Internal governance and risk management - CSSF 12/552



Converging towards sound governance practices

The circular brings internal governance requirements together in one single document and complements the existing rules of governance by implementing recent guidelines issued by the European Banking Authority (EBA) and the Basel Committee.

On 11 December 2012, the CSSF issued circular 12/552 entitled “Central Administration, Internal Governance and Risk Management” that replaces and repeals six existing circulars (IML 95/120, IML 96/126, IML 98/143, CSSF 04/155, CSSF 05/178 and CSSF 10/466). Applicable to banks and investment firms, the objective of the new circular is to centralize in one single document all the main requirements related to internal governance matters, thereby efficiently transposing rules promulgated by European authorities, notably by the European Banking Authority.

While taking into account the principle of proportionality, the Luxembourg regulator has adopted very precise rules regarding the respective roles and responsibilities of the governing and management bodies (i.e. Board of Directors and Authorized Management) and has recognized in its regulatory framework the “three-line-of-defence” concept that clearly positions the Compliance, Risk Control and Internal Audit functions in the organization.

Even if several requirements of circular 12/552 were already demanded by prevailing regulation, the text also includes new elements, such as the “fit and proper” conditions for the members of the management body, the strengthened role of the Risk Control function or the existence of designated information security and IT officers.

The release of this circular represents a unique moment for banks and investment firms to review the adequacy of their existing governance framework and to seize this opportunity to enhance its efficiency and value-adding capabilities.


The “three-line-of-defence” model as a new standard

Intensive scrutiny of governance arrangements is a clearly observed trend in the supervisory approach adopted by regulators all over Europe. In terms of organizational structure, the provisions set out in Circular 12/552 pave the way for setting the ‘three lines of defence’ risk governance model as a market standard.

This model is already in place in some institutions but, despite embracing it, some companies still struggle to articulate how oversight is apportioned between the risk management and other specialist functions, such as compliance or finance departments.

Transparent apportionment of oversight responsibilities and the existence of independent checks and challenges are critical to achieving an adequate organizational structure with a clear allocation and appropriate segregation of responsibilities.

We can help you tackle the broad issues of enterprise risk management and effective corporate governance, while offering specialized assistance in high risk areas such as regulatory risk reporting, compliance and internal audit services or information systems.

Our solutions to help you enhance your framework

The multidisciplinary range of our Governance, Regulatory and Risk Strategies (GRRS) provides comprehensive and adapted solutions to the challenges posed by CSSF Circular 12/552. Our Deloitte governance framework offers an end-to-end view of corporate governance and forms the basis for the tools that help boards and executives quickly identify potential opportunities to improve both the effectiveness and the efficiency of their governance practices.


Examples of services include:

  • Training sessions to educate members of the governing bodies on their roles and responsibilities
  • Benchmarking your governance framework against regulatory requirements and peers
  • Enhancing the efficiency of your internal corporate governance through revision of the segregation of duties among control functions
  • Support in ensuring your risk management system is adequate and commensurate with your needs, and in enhancing your ICAAP process to match regulators’ expectations
  • Support in reviewing the completeness of your documentation hierarchy (strategies, policies, procedures and regulatory reporting)
  • Outsourced solutions such as internal audit services or a regulatory hotline