Governance


Did they blow up by accident?

In 2024, TD Bank pled guilty in the U.S. to conspiracy to commit money-laundering and paid about $1.8 billion in penalties. The 'Too Dependable' bank turned money-laundering mule — $1.8 billion lesson in oversight. Criminal cash cruised through compliance — the watchdog was asleep. Needed a babysitter for its controls — regulators installed a hall monitor.

 

In 2020, Citi’s loan ops team checked the wrong boxes, sending $893 million instead of $7.8 million in interest. One wrong checkbox sent $893 million flying — full principal instead of pocket change. Three reviewers signed it off anyway — process obedience beat common sense. Regulators called time on autopilot governance — $400 million for ignoring the obvious. Four years under consent order, same problems, new fine — governance by memo, not execution.

In 2023, UBS finalized its emergency takeover of failing Credit Suisse, orchestrated by Swiss regulators to avert a banking crisis. In 2007, Credit Suisse traders pleaded guilty to mismarking securities, inflating values to boost profits and bonuses. In 2019, the bank hired private investigators to surveil a departing executive, triggering a global 'spy-gate' scandal. In 2021, Credit Suisse lost about $5.5 billion on Archegos after failing to act on internal warnings. During Chair Urs Rohner’s decade-long tenure, scandals piled up; his successor António Horta-Osório (ex-Lloyds) resigned months later for breaching conduct rules.


No! They blew up because of multiple failures in Governance!


Governance and what it achieves


Governance in ECRG (the Exposure, Controls, Resilience, Governance risk management framework) has one purpose and one purpose only: to ensure that each of Exposure, Controls, and Resilience is properly done.

Governance is the system that defines who must do what, by when, and what happens when they don’t — and ensures that the rules people follow on paper are also the behaviors they follow in practice. It works through three mechanisms.

  1. Roles — who does what and when.

  2. Accountability — what happens when things go wrong or right.

  3. Culture — what people actually do. When the expected and actual behaviors diverge, governance breaks down.





Everything else — frameworks, committees, reports — is a sublevel of this simple MECE (mutually exclusive, collectively exhaustive) breakdown.


ROLES

| Role | One-Line Summary | Operational Reality |
| --- | --- | --- |
| Board | Sets risk appetite, demands evidence, and challenges management to stay within it. | The Board doesn’t run the risk program; it keeps score and calls time-outs when the play drifts offside. |
| Senior Management | Converts appetite into limits, assigns ownership, and ensures E, C, and R are built and maintained. | Senior Management owns execution — they make sure the blueprints of E, C, and R are actually built, tested, and resourced. |
| First Line (Business) | Owns exposures, operates controls, executes resilience, and reports truthfully. | They are the doers; if they hand risk work to the 2nd line, governance has already failed. |
| Second Line (Risk & Compliance) | Sets the rulebook, challenges execution, and ensures consistency across the enterprise. | They don’t run any part of E, C, R, or G — their job is to ensure the people who do are competent, consistent, and honest. |
| Third Line (Internal Audit) | Independently verifies that E, C, and R actually work as claimed. | The “prove it” function — they don’t build or monitor, they verify independently and report directly to the Board. |
| Committees | Provide cross-functional challenge and escalation so decisions and information move, not stall. | They’re the wiring — keeping information and accountability flowing across functions instead of getting stuck in silos. |

ACCOUNTABILITY

| Aspect | One-Line Summary | Operational Reality |
| --- | --- | --- |
| Definition | Accountability converts expectations into consequences — linking roles to results. | Governance fails when no one owns failures — good systems make accountability unavoidable, not optional. |
| Purpose | Ensures consequences, correction, and recognition when E, C, or R are done right or wrong. | It makes the written rules real; without it, roles are just job descriptions. |
| Behavioral Essence | Every role has an owner, every failure has an explainer, every lesson has a fix. | Good governance doesn’t depend on good people; it depends on a system where doing the right thing is easier and safer than hiding failure. |
| Consequence Design | Consequences make outcomes matter — both good and bad. | Reward expected behavior, penalize bad behavior; otherwise, culture learns the opposite. |
| Escalation | Issues must reach the right level fast before they metastasize. | Escalation only works when people feel safe to raise bad news early without punishment. |
| Transparency | Keeps performance visible and comparable across the organization. | Hidden information kills accountability; sunlight forces truth. |
| Learning & Correction | Converts mistakes into system upgrades, not blame cycles. | Real governance fixes patterns, not people. |
| Actions & Incentives | Leaders model the behaviors they demand and reward escalation over concealment: Action at the Top, not Tone at the Top. | Leadership action is the thermostat — it sets what behavior stays normal under stress. |

CULTURE

| Aspect | One-Line Summary | Operational Reality |
| --- | --- | --- |
| Definition | Culture is what people actually do. | What people actually do — not what they say — defines the organization. |
| Purpose | Ensures E, C, and R are carried out truthfully, rigorously, and transparently in daily work. | Culture determines if the risk framework lives or dies in practice. |
| Escalation Behavior | People surface bad news early rather than bury it. | Healthy cultures reward truth-telling; decayed ones shoot the messenger. |
| Challenge Behavior | People question, test, and debate decisions instead of deferring to hierarchy. | Real challenge is visible in meetings and decisions — silence signals fear, not alignment. |
| Accountability Behavior | People fix problems instead of hiding them. | When the same issue repeats, it’s not a control failure — it’s a cultural one. |
| Incentive Behavior | Rewards and penalties reinforce expected behaviors, not just results. | If bonuses depend on output, not conduct, culture will always lose to revenue. |
| Leadership Behavior | Leaders act the way they expect others to act, especially under stress. | People don’t copy what leaders say; they copy what leaders do when it’s costly. |
| Learning Behavior | The organization updates its playbooks, controls, and plans after each failure. | A learning culture treats incidents as data, not drama. |

KEY TAKEAWAYS


1. Governance’s single purpose is to ensure each of E, C, and R is properly done — designed right, executed right, and corrected when they drift.

2. Roles define who does what; Accountability defines what happens next; Culture determines what people actually do.

3. Governance begins with written rules but survives only through consistent behaviors.

4. Accountability converts expectations into consequences — it’s the link between rules and results.

5. Policies and committees don’t fix behavior gaps; incentives, transparency, and escalation do.

6. Behavior drift — when actual actions deviate from expected ones — is the earliest sign of governance decay.

7. Effective governance makes doing the right thing easier, safer, and faster than hiding the truth.


34 Comments


Hailey Liu
7 days ago

What impressed me most about this article is how it turns “governance” from a set of rules into something about real behavior. It’s not just about reports or committees, it’s about what people actually do when things get hard or uncomfortable. Good governance means making the right action easier and safer than hiding the truth. The big scandals like TD Bank or Credit Suisse didn’t happen overnight; they happened because small behavior drifts were ignored until it was too late. So I was wondering, in a company where performance and short-term results matter most, how can leaders design incentives that make speaking up about problems feel safer than staying silent?


allenziqi.gong
7 days ago

This piece powerfully captures why governance failures — not accidents — are the true cause of institutional breakdowns. The examples of TD Bank, Citi, and Credit Suisse show that even massive organizations with sophisticated systems can implode when governance becomes performative instead of functional. Each case demonstrates a collapse of behavioral governance — roles blurred, accountability diluted, and culture rewarded the wrong things. The framework here makes governance practical rather than abstract: it’s not about more policies or committees but about ensuring Exposure, Controls, and Resilience (E·C·R) actually work as intended. Governance is described as a living system that links roles (who does what), accountability (what happens when they don’t), and culture (what people truly do). When any of these…


MV
Oct 29

The slides and the video said escalation only works when people feel safe raising bad news early. But in most banks, raising problems can still hurt your career. How do you actually build a culture where telling the truth feels safer than staying quiet? Is it realistic in a high-pressure environment where results matter more than process?


The examples show that culture is where governance often fails, not in documentation, but in mindset. The ECRG model reframes governance as the element that makes Exposure, Controls, and Resilience work right. I wonder whether governance should be treated not as the fourth pillar but as the glue: without it, even well-designed controls and resilience plans fail. Should governance therefore be evaluated not by presence, but by effectiveness of coordination?


After learning more about governance, especially the section on building culture, I found it interesting how much emphasis is placed on critical thinking and challenge behaviour. Encouraging people to question and test decisions sounds ideal, but I think in practice it can lead to inconsistency or slow down execution. So I wonder how organizations can achieve a balance between designing a culture where employees feel safe to challenge ideas and raise concerns without creating additional confusion or inefficiency across teams.


Operational Risk Management That Works

©2022 by Operational Risk Management That Works.