Internal Governance 2026: Why MaRisk compliance alone is no longer a safeguard

Governance is no longer just a “tick-box exercise” that can be dealt with by maintaining a well-organised filing system. By 2026, the perspective of regulators and auditors will have changed radically: moving away from mere process verification towards an analysis of structural resilience.

In theory, it sounds simple: draw up a few guidelines, define responsibilities in the organisational chart and file away the audit reports. But the reality of current supervisory practice is quite different. Governance is no longer merely a ‘tick-box exercise’ that can be dealt with by maintaining a well-organised filing system.

By 2026, the perspective of supervisors and auditors has changed radically: away from mere process confirmation, towards an analysis of structural resilience.

Anyone who still views governance today as a tedious compliance exercise overlooks the fact that it has become a key control factor and ‘hard currency’ in the SREP process (Supervisory Review and Evaluation Process). The new IDW guidance on the audit of the internal governance system serves as a sharp diagnostic tool, identifying weaknesses where they have often remained hidden until now.

The Foundation: Organisational Structure and the Pitfalls of Interactions

An institution’s internal governance system forms its backbone. Yet a backbone is only stable if the joints – the interactions – function properly. Whilst MaRisk sets out the regulatory guidelines, the new supervisory approach delves deeper: how do the control bodies actually interact?

A resilient governance structure is not characterised merely by the existence of risk control, compliance and internal audit. Rather, it is about avoiding the diffusion of responsibility. In many institutions, we observe the phenomenon of ‘silo governance’: each function operates correctly in isolation, but blind spots arise at the interfaces.

The IDW guidance hits the nail on the head here. It calls for a holistic view of the organisational structure. A clear separation of front-office and back-office functions is only the absolute minimum; modern governance analysis also looks at information flows.

Does critical information reach senior management unfiltered and in a timely manner? Are there informal power structures that undermine the official decision-making channels? If the informal hierarchy dominates the formal structure, this is already a high-risk indicator for the auditor.

Identifiable indicators: When the system ‘speaks’

Today, auditors rely less on what is written in the manual and more on what the system ‘spits out’ in day-to-day operations. A functioning governance system provides clear indicators of stability.

One positive indicator, for example, is a vibrant culture of discussion within the committees, which can be substantiated by minutes. If decisions in the minutes are always taken unanimously and without critical questioning, supervisors often read this not as harmony but as the lack of a challenge culture.

Further indicators include:

  • Adequacy of resources: Are the staffing and IT resources allocated to control functions appropriate for the risk profile? A rapidly growing crypto portfolio alongside a stagnating compliance department is a classic warning sign.
  • Error tolerance and escalation procedures: How are errors handled? Are vulnerabilities reported proactively or only discovered under pressure from the audit team? The manner in which errors are communicated is one of the strongest indicators of the quality of the governance culture.

Typical weaknesses: Exposing the ‘governance charade’

The IDW guidance and the supervisory authority’s case studies highlight recurring patterns that regularly lead to findings. We also refer to this as the ‘governance charade’: a perfect structure is presented to the outside world, whilst operational management follows entirely different rules.

Typical weaknesses of high audit relevance include:

  1. Overburdened key roles: Compliance officers or risk managers who are so overwhelmed with operational tasks that there is no time left for strategic oversight.
  2. Lack of independence: Where the risk manager’s remuneration is too closely linked to sales targets, or where the internal audit function reports directly to a board member whose department it is supposed to audit.
  3. Outdated competency profiles: Governance structures designed for the business of five years ago, but which are completely unable to address today’s requirements regarding ESG risks or cyber resilience.

For the auditor, these weaknesses are not merely ‘cosmetic flaws’. They are evidence of management’s inadequate ability to exercise control.

The auditor’s risk assessment: the new baseline assessment

In the past, the governance review was often an afterthought to the financial statement audit. Today, the auditor’s risk assessment regarding governance forms the basis for the entire institution-wide risk assessment.

The auditor asks themselves: “Can I rely on the figures if the system generating them has structural flaws?”

A poor governance rating has a direct impact on the scope of the audit. Increased risk assessments lead to more in-depth audit procedures, higher costs and – in the worst case – a report to the regulator, which may then increase the SREP surcharge (capital add-on).

Governance is therefore no longer an abstract concept, but directly influences the institution’s capital requirements and profitability.

Conclusion: Governance as a competitive advantage

The requirements of MaRisk and the clarifications provided by the IDW guidance should not be viewed as a regulatory burden, but rather as a blueprint for a resilient organisation. An institution with a transparent, open and professionally sound governance structure will not only pass the next audit without a hitch, but will also be more agile in crisis management.

The path to “governance excellence” involves three steps:

  • Self-reflection: Use the indicators from the IDW guidance document for an internal quick check before the auditor arrives.
  • Investment in people: Governance requires professional expertise and backbone in key roles.
  • Cultural change: Establish a culture of communication in which risks are seen as opportunities for improvement rather than personal failures.

At the end of the day, governance is not a matter of forms, but a matter of attitude. Those who internalise this will make their institution resilient to tomorrow’s regulatory requirements.

Announcement

In the next post, we will be looking at the ‘human factor’: ‘Fit & Proper’ in the spotlight of supervision.

If you would like to know how you can adapt the specific indicators in the IDW guidance document to the size of your institution, let’s have a chat.

Thorsten Tewes has many years of professional experience in auditing, organization, and compliance at banks and savings banks. At msg for banking, he is responsible for organization, corporate governance, and audit support. Together with his team in Management & Business Consulting, he develops comprehensive solutions for reorganizing structures, processes, and internal control systems within banks and savings banks. As part of co-sourcing, he supports representatives and internal auditors in carrying out audit procedures.
