Governance
- Anthony Peccia

- Oct 9
Updated: Nov 6
Did they blow up by accident?
In 2024, TD Bank pled guilty in the U.S. to conspiracy to commit money-laundering and paid about $1.8 billion in penalties. The 'Too Dependable' bank turned money-laundering mule — $1.8 billion lesson in oversight. Criminal cash cruised through compliance — the watchdog was asleep. Needed a babysitter for its controls — regulators installed a hall monitor.
In 2020, Citi’s loan ops team checked the wrong boxes, sending $893 million instead of $7.8 million in interest. One wrong checkbox sent $893 million flying — full principal instead of pocket change. Three reviewers signed it off anyway — process obedience beat common sense. Regulators called time on autopilot governance — $400 million for ignoring the obvious. Four years under consent order, same problems, new fine — governance by memo, not execution.
In 2023, UBS finalized its emergency takeover of failing Credit Suisse, orchestrated by Swiss regulators to avert a banking crisis. In 2007, traders pleaded guilty to mismarking securities, inflating values to boost profits and bonuses. In 2019, the bank hired private investigators to surveil a departing executive, triggering a global 'spy-gate' scandal. In 2021, Credit Suisse lost about $5.5 billion on Archegos after failing to act on internal warnings. During Chair Urs Rohner’s decade-long tenure, scandals piled up; his successor António Horta-Osório (ex-Lloyds) resigned months later for breaching conduct rules.
No! They blew up because of multiple failures in Governance!
Governance and what it achieves
Governance in ECRG (Exposure, Controls, Resilience, Governance Risk Management Framework) has one purpose and one purpose only: to ensure that each of Exposure, Controls, and Resilience is properly done.

Governance is the system that defines who must do what, by when, and what happens when they don’t — and ensures that the rules people follow on paper are also the behaviors they follow in practice. It works through three mechanisms.
Roles — who does what and when.
Accountability — what happens when things go wrong or right.
Culture — what people actually do. When the expected and actual behaviors diverge, governance breaks down.
Everything else — frameworks, committees, reports — is a sublevel of this simple MECE.
ROLES
Role | One-Line Summary | Operational Reality |
Board | Sets risk appetite, demands evidence, and challenges management to stay within it. | The Board doesn’t run the risk program; it keeps score and calls time-outs when the play drifts offside. |
Senior Management | Converts appetite into limits, assigns ownership, and ensures E, C, and R are built and maintained. | Senior Management owns execution — they make sure the blueprints of E, C, and R are actually built, tested, and resourced. |
First Line (Business) | Owns exposures, operates controls, executes resilience, and reports truthfully. | They are the doers; if they hand risk work to the 2nd line, governance has already failed. |
Second Line (Risk & Compliance) | Sets the rulebook, challenges execution, and ensures consistency across the enterprise. | They don’t run any part of E, C, R, or G — their job is to ensure the people who do are competent, consistent, and honest. |
Third Line (Internal Audit) | Independently verifies that E, C, and R actually work as claimed. | The “prove it” function — they don’t build or monitor, they verify independently and report directly to the Board. |
Committees | Provide cross-functional challenge and escalation so decisions and information move, not stall. | They’re the wiring — keeping information and accountability flowing across functions instead of getting stuck in silos. |
ACCOUNTABILITY
Aspect | One-Line Summary | Operational Reality |
Definition | Accountability converts expectations into consequences — linking roles to results. | Governance fails when no one owns failures — good systems make accountability unavoidable, not optional. |
Purpose | Ensures consequences, correction, and recognition when E, C, or R are done right or wrong. | It makes the written rules real; without it, roles are just job descriptions. |
Behavioral Essence | Every role has an owner, every failure has an explainer, every lesson has a fix. | Good governance doesn’t depend on good people; it depends on a system where doing the right thing is easier and safer than hiding failure. |
Consequence Design | Consequences make outcomes matter — both good and bad. | Reward expected behavior, penalize bad behavior; otherwise, culture learns the opposite. |
Escalation | Issues must reach the right level fast before they metastasize. | Escalation only works when people feel safe to raise bad news early without punishment. |
Transparency | Keeps performance visible and comparable across the organization. | Hidden information kills accountability; sunlight forces truth. |
Learning & Correction | Converts mistakes into system upgrades, not blame cycles. | Real governance fixes patterns, not people. |
Actions & Incentives | Leaders model the behaviors they demand and reward escalation over concealment. Action at the Top, not Tone at the Top. | Leadership action is the thermostat — it sets what behavior stays normal under stress. |
CULTURE
Aspect | One-Line Summary | Operational Reality |
Definition | Culture is what people actually do. | What people actually do — not what they say — defines the organization. |
Purpose | Ensures E, C, and R are carried out truthfully, rigorously, and transparently in daily work. | Culture determines if the risk framework lives or dies in practice. |
Escalation Behavior | People surface bad news early rather than bury it. | Healthy cultures reward truth-telling; decayed ones shoot the messenger. |
Challenge Behavior | People question, test, and debate decisions instead of deferring to hierarchy. | Real challenge is visible in meetings and decisions — silence signals fear, not alignment. |
Accountability Behavior | People fix problems instead of hiding them. | When the same issue repeats, it’s not a control failure — it’s a cultural one. |
Incentive Behavior | Rewards and penalties reinforce expected behaviors, not just results. | If bonuses depend on output, not conduct, culture will always lose to revenue. |
Leadership Behavior | Leaders act the way they expect others to act, especially under stress. | People don’t copy what leaders say; they copy what leaders do when it’s costly. |
Learning Behavior | The organization updates its playbooks, controls, and plans after each failure. | A learning culture treats incidents as data, not drama. |
KEY TAKEAWAYS
1. Governance’s single purpose is to ensure each of E, C, and R is properly done — designed right, executed right, and corrected when they drift.
2. Roles define who does what; Accountability defines what happens next; Culture determines what people actually do.
3. Governance begins with written rules but survives only through consistent behaviors.
4. Accountability converts expectations into consequences — it’s the link between rules and results.
5. Policies and committees don’t fix behavior gaps; incentives, transparency, and escalation do.
6. Behavior drift — when actual actions deviate from expected ones — is the earliest sign of governance decay.
7. Effective governance makes doing the right thing easier, safer, and faster than hiding the truth.
I think that these banks don’t blow up on the day of the scandal.
They blow up way earlier, the moment people start cutting tiny corners and calling it normal.
Rules stay on paper, but real behavior drifts.
And by the time the headline hits, governance died long before.
The cases show that banks rarely “blow up by accident”—they fail through repeated governance breakdowns where roles blur, accountability weakens, and culture drifts from policy. TD’s laundering scandal, Citi’s fat-finger fiasco, and Credit Suisse’s long slide weren’t technical failures alone; they were symptoms of leadership not demanding evidence, first lines handing ownership upward, and incentives rewarding output over oversight. Governance is not about more committees or documentation—it’s about ensuring E, C, and R are lived daily, challenged honestly, and corrected quickly. When escalation feels unsafe and consequences are inconsistent, controls become theater and small cracks scale into billion-dollar losses.
Great MECE structure for governance. I still remember the project our group did last week for Credit Suisse. It was really a nice example of how Governance failed because of no actions.
Governance is reduced to something very practical: making sure Exposure, Controls, and Resilience are actually done the way they’re supposed to be. The cases show that failures weren’t about one bad decision. They were about roles not being owned, accountability not enforced, and culture drifting until “paper rules” no longer matched real behavior.
It’s a good reminder that governance isn’t frameworks or committees; it’s whether people escalate issues, challenge decisions, and act consistently under pressure. When that breaks, everything else breaks with it.
Governance ties everything together by defining who owns exposures, who builds and operates controls, who tests and challenges resilience, and what happens when things go wrong. Governance relies on clear roles (1st, 2nd, 3rd line), accountability (consequences for actions), and culture (truth-telling, challenge, escalation).