Directive 2013/36/EU (CRD) sets out specific provisions regarding the role, tasks and requirements for the risk management function (RMF) and the head of the RMF.

Article 76(5) of the CRD requires, inter alia, that the RMF be independent from the operational functions, ensure that all material risks are identified, measured, and properly reported, and be actively involved in elaborating the institution's risk strategy and in all material risk management decisions. The RMF shall also be able to report directly to the management body in its supervisory function, independent from senior management, and raise concerns and warn that body, where appropriate, where specific risk developments affect or may affect the institution, without prejudice to the responsibilities of the management body in its supervisory and/or managerial functions. The head of the RMF should be an independent senior manager with distinct responsibility for the risk management function, able to have direct access to the management body in its supervisory function where necessary.

The revised EBA Guidelines on internal governance (EBA/GL/2021/05) specify further the CRD provisions and the requirements for the internal control functions (including the RMF) and their heads.

Paragraph 175, letter a, of the Guidelines indicate that “in order to be regarded as independent, the staff of internal control functions should not perform any operational tasks that fall within the scope of the activities the internal control functions are intended to monitor and control”.

With specific reference to the RMF, the Guidelines (paragraph 183) indicate that the RMF should be independent of the business lines and units whose risks it controls but should not be prevented from interacting with them. Interaction between the operational functions and the RMF should help to achieve the objective of all the institution’s staff bearing responsibility for managing risk.

In addition the guidelines specify that “the head of the RMF should have sufficient expertise, independence and seniority to challenge decisions that affect an institution’s exposure to risks” (paragraph 201), that it “should be able to challenge decisions taken by the institution’s management and its management body”, and that “if an institution wishes to grant the head of the RMF the right to veto decisions made at levels below the management body, it should specify the scope of such a veto right, the escalation or appeal procedures, and how the management body will be involved” (paragraph 202).

In the context of credit processes, the EBA Guidelines on loan origination and monitoring (EBA/GL/2020/06) define that the term ‘Credit decision-maker’ means a credit committee or committees and individual staff members with delegated credit decision-making powers, as set out within the credit decision-making framework specified in the institutions’ policies and procedures. The tasks of the committee in question include the responsibilities of a ’credit decision-maker’, the EBA’s answer therefore refers to the term ‘ Credit Committee’ as part of the first line of defence and not ‘Credit Risk Committee’ as used by the submitter.

Furthermore, the EBA Guidelines on loan origination and monitoring, in line with the EBA Guidelines on internal governance, additionally clarify that “if the institutions grant specific veto rights in relation to positive credit decisions to the head of the risk management function, institutions should consider granting such veto rights to additional staff members within the risk management function for specific credit decisions, to ensure that such a veto can be exercised, if appropriate, at all levels of the credit decision-making framework below the management body. Institutions should specify the scope of these veto rights, the escalation or appeal procedures, and how the management body will be involved”.

In the light of the above, the appointment of the head of the RMF (Chief Risk Officer, CRO) as chair in an institution’s Credit Committee is not compliant with the rules on internal governance set out in the CRD as further specified in the EBA Guidelines. However, the head of the RMF may participate in the Credit Committee without the right to approve decisions, but with the right to challenge, object to or veto decisions - this latter only at decision level below the ultimate level of decision – as provided for in paragraph 202 of EBA/GL/2021/05.

Indeed, the participation in the Credit Committee as chair makes the head of the RMF directly responsible for the decisions that are taken, implying operational tasks, thus undermining the independence from the business lines or units that the head of the RMF controls and endangering the head of RMF’s ability to challenge the decisions made.

The EBA Guidelines on internal governance make it clear that the head of the RMF should have sufficient independence to challenge decisions that affect an institution’s exposure to risks, and that he/she may be granted a right to veto decisions only if the following conditions are met:

- the decisions are made at levels below the level of the management body, which bears ultimate and overall responsibility for the institution; and

- the scope of the veto right, the escalation or appeal procedures, and how the management body will be involved are specified clearly by the institution.

This is in line with the guidelines that specify also that the RMF’s involvement in decision-making processes should ensure that risk considerations are taken into account appropriately.

However, accountability for the decisions taken should remain with the business and internal units, and ultimately the management body.

In case of significant concerns, the head of RMF would in any case be able to report directly to the supervisory function of the management body.