Nsight Blog | Ncontracts

A Guide to Governance for Financial Institutions

Written by Rafael DeLeon | Feb 13, 2025 8:00:00 PM

It’s time to set the record straight: governance is not just about following rules and regulations.  

While financial institutions have a legal responsibility to their stakeholders and consumers, governance goes beyond merely checking compliance boxes; it’s the foundation of a resilient, strong, and sound financial institution (FI).  

Unfortunately, too many financial institutions take a reactive approach to governance. They fail to seize strategic opportunities and learn how to leverage governance strategies to thrive in an era of constant change.  

So, where are FIs going wrong with governance? What can we learn from past enforcement actions that address governance issues? And how can FIs take a proactive stance toward governance? Let’s explore. 


What is governance? 

Governance refers to the internal rules, processes, policies, and structures that guide an organization’s decision-making and strategy. It defines how an organization is controlled and operated, including roles and responsibilities. 

As an organization's foundation, the governance strategy provides accountability and transparency and ensures that the institution operates responsibly, sustainably, and in accordance with its mission, vision, values, and risk appetite.

Governance also plays an important role in strategic growth, transforming risks — including compliance, operational, and third-party risks — into assets. Institutions with strong governance make smarter decisions, respond faster to crises, and create sustainable competitive advantages.  

What are the essential components of governance? 

While every financial institution’s governance looks different based on its size, resources, and market, some key components make up a strong framework:  

  • Roles and responsibilities: Everyone, from board members to senior management and other stakeholders, needs to know their duties and contribute to the institution’s success. Leaders must communicate the roles and responsibilities of everyone involved to prevent overlap or address gaps that could lead to regulatory issues or operational failures.
  • Strategic alignment: Governance isn’t limited to meeting regulatory obligations. Good governance practices should also align with an organization’s strategic goals. By integrating governance with strategic planning, organizations can ensure that their governance practices are proactive rather than reactive and help foster a culture where governance is viewed as a fundamental aspect of achieving long-term success rather than just a regulatory requirement.
  • Risk management: A risk management strategy is vital within a governance framework. It requires a thorough understanding of risks and how they can affect the organization. 
  • Operational resilience: Operational risk is the risk of financial loss when processes, people, or systems fail. Operational resiliency is an institution’s ability to maintain its core functions before and after those failures, which include incidents such as natural disasters and security threats like a gunman in or near the branch. By committing to operational resilience, institutions can better navigate challenges while maintaining compliance and protecting their stakeholders and customers. 

Related: Business Resiliency: Your Guide to Business Continuity Management 

Governance can be further broken down into a few key areas:  

Corporate governance

The Office of the Comptroller of the Currency describes corporate governance as the “authorities and responsibilities of the board and senior management, in their respective roles, to govern the bank’s operations and structure.” It typically includes the bank’s board of directors (BOD), management (CEO, CRO, etc.), shareholders, and other stakeholders (compliance officers, risk management team members, etc.).  

Risk governance 

Risk governance is part of corporate governance. It applies corporate governance principles to the institution’s risk management plan and includes the policies, processes, personnel, and control systems that support risk-related decision-making.   

Related: Essential Risk Assessments for Financial Institutions 

What do regulators say about governance?

While governance isn’t only about adhering to regulatory guidelines, the topic has become a growing concern among regulators. A lack of effective governance — alongside unmanaged innovation risk, insufficient Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) programs, and violations of fair lending practices — is one of the most frequent issues identified in consent orders issued in 2024.  

The Comptroller’s Handbook: Corporate and Risk Governance from the Office of the Comptroller of the Currency (OCC) emphasizes that a robust corporate and risk governance framework is essential for the sound operation of banks. It notes that governance practices must align with a bank's size, complexity, and risk profile. As such, larger or more complex FIs should have more sophisticated and formal board and management structures and processes.  

In addition to the OCC, other regulatory bodies, including the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board, and the Consumer Financial Protection Bureau (CFPB), also offer guidance on governance practices to help ensure that financial institutions meet necessary standards.  

Related: Laws vs. Regulations vs. Guidance: What's the Difference? 

Governance gone wrong: the Wells Fargo story

In recent years, Wells Fargo's account opening scandal has been one of the most egregious examples of poor governance.  

Wells Fargo & Company and its subsidiary, Wells Fargo Bank, agreed to pay a $3 billion settlement for consistently pressuring employees to meet unrealistic sales goals from 2002 to 2016, ultimately leading to millions of unauthorized accounts and misuse of customer information. "This case illustrates a complete failure of leadership at multiple levels within the Bank. Simply put, Wells Fargo traded its hard-earned reputation for short-term profits, and harmed untold numbers of customers along the way," said U.S. Attorney Nick Hanna for the Central District of California.   

But false accounts were the tip of the iceberg. Other controversies included charging 570,000 customers for unnecessary auto insurance, illegally repossessing cars from service members, overcharging small businesses for credit card transactions, and mishandling high-net-worth customers' personal information. Shortly after launching a "Re-Established" ad campaign to rebuild trust, the bank found itself in trouble again by settling SEC charges for encouraging inappropriate trading practices. 

The problem is that management and the board failed to consider the risks of pushing staff to meet extremely aggressive sales goals. They didn’t align strategy with risk.   

Wells Fargo is just one example of an institution reaping the consequences of its actions. However, poor governance goes beyond compliance issues; it's ultimately a failure in leadership that can derail an institution. That's why governance is integral to your institution's enterprise risk management strategy. 

Related: What TD Bank’s Money Laundering Debacle Teaches Us About Underfunding Compliance 

What role does governance play in ERM?

Enterprise risk management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as the "culture, capabilities and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value."  

Governance plays a crucial role within COSO's ERM framework and is one of five components of a successful ERM program. The components that create governance and culture include: 

  • Exercising board oversight 
  • Establishing operating structure 
  • Defining the desired culture  
  • Demonstrating commitment to core values 
  • Attracting, developing, and retaining capable individuals  

How can FIs implement better governance strategies? 

So, how can financial institutions incorporate governance into their risk management strategies while taking advantage of strategic opportunities? Here are some best practices:

  • Align risk management with strategic planning. Sound governance begins and ends with strategic planning. Leaders should include robust risk monitoring and compliance controls, incident response plans, stakeholder involvement in risk management, and a SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats) in their strategic plans. 
  • Require risk assessments. Well-executed risk assessments are key to uncovering risks, establishing controls to mitigate them, and empowering the leadership to make strong, risk-focused decisions. 
  • Build a better board-management relationship. While the management team is in charge of daily operations, the board is there to ask the hard questions and challenge the team when necessary. Too often, control at financial institutions is held among a few individuals, which is a major mistake that can result in a lack of transparency and accountability. 
  • Build the right team. A great governance and risk management strategy can’t be executed to its potential without the right team. Weaknesses in employee recruitment, training, and retention can lead to compliance challenges that can easily snowball into other risk areas. The right team is also key to building a successful compliance culture.
  • Consider the Three Lines Model. A structured approach to governance is critical. The three lines in the model include operational staff managing client interactions and internal controls, risk and compliance roles supporting and monitoring these operations, and an independent internal audit function that evaluates risks and reports findings to the board.
  • Focus on change management. Change, from organizational changes like mergers and acquisitions to regulatory changes like 1071, is inevitable. An enterprise change management approach to identifying, managing, tracking, and responding to changes that have a significant impact on operations is crucial in the institution’s wider governance and risk management strategies. 
  • Don’t forget about reporting. If it isn’t documented, it didn’t happen. While formal reports are crucial, ongoing communication fosters alignment and accountability among stakeholders, enhancing visibility into operations.   

Related: Board and Management Action Plan for Enhancing Resiliency with Sound Governance 

What’s next? Implementing governance the right way 

Remember, governance isn’t just something that happens. It requires an ongoing effort from your institution’s board, management team, risk team, and other stakeholders. Like a compliance culture, a commitment to governance starts from the top down.

Clearly communicate your institution's commitment to governance. Ensure that all relevant processes, policies, and systems are centralized in one accessible location that serves as the definitive source of truth for all appropriate team members. When changes occur, inform team members so they can make adjustments as needed.  

How GRC software can help

An effective governance strategy is a team effort, but the proper governance, risk, and compliance (GRC) software can streamline the process, enabling your team to focus on your strategic objectives and make the best use of your time, money, and other resources. Look for a software solution that meets your financial institution’s needs, whether that means staying current on relevant regulatory updates, simplifying reporting, analyzing risks, monitoring risk with risk evaluation modeling, or more.  

What does strong governance and management look like? 

Find out in our on-demand webinar The ‘M’ in CAMELS: The Role of Risk Management.