risk, Basel 2 imposes a uniform, detailed (albeit incomplete) view of banking risk. If risk management is, as one bank chairman puts it, "the mortar of any banking house", regulators decided that only one type of mortar was allowed for building all kinds of banking houses. By doing this they focused on process rather than outcomes.1

2. In the wake of the crisis, Basel 3 greatly expanded the regulatory scope without challenging the regulatory philosophy of Basel 2. On the contrary, Basel 3 has increased regulatory complexity2 and will thus be imposing even more Stalinist uniformity in managing banking risk.

3. As we first argued in a 2009 paper,3 two key Basel governance risks were relevant at the time and remain relevant today.

3.1 Missing the elephants in the room

Boards were following detailed Basel 2 capital adequacy metrics but ended up missing more than one elephant in the risk room such as rapidly increasing gross leverage and decreasing liquidity. While Basel 3 now "catches" these particular elephants, history teaches us that there are others roaming free and undetected—and that sooner or later they will strike. Sovereign risk exposures that carry zero weight in the Basel 3 calculation of the denominator of capital adequacy are a good reminder of the dangers that lie ahead. If all banks are made to think inside the current regulatory box, it is unlikely that they will catch any of these new elephants.

3.2 Less director responsibility

Given the imposed uniformity, directors increasingly feel that their primary accountability lies with their supervisors not with the institutions they lead. They are not willing to challenge the conventional approach, even if some of them do see the elephants. In this looking glass world of regulated uniformity, stewardship becomes a subset of compliance and supervisory hyperactivity becomes a governance risk.

III. The Challenge of Risk Governance for Boards

A bank board's primary responsibility is to direct and control the management of risk — risk governance. In this respect every bank board faces two challenges:

To define the key responsibilities of the board in a value adding way.

To organise the work of the board so that these responsibilities can be adequately discharged.

1. Key Responsibilities of the Board

1.1. Risk Appetite Framework

1.1.1. In the run up to the financial crisis it became clear that risk appetite was a concept that was ill-defined and ultimately misleading: risk appetite was effectively perceived as the amount of risk that bank businesses would choose to assume within a complex framework of limits (that complexity, again) which was constantly shifting and often manipulated by management. In a nutshell, risk appetite was a bottom-up, not a top-down process.

1.1.2. Supervisors now have rightly put risk appetite squarely within the board's remit. Setting the Risk Appetite Framework (RAF) is seen as a top-down process: risk appetite is the amount of risk the bank is willing to take in its various areas of activities within a certain period of time.

1.1.3. Risk appetite is the flip side of strategy. Consequently, the two processes need to be tightly co-ordinated at both board and management level.

1.1.4. RAF should be holistic, encompassing capital, liquidity and all types of banking risk. However, RAF should not be confused with the limit framework of the bank. It is rather a system of thresholds and red flags that helps to shape the limit framework.

1.2. Boards and reputational risk

1.2.1. This is another area that typically lies within the board's remit. The challenge here is to understand the "secondary" nature of reputational risk (ie a risk that materialises when risk events in other "buckets" occur) and its asymmetric impact on the balance sheet4; and to develop coherent metrics and red flags for its measurement and mitigation.

1.3. Monitoring the risk profile of the bank

1.3.1. The board needs a dashboard in order to understand how much risk it is carrying at any given point in time: too much information is as bad as too little information. The dashboard needs to be reviewed regularly.

1.3.2. The dashboard metrics are not necessarily the same as the risk appetite metrics. The risk appetite metrics provide the board with regular assurance that the bank is staying within the path that the board has traced for the given period; they also provide warnings when the bank comes close to the path's borders. The dashboard metrics are not primarily focused on assurance. Their purpose is rather to inform board strategic guidance with a timely snapshot of all kinds of risks the bank is facing. Regular reporting intervals provide directors with an evolutionary perspective.

1.3.3. In multi-entity, multinational groups, the role of the parent board in overseeing and controlling risk across the group has become paramount. The dashboard must give a realistic and fully integrated picture of risks across the group and its banking subsidiaries.

1.4. Overseeing the risk management function

1.4.1. The risk management function is not just a control function; it lies at the heart of a bank's strategy. The adequacy of the risk management function and system is key: the board needs to kick its tyres regularly, independently of management. But this should not result in Risk Management coming under the tutelage of the board. That would only make it less "strategic" and lower its impact on management culture.

1.5. Risk culture

1.5.1. Getting a good grasp of what "risk culture" means is essential. But managing to it is not effective. Culture is process over time and its qualities can only be identified ex post. Boards should be practical about this.

2. Operationalising the Board's Risk Governance Mandate

2.1. Risk and retained authorities

2.1.1. Boards are currently asked by regulators to own too many components of the risk governance architecture. For example, their current ownership of the Internal Capital Adequacy Assessment Process (ICAAP, in its entirety a highly technical document) seems to encourage box ticking rather than a focus on material risk strategy and culture issues. The board should probably own the key principles underpinning ICAAP (possibly set and reviewed as part of RAF), with the rest of ICAAP becoming the responsibility of senior management.

2.2. The profile, role and limits of the risk committee

2.2.1. Following the recommendations of the Walker report, all UK banks have board level risk committees. Most of them are adequately populated by financial industry experts. However, our recent research indicates that UK risk committees work less hard than those of their European peers. One of the key challenges faced is the co-ordination of the work of the risk committee (in charge of following the bank's risk profile, risk appetite implementation as well as the adequacy of the risk management function) with the work of the audit committee (focused on internal control and accounting policies and often guiding operational risk management and provisioning).

2.3. The role of the Chief Risk Officer (CRO)

2.3.1. Consolidating leadership of the risk management function at the highest level is key in changing the risk culture of the organisation. CROs need to be at the very top of the management hierarchy, independent from any business line or P&L centre. They are members of the executive committee in most large European banks. Here, a note of caution is worth repeating: the CRO should remain a key member of the management team. Internal Audit-style independence and a solid reporting line to the board might undermine the strategic "mortar" aspect of the function and unintentionally result in isolating Risk Management from executive decision making.

3. Supervisory Oversight and Assurance

3.1. The importance of the board in risk governance has been recognised by the FSA and other supervisors in the wake of the crisis. Pillar 2 supervisory responsibilities and practice now include a close and consistent review of board governance. The FSA has also recognised that its focus on governance needs to be underpinned by external assurance. It has stepped up the use of external consultants (so called Section 166 consultants) in this respect. What is important is that these consultants are controlled for competence, skill and independence (eg absence of conflicts) by the FSA and, in the future, the Prudential Regulation Authority (PRA). Steps are being taken to this effect but the final shape of supervisory vetting of governance service providers is not yet clear.

3.2. Acknowledging the need for external assurance, the industry via the International Institute of Finance (IIF), is also promoting the idea of regular, firm-wide risk governance assessments with a focus on promoting a better risk culture.

IV. Getting the Board Profile Right

1. In a nutshell, Nestor Advisors' 2012 research on the 25 largest European banks5 suggests that boards of the best-performing banks are on average smaller and more "mature" (on the basis of a synthetic indicator that looks at tenure of the board and its chairman, and the age of its directors). The best-performing banks have boards that work harder and are more available, in terms of other outside commitments of their members. On average, the best performing banks pay their CEO, chairman and non-executive directors (NEDs) more, and put their members to the ballot more frequently than their worst-performing peers. As expectations pile up on boards, NED remuneration gains in importance. In this respect, it might be worth noting that the two government controlled UK banks (RBS and Lloyds TSB) pay their NEDs approximately half (on a calculated per diem basis) of the rate paid by their 3 private sector competitors in our peer group (Barclays, HSBC and Standard Chartered).

2. One negative trend that we have identified is a decreasing number of chairmen with financial industry expertise (FIE)—although this is not the case in the four UK banks that are part of our 25 member European peer group. Our earlier research on this issue in the run up to the crisis suggested that banks with FIEs as chairmen performed better than the rest. That is because stability, continuity and intimate knowledge of often very complex businesses come at a premium. One way to achieve this is to appoint the former CEO as a Chairman, a common practice with several UK banks in the past. While there have been few governance mishaps attributed to this approach, the UK Corporate Governance Code's disapproval has resulted in its gradual abandonment. On balance, I believe that this is unfortunate.

3. Another negative trend that our research has spotted is the dwindling number of executives on banking boards. In my view, it is important to establish direct accountability of the executive team to the shareholders. Executive board membership also promotes the idea of the top executives working as a team rather than being subservient to the CEO. It also provides the board with a better view of the firm's management bench strength.

V. The Importance of Board Evaluation

1. According to Nestor Advisors research, all of the top 25 European banks perform an annual self-evaluation of their boards, while 36% of them use an external facilitator for their self-evaluation. The UK banks have been following this practice for over a decade. This is no surprise given the UK Corporate Governance Code's (UK Code) long-standing emphasis on annual board reviews.

2. The practice of self-evaluation (facilitated or not) is a good one. But the fact is that many of the bank boards that were routinely evaluated, often with external facilitation, were shown to have severe governance weaknesses when the crisis hit. This suggests that simple board reviews are not enough. Institutions that play a systemic role in the economy need more than a regular review of how well the board functions as a team and as individuals, the classic scope of board reviews. The IIF suggests "using self-evaluation as a diagnostic tool to make improvements in board risk governance practices". I would go a step further and suggest that, at least every 3 years, the board should have an external evaluation (which would include a self-evaluation) of its governance practices with a specific focus on risk governance issues by FSA-approved experts (as per above). This would transcend the current cosy confines of self-evaluation and provide boards, shareholders and supervisors with a much higher level of comfort. Currently, the FSA imposes such external governance assessments (which are also recommended by the Basel Committee's corporate governance principles) on an ad hoc basis only in problematic circumstances. Making them regular would enhance director diligence and intensify their focus on governance. It would also avoid governance challenges reaching the supervisor's "red flag" level and resulting in supervisory interventions.

VI. Is there a Case for a Separate or Supplementary CG Code for Banks in Order to Improve Banking Standards? If so, what Aspects of the Current Code and Banking Governance would Benefit from Specific Guidance Over and Above What is in the UK Combined Code?

1. In principle, Codes6 should not be considered a direct alternative to prudential regulation, meant to protect depositors and the integrity of the banking system as a whole. Outcomes that are essential to the achievement of these objectives should be imposed through mandatory regulation. In contrast, codes are a means of driving convergence towards a desirable standard without the "downside" of dis-allowing actual or potential alternatives. This is because these alternatives might actually prove to be beneficial to individual banks and to the system as a whole. Most importantly, codes provide for transparency of governance practices. Here, one should note an important difference between best practice or supervisory guidance and codes. The former, even when "voluntary", do not yield market-wide information on firm-specific practices; they limit information supply to the supervisor. In addition to allowing for an explanation in case of non-compliance, codes also render the Code, politicians, and employees) with governance information, codes encourage direct cross-pollination between firms and spur the continuing development of best practice.

2. On the basis of the above benefits, one can think of two reasons for developing a Banking CG Code:

2.1. The current UK CG Code for listed companies is not adequate for banks that are listed.

2.2. There is a need for common standards and CG transparency among the large population of non-listed banks, including UK subsidiaries of international groups.

3. To begin with, it is worth noting that FSA guidance on some key governance areas related to the profile and structure of bank boards is already in place. This is also true for certain board responsibilities and authorities that constitute regulatory requirements. The EU 8th Company Law Directive (Directive 2006/43/EC on statutory audits) requires boards of all "public interest" entities to have an Audit Committee; this definition includes banks.

4. As regards 2.1, I believe that there is little need as such for a specialised Bank CG code for publicly listed banks. The great majority of the UK CG Code provisions seem perfectly adequate for banks. There might be a case for a different benchmark standard in a few areas where the banks are truly idiosyncratic.7 These include the profile of the chairman, the need for a board risk committee, the financial sector expertise of directors as well as their workload.

5. However, there is significant downside in adopting specialised codes for specific sectors. They introduce "noise" and might actually lower overall transparency in the market. Banks can easily explain their adherence to a different standard on each of these issues under the current Code.

In view of the above, my response to whether there is a case for a separate Code for listed banks is negative.

6. The response to 2.2 seems less clear cut. The City of London is full of foreign controlled subsidiaries of substantial size and commensurate systemic impact. The main street is also witnessing significant penetration by foreign and private equity controlled firms. There are a number of challenges in the way the FSA exercises its "Pillar 2" supervisory mandate as regards these firms:

6.1. The FSA often directs non-listed banks to adopt governance arrangements similar to those of the UK Combined Code. These might be inadequate for smaller firms or for firms with a very specific, narrow mandate. As regards subsidiaries of foreign groups, such arrangements might actually weaken group-wide governance and control functions and processes, at least in certain circumstances. The "group" non-executives (ie senior management of the parent) often play a role equivalent to that of full-time NEDs, as discussed in section VIII.

6.2. There seems to be limited understanding of (or little systematic effort to understand) parent governance arrangements, and to evaluate subsidiary governance in a "group" context.

6.3. It is not clear whether there are de minimis rules in directing firms to adopt certain governance arrangements or whether the supervisors "risk weight" their prescriptions for different firms.

6.4. There is little market transparency of governance outcomes, so that (a) market players can learn from each other and (b) consistent best practice driven by the institutions themselves may emerge across the universe of non-listed regulated companies.

7. In view of the above it might be worth considering a comply-or-explain CG Code for banks. Listed banks would implement such a code in parallel to the UK CG Code (this might generate significantly more "explaining" than "complying" with the latter). This code could directly tackle some of the specific challenges for non-listed private and foreign owned banks identified above. In addition to improving transparency on bank governance, a comply-or-explain approach towards all banks might also generate scale economies on the supervisory side by focusing the FSA (PRA)'s attention on firms where significant issues of compliance (or weak explanation) emerge. The "ownership" of the Code and the responsibility for its implementation should combine effective buy-in by both the industry and the supervisor.

VII. Are Banks having Difficulty in Recruiting and Retaining Non-Executive Directors? If So, what Needs to Change in the Significant Influence Function Process

1. The Significant Influence Function (SIF) process might have deterred certain candidates from agreeing to be nominated to bank boards, although I have no concrete evidence on this point. My view is that UK based candidates with suitable financial sector expertise are unlikely to have been put off by the process. Nevertheless, the SIF process might have had a deterrence effect in two respects:

1.1. It might have driven away desirable "diversity" NED candidates, ie NEDs that add value not through their banking knowledge and experience but through their capacity to articulate a different perspective, relevant to the business of a bank. Their need as a counterweight against group thinking on any bank board is widely accepted. I do not think that attracting such candidates was taken into consideration in designing the SIF process, nor that the supervisors did their behavioural science "homework" in preparing the interview template.

1.2. It might have made it more difficult for non-English native speakers with banking experience to be favourably considered by FSA interviewers. This might be especially tough on the large population of foreign bank subsidiaries who legitimately count home country senior management among their non-executive members.

2. As implemented over the 2009–12 period, the SIF process had several weaknesses. Mandatory interviews suffered from questionable credibility and a relatively low cost-benefit yield. Most importantly, they constituted one more step towards "de-responsibilising" boards as regards their own profile and adequacy of composition, a responsibility which both the Basel Committee and the European Banking Authority (EBA) require them to assume. Less responsibility eventually means less accountability to both shareholders and supervisors should things go wrong. I therefore welcome recent changes implemented by the FSA scrapping the mandatory pre-nomination screening of all candidates. In principle the FSA (PRA) should rely on the quality of a firm's nomination policies and procedures. It should stay assured of the robustness of such policies by means of its own or a third party's regular review. In this respect, nomination policies, procedures and outcomes should come within the scope of the regular, third party CG evaluations proposed in Part V. Only in cases where real doubts exist about the capacity of an individual to assume a directorship (mostly related to fit-and-proper issues) should the PRA focus on the individual's profile and competence. When interviews by the supervisors are regarded as necessary, their methodology should explicitly take into consideration points 1.1 and 1.2 above.

VIII. What is the Level of Expertise Required on Boards, Especially on the Technical Committees

Should there be restrictions on NED board mandates such as those the UK Code imposes on full-time executive directors?

Is there a merit in considering full time NEDs, at least for those who chair Audit and Risk committees? What are the pros and cons?

1. The general part of the question in the title is addressed in Part IV above.

2. As regards restrictions on board mandates, it is my view that bank NEDs need to limit their other board mandates and that banks do indeed need to be benchmarked against a higher NED "workload" standard on a comply-or-explain basis. However, I believe that a compulsory limitation would be counterproductive for a number of reasons:

2.1. Some NED candidates might need to go through long sunset periods in existing NED positions.

2.2. A NED's existing board positions might actually be valuable to the particular board. Boards benefit from "knowledge import" and cross-pollination from external director mandates.

2.3. There might be cases where the value added that a particular candidate brings is so important that an "explanation" against the standard should be acceptable.

3. Let me turn to the issue of full-time NEDs. Prima facie their appointment might be considered welcome, if the goal is to make banking boards more "professional". Full-time NEDs would, at least in theory, be experts with time on their hands to apply a hands-on approach, especially in areas such as risk and audit committee work. Being hands-on also increases their "challenge" capacity and their control potential which, in its turn might allow the whole board to be more challenging of management. But full-time NEDs also come with significant downsides:

3.1. A full-time NED stops acquiring experience and knowledge from his/her other activities. In a business such as banking, where practices change quite frequently and need to be constantly adapted to changing business and consumer patterns of behaviour, this weakening of "knowledge import" might constitute a considerable disadvantage.

3.2. As knowledge import weakens, the potential for "in-the-box" thinking becomes greater; and the "box" is more often than not that of the firm's executives. The challenge potential, one of the theoretical advantages of this approach, might actually be smaller than one thinks.

3.3. With bigger control authority comes more individual power, and the potential for abuse. The collective power of the board might be weakened as the power of certain individual NEDs grows. Power centres within the board might multiply, undermining the "unifying" authority of the Chairman and potentially creating a disruptive cacophony.

3.4. More individual power can also entice full-time NEDs to micro-manage. In its turn, this might lead to a weaker distinction between governance (directing and controlling) and management.

3.5. The most important downside of full-time NEDs relates to their independence and accountability. Only independently wealthy retirees would be able to claim the economic independence which, in fine, underpins the concept of an independent director. Everyone else would in essence be dependent on the company for his/her continuing livelihood.

4. Limited independence points to the narrow limits of the full-time NED approach. Its effectiveness depends on the existence of strong principals, usually in the form of "reference" shareholders with significant power. This is, for example, the case in Turkey where most large banks appoint a full-time NED to run their audit committee. Each one of these banks has at least two significant shareholders of reference. They not only provide for NED accountability but also make it difficult for any one of the reference shareholders to "hijack" NED loyalty; the other(s) are always watching. Where principals are weak and agency problems are likely to be present, full-time NEDs are more likely to either be captured by management or themselves "capture" the board, as discussed above.

5. There are alternatives to full-time NEDs that can bring some benefits with fewer downsides. Santander, for example, has a significant minority of executive directors on its group board. At least three of them do not have specific executive tasks as heads of functions or businesses within the bank structure. They are there to provide oversight in key areas such as risk and strategy. These "roaming" executive directors are, in a sense, "independent executives". They are directly accountable to shareholders, with a hands-on approach and a mandate to guide, closely supervise and challenge management.

4 January 2013

1 In addition, Basel 2 allows the most sophisticated banks to develop “equivalent” mortar in the form of “advanced” methodologies as long as they address capital adequacy in all its Pillar 1 detail. This has been treated by the most sophisticated (and more systemically important) banks as an open invitation to create even more complicated and opaque risk and capital management systems.

2 Andrew Haldane, Executive Director of the Bank of England, has extensively addressed this point in various speeches and papers.

3 Ladipo, D. and Nestor, S. (2009), ‘Bank Boards and the Financial Crisis – A corporate governance study of the 25 largest European banks’.

4 This refers to the amount of direct monetary losses due to the primary risk realization being sometimes only a fraction of the value lost due to the reputational (or “franchise”) impact.

5 Khalilulina, D. and Nestor, S. (2012) ‘The New Normal - A summary report on the corporate governance of Europe’s top 25 banks’.

6 I take the question to refer to a comply-or-explain Code as opposed to mandatory regulation.

7 How and why these standards might differ from current UK CG Code standards is sporadically discussed in other parts of this submission.

Prepared 24th June 2013