With the 9th amendment to MaRisk, governance once again moves into the supervisory spotlight. However, the focus is not on a fundamental re-regulation, but rather on a targeted refinement of the existing framework. BaFin selectively reduces the level of detail and shifts the emphasis towards principles-based regulation, actual effectiveness, and institution-specific implementation.
The often-cited “paradigm shift” is therefore also evident in the area of governance – though less as a disruption and more as a shift in emphasis: away from formalistic box-ticking towards a stronger obligation to justify decisions, consistent risk orientation, and increased institutional responsibility.
Governance as a Steering Framework
Governance has always played a central role within MaRisk. The amendment further sharpens this role: structures, committees and functions should not merely exist, but must demonstrably contribute to the management of material risks.
At the same time, the regulatory framework is streamlined and systematised. While this creates additional flexibility for certain institutions, it also reduces guidance due to less detailed requirements. Governance thus becomes more of an active management task. What matters is no longer formal compliance alone, but the actual suitability of structures for effective risk management.
Increased Responsibility of Senior Management
Senior management is at the centre of this development. Its responsibility extends beyond establishing governance structures to continuously reviewing and ensuring their effectiveness.
In practice, this means closer involvement in ongoing management processes: material risks must be understood and prioritised, and the performance of control and monitoring mechanisms must be regularly and critically assessed.
The role of the supervisory body is also strengthened. The consolidation of requirements in AT 3.2 underlines its function as an integral part of governance. This leads to more intensive engagement with the risk situation and management processes, as well as increased expectations regarding the critical oversight of senior management. Effective governance therefore requires close interaction between management and active supervision.
Proportionality as a Guiding Principle
The strengthened role of proportionality is particularly evident in the area of governance. Organisational structures can be more closely aligned with size, business model, and risk profile.
A key reference point is the new classification of institutions, which determines the extent to which regulatory requirements apply. The following categories are distinguished:
- very small institutions (total assets up to €1 billion),
- small and non-complex institutions (SNCIs) (total assets up to €5 billion), and
- less significant institutions (LSIs).
The associated flexibilities are not new, but are now more clearly defined and easier to apply.
For example, it is explicitly clarified that combining functions is permissible for very small institutions, provided conflicts of interest are appropriately addressed. In addition, the full outsourcing of the compliance function or internal audit is expressly permitted for these institutions (cf. AT 9, para. 5). Substantively, these are not new developments; however, the previously required, often extensive case-by-case justification is in part no longer necessary. This also reflects the overarching objective of the MaRisk amendment to create tangible relief, particularly for small and very small institutions with limited staffing resources.
For larger institutions, however, the additional flexibility remains limited. Moreover, the application of the proportionality principle continues to require a well-founded, risk-based justification.
Focus on the Principle of Materiality
Closely linked to proportionality is the stronger emphasis on the principle of materiality. Governance structures should consistently focus on material risks rather than attempting to cover all conceivable aspects.
In practice, this requires clear prioritisation: reporting, decision-making processes and controls must be aligned with key risk drivers. Reports to senior management are thereby streamlined and focused more strongly on decision-relevant content (cf. BT 2.2, para. 1).
At the same time, the effort shifts: less detail in requirements leads to a greater need to justify why certain topics are classified as non-material.
Control Functions: Integration Instead of Silos
With regard to control functions, the amendment takes a pragmatic approach. Existing functions remain in place but are more strongly embedded in an integrated management context. The aim is to define interfaces more clearly, avoid duplication, and promote a consistent view of risks.
In practice, this primarily means closer coordination between functions. For example, it is explicitly stipulated that the compliance function and the risk controlling function must cooperate and exchange information (cf. AT 4.4.2, para. 5).
Small and very small institutions in particular benefit from increased flexibility in organisational design, provided that the effectiveness of control functions is maintained.
Documentation: From Checklists to Justification
A key shift is evident in documentation. As detailed requirements decline, the traditional “checklist approach” loses importance. Instead, there is an expectation that decisions are justified in a transparent and consistent manner.
This applies in particular to the application of the proportionality principle. Institutions must explain why simplifications are appropriate and how they align with their risk profile. Organisational relief is therefore typically accompanied by increased requirements for justification.
The removal of formal requirements does not equate to substantive relief. For example, the omission of explicit rules on staff qualifications does not eliminate the underlying expectation, but merely reduces the formal depth of review (cf. AT 7.1).
Conclusion: Greater Flexibility Requires Stronger Steering Capabilities
The 9th MaRisk amendment introduces greater flexibility and selective relief, particularly for small and very small institutions. However, the fundamental requirements remain largely unchanged. The actual scope for action is narrower than the term “paradigm shift” might suggest.
The key change lies in the transfer of responsibility to institutions. Governance structures must be developed independently, justified in a well-founded manner, and continuously reviewed for effectiveness.
The additional flexibility does not immediately result in relief. Rather, it initially requires investment in analysis, design, and documentation. Any relief will often only materialise in the medium term, once robust and audit-proof solutions have been established.