What are the key changes?
The revised Code will come into force on 1 January 2015. The existing Code remains in force until then. There is a new overarching general requirement in the Code that “the system of governance shall promote and communicate an appropriate risk and compliance culture at all levels of the institution”.
Some of the key changes include:
Probability Risk and Impact SysteM (“PRISM”): The revised Code replaces the terms “Major” and “Minor” institution with the Central Bank’s PRISM designations, i.e. High, Medium High, Medium Low and Low Impact. This highlights the Central Bank’s increasing focus on its PRISM system of supervision and enforcement.
Chief Risk Officer (“CRO”): Institutions must formally appoint a CRO. The CRO must have the relevant expertise, qualifications and/or background, or else be required to undertake relevant and timely training. The CRO must challenge decisions that may affect the risk exposure of an institution. The responsibilities of the CRO are also set out in detail in the Code and include maintaining and monitoring the effectiveness of the institution’s risk management system; ensuring that the institution has effective processes in place to identify and manage the risks which may threaten the institution; and providing comprehensive and regular information to the board on the institution’s risk. This is the CRO’s primary responsibility. The responsibilities also include promoting sound risk management “both on a solo and consolidated basis”, ensuring that there is an appropriate risk culture throughout all levels of the institution, and helping the board decide how much risk it wants to take on (risk appetite). The risk management system will be subject to frequent internal review. The CRO must also promote and communicate an appropriate risk and compliance culture at all levels of the institution.
Risk Committee: The risk committee must also have a minimum of three members, but can increase in size to “handle the nature, scale and complexity of the business conducted by it”. Both the chairman and the members will be (independent) non-executive directors. There should be relevant risk expertise.
Contingency plans: The board must address identified risks with contingency plans based on the areas where it considers the institution to be especially vulnerable; the risk appetite of the institution; and the risk management system of the institution. These contingency plans shall be reviewed, updated and tested on a regular basis. A board’s consideration of a risk-related issue can be “enhanced” by members who are part of more than one sub-committee, i.e. the Audit and Risk committees. This is because “members serving on more than one board sub-committee…may gain a greater appreciation of risk considerations across the institution”.
Shared Committee Membership: An emphasis has been placed on sharing committee memberships, due to the fact that “board consideration of risk-related issues may be enhanced by members serving on more than one board sub-committee, as members may gain a greater appreciation of risk considerations across the institution”. The audit and risk committees will be required to share a member.
Audit Committee: The audit committee shall have a new minimum of three members. All members should have relevant financial expertise and at least one member must have an appropriate qualification. There must also be a shared member between the Risk and Audit committees. For High Impact institutions, there will be a shared member between the Risk and Remuneration committees. As a whole, the audit committee shall have relevant financial experience and it will be a requirement for at least one member to have an appropriate qualification.
The Board: The Board is responsible “for the effective, prudent and ethical oversight of the institution” and is also tasked with overseeing:
- The setting of the business strategy of the institution
- The amounts, types and distribution of both internal capital and own funds adequate to cover the risks of the institution
- The strategy for the ongoing management of material risks including, inter alia, liquidity risk
- A robust and transparent organisational structure with effective communication and reporting channels
- A remuneration framework that is in line with the risk strategies of the institution
- An adequate and effective internal control framework, that includes well-functioning risk management, compliance and internal audit functions as well as an appropriate financial reporting and accounting framework
All institutions must put in place a written diversity policy for board membership. Institutions will be required to formally review the membership of any non-executive director who has been a member of the board for nine years or more. They must explain to the Central Bank why they want to keep this member. They will also have to repeat the review process annually. The CEO must be formally appointed by the board.
The board shall put in place a formal skills matrix to ensure that there is an appropriate skills mix across members of the board and potential new members should be assessed against the skills matrix during the appointment process.
A skills matrix will be established to “ensure that there is an appropriate skills mix across members of the board”. The skills matrix, including what skills a potential member may have, will be taken into account when looking for a new board member. New members will also have to formally undergo induction training to the board.
The board will have to formally document how it has satisfied itself as to a director’s independence, and be able to explain how this director is independent.
Meetings: The minimum number of meetings for boards has been reduced to at least four per calendar year and at least once per six months. Where relevant, directors should attend each committee meeting in person. If this is not possible, videoconferencing or telephone is allowed.
Directorships: A board member may not hold more than five directorships of institutions, including those that are based outside Ireland. The Central Bank must give prior approval if a person wants to become a director of more than five institutions, and a detailed case must be made by the institution explaining that the person has enough time. For non-financial institutions, the limit is nine directorships, and similar conditions apply.
Chairman and CEO: The Chairman of an institution is not permitted to hold the position of Chairman or CEO of another institution, including those that are authorised outside Ireland, unless the institutions are not graded High Impact and provided he has sufficient time to properly carry out his role as chairman. Permission is still required from the Central Bank, however.
The CEO of an institution can no longer hold more than one position of CEO, even if the second institution is outside Ireland. However, if the institutions in question are graded Medium Low or Low, a CEO may hold up to two additional positions, provided that the individual has sufficient time to carry out their responsibilities and provided that they seek the prior approval of the Central Bank.
Changes relevant for “High Impact” institutions only
- The CEO will be unable to hold the position of CEO in any other institution, including firms authorised outside Ireland
- The Chairman will also be unable to be Chairman of more than one institution, including institutions authorised outside Ireland
- High Impact institutions are required to appoint a separate Chief Financial Officer, unlike lower impact institutions, which can assign the job to an existing employee. It is also possible for High Impact institutions to do this, but only with the permission of the Central Bank