Blogpost

The “magic triangle” of surveillance: why harmony puts your bank at risk

The “magic triangle” of Pillar 3 of internal governance focuses on the complex interplay between the Executive Board, the Supervisory Board and the auditors. It is here that it is determined whether risks are identified in good time or simply “managed” until the system collapses.
17.04.26
Regulatory Law, Risk Management
Introduction

In the first two articles of our series on the pillars of internal governance, we discussed Pillar 1: Structure & Systematics and Pillar 2: Fit & Proper.

Yet even the best organisational chart and the most brilliant experts are worthless if the bank’s ‘nervous system’ fails: communication. In supervisory practice in 2026, one insight has become firmly established: governance failure is almost always heralded by silence.

The ‘magic triangle’, the third pillar of internal governance, focuses on the complex interplay between the Executive Board, the Supervisory Board and the auditors. This is where it is decided whether risks are identified in good time or ‘managed’ until the system collapses.

The illusion of unanimity: when harmony becomes a risk

In many German institutions, unanimity is still seen as a sign of good governance. Yet for modern supervisors and auditors, a consistently 100 per cent approval rate is a warning sign. Why? Because complex strategic decisions – whether regarding digital transformation, ESG positioning or new risk models – naturally generate friction.

The Culture of Challenge

The new regulatory reality demands a vibrant Culture of Challenge. This means: the supervisory board is not a mere ‘rubber-stamp body’. It must critically scrutinise the management board’s assumptions. Today, an auditor no longer assesses the depth of oversight solely on the basis of checklists, but through the analysis of minutes:

  • Were alternative scenarios discussed?
  • Were there critical queries regarding the risk reports?
  • Were unwelcome truths spoken openly?

If the answers are “no”, this indicates a weak governance culture to the regulator. A “harmonious” silence within the board is then interpreted as a lack of control intensity, which leads directly to point deductions in the SREP (Supervisory Review and Evaluation Process).

The ‘Magic Triangle’: A dynamic field of tension

The interaction between the three parties – the Executive Board, the Supervisory Board and the external auditors – must be understood as a functional control loop.

  • The Executive Board provides the data and the strategy. It must be prepared to rise to the ‘challenge’ rather than guarding information as an instrument of control.
  • The Supervisory Board acts as a sparring partner and controller. It requires the technical depth (Pillar 2) to not only read the Executive Board’s reports but also to validate them.
  • The auditor is the catalyst in this triangle. They bring an external perspective and must now go far beyond the audit of the financial statements. They assess the effectiveness of the internal control system (ICS) and the resilience of governance processes.

A well-functioning triangle is characterised by the auditor supporting the supervisory board in shedding light on the executive board’s ‘blind spots’ without undermining operational management.

The ‘filter effect’: Where bad news gets lost

One of the greatest operational risks in banks is the loss of information as it makes its way up the chain. Critical warning signs from risk control or compliance are often filtered out by informal power structures or a ‘culture of fear’.

The sanitisation of reporting

Reports are often “sanitised” at middle management levels to such an extent that only green lights reach the board. The actual risk is linguistically downplayed to such an extent that no immediate need for action is apparent.

Today, the auditor specifically analyses these interfaces:

  • How consistent are the raw data from the operational level with the aggregated reports for the board?
  • Are critical findings from internal audit communicated to the audit committee in a timely and unvarnished manner?
  • Do informal channels exist that bypass formal governance?

A transparent flow of information is not a “nice-to-have” but a shield against systemic risks. Anyone who does not actively combat the “filter effect” is steering their institution blind.

Measuring ‘soft’ factors: the depth of scrutiny in an audit

How does an auditor measure communication? It sounds like an impossible task, yet the methodology (including that set out in IDW PS 340, as amended) has become precise. The depth of scrutiny can be measured through:

  1. Minute analysis: The quality of the documentation provides insight into the intensity of the debate.
  2. Individual interviews: The auditor conducts confidential discussions with board members to compare their understanding of their roles with their actual interactions.
  3. Follow-up culture: How consistently are measures demanded by the supervisory board followed up? A strong supervisory board is characterised by the fact that it not only asks questions, but also ensures they are answered.

Economic relevance: Communication saves capital

There is a direct link between the quality of communication and capital requirements. The ECB and BaFin assess “Internal Governance & Risk Management” as part of the SREP score.

An institution that can demonstrate a genuine ‘Culture of Challenge’ and a seamless flow of information is considered resilient. The result is a lower Pillar 2 Requirement (P2R) surcharge. Conversely, governance shortcomings in this interaction (for example, a dominant CEO facing a weak supervisory board) lead to drastic capital surcharges.

Here, governance excellence means: talking saves money. An open dialogue with the auditor and a robust culture of discussion within the supervisory board are the most cost-effective safeguards against regulatory sanctions.

Practical checklist: Is your ‘nervous system’ working?

To put the third pillar of your governance to the test, you should critically answer the following questions:

  • Minutes check: Do our meeting minutes reflect a genuine discussion of the issues, or do they read like a list of announcements?
  • Information flow: Do we have mechanisms (such as whistleblowing systems or direct reporting lines to the audit department) that bypass the filtering effect of middle management?
  • Understanding of roles: Does our supervisory board see itself as a “partner in oversight” or as a “defender of the executive board”?
  • Interaction with auditors: Do we use the auditor as a strategic diagnostic tool, or do we treat them as a necessary evil to whom we reveal as little as possible?

Conclusion: From Formality to Functionality

The third pillar of internal governance is the most challenging, as it deals with human behaviour. Yet it is precisely here that the greatest potential for genuine stability lies. A bank where hierarchies block the flow of information and where unanimity is prioritised over truth is structurally vulnerable.

Governance 2026 requires the courage to challenge the status quo and the discipline to ensure transparency. Those who master the ‘magic triangle’ create an organisation that is capable of learning and recognises risks before they reach the balance sheet.

Reading recommendation

This article concludes our focus on internal dynamics.

The first two articles on the three pillars of internal governance address hard structures (Pillar 1) and the professional competence of senior management (Pillar 2).

The next article will focus on Pillar 4: Compliance, Reporting & Data Quality – Why your figures are only as good as the processes behind them.