RC/RR Obligations in Luxembourg: What Boards Must Really Understand About AML Governance

Katia Ciesielska

In Luxembourg’s regulatory environment, the roles of RC and RR are central to AML/CFT governance for AIFMs, UCITS management companies, PSFs, credit institutions and other supervised entities. Yet in many organisations, these terms risk becoming technical shorthand rather than clearly understood governance responsibilities.

RC/RR obligations in Luxembourg sit at the heart of anti‑money laundering compliance for entities supervised under the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the “2004 AML Law”). For boards of directors, understanding the distinction between the Responsable du Respect (RR) and the Responsable du Contrôle (RC) is not optional; it is a core component of internal governance, regulatory accountability and risk oversight.

This article explains the RC/RR framework under Luxembourg AML law, clarifies the respective responsibilities of RC and RR, and highlights where boards most frequently underestimate AML governance risk.

The Regulatory Framework for RC and RR in Luxembourg

The RC/RR framework is rooted in the 2004 AML Law and further detailed through CSSF Regulation 12‑02 of 14 December 2012 on the fight against money laundering and terrorist financing and related CSSF circulars, FAQs and supervisory guidance. For investment funds and managers, key guidance includes the CSSF FAQ of 25 November 2019 on persons involved in AML/CFT for a Luxembourg investment fund or investment fund manager, which clarifies the practical expectations for RC and RR.

Under this framework, regulated entities must formally designate:

- A Responsable du Respect des obligations (RR)
- A Responsable du Contrôle du respect des obligations (RC)

Both individuals (or, for the RR, a collegial body) are identified responsible persons for AML/CFT purposes and must meet fit and proper requirements consistent with the 2004 AML Law and CSSF “fit and proper” expectations. Their appointments must be clearly documented and, where required, notified to the CSSF using the prescribed forms and portals.

For AIFMs, UCITS management companies and many PSFs, the appointment of both an RC and an RR is mandatory in light of the AML/CFT risk identified in the investment fund and financial sectors. While their functions differ, they operate within a single AML governance structure for which the board retains ultimate responsibility. Delegation to an RC or RR does not discharge the board from its oversight duties; supervisory authorities regularly underline that the board remains ultimately responsible for AML/CFT compliance and internal control.

What Is the Difference Between RC and RR in Luxembourg?

In Luxembourg AML/CFT regulation, the distinction between RC and RR reflects a separation between strategic accountability and operational control.

The RR (Responsable du Respect) is responsible at senior management or board level for ensuring that the entity complies overall with its AML/CFT obligations under the 2004 AML Law, Regulation 12‑02 and relevant CSSF circulars. The RR is often the board itself or one of its members in the case of investment fund managers, and must have sufficient knowledge of the entity’s activities, distribution model and risk profile.

The RC (Responsable du Contrôle) is the AML/CFT compliance officer responsible for the effective, day‑to‑day implementation and monitoring of AML/CFT controls, including the tasks listed in Articles 40(3)–43 of CSSF Regulation 12‑02. The RC must be at an appropriate hierarchical level, have access to all necessary systems and information, and be available to the CSSF without delay.

This distinction is substantive, not semantic. The RR must ensure that the AML framework is appropriate, proportionate and embedded within the organisation, while the RC applies and monitors that framework in practice and reports weaknesses and breaches. Both roles are subject to regulatory scrutiny and may be asked to explain AML arrangements directly to the supervisor.

From a governance perspective, RC/RR appointments are not administrative formalities; they are core pillars of the AML control environment and are explicitly considered in CSSF on‑site inspections, AML external reports under Circulars 21/788 and 21/790 and thematic reviews.

The Role of the RR: Strategic AML Accountability

The Responsable du Respect carries strategic responsibility for AML compliance and sets the tone for AML/CFT governance. In practice, the RR must ensure that:

- The internal AML/CFT framework reflects the entity’s size, complexity and risk profile, including the business‑wide risk assessment required by the 2004 AML Law.
- Policies and procedures are formally adopted, reviewed and regularly updated to reflect legislative changes, CSSF circulars and evolving risk factors.
- The business‑wide AML/CFT risk assessment is conducted, documented and approved at least annually or upon material changes.
- Reporting to the board accurately reflects AML risk exposure, key metrics, and qualitative analysis of trends and issues.
- Suspicious activity reporting processes are properly designed, documented and functioning, with clear escalation to the FIU and CSSF where appropriate.

The RR must have sufficient seniority and authority to influence governance decisions, including resource allocation to the RC function and AML systems. The CSSF expects the RR to have direct access to the board and the capacity to escalate concerns where necessary, particularly where commercial pressures could compromise AML standards.

For boards, this means ensuring that RR reporting is regular, substantive and reflected in minutes, and that questions, challenges and follow‑up actions are clearly documented. An RR function that appears only formally, without evidence of challenge or discussion, is likely to attract supervisory attention in governance and AML thematic reviews.

The Role of the RC: Operational AML Control

The Responsable du Contrôle is responsible for operational implementation and monitoring of AML/CFT obligations and typically acts as MLRO in practice. The RC typically oversees:

- Client and transaction‑level AML risk assessments, including initial and ongoing risk scoring.
- Ongoing due diligence and periodic reviews aligned with risk‑based frequencies.
- KYC documentation collection, verification and updating in line with the 2004 AML Law and Regulation 12‑02.
- Monitoring and escalation of suspicious transactions, including preparation of suspicious transaction reports to the FIU.
- Internal AML reporting and control summaries, including dashboards and key indicators to the RR and board.
- AML/CFT training for staff, tailored to functions and updated for regulatory changes.

The RC must have adequate expertise,

The EU AI Act in the Boardroom: 180 Days to Full Applicability

Katia Ciesielska

The era of AI curiosity is over; the era of AI accountability has begun for Luxembourg boards using high‑risk AI systems. As we move through 2026, the countdown toward 2 August 2026 has become critical for governance professionals across Luxembourg, when key obligations of the EU AI Act become fully applicable for high‑risk AI systems used in financial services and other regulated sectors.

What was once a technology discussion is now a core board responsibility. In a jurisdiction where the CSSF continues to emphasise robust internal governance, digital operational resilience and documented oversight, boards must now move from awareness to structured action on AI governance. This article outlines what Luxembourg independent directors and board members should prioritise during the final months before August 2026.

What the EU AI Act Requires from Luxembourg Boards Using High‑Risk AI Systems

The EU AI Act introduces a risk‑based framework governing the development, placement and use of artificial intelligence systems within the European Union, with particularly strict requirements for high‑risk AI systems. In financial services, many commonly used tools fall within this high‑risk category, including systems used for creditworthiness assessments, AML transaction monitoring, fraud detection, insurance pricing, algorithmic portfolio allocation and automated decision‑making.

Boards must understand one central point: the Act assigns responsibility along the AI value chain, including to deployers and, in some cases, those who substantially modify AI systems. It is not enough to say, “We bought the tool from a reputable vendor”; legal responsibility does not disappear through outsourcing. Oversight must be deliberate, documented and embedded in the governance framework.

Deployer vs Provider: Why Classification Matters for Luxembourg Funds and Banks

One of the first questions every Luxembourg board should address is its legal role under the EU AI Act. Most investment funds, management companies (ManCos), AIFMs and credit institutions will qualify as “deployers”, meaning they use an AI system under their authority in the course of a professional activity and must ensure proper use, monitoring and logging of the system.

However, the distinction between deployer and provider can become blurred. A provider is the entity that develops an AI system, or has it developed, and places it on the market under its own name, carrying heavier obligations such as conformity assessments and extensive technical documentation. The concept of “substantial modification” is where boards are most frequently caught off guard: if a Luxembourg fund or institution modifies a high‑risk AI system beyond its original intended purpose or significantly alters its performance parameters, it may legally assume the role of provider, with materially increased regulatory exposure.

This is not theoretical. Customising a vendor’s risk‑scoring model, adjusting core algorithmic thresholds without vendor supervision, or repurposing an AI tool for a new function can potentially trigger this reclassification. Boards should ensure that contracts with AI vendors clearly define responsibilities and that any system modifications are reviewed through a formal governance lens.

AI Literacy Obligations for Board Members under Article 4 of the EU AI Act

Article 4 of the EU AI Act introduces a concept that is highly relevant for directors: AI literacy. For the first time, EU legislation explicitly requires organisations to ensure that those involved in the operation and oversight of AI systems possess sufficient knowledge to understand their functioning and associated risks.

For Luxembourg boards, this requirement cannot be delegated entirely to management. Supervisory authorities increasingly expect that AI literacy starts at the top; directors who are unable to understand how AI systems generate outputs, what data they rely on, or where bias risks may arise cannot effectively discharge their oversight duties. AI literacy does not require directors to become engineers, but it does require them to ask informed questions.

Boards should ensure that training programmes are specifically tailored to governance needs rather than generic technology introductions. Directors should understand risk classifications under the Act, the concept of high‑risk systems, documentation obligations, bias and discrimination concerns, and the legal consequences of non‑compliance. Given the pace of technological development, AI training should become part of the annual board education calendar, similar to updates on AML, sanctions or regulatory changes, and the training itself should be documented as evidence of literacy.

High‑Risk AI Systems, Human Oversight and Traceability

Many AI applications used in Luxembourg’s financial sector will fall into the high‑risk category and are therefore subject to strict requirements around risk management, data governance, transparency, traceability and human oversight. The principle of human oversight is central: high‑risk systems must be designed to allow natural persons to oversee their operation and intervene where necessary, addressing the risk of automation bias – the tendency to accept algorithmic outputs without sufficient challenge.

From a board perspective, oversight must translate into operational reality. Human overseers must have both technical competence and formal authority to override or disregard AI outputs, with clearly defined escalation procedures and, for critical systems, safe‑halt mechanisms or “kill switches”. Boards should ask: if the system produces an anomalous output tomorrow, who has the authority to stop it, how quickly can that intervention occur, and is that authority documented? These are fundamentally governance questions, not purely technical ones.

Traceability is another cornerstone of the EU AI Act. High‑risk systems must automatically generate logs throughout their period of use to enable post‑incident analysis and supervisory review, and in Luxembourg such logs are typically expected to be retained for a period sufficient to support regulatory audit and investigation. Traceability is not merely an IT control; it is a governance safeguard. Documented policies on AI usage, risk assessments, monitoring reports and board minutes reflecting discussion of AI oversight will become increasingly important in demonstrating compliance.

Aligning AI Governance with CSSF Expectations in Luxembourg

In Luxembourg, AI governance cannot be viewed in isolation from existing supervisory expectations. The CSSF has consistently emphasised that new technological risks must be embedded within the broader internal governance framework, including risk management, compliance, internal control and ICT/digital resilience requirements. For credit institutions, this aligns with Circular 12/552 on internal governance,

Risk Committees in Luxembourg: Purpose, Structure & Why You Need One

What Is a Risk Committee and Why Does It Matter?

Katia Ciesielska

A risk committee is a specialized board committee focused on overseeing an organization’s risk management framework. Its core purpose is to assist the board in assessing whether the risks the company takes are adequately managed relative to its ability to bear those risks and its capital and liquidity buffers. In practice, this means evaluating whether risk exposure aligns with risk appetite and financial capacity, and recommending corrective actions when it does not.

In today’s environment of complex, fast-moving risks – from credit and operational risks to cybersecurity and ESG – a dedicated risk committee at board level has become a governance best practice across Luxembourg’s financial sector. Many companies historically relied on audit committees for risk oversight, but audit committees often have overloaded agendas and focus mainly on financial reporting controls. A separate risk committee allows deeper focus on key risk connections, emerging risks, risk culture, risk appetite, and the effectiveness of risk management processes.

The regulatory expectation in Luxembourg has also shifted. Over the past five years, the CSSF (Commission de Surveillance du Secteur Financier) has moved from recommending risk committees to requiring them for significant institutions. This shift reflects a global lesson: boards that lack dedicated time and expertise for risk oversight are more likely to miss warning signs or misjudge their risk appetite.

Risk Committees in Luxembourg Banking: What the CSSF Now Requires

For Luxembourg banks, risk committees are no longer optional. CSSF Circular 20/758, the key governance circular for investment firms and credit institutions, mandates that “significant institutions” must establish a dedicated risk committee. “Significant” typically means systemically important banks, subsidiaries of major international banks, or any institution deemed material by the CSSF based on size, complexity, and risk profile.

Key Regulatory Expectations

The risk committee’s mission, as outlined in CSSF guidance, is to assist the board in assessing the adequacy of the bank’s risk profile relative to its financial resources (capital and liquidity) and its ability to manage those risks. The committee must regularly deliberate on:

- The state of risk management and the bank’s risk exposures
- Future risk strategy and tolerance
- The quality and effectiveness of the risk control function’s work
- Whether risks remain within the bank’s capacity and regulatory limits (for example, via stress tests)
- Corrective measures for any control shortcomings

The CSSF also emphasizes committee composition: significant banks’ risk committees must comprise a majority of independent members, including an independent chairperson. This independence requirement reflects a regulatory principle that unbiased judgment is essential for effective risk challenge of management.

A Luxembourg Bank Example

Consider a mid-sized Luxembourg bank with €15 billion in assets and a diversified portfolio spanning mortgages, SME lending, and wealth management. The board appoints a risk committee of four independent directors (three external, one retired CRO from a peer institution) chaired by a former risk officer with 20 years’ banking experience. The committee meets quarterly and reviews:

- Interest-rate risk profiles and stress test results across the mortgage book
- Credit concentration in the SME portfolio and any large exposures
- Operational risk incidents (e.g., fraud cases, IT incidents)
- Emerging risks (e.g., GDPR compliance gaps, cybersecurity threats)

The risk committee then reports findings and recommendations to the full board, ensuring risk considerations inform strategic decisions like market expansion or new product launches.

Risk Management Oversight for Funds and Investment Firms

Luxembourg is the world’s second-largest fund center, and robust risk governance in the investment fund industry is equally vital. However, the regulatory approach differs slightly from banking. CSSF Circular 18/698, the governance circular for investment fund managers, does not explicitly mandate a dedicated board risk committee. Instead, it requires each authorized fund manager to establish a permanent risk management function with clear responsibilities to identify, measure, and manage all relevant fund risks and report regularly to the board.

Many Luxembourg fund boards choose to integrate risk oversight either through a combined Audit & Risk Committee or by addressing risk as a standing agenda item at each board meeting. The appropriate approach depends on the size and complexity of the fund manager or fund strategy.

When Funds Benefit from a Dedicated Risk Committee

For larger management companies or those managing higher-risk alternative funds, a dedicated risk committee (or risk sub-committee) is considered best practice to focus on areas like:

- Portfolio risk profiles (concentration, counterparty, liquidity)
- Valuation oversight
- Regulatory compliance risks
- Stress testing and scenario analysis

Industry guidance from the Association of the Luxembourg Fund Industry (ALFI) and the Institute of Directors (ILA) encourages fund boards to have clear lines of responsibility for risk management and to consider dedicated risk committees as a governance enhancement, especially for complex strategies.

A Luxembourg Fund Manager Example

A €5 billion alternative investment fund manager with high-yield and private credit mandates establishes a formal Risk Committee comprising four board members: the chair (independent, former hedge fund CIO), a valuation expert, the fund sponsor’s representative, and an independent director with AML expertise. The committee meets monthly to review:

- Concentration risks in each fund (largest 10 holdings, country exposure)
- Valuation methodologies and any contested asset valuations
- Liquidity stress scenarios (e.g., “redemption shock” planning)
- Counterparty risks (prime brokers, custodians)
- Compliance with CSSF expectations on leverage, liquidity thresholds, and fund documentation

Between meetings, the Chief Risk Officer (an independent employee, not a board member) provides rolling risk reports. This structure ensures rigorous oversight without slowing decision-making.

Risk Committees in Corporate Governance

Outside the regulated financial sector, Luxembourg corporates are increasingly embracing risk committees, especially publicly listed companies or those with significant international operations. Luxembourg company law does not mandate risk committees (except for certain EU requirements like audit committees for public-interest entities), but governance codes and investor expectations drive their adoption.

The “Ten Principles of Corporate Governance” issued by the Luxembourg Stock Exchange encourage boards to establish specialized committees (audit, nomination, remuneration, and risk) to improve oversight. Many large corporates in Luxembourg – particularly in aerospace, industrial, real estate,

Independent Director in Luxembourg: Legal Duties, Time Commitment & Real Liability

What Independent Directors Actually Owe Under Luxembourg Law

Katia Ciesielska

The role of an independent director in Luxembourg is frequently perceived as formal, part-time, or largely compliance-driven. In practice, that perception understates both the responsibility and the influence attached to the mandate. As Luxembourg has evolved into a leading European hub for investment funds, holding companies, and cross-border structures, expectations toward boards have risen accordingly. Independence is no longer symbolic. It is practical, demanding, and increasingly scrutinised.

An independent director in Luxembourg owes duties to the company itself, not to shareholders, sponsors, appointing parties, or management, even when those stakeholders play a central role in the company’s ecosystem. These duties are rooted in Luxembourg company law and long-standing governance principles. They require directors to act with care, diligence, loyalty, and independent judgement. In regulated environments, such as investment funds or supervised entities under CSSF oversight, these expectations are reinforced by regulatory frameworks and supervisory practice.

The distinction is crucial. A director’s primary obligation is to the entity; everything else flows from that principle. This is not semantic; it fundamentally shapes how independent directors approach conflicts, make decisions, and defend their actions if challenged.

Independence Is Assessed by Behaviour, Not Just Criteria

Independence in Luxembourg is assessed by substance rather than form. It is not sufficient to meet formal criteria such as the absence of shareholding or employment links. Independence is demonstrated through behaviour in the boardroom and beyond. It is reflected in the willingness to question assumptions, request additional information, challenge optimistic projections, and raise concerns when risks are underestimated.

Consider a fund board where the management team presents an aggressive growth strategy. An independent director might say: “The numbers look compelling, but I’d like to understand the downside scenario if market conditions shift. What happens to returns if we see a 20% contraction in assets? How do we manage that operationally?” This kind of questioning – informed, constructive, and grounded in governance principle – is what substance looks like.

Independence does not mean opposition for its own sake. It means exercising informed judgement and contributing constructively to better decision-making. A board of all “yes” directors is weaker than a board where genuine disagreement is welcome and properly documented. Conversely, a director who votes against every proposal is not exercising independence; they are simply being obstructionist.

The practical test is this: Does the director’s behaviour reflect thinking independent from management bias and sponsor pressure? If yes, the mandate is genuine.

The Real Time Commitment of an Independent Director Mandate

The time commitment associated with an independent director mandate is often underestimated, and this underestimation leads to conflict. While board meetings are visible milestones, typically scheduled for half a day four to six times per year, much of the work happens outside the meeting room.

Preparation involves reviewing board packs, financial information, risk reports, transaction documents, and compliance updates. For a fund board, this might include quarterly performance reports, redemption analyses, regulatory correspondence, and strategy memos. A conscientious director will spend 4-8 hours preparing for each meeting, even in a “light” governance environment.

After meetings, independent directors frequently engage in follow-up discussions, request clarifications, and remain available for urgent matters. A fund facing sudden redemptions, a portfolio company facing operational challenges, or a regulatory investigation will demand immediate director availability. These moments are unpredictable but real.

In Luxembourg, where governance standards are high and documentation is central, the effective workload is continuous rather than episodic. Directors should expect to dedicate approximately 100–150 hours per year to a single mandate, depending on complexity, regulatory environment, and board maturity. A director serving on three boards should realistically be committing 300-450 hours annually – roughly equivalent to 8–11 weeks of full-time work. This is material and should factor into mandate decisions.

Personal Liability: Where the Real Risk Lies

Personal liability is another area where misconceptions persist, and understanding where the real exposure lies is essential for any director. Independent directors are personally exposed, but liability rarely arises from holding a dissenting view. No court has penalised a director for voting “no” on a transaction or raising risk concerns.

In practice, risk tends to materialise where directors fail to engage, fail to challenge, or fail to act when warning signs are present. The typical exposure patterns look like this:

- Insufficient documentation: A board approves a transaction without clear minutes recording the discussion, risks considered, or management’s responses to director questions. If the transaction later fails, there is no contemporaneous evidence that diligence was done.
- Absence of escalation: A director observes a compliance breach or governance red flag but does not raise it formally in the meeting or ensure it is documented. Later, when the issue surfaces, the director cannot demonstrate that they were aware or concerned.
- Passive acceptance of management assurance: A director asks about AML controls, receives verbal reassurance from compliance, and does not follow up with written confirmation or evidence of testing.
- Silence on conflicts: A director has a potential conflict but does not disclose it or does not recuse themselves from the decision.

Asking difficult questions and ensuring that concerns are properly recorded is often the most effective form of protection. A director with 20 documented questions in board minutes – even if the board overrode the concern – has demonstrated diligence. A director with no record of concern, even if they had private doubts, has not.

Strategic Oversight Beyond Compliance

The role of an independent director is not operational. Day-to-day management belongs to executive teams or, where applicable, daily managers. Nevertheless, boards increasingly expect independent directors to contribute meaningfully to strategic oversight, not merely compliance review. This includes engaging in discussions around:

- Long-term direction and capital allocation: Where is the fund or company headed in three to five years? Are we investing in the right sectors, geographies, or asset classes? Are we diversified appropriately?
- Risk appetite and scenario planning: What happens if a key portfolio company fails? What if

Board Evaluation in Luxembourg: How Boards Improve Performance in 2026

Board evaluation has transformed from a regulatory checkbox into a powerful tool for improving board effectiveness. In Luxembourg’s dynamic corporate environment, where boards oversee complex cross-border operations and navigate evolving governance standards, strategic board performance evaluation is no longer optional – it’s essential.

Katia Ciesielska

High-performing boards in Luxembourg are adopting rigorous board assessment practices that go beyond annual questionnaires. They’re implementing continuous evaluation frameworks, engaging external board evaluators, and using data-driven insights to enhance board dynamics, decision-making, and strategic oversight. This comprehensive guide explores proven board evaluation methodologies and best practices that drive measurable performance improvements in 2026.

Why Board Evaluation Matters in Luxembourg’s Corporate Landscape

Luxembourg’s unique position as a European financial hub and home to thousands of international companies creates distinctive governance challenges. Boards oversee organizations operating across multiple jurisdictions, navigating complex regulatory environments while managing diverse stakeholder expectations. The Luxembourg Stock Exchange’s governance requirements, combined with European directives and sector-specific regulations, mean that boards must demonstrate not just compliance but genuine board effectiveness.

The stakes have never been higher. PwC’s 2025 Board Effectiveness Survey reveals a troubling confidence gap: while 35% of C-suite executives rate their boards’ effectiveness as excellent or good (up from 30% the previous year), a striking 93% of executives believe at least one director should be replaced—the highest level ever recorded. Only 32% believe their boards have the right mix of skills and expertise for today’s governance challenges.

Institutional investors increasingly scrutinize board quality as a key investment criterion. Regulators expect boards to show evidence of continuous improvement through regular board evaluation. Perhaps most importantly, the accelerating pace of change in technology, sustainability, and geopolitics demands boards that can learn and adapt rapidly. As discussed in my analysis of what high-performing boards will focus on in 2026, continuous improvement through evaluation is a defining characteristic of board excellence in corporate governance.

How Board Evaluation Has Evolved: From Compliance to Performance

Traditional board evaluations followed a predictable pattern: an annual questionnaire, perhaps facilitated by an external consultant every three years, followed by a board discussion and action plan that may or may not be implemented. This approach treated board assessment as an event rather than a process, and often failed to generate meaningful change.

The numbers tell a sobering story. Research by Nasdaq found that while over 90% of boards conduct some form of evaluation, only 7% result in specific action plans. Similarly, Diligent reports that despite 74% of directors believing evaluations are effective tools for improvement, only 58% actually make changes following their evaluation. This disconnect between assessment and action represents billions in untapped governance value.

Leading Luxembourg boards in 2026 are taking a fundamentally different approach to board performance evaluation. They recognize that evaluation is not about judgment but about learning and growth. They’ve moved from asking “Are we good enough?” to “How can we become more effective?” This shift in mindset has transformed how board evaluation is designed and implemented.

5 Essential Components of Effective Board Evaluation

Define Clear Objectives for Your Board Evaluation

The most effective board evaluations begin with crystal-clear objectives. What specifically is the board trying to improve? Is the focus on decision-making quality, strategic oversight, risk management, stakeholder engagement, or board dynamics? Rather than attempting to evaluate everything superficially, high-performing boards identify priority areas that matter most to organizational success.

The scope must also be well-defined. Will the board assessment cover the full board, individual directors, committees, and the relationship with management? Each element requires different methodologies and creates different sensitivities that must be managed thoughtfully.

Board Evaluation Methodologies: Choosing the Right Approach

Gone are the days when a simple questionnaire sufficed. Leading boards now employ mixed board evaluation methodologies that capture both quantitative data and qualitative insights. This typically includes structured surveys to identify patterns and trends, one-on-one interviews to explore nuanced issues in depth, observation of board and committee meetings to assess real-time dynamics, and analysis of board materials and decision-making processes.

Many Luxembourg boards working with international stakeholders also incorporate perspectives from key management executives, major shareholders, and sometimes external stakeholders to gain a 360-degree view of board effectiveness.

Why External Board Evaluators Add Value

While internal evaluations have their place, external board evaluation brings crucial benefits. Research from Korn Ferry and Gibson Dunn shows that among S&P 500 companies, the use of three-tier evaluations (full board, committees, and individual directors) increased from 47% in 2024 to 53% in 2025, with leading companies increasingly engaging external facilitators for deeper insights.

An experienced independent evaluator creates psychological safety for directors to speak candidly, brings fresh perspective unclouded by internal politics, offers benchmarking insights from other boards, and lends credibility to findings with investors and regulators. According to EY research, 22% of Fortune 100 companies now use third-party facilitators, with predictions of a three-fold increase over the next three years.

The key is selecting a board evaluator who understands both governance best practices and the specific context of your organization and industry. In Luxembourg’s cross-border environment, this often means choosing someone with international experience who can navigate cultural nuances.

Assessing Board Dynamics and Culture Effectively

Technical competence is table stakes. What truly distinguishes high-performing boards is their dynamics: how directors interact, challenge each other, and make decisions together. Effective board evaluation therefore probes beneath surface-level functioning to examine trust levels among directors, psychological safety for dissenting views, quality of debate and constructive challenge, efficiency of meetings and preparation, and the balance between support and oversight of management.

These softer elements are often where the greatest improvement opportunities lie in board performance, yet they’re also the most difficult to assess and address through traditional board assessment methods.

Turning Board Evaluation Results Into Action

A board evaluation is only valuable if it drives change. The best board assessments produce concrete, prioritized recommendations with clear ownership and timelines. High-performing boards then track progress systematically, often revisiting key issues in subsequent evaluations to assess improvement in board effectiveness. This requires


Artificial Intelligence in the Boardroom: Governance Frameworks for Luxembourg Directors

Boards in 2026 must prioritise agility amid economic volatility, tech disruption and regulatory shifts. Directors face growing pressure to evolve from compliance monitors into strategic partners who drive resilience and growth. Here’s how they can rise to the challenge: Katia Ciesielska Artificial intelligence has moved from boardroom speculation to boardroom imperative. For Luxembourg directors overseeing fund management companies, financial services firms, and international corporate structures, AI governance is no longer optional – it’s a fiduciary duty. The gap between AI’s potential and board readiness remains alarmingly wide. Deloitte research reveals that 66% of board members have limited to no knowledge of AI, and 31% say AI doesn’t even appear on their board agendas. Meanwhile, McKinsey data shows organizations with AI-savvy boards outperform peers by 10.9 percentage points in return on equity. For Luxembourg directors navigating the EU AI Act, sophisticated investors, and cross-border regulations, establishing robust AI governance frameworks is essential. This guide provides practical frameworks for overseeing AI effectively in 2026. Why AI Governance Matters for Luxembourg Boards Luxembourg’s position as Europe’s leading fund domicile creates unique AI governance challenges. Boards oversee organizations deploying AI across portfolio management, risk analytics, compliance automation, and operations, often across multiple jurisdictions simultaneously. Directors face converging pressures that make AI governance a top priority: Regulatory Obligations: The EU AI Act entered into force in August 2024, with full compliance requirements taking effect in August 2026. The CSSF expects Luxembourg financial sector boards to provide evidence of AI oversight in their governance frameworks. 
Boards must demonstrate they understand where AI is used, how systems are classified, and whether controls meet regulatory standards. Investor Scrutiny: Institutional investors increasingly examine board AI competence as an investment criterion. Research shows disclosure of board AI oversight increased by 84% year-over-year in 2024, with shareholder proposals related to AI quadrupling compared to 2023. Liability Exposure: The EU AI Act’s liability framework makes it easier for claimants to prove causation for AI-related harms, increasing potential director exposure. Directors bear fiduciary responsibility for AI governance failures. Competitive Imperative: AI fundamentally reshapes competitive dynamics. Organizations deploying AI effectively gain substantial advantages in efficiency and decision quality. Boards that fail to oversee AI strategy risk positioning their organizations at a decisive disadvantage. As explored in my analysis of What High-Performing Boards Will Focus on in 2026, AI oversight represents a defining characteristic of board excellence. The EU AI Act: What Directors Must Know The EU AI Act establishes the world’s first comprehensive regulatory framework for artificial intelligence, imposing direct obligations on AI system providers and deployers. Risk Classification System: The Act categorizes AI systems into four tiers – prohibited, high-risk, limited-risk, and minimal-risk – with obligations scaling to risk levels. High-risk AI includes systems used in employment decisions, creditworthiness assessment, and certain operational contexts in regulated industries like financial services. Board Obligations: Directors cannot delegate AI Act compliance exclusively to management. Boards must approve risk frameworks, direct resources to compliance, and maintain audit-ready evidence of AI governance. 
Directors should demand a current inventory of AI use cases, the risk category for each system, and proof of controls for high-risk AI. Enforcement Reality: Non-compliance can trigger substantial fines (up to €35 million or 7% of global annual turnover for the most serious violations). More significantly, investors and regulators treat weak AI controls as a signal of broader governance gaps. A Governance Framework for Luxembourg Boards Effective AI governance requires boards to establish clear frameworks defining oversight responsibilities, reporting mechanisms, and decision rights. 1. Define Your AI Governance Posture Not all boards should approach AI governance identically. The appropriate posture depends on AI’s strategic importance and the risks it creates. Assess how central AI is to your organization’s competitive position. For some Luxembourg entities, AI may be core to fund performance. For others, it’s a supporting tool. This assessment should inform governance intensity. McKinsey research suggests boards should explicitly define which AI topics warrant full board discussion (such as material investments or strategic partnerships), which belong in committees (risk frameworks, vendor reviews), and which are operational matters. Only 39% of Fortune 100 companies currently have disclosed board AI oversight, suggesting most need to formalize these structures. 2. Build Board AI Literacy Directors cannot govern what they don’t understand. Developing baseline AI literacy across the full board is foundational, though directors don’t need to become technical experts. Essential Knowledge Areas: Luxembourg directors should understand core AI concepts (machine learning, generative AI, large language models), AI’s strategic implications for their industry, the EU AI Act’s risk framework and compliance obligations, common AI risks (bias, privacy violations, security vulnerabilities), and basic AI governance principles. 
Practical Learning: Effective board education combines management presentations on AI initiatives, participation in director education programs (such as those offered by the Luxembourg Institute of Directors), and hands-on experimentation with AI tools in low-stakes contexts. Given AI’s rapid evolution, high-performing boards establish rhythms of continuous learning through quarterly deep-dives on AI developments and regular management updates. 3. Demand Strategic Clarity on AI Boards should require management to articulate clear AI strategy aligned with overall business objectives. Vague aspirations to “leverage AI” are inadequate. Critical Strategic Questions: Where specifically will AI create competitive advantage? What capabilities must we build versus buy? How does AI strategy align with our strategic priorities and resource allocation? What are we NOT doing with AI, and why? How do our initiatives compare to competitors? Investment Oversight: Gartner projects AI spending will reach $644 billion globally in 2025, up 76% from 2024. Directors should ensure investments align with strategy and deliver measurable returns. 4. Establish Robust Risk Oversight AI introduces distinctive risks requiring board-level attention. While management handles day-to-day risk management, boards must define risk appetite, ensure appropriate controls exist, and monitor emerging risks. Risk Appetite: Boards should explicitly define the organization’s AI risk appetite. This includes clarifying which AI applications are off-limits, establishing thresholds for acceptable error rates or bias levels, and determining which risks require board approval. Key Risk Categories: Luxembourg boards should ensure management has frameworks to identify and mitigate algorithmic bias and fairness issues, data privacy violations under GDPR, cybersecurity vulnerabilities

What High-Performing Boards Will Focus on in 2026

Boards in 2026 must prioritise agility amid economic volatility, tech disruption and regulatory shifts. Directors face growing pressure to evolve from compliance monitors into strategic partners who drive resilience and growth. Here’s how they can rise to the challenge: Katia Ciesielska Set the Context With Scenario Planning Economic uncertainty demands robust scenario planning and stress testing of core assumptions. According to recent PwC research, 76% of directors say geopolitical instability is their top concern, yet fewer than half conduct regular scenario exercises. Boards should dedicate agenda time to “what if” discussions covering supply chains, competition and geopolitical risks. For Luxembourg fund boards, this means modelling 2–5 year horizons under AIFM rules and ensuring resource alignment so that threats are turned into opportunities. Shape an AI Strategy and Governance Framework AI is moving from experiment to core operations, requiring clear frameworks for deployment, ethics and risk. Boards must probe management on use cases, bias mitigation and measurable ROI. A 2024 McKinsey survey found that companies with board-level AI oversight are 2.5 times more likely to see tangible returns from AI investments. Luxembourg directors should oversee AI in areas such as fund valuation and AML screening, piloting projects to build confidence before full rollout. Equally important is putting policies in place to govern AI use responsibly and tapping external expertise when necessary. Strengthen Risk and Crisis Resilience Interlinked risks – from cyber to ESG – call for enterprise-wide inventories and predefined escalation paths. Boards gain an edge by linking oversight to incentives and testing response plans regularly. 
In funds, prioritise AML cyber overlaps under CSSF guidelines and foster a culture where early signals trigger swift action. Keeping crisis management plans up to date and subjecting them to regular drills can make a real difference. The most resilient organisations run at least two crisis simulations annually. Build Talent Pipelines and Robust Succession Plans Skill gaps in tech, cyber and sustainability undermine execution. Annual board audits reveal needs for diverse expertise, and succession planning should become a standing item, extending beyond the CEO to key roles. Luxembourg boards should recruit UCITS-savvy talent for hybrid workforces and invest in upskilling to retain next-generation leaders. Incorporating board evaluations and peer reviews also helps ensure the right mix of skills and experiences. Integrate Sustainability and ESG into Strategy ESG anchors long-term value, with boards tying metrics to compensation and demanding audited progress. Regional regulatory flux—such as SFDR for funds—requires flexible reporting that builds stakeholder trust. For fund managers, embed SFDR compliance into strategy to turn sustainability into a competitive differentiator. Clear oversight of ESG issues also helps boards navigate political polarisation and regulatory complexity. Leading boards are now linking ESG KPIs directly to executive compensation, with over 60% of S&P 500 companies adopting this approach. Enhance Board Effectiveness and Tools Real-time dashboards are replacing quarterly silos, offering unified views of risk and performance and enabling between-meeting insights. Boards thrive by customising these tools and training themselves on data interpretation. In Luxembourg, use dashboards for compliance monitoring, sharpening proactive oversight in fast-moving markets. Regular board self-assessments and third-party evaluations can drive continuous improvement. 
Address Shareholder Activism and Regulatory Change Rising activism and evolving proxy voting policies mean engagement must be year-round. Boards should stay informed about new rules – like the EU’s Shareholder Rights Directive II and U.S. proxy advisory updates – and be prepared to explain decisions on pay plans, governance structures and strategy. Transparency and consistent communication with investors will be critical in navigating more customised voting policies and settlement cycles that are speeding up. Boards that excel in 2026 will blend strategy, tech fluency and self-awareness. By adopting AI responsibly, reinforcing ethics and culture, strengthening crisis preparedness, aligning talent with strategy and engaging openly with stakeholders, directors can steer their organisations through uncertainty.
