**3.2 Governance assessment and the strategic role of risk management: the risk culture**

The second assessment of the SREP process is devoted to the following areas: Internal governance framework; Risk management framework and risk culture; Risk infrastructure and data and reporting.

#### *Basel IV: The Challenge of II Pillar for Risk Management Function DOI: http://dx.doi.org/10.5772/intechopen.96929*

At this stage of the assessment, the main objective of the supervisory authority is to evaluate whether the bank's governance system and risk management process are adequate and consistent with the adopted business model and with what is planned in the risk appetite framework. More specifically, the authority assesses the suitability of the governance and whether the governance is adequately informed about the risks assumed by the bank, the risk management policies, the impact of the risk management policies on the banking activity, as well as the level of capitalisation and whether this level is in balance with the risks assumed. It also assesses whether the bank has remuneration policies that comply with applicable regulations and whether the bank has an adequate system of internal controls (focusing on the risk management and compliance functions), and in particular whether: (a) risk management policies have been properly defined and documented; (b) operational limits to the risk that can be taken are properly defined for the various business units and the bank's risk appetite; (c) these limits are complied with; (d) the risk management function is able to measure, control and manage the risks the bank is exposed to; and (e) the bank in its operations complies with the rules affecting its business and with internal regulations. Finally, in order for the analysis to be complete, the authority examines the technological infrastructure supporting the risk management process, as well as the quality of the data and the data collection mechanism. In fact, it is easy to see how scarce or irrelevant information can compromise the proper operation of the banking business, especially in terms of risk management and control. In summary, the areas impacted by this analysis are:


Particular attention is paid to the assessment of the Risk management framework and the diffusion of an adequate risk culture at all organisational levels of the bank. The attention paid by supervisors to the three corporate control functions, and in particular to the Risk Management function, highlights the strategic role assumed by this function in recent years: there is no possibility of planning the opening of new branches, offering new products or changing the funding plan without taking into account the impact of these choices on the governance of risks, capital and liquidity. Given the strategic role that this function plays in the overall governance of the bank, it is clear that it must be staffed with adequate professionalism to oversee the various tasks and responsibilities that regulation has greatly articulated in recent years. In carrying out its activities, the Risk Management function then has the moral obligation to spread the culture of risk at every organisational level; it is the culture of risk that is the real engine of change to guide the bank in the current hyper-regulated, volatile and complex market context. As pointed out by FSB [12]<sup>22</sup>, "*weaknesses in risk culture are often considered a root cause of the global financial crisis, headline risk and compliance*". A sound risk culture should be able to ensure:


A sound and widespread risk culture is the *sine qua non* for an effectively integrated risk governance that is capable of bringing together, in a reasoned manner, the supervisory and management views, the current and forward-looking perspectives, and the *business-as-usual* and stressed perspectives. The board should continually promote, monitor and evaluate the institution's risk culture; assess the impact of the institution's risk culture on financial stability, risk profile and sound governance and make adjustments where necessary; and provide risk-taking rewards and penalties for those individuals within a bank who are in a position to make decisions regarding the risk they are managing.

For this reason, the culture of risk, being the humus of the sound and prudent management of a bank, cannot remain the exclusive property of the Risk Management function, but must become part of the common language and cultural baggage of the other actors involved in the governance of the company at any organisational level. In this perspective, it seems useful to clarify the skills and professionalism required by the corporate control functions, and therefore also by the Risk Management function.
